Keccak STARK: constraint preimage to equal A on first round

2026-01-10 09:43:09 +00:00 · 2023-08-28 12:42:01 -07:00 · 2023-08-28 12:42:01 -07:00 · ea03e4183f
commit ea03e4183f
parent 760f09a8aa
1 changed files with 26 additions and 0 deletions
--- a/evm/src/keccak/keccak_stark.rs
+++ b/evm/src/keccak/keccak_stark.rs
@ -264,6 +264,8 @@ impl<F: RichField + Extendable<D>, const D: usize> Stark<F, D> for KeccakStark<F
        yield_constr.constraint(not_final_step * filter);

        // If this is not the final step, the local and next preimages must match.
+        // Also, if this is the first step, the preimage must match A.
+        let is_first_step = vars.local_values[reg_step(0)];
        for x in 0..5 {
            for y in 0..5 {
                let reg_preimage_lo = reg_preimage(x, y);
@ -274,6 +276,13 @@ impl<F: RichField + Extendable<D>, const D: usize> Stark<F, D> for KeccakStark<F
                    vars.local_values[reg_preimage_hi] - vars.next_values[reg_preimage_hi];
                yield_constr.constraint_transition(not_final_step * diff_lo);
                yield_constr.constraint_transition(not_final_step * diff_hi);
+
+                let reg_a_lo = reg_a(x, y);
+                let reg_a_hi = reg_a_lo + 1;
+                let diff_lo = vars.local_values[reg_preimage_lo] - vars.local_values[reg_a_lo];
+                let diff_hi = vars.local_values[reg_preimage_hi] - vars.local_values[reg_a_hi];
+                yield_constr.constraint(is_first_step * diff_lo);
+                yield_constr.constraint(is_first_step * diff_hi);
            }
        }

@ -439,6 +448,8 @@ impl<F: RichField + Extendable<D>, const D: usize> Stark<F, D> for KeccakStark<F
        yield_constr.constraint(builder, constraint);

        // If this is not the final step, the local and next preimages must match.
+        // Also, if this is the first step, the preimage must match A.
+        let is_first_step = vars.local_values[reg_step(0)];
        for x in 0..5 {
            for y in 0..5 {
                let reg_preimage_lo = reg_preimage(x, y);
@ -455,6 +466,21 @@ impl<F: RichField + Extendable<D>, const D: usize> Stark<F, D> for KeccakStark<F
                );
                let constraint = builder.mul_extension(not_final_step, diff);
                yield_constr.constraint_transition(builder, constraint);
+
+                let reg_a_lo = reg_a(x, y);
+                let reg_a_hi = reg_a_lo + 1;
+                let diff_lo = builder.sub_extension(
+                    vars.local_values[reg_preimage_lo],
+                    vars.local_values[reg_a_lo],
+                );
+                let constraint = builder.mul_extension(is_first_step, diff_lo);
+                yield_constr.constraint(builder, constraint);
+                let diff_hi = builder.sub_extension(
+                    vars.local_values[reg_preimage_hi],
+                    vars.local_values[reg_a_hi],
+                );
+                let constraint = builder.mul_extension(is_first_step, diff_hi);
+                yield_constr.constraint(builder, constraint);
            }
        }