Skip to content

feat: add sha extend precompile. #1213

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dreamATD wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat: add sha extend precompile. #1213

dreamATD wants to merge 1 commit into from

Conversation

@dreamATD
Copy link
Collaborator

@dreamATD dreamATD commented Dec 31, 2025
edited
Loading

Description

Sha extend circuit

This PR adds sha extend precompile, computing the parameter w[0..64] defined as follows:

// w[0..16] are copied from the input
for i in 16..64 {
    let s0 = w[i - 15].rotate_right(7) ^ w[i - 15].rotate_right(18) ^ (w[i - 15] >> 3);
    let s1 = w[i - 2].rotate_right(17) ^ w[i - 2].rotate_right(19) ^ (w[i - 2] >> 10);
    w[i] = w[i - 16]
        .wrapping_add(s0)
        .wrapping_add(w[i - 7])
        .wrapping_add(s1);
}

The sha extend circuit represents a single round computation in sha extend. It fetches the instruction at the same pc as the first cycle, reads the same register, and defines the global state with increasing cycles. I each instance, it reads w[i - 2], w[i - 7], w[i - 15], w[i - 16] from the memory and computes w[i] and writes it back.

Changes in ceno_patch

The function is replaced from syscall_sha256_extend(w_i: &mut [u32; 64]); to syscall_sha256_extend(w_i: &mut u32):

/// Executes one SHA256 extend round in place.
#[allow(unused_variables)]
pub fn syscall_sha256_extend(w_i: &mut u32) {
    #[cfg(target_os = "zkvm")]
    {
        let w_i = w_i as *mut u32;
        unsafe {
            asm!(
            "ecall",
            in("t0") SHA_EXTEND,
            in("a0") w_i,
            );
        }
    }

    #[cfg(not(target_os = "zkvm"))]
    unreachable!()
}

And the functionality in ceno_emul is changed accordingly.

Tiny change of SelectTypeLayout

The original definition is as follows:

#[derive(Clone, Debug)]
pub struct SelectorTypeLayout<E: ExtensionField> {
    pub sel_mem_read: SelectorType<E>,
    pub sel_mem_write: SelectorType<E>,
    pub sel_lookup: SelectorType<E>,
    pub sel_zero: SelectorType<E>,
}

while they are sometimes duplicated and in sha extend circuit, it needs to set round_i = 16 in the first round and update pc during the last round. Therefore, the definition is changed as follows:

#[derive(Clone, Debug)]
pub struct SelectorTypeLayout<E: ExtensionField> {
    pub sel_first: Option<SelectorType<E>>,
    pub sel_last: Option<SelectorType<E>>,
    pub sel_all: SelectorType<E>,
}

@dreamATD dreamATD force-pushed the precompiles/sha256 branch 4 times, most recently from e8efcb6 to e14d078 Compare December 31, 2025 19:36
@dreamATD dreamATD force-pushed the precompiles/sha256 branch 2 times, most recently from 2f854bc to 155bbe1 Compare January 18, 2026 09:13
hero78119
hero78119 reviewed Jan 19, 2026
View reviewed changes
Copy link
Collaborator

@hero78119 hero78119 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First quick pass and LGTM!

Just one add-on: as this PR introduce OrderSparse change, we also need to modify recursion verifier, and I will submit another PR for it 👍

@dreamATD dreamATD changed the title feat: support multi-cycle instruction and add sha extend precompile. feat: add sha extend precompile. Jan 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hero78119 hero78119 hero78119 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dreamATD @hero78119