Add SHA-384 support

Author: Avaneesh-axiom

Cargo.lock

@@ -279,6 +279,72 @@ pub const SHA512_H: [u64; 8] = [
     0x5be0cd19137e2179,
 ];
 
+#[derive(Clone)]
+pub struct Sha384Config;
+
+impl ShaConfig for Sha384Config {
+    // ==== Do not change these constants! ====
+    type Word = u64;
+    /// Number of bits in a SHA384 word
+    const WORD_BITS: usize = 64;
+    /// Number of words in a SHA384 block
+    const BLOCK_WORDS: usize = 16;
+    /// Number of rows per block
+    const ROWS_PER_BLOCK: usize = 21;
+    /// Number of rounds per row
+    const ROUNDS_PER_ROW: usize = 4;
+    /// Number of rounds per block
+    const ROUNDS_PER_BLOCK: usize = 80;
+    /// Number of words in a SHA384 hash
+    const HASH_WORDS: usize = 8;
+    /// Number of vars needed to encode the row index with [Encoder]
+    const ROW_VAR_CNT: usize = 6;
+
+    fn get_invalid_carry_a(round_num: usize) -> &'static [u32] {
+        &SHA384_INVALID_CARRY_A[round_num]
+    }
+    fn get_invalid_carry_e(round_num: usize) -> &'static [u32] {
+        &SHA384_INVALID_CARRY_E[round_num]
+    }
+    fn get_k() -> &'static [u64] {
+        &SHA384_K
+    }
+    fn get_h() -> &'static [u64] {
+        &SHA384_H
+    }
+}
+
+pub(crate) const SHA384_INVALID_CARRY_A: [[u32; Sha384Config::WORD_U16S];
+    Sha384Config::ROUNDS_PER_ROW] = [
+    [1571481603, 1428841901, 1050676523, 793575075],
+    [1233315842, 1822329223, 112923808, 1874228927],
+    [1245603842, 927240770, 1579759431, 70557227],
+    [195532801, 594312107, 1429379950, 220407092],
+];
+
+pub(crate) const SHA384_INVALID_CARRY_E: [[u32; Sha384Config::WORD_U16S];
+    Sha384Config::ROUNDS_PER_ROW] = [
+    [1067980802, 1508061099, 1418826213, 1232569491],
+    [1453086722, 1702524575, 152427899, 238512408],
+    [1623674882, 701393097, 1002035664, 4776891],
+    [1888911362, 184963225, 1151849224, 1034237098],
+];
+
+/// SHA384 constant K's
+pub const SHA384_K: [u64; 80] = SHA512_K;
+
+/// SHA384 initial hash values
+pub const SHA384_H: [u64; 8] = [
+    0xcbbb9d5dc1059ed8,
+    0x629a292a367cd507,
+    0x9159015a3070dd17,
+    0x152fecd8f70e5939,
+    0x67332667ffc00b31,
+    0x8eb44a8768581511,
+    0xdb0c2e0d64f98fa7,
+    0x47b5481dbefa4fa4,
+];
+
 // Needed to avoid compile errors in utils.rs
 // not sure why this doesn't inf loop
 pub trait RotateRight {

crates/circuits/sha-air/src/config.rs

@@ -1,4 +1,4 @@
-use crate::{ShaDigestColsRefMut, ShaRoundColsRef, ShaRoundColsRefMut};
+use crate::{Sha384Config, ShaDigestColsRefMut, ShaRoundColsRef, ShaRoundColsRefMut};
 use std::{borrow::BorrowMut, cmp::max, sync::Arc};
 
 use openvm_circuit::arch::{
@@ -22,7 +22,7 @@ use openvm_stark_backend::{
 use openvm_stark_sdk::utils::create_seeded_rng;
 use rand::Rng;
 
-use crate::{compose, small_sig0_field, Sha256Config, Sha512Config, Sha2Air, ShaConfig};
+use crate::{compose, small_sig0_field, Sha256Config, Sha2Air, Sha512Config, ShaConfig};
 
 // A wrapper AIR purely for testing purposes
 #[derive(Clone, Debug)]
@@ -121,6 +121,11 @@ fn rand_sha512_test() {
     rand_sha_test::<Sha512Config>();
 }
 
+#[test]
+fn rand_sha384_test() {
+    rand_sha_test::<Sha384Config>();
+}
+
 // A wrapper Chip to test that the final_hash is properly constrained.
 // This chip implements a malicious trace gen that violates the final_hash constraints.
 pub struct ShaTestBadFinalHashChip<C: ShaConfig> {
@@ -282,3 +287,9 @@ fn test_sha256_final_hash_constraints() {
 fn test_sha512_final_hash_constraints() {
     test_sha_final_hash_constraints::<Sha512Config>();
 }
+
+#[test]
+#[should_panic]
+fn test_sha384_final_hash_constraints() {
+    test_sha_final_hash_constraints::<Sha384Config>();
+}

crates/circuits/sha-air/src/tests.rs

@@ -563,7 +563,7 @@ impl<C: ShaConfig> Sha2Air<C> {
 
     /// The following functions do the calculations in native field since they will be called on padding rows
     /// which can overflow and we need to make sure it matches the AIR constraints
-    /// Puts the correct carrys in the `next_row`, the resulting carrys can be out of bound
+    /// Puts the correct carries in the `next_row`, the resulting carries can be out of bounds
     pub fn generate_carry_ae<F: PrimeField32>(
         local_cols: ShaRoundColsRef<F>,
         next_cols: &mut ShaRoundColsRefMut<F>,

crates/circuits/sha-air/src/trace.rs

@@ -546,7 +546,8 @@ meaning all memory cells are constrained to be bytes.
 | Name        | Operands    | Description                                                                                                                                                              |
 | ----------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | SHA256_RV32 | `a,b,c,1,2` | `[r32{0}(a):32]_2 = sha256([r32{0}(b)..r32{0}(b)+r32{0}(c)]_2)`. Does the necessary padding. Performs memory reads with block size `16` and writes with block size `32`. |
-| SHA512_RV32 | `a,b,c,1,2` | `[r32{0}(a):64]_2 = sha512([r32{0}(b)..r32{0}(b)+r32{0}(c)]_2)`. Does the necessary padding. Performs memory reads with block size `16` and writes with block size `64`. |
+| SHA512_RV32 | `a,b,c,1,2` | `[r32{0}(a):64]_2 = sha512([r32{0}(b)..r32{0}(b)+r32{0}(c)]_2)`. Does the necessary padding. Performs memory reads with block size `16` and writes with block size `32`. |
+| SHA384_RV32 | `a,b,c,1,2` | `[r32{0}(a):64]_2 = sha384([r32{0}(b)..r32{0}(b)+r32{0}(c)]_2)`. Does the necessary padding. Performs memory reads with block size `16` and writes with block size `32`. Writes 64 bytes to memory: the first 48 are the SHA-384 digest and the last 16 are zeros. |
 
 ### BigInt Extension
 

docs/specs/ISA.md

@@ -84,6 +84,7 @@ the guest must take care to validate all data and account for behavior in cases
 | ----------- | --- | ----------- | ------ | ------ | ---------------------------------------- |
 | sha256      | R   | 0001011     | 100    | 0x1    | `[rd:32]_2 = sha256([rs1..rs1 + rs2]_2)` |
 | sha512      | R   | 0001011     | 100    | 0x2    | `[rd:32]_2 = sha512([rs1..rs1 + rs2]_2)` |
+| sha384      | R   | 0001011     | 100    | 0x3    | `[rd:32]_2 = sha384([rs1..rs1 + rs2]_2)` |
 
 ## BigInt Extension
 

docs/specs/RISCV.md

@@ -157,6 +157,7 @@ Each VM extension's behavior is specified below.
 | ----------- | ----------------------------------------------- |
 | sha256      | SHA256_RV32 `ind(rd), ind(rs1), ind(rs2), 1, 2` |
 | sha512      | SHA512_RV32 `ind(rd), ind(rs1), ind(rs2), 1, 2` |
+| sha384      | SHA384_RV32 `ind(rd), ind(rs1), ind(rs2), 1, 2` |
 
 ### BigInt Extension
 

docs/specs/transpiler.md

@@ -14,7 +14,7 @@ use openvm_rv32im_circuit::{
     Rv32MExecutor, Rv32MPeriphery,
 };
 use openvm_sha256_transpiler::Rv32Sha2Opcode;
-use openvm_sha_air::{Sha256Config, Sha512Config};
+use openvm_sha_air::{Sha256Config, Sha384Config, Sha512Config};
 use openvm_stark_backend::p3_field::PrimeField32;
 use serde::{Deserialize, Serialize};
 
@@ -53,6 +53,7 @@ pub struct Sha2;
 pub enum Sha2Executor<F: PrimeField32> {
     Sha256(Sha2VmChip<F, Sha256Config>),
     Sha512(Sha2VmChip<F, Sha512Config>),
+    Sha384(Sha2VmChip<F, Sha384Config>),
 }
 
 #[derive(From, ChipUsageGetter, Chip, AnyEnum)]
@@ -95,13 +96,23 @@ impl<F: PrimeField32> VmExtension<F> for Sha2 {
         let sha512_chip = Sha2VmChip::<F, Sha512Config>::new(
             builder.system_port(),
             builder.system_config().memory_config.pointer_max_bits,
-            bitwise_lu_chip,
+            bitwise_lu_chip.clone(),
             builder.new_bus_idx(),
             Rv32Sha2Opcode::CLASS_OFFSET,
             builder.system_base().offline_memory(),
         );
         inventory.add_executor(sha512_chip, vec![Rv32Sha2Opcode::SHA512.global_opcode()])?;
 
+        let sha384_chip = Sha2VmChip::<F, Sha384Config>::new(
+            builder.system_port(),
+            builder.system_config().memory_config.pointer_max_bits,
+            bitwise_lu_chip,
+            builder.new_bus_idx(),
+            Rv32Sha2Opcode::CLASS_OFFSET,
+            builder.system_base().offline_memory(),
+        );
+        inventory.add_executor(sha384_chip, vec![Rv32Sha2Opcode::SHA384.global_opcode()])?;
+
         Ok(inventory)
     }
 }

extensions/sha256/circuit/src/extension.rs

@@ -1,4 +1,5 @@
 use std::cmp::min;
+use std::convert::TryInto;
 
 use openvm_circuit::{
     arch::ExecutionBridge,
@@ -457,7 +458,7 @@ impl<C: ShaChipConfig> Sha2VmAir<C> {
             .when(not::<AB::Expr>(is_last_row.clone()))
             .assert_eq(*next_cols.control.len, *local_cols.control.len);
 
-        // Read ptr should increment by [SHA256_READ_SIZE] for the first 4 rows and stay the same otherwise
+        // Read ptr should increment by [C::READ_SIZE] for the first 4 rows and stay the same otherwise
         let read_ptr_delta =
             *local_cols.inner.flags.is_first_4_rows * AB::Expr::from_canonical_usize(C::READ_SIZE);
         builder
@@ -510,7 +511,8 @@ impl<C: ShaChipConfig> Sha2VmAir<C> {
                     )
                     .eval(builder, *local_cols.inner.flags.is_first_4_rows);
             }
-            Sha2Variant::Sha512 => {
+            // Sha512 and Sha384 have the same read size so we put them together
+            Sha2Variant::Sha512 | Sha2Variant::Sha384 => {
                 let message: [AB::Var; Sha512Config::READ_SIZE] =
                     message.try_into().unwrap_or_else(|_| {
                         panic!("message is not the correct size");
@@ -610,10 +612,10 @@ impl<C: ShaChipConfig> Sha2VmAir<C> {
         // the number of reads that happened to read the entire message: we do 4 reads per block
         let time_delta = (*local_cols.inner.flags.local_block_idx + AB::Expr::ONE)
             * AB::Expr::from_canonical_usize(4);
-        // Every time we read the message we increment the read pointer by SHA256_READ_SIZE
+        // Every time we read the message we increment the read pointer by C::READ_SIZE
         let read_ptr_delta = time_delta.clone() * AB::Expr::from_canonical_usize(C::READ_SIZE);
 
-        let result: Vec<AB::Var> = (0..C::DIGEST_SIZE)
+        let result: Vec<AB::Var> = (0..C::HASH_SIZE)
             .map(|i| {
                 // The limbs are written in big endian order to the memory so need to be reversed
                 local_cols.inner.final_hash[[i / C::WORD_U8S, C::WORD_U8S - i % C::WORD_U8S - 1]]
@@ -630,7 +632,7 @@ impl<C: ShaChipConfig> Sha2VmAir<C> {
                 debug_assert_eq!(C::NUM_WRITES, 1);
                 debug_assert_eq!(local_cols.writes_aux_base.len(), 1);
                 debug_assert_eq!(local_cols.writes_aux_prev_data.nrows(), 1);
-                let prev_data: [AB::Var; Sha256Config::DIGEST_SIZE] = local_cols
+                let prev_data: [AB::Var; Sha256Config::HASH_SIZE] = local_cols
                     .writes_aux_prev_data
                     .row(0)
                     .to_vec()
@@ -654,13 +656,20 @@ impl<C: ShaChipConfig> Sha2VmAir<C> {
                     )
                     .eval(builder, is_last_row.clone());
             }
-            Sha2Variant::Sha512 => {
+            Sha2Variant::Sha512 | Sha2Variant::Sha384 => {
                 debug_assert_eq!(C::NUM_WRITES, 2);
                 debug_assert_eq!(local_cols.writes_aux_base.len(), 2);
                 debug_assert_eq!(local_cols.writes_aux_prev_data.nrows(), 2);
+
+                // For Sha384, set the last 16 cells to 0
+                let mut truncated_result: Vec<AB::Expr> =
+                    result.iter().map(|x| (*x).into()).collect();
+                for x in truncated_result.iter_mut().skip(C::DIGEST_SIZE) {
+                    *x = AB::Expr::ZERO;
+                }
+
                 // write the digest in two halves because we only support writes up to 32 bytes
                 for i in 0..Sha512Config::NUM_WRITES {
-                    // for i in 0..1 {
                     let prev_data: [AB::Var; Sha512Config::WRITE_SIZE] = local_cols
                         .writes_aux_prev_data
                         .row(i)
@@ -677,8 +686,9 @@ impl<C: ShaChipConfig> Sha2VmAir<C> {
                                 dst_ptr_val.clone()
                                     + AB::Expr::from_canonical_usize(i * Sha512Config::WRITE_SIZE),
                             ),
-                            result
+                            truncated_result
                                 [i * Sha512Config::WRITE_SIZE..(i + 1) * Sha512Config::WRITE_SIZE]
+                                .to_vec()
                                 .try_into()
                                 .unwrap_or_else(|_| {
                                     panic!("result is not the correct size");

extensions/sha256/circuit/src/sha256_chip/air.rs

@@ -53,7 +53,6 @@ pub struct ShaVmDigestCols<
     const ROUNDS_PER_ROW: usize,
     const ROUNDS_PER_ROW_MINUS_ONE: usize,
     const ROW_VAR_CNT: usize,
-    const DIGEST_SIZE: usize,
     const NUM_WRITES: usize,
     const WRITE_SIZE: usize,
 > {
@@ -85,8 +84,6 @@ pub struct ShaVmDigestCols<
     pub writes_aux_prev_data: [[T; WRITE_SIZE]; NUM_WRITES],
 }
 
-pub type Sha256VmDigestCols<F> = ShaVmDigestCols<F, 32, 4, 2, 8, 4, 3, 5, 32, 1, 32>;
-
 /// These are the columns that are used on both round and digest rows
 #[repr(C)]
 #[derive(Clone, Copy, Debug, ColsRef)]

extensions/sha256/circuit/src/sha256_chip/columns.rs

@@ -1,12 +1,13 @@
 use openvm_instructions::riscv::RV32_CELL_BITS;
 use openvm_sha256_transpiler::Rv32Sha2Opcode;
-use openvm_sha_air::{Sha256Config, Sha512Config, ShaConfig};
+use openvm_sha_air::{Sha256Config, Sha384Config, Sha512Config, ShaConfig};
 
 use super::{ShaVmControlColsRef, ShaVmDigestColsRef, ShaVmRoundColsRef};
 
 pub enum Sha2Variant {
     Sha256,
     Sha512,
+    Sha384,
 }
 
 pub trait ShaChipConfig: ShaConfig {
@@ -44,13 +45,15 @@ pub trait ShaChipConfig: ShaConfig {
 
     /// Number of cells to read in a single memory access
     const READ_SIZE: usize = Self::WORD_U8S * Self::ROUNDS_PER_ROW;
-    /// Number of cells in the digest
-    const DIGEST_SIZE: usize = Self::WORD_U8S * Self::HASH_WORDS;
-    /// Digest will be written in NUM_WRITES parts of equal size
-    /// NUM_WRITES must divide DIGEST_SIZE
+    /// Number of cells in the digest before truncation (Sha384 truncates the digest)
+    const HASH_SIZE: usize = Self::WORD_U8S * Self::HASH_WORDS;
+    /// Number of cells in the digest after truncation
+    const DIGEST_SIZE: usize;
+
+    /// Number of parts to write the hash in. Must divide HASH_SIZE
     const NUM_WRITES: usize;
     /// Size of each write
-    const WRITE_SIZE: usize = Self::DIGEST_SIZE / Self::NUM_WRITES;
+    const WRITE_SIZE: usize = Self::HASH_SIZE / Self::NUM_WRITES;
 }
 
 /// Register reads to get dst, src, len
@@ -62,6 +65,8 @@ impl ShaChipConfig for Sha256Config {
     const MESSAGE_LENGTH_BITS: usize = 64;
     const NUM_WRITES: usize = 1;
     const OPCODE: Rv32Sha2Opcode = Rv32Sha2Opcode::SHA256;
+    // no truncation
+    const DIGEST_SIZE: usize = Self::HASH_SIZE;
 }
 
 // Currently same as Sha256Config, but can configure later
@@ -72,4 +77,17 @@ impl ShaChipConfig for Sha512Config {
     // Use 2 writes because we only support writes up to 32 bytes
     const NUM_WRITES: usize = 2;
     const OPCODE: Rv32Sha2Opcode = Rv32Sha2Opcode::SHA512;
+    // no truncation
+    const DIGEST_SIZE: usize = Self::HASH_SIZE;
+}
+
+impl ShaChipConfig for Sha384Config {
+    const VARIANT: Sha2Variant = Sha2Variant::Sha384;
+    const OPCODE_NAME: &'static str = "SHA384";
+    const MESSAGE_LENGTH_BITS: usize = 128;
+    // Use 2 writes because we only support writes up to 32 bytes
+    const NUM_WRITES: usize = 2;
+    const OPCODE: Rv32Sha2Opcode = Rv32Sha2Opcode::SHA384;
+    // Sha284 truncates the output to 48 cells
+    const DIGEST_SIZE: usize = 48;
 }