Kimchi

• This document specifies kimchi, a zero-knowledge proof system that’s a variant of PLONK.
• This document does not specify how circuits are created or executed, but only how to convert a circuit and its execution into a proof.

Table of content:

• Overview
  • Tables used to describe a circuit
  • Tables produced during proof creation
• Dependencies
  • Polynomial Commitments
  • Poseidon hash function
  • Pasta
• Constraints
  • Linearization
  • Permutation
  • Lookup
    • The Lookup Tables
    • The Lookup Selectors
    • Producing the sorted table as the prover
  • Gates
    • Double Generic Gate
    • Poseidon
    • Elliptic Curve Addition
    • Endo Scalar
    • Endo Scalar Multiplication
    • Scalar Multiplication
    • Range Check
    • Foreign Field Addition
    • Foreign Field Multiplication
    • Rotation
    • Xor
  • Gadgets
    • Not
    • And
• Setup
  • Common Index
  • Lookup Index
  • Prover Index
  • Verifier Index
• Proof Construction & Verification
  • Proof Structure
  • Proof Creation
  • Proof Verification
    • Fiat-Shamir argument
    • Partial verification
    • Batch verification of proofs
• Optimizations
• Security Considerations

Overview

There are three main algorithms to kimchi:

• Setup: takes a circuit and produces a prover index, and a verifier index.
• Proof creation: takes the prover index, and the execution trace of the circuit to produce a proof.
• Proof verification: takes the verifier index and a proof to verify.

As part of these algorithms, a number of tables are created (and then converted into polynomials) to create a proof.

Tables used to describe a circuit

The following tables are created to describe the circuit:

Gates. A circuit is described by a series of gates, that we list in a table. The columns of the tables list the gates, while the rows are the length of the circuit. For each row, only a single gate can take a value $1$ while all other gates take the value $0$.

Coefficients. The coefficient table has 15 columns, and is used to tweak the gates. Currently, only the Generic and the Poseidon gates use it (refer to their own sections to see how). All other gates set their values to $0$.

Wiring (or Permutation, or sigmas). For gates to take the outputs of other gates as inputs, we use a wiring table to wire registers together. To learn about registers, see the next section. It is defined at every row, but only for the first $7$ registers. Each cell specifies a (row, column) tuple that it should be wired to. Cells that are not connected to another cell are wired to themselves. Note that if three or more registers are wired together, they must form a cycle. For example, if register (0, 4) is wired to both registers (80, 6) and (90, 0) then you would have the following table:

The lookup feature is currently optional, as it can add some overhead to the protocol. In the case where you would want to use lookups, the following tables would be needed:

Lookup Tables. The different lookup tables that are used in the circuit. For example, the XOR lookup table:

Lookup selectors. A lookup selector is used to perform a number of queries in different lookup tables. Any gate can advertise its use of a lookup selector (so a lookup selector can be associated to several gates), and on which rows they want to use them (current and/or next). In cases where a gate need to use lookups in its current row only, and is the only one performing a specific combination of queries, then its gate selector can be used in place of a lookup selector. As with gates, lookup selectors (including gates used as lookup selectors) are mutually exclusives (only one can be used on a given row).

For example, suppose we have two lookup selectors:

Where each applies 4 queries. A query is a table describing which lookup table it queries, and the linear combination of the witness to use in the query. For example, the following table describes a query into the XOR table made out of linear combinations of registers (checking that $r_0\oplus r_2=2\cdot r_1$):

Tables produced during proof creation

The following tables are created by the prover at runtime:

Registers (or Witness). Registers are also defined at every row, and are split into two types: the IO registers from $0$ to $6$ usually contain input or output of the gates (note that a gate can output a value on the next row as well). I/O registers can be wired to each other (they’ll be forced to have the same value), no matter what row they’re on (for example, the register at row:0, col:4 can be wired to the register at row:80, col:6). The rest of the registers, $7$ through $14$, are called advice registers as they can store values that useful only for the row’s active gate. Think of them as intermediary or temporary values needed in the computation when the prover executes a circuit.

Wiring (Permutation) trace. You can think of the permutation trace as an extra register that is used to enforce the wiring specified in the wiring table. It is a single column that applies on all the rows as well, which the prover computes as part of a proof.

Queries trace. These are the actual values made by queries, calculated by the prover at runtime, and used to construct the proof.

Table trace. Represents the concatenation of all the lookup tables, combined into a single column at runtime by both the prover and the verifier.

Sorted trace. Represents the processed (see the lookup section) concatenation of the queries trace and the table trace. It is produced at runtime by the prover. The sorted trace is long enough that it is split in several columns.

Lookup (aggregation, or permutation) trace. This is a one column table that is similar to the wiring (permutation) trace we talked above. It is produced at runtime by the prover.

Dependencies

To specify kimchi, we rely on a number of primitives that are specified outside of this specification. In this section we list these specifications, as well as the interfaces we make use of in this specification.

Polynomial Commitments

Refer to the specification on polynomial commitments. We make use of the following functions from that specification:

• PolyCom.non_hiding_commit(poly) -> PolyCom::NonHidingCommitment
• PolyCom.commit(poly) -> PolyCom::HidingCommitment
• PolyCom.evaluation_proof(poly, commitment, point) -> EvaluationProof
• PolyCom.verify(commitment, point, evaluation, evaluation_proof) -> bool

Poseidon hash function

Refer to the specification on Poseidon. We make use of the following functions from that specification:

• Poseidon.init(params) -> FqSponge
• Poseidon.update(field_elem)
• Poseidon.finalize() -> FieldElem

specify the following functions on top:

• Poseidon.produce_challenge() (TODO: uses the endomorphism)
• Poseidon.to_fr_sponge() -> state_of_fq_sponge_before_eval, FrSponge

With the current parameters:

• S-Box alpha: 7
• Width: 3
• Rate: 2
• Full rounds: 55
• Round constants: fp_kimchi, fq_kimchi
• MDS matrix: fp_kimchi, fq_kimchi

Pasta

Kimchi is made to work on cycles of curves, so the protocol switch between two fields Fq and Fr, where Fq represents the base field and Fr represents the scalar field.

See the Pasta curves specification.

Constraints

Kimchi enforces the correct execution of a circuit by creating a number of constraints and combining them together. In this section, we describe all the constraints that make up the main polynomial $f$ once combined.

We define the following functions:

• combine_constraints(range_alpha, constraints), which takes a range of contiguous powers of alpha and a number of constraints. It returns the sum of all the constraints, where each constraint has been multiplied by a power of alpha. In other words it returns: $$\sum _i{\alpha }^i\cdot {\text{constraint}}_i$$

The different ranges of alpha are described as follows:

• gates. Offset starts at 0 and 21 powers of $\alpha$ are used
• Permutation. Offset starts at 21 and 3 powers of $\alpha$ are used

Linearization

TODO

Permutation

The permutation constraints are the following 4 constraints:

The two sides of the coin (with ${\text{shift}}_0=1$):

$$\begin{array}{rl}& z(x)\cdot zkpm(x)\cdot {\alpha }^{PERM0}\cdot \\ & (w_0(x)+\beta \cdot {\text{shift}}_{0}x+\gamma )\cdot \\ & (w_1(x)+\beta \cdot {\text{shift}}_{1}x+\gamma )\cdot \\ & (w_2(x)+\beta \cdot {\text{shift}}_{2}x+\gamma )\cdot \\ & (w_3(x)+\beta \cdot {\text{shift}}_{3}x+\gamma )\cdot \\ & (w_4(x)+\beta \cdot {\text{shift}}_{4}x+\gamma )\cdot \\ & (w_5(x)+\beta \cdot {\text{shift}}_{5}x+\gamma )\cdot \\ & (w_6(x)+\beta \cdot {\text{shift}}_{6}x+\gamma )\end{array}$$

and

$$\begin{array}{rl}& -1\cdot z(x\omega )\cdot zkpm(x)\cdot {\alpha }^{PERM0}\cdot \\ & (w_0(x)+\beta \cdot {\sigma }_0(x)+\gamma )\cdot \\ & (w_1(x)+\beta \cdot {\sigma }_1(x)+\gamma )\cdot \\ & (w_2(x)+\beta \cdot {\sigma }_2(x)+\gamma )\cdot \\ & (w_3(x)+\beta \cdot {\sigma }_3(x)+\gamma )\cdot \\ & (w_4(x)+\beta \cdot {\sigma }_4(x)+\gamma )\cdot \\ & (w_5(x)+\beta \cdot {\sigma }_5(x)+\gamma )\cdot \\ & (w_6(x)+\beta \cdot {\sigma }_6(x)+\gamma )\cdot \end{array}$$

the initialization of the accumulator:

$$(z(x)-1)L_1(x){\alpha }^{PERM1}$$

and the accumulator’s final value:

$$(z(x)-1)L_{n-k}(x){\alpha }^{PERM2}$$

You can read more about why it looks like that in this post.

The quotient contribution of the permutation is split into two parts $perm$ and $bnd$. They will be used by the prover.

$$\begin{array}{rl}perm(x)=& a^{PERM0}\cdot zkpl(x)\cdot [\\ & z(x)\cdot \\ & (w_0(x)+\gamma +x\cdot \beta \cdot {\text{shift}}_0)\cdot \\ & (w_1(x)+\gamma +x\cdot \beta \cdot {\text{shift}}_1)\cdot \\ & (w_2(x)+\gamma +x\cdot \beta \cdot {\text{shift}}_2)\cdot \\ & (w_3(x)+\gamma +x\cdot \beta \cdot {\text{shift}}_3)\cdot \\ & (w_4(x)+\gamma +x\cdot \beta \cdot {\text{shift}}_4)\cdot \\ & (w_5(x)+\gamma +x\cdot \beta \cdot {\text{shift}}_5)\cdot \\ & (w_6(x)+\gamma +x\cdot \beta \cdot {\text{shift}}_6)\cdot \\ & -\\ & z(x\cdot w)\cdot \\ & (w_0(x)+\gamma +{\sigma }_0\cdot \beta )\cdot \\ & (w_1(x)+\gamma +{\sigma }_1\cdot \beta )\cdot \\ & (w_2(x)+\gamma +{\sigma }_2\cdot \beta )\cdot \\ & (w_3(x)+\gamma +{\sigma }_3\cdot \beta )\cdot \\ & (w_4(x)+\gamma +{\sigma }_4\cdot \beta )\cdot \\ & (w_5(x)+\gamma +{\sigma }_5\cdot \beta )\cdot \\ & (w_6(x)+\gamma +{\sigma }_6\cdot \beta )\cdot \\ & ]\end{array}$$

and bnd:

$$bnd(x)=a^{PERM1}\cdot \frac{z(x)-1}{x-1}+a^{PERM2}\cdot \frac{z(x)-1}{x-sid[n-k]}$$

The linearization:

$\text{scalar}\cdot {\sigma }_6(x)$

where $\text{scalar}$ is computed as:

$$\begin{array}{r}z(\zeta \omega )\beta {\alpha }^{PERM0}zkpl(\zeta )\cdot \\ (\gamma +\beta {\sigma }_0(\zeta )+w_0(\zeta ))\cdot \\ (\gamma +\beta {\sigma }_1(\zeta )+w_1(\zeta ))\cdot \\ (\gamma +\beta {\sigma }_2(\zeta )+w_2(\zeta ))\cdot \\ (\gamma +\beta {\sigma }_3(\zeta )+w_3(\zeta ))\cdot \\ (\gamma +\beta {\sigma }_4(\zeta )+w_4(\zeta ))\cdot \\ (\gamma +\beta {\sigma }_5(\zeta )+w_5(\zeta ))\cdot \end{array}$$

To compute the permutation aggregation polynomial, the prover interpolates the polynomial that has the following evaluations. The first evaluation represents the initial value of the accumulator: $$z(g^0)=1$$ For $i=0,\cdot ,n-4$, where $n$ is the size of the domain, evaluations are computed as:

$$z(g^{i+1})=z_1/z_2$$

with

$$\begin{array}{rl}{z}_1=& (w_0(g^i+sid(g^i)\cdot beta\cdot shif{t}_0+\gamma )\cdot \\ & (w_1(g^i)+sid(g^i)\cdot beta\cdot shif{t}_1+\gamma )\cdot \\ & (w_2(g^i)+sid(g^i)\cdot beta\cdot shif{t}_2+\gamma )\cdot \\ & (w_3(g^i)+sid(g^i)\cdot beta\cdot shif{t}_3+\gamma )\cdot \\ & (w_4(g^i)+sid(g^i)\cdot beta\cdot shif{t}_4+\gamma )\cdot \\ & (w_5(g^i)+sid(g^i)\cdot beta\cdot shif{t}_5+\gamma )\cdot \\ & (w_6(g^i)+sid(g^i)\cdot beta\cdot shif{t}_6+\gamma )\end{array}$$

and

$$\begin{array}{rl}{z}_2=& (w_0(g^i)+{\sigma }_0\cdot beta+\gamma )\cdot \\ & (w_1(g^i)+{\sigma }_1\cdot beta+\gamma )\cdot \\ & (w_2(g^i)+{\sigma }_2\cdot beta+\gamma )\cdot \\ & (w_3(g^i)+{\sigma }_3\cdot beta+\gamma )\cdot \\ & (w_4(g^i)+{\sigma }_4\cdot beta+\gamma )\cdot \\ & (w_5(g^i)+{\sigma }_5\cdot beta+\gamma )\cdot \\ & (w_6(g^i)+{\sigma }_6\cdot beta+\gamma )\end{array}$$

We randomize the evaluations at n - zk_rows + 1 and n - zk_rows + 2 in order to add zero-knowledge to the protocol.

For a valid witness, we then have have $z(g^{n-z{k}_{r}ows})=1$.

Lookup

Lookups in kimchi allows you to check if a single value, or a series of values, are part of a table. The first case is useful to check for checking if a value belongs to a range (from 0 to 1,000, for example), whereas the second case is useful to check truth tables (for example, checking that three values can be found in the rows of an XOR table) or write and read from a memory vector (where one column is an index, and the other is the value stored at that index).

The lookup functionality is an opt-in feature of kimchi that can be used by custom gates. From the user’s perspective, not using any gates that make use of lookups means that the feature will be disabled and there will be no overhead to the protocol.

Please refer to the lookup RFC for an overview of the lookup feature.

In this section, we describe the tables kimchi supports, as well as the different lookup selectors (and their associated queries)

The Lookup Tables

Kimchi currently supports two lookup tables:

/// The table ID associated with the XOR lookup table.
pub const XOR_TABLE_ID: i32 = 0;

/// The range check table ID.
pub const RANGE_CHECK_TABLE_ID: i32 = 1;

XOR

The lookup table for 4-bit xor. Note that it is constructed so that (0, 0, 0) is the last position in the table.

This is because tables are extended to the full size of a column (essentially) by padding them with their final value. And, having the value (0, 0, 0) here means that when we commit to this table and use the dummy value in the lookup_sorted columns, those entries that have the dummy value of

$$0=0+j\ast 0+j^2\ast 0$$

will translate into a scalar multiplication by 0, which is free.

12-bit Check

The range check table is a single-column table containing the numbers from 0 to 2^12 (excluded). This is used to check that the value fits in 12 bits.

Runtime tables

Another type of lookup tables has been suggested in the Extended Lookup Tables.

The Lookup Selectors

XorSelector. Performs 4 queries to the XOR lookup table.

Producing the sorted table as the prover

Because of our ZK-rows, we can’t do the trick in the plookup paper of wrapping around to enforce consistency between the sorted lookup columns.

Instead, we arrange the LookupSorted table into columns in a snake-shape.

Like so,

   _   _
| | | | |
| | | | |
|_| |_| |

or, imagining the full sorted array is [ s0, ..., s8 ], like

s0 s4 s4 s8
s1 s3 s5 s7
s2 s2 s6 s6

So the direction (“increasing” or “decreasing” (relative to LookupTable) is

if i % 2 = 0 { Increasing } else { Decreasing }

Then, for each i < max_lookups_per_row, if i % 2 = 0, we enforce that the last element of LookupSorted(i) = last element of LookupSorted(i + 1), and if i % 2 = 1, we enforce that the first element of LookupSorted(i) = first element of LookupSorted(i + 1).

Gates

A circuit is described as a series of gates. In this section we describe the different gates currently supported by kimchi, the constraints associated to them, and the way the register table, coefficient table, and permutation can be used in conjunction.

TODO: for each gate describe how to create it?

Double Generic Gate

The double generic gate contains two generic gates.

A generic gate is simply the 2-fan in gate specified in the vanilla PLONK protocol that allows us to do operations like:

• addition of two registers (into an output register)
• or multiplication of two registers
• equality of a register with a constant

More generally, the generic gate controls the coefficients $c_i$ in the equation:

$$c_0\cdot l+c_1\cdot r+c_2\cdot o+c_3\cdot (l\times r)+c_4$$

The layout of the gate is the following:

where l1, r1, and o1 (resp. l2, r2, o2) are the left, right, and output registers of the first (resp. second) generic gate.

The selectors are stored in the coefficient table as:

with m1 (resp. m2) the mul selector for the first (resp. second) gate, and c1 (resp. c2) the constant selector for the first (resp. second) gate.

The constraints:

• $w_0\cdot c_0+w_1\cdot c_1+w_2\cdot c_2+w_0\cdot w_1\cdot c_3+c_4$
• $w_3\cdot c_5+w_4\cdot c_6+w_5\cdot c_7+w_3{w}_4{c}_8+c_9$

where the $c_i$ are the coefficients.

Poseidon

The poseidon gate encodes 5 rounds of the poseidon permutation. A state is represents by 3 field elements. For example, the first state is represented by (s0, s0, s0), and the next state, after permutation, is represented by (s1, s1, s1).

Below is how we store each state in the register table:

The last state is stored on the next row. This last state is either used:

• with another Poseidon gate on that next row, representing the next 5 rounds.
• or with a Zero gate, and a permutation to use the output elsewhere in the circuit.
• or with another gate expecting an input of 3 field elements in its first registers.

We define $M_{r,c}$ as the MDS matrix at row $r$ and column $c$.

We define the S-box operation as $w^S$ for $S$ the SPONGE_BOX constant.

We store the 15 round constants $r_i$ required for the 5 rounds (3 per round) in the coefficient table:

The initial state, stored in the first three registers, are not constrained. The following 4 states (of 3 field elements), including 1 in the next row, are constrained to represent the 5 rounds of permutation. Each of the associated 15 registers is associated to a constraint, calculated as:

first round:

• $w_6-\left(r_0+(M_{0,0}{w}_0^S+M_{0,1}{w}_1^S+M_{0,2}{w}_2^S)\right)$
• $w_7-\left(r_1+(M_{1,0}{w}_0^S+M_{1,1}{w}_1^S+M_{1,2}{w}_2^S)\right)$
• $w_8-\left(r_2+(M_{2,0}{w}_0^S+M_{2,1}{w}_1^S+M_{2,2}{w}_2^S)\right)$

second round:

• $w_9-\left(r_3+(M_{0,0}{w}_6^S+M_{0,1}{w}_7^S+M_{0,2}{w}_8^S)\right)$
• $w_{10}-\left(r_4+(M_{1,0}{w}_6^S+M_{1,1}{w}_7^S+M_{1,2}{w}_8^S)\right)$
• $w_{11}-\left(r_5+(M_{2,0}{w}_6^S+M_{2,1}{w}_7^S+M_{2,2}{w}_8^S)\right)$

third round:

• $w_{12}-\left(r_6+(M_{0,0}{w}_9^S+M_{0,1}{w}_{10}^S+M_{0,2}{w}_{11}^S)\right)$
• $w_{13}-\left(r_7+(M_{1,0}{w}_9^S+M_{1,1}{w}_{10}^S+M_{1,2}{w}_{11}^S)\right)$
• $w_{14}-\left(r_8+(M_{2,0}{w}_9^S+M_{2,1}{w}_{10}^S+M_{2,2}{w}_{11}^S)\right)$

fourth round:

• $w_3-\left(r_9+(M_{0,0}{w}_{12}^S+M_{0,1}{w}_{13}^S+M_{0,2}{w}_{14}^S)\right)$
• $w_4-\left(r_{10}+(M_{1,0}{w}_{12}^S+M_{1,1}{w}_{13}^S+M_{1,2}{w}_{14}^S)\right)$
• $w_5-\left(r_{11}+(M_{2,0}{w}_{12}^S+M_{2,1}{w}_{13}^S+M_{2,2}{w}_{14}^S)\right)$

fifth round:

• $w_{0,next}-\left(r_{12}+(M_{0,0}{w}_3^S+M_{0,1}{w}_4^S+M_{0,2}{w}_5^S)\right)$
• $w_{1,next}-\left(r_{13}+(M_{1,0}{w}_3^S+M_{1,1}{w}_4^S+M_{1,2}{w}_5^S)\right)$
• $w_{2,next}-\left(r_{14}+(M_{2,0}{w}_3^S+M_{2,1}{w}_4^S+M_{2,2}{w}_5^S)\right)$

where $w_{i,next}$ is the polynomial $w_i(\omega x)$ which points to the next row.

Elliptic Curve Addition

The layout is

where

• (x1, y1), (x2, y2) are the inputs and (x3, y3) the output.
• inf is a boolean that is true iff the result (x3, y3) is the point at infinity.

The rest of the values are inaccessible from the permutation argument, but same_x is a boolean that is true iff x1 == x2.

The following constraints are generated:

constraint 1:

• $x_0=w_2-w_0$
• $(w_{10}\cdot x_0-\mathbb{F}(1)-w_7)$

constraint 2:

• $x_0=w_2-w_0$
• $w_7\cdot x_0$

constraint 3:

• $x_0=w_2-w_0$
• $x_1=w_3-w_1$
• $x_2=w_0\cdot w_0$
• $w_7\cdot (2\cdot w_8\cdot w_1-2\cdot x_2-x_2)+(\mathbb{F}(1)-w_7)\cdot (x_0\cdot w_8-x_1)$

constraint 4:

• $w_0+w_2+w_4-w_8\cdot w_8$

constraint 5:

• $w_8\cdot (w_0-w_4)-w_1-w_5$

constraint 6:

• $x_1=w_3-w_1$
• $x_1\cdot (w_7-w_6)$

constraint 7:

• $x_1=w_3-w_1$
• $x_1\cdot w_9-w_6$

Endo Scalar

We give constraints for the endomul scalar computation.

Each row corresponds to 8 iterations of the inner loop in “Algorithm 2” on page 29 of the Halo paper.

The state of the algorithm that’s updated across iterations of the loop is (a, b). It’s clear from that description of the algorithm that an iteration of the loop can be written as

(a, b, i) ->
  ( 2 * a + c_func(r_{2 * i}, r_{2 * i + 1}),
    2 * b + d_func(r_{2 * i}, r_{2 * i + 1}) )

for some functions c_func and d_func. If one works out what these functions are on every input (thinking of a two-bit input as a number in $\{0,1,2,3\}$), one finds they are given by

• c_func(x), defined by

  • c_func(0) = 0
  • c_func(1) = 0
  • c_func(2) = -1
  • c_func(3) = 1

• d_func(x), defined by

  • d_func(0) = -1
  • d_func(1) = 1
  • d_func(2) = 0
  • d_func(3) = 0

One can then interpolate to find polynomials that implement these functions on $\{0,1,2,3\}$.

You can use sage, as

R = PolynomialRing(QQ, 'x')
c_func = R.lagrange_polynomial([(0, 0), (1, 0), (2, -1), (3, 1)])
d_func = R.lagrange_polynomial([(0, -1), (1, 1), (2, 0), (3, 0)])

Then, c_func is given by

2/3 * x^3 - 5/2 * x^2 + 11/6 * x

and d_func is given by

2/3 * x^3 - 7/2 * x^2 + 29/6 * x - 1 <=> c_func + (-x^2 + 3x - 1)

We lay it out the witness as

where each xi is a two-bit “crumb”.

We also use a polynomial to check that each xi is indeed in $\{0,1,2,3\}$, which can be done by checking that each $x_i$ is a root of the polyunomial below:

crumb(x)
= x (x - 1) (x - 2) (x - 3)
= x^4 - 6*x^3 + 11*x^2 - 6*x
= x *(x^3 - 6*x^2 + 11*x - 6)

Each iteration performs the following computations

• Update $n$: $n_{i+1}=2\cdot n_i+x_i$
• Update $a$: $a_{i+1}=2\cdot a_i+c_i$
• Update $b$: $b_{i+1}=2\cdot b_i+d_i$

Then, after the 8 iterations, we compute expected values of the above operations as:

• expected_n8 := 2 * ( 2 * ( 2 * ( 2 * ( 2 * ( 2 * ( 2 * (2 * n0 + x0) + x1 ) + x2 ) + x3 ) + x4 ) + x5 ) + x6 ) + x7
• expected_a8 := 2 * ( 2 * ( 2 * ( 2 * ( 2 * ( 2 * ( 2 * (2 * a0 + c0) + c1 ) + c2 ) + c3 ) + c4 ) + c5 ) + c6 ) + c7
• expected_b8 := 2 * ( 2 * ( 2 * ( 2 * ( 2 * ( 2 * ( 2 * (2 * b0 + d0) + d1 ) + d2 ) + d3 ) + d4 ) + d5 ) + d6 ) + d7

Putting together all of the above, these are the 11 constraints for this gate

• Checking values after the 8 iterations:
  • Constrain $n$: 0 = expected_n8 - n8
  • Constrain $a$: 0 = expected_a8 - a8
  • Constrain $b$: 0 = expected_b8 - b8
• Checking the crumbs, meaning each $x$ is indeed in the range $\{0,1,2,3\}$:
  • Constrain $x_0$: 0 = x0 * ( x0^3 - 6 * x0^2 + 11 * x0 - 6 )
  • Constrain $x_1$: 0 = x1 * ( x1^3 - 6 * x1^2 + 11 * x1 - 6 )
  • Constrain $x_2$: 0 = x2 * ( x2^3 - 6 * x2^2 + 11 * x2 - 6 )
  • Constrain $x_3$: 0 = x3 * ( x3^3 - 6 * x3^2 + 11 * x3 - 6 )
  • Constrain $x_4$: 0 = x4 * ( x4^3 - 6 * x4^2 + 11 * x4 - 6 )
  • Constrain $x_5$: 0 = x5 * ( x5^3 - 6 * x5^2 + 11 * x5 - 6 )
  • Constrain $x_6$: 0 = x6 * ( x6^3 - 6 * x6^2 + 11 * x6 - 6 )
  • Constrain $x_7$: 0 = x7 * ( x7^3 - 6 * x7^2 + 11 * x7 - 6 )

Endo Scalar Multiplication

We implement custom gate constraints for short Weierstrass curve endomorphism optimised variable base scalar multiplication.

Given a finite field ${\mathbb{F}}_q$ of order $q$, if the order is not a multiple of 2 nor 3, then an elliptic curve over ${\mathbb{F}}_q$ in short Weierstrass form is represented by the set of points $(x,y)$ that satisfy the following equation with $a,b\in {\mathbb{F}}_q$  and $4a^3+27b^2{\ne }_{{\mathbb{F}}_q}0$: $$E({\mathbb{F}}_q):y^2=x^3+ax+b$$ If $P=(x_p,y_p)$ and $T=(x_t,y_t)$ are two points in the curve $E({\mathbb{F}}_q)$, the goal of this operation is to perform the operation $2P\pm T$ efficiently as $(P\pm T)+P$.

S = (P + (b ? T : −T)) + P

The same algorithm can be used to perform other scalar multiplications, meaning it is not restricted to the case $2\cdot P$, but it can be used for any arbitrary $k\cdot P$. This is done by decomposing the scalar $k$ into its binary representation. Moreover, for every step, there will be a one-bit constraint meant to differentiate between addition and subtraction for the operation $(P\pm T)+P$:

In particular, the constraints of this gate take care of 4 bits of the scalar within a single EVBSM row. When the scalar is longer (which will usually be the case), multiple EVBSM rows will be concatenated.

The layout of this gate (and the next row) allows for this chained behavior where the output point of the current row $S$ gets accumulated as one of the inputs of the following row, becoming $P$ in the next constraints. Similarly, the scalar is decomposed into binary form and $n$ ($n^{\prime }$ respectively) will store the current accumulated value and the next one for the check.

For readability, we define the following variables for the constraints:

• endo $:=$ EndoCoefficient
• xq1 $:=(1+($endo$-1)\cdot b_1)\cdot x_t$
• xq2 $:=(1+($endo$-1)\cdot b_3)\cdot x_t$
• yq1 $:=(2\cdot b_2-1)\cdot y_t$
• yq2 $:=(2\cdot b_4-1)\cdot y_t$

These are the 11 constraints that correspond to each EVBSM gate, which take care of 4 bits of the scalar within a single EVBSM row:

• First block:
  • (xq1 - xp) * s1 = yq1 - yp
  • (2 * xp – s1^2 + xq1) * ((xp – xr) * s1 + yr + yp) = (xp – xr) * 2 * yp
  • (yr + yp)^2 = (xp – xr)^2 * (s1^2 – xq1 + xr)
• Second block:
  • (xq2 - xr) * s3 = yq2 - yr
  • (2*xr – s3^2 + xq2) * ((xr – xs) * s3 + ys + yr) = (xr – xs) * 2 * yr
  • (ys + yr)^2 = (xr – xs)^2 * (s3^2 – xq2 + xs)
• Booleanity checks:
  • Bit flag $b_1$: 0 = b1 * (b1 - 1)
  • Bit flag $b_2$: 0 = b2 * (b2 - 1)
  • Bit flag $b_3$: 0 = b3 * (b3 - 1)
  • Bit flag $b_4$: 0 = b4 * (b4 - 1)
• Binary decomposition:
  • Accumulated scalar: n_next = 16 * n + 8 * b1 + 4 * b2 + 2 * b3 + b4

The constraints above are derived from the following EC Affine arithmetic equations:

• (1) => $(x_{q_1}-x_p)\cdot s_1=y_{q_1}-y_p$
• (2&3) => $(x_p–x_r)\cdot s_2=y_r+y_p$
• (2) => $(2\cdot x_p+x_{q_1}–s_1^2)\cdot (s_1+s_2)=2\cdot y_p$
  • <=> $(2\cdot x_p–s_1^2+x_{q_1})\cdot ((x_p–x_r)\cdot s_1+y_r+y_p)=(x_p–x_r)\cdot 2\cdot y_p$
• (3) => $s_1^2-s_2^2=x_{q_1}-x_r$
  • <=> $(y_r+y_p{)}^2=(x_p–x_r{)}^2\cdot (s_1^2–x_{q_1}+x_r)$
• (4) => $(x_{q_2}-x_r)\cdot s_3=y_{q_2}-y_r$
• (5&6) => $(x_r–x_s)\cdot s_4=y_s+y_r$
• (5) => $(2\cdot x_r+x_{q_2}–s_3^2)\cdot (s_3+s_4)=2\cdot y_r$
  • <=> $(2\cdot x_r–s_3^2+x_{q_2})\cdot ((x_r–x_s)\cdot s_3+y_s+y_r)=(x_r–x_s)\cdot 2\cdot y_r$
• (6) => $s_3^2–s_4^2=x_{q_2}-x_s$
  • <=> $(y_s+y_r{)}^2=(x_r–x_s{)}^2\cdot (s_3^2–x_{q_2}+x_s)$

Defining $s_2$ and $s_4$ as

• $s_2:=\frac{2\cdot y_P}{2\ast x_P+x_T-s_1^2}-s_1$
• $s_4:=\frac{2\cdot y_R}{2\ast x_R+x_T-s_3^2}-s_3$

Gives the following equations when substituting the values of $s_2$ and $s_4$:

1. (xq1 - xp) * s1 = (2 * b1 - 1) * yt - yp

2. (2 * xp – s1^2 + xq1) * ((xp – xr) * s1 + yr + yp) = (xp – xr) * 2 * yp

3. (yr + yp)^2 = (xp – xr)^2 * (s1^2 – xq1 + xr)

4. (xq2 - xr) * s3 = (2 * b2 - 1) * yt - yr

5. (2 * xr – s3^2 + xq2) * ((xr – xs) * s3 + ys + yr) = (xr – xs) * 2 * yr

6. (ys + yr)^2 = (xr – xs)^2 * (s3^2 – xq2 + xs)

Scalar Multiplication

We implement custom Plonk constraints for short Weierstrass curve variable base scalar multiplication.

Given a finite field ${\mathbb{F}}_q$ of order $q$, if the order is not a multiple of 2 nor 3, then an elliptic curve over ${\mathbb{F}}_q$ in short Weierstrass form is represented by the set of points $(x,y)$ that satisfy the following equation with $a,b\in {\mathbb{F}}_q$ and $4a^3+27b^2{\ne }_{{\mathbb{F}}_q}0$: $$E({\mathbb{F}}_q):y^2=x^3+ax+b$$ If $P=(x_p,y_p)$ and $Q=(x_q,y_q)$ are two points in the curve $E({\mathbb{F}}_q)$, the algorithm we represent here computes the operation $2P+Q$ (point doubling and point addition) as $(P+Q)+Q$.

The original algorithm that is being used can be found in the Section 3.1 of https://arxiv.org/pdf/math/0208038.pdf, which can perform the above operation using 1 multiplication, 2 squarings and 2 divisions (one more squaring) if $P=Q$), thanks to the fact that computing the $Y$-coordinate of the intermediate addition is not required. This is more efficient to the standard algorithm that requires 1 more multiplication, 3 squarings in total and 2 divisions.

Moreover, this algorithm can be applied not only to the operation $2P+Q$, but any other scalar multiplication $kP$. This can be done by expressing the scalar $k$ in biwise form and performing a double-and-add approach. Nonetheless, this requires conditionals to differentiate $2P$ from $2P+Q$. For that reason, we will implement the following pseudocode from https://github.com/zcash/zcash/issues/3924 (where instead, they give a variant of the above efficient algorithm for Montgomery curves $b\cdot y^2=x^3+a\cdot x^2+x$).

Acc := [2]T
for i = n-1 ... 0:
   Q := (k_{i + 1} == 1) ? T : -T
   Acc := Acc + (Q + Acc)
return (k_0 == 0) ? Acc - P : Acc

The layout of the witness requires 2 rows. The i-th row will be a VBSM gate whereas the next row will be a ZERO gate.

The gate constraints take care of 5 bits of the scalar multiplication. Each single bit consists of 4 constraints. There is one additional constraint imposed on the final number. Thus, the VarBaseMul gate argument requires 21 constraints.

For every bit, there will be one constraint meant to differentiate between addition and subtraction for the operation $(P\pm T)+P$:

S = (P + (b ? T : −T)) + P

We follow these criteria:

• If the bit is positive, the sign should be a subtraction
• If the bit is negative, the sign should be an addition

Then, paraphrasing the above, we will represent this behavior as:

S = (P - (2 * b - 1) * T ) + P

Let us call Input the point with coordinates (xI, yI) and Target is the point being added with coordinates (xT, yT). Then Output will be the point with coordinates (xO, yO) resulting from O = ( I ± T ) + I

In each step of the algorithm, we consider the following elliptic curves affine arithmetic equations:

• $s_1:=\frac{y_i-(2\cdot b-1)\cdot y_t}{x_i-x_t}$
• $s_2:=\frac{2\cdot y_i}{2\ast x_i+x_t-s_1^2}-s_1$
• $x_o:=x_t+s_2^2-s_1^2$
• $y_o:=s_2\cdot (x_i-x_o)-y_i$

For readability, we define the following 3 variables in such a way that $s_2$ can be expressed as u / t:

• rx $:=s_1^2-x_i-x_t$
• t $:=x_i-$ rx $⟺2\cdot x_i-s_1^2+x_t$
• u $:=2\cdot y_i-$ t $\cdot s_1⟺2\cdot y_i-s_1\cdot (2\cdot x_i-s_1^2+x_t)$

Next, for each bit in the algorithm, we create the following 4 constraints that derive from the above:

• Booleanity check on the bit $b$: 0 = b * b - b
• Constrain $s_1$: (xI - xT) * s1 = yI – (2b - 1) * yT
• Constrain Output $X$-coordinate $x_o$ and $s_2$: 0 = u^2 - t^2 * (xO - xT + s1^2)
• Constrain Output $Y$-coordinate $y_o$ and $s_2$: 0 = (yO + yI) * t - (xI - xO) * u

When applied to the 5 bits, the value of the Target point (xT, yT) is maintained, whereas the values for the Input and Output points form the chain:

[(x0, y0) -> (x1, y1) -> (x2, y2) -> (x3, y3) -> (x4, y4) -> (x5, y5)]

Similarly, 5 different s0..s4 are required, just like the 5 bits b0..b4.

Finally, the additional constraint makes sure that the scalar is being correctly expressed into its binary form (using the double-and-add decomposition) as: $$n^{\prime }=2^5\cdot n+2^4\cdot b_0+2^3\cdot b_1+2^2\cdot b_2+2^1\cdot b_3+b_4$$ This equation is translated as the constraint:

• Binary decomposition: 0 = n' - (b4 + 2 * (b3 + 2 * (b2 + 2 * (b1 + 2 * (b0 + 2*n)))))

Range Check

The multi range check gadget is comprised of three circuit gates (RangeCheck0, RangeCheck1 and Zero) and can perform range checks on three values ($v_0,v_1$ and $v_2$) of up to 88 bits each.

Values can be copied as inputs to the multi range check gadget in two ways:

• (Standard mode) With 3 copies, by copying $v_0,v_1$ and $v_2$ to the first cells of the first 3 rows of the gadget. In this mode the first gate coefficient is set to 0.
• (Compact mode) With 2 copies, by copying $v_2$ to the first cell of the first row and copying $v_{10}=v_0+2^{\ell }\cdot v_1$ to the 2nd cell of row 2. In this mode the first gate coefficient is set to 1.

The RangeCheck0 gate can also be used on its own to perform 64-bit range checks by constraining witness cells 1-2 to zero.

Byte-order:

• Each cell value is in little-endian byte order
• Limbs are mapped to columns in big-endian order (i.e. the lowest columns contain the highest bits)
• We also have the highest bits covered by copy constraints and plookups, so that we can copy the highest two constraints to zero and get a 64-bit lookup, which are envisioned to be a common case

The values are decomposed into limbs as follows:

• L is a 12-bit lookup (or copy) limb,
• C is a 2-bit “crumb” limb (we call half a nybble a crumb).

        <----6----> <------8------>
   v0 = L L L L L L C C C C C C C C
   v1 = L L L L L L C C C C C C C C
        <2> <--4--> <---------------18---------------->
   v2 = C C L L L L C C C C C C C C C C C C C C C C C C

Witness structure:

• The first 2 rows contain $v_0$ and $v_1$ and their respective decompositions into 12-bit and 2-bit limbs
• The 3rd row contains $v_2$ and part of its decomposition: four 12-bit limbs and the 1st 10 crumbs
• The final row contains $v_0$’s and $v_1$’s 5th and 6th 12-bit limbs as well as the remaining 10 crumbs of $v_2$

Constraints:

For efficiency, the limbs are constrained differently according to their type:

• 12-bit limbs are constrained with plookups
• 2-bit crumbs are constrained with degree-4 constraints $x(x-1)(x-2)(x-3)$

Layout:

This is how the three 88-bit inputs $v_0,v_1$ and $v_2$ are laid out and constrained.

• vipj is the jth 12-bit limb of value $v_i$
• vicj is the jth 2-bit crumb limb of value $v_i$

The 12-bit chunks are constrained with plookups and the 2-bit crumbs are constrained with degree-4 constraints of the form $x(x-1)(x-2)(x-3)$.

Note that copy denotes a plookup that is deferred to the 4th gate (i.e. Zero). This is because of the limitation that we have at most 4 lookups per row. The copies are constrained using the permutation argument.

Gate types:

Different rows are constrained using different CircuitGate types

RangeCheck0 - Range check constraints

• This circuit gate is used to partially constrain values $v_0$ and $v_1$
• Optionally, it can be used on its own as a single 64-bit range check by constraining columns 1 and 2 to zero
• The rest of $v_0$ and $v_1$ are constrained by the lookups in the Zero gate row
• This gate operates on the Curr row

It uses three different types of constraints:

• copy - copy to another cell (12-bits)
• plookup - plookup (12-bits)
• crumb - degree-4 constraint (2-bits)

Given value v the layout looks like this

where the notation vpi and vci defined in the “Layout” section above.

RangeCheck1 - Range check constraints

• This circuit gate is used to fully constrain $v_2$
• It operates on the Curr and Next rows

It uses two different types of constraints:

• plookup - plookup (12-bits)
• crumb - degree-4 constraint (2-bits)

Given value v2 the layout looks like this

where the notation v2ci and v2pi defined in the “Layout” section above.

Foreign Field Addition

These circuit gates are used to constrain that

left_input +/- right_input = field_overflow * foreign_modulus + result

Documentation

For more details please see the Foreign Field Addition chapter.

Mapping

To make things clearer, the following mapping between the variable names used in the code and those of the RFC document can be helpful.

    left_input_lo -> a0  right_input_lo -> b0  result_lo -> r0  bound_lo -> u0
    left_input_mi -> a1  right_input_mi -> b1  result_mi -> r1  bound_mi -> u1
    left_input_hi -> a2  right_input_hi -> b2  result_hi -> r2  bound_hi -> u2

    field_overflow  -> q
    sign            -> s
    carry_lo        -> c0
    carry_mi        -> c1
    bound_carry_lo  -> k0
    bound_carry_mi  -> k1

Note: Our limbs are 88-bit long. We denote with:

• lo the least significant limb (in little-endian, this is from 0 to 87)
• mi the middle limb (in little-endian, this is from 88 to 175)
• hi the most significant limb (in little-endian, this is from 176 to 263)

Let left_input_lo, left_input_mi, left_input_hi be 88-bit limbs of the left element

Let right_input_lo, right_input_mi, right_input_hi be 88-bit limbs of the right element

Let foreign_modulus_lo, foreign_modulus_mi, foreign_modulus_hi be 88-bit limbs of the foreign modulus

Then the limbs of the result are

• result_lo = left_input_lo +/- right_input_lo - field_overflow * foreign_modulus_lo - 2^{88} * result_carry_lo
• result_mi = left_input_mi +/- right_input_mi - field_overflow * foreign_modulus_mi - 2^{88} * result_carry_mi + result_carry_lo
• result_hi = left_input_hi +/- right_input_hi - field_overflow * foreign_modulus_hi + result_carry_mi

field_overflow $=0$ or $1$ or $-1$ handles overflows in the field

result_carry_i $=-1,0,1$ are auxiliary variables that handle carries between limbs

Apart from the range checks of the chained inputs, we need to do an additional range check for a final bound to make sure that the result is less than the modulus, by adding 2^{3*88} - foreign_modulus to it.  (This can be computed easily from the limbs of the modulus) Note that 2^{264} as limbs represents: (0, 0, 0, 1) then:

The upper-bound check can be calculated as:

• bound_lo = result_lo - foreign_modulus_lo - bound_carry_lo * 2^{88}
• bound_mi = result_mi - foreign_modulus_mi - bound_carry_mi * 2^{88} + bound_carry_lo
• bound_hi = result_hi - foreign_modulus_hi + 2^{88} + bound_carry_mi

Which is equivalent to another foreign field addition with right input 2^{264}, q = 1 and s = 1

• bound_lo = result_lo + s * 0 - q * foreign_modulus_lo - bound_carry_lo * 2^{88}
• bound_mi = result_mi + s * 0 - q * foreign_modulus_mi - bound_carry_mi * 2^{88} + bound_carry_lo
• bound_hi = result_hi + s * 2^{88} - q * foreign_modulus_hi + bound_carry_mi

bound_carry_i $=0$ or $1$ or $-1$ are auxiliary variables that handle carries between limbs

The range check of bound can be skipped until the end of the operations and result is an intermediate value that is unused elsewhere (since the final result must have had the right amount of moduli subtracted along the way, meaning a multiple of the modulus). In other words, intermediate results could potentially give a valid witness that satisfies the constraints but where the result is larger than the modulus (yet smaller than 2^{264}). The reason that we have a  final bound check is to make sure that the final result (min_result) is indeed the minimum one  (meaning less than the modulus).

A more optimized version of these constraints is able to reduce by 2 the number of constraints and by 1 the number of witness cells needed. The idea is to condense the low and middle limbs in one longer limb of 176 bits (which fits inside our native field) and getting rid of the low carry flag. With this idea in mind, the sole carry flag we need is the one located between the middle and the high limbs.

Layout

The sign of the operation (whether it is an addition or a subtraction) is stored in the fourth coefficient as a value +1 (for addition) or -1 (for subtraction). The first 3 coefficients are the 3 limbs of the foreign modulus. One could lay this out as a double-width gate for chained foreign additions and a final row, e.g.:

We reuse the foreign field addition gate for the final bound check since this is an addition with a specific parameter structure. Checking that the correct right input, overflow, and overflow are used shall be done by copy constraining these values with a public input value. One could have a specific gate for just this check requiring less constrains, but the cost of adding one more selector gate outweights the savings of one row and a few constraints of difference.

Integration

• Copy final overflow bit from public input containing value 1  * Range check the final bound

Foreign Field Multiplication

This gadget is used to constrain that

left_input * right_input = quotient * foreign_field_modulus + remainder

Documentation

For more details please see the Foreign Field Multiplication chapter or the original Foreign Field Multiplication RFC.

Notations

For clarity, we use more descriptive variable names in the code than in the RFC, which uses mathematical notations.

In order to relate the two documents, the following mapping between the variable names used in the code and those of the RFC can be helpful.

left_input0 => a0  right_input0 => b0  quotient0 => q0  remainder01 => r01
left_input1 => a1  right_input1 => b1  quotient1 => q1
left_input2 => a2  right_input2 => b2  quotient2 => q2  remainder2 => r2

   product1_lo => p10      product1_hi_0 => p110     product1_hi_1 => p111
   carry0 => v0            carry1_lo => v10          carry1_hi => v11
   quotient_hi_bound => q'2

Suffixes

The variable names in this code uses descriptive suffixes to convey information about the positions of the bits referred to. When a word is split into up to n parts we use: 0, 1 … n (where n is the most significant). For example, if we split word x into three limbs, we’d name them x0, x1 and x2 or x[0], x[1] and x[2].

Continuing in this fashion, when one of those words is subsequently split in half, then we add the suffixes _lo and _hi, where hi corresponds to the most significant bits. For our running example, x1 would become x1_lo and x1_hi. If we are splitting into more than two things, then we pick meaningful names for each.

So far we’ve explained our conventions for a splitting depth of up to 2. For splitting deeper than two, we simply cycle back to our depth 1 suffixes again. So for example, x1_lo would be split into x1_lo_0 and x1_lo_1.

Parameters

• hi_foreign_field_modulus := high limb of foreign field modulus $f$ (stored in gate coefficient 0)
• neg_foreign_field_modulus := negated foreign field modulus $f’$ (stored in gate coefficients 1-3)
• n := the native field modulus is obtainable from F, the native field’s trait bound

Witness

• left_input := left foreign field element multiplicand $ ~\in F_f$
• right_input := right foreign field element multiplicand $ ~\in F_f$
• quotient := foreign field quotient $ ~\in F_f$
• remainder := foreign field remainder $ ~\in F_f$
• carry0 := 2 bit carry
• carry1_lo := low 88 bits of carry1
• carry1_hi := high 3 bits of carry1
• product1_lo := lowest 88 bits of middle intermediate product
• product1_hi_0 := lowest 88 bits of middle intermediate product’s highest 88 + 2 bits
• product1_hi_1 := highest 2 bits of middle intermediate product
• quotient_hi_bound := quotient high bound for checking q2 ≤ f2

Layout

The foreign field multiplication gate’s rows are laid out like this

Rotation

Rotation of a 64-bit word by a known offset Rot64 onstrains known-length rotation of 64-bit words:

• This circuit gate is used to constrain that a 64-bit word is rotated by $r < 64$ bits to the “left”.
• The rotation is performed towards the most significant side (thus, the new LSB is fed with the old MSB).
• This gate operates on the Curr and Next rows.

The idea is to split the rotation operation into two parts:

• Shift to the left
• Add the excess bits to the right

We represent shifting with multiplication modulo $2^{64}$. That is, for each word to be rotated, we provide in the witness a quotient and a remainder, similarly to ForeignFieldMul such that the following operation holds:

$$word \cdot 2^{rot} = quotient \cdot 2^{64} + remainder$$

Then, the remainder corresponds to the shifted word, and the quotient corresponds to the excess bits.

$$word \cdot 2^{rot} = excess \cdot 2^{64} + shifted$$

Thus, in order to obtain the rotated word, we need to add the quotient and the remainder as follows:

$$rotated = shifted + excess$$

The input word is known to be of length 64 bits. All we need for soundness is check that the shifted and excess parts of the word have the correct size as well. That means, we need to range check that:

$$ \begin{aligned} excess &< 2^{rot}\ shifted &< 2^{64} \end{aligned} $$

The latter can be obtained with a RangeCheck0 gate setting the two most significant limbs to zero. The former is equivalent to the following check:

$$bound = excess - 2^{rot} + 2^{64} < 2^{64}$$

which is doable with the constraints in a RangeCheck0 gate. Since our current row within the Rot64 gate is almost empty, we can use it to perform the range check within the same gate. Then, using the following layout and assuming that the gate has a coefficient storing the value $2^{rot}$, which is publicly known

In Keccak, rotations are performed over a 5x5 matrix state of w-bit words each cell. The values used to perform the rotation are fixed, public, and known in advance, according to the following table, depending on the coordinate of each cell within the 5x5 matrix state:

But since we will always be using 64-bit words in our Keccak usecase ($w = 64$), we can have an equivalent table with these values modulo 64 to avoid needing multiple passes of the rotation gate (a single step would cause overflows otherwise):

Since there is one value of the coordinates (x, y) where the rotation is 0 bits, we can skip that step in the gadget. This will save us one gate, and thus the whole 25-1=24 rotations will be performed in just 48 rows.

Xor

Xor16 - Chainable XOR constraints for words of multiples of 16 bits.

• This circuit gate is used to constrain that in1 xored with in2 equals out
• The length of in1, in2 and out must be the same and a multiple of 16bits.
• This gate operates on the Curr and Next rows.

It uses three different types of constraints:

• copy - copy to another cell (32-bits)
• plookup - xor-table plookup (4-bits)
• decomposition - the constraints inside the gate

The 4-bit nybbles are assumed to be laid out with 0 column being the least significant nybble. Given values in1, in2 and out, the layout looks like this:

One single gate with next values of in1', in2' and out' being zero can be used to check that the original in1, in2 and out had 16-bits. We can chain this gate 4 times as follows to obtain a gadget for 64-bit words XOR: