SRAI

[zemse]

This PR adds SRAI to shift_imm, also changes logic for SLLI and SRLI.

Closes #365

[naure]

Regarding the constraints, here is a more efficient way, without division or limb decomposition.

First calculate the sign-extension, that is bits flowing in from the left.

let imm = cb.create_witin(…);    // UInt not necessary.
let ones = imm - 1;       // 2**shift - 1, or 00…111 in binary.
let inflow = msb * ones;  // Extend with 0s or 1s.

Calculate the bits flowing out to the right

// outflow < imm
AssertLTConfig::construct_circuit(…, outflow, imm, …)

Then require:

rd * imm + outflow == inflow * 2**32 + rs1

Other checks:

• rs1 < 2**32 from register read.
• rd < 2**32 from UInt::new.
• shift < 32 from imm_or_funct7

[naure]

This technique can also be refactored with SRLI by setting constant inflow = 0.

[hero78119]

Regarding the constraints, here is a more efficient way, without division or limb decomposition.

First calculate the sign-extension, that is bits flowing in from the left.

let imm = cb.create_witin(…);    // UInt not necessary.
let ones = imm - 1;       // 2**shift - 1, or 00…111 in binary.
let inflow = msb * ones;  // Extend with 0s or 1s.

Calculate the bits flowing out to the right

// outflow < imm
AssertLTConfig::construct_circuit(…, outflow, imm, …)

Then require:

rd * imm + outflow == inflow * 2**32 + rs1

Other checks:

• rs1 < 2**32 from register read.
• rd < 2**32 from UInt::new.
• shift < 32 from imm_or_funct7

What an insightful observation bro!!
It taught me something new and totally changed how I see the question 😇😇

[zemse]

Thanks! I have updated the implementation

let imm = cb.create_witin(…); // UInt not necessary.

shift < 32 from imm_or_funct7

I had to keep imm as UInt so that it gets range checked to be under 32 bits.

[naure]

imm as UInt so that it gets range checked to be under 32 bits.

Unnecessary, it is a fixed value. Following the code, it will go through a cb.fetch function, where it matches the fixed column imm in the program table, which is in turn populated by imm_or_funct7, which finally computes 1 << rs1 with rs1 < 32.

[naure]

One more argument for soundness, both sides of the equation are 63 bits numbers (<2**63), fitting in Goldilocks.

rd * imm + outflow == inflow * 2**32 + rs1
32 + 31.      31.         31 + 32.     32.                (Bit widths)

[matthiasgoergens]

imm as UInt so that it gets range checked to be under 32 bits.

Unnecessary, it is a fixed value. Following the code, it will go through a cb.fetch function, where it matches the fixed column imm in the program table, which is in turn populated by imm_or_funct7, which finally computes 1 << rs1 with rs1 < 32.

Yes!

And part of that is arguably unnecessary, too.

[matthiasgoergens]

What does this change have to do with SRAI?

[zemse]

This is not related to SRAI. This is for MockProver accurate error description. The way MockProver infers assert equal is by destructuring LHS,RHS = Sum(LHS, RHS). After the monomial PR, Mock Prover is not able to infer require equal correctly because to_monomial_form is performed on Sum(LHS, RHS) the result doesn't correctly destructure to what it should be.

This change can be in other PR.

[matthiasgoergens]

What does this change have to do with SRAI?

Seems like an unrelated improvement?

[zemse]

This is not related to SRAI. If Wtns(x) appears multiple times in the expression, then it is duplicated.

This change can be in other PR.

[matthiasgoergens]

I'm happy to review that extracted PR fast.

[matthiasgoergens]

Putting unrelated changes in their own PR is best; but as a second best alternative you can also expand the PR description for this PR to include the additional unrelated changes.

[zemse]

Changing imm to WitIn requires impl of UInt x WitIn (currently we just support muliply of UInt and UInt) since that is needed in SLLI. Do you think it can be followed up in other PR?

[matthiasgoergens]

Changing imm to WitIn requires impl of UInt x WitIn (currently we just support muliply of UInt and UInt) since that is needed in SLLI. Do you think it can be followed up in other PR?

Why don't you get that other PR into master first, if that's useful, and built this PR on that one?

[naure]

UInt x WitIn

That's uint.value() * witin.expr()

But yes that can be done in a follow up PR.

Already done.

[hero78119]

A quick review went through.
👍 Per offline discussion, make SLLI follow in/out flow and the final config sharing with same imm as witin is nice

[naure]

Nice implementation of the arithmetic approach and nice refactoring of all three instructions!

[hero78119]

LGTM!

[matthiasgoergens]

Why do you mix pattern matching with if?

[matthiasgoergens]

@hero78119 We are freely mixing .unwrap()s into our code. We pay the mental tax for the extra complexity of the Result wrapper but don't actually use it.

(The unwrap might even be justified here. It's honestly hard to tell.)