miden-core 0.23.0

Miden VM core components
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279

//! Low-level Poseidon2 hasher functions and constants.
//!
//! This module provides core hashing primitives for the Poseidon2 hash function, including:
//! - Constants defining the hasher state layout (STATE_WIDTH, RATE_LEN, NUM_ROUNDS)
//! - Pass-through functions for common hash operations (merge, hash_elements)
//! - Step-by-step permutation functions for fine-grained control (apply_round, apply_permutation)
//!
//! This module serves as a thin wrapper around `miden_crypto::hash::Poseidon2`, providing
//! a consistent interface for the Miden VM's hashing needs. For higher-level hasher chiplet
//! functionality, see the trace and processor modules.

use miden_crypto::Word as Digest;

use super::Felt;
pub use crate::crypto::hash::Poseidon2 as Hasher;

/// Number of field element needed to represent the sponge state for the hash function.
///
/// This value is set to 12: 8 elements are reserved for rate and the remaining 4 elements are
/// reserved for capacity. This configuration enables computation of 2-to-1 hash in a single
/// permutation.
pub const STATE_WIDTH: usize = Hasher::STATE_WIDTH;

/// Number of field elements in the rate portion of the hasher's state.
pub const RATE_LEN: usize = 8;

/// Number of Poseidon2 step transitions used by the hasher reference schedule.
///
/// For Poseidon2, we model the permutation as 31 step transitions. This corresponds to an
/// initial external linear layer, 4 initial external rounds, 22 internal rounds, and 4 terminal
/// external rounds:
/// - step 0: initial external linear layer
/// - steps 1..=4: initial external rounds
/// - steps 5..=26: internal rounds
/// - steps 27..=30: terminal external rounds
///
/// The hasher chiplet packs this 31-step schedule into a 16-row permutation cycle, but the
/// stepwise reference API keeps the original 31-step numbering because it is convenient for tests
/// and cross-checking against the uncompressed permutation schedule.
pub const NUM_ROUNDS: usize = 31;

// PASS-THROUGH FUNCTIONS
// ================================================================================================

/// Returns a hash of two digests. This method is intended for use in construction of Merkle trees.
#[inline(always)]
pub fn merge(values: &[Digest; 2]) -> Digest {
    Hasher::merge(values)
}

/// Returns a hash of two digests with a specified domain.
#[inline(always)]
pub fn merge_in_domain(values: &[Digest; 2], domain: Felt) -> Digest {
    Hasher::merge_in_domain(values, domain)
}

/// Returns a hash of the provided list of field elements.
#[inline(always)]
pub fn hash_elements(elements: &[Felt]) -> Digest {
    Hasher::hash_elements(elements)
}

/// Applies a single Poseidon2 "step" to the provided state.
///
/// The step number must be specified via `round` parameter, which must be between 0 and 30
/// (both inclusive).
#[inline(always)]
pub fn apply_round(state: &mut [Felt; STATE_WIDTH], round: usize) {
    apply_poseidon2_step(state, round)
}

/// Applies the Poseidon2 permutation to the provided state.
#[inline(always)]
pub fn apply_permutation(state: &mut [Felt; STATE_WIDTH]) {
    Hasher::apply_permutation(state)
}

// POSEIDON2 STEP IMPLEMENTATION
// ================================================================================================

/// Applies a single Poseidon2 permutation step to the state.
///
/// The step number maps to the hasher chiplet trace rows:
/// - step 0: initial external linear layer
/// - steps 1..=4: initial external rounds
/// - steps 5..=26: internal rounds
/// - steps 27..=30: terminal external rounds
#[inline(always)]
fn apply_poseidon2_step(state: &mut [Felt; STATE_WIDTH], step: usize) {
    match step {
        0 => {
            // Initial external linear layer.
            Hasher::apply_matmul_external(state);
        },
        1..=4 => {
            // Initial external partial rounds.
            Hasher::add_rc(state, &Hasher::ARK_EXT_INITIAL[step - 1]);
            Hasher::apply_sbox(state);
            Hasher::apply_matmul_external(state);
        },
        5..=26 => {
            // Internal full rounds.
            state[0] += Hasher::ARK_INT[step - 5];
            state[0] = state[0].exp_const_u64::<7>();
            Hasher::matmul_internal(state, Hasher::MAT_DIAG);
        },
        27..=30 => {
            // Terminal external partial rounds.
            Hasher::add_rc(state, &Hasher::ARK_EXT_TERMINAL[step - 27]);
            Hasher::apply_sbox(state);
            Hasher::apply_matmul_external(state);
        },
        _ => panic!("invalid poseidon2 step {step}, expected 0..30"),
    }
}

// TESTS
// ================================================================================================

#[cfg(test)]
mod tests {
    use super::*;

    /// Verifies that applying all 31 steps produces the same result as `apply_permutation`.
    #[test]
    fn apply_round_matches_permutation() {
        // Test with zeros
        let mut state_stepwise = [Felt::ZERO; STATE_WIDTH];
        let mut state_permutation = [Felt::ZERO; STATE_WIDTH];

        for i in 0..NUM_ROUNDS {
            apply_round(&mut state_stepwise, i);
        }
        apply_permutation(&mut state_permutation);

        assert_eq!(state_stepwise, state_permutation, "mismatch with zero state");

        // Test with sequential values
        let mut state_stepwise: [Felt; STATE_WIDTH] =
            core::array::from_fn(|i| Felt::new_unchecked(i as u64));
        let mut state_permutation = state_stepwise;

        for i in 0..NUM_ROUNDS {
            apply_round(&mut state_stepwise, i);
        }
        apply_permutation(&mut state_permutation);

        assert_eq!(state_stepwise, state_permutation, "mismatch with sequential state");

        // Test with arbitrary values
        let mut state_stepwise: [Felt; STATE_WIDTH] = [
            Felt::new_unchecked(0x123456789abcdef0_u64),
            Felt::new_unchecked(0xfedcba9876543210_u64),
            Felt::new_unchecked(0x0011223344556677_u64),
            Felt::new_unchecked(0x8899aabbccddeeff_u64),
            Felt::new_unchecked(0xdeadbeefcafebabe_u64),
            Felt::new_unchecked(0x1234567890abcdef_u64),
            Felt::new_unchecked(0x1234567890abcdef_u64),
            Felt::new_unchecked(0x0badc0debadf00d0_u64),
            Felt::new_unchecked(0x1111111111111111_u64),
            Felt::new_unchecked(0x2222222222222222_u64),
            Felt::new_unchecked(0x3333333333333333_u64),
            Felt::new_unchecked(0x4444444444444444_u64),
        ];
        let mut state_permutation = state_stepwise;

        for i in 0..NUM_ROUNDS {
            apply_round(&mut state_stepwise, i);
        }
        apply_permutation(&mut state_permutation);

        assert_eq!(state_stepwise, state_permutation, "mismatch with random state");
    }

    /// Verifies that intermediate steps are computed correctly by checking that two
    /// half-permutations produce the same result as a full permutation.
    #[test]
    fn apply_round_intermediate_states() {
        let init_state: [Felt; STATE_WIDTH] =
            core::array::from_fn(|i| Felt::new_unchecked((i + 1) as u64));

        // Apply first half of rounds
        let mut state_half1 = init_state;
        for i in 0..15 {
            apply_round(&mut state_half1, i);
        }

        // Apply second half of rounds
        let mut state_half2 = state_half1;
        for i in 15..NUM_ROUNDS {
            apply_round(&mut state_half2, i);
        }

        // Compare with full permutation
        let mut state_full = init_state;
        apply_permutation(&mut state_full);

        assert_eq!(state_half2, state_full, "split application doesn't match full permutation");
    }

    /// Verifies that the 16-row packed permutation schedule produces the same result
    /// as the reference `apply_permutation`.
    ///
    /// The packed schedule:
    /// - init + ext1 (merged)
    /// - ext2, ext3, ext4
    /// - 7 x (3 packed internal rounds)
    /// - int22 + ext5 (merged)
    /// - ext6, ext7, ext8
    #[test]
    fn packed_16row_matches_permutation() {
        let test_states: [_; 3] = [
            [Felt::ZERO; STATE_WIDTH],
            core::array::from_fn(|i| Felt::new_unchecked(i as u64)),
            [
                Felt::new_unchecked(0x123456789abcdef0),
                Felt::new_unchecked(0xfedcba9876543210),
                Felt::new_unchecked(0x0011223344556677),
                Felt::new_unchecked(0x8899aabbccddeeff),
                Felt::new_unchecked(0xdeadbeefcafebabe),
                Felt::new_unchecked(0x1234567890abcdef),
                Felt::new_unchecked(0x1234567890abcdef),
                Felt::new_unchecked(0x0badc0debadf00d0),
                Felt::new_unchecked(0x1111111111111111),
                Felt::new_unchecked(0x2222222222222222),
                Felt::new_unchecked(0x3333333333333333),
                Felt::new_unchecked(0x4444444444444444),
            ],
        ];

        for (idx, init_state) in test_states.iter().enumerate() {
            let mut state = *init_state;

            // Init + ext1 (merged)
            Hasher::apply_matmul_external(&mut state);
            Hasher::add_rc(&mut state, &Hasher::ARK_EXT_INITIAL[0]);
            Hasher::apply_sbox(&mut state);
            Hasher::apply_matmul_external(&mut state);

            // Ext2, ext3, ext4
            for r in 1..=3 {
                Hasher::add_rc(&mut state, &Hasher::ARK_EXT_INITIAL[r]);
                Hasher::apply_sbox(&mut state);
                Hasher::apply_matmul_external(&mut state);
            }

            // 7 x (3 packed internal rounds)
            for triple in 0..7_usize {
                let base = triple * 3;
                for k in 0..3 {
                    state[0] += Hasher::ARK_INT[base + k];
                    state[0] = state[0].exp_const_u64::<7>();
                    Hasher::matmul_internal(&mut state, Hasher::MAT_DIAG);
                }
            }

            // Int22 + ext5 (merged)
            state[0] += Hasher::ARK_INT[21];
            state[0] = state[0].exp_const_u64::<7>();
            Hasher::matmul_internal(&mut state, Hasher::MAT_DIAG);
            Hasher::add_rc(&mut state, &Hasher::ARK_EXT_TERMINAL[0]);
            Hasher::apply_sbox(&mut state);
            Hasher::apply_matmul_external(&mut state);

            // Ext6, ext7, ext8
            for r in 1..=3 {
                Hasher::add_rc(&mut state, &Hasher::ARK_EXT_TERMINAL[r]);
                Hasher::apply_sbox(&mut state);
                Hasher::apply_matmul_external(&mut state);
            }

            // Compare with reference
            let mut reference = *init_state;
            apply_permutation(&mut reference);

            assert_eq!(state, reference, "packed schedule mismatch for test state {idx}");
        }
    }
}