-
Notifications
You must be signed in to change notification settings - Fork 1
spec: ECSM
#655
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
erik-3milabs
wants to merge
43
commits into
spec/main
Choose a base branch
from
spec/ecsm
base: spec/main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
spec: ECSM
#655
Changes from all commits
Commits
Show all changes
43 commits
Select commit
Hold shift + click to select a range
884c5ad
spec/EC: introduce ECSM
erik-3milabs 1c274bd
spec/ECSM: introduce EC_SCALAR
erik-3milabs d2d08d8
spec/ECSM: introduce ECDAS
erik-3milabs 3a46d5a
spec/ECSM: two carry proofs
erik-3milabs bd64b62
spec/ECSM: update lemma
erik-3milabs d098975
spec/ECSM: carry computation tool
erik-3milabs 47a5be3
spec/ECSM: fix lint issues
erik-3milabs b9530a9
spec/ECSM: update extension names
erik-3milabs 5ae2283
spec/ECSM: update introduction
erik-3milabs e3848b5
Spec/ECSM: update ecsm to work with offsets
erik-3milabs fe4e3dd
spec/ECDAS: update non-inf argumentation
erik-3milabs 7e12156
spec: fix cwrap for repeated subtractions
erik-3milabs 7988057
spec/ECSM: tweaks and fixes
erik-3milabs 6db8da4
spec/ECSM: fix scalar read/serve timestamp
erik-3milabs aab3904
spec/ecsm: more tweaks and fixes
erik-3milabs 0a9d87e
spec/ECSM: update carries
erik-3milabs d9a1c3e
spec/ECSM: drop carry.py
erik-3milabs 33d65ea
Apply suggestions from code review
erik-3milabs bac746b
Update spec/ecsm.typ
erik-3milabs f604cd5
spec/ECSM: fix incorrect carry index
erik-3milabs 18a815a
spec/ECSM: fix recursive `SERVE_K` multiplicity
erik-3milabs d7cefb2
spec/ECSM: define padding
erik-3milabs 1b4a50d
spec/ECSM: fix missing trailing emptyline
erik-3milabs 1764697
spec/ECDAS: fix missing multiplicity range check
erik-3milabs 93c7eb0
spec/ECDAS: fix BIT-interaction multiplicity negation
erik-3milabs 33e846e
spec/ECSM: fix padding bug
erik-3milabs ab4d3de
spec/ECDAS: range-check `op`
erik-3milabs 1bf0b01
spec/ECSM: invert BIT-multiplicities
erik-3milabs 10f7657
spec/ECSM: rename `len_k` as `idx_k`
erik-3milabs 594c17b
spec/ECSM: update ECALL-number
erik-3milabs ba299d4
spec/ECSM: update accelerator's interval for p
erik-3milabs 6e2d99b
spec/ECSM: fix typo
erik-3milabs 601b681
spec/ECSM: update no-inf clarification
erik-3milabs af3818e
spec/ECDAS: codify assumptions
erik-3milabs 0c13fad
spec/ECSM: remove invalid x_G
erik-3milabs 717bfc6
spec/ECMS: generalize impossible y=0 argument
erik-3milabs 845b550
spec/ECSM: extract carry magic numbers as constants.
erik-3milabs 3a90432
spec/ECSM: fix quotient bound off-by-fews
erik-3milabs 674b098
spec/ECSM: fix unclear division notation
erik-3milabs 958f274
spec/ECSM: update ECDAS mathematical overview
erik-3milabs 0e7dffc
spec: introduce attention-block
erik-3milabs 2ff2ac0
spec/ECSM: update background and overview
erik-3milabs f78f9d7
spec: fix lint-breaking typo
erik-3milabs File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| name = "EC_SCALAR" | ||
|
|
||
| [[variables.input]] | ||
| name = "timestamp" | ||
| type = "DWordWL" | ||
| desc = "timestamp at which to serve the constant" | ||
| pad = 0 | ||
|
|
||
| [[variables.input]] | ||
| name = "ptr" | ||
| type = "DWordWL" | ||
| desc = "pointer to the first byte of the scalar" | ||
| pad = 0 | ||
|
|
||
| [[variables.input]] | ||
| name = "offset" | ||
| type = "Byte" | ||
| desc = "index of limb" | ||
| pad = 0 | ||
|
|
||
| [[variables.auxiliary]] | ||
| name = "limb_bits" | ||
| type = ["Bit", 8] | ||
| desc = "bit-decomposition of the limb being read" | ||
| pad = ["arr", 0, 0, 0, 0, 0, 0, 0, 0] | ||
|
|
||
| [[variables.auxiliary]] | ||
| name = "last_limb" | ||
| type = "Bit" | ||
| desc = "whether this is the last limb to read" | ||
| pad = 0 | ||
|
|
||
| [[variables.virtual]] | ||
| name = "limb" | ||
| type = "Byte" | ||
| desc = "limb being read" | ||
| def = {poly=["sum", ["=", "i", 0], 7, ["*", ["^", 2, "i"], ["idx", "limb_bits", "i"]]]} | ||
|
|
||
| [[variables.multiplicity]] | ||
| name = "μ" | ||
| type = "Bit" | ||
| desc = "" | ||
| pad = 0 | ||
|
|
||
| [[assumptions]] | ||
| desc = "$#`ptr` + #`offset`$ does not overflow the bottom limb" | ||
|
|
||
| [[constraint_groups]] | ||
| name = "recv" | ||
|
|
||
| [[constraints.recv]] | ||
| kind = "interaction" | ||
| tag = "SERVE_K" | ||
| input = ["timestamp", "ptr", "offset"] | ||
| multiplicity = ["-", "μ"] | ||
|
|
||
| [[constraints.recv]] | ||
| kind = "template" | ||
| tag = "IS_BIT" | ||
| input = ["μ"] | ||
|
|
||
| [[constraint_groups]] | ||
| name = "read" | ||
|
|
||
| [[constraints.read]] | ||
| kind = "interaction" | ||
| tag = "MEMW" | ||
| input = [0, ["+", "ptr", ["arr", ["cast", "offset", "Word"], 0]], ["arr", "limb", 0, 0, 0, 0, 0, 0, 0], ["+", "timestamp", ["cast", 1, "DWordWL"]], 0, 0, 0] | ||
| output = ["arr", "limb", 0, 0, 0, 0, 0, 0, 0] | ||
| multiplicity = "μ" | ||
|
|
||
| [[constraints.read]] | ||
| kind = "template" | ||
| tag = "IS_BIT" | ||
| input = [["idx", "limb_bits", "i"]] | ||
| iter = ["i", 0, 7] | ||
|
|
||
|
|
||
| [[constraint_groups]] | ||
| name = "serve" | ||
|
|
||
| [[constraints.serve]] | ||
| kind = "interaction" | ||
| tag = "BIT" | ||
| input = ["timestamp", ["+", ["*", 8, "offset"], "i"]] | ||
| iter = ["i", 0, 7] | ||
| multiplicity = ["-", ["idx", "limb_bits", "i"]] | ||
|
|
||
| [[constraints.serve]] | ||
| kind = "arith" | ||
| constraint = "$#`limb_bits`_i = 1 => #`μ` = 1$" | ||
| poly = ["*", ["idx", "limb_bits", "i"], ["not", "μ"]] | ||
| iter = ["i", 0, 7] | ||
|
|
||
| [[constraint_groups]] | ||
| name = "recurse" | ||
|
|
||
| [[constraints.recurse]] | ||
| kind = "template" | ||
| tag = "IS_BIT" | ||
| input = ["last_limb"] | ||
|
|
||
| [[constraints.recurse]] | ||
| kind = "arith" | ||
| constraint = "$#`last_limb` = 1 => #`μ` = 1$" | ||
| poly = ["*", "last_limb", ["not", "μ"]] | ||
|
|
||
| [[constraints.recurse]] | ||
| kind = "arith" | ||
| constraint = "$#`last_limb` = 1 => #`offset` = 0$" | ||
| poly = ["*", "last_limb", "offset"] | ||
|
|
||
| [[constraints.recurse]] | ||
| kind = "interaction" | ||
| tag = "SERVE_K" | ||
| input = ["timestamp", "ptr", ["-", "offset", 1]] | ||
| multiplicity = ["-", "μ", "last_limb"] | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are we doing a bunch of MEMWs in this chip? The calling ECSM has already read all of K into byte limbs, so we can just take in the limb as input and decompose it, right?
I guess the reason is that EC_SCALAR recurses onto itself, reducing the interactions in the ECSM table, but I think for total area it'd be better feed in the bytes directly; at which point, there may be some tradeoff between how many bits EC_SCALAR does at once for width vs depth, but again probably total area tells us to just make it 256 wide?
In the case 256 columns wide wouldn't be the right call, just making multiple calls into EC_SCALAR from ECSM should nevertheless still be the same area cost as the recursion, but simpler because there's no recursion logic to be performed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There may even be some approach where we avoid the recursion of ECDAS as well, and simply let the EC_SCALAR chip emit the sequence of double/add steps that need to be performed. Not entirely sure if that wouldn't introduce too many more interactions atm, but it's potentially cleaner than having to reason about the recursion stopping.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I ran the numbers, and you're right: switching would save 32 interactions and 160 cells per
ECSM-call.You're right: Making EC-SCALAR work on all 256 bits at once would reduce the cell-footprint by another ~15% (from 320 to 257).
In fact, we can go even one step further, and merge
EC-SCALARintoECSM. This would save 2 interactions (the transfer ofkfrom ECSM to EC-SCALAR, on both chips) and 33 cells (= multiplicity onEC-SCALAR+ the byte representation ofkonECSMcan be virtualized from the individual bits).The thing I keep returning to, is whether padding isn't screwing with minimizing total area as a heuristic. I'll spend some time this afternoon to investigate this for a bit.