[feat] Precompile MODEXP (#520)

* feat: preliminary work

* wip

* finish assignment to ecrecover

* fix: input length may be different than call data length (for precompiles)

* fix: input bytes to ecrecover

* minor edits

* modexp table

* wip

wip

wip

wip

* add auxdata of modexp

* assign in modexp gadget

* wip: fix most constraint failure

* wip

* wip: fix constraints

* pass primary test

* optimize phase2 cell usage and add more tests

* add invalid detection and test

* wip: induce u256 modexp

* modexp event

* wip: induce modexp table to evm

* fix super circuit

* induce modexp table done

* regression pass

* modexp circuit done

* wip: test modexp table lookup

* wip: testing modexp table lookup

* pass modexptable lookup

* pass u256 modexp circuit

* refine dependencies

* fix for merging develop

* add modexp into super circuit

* clippy

* fmt

* disable ecrecover temporarily.
(lint not pass in CI but tests should be able to move forword)

* post merging fixing

* fmt and clippy

* for invalid input

* upgrade modexp circuit dep

* fixes according to review

* fmt

* update dep, prune ff 0.13

* optimize by powofrand table

* constraint for nil output

* reverse geth step error indication for precompile

* trivial fix for invalid case

* fmt

* error should not be throw for precompile failure

* fix for merge

* post-merge fixes for compile errors

* reverse throwing precompile error in get_step_err

* fmt

* clippy lint

* update `dev_load` of modexp table and some file structures

* resume size limit for modexp

* refactor and support garbage bytes in input

* prune and lint

* + resume the precompile error detection. + trivial logs

* update modexp chip rows usage constant

---------

Co-authored-by: Rohit Narurkar <[email protected]>

Author: noel2004

Cargo.lock

@@ -36,8 +36,8 @@ use ethers_core::{
 };
 use ethers_providers::JsonRpcClient;
 pub use execution::{
-    CopyBytes, CopyDataType, CopyEvent, CopyEventStepsBuilder, CopyStep, EcAddOp, EcMulOp,
-    EcPairingOp, EcPairingPair, ExecState, ExecStep, ExpEvent, ExpStep, NumberOrHash,
+    BigModExp, CopyBytes, CopyDataType, CopyEvent, CopyEventStepsBuilder, CopyStep, EcAddOp,
+    EcMulOp, EcPairingOp, EcPairingPair, ExecState, ExecStep, ExpEvent, ExpStep, NumberOrHash,
     PrecompileEvent, PrecompileEvents, N_BYTES_PER_PAIR, N_PAIRING_PER_OP,
 };
 use hex::decode_to_slice;

bus-mapping/src/circuit_input_builder.rs

@@ -893,6 +893,20 @@ impl PrecompileEvents {
             })
             .collect()
     }
+    /// Get all Big Modexp events.
+    pub fn get_modexp_events(&self) -> Vec<BigModExp> {
+        self.events
+            .iter()
+            .filter_map(|e| {
+                if let PrecompileEvent::ModExp(op) = e {
+                    Some(op)
+                } else {
+                    None
+                }
+            })
+            .cloned()
+            .collect()
+    }
 }
 
 /// I/O from a precompiled contract call.
@@ -906,6 +920,8 @@ pub enum PrecompileEvent {
     EcMul(EcMulOp),
     /// Represents the I/O from EcPairing call.
     EcPairing(Box<EcPairingOp>),
+    /// Represents the I/O from Modexp call.
+    ModExp(BigModExp),
 }
 
 impl Default for PrecompileEvent {
@@ -1174,3 +1190,27 @@ impl EcPairingOp {
         false
     }
 }
+
+/// Event representating an exponentiation `a ^ b == d (mod m)` in precompile modexp.
+#[derive(Clone, Debug)]
+pub struct BigModExp {
+    /// Base `a` for the exponentiation.
+    pub base: Word,
+    /// Exponent `b` for the exponentiation.
+    pub exponent: Word,
+    /// Modulus `m`
+    pub modulus: Word,
+    /// Mod exponentiation result.
+    pub result: Word,
+}
+
+impl Default for BigModExp {
+    fn default() -> Self {
+        Self {
+            modulus: 1.into(),
+            base: Default::default(),
+            exponent: Default::default(),
+            result: Default::default(),
+        }
+    }
+}

bus-mapping/src/circuit_input_builder/execution.rs

@@ -11,11 +11,13 @@ mod ec_add;
 mod ec_mul;
 mod ec_pairing;
 mod ecrecover;
+mod modexp;
 
 use ec_add::opt_data as opt_data_ec_add;
 use ec_mul::opt_data as opt_data_ec_mul;
 use ec_pairing::opt_data as opt_data_ec_pairing;
 use ecrecover::opt_data as opt_data_ecrecover;
+use modexp::opt_data as opt_data_modexp;
 
 type InOutRetData = (Option<Vec<u8>>, Option<Vec<u8>>, Option<Vec<u8>>);
 
@@ -37,6 +39,7 @@ pub fn gen_associated_ops(
         PrecompileCalls::Bn128Add => opt_data_ec_add(input_bytes, output_bytes),
         PrecompileCalls::Bn128Mul => opt_data_ec_mul(input_bytes, output_bytes),
         PrecompileCalls::Bn128Pairing => opt_data_ec_pairing(input_bytes, output_bytes),
+        PrecompileCalls::Modexp => opt_data_modexp(input_bytes, output_bytes),
         PrecompileCalls::Identity => (None, None),
         _ => {
             log::warn!("precompile {:?} unsupported in circuits", precompile);

bus-mapping/src/evm/opcodes/precompiles/mod.rs

@@ -0,0 +1,30 @@
+use crate::{
+    circuit_input_builder::{BigModExp, PrecompileEvent},
+    precompile::{ModExpAuxData, PrecompileAuxData},
+};
+
+use eth_types::Word;
+
+pub(crate) fn opt_data(
+    input_bytes: Option<Vec<u8>>,
+    output_bytes: Option<Vec<u8>>,
+) -> (Option<PrecompileEvent>, Option<PrecompileAuxData>) {
+    let aux_data = ModExpAuxData::new(
+        input_bytes.unwrap_or_default(),
+        output_bytes.unwrap_or_default(),
+    );
+    if aux_data.valid {
+        let event = BigModExp {
+            base: Word::from_big_endian(&aux_data.inputs[0]),
+            exponent: Word::from_big_endian(&aux_data.inputs[1]),
+            modulus: Word::from_big_endian(&aux_data.inputs[2]),
+            result: Word::from_big_endian(&aux_data.output),
+        };
+        (
+            Some(PrecompileEvent::ModExp(event)),
+            Some(PrecompileAuxData::Modexp(aux_data)),
+        )
+    } else {
+        (None, Some(PrecompileAuxData::Modexp(aux_data)))
+    }
+}

bus-mapping/src/evm/opcodes/precompiles/modexp.rs

@@ -20,7 +20,22 @@ pub(crate) fn execute_precompiled(address: &Address, input: &[u8], gas: u64) ->
     };
 
     match precompile_fn(input, gas) {
-        Ok((gas_cost, return_value)) => (return_value, gas_cost),
+        Ok((gas_cost, return_value)) => {
+            match PrecompileCalls::from(address.0[19]) {
+                // FIXME: override the behavior of invalid input
+                PrecompileCalls::Modexp => {
+                    let (input_valid, [_, _, modulus_len]) = ModExpAuxData::check_input(input);
+                    if input_valid {
+                        // detect some edge cases like modulus = 0
+                        assert_eq!(modulus_len.as_usize(), return_value.len());
+                        (return_value, gas_cost)
+                    } else {
+                        (vec![], gas)
+                    }
+                }
+                _ => (return_value, gas_cost),
+            }
+        }
         Err(_) => (vec![], gas),
     }
 }
@@ -117,6 +132,7 @@ impl PrecompileCalls {
         match self {
             Self::Ecrecover | Self::Bn128Add => Some(128),
             Self::Bn128Mul => Some(96),
+            Self::Modexp => Some(MODEXP_INPUT_LIMIT),
             _ => None,
         }
     }
@@ -168,6 +184,91 @@ impl EcrecoverAuxData {
     }
 }
 
+/// size limit of modexp
+pub const MODEXP_SIZE_LIMIT: usize = 32;
+/// size of input limit
+pub const MODEXP_INPUT_LIMIT: usize = 192;
+
+/// Auxiliary data for Modexp
+#[derive(Clone, Debug, Default, PartialEq, Eq)]
+pub struct ModExpAuxData {
+    /// The specified len of inputs: [base, exp, modulus]
+    pub input_lens: [Word; 3],
+    /// Input value [base, exp, modulus], limited to SIZE_LIMIT
+    pub inputs: [[u8; MODEXP_SIZE_LIMIT]; 3],
+    /// Input valid.
+    pub valid: bool,
+    /// len of output, limited to lens of moduls, but can be 0
+    pub output_len: usize,
+    /// output of modexp.
+    pub output: [u8; MODEXP_SIZE_LIMIT],
+    /// backup of input memory
+    pub input_memory: Vec<u8>,
+    /// backup of output memory
+    pub output_memory: Vec<u8>,
+}
+
+impl ModExpAuxData {
+    fn parse_memory_to_value(mem: &[u8]) -> [u8; MODEXP_SIZE_LIMIT] {
+        let mut value_bytes = [0u8; MODEXP_SIZE_LIMIT];
+        if !mem.is_empty() {
+            value_bytes.as_mut_slice()[(MODEXP_SIZE_LIMIT - mem.len())..].copy_from_slice(mem);
+        }
+        value_bytes
+    }
+
+    /// check input
+    pub fn check_input(input: &[u8]) -> (bool, [Word; 3]) {
+        let mut i = input.chunks(32);
+        let base_len = Word::from_big_endian(i.next().unwrap_or(&[]));
+        let exp_len = Word::from_big_endian(i.next().unwrap_or(&[]));
+        let modulus_len = Word::from_big_endian(i.next().unwrap_or(&[]));
+
+        let limit = Word::from(MODEXP_SIZE_LIMIT);
+
+        let input_valid = base_len <= limit && exp_len <= limit && modulus_len <= limit;
+
+        (input_valid, [base_len, exp_len, modulus_len])
+    }
+
+    /// Create a new instance of modexp auxiliary data.
+    pub fn new(mut mem_input: Vec<u8>, output: Vec<u8>) -> Self {
+        let input_memory = mem_input.clone();
+        let output_memory = output.clone();
+
+        let (input_valid, [base_len, exp_len, modulus_len]) = Self::check_input(&mem_input);
+
+        let base_mem_len = if input_valid { base_len.as_usize() } else { 0 };
+        let exp_mem_len = if input_valid { exp_len.as_usize() } else { 0 };
+        let modulus_mem_len = if input_valid {
+            modulus_len.as_usize()
+        } else {
+            0
+        };
+
+        mem_input.resize(96 + base_mem_len + exp_mem_len + modulus_mem_len, 0);
+        let mut cur_input_begin = &mem_input[96..];
+
+        let base = Self::parse_memory_to_value(&cur_input_begin[..base_mem_len]);
+        cur_input_begin = &cur_input_begin[base_mem_len..];
+        let exp = Self::parse_memory_to_value(&cur_input_begin[..exp_mem_len]);
+        cur_input_begin = &cur_input_begin[exp_mem_len..];
+        let modulus = Self::parse_memory_to_value(&cur_input_begin[..modulus_mem_len]);
+        let output_len = output.len();
+        let output = Self::parse_memory_to_value(&output);
+
+        Self {
+            valid: input_valid,
+            input_lens: [base_len, exp_len, modulus_len],
+            inputs: [base, exp, modulus],
+            output,
+            output_len,
+            input_memory,
+            output_memory,
+        }
+    }
+}
+
 /// Auxiliary data for EcAdd, i.e. P + Q = R
 #[derive(Clone, Debug, Default, PartialEq, Eq)]
 pub struct EcAddAuxData {
@@ -245,6 +346,8 @@ pub struct EcPairingAuxData(pub EcPairingOp);
 pub enum PrecompileAuxData {
     /// Ecrecover.
     Ecrecover(EcrecoverAuxData),
+    /// Modexp.
+    Modexp(ModExpAuxData),
     /// EcAdd.
     EcAdd(EcAddAuxData),
     /// EcMul.

bus-mapping/src/precompile.rs

@@ -368,6 +368,7 @@ impl fmt::Debug for GethExecStep {
             .field("op", &self.op)
             .field("gas", &format_args!("{}", self.gas.0))
             .field("gas_cost", &format_args!("{}", self.gas_cost.0))
+            .field("refund", &format_args!("{}", self.refund.0))
             .field("depth", &self.depth)
             .field("error", &self.error)
             .field("stack", &self.stack)

eth-types/src/lib.rs

@@ -33,6 +33,7 @@ serde_json = "1.0.78"
 
 hash-circuit = { package = "poseidon-circuit", git = "https://github.com/scroll-tech/poseidon-circuit.git", branch = "scroll-dev-0619", features=['short']}
 #mpt-circuits = { package = "halo2-mpt-circuits", path = "../../mpt-circuit" }
+misc-precompiled-circuit = { package = "rmd160-circuits", git = "https://github.com/scroll-tech/misc-precompiled-circuit.git", branch = "integration" }
 
 halo2-base = { git = "https://github.com/scroll-tech/halo2-lib", branch = "develop", default-features=false, features=["halo2-pse","display"] }
 halo2-ecc = { git = "https://github.com/scroll-tech/halo2-lib", branch = "develop", default-features=false, features=["halo2-pse","display"] }