Struct Keccakf

pub struct Keccakf {
    pub input: StateMatrix<Col<B64>>,
    pub output: StateMatrix<Col<B64>>,
    /* private fields */
}

Keccak-f[1600] permutation function verification gadget.

This gadget consists of 3x horizontally combined batches of 8x rounds each, 24 rounds in total. You can think about it as 8x wide SIMD performing one permutation per a table row. Below is the graphical representation of the layout.

| Batch 0  | Batch 1  | Batch 3  |
|----------|----------|----------|
| Round 00 | Round 01 | Round 02 |
| Round 03 | Round 04 | Round 05 |
| Round 06 | Round 07 | Round 08 |
| Round 09 | Round 10 | Round 11 |
| Round 12 | Round 13 | Round 14 |
| Round 15 | Round 16 | Round 17 |
| Round 18 | Round 19 | Round 20 |
| Round 21 | Round 22 | Round 23 |

We refer to each individual round within a batch as a track. For example, the 7th ( zero-based here and henceforth) track of the 1st batch is responsible for the 22nd round.

Each batch exposes two notable columns: state_in and state which are inputs and outputs respectively for the rounds in each batch. Both of those has the type of StateMatrix containing PackedLane8. Let’s break those down.

StateMatrix is a concept coming from the keccak which represents a 5x5 matrix. In keccak each cell is a 64-bit integer called lane. In our case however, since the SIMD-like approach, each cell is represented by a pack of columns - one for each track and this is what PackedLane8 represents.

To feed the input to permutation, you need to initialize the state_in column of the 0th batch with the input state matrix. See Self::populate_state_in if you have values handy.

Fields

input: StateMatrix<Col<B64>>

The lanes of the input and output state columns. These are exposed to make it convenient to use the gadget along with flushing.

output: StateMatrix<Col<B64>>

Implementations

impl Keccakf

pub fn new(table: &mut TableBuilder<'_>) -> Self

Creates a new instance of the gadget.

See the struct documentation for more details.

pub fn populate<P>(&self, index: &mut TableWitnessSegment<'_, P>) -> Result<()>

where P: PackedFieldIndexable<Scalar = B128> + PackedExtension<B1> + PackedExtension<B8> + PackedExtension<B64>, PackedSubfield<P, B8>: PackedTransformationFactory<PackedSubfield<P, B8>>,

Populate the gadget.

Requires state in already to be populated. To populate with known values use Self::populate_state_in.

pub fn packed_state_in(&self) -> &StateMatrix<PackedLane8>

Returns the state_in column for the 0th batch. The input to the permutation is at the 0th track.

pub fn packed_state_out(&self) -> &StateMatrix<PackedLane8>

Returns the state_out column for the 2nd batch. The output of the permutation is at the 7th track.

pub fn populate_state_in<'a, P>( &self, index: &mut TableWitnessSegment<'_, P>, state_ins: impl IntoIterator<Item = &'a StateMatrix<u64>>, ) -> Result<()>

where P: PackedFieldIndexable<Scalar = B128> + PackedExtension<B1> + PackedExtension<B8>, PackedSubfield<P, B8>: PackedTransformationFactory<PackedSubfield<P, B8>>,

Populate the input state of the permutation.

pub fn read_state_outs<'a, P>( &self, index: &'a TableWitnessSegment<'_, P>, ) -> Result<impl Iterator<Item = StateMatrix<u64>> + 'a>

where P: PackedFieldIndexable<Scalar = B128> + PackedExtension<B1> + PackedExtension<B8>, PackedSubfield<P, B8>: PackedTransformationFactory<PackedSubfield<P, B8>>,

Read the resulting states of permutation, one item per row.

Only makes sense to call after Self::populate was called.