1. 引言

SHA-256详细说明参见 NIST FIPS PUB 180-4。

与该说明书不同之处在于，Halo2中使用 $\boxplus$ 来表示addition modulo $2^{32}$ ， $+$ 来表示field addition， $\oplus$ 来表示 XOR。

2. Gadget interface

SHA-256用8个32-bit变量来维护state，其输入为512-bit blocks，内部会将这些blocks切分为32-bit chunks，因此设计了SHA-256 gadget来consume input in 32-bit chunks。

3. Chip instructions

SHA-256 gadget需要具有如下指令的chip：

# extern crate halo2;
# use halo2::plonk::Error;
# use std::fmt;
#
# trait Chip: Sized {}
# trait Layouter<C: Chip> {}
const BLOCK_SIZE: usize = 16;
const DIGEST_SIZE: usize = 8;

pub trait Sha256Instructions: Chip {
    /// Variable representing the SHA-256 internal state.
    type State: Clone + fmt::Debug;
    /// Variable representing a 32-bit word of the input block to the SHA-256 compression
    /// function.
    type BlockWord: Copy + fmt::Debug;

    /// Places the SHA-256 IV in the circuit, returning the initial state variable.
    fn initialization_vector(layouter: &mut impl Layouter<Self>) -> Result<Self::State, Error>;

    /// Starting from the given initial state, processes a block of input and returns the
    /// final state.
    fn compress(
        layouter: &mut impl Layouter<Self>,
        initial_state: &Self::State,
        input: [Self::BlockWord; BLOCK_SIZE],
    ) -> Result<Self::State, Error>;

    /// Converts the given state into a message digest.
    fn digest(
        layouter: &mut impl Layouter<Self>,
        state: &Self::State,
    ) -> Result<[Self::BlockWord; DIGEST_SIZE], Error>;
}

这些指令用于strike a balance between the reusability of the instructions and the scope for chips to internally optimise them。特别地，考虑将compression function 按其组成部分切分为 Ch, Maj等等，并提供a compression function gadget 来实现the round logic。但是，这将阻止chips from using relative references between the various parts of a compression round。采用一个指令来实现所有的compression rounds则类似于the Intel SHA extensions——提供了一个指令来运行多个compression rounds。

4. 16-bit table chip for SHA-256

Halo2中的chip for SHA-256实现是基于a single 16-bit lookup table的。其最少需要 $2^{16}$ circuit rows，从而也适合用于larger circuits中。

Halo2中定义的最大constraint degree为 $9$ ，将支持进行constraining carries 和 “small pieces” to a range of up to ${0..7\}$ in one row。

4.1 Compression round

一共有64 compression rounds。每一轮的输入为32-bit values $A, B, C, D, E, F, G, H$ ，并执行如下操作：
$\begin{array}{rcl} Ch(E, F, G) &=& (E \wedge F) \oplus (¬E \wedge G) \\ Maj(A, B, C) &=& (A \wedge B) \oplus (A \wedge C) \oplus (B \wedge C) \\ &=& count(A, B, C) \geq 2 \\ \Sigma_0(A) &=& (A ⋙ 2) \oplus (A ⋙ 13) \oplus (A ⋙ 22) \\ \Sigma_1(E) &=& (E ⋙ 6) \oplus (E ⋙ 11) \oplus (E ⋙ 25) \\ H' &=& H + Ch(E, F, G) + \Sigma_1(E) + K_t + W_t \\ E_{new} &=& reduce_6(H' + D) \\ A_{new} &=& reduce_7(H' + Maj(A, B, C) + \Sigma_0(A)) \end{array}$
其中 $reduce_i$ 必须handle a carry $0\leq carry <i$ 。
在这里插入图片描述
定义 $\mathtt{spread}$ 为 a table mapping a $16$ -bit input to an output interleaved with zero bits。不需要一个单独的table来进行 range checks 因为可复用 $\mathtt{spread}$ 。

4.2 Modular addition

对于addition modulo $2^{32}$ ：
$\boxplus b = c$
将其切分为 $16$ -bit chunks表示为：
$(a_L : \mathbb{Z}_{2^{16}}, a_H : \mathbb{Z}_{2^{16}}) \boxplus (b_L : \mathbb{Z}_{2^{16}}, b_H : \mathbb{Z}_{2^{16}}) = (c_L : \mathbb{Z}_{2^{16}}, c_H : \mathbb{Z}_{2^{16}})$
使用field addition重组表示为：
$\mathsf{carry} \cdot 2^{32} + c_H \cdot 2^{16} + c_L = (a_H + b_H) \cdot 2^{16} + a_L + b_L$
注意，此处正确处理了the carry from $a_L+b_L$ 。
更一般地说，可将output分解为任意bit，而不仅仅是分解为 $16$ -bit chunks。

该constraint要求每个chunk都正确range-checked了（否则，会存在field溢出的问题）：

The operand and result chunks 可使用 $\mathtt{spread}$ 来constrained，通过looking up each chunk in the “dense” column within a subset of the table。This way we additionally get the “spread” form of the output for free; in particular this is true for the output of the bottom-right $\boxplus$ which becomes $A_{new}$ , and the output of the leftmost $\boxplus$ which becomes $E_{new}$ . 后续将使用该方法来优化 $M a j$ 和 $C h$ 。
$\mathsf{carry}$ must be constrained to the precise range of allowed carry values for the number of operands. 采用的方法为：small range constraint。

4.3 Maj function

$M a j$ 函数可通过 $4$ 个lookups来实现： $2\; \mathtt{spread} * 2$ chunks：

如上所述，在第一轮之后，有 $A$ in spread form $A^{'}$ 。类似的，有 $B$ 等于前一轮的 $A$ （可假设其为spread form $B^{'}$ ）， $C$ 等于前一轮的 $B$ （可假设其为spread form $C^{'}$ ），如论是源于the fixed IV，还是源于the use of $\mathtt{spread}$ to reduce the output of the feedforward in the previous block。
Add the spread forms in the field： $M^{'} = A^{'} + B^{'} + C^{'}$ 。
- 可add as $32$ -bit words 或 add in pieces，二者效果是等价的。
Witness the compressed even bits $M_i^{even}$ and the compressed odd bits $M_i^{odd}$ for $i=\{0..1\}$ 。
Constrain $\mathtt{spread}(M^{even}_0) + 2 \cdot \mathtt{spread}(M^{odd}_0) + 2^{32} \cdot \mathtt{spread}(M^{even}_1) + 2^{33} \cdot \mathtt{spread}(M^{odd}_1)$ , 其中 $M^{odd}_i$ 为 $M a j$ 函数的输出。

注意：“even” bits，意味着the bits of weight an even-power of $2$ ，即 of weight $2^0,2^2,\cdots$ 。类似地，“odd” bits意味着the bits of weight an odd-power of $2$ ，即 of weight $2^1,2^3,\cdots$ 。

4.4 Ch function

【TODO：借助an additional table可进一步优化为仅需4个或5个lookups。】
$C h$ 函数可通过 $8$ 个lookups来实现： $4\; \mathtt{spread} * 2$ chunks：

如上所述，在第一轮之后，有 $E$ in spread form $E^{'}$ 。类似的，有 $F$ 等于前一轮的 $E$ （可假设其为spread form $E^{'}$ ）， $G$ 等于前一轮的 $F$ （可假设其为spread form $G^{'}$ ），如论是源于the fixed IV，还是源于the use of $\mathtt{spread}$ to reduce the output of the feedforward in the previous block。
计算： $P^{'} = E^{'} + F^{'}$ ， $Q^{'} = (e v e n s - E^{'}) + G^{'}$ ，其中 $evens=\mathtt{spread}(2^{32}-1)$ 。
- 可add as $32$ -bit words 或 add in pieces，二者效果是等价的。
- $e v e n s - E^{'}$ 用于计算the spread of $\neg E$ ，计算negation和 $\mathtt{spread}$ 并不交互通讯。可实现，是因为 $E^{'}$ 中的每个spread bit都subtracted from $1$ ，因此不存在borrows。
Witness $P_i^{even},P_i^{odd},Q_i^{even}, Q_i^{odd}$ ，使得 $\mathtt{spread}(P^{even}_0) + 2 \cdot \mathtt{spread}(P^{odd}_0) + 2^{32} \cdot \mathtt{spread}(P^{even}_1) + 2^{33} \cdot \mathtt{spread}(P^{odd}_1)$ ， $\mathtt{spread}(Q^{even}_0) + 2 \cdot \mathtt{spread}(Q^{odd}_0) + 2^{32} \cdot \mathtt{spread}(Q^{even}_1) + 2^{33} \cdot \mathtt{spread}(Q^{odd}_1)$
$\{P^{odd}_i + Q^{odd}_i\}_{i=0..1}$ 为 $C h$ 函数的输出。

4.5 Σ_0 function

$\Sigma_0(A)$ 可通过 $6$ 个 lookups来实现。
为此，需将 $A$ 切分为pieces $(a, b, c, d)$ ，lengths分别为 $(2, 11, 9, 10)$ counting from the little end。同时，可获得这些pieces 的spread forms。具体实现方案为：
借助2个PLONK rows。因为 $10$ -bit piece和 $11$ -bit piece可使用 $\mathtt{spread}$ lookup来处理，而 $9$ -bit piece 可切分为 $3 * 3$ subpieces。最后的 $2$ -bit piece可range-checked by polynomial constraints in parallel with the two lookups, two small pieces in each row。可通过插值来找到the spread forms of these small pieces。

注意，切分为pieces的过程可与 $A_{new}$ 的reduction结合在一起实现，即，不再需要为 $A_{new}$ 构建额外的lookup。最后一轮，reduce $A_{new}$ after adding the feedforward (requiring a carry of up to $7$ which is fine)。
$\oplus (A ⋙ 13) \oplus (A ⋙ 22)$ 等价为
$\oplus (A ⋙ 13) \oplus (A ⋘ 10)$ ：
在这里插入图片描述
然后，再使用4个 $\mathtt{spread}$ lookups来获取the even bits of a linear combination of the pieces的结果：
$\begin{array}{rcccccccl} & (a &||& d &||& c &||& b) & \oplus \\ & (b &||& a &||& d &||& c) & \oplus \\ & (c &||& b &||& a &||& d) & \\ &&&&\Downarrow \\ R' = & 4^{30} a &+& 4^{20} d &+& 4^{11} c &+& b\;&+ \\ & 4^{21} b &+& 4^{19} a &+& 4^{ 9} d &+& c\;&+ \\ & 4^{23} c &+& 4^{12} b &+& 4^{10} a &+& d\;& \end{array}$
此时，witness the compressed even bits $R_i^{even}$ and the compressed odd bits $R_i^{odd}$ ，并constrain：
$\mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1)$
其中 $\{R^{even}_i\}_{i=0..1}$ 即为 $\Sigma_0$ 函数的输出。

4.6 Σ_1 function

$\Sigma_1(E)$ 可通过 $6$ 个 lookups来实现。
为此，需将 $E$ 切分为pieces $(a, b, c, d)$ ，lengths分别为 $(6, 5, 14, 7)$ counting from the little end。同时，可获得这些pieces 的spread forms。具体实现方案为：
借助2个PLONK rows。因为 $7$ -bit piece和 $14$ -bit piece可使用 $\mathtt{spread}$ lookup来处理，而 $5$ -bit piece 可切分为 $3$ -bit subpiece 和 $2$ -bit subpiece， $6$ -bit piece可切分为 $2 * 3$ -bit subpieces。这4种small pieces可range-checked by polynomial constraints in parallel with the two lookups, two small pieces in each row。可通过插值来找到the spread forms of these small pieces。

注意，切分为pieces的过程可与 $E_{new}$ 的reduction结合在一起实现，即，不再需要为 $E_{new}$ 构建额外的lookup。最后一轮，reduce $E_{new}$ after adding the feedforward (requiring a carry of up to $6$ which is fine)。
$\oplus (E ⋙ 11) \oplus (E ⋙ 25)$ is equivalent to
$\oplus (E ⋙ 11) \oplus (E ⋘ 7)$ ：
在这里插入图片描述
然后，再使用4个 $\mathtt{spread}$ lookups来获取the even bits of a linear combination of the pieces的结果：（与 $\Sigma_0$ 的实现类似）
$\begin{array}{rcccccccl} & (a &||& d &||& c &||& b) & \oplus \\ & (b &||& a &||& d &||& c) & \oplus \\ & (c &||& b &||& a &||& d) & \\ &&&&\Downarrow \\ R' = & 4^{26} a &+& 4^{19} d &+& 4^{ 5} c &+& b\;&+ \\ & 4^{27} b &+& 4^{21} a &+& 4^{14} d &+& c\;&+ \\ & 4^{18} c &+& 4^{13} b &+& 4^{ 7} a &+& d\;& \end{array}$
此时，witness the compressed even bits $R_i^{even}$ and the compressed odd bits $R_i^{odd}$ ，并constrain：
$\mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1)$
其中 $\{R^{even}_i\}_{i=0..1}$ 即为 $\Sigma_1$ 函数的输出。

5. Block decomposition

对于每一个block $M\in\{0,1\}^{512}$ of the padded message，其每个 $64$ words of $32$ bits的构建方式如下：（注意 $W$ word的索引从 $0$ 开始。）

1）前 $16$ 个words 为将 $M$ 切分为 $32$ -bit blocks：
$W_0 || W_1 || \cdots || W_{14} || W_{15}$
2）剩下的 $48$ 个words采用如下公式构建，for $16\leq i<64$ ：
$W_i = \sigma_1(W_{i-2}) \boxplus W_{i-7} \boxplus \sigma_0(W_{i-15}) \boxplus W_{i-16}$

其中：（注意 $≫$ 为right-shift，而不是rotation。）
$\begin{array}{ccc} \sigma_0(X) &=& (X ⋙ 7) \oplus (X ⋙ 18) \oplus (X ≫ 3) \\ \sigma_1(X) &=& (X ⋙ 17) \oplus (X ⋙ 19) \oplus (X ≫ 10) \\ \end{array}$

5.1 σ_0 function

$\oplus (X ⋙ 18) \oplus (X ≫ 3)$ 等价为
$\oplus (X ⋘ 14) \oplus (X ≫ 3)$ 。
在这里插入图片描述
如上，具有pieces $(a, b, c, d)$ of lengths $(3, 4, 11, 14)$ counting from the little end。将 $b$ 切分为2个 $2$ -bit subpieces。
$\begin{array}{rcccccccl} & (0^{[3]} &||& d &||& c &||& b) & \oplus \\ & (\;\;\;b &||& a &||& d &||& c) & \oplus \\ & (\;\;\;c &||& b &||& a &||& d) & \\ &&&&\Downarrow \\ R' = & & & 4^{15} d &+& 4^{ 4} c &+& b\;&+ \\ & 4^{28} b &+& 4^{25} a &+& 4^{11} d &+& c\;&+ \\ & 4^{21} c &+& 4^{17} b &+& 4^{14} a &+& d\;& \end{array}$

5.2 σ_1 function

$\oplus (X ⋙ 19) \oplus (X ≫ 10)$ 等价为
$\oplus (X ⋘ 13) \oplus (X ≫ 10)$ 。
在这里插入图片描述
TODO：上图与公式表达不匹配，此处只是为了之前的图片保持一致。

如上，具有pieces $(a, b, c, d)$ of lengths $(10, 7, 2, 13)$ counting from the little end。将 $b$ 切分为 $(3, 2, 2)$ -bit subpieces。
$\begin{array}{rcccccccl} & (0^{[10]}&||& d &||& c &||& b) & \oplus \\ & (\;\;\;b &||& a &||& d &||& c) & \oplus \\ & (\;\;\;c &||& b &||& a &||& d) & \\ &&&&\Downarrow \\ R' = & & & 4^{ 9} d &+& 4^{ 7} c &+& b\;&+ \\ & 4^{25} b &+& 4^{15} a &+& 4^{ 2} d &+& c\;&+ \\ & 4^{30} c &+& 4^{23} b &+& 4^{13} a &+& d\;& \end{array}$

5.3 Message scheduling

将 $\sigma_0$ 用于 $W_{1..48}$ ，将 $\sigma_1$ 用于 $W_{14..61}$ ，为了避免重复使用 $\mathtt{spread}$ ，可将 $W_{14..48}$ 的 $\sigma_0$ 和 $\sigma_1$ 合并。将piece lengths $(3, 4, 11, 14)$ 和 $(10, 7, 2, 13)$ 合并为piece lengths $(3, 4, 3, 7, 1, 1, 13)$ 。
在这里插入图片描述
若可将merged结果split 为3行（当分别对 $\sigma_0$ 和 $\sigma_1$ split时，则一共需要4行），则可节约35行。
【TODO：甚至可以将结果split为2行。】

当用于计算subsequent words时，可将reduction mod $2^{32}$ of $W_{16..61}$ 与splitting 过程结合，类似于round function 中对 $A$ 和 $E$ 的处理。

由于 $W_{62..63}$ 未split，仍需对于 $W_{62..63}$ 进行split。（技术上，可让于 $W_{62..63}$ 保持为unreduced，因为当稍后用于计算 $A_{new}$ 和 $E_{new}$ 时会进行reduce，但是，这需要处理的carry将大至 $10$ 而不是 $6$ ，因此不值得采用该方案。）

最终的message schedule cost为：

$2$ rows to constrain $W_0$ to $32$ bits
- This is technically optional, but let’s do it for robustness, since the rest of the input is constrained for free.
$13 * 2$ rows to split $W_{1..13}$ into $(3, 4, 11, 14)$ -bit pieces
$35 * 3$ rows to split $W_{14..48}$ into $(3, 4, 3, 7, 1, 1, 13)$ -bit pieces (merged with a reduction for $W_{16..48}$ )
$13 * 2$ rows to split $W_{49..61}$ into $(10, 7, 2, 13)$ -bit pieces (merged with a reduction)
$4 * 48$ rows to extract the results of $\sigma_0$ for $W_{1..48}$
$4 * 48$ rows to extract the results of $\sigma_1$ for $W_{14..61}$
$2 * 2$ rows to reduce $W_{62..63}$
$= 547$ rows.

6. Overall cost

对于每一轮，有：

$8$ rows for $C h$
$4$ rows for $M a j$
$6$ rows for $\Sigma_0$
$6$ rows for $\Sigma_1$
$reduce_6$ and $reduce_7$ are always free
$= 24$ per round

This gives $24 * 64 = 1792$ rows for all of “step 3”, to which we need to add:

$547$ rows for message scheduling
$2 * 8$ rows for $8$ reductions mod $2^{32}$ in “step 4”

giving a total of $2099$ rows.

7. Tables

最终仅需要一个table $\mathtt{spread}$ ——具有 $2^{16}$ 行和 $3$ 列。同时需要一个tag列来支持selecting $(7, 10, 11, 13, 14)$ -bit subsets of the table for $\Sigma_{0..1}$ 和 $\sigma_{0..1}$ 。

7.1 `spread` table

row	tag	table (16b)	spread (32b)
$0$	0	0000000000000000	00000000000000000000000000000000
$1$	0	0000000000000001	00000000000000000000000000000001
$2$	0	0000000000000010	00000000000000000000000000000100
$3$	0	0000000000000011	00000000000000000000000000000101
…	0	…	…
$2^{7} - 1$	0	0000000001111111	00000000000000000001010101010101
$2^{7}$	1	0000000010000000	00000000000000000100000000000000
…	1	…	…
$2^{10} - 1$	1	0000001111111111	00000000000001010101010101010101
…	2	…	…
$2^{11} - 1$	2	0000011111111111	00000000010101010101010101010101
…	3	…	…
$2^{13} - 1$	3	0001111111111111	00000001010101010101010101010101
…	4	…	…
$2^{14} - 1$	4	0011111111111111	00000101010101010101010101010101
…	5	…	…
$2^{16} - 1$	5	1111111111111111	01010101010101010101010101010101

如需实现 an $11$ -bit $\mathtt{spread}$ lookup，可polynomial-constrain the tag to be in ${0,1,2\}$ 。而对于 $16$ -bit lookup，可不constrain the tag。
注意，可fill any unused rows beyond $2^{16}$ with a duplicate entry，如 all-zeroes。

8. Gates

8.1 Choice gate

来自于之前操作的输入有：

$E^{'}, F^{'}, G^{'},$ 64-bit spread forms of 32-bit words $E, F, G$ , assumed to be constrained by previous operations
- 实际上，当分解为 $16$ -bit subpieces时，将有the spread forms of $E^{'}, F^{'}, G^{'}$ 。
$e v e n s$ 定义为 $\mathtt{spread}(2^{32} - 1)$
- $evens_0 = evens_1 = \mathtt{spread}(2^{16} - 1)$

8.2 E ∧ F

s_ch	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$
0	{0,1,2,3,4,5}	$P_0^{even}$	$\texttt{spread}(P_0^{even})$	$\mathtt{spread}(E^{lo})$	$\mathtt{spread}(E^{hi})$
1	{0,1,2,3,4,5}	$P_0^{odd}$	$\texttt{spread}(P_0^{odd})$	$\texttt{spread}(P_1^{odd})$
0	{0,1,2,3,4,5}	$P_1^{even}$	$\texttt{spread}(P_1^{even})$	$\mathtt{spread}(F^{lo})$	$\mathtt{spread}(F^{hi})$
0	{0,1,2,3,4,5}	$P_1^{odd}$	$\texttt{spread}(P_1^{odd})$

8.3 ¬E ∧ G

s_ch_neg	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$	$a_5$
0	{0,1,2,3,4,5}	$Q_0^{even}$	$\texttt{spread}(Q_0^{even})$	$\mathtt{spread}(E_{neg}^{lo})$	$\mathtt{spread}(E_{neg}^{hi})$	$\mathtt{spread}(E^{lo})$
1	{0,1,2,3,4,5}	$Q_0^{odd}$	$\texttt{spread}(Q_0^{odd})$	$\texttt{spread}(Q_1^{odd})$		$\mathtt{spread}(E^{hi})$
0	{0,1,2,3,4,5}	$Q_1^{even}$	$\texttt{spread}(Q_1^{even})$	$\mathtt{spread}(G^{lo})$	$\mathtt{spread}(G^{hi})$
0	{0,1,2,3,4,5}	$Q_1^{odd}$	$\texttt{spread}(Q_1^{odd})$

Constraints有：

s_ch (choice): $L H S - R H S = 0$
- $a_3 \omega^{-1} + a_3 \omega + 2^{32}(a_4 \omega^{-1} + a_4 \omega)$
- $a_2 \omega^{-1} + 2* a_2 + 2^{32}(a_2 \omega + 2* a_3)$
s_ch_neg (negation): s_ch with an extra negation check
$\mathtt{spread}$ lookup on $a_0, a_1, a_2)$
permutation between $a_2, a_3)$

输出为： $Ch(E, F, G) = P^{odd} + Q^{odd} = (P_0^{odd} + Q_0^{odd}) + 2^{16} (P_1^{odd} + Q_1^{odd})$

8.4 Majority gate

来自于之前操作的输入有：

$A^{'}, B^{'}, C^{'},$ 64-bit spread forms of 32-bit words $A, B, C$ , assumed to be constrained by previous operations
- 实际上，当分解为 $16$ -bit subpieces时，有 the spread forms of $A^{'}, B^{'}, C^{'}$ 。

s_maj	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$	$a_5$
0	{0,1,2,3,4,5}	$M_0^{even}$	$\texttt{spread}(M_0^{even})$		$\mathtt{spread}(A^{lo})$	$\mathtt{spread}(A^{hi})$
1	{0,1,2,3,4,5}	$M_0^{odd}$	$\texttt{spread}(M_0^{odd})$	$\texttt{spread}(M_1^{odd})$	$\mathtt{spread}(B^{lo})$	$\mathtt{spread}(B^{hi})$
0	{0,1,2,3,4,5}	$M_1^{even}$	$\texttt{spread}(M_1^{even})$		$\mathtt{spread}(C^{lo})$	$\mathtt{spread}(C^{hi})$
0	{0,1,2,3,4,5}	$M_1^{odd}$	$\texttt{spread}(M_1^{odd})$

Constraints有：

s_maj (majority): $L H S - R H S = 0$
- $\mathtt{spread}(M^{even}_0) + 2 \cdot \mathtt{spread}(M^{odd}_0) + 2^{32} \cdot \mathtt{spread}(M^{even}_1) + 2^{33} \cdot \mathtt{spread}(M^{odd}_1)$
- $R H S = A^{'} + B^{'} + C^{'}$
$\mathtt{spread}$ lookup on $a_0, a_1, a_2)$
permutation between $a_2, a_3)$

输出为： $Maj(A,B,C) = M^{odd} = M_0^{odd} + 2^{16} M_1^{odd}$

8.5 Σ_0 gate

$A$ 为 a 32-bit word，可切分为 $(2, 11, 9, 10)$ -bit chunks，starting from the little end。We refer to these chunks as $(a (2), b (11), c (9), d (10))$ respectively，可进一步将 $c (9)$ 分解为 three 3-bit chunks $c(9)^{lo}, c(9)^{mid}, c(9)^{hi}$ 。 We witness the spread versions of the small chunks.

$\begin{array}{ccc} \Sigma_0(A) &=& (A ⋙ 2) \oplus (A ⋙ 13) \oplus (A ⋙ 22) \\ &=& (A ⋙ 2) \oplus (A ⋙ 13) \oplus (A ⋘ 10) \end{array}$

s_upp_sigma_0	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$	$a_5$	$a_6$
0	{0,1,2,3,4,5}	$R_0^{even}$	$\texttt{spread}(R_0^{even})$	$c(9)^{lo}$	$\texttt{spread}(c(9)^{lo})$	$c(9)^{mid}$	$\texttt{spread}(c(9)^{mid})$
1	{0,1,2,3,4,5}	$R_0^{odd}$	$\texttt{spread}(R_0^{odd})$	$\texttt{spread}(R_1^{odd})$	$\texttt{spread}(d(10))$	$\texttt{spread}(b(11))$	$c (9)$
0	{0,1,2,3,4,5}	$R_1^{even}$	$\texttt{spread}(R_1^{even})$	$a (2)$	$\texttt{spread}(a(2))$	$c(9)^{hi}$	$\texttt{spread}(c(9)^{hi})$
0	{0,1,2,3,4,5}	$R_1^{odd}$	$\texttt{spread}(R_1^{odd})$

Constraints有：

s_upp_sigma_0 ( $\Sigma_0$ constraint): $L H S - R H S + t a g + d e c o m p o s e = 0$

$\begin{array}{ccc} tag &=& constrain_1(a_0\omega^{-1}) + constrain_2(a_0\omega) \\ decompose &=& a(2) + 2^2 b(11) + 2^{13} c(9)^{lo} + 2^{16} c(9)^{mid} + 2^{19} c(9)^{hi} + 2^{22} d(10) - A\\ LHS &=& \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1) \end{array}$
$\begin{array}{rcccccccccl} RHS = & 4^{30} \texttt{spread}(a(2)) &+& 4^{20} \texttt{spread}(d(10)) &+& 4^{17} \texttt{spread}(c(9)^{hi}) &+& 4^{14} \texttt{spread}(c(9)^{mid}) &+& 4^{11} \texttt{spread}(c(9)^{lo}) &+& \texttt{spread}(b(11))\;&+ \\ & 4^{21} \texttt{spread}(b(11)) &+& 4^{19} \texttt{spread}(a(2)) &+& 4^{9} \texttt{spread}(d(10)) &+& 4^{6} \texttt{spread}(c(9)^{hi}) &+& 4^{3} \texttt{spread}(c(9)^{mid}) &+& \texttt{spread}(c(9)^{lo}) \;&+ \\ & 4^{29} \texttt{spread}(c(9)^{hi}) &+& 4^{26} \texttt{spread}(c(9)^{mid}) &+& 4^{23} \texttt{spread}(c(9)^{lo}) &+& 4^{12} \texttt{spread}(b(11)) &+& 4^{10} \texttt{spread}(a(2)) &+& \texttt{spread}(d(10))\;& \end{array}$

$\mathtt{spread}$ lookup on $a_0, a_1, a_2$
2-bit range check and 2-bit spread check on $a (2)$
3-bit range check and 3-bit spread check on $c(9)^{lo}, c(9)^{mid}, c(9)^{hi}$

（详细参见Helper gates 章节）

输出为： $\Sigma_0(A) = R^{even} = R_0^{even} + 2^{16} R_1^{even}$

8.6 Σ_1 gate

$E$ 为 a 32-bit word 可切分为 $(6, 5, 14, 7)$ -bit chunks, starting from the little end。We refer to these chunks as $(a (6), b (5), c (14), d (7))$ respectively, 可进一步将 $a (6)$ 切分为 two 3-bit chunks $a(6)^{lo}, a(6)^{hi}$ ，将 $b$ 切分为 (2,3)-bit chunks $b(5)^{lo}, b(5)^{hi}$ 。We witness the spread versions of the small chunks.

$\begin{array}{ccc} \Sigma_1(E) &=& (E ⋙ 6) \oplus (E ⋙ 11) \oplus (E ⋙ 25) \\ &=& (E ⋙ 6) \oplus (E ⋙ 11) \oplus (E ⋘ 7) \end{array}$

s_upp_sigma_1	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$	$a_5$	$a_6$	$a_7$
0	{0,1,2,3,4,5}	$R_0^{even}$	$\texttt{spread}(R_0^{even})$	$b(5)^{lo}$	$\texttt{spread}(b(5)^{lo})$	$b(5)^{hi}$	$\texttt{spread}(b(5)^{hi})$	$b (5)$
1	{0,1,2,3,4,5}	$R_0^{odd}$	$\texttt{spread}(R_0^{odd})$	$\texttt{spread}(R_1^{odd})$	$\texttt{spread}(d(7))$	$\texttt{spread}(c(14))$
0	{0,1,2,3,4,5}	$R_1^{even}$	$\texttt{spread}(R_1^{even})$	$a(6)^{lo}$	$\texttt{spread}(a(6)^{lo})$	$a(6)^{hi}$	$\texttt{spread}(a(6)^{hi})$	$a (6)$
0	{0,1,2,3,4,5}	$R_1^{odd}$	$\texttt{spread}(R_1^{odd})$

Constraints有：

s_upp_sigma_1 ( $\Sigma_1$ constraint): $L H S - R H S + t a g + d e c o m p o s e = 0$

$\begin{array}{ccc} tag &=& a_0\omega^{-1} + constrain_4(a_0\omega) \\ decompose &=& a(6)^{lo} + 2^3 a(6)^{hi} + 2^6 b(5)^{lo} + 2^8 b(5)^{hi} + 2^{11} c(14) + 2^{25} d(7) - E \\ LHS &=& \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1) \end{array}$
$\begin{array}{rcccccccccl} RHS = & 4^{29} \texttt{spread}(a(6)^{hi}) &+& 4^{26} \texttt{spread}(a(6)^{lo}) &+& 4^{19} \texttt{spread}(d(7)) &+& 4^{ 5} \texttt{spread}(c(14)) &+& 4^{2} \texttt{spread}(b(5)^{hi}) &+& \texttt{spread}(b(5)^{lo})\;&+ \\ & 4^{29} \texttt{spread}(b(5)^{hi}) &+& 4^{27} \texttt{spread}(b(5)^{lo}) &+& 4^{24} \texttt{spread}(a(6)^{hi}) &+& 4^{21} \texttt{spread}(a(6)^{lo}) &+& 4^{14} \texttt{spread}(d(7)) &+& \texttt{spread}(c(14))\;&+ \\ & 4^{18} \texttt{spread}(c(14)) &+& 4^{15} \texttt{spread}(b(5)^{hi}) &+& 4^{13} \texttt{spread}(b(5)^{lo}) &+& 4^{10} \texttt{spread}(a(6)^{hi}) &+& 4^{7} \texttt{spread}(a(6)^{lo}) &+& \texttt{spread}(d(7))\;& \end{array}$

$\mathtt{spread}$ lookup on $a_0, a_1, a_2$
2-bit range check and 2-bit spread check on $b(5)^{lo}$
3-bit range check and 3-bit spread check on $a(6)^{lo}, a(6)^{hi}, b(4)^{hi}$

（详细参见Helper gates 章节）

输出为： $\Sigma_1(E) = R^{even} = R_0^{even} + 2^{16} R_1^{even}$

8.7 σ_0 gate

8.7.1 σ_0 gate–v1

$\sigma_0$ v1的输入为a word，该word可切分为 $(3, 4, 11, 14)$ -bit chunks（已constrained by message scheduling）。可将这些chunks分别表示为 $(a (3), b (4), c (11), d (14))$ ，其中 $b (4)$ 可进一步切分为two $2$ -bit chunks $b(4)^{lo}, b(4)^{hi}$ 。witness the spread versions of the small chunks。自 message scheduling已有 $\mathtt{spread}(c(11))$ 和 $\mathtt{spread}(d(14))$ 。
$\oplus (X ⋙ 18) \oplus (X ≫ 3)$ is equivalent to
$\oplus (X ⋘ 14) \oplus (X ≫ 3)$ .

s_low_sigma_0	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$	$a_5$	$a_6$
0	{0,1,2,3,4,5}	$R_0^{even}$	$\texttt{spread}(R_0^{even})$	$b(4)^{lo}$	$\texttt{spread}(b(4)^{lo})$	$b(4)^{hi}$	$\texttt{spread}(b(4)^{hi})$
1	{0,1,2,3,4,5}	$R_0^{odd}$	$\texttt{spread}(R_0^{odd})$	$\texttt{spread}(R_1^{odd})$	$\texttt{spread}(c)$	$\texttt{spread}(d)$	$b (4)$
0	{0,1,2,3,4,5}	$R_1^{even}$	$\texttt{spread}(R_1^{even})$	$0$	$0$	$a$	$\texttt{spread}(a)$
0	{0,1,2,3,4,5}	$R_1^{odd}$	$\texttt{spread}(R_1^{odd})$

Constraints有：

s_low_sigma_0 ( $\sigma_0$ v1 constraint): $L H S - R H S = 0$

$\begin{array}{ccc} LHS &=& \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1) \end{array}$
$\begin{array}{rccccccccl} RHS = & & & 4^{15} d(14) &+& 4^{ 4} c(11) &+& 4^2 b(4)^{hi} &+& b(4)^{lo}\;&+ \\ & 4^{30} b(4)^{hi} &+& 4^{28} b(4)^{lo} &+& 4^{25} a(3) &+& 4^{11} d(14) &+& c(11)\;&+ \\ & 4^{21} c(11) &+& 4^{19} b(4)^{hi} &+& 4^{17} b(4)^{lo} &+& 4^{14} a(3) &+& d(14)\;& \end{array}$

check that b was properly split into subsections for 4-bit pieces.
- $W^{b(4)lo} + 2^2 W^{b(4)hi} - W = 0$
2-bit range check and 2-bit spread check on $b(4)^{lo}, b(4)^{hi}$
3-bit range check and 3-bit spread check on $a (3)$

8.7.2 σ_0 gate–v2

$\sigma_0$ v2的输入为a word，该word可切分为 $(3, 4, 3, 7 ， 1, 1, 13)$ -bit chunks（已constrained by message scheduling）。可将这些chunks分别表示为 $(a (3), b (4), c (3), d (7), e (1), f (1), g (13))$ 。其中 $1$ -bit $e (1), f (1)$ remain unchanged by the spread operation and can be used directly。其中 $b (4)$ 可进一步切分为two $2$ -bit chunks $b(4)^{lo}, b(4)^{hi}$ 。witness the spread versions of the small chunks。自 message scheduling已有 $\mathtt{spread}(d(7))$ 和 $\mathtt{spread}(g(13))$ 。

$\oplus (X ⋙ 18) \oplus (X ≫ 3)$ is equivalent to
$\oplus (X ⋘ 14) \oplus (X ≫ 3)$ .

s_low_sigma_0_v2	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$	$a_5$	$a_6$	$a_7$
0	{0,1,2,3,4,5}	$R_0^{even}$	$\texttt{spread}(R_0^{even})$	$b(4)^{lo}$	$\texttt{spread}(b(4)^{lo})$	$b(4)^{hi}$	$\texttt{spread}(b(4)^{hi})$
1	{0,1,2,3,4,5}	$R_0^{odd}$	$\texttt{spread}(R_0^{odd})$	$\texttt{spread}(R_1^{odd})$	$\texttt{spread}(d(7))$	$\texttt{spread}(g(13))$	$b (4)$	$e (1)$
0	{0,1,2,3,4,5}	$R_1^{even}$	$\texttt{spread}(R_1^{even})$	$a (3)$	$\texttt{spread}(a(3))$	$c (3)$	$\texttt{spread}(c(3))$	$f (1)$
0	{0,1,2,3,4,5}	$R_1^{odd}$	$\texttt{spread}(R_1^{odd})$

Constraints有：

s_low_sigma_0_v2 ( $\sigma_0$ v2 constraint): $L H S - R H S = 0$

$\begin{array}{ccc} LHS &=& \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1) \end{array}$
$\begin{array}{rcccccccccccl} RHS = & & & 4^{16} g(13) &+& 4^{15} f(1) &+& 4^{ 14} e(1) &+& 4^{ 7} d(7) &+& 4^{ 4} c(3) &+& 4^2 b(4)^{hi} &+& b(4)^{lo}\;&+ \\ & 4^{30} b(4)^{hi} &+& 4^{28} b(4)^{lo} &+& 4^{25} a(3) &+& 4^{12} g(13) &+& 4^{11} f(1) &+& 4^{10} e(1) &+& 4^{3} d(7) &+& c(3)\;&+ \\ & 4^{31} e(1) &+& 4^{24} d(7) &+& 4^{21} c(3) &+& 4^{19} b(4)^{hi} &+& 4^{17} b(4)^{lo} &+& 4^{14} a(3) &+& 4^{1} g(13) &+& f(1)\;& \end{array}$

check that b was properly split into subsections for 4-bit pieces.
- $W^{b(4)lo} + 2^2 W^{b(4)hi} - W = 0$
2-bit range check and 2-bit spread check on $b(4)^{lo}, b(4)^{hi}$
3-bit range check and 3-bit spread check on $a (3), c (3)$

8.8 σ_1 gate

8.8.1 σ_1 gate–v1

$\sigma_1$ v1的输入为a word，该word可切分为 $(10, 7, 2, 13)$ -bit chunks（已constrained by message scheduling）。可将这些chunks分别表示为 $(a (10), b (7), c (2), d (13))$ ，其中 $b (7)$ 可进一步切分为two $(2, 2, 3)$ -bit chunks $b(7)^{lo},b(7)^{mid}, b(7)^{hi}$ 。witness the spread versions of the small chunks。自 message scheduling已有 $\mathtt{spread}(a(10))$ 和 $\mathtt{spread}(d(13))$ 。

$\oplus (X ⋙ 19) \oplus (X ≫ 10)$ is equivalent to
$\oplus (X ⋘ 13) \oplus (X ≫ 10)$ .

s_low_sigma_1	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$	$a_5$	$a_6$
0	{0,1,2,3,4,5}	$R_0^{even}$	$\texttt{spread}(R_0^{even})$	$b(7)^{lo}$	$\texttt{spread}(b(7)^{lo})$	$b(7)^{mid}$	$\texttt{spread}(b(7)^{mid})$
1	{0,1,2,3,4,5}	$R_0^{odd}$	$\texttt{spread}(R_0^{odd})$	$\texttt{spread}(R_1^{odd})$	$\texttt{spread}(a(10))$	$\texttt{spread}(d(13))$	$b (7)$
0	{0,1,2,3,4,5}	$R_1^{even}$	$\texttt{spread}(R_1^{even})$	$c (2)$	$\texttt{spread}(c(2))$	$b(7)^{hi}$	$\texttt{spread}(b(7)^{hi})$
0	{0,1,2,3,4,5}	$R_1^{odd}$	$\texttt{spread}(R_1^{odd})$

Constraints有：

s_low_sigma_1 ( $\sigma_1$ v1 constraint): $L H S - R H S = 0$
$\begin{array}{ccc} LHS &=& \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1) \end{array}$
$\begin{array}{rcccccccccl} RHS = & & & 4^{ 9} d(13) &+& 4^{ 7} c(2) &+& 4^{4} b(7)^{hi} &+& 4^{2} b(7)^{mid} &+& b(7)^{lo}\;&+ \\ & 4^{29} b(7)^{hi} &+& 4^{27} b(7)^{mid} &+& 4^{25} b(7)^{lo} &+& 4^{15} a(10) &+& 4^{ 2} d(13) &+& c(2)\;&+ \\ & 4^{30} c(2) &+& 4^{27} b(7)^{hi} &+& 4^{25} b(7)^{mid} &+& 4^{23} b(7)^{lo} &+& 4^{13} a(10) &+& d(13)\;& \end{array}$
check that b was properly split into subsections for 7-bit pieces.
- $W^{b(7)lo} + 2^2 W^{b(7)mid} + 2^4 W^{b(7)hi} - W = 0$
2-bit range check and 2-bit spread check on $b(7)^{lo}, b(7)^{mid}, c(2)$
3-bit range check and 3-bit spread check on $b(7)^{hi}$

8.8.2 σ_1 gate–v2

$\sigma_1$ v2的输入为a word，该word可切分为 $(3, 4, 3, 7 ， 1, 1, 13)$ -bit chunks（已constrained by message scheduling）。可将这些chunks分别表示为 $(a (3), b (4), c (3), d (7), e (1), f (1), g (13))$ 。其中 $1$ -bit $e (1), f (1)$ remain unchanged by the spread operation and can be used directly。其中 $b (4)$ 可进一步切分为two $2$ -bit chunks $b(4)^{lo}, b(4)^{hi}$ 。witness the spread versions of the small chunks。自 message scheduling已有 $\mathtt{spread}(d(7))$ 和 $\mathtt{spread}(g(13))$ 。

$\oplus (X ⋙ 19) \oplus (X ≫ 10)$ is equivalent to
$\oplus (X ⋘ 13) \oplus (X ≫ 10)$ .

s_low_sigma_1_v2	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$	$a_5$	$a_6$	$a_7$
0	{0,1,2,3,4,5}	$R_0^{even}$	$\texttt{spread}(R_0^{even})$	$b(4)^{lo}$	$\texttt{spread}(b(4)^{lo})$	$b(4)^{hi}$	$\texttt{spread}(b(4)^{hi})$
1	{0,1,2,3,4,5}	$R_0^{odd}$	$\texttt{spread}(R_0^{odd})$	$\texttt{spread}(R_1^{odd})$	$\texttt{spread}(d(7))$	$\texttt{spread}(g(13))$	$b (4)$	$e (1)$
0	{0,1,2,3,4,5}	$R_1^{even}$	$\texttt{spread}(R_1^{even})$	$a (3)$	$\texttt{spread}(a(3))$	$c (3)$	$\texttt{spread}(c(3))$	$f (1)$
0	{0,1,2,3,4,5}	$R_1^{odd}$	$\texttt{spread}(R_1^{odd})$

Constraints有：

s_low_sigma_1_v2 ( $\sigma_1$ v2 constraint): $L H S - R H S = 0$

$\begin{array}{ccc} LHS &=& \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1) \end{array}$
$\begin{array}{rccccccccccccl} RHS = & &&&& & & 4^{ 9} g(13) &+& 4^{ 8} f(1) &+& 4^{ 7} e(1) &+& d(7)\;&+ \\ & 4^{25} d(7) &+& 4^{22} c(3) &+& 4^{20} b(4)^{hi} &+& 4^{18} b(4)^{lo} &+& 4^{15} a &+& 4^{ 2} g(13) &+& 4^{1}f(1) &+& e(1)\;&+ \\ & 4^{31} f(1) &+& 4^{30} e(1) &+& 4^{23} d(7) &+& 4^{20} c(3) &+& 4^{18} b(4)^{hi} &+& 4^{16} b(4)^{lo} &+& 4^{13} a &+& g(13)\;& \end{array}$

check that b was properly split into subsections for 4-bit pieces.
- $W^{b(4)lo} + 2^2 W^{b(4)hi} - W = 0$
2-bit range check and 2-bit spread check on $b(4)^{lo}, b(4)^{hi}$
3-bit range check and 3-bit spread check on $a (3), c (3)$

8.9 Helper gates

8.9.1 Small range constraints

令 $constrain_n(x) = \prod_{i=0}^n (x-i)$ 。Constraining this expression to equal zero enforces that $x$ is in $[0 . . n]$ 。

8.9.2 2-bit range check

$(a - 3) (a - 2) (a - 1) (a) = 0$

sr2	$a_0$
1	a

8.9.3 2-bit spread

$l_1(a) + 4*l_2(a) + 5*l_3(a) - a' = 0$

ss2	$a_0$	$a_1$
1	a	a’

with interpolation polynomials：

$l_0(a) = \frac{(a - 3)(a - 2)(a - 1)}{(-3)(-2)(-1)}$ ( $\mathtt{spread}(00) = 0000$ )
$l_1(a) = \frac{(a - 3)(a - 2)(a)}{(-2)(-1)(1)}$ ( $\mathtt{spread}(01) = 0001$ )
$l_2(a) = \frac{(a - 3)(a - 1)(a)}{(-1)(1)(2)}$ ( $\mathtt{spread}(10) = 0100$ )
$l_3(a) = \frac{(a - 2)(a - 1)(a)}{(1)(2)(3)}$ ( $\mathtt{spread}(11) = 0101$ )

8.9.4 3-bit range check

$(a - 7) (a - 6) (a - 5) (a - 4) (a - 3) (a - 2) (a - 1) (a) = 0$

sr3	$a_0$
1	a

8.9.5 3-bit spread

$l_1(a) + 4*l_2(a) + 5*l_3(a) + 16*l_4(a) + 17*l_5(a) + 20*l_6(a) + 21*l_7(a) - a' = 0$

ss3	$a_0$	$a_1$
1	a	a’

with interpolation polynomials：

$l_0(a) = \frac{(a - 7)(a - 6)(a - 5)(a - 4)(a - 3)(a - 2)(a - 1)}{(-7)(-6)(-5)(-4)(-3)(-2)(-1)}$ ( $\mathtt{spread}(000) = 000000$ )
$l_1(a) = \frac{(a - 7)(a - 6)(a - 5)(a - 4)(a - 3)(a - 2)(a)}{(-6)(-5)(-4)(-3)(-2)(-1)(1)}$ ( $\mathtt{spread}(001) = 000001$ )
$l_2(a) = \frac{(a - 7)(a - 6)(a - 5)(a - 4)(a - 3)(a - 1)(a)}{(-5)(-4)(-3)(-2)(-1)(1)(2)}$ ( $\mathtt{spread}(010) = 000100$ )
$l_3(a) = \frac{(a - 7)(a - 6)(a - 5)(a - 3)(a - 2)(a - 1)(a)}{(-4)(-3)(-2)(-1)(1)(2)(3)}$ ( $\mathtt{spread}(011) = 000101$ )
$l_4(a) = \frac{(a - 7)(a - 6)(a - 5)(a - 3)(a - 2)(a - 1)(a)}{(-3)(-2)(-1)(1)(2)(3)(4)}$ ( $\mathtt{spread}(100) = 010000$ )
$l_5(a) = \frac{(a - 7)(a - 6)(a - 4)(a - 3)(a - 2)(a - 1)(a)}{(-2)(-1)(1)(2)(3)(4)(5)}$ ( $\mathtt{spread}(101) = 010001$ )
$l_6(a) = \frac{(a - 7)(a - 5)(a - 4)(a - 3)(a - 2)(a - 1)(a)}{(-1)(1)(2)(3)(4)(5)(6)}$ ( $\mathtt{spread}(110) = 010100$ )
$l_7(a) = \frac{(a - 6)(a - 5)(a - 4)(a - 3)(a - 2)(a - 1)(a)}{(1)(2)(3)(4)(5)(6)(7)}$ ( $\mathtt{spread}(111) = 010101$ )

8.9.6 reduce_6 gate

Addition $\pmod{2^{32}}$ of 6 elements

Input:

$E$
${e_i^{lo}, e_i^{hi}\}_{i=0}^5$
$c a r r y$

Check: $e_0 + e_1 + e_2 + e_3 + e_4 + e_5 \pmod{32}$

Assume inputs are constrained to 16 bits.

Addition gate (sa):
- $a_0 + a_1 + a_2 + a_3 + a_4 + a_5 + a_6 - a_7 = 0$
Carry gate (sc):
- $2^{16} a_6 \omega^{-1} + a_6 + [(a_6 - 5)(a_6 - 4)(a_6 -3)(a_6 - 2)(a_6 - 1)(a_6)] = 0$

sa	sc	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$	$a_5$	$a_6$	$a_7$
1	0	$e_0^{lo}$	$e_1^{lo}$	$e_2^{lo}$	$e_3^{lo}$	$e_4^{lo}$	$e_5^{lo}$	$carry*2^{16}$	$E^{lo}$
1	1	$e_0^{hi}$	$e_1^{hi}$	$e_2^{hi}$	$e_3^{hi}$	$e_4^{hi}$	$e_5^{hi}$	$c a r r y$	$E^{hi}$

Assume inputs are constrained to 16 bits.

Addition gate (sa):
- $a_0 \omega^{-1} + a_1 \omega^{-1} + a_2 \omega^{-1} + a_0 + a_1 + a_2 + a_3 \omega^{-1} - a_3 = 0$
Carry gate (sc):
- $2^{16} a_3 \omega + a_3 \omega^{-1} = 0$

sa	sc	$a_0$	$a_1$	$a_2$	$a_3$
0	0	$e_0^{lo}$	$e_1^{lo}$	$e_2^{lo}$	$carry*2^{16}$
1	1	$e_3^{lo}$	$e_4^{lo}$	$e_5^{lo}$	$E^{lo}$
0	0	$e_0^{hi}$	$e_1^{hi}$	$e_2^{hi}$	$c a r r y$
1	0	$e_3^{hi}$	$e_4^{hi}$	$e_5^{hi}$	$E^{hi}$

8.9.7 reduce_7 gate

Addition $\pmod{2^{32}}$ of 7 elements

Input:

$E$
${e_i^{lo}, e_i^{hi}\}_{i=0}^6$
$c a r r y$

Check: $e_0 + e_1 + e_2 + e_3 + e_4 + e_5 + e_6 \pmod{32}$

Assume inputs are constrained to 16 bits.

Addition gate (sa):
- $a_0 + a_1 + a_2 + a_3 + a_4 + a_5 + a_6 + a_7 - a_8 = 0$
Carry gate (sc):
- $2^{16} a_7 \omega^{-1} + a_7 + [(a_7 - 6)(a_7 - 5)(a_7 - 4)(a_7 -3)(a_7 - 2)(a_7 - 1)(a_7)] = 0$

sa	sc	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$	$a_5$	$a_6$	$a_7$	$a_8$
1	0	$e_0^{lo}$	$e_1^{lo}$	$e_2^{lo}$	$e_3^{lo}$	$e_4^{lo}$	$e_5^{lo}$	$e_6^{lo}$	$carry*2^{16}$	$E^{lo}$
1	1	$e_0^{hi}$	$e_1^{hi}$	$e_2^{hi}$	$e_3^{hi}$	$e_4^{hi}$	$e_5^{hi}$	$e_6^{hi}$	$c a r r y$	$E^{hi}$

8.10 Message scheduling region

For each block $\in \{0,1\}^{512}$ of the padded message, $64$ words of $32$ bits each are constructed as follows:

the first $16$ are obtained by splitting $M$ into $32$ -bit blocks $W_0 || W_1 || \cdots || W_{14} || W_{15};$
the remaining $48$ words are constructed using the formula:
$W_i = \sigma_1(W_{i-2}) \boxplus W_{i-7} \boxplus \sigma_0(W_{i-15}) \boxplus W_{i-16},$ for $\leq i < 64$ .

sw	sd0	sd1	sd2	sd3	ss0	ss0_v2	ss1	ss1_v2	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$	$a_5$	$a_6$	$a_7$	$a_8$	$a_9$
0	1	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$W_{0}^{lo}$	$\texttt{spread}(W_{0}^{lo})$	$W_{0}^{lo}$	$W_{0}^{hi}$	$W_{0}$	$\sigma_0(W_1)^{lo}$	$\sigma_1(W_{14})^{lo}$	$W_{9}^{lo}$
1	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$W_{0}^{hi}$	$\texttt{spread}(W_{0}^{hi})$			$W_{16}$	$\sigma_0(W_1)^{hi}$	$\sigma_1(W_{14})^{hi}$	$W_{9}^{hi}$	$carry_{16}$
0	1	1	0	0	0	0	0	0	{0,1,2,3,4}	$W_{1}^{d(14)}$	$\texttt{spread}(W_{1}^{d(14)})$	$W_{1}^{lo}$	$W_{1}^{hi}$	$W_{1}$	$\sigma_0(W_2)^{lo}$	$\sigma_1(W_{15})^{lo}$	$W_{10}^{lo}$
1	0	0	0	0	0	0	0	0	{0,1,2}	$W_{1}^{c(11)}$	$\texttt{spread}(W_{1}^{c(11)})$	$W_{1}^{a(3)}$	$W_{1}^{b(4)}$	$W_{17}$	$\sigma_0(W_2)^{hi}$	$\sigma_1(W_{15})^{hi}$	$W_{10}^{hi}$	$carry_{17}$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_0^{even}$	$\texttt{spread}(R_0^{even})$	$W_{1}^{b(4)lo}$	$\texttt{spread}(W_{1}^{b(4)lo})$	$W_{1}^{b(4)hi}$	$\texttt{spread}(W_{1}^{b(4)hi})$
0	0	0	0	0	1	0	0	0	{0,1,2,3,4,5}	$R_1^{odd}$	$\texttt{spread}(R_0^{odd})$	$\texttt{spread}(R_1^{odd})$	$\texttt{spread}(W_{1}^{c(11)})$	$\texttt{spread}(W_{1}^{d(14)})$	$W_{1}^{b(4)}$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_0^{odd}$	$\texttt{spread}(R_1^{even})$	$0$	$0$	$W_{1}^{a(3)}$	$\texttt{spread}(W_{1}^{a(3)})$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_1^{even}$	$\texttt{spread}(R_1^{odd})$	$\sigma_0 v1 R_0$	$\sigma_0 v1 R_1$	$\sigma_0 v1 R_0^{even}$	$\sigma_0 v1 R_0^{odd}$
…	…	…	…	…	…	…	…	…	…	…	…	…	…	…	…	…	…
0	0	0	0	0	0	0	0	0	{0,1,2,3}	$W_{14}^{g(13)}$	$\texttt{spread}(W_{14}^{g(13)})$	$W_{14}^{a(3)}$	$W_{14}^{c(3)}$
0	1	0	1	0	0	0	0	0	0	$W_{14}^{d(7)}$	$\texttt{spread}(W_{14}^{d(7)})$	$W_{14}^{lo}$	$W_{14}^{hi}$	$W_{14}$	$\sigma_0(W_{15})^{lo}$	$\sigma_1(W_{28})^{lo}$	$W_{23}^{lo}$
1	0	0	0	0	0	0	0	0	0	$W_{14}^{b(4)}$	$\texttt{spread}(W_{14}^{b(4)})$	$W_{14}^{e(1)}$	$W_{14}^{f(1)}$	$W_{30}$	$\sigma_0(W_{15})^{hi}$	$\sigma_1(W_{28})^{hi}$	$W_{23}^{hi}$	$carry_{30}$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_0^{even}$	$\texttt{spread}(R_0^{even})$	$W_{14}^{b(4)lo}$	$\texttt{spread}(W_{14}^{b(4)lo})$	$W_{14}^{b(4) hi}$	$\texttt{spread}(W_{14}^{b(4)hi})$
0	0	0	0	0	0	1	0	0	{0,1,2,3,4,5}	$R_0^{odd}$	$\texttt{spread}(R_0^{odd})$	$\texttt{spread}(R_1^{odd})$	$\texttt{spread}(W_{14}^{d(7)})$	$\texttt{spread}(W_{14}^{g(13)})$	$W_{1}^{b(14)}$	$W_{14}^{e(1)}$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_1^{even}$	$\texttt{spread}(R_1^{even})$	$W_{14}^{a(3)}$	$\texttt{spread}(W_{14}^{a(3)})$	$W_{14}^{c(3)}$	$\texttt{spread}(W_{14}^{c(3)})$	$W_{14}^{f(1)}$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_1^{odd}$	$\texttt{spread}(R_1^{odd})$	$\sigma_0 v2 R_0$	$\sigma_0 v2 R_1$	$\sigma_0 v2 R_0^{even}$	$\sigma_0 v2 R_0^{odd}$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_0^{even}$	$\texttt{spread}(R_0^{even})$	$W_{14}^{b(4)lo}$	$\texttt{spread}(W_{14}^{b(4)lo})$	$W_{14}^{b(4) hi}$	$\texttt{spread}(W_{14}^{b(4)hi})$
0	0	0	0	0	0	0	0	1	{0,1,2,3,4,5}	$R_0^{odd}$	$\texttt{spread}(R_0^{odd})$	$\texttt{spread}(R_1^{odd})$	$\texttt{spread}(d)$	$\texttt{spread}(g)$		$W_{14}^{e(1)}$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_1^{even}$	$\texttt{spread}(R_1^{even})$	$W_{14}^{a(3)}$	$\texttt{spread}(W_{14}^{a(3)})$	$W_{14}^{c(3)}$	$\texttt{spread}(W_{14}^{c(3)})$	$W_{14}^{f(1)}$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_1^{odd}$	$\texttt{spread}(R_1^{odd})$	$\sigma_1 v2 R_0$	$\sigma_1 v2 R_1$	$\sigma_1 v2 R_0^{even}$	$\sigma_1 v2 R_0^{odd}$
…	…	…	…	…	…	…	…	…	…	…	…	…	…	…	…	…	…
0	1	0	0	1	0	0	0	0	{0,1,2,3}	$W_{49}^{d(13)}$	$\texttt{spread}(W_{49}^{d(13)})$	$W_{49}^{lo}$	$W_{49}^{hi}$	$W_{49}$
0	0	0	0	0	0	0	0	0	{0,1}	$W_{49}^{a(10)}$	$\texttt{spread}(W_{49}^{a(10)})$	$W_{49}^{c(2)}$	$W_{49}^{b(7)}$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_0^{even}$	$\texttt{spread}(R_0^{even})$	$W_{49}^{b(7)lo}$	$\texttt{spread}(W_{49}^{b(7)lo})$	$W_{49}^{b(7)mid}$	$\texttt{spread}(W_{49}^{b(7)mid})$
0	0	0	0	0	0	0	0	1	{0,1,2,3,4,5}	$R_0^{odd}$	$\texttt{spread}(R_0^{odd})$	$\texttt{spread}(R_1^{odd})$	$\texttt{spread}(a)$	$\texttt{spread}(d)$	$W_{1}^{b(49)}$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_1^{even}$	$\texttt{spread}(R_1^{even})$	$W_{49}^{c(2)}$	$\texttt{spread}(W_{49}^{c(2)})$	$W_{49}^{b(7)hi}$	$\texttt{spread}(W_{49}^{b(7)hi})$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_1^{odd}$	$\texttt{spread}(R_1^{odd})$	$\sigma_1 v1 R_0$	$\sigma_1 v1 R_1$	$\sigma_1 v1 R_0^{even}$	$\sigma_1 v1 R_0^{odd}$
…	…	…	…	…	…	…	…	…	…	…	…	…	…	…	…	…	…
0	1	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$W_{62}^{lo}$	$\texttt{spread}(W_{62}^{lo})$	$W_{62}^{lo}$	$W_{62}^{hi}$	$W_{62}$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$W_{62}^{hi}$	$\texttt{spread}(W_{62}^{hi})$
0	1	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$W_{63}^{lo}$	$\texttt{spread}(W_{63}^{lo})$	$W_{63}^{lo}$	$W_{63}^{hi}$	$W_{63}$
0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$W_{63}^{hi}$	$\texttt{spread}(W_{63}^{hi})$

Constraints有：

sw: construct word using $reduce_4$
sd0: decomposition gate for $W_0, W_{62}, W_{63}$
- $W^{lo} + 2^{16} W^{hi} - W = 0$
sd1: decomposition gate for $W_{1..13}$ (split into $(3, 4, 11, 14)$ -bit pieces)
- $W^{a(3)} + 2^3 W^{b(4) lo} + 2^5 W^{b(4) hi} + 2^7 W^{c(11)} + 2^{18} W^{d(14)} - W = 0$
sd2: decomposition gate for $W_{14..48}$ (split into $(3, 4, 3, 7, 1, 1, 13)$ -bit pieces)
- $W^{a(3)} + 2^3 W^{b(4) lo} + 2^5 W^{b(4) hi} + 2^7 W^{c(11)} + 2^{10} W^{d(14)} + 2^{17} W^{e(1)} + 2^{18} W^{f(1)} + 2^{19} W^{g(13)} - W = 0$
sd3: decomposition gate for $W_{49..61}$ (split into $(10, 7, 2, 13)$ -bit pieces)
- $W^{a(10)} + 2^{10} W^{b(7) lo} + 2^{12} W^{b(7) mid} + 2^{15} W^{b(7) hi} + 2^{17} W^{c(2)} + 2^{19} W^{d(13)} - W = 0$

8.11 Compression region

+----------------------------------------------------------+
|                                                          |
|          decompose E,                                    |
|          Σ_1(E)                                          |
|                                                          |
|                  +---------------------------------------+
|                  |                                       |
|                  |        reduce_5() to get H'           |
|                  |                                       |
+----------------------------------------------------------+
|          decompose F, decompose G                        |
|                                                          |
|                        Ch(E,F,G)                         |
|                                                          |
+----------------------------------------------------------+
|                                                          |
|          decompose A,                                    |
|          Σ_0(A)                                          |
|                                                          |
|                                                          |
|                  +---------------------------------------+
|                  |                                       |
|                  |        reduce_7() to get A_new,       |
|                  |              using H'                 |
|                  |                                       |
+------------------+---------------------------------------+
|          decompose B, decompose C                        |
|                                                          |
|          Maj(A,B,C)                                      |
|                                                          |
|                  +---------------------------------------+
|                  |        reduce_6() to get E_new,       |
|                  |              using H'                 |
+------------------+---------------------------------------+

8.11.1 Initial round:

sd_abcd	sd_efgh	ss0	ss1	s_maj	s_ch_neg	s_ch	s_a_new	s_e_new	s_h_prime	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$	$a_5$	$a_6$	$a_7$	$a_8$	$a_9$
0	1	0	0	0	0	0	0	0	0	{0,1,2}	$F_0 d(7)$	$\texttt{spread}(E_0 d(7)) $	$E_0 b(5)^{lo}$	$\texttt{spread}(E_0 b(5)^{lo})$	$E_0 b(5)^{hi}$	$\texttt{spread}(E_0 b(5)^{hi}) $	$E_0^{lo}$	$\mathtt{spread}(E_0^{lo})$
0	0	0	0	0	0	0	0	0	0	{0,1}	$E_0 c(14)$	$\texttt{spread}(E_0 c(14))$	$E_0 a(6)^{lo}$	$\texttt{spread}(E_0 a(6)^{lo})$	$E_0 a(6)^{hi}$	$\texttt{spread}(E_0 a(6)^{hi}) $	$E_0^{hi}$	$\mathtt{spread}(E_0^{hi})$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_0^{even}$	$\texttt{spread}(R_0^{even})$	$\texttt{spread}(E_0 b(5)^{lo})$	$\texttt{spread}(E_0 b(5)^{hi})$
0	0	0	1	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_0^{odd}$	$\texttt{spread}(R_0^{odd})$	$\texttt{spread}(R_1^{odd})$	$\texttt{spread}(E_0 d(7))$	$\texttt{spread}(E_0 c(14))$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_1^{even}$	$\texttt{spread}(R_1^{even})$	$\texttt{spread}(E_0 a(6)^{lo})$	$\texttt{spread}(E_0 a(6)^{hi})$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_1^{odd}$	$\texttt{spread}(R_1^{odd})$
0	1	0	0	0	0	0	0	0	0	{0,1,2}	$F_0 d(7)$	$\texttt{spread}(F_0 d(7)) $	$F_0 b(5)^{lo}$	$\texttt{spread}(F_0 b(5)^{lo})$	$F_0 b(5)^{hi}$	$\texttt{spread}(F_0 b(5)^{hi}) $	$F_0^{lo}$	$\mathtt{spread}(F_0^{lo})$
0	0	0	0	0	0	0	0	0	0	{0,1}	$F_0 c(14)$	$\texttt{spread}(F_0 c(14))$	$F_0 a(6)^{lo}$	$\texttt{spread}(F_0 a(6)^{lo})$	$F_0 a(6)^{hi}$	$\texttt{spread}(F_0 a(6)^{hi}) $	$F_0^{hi}$	$\mathtt{spread}(F_0^{hi})$
0	1	0	0	0	0	0	0	0	0	{0,1,2}	$G_0 d(7)$	$\texttt{spread}(G_0 d(7)) $	$G_0 b(5)^{lo}$	$\texttt{spread}(G_0 b(5)^{lo})$	$G_0 b(5)^{hi}$	$\texttt{spread}(G_0 b(5)^{hi}) $	$G_0^{lo}$	$\mathtt{spread}(G_0^{lo})$
0	0	0	0	0	0	0	0	0	0	{0,1}	$G_0 c(14)$	$\texttt{spread}(G_0 c(14))$	$G_0 a(6)^{lo}$	$\texttt{spread}(G_0 a(6)^{lo})$	$G_0 a(6)^{hi}$	$\texttt{spread}(G_0 a(6)^{hi}) $	$G_0^{hi}$	$\mathtt{spread}(G_0^{hi})$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$P_0^{even}$	$\texttt{spread}(P_0^{even})$	$\mathtt{spread}(E^{lo})$	$\mathtt{spread}(E^{hi})$	$Q_0^{odd}$	$K_0^{lo}$	$H_0^{lo}$	$W_0^{lo}$
0	0	0	0	0	0	1	0	0	1	{0,1,2,3,4,5}	$P_0^{odd}$	$\texttt{spread}(P_0^{odd})$	$\texttt{spread}(P_1^{odd})$	$\Sigma_1(E_0)^{lo}$	$\Sigma_1(E_0)^{hi}$	$K_0^{hi}$	$H_0^{hi}$	$W_0^{hi}$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$P_1^{even}$	$\texttt{spread}(P_1^{even})$	$\mathtt{spread}(F^{lo})$	$\mathtt{spread}(F^{hi})$	$Q_1^{odd}$	$P_1^{odd}$	$Hprime_0^{lo}$	$Hprime_0^{hi}$	$Hprime_0 carry$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$P_1^{odd}$	$\texttt{spread}(P_1^{odd})$					$D_0^{lo}$	$E_1^{lo}$
0	0	0	0	0	0	0	0	1	0	{0,1,2,3,4,5}	$Q_0^{even}$	$\texttt{spread}(Q_0^{even})$	$\mathtt{spread}(E_{neg}^{lo})$	$\mathtt{spread}(E_{neg}^{hi})$	$\mathtt{spread}(E^{lo})$		$D_0^{hi}$	$E_1^{hi}$	$E_1 carry$
0	0	0	0	0	1	0	0	0	0	{0,1,2,3,4,5}	$Q_0^{odd}$	$\texttt{spread}(Q_0^{odd})$	$\texttt{spread}(Q_1^{odd})$		$\mathtt{spread}(E^{hi})$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$Q_1^{even}$	$\texttt{spread}(Q_1^{even})$	$\mathtt{spread}(G^{lo})$	$\mathtt{spread}(G^{hi})$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$Q_1^{odd}$	$\texttt{spread}(Q_1^{odd})$
1	0	0	0	0	0	0	0	0	0	{0,1,2}	$A_0 b(11)$	$\texttt{spread}(A_0 b(11))$	$A_0 c(9)^{lo}$	$\texttt{spread}(A_0 c(9)^{lo})$	$A_0 c(9)^{mid}$	$\texttt{spread}(A_0 c(9)^{mid})$	$A_0^{lo}$	$\mathtt{spread}(A_0^{lo})$
0	0	0	0	0	0	0	0	0	0	{0,1}	$A_0 d(10)$	$\texttt{spread}(A_0 d(10))$	$A_0 a(2)$	$\texttt{spread}(A_0 a(2))$	$A_0 c(9)^{hi}$	$\texttt{spread}(A_0 c(9)^{hi})$	$A_0^{hi}$	$\mathtt{spread}(A_0^{hi})$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_0^{even}$	$\texttt{spread}(R_0^{even})$	$\texttt{spread}(c(9)^{lo})$	$\texttt{spread}(c(9)^{mid})$
0	0	1	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_0^{odd}$	$\texttt{spread}(R_0^{odd})$	$\texttt{spread}(R_1^{odd})$	$\texttt{spread}(d(10))$	$\texttt{spread}(b(11))$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_1^{even}$	$\texttt{spread}(R_1^{even})$	$\texttt{spread}(a(2))$	$\texttt{spread}(c(9)^{hi})$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$R_1^{odd}$	$\texttt{spread}(R_1^{odd})$
1	0	0	0	0	0	0	0	0	0	{0,1,2}	$B_0 b(11)$	$\texttt{spread}(B_0 b(11))$	$B_0 c(9)^{lo}$	$\texttt{spread}(B_0 c(9)^{lo})$	$B_0 c(9)^{mid}$	$\texttt{spread}(B_0 c(9)^{mid})$	$B_0^{lo}$	$\mathtt{spread}(B_0^{lo})$
0	0	0	0	0	0	0	0	0	0	{0,1}	$B_0 d(10)$	$\texttt{spread}(B_0 d(10))$	$B_0 a(2)$	$\texttt{spread}(B_0 a(2))$	$B_0 c(9)^{hi}$	$\texttt{spread}(B_0 c(9)^{hi})$	$B_0^{hi}$	$\mathtt{spread}(B_0^{hi})$
1	0	0	0	0	0	0	0	0	0	{0,1,2}	$C_0 b(11)$	$\texttt{spread}(C_0 b(11))$	$C_0 c(9)^{lo}$	$\texttt{spread}(C_0 c(9)^{lo})$	$C_0 c(9)^{mid}$	$\texttt{spread}(C_0 c(9)^{mid})$	$C_0^{lo}$	$\mathtt{spread}(C_0^{lo})$
0	0	0	0	0	0	0	0	0	0	{0,1}	$C_0 d(10)$	$\texttt{spread}(C_0 d(10))$	$C_0 a(2)$	$\texttt{spread}(C_0 a(2))$	$C_0 c(9)^{hi}$	$\texttt{spread}(C_0 c(9)^{hi})$	$C_0^{hi}$	$\mathtt{spread}(C_0^{hi})$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$M_0^{even}$	$\texttt{spread}(M_0^{even})$	$M_1^{odd}$	$\mathtt{spread}(A_0^{lo})$	$\mathtt{spread}(A_0^{hi})$		$Hprime_0^{lo}$	$Hprime_0^{hi}$
0	0	0	0	1	0	0	1	0	0	{0,1,2,3,4,5}	$M_0^{odd}$	$\texttt{spread}(M_0^{odd})$	$\texttt{spread}(M_1^{odd})$	$\mathtt{spread}(B_0^{lo})$	$\mathtt{spread}(B_0^{hi})$	$\Sigma_0(A_0)^{lo}$		$A_1^{lo}$	$A_1 carry$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$M_1^{even}$	$\texttt{spread}(M_1^{even})$		$\mathtt{spread}(C_0^{lo})$	$\mathtt{spread}(C_0^{hi})$	$\Sigma_0(A_0)^{hi}$		$A_1^{hi}$
0	0	0	0	0	0	0	0	0	0	{0,1,2,3,4,5}	$M_1^{odd}$	$\texttt{spread}(M_1^{odd})$

8.11.2 Steady-state:

s_digest	sd_abcd	sd_efgh	ss0	ss1	s_maj	s_ch_neg	s_ch	s_a_new	s_e_new	s_h_prime	$a_0$	$a_1$	$a_2$	$a_3$	$a_4$	$a_5$	$a_6$	$a_7$	$a_8$	$a_9$

0   |   0   |   1   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |   {0,1,2}   |$F_0 d(7)$  |$\texttt{spread}(E_0 d(7)) $ |          $E_0 b(5)^{lo}$            | $\texttt{spread}(E_0 b(5)^{lo})$    |           $E_0 b(5)^{hi}$              |  $\texttt{spread}(E_0 b(5)^{hi}) $ |             $E_0^{lo}$             |  $\mathtt{spread}(E_0^{lo})$       |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |    {0,1}    |$E_0 c(14)$ |$\texttt{spread}(E_0 c(14))$ |          $E_0 a(6)^{lo}$            | $\texttt{spread}(E_0 a(6)^{lo})$    |           $E_0 a(6)^{hi}$              |  $\texttt{spread}(E_0 a(6)^{hi}) $ |             $E_0^{hi}$             |  $\mathtt{spread}(E_0^{hi})$       |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$R_0^{even}$|$\texttt{spread}(R_0^{even})$|   $\texttt{spread}(E_0 b(5)^{lo})$  |   $\texttt{spread}(E_0 b(5)^{hi})$  |                                        |                                    |                                    |                                    |                                    |
0   |   0   |   0   | 0 | 1 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$R_0^{odd}$ |$\texttt{spread}(R_0^{odd})$ |        $\texttt{spread}(R_1^{odd})$ |    $\texttt{spread}(E_0 d(7))$      |     $\texttt{spread}(E_0 c(14))$       |                                    |                                    |                                    |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$R_1^{even}$|$\texttt{spread}(R_1^{even})$|   $\texttt{spread}(E_0 a(6)^{lo})$  |   $\texttt{spread}(E_0 a(6)^{hi})$  |                                        |                                    |                                    |                                    |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$R_1^{odd}$ |$\texttt{spread}(R_1^{odd})$ |                                     |                                     |                                        |                                    |                                    |                                    |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$P_0^{even}$|$\texttt{spread}(P_0^{even})$|  $\mathtt{spread}(E^{lo})$          |      $\mathtt{spread}(E^{hi})$      |           $Q_0^{odd}$                  |             $K_0^{lo}$             |             $H_0^{lo}$             |             $W_0^{lo}$             |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 1  |    0   |    0   |    1    |{0,1,2,3,4,5}|$P_0^{odd}$ |$\texttt{spread}(P_0^{odd})$ | $\texttt{spread}(P_1^{odd})$        |        $\Sigma_1(E_0)^{lo}$         |       $\Sigma_1(E_0)^{hi}$             |             $K_0^{hi}$             |             $H_0^{hi}$             |             $W_0^{hi}$             |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$P_1^{even}$|$\texttt{spread}(P_1^{even})$|  $\mathtt{spread}(F^{lo})$          |      $\mathtt{spread}(F^{hi})$      |           $Q_1^{odd}$                  |            $P_1^{odd}$             |           $Hprime_0^{lo}$          |           $Hprime_0^{hi}$          |          $Hprime_0 carry$          |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$P_1^{odd}$ |$\texttt{spread}(P_1^{odd})$ |                                     |                                     |                                        |                                    |             $D_0^{lo}$             |             $E_1^{lo}$             |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    1   |    0    |{0,1,2,3,4,5}|$Q_0^{even}$|$\texttt{spread}(Q_0^{even})$| $\mathtt{spread}(E_{neg}^{lo})$     |    $\mathtt{spread}(E_{neg}^{hi})$  |     $\mathtt{spread}(E^{lo})$          |                                    |             $D_0^{hi}$             |             $E_1^{hi}$             |             $E_1 carry$            |
0   |   0   |   0   | 0 | 0 | 0   |    1   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$Q_0^{odd}$ |$\texttt{spread}(Q_0^{odd})$ | $\texttt{spread}(Q_1^{odd})$        |                                     |     $\mathtt{spread}(E^{hi})$          |                                    |                                    |                                    |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$Q_1^{even}$|$\texttt{spread}(Q_1^{even})$| $\mathtt{spread}(G^{lo})$           |       $\mathtt{spread}(G^{hi})$     |                                        |                                    |                                    |                                    |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$Q_1^{odd}$ |$\texttt{spread}(Q_1^{odd})$ |                                     |                                     |                                        |                                    |                                    |                                    |                                    |
0   |   1   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |   {0,1,2}   |$A_0 b(11)$ |$\texttt{spread}(A_0 b(11))$ |          $A_0 c(9)^{lo}$            | $\texttt{spread}(A_0 c(9)^{lo})$    |          $A_0 c(9)^{mid}$              | $\texttt{spread}(A_0 c(9)^{mid})$  |             $A_0^{lo}$             |  $\mathtt{spread}(A_0^{lo})$       |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |    {0,1}    |$A_0 d(10)$ |$\texttt{spread}(A_0 d(10))$ |              $A_0 a(2)$             | $\texttt{spread}(A_0 a(2))$         |          $A_0 c(9)^{hi}$               | $\texttt{spread}(A_0 c(9)^{hi})$   |             $A_0^{hi}$             |  $\mathtt{spread}(A_0^{hi})$       |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$R_0^{even}$|$\texttt{spread}(R_0^{even})$|    $\texttt{spread}(c(9)^{lo})$     |    $\texttt{spread}(c(9)^{mid})$    |                                        |                                    |                                    |                                    |                                    |
0   |   0   |   0   | 1 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$R_0^{odd}$ |$\texttt{spread}(R_0^{odd})$ |        $\texttt{spread}(R_1^{odd})$ |     $\texttt{spread}(d(10))$        |         $\texttt{spread}(b(11))$       |                                    |                                    |                                    |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$R_1^{even}$|$\texttt{spread}(R_1^{even})$|    $\texttt{spread}(a(2))$          |      $\texttt{spread}(c(9)^{hi})$   |                                        |                                    |                                    |                                    |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$R_1^{odd}$ |$\texttt{spread}(R_1^{odd})$ |                                     |                                     |                                        |                                    |                                    |                                    |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$M_0^{even}$|$\texttt{spread}(M_0^{even})$|              $M_1^{odd}$            |     $\mathtt{spread}(A_0^{lo})$     |     $\mathtt{spread}(A_0^{hi})$        |                                    |           $Hprime_0^{lo}$          |           $Hprime_0^{hi}$          |                                    |
0   |   0   |   0   | 0 | 0 | 1   |    0   | 0  |    1   |    0   |    0    |{0,1,2,3,4,5}|$M_0^{odd}$ |$\texttt{spread}(M_0^{odd})$ |    $\texttt{spread}(M_1^{odd})$     |     $\mathtt{spread}(B_0^{lo})$     |     $\mathtt{spread}(B_0^{hi})$        |        $\Sigma_0(A_0)^{lo}$        |                                    |             $A_1^{lo}$             |              $A_1 carry$           |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$M_1^{even}$|$\texttt{spread}(M_1^{even})$|                                     |     $\mathtt{spread}(C_0^{lo})$     |     $\mathtt{spread}(C_0^{hi})$        |        $\Sigma_0(A_0)^{hi}$        |                                    |             $A_1^{hi}$             |                                    |
0   |   0   |   0   | 0 | 0 | 0   |    0   | 0  |    0   |    0   |    0    |{0,1,2,3,4,5}|$M_1^{odd}$ |$\texttt{spread}(M_1^{odd})$ |                                     |                                     |                                        |                                    |                                    |                                    |                                    |

8.11.3 Final digest:

s_digest	$a_3$	$a_4$	$a_5$	$a_6$	$a_7$	$a_8$
1	$A_{63}^{lo}$	$A_{63}^{hi}$	$A_{63}$	$B_{63}^{lo}$	$B_{63}^{hi}$	$B_{63}$
0	$C_{63}^{lo}$	$C_{63}^{hi}$	$C_{63}$	$C_{63}^{lo}$	$C_{63}^{hi}$	$C_{63}$
1	$E_{63}^{lo}$	$E_{63}^{hi}$	$E_{63}$	$G_{63}^{lo}$	$G_{63}^{hi}$	$G_{63}$
0	$F_{63}^{lo}$	$F_{63}^{hi}$	$F_{63}$	$H_{63}^{lo}$	$H_{63}^{hi}$	$H_{63}$

参考资料

[1] Halo2中的SHA-256 Gadget

Halo2 学习笔记——Gadgets 之 SHA-256

1. 引言

2. Gadget interface

3. Chip instructions

4. 16-bit table chip for SHA-256

4.1 Compression round

4.2 Modular addition

4.3 Maj function

4.4 Ch function

4.5 Σ_0 function

4.6 Σ_1 function

5. Block decomposition

5.1 σ_0 function

5.2 σ_1 function

5.3 Message scheduling

6. Overall cost

7. Tables

7.1 spread table

8. Gates

8.1 Choice gate

8.2 E ∧ F

8.3 ¬E ∧ G

8.4 Majority gate

8.5 Σ_0 gate

8.6 Σ_1 gate

8.7 σ_0 gate

8.7.1 σ_0 gate–v1

8.7.2 σ_0 gate–v2

8.8 σ_1 gate

8.8.1 σ_1 gate–v1

8.8.2 σ_1 gate–v2

8.9 Helper gates

8.9.1 Small range constraints

8.9.2 2-bit range check

8.9.3 2-bit spread

8.9.4 3-bit range check

8.9.5 3-bit spread

8.9.6 reduce_6 gate

8.9.7 reduce_7 gate

8.10 Message scheduling region

8.11 Compression region

8.11.1 Initial round:

8.11.2 Steady-state:

8.11.3 Final digest:

参考资料

猜你喜欢

7.1 `spread` table