Merge pull request #3201 from ProvableHQ/feat/raw-commitments

[Feat] Introduce `commit.*.raw` instructions

Author: vicsn

console/network/src/consensus_heights.rs

@@ -54,7 +54,7 @@ pub enum ConsensusVersion {
     ///      Introduces `aleo::GENERATOR`, `aleo::GENERATOR_POWERS`, `snark.verify` opcodes,
     ///      and dynamic dispatch, and identifier literal types.
     V14 = 14,
-    /// V15: Introduces the record-existence check.
+    /// V15: Introduces the record-existence check and `commit.*.raw` instruction variants.
     V15 = 15,
 }
 

synthesizer/process/src/cost.rs

@@ -542,6 +542,24 @@ pub fn cost_per_command<N: Network>(
         Command::Instruction(Instruction::CommitPED128(commit)) => {
             cost_in_size(stack, finalize_types, commit.operands(), HASH_PER_BYTE_COST, HASH_BASE_COST)
         }
+        Command::Instruction(Instruction::CommitBHP256Raw(commit)) => {
+            cost_in_size(stack, finalize_types, commit.operands(), HASH_BHP_PER_BYTE_COST, HASH_BHP_BASE_COST)
+        }
+        Command::Instruction(Instruction::CommitBHP512Raw(commit)) => {
+            cost_in_size(stack, finalize_types, commit.operands(), HASH_BHP_PER_BYTE_COST, HASH_BHP_BASE_COST)
+        }
+        Command::Instruction(Instruction::CommitBHP768Raw(commit)) => {
+            cost_in_size(stack, finalize_types, commit.operands(), HASH_BHP_PER_BYTE_COST, HASH_BHP_BASE_COST)
+        }
+        Command::Instruction(Instruction::CommitBHP1024Raw(commit)) => {
+            cost_in_size(stack, finalize_types, commit.operands(), HASH_BHP_PER_BYTE_COST, HASH_BHP_BASE_COST)
+        }
+        Command::Instruction(Instruction::CommitPED64Raw(commit)) => {
+            cost_in_size(stack, finalize_types, commit.operands(), HASH_PER_BYTE_COST, HASH_BASE_COST)
+        }
+        Command::Instruction(Instruction::CommitPED128Raw(commit)) => {
+            cost_in_size(stack, finalize_types, commit.operands(), HASH_PER_BYTE_COST, HASH_BASE_COST)
+        }
         Command::Instruction(Instruction::DeserializeBits(deserialize)) => {
             Ok(plaintext_size_in_bytes(stack, &PlaintextType::Array(deserialize.operand_type().clone()))?
                 .saturating_mul(CAST_PER_BYTE_COST)

synthesizer/process/src/stack/register_types/initialize.rs

@@ -686,6 +686,30 @@ impl<N: Network> RegisterTypes<N> {
                 matches!(instruction, Instruction::CommitPED128(..)),
                 "Instruction '{instruction}' is not for opcode '{opcode}'."
             ),
+            "commit.bhp256.raw" => ensure!(
+                matches!(instruction, Instruction::CommitBHP256Raw(..)),
+                "Instruction '{instruction}' is not for opcode '{opcode}'."
+            ),
+            "commit.bhp512.raw" => ensure!(
+                matches!(instruction, Instruction::CommitBHP512Raw(..)),
+                "Instruction '{instruction}' is not for opcode '{opcode}'."
+            ),
+            "commit.bhp768.raw" => ensure!(
+                matches!(instruction, Instruction::CommitBHP768Raw(..)),
+                "Instruction '{instruction}' is not for opcode '{opcode}'."
+            ),
+            "commit.bhp1024.raw" => ensure!(
+                matches!(instruction, Instruction::CommitBHP1024Raw(..)),
+                "Instruction '{instruction}' is not for opcode '{opcode}'."
+            ),
+            "commit.ped64.raw" => ensure!(
+                matches!(instruction, Instruction::CommitPED64Raw(..)),
+                "Instruction '{instruction}' is not for opcode '{opcode}'."
+            ),
+            "commit.ped128.raw" => ensure!(
+                matches!(instruction, Instruction::CommitPED128Raw(..)),
+                "Instruction '{instruction}' is not for opcode '{opcode}'."
+            ),
             _ => bail!("Instruction '{instruction}' is not for opcode '{opcode}'."),
         }
         Ok(())

synthesizer/program/src/lib.rs

@@ -1323,6 +1323,36 @@ impl<N: Network> ProgramCore<N> {
         Ok(false)
     }
 
+    /// Returns `true` if a program contains any V15 syntax.
+    /// This includes:
+    /// 1. `commit.*.raw` opcodes (raw commit variants).
+    ///
+    /// This is enforced to be `false` for programs before `ConsensusVersion::V15`.
+    #[inline]
+    pub fn contains_v15_syntax(&self) -> bool {
+        // Helper to check if an opcode is a raw commit variant.
+        let has_op = |opcode: &str| opcode.starts_with("commit.") && opcode.ends_with(".raw");
+
+        // Determine if any function instructions contain the new syntax.
+        let function_contains = cfg_iter!(self.functions())
+            .flat_map(|(_, function)| function.instructions())
+            .any(|instruction| has_op(*instruction.opcode()));
+
+        // Determine if any closure instructions contain the new syntax.
+        let closure_contains = cfg_iter!(self.closures())
+            .flat_map(|(_, closure)| closure.instructions())
+            .any(|instruction| has_op(*instruction.opcode()));
+
+        // Determine if any finalize commands or constructor commands contain the new syntax.
+        let command_contains = cfg_iter!(self.functions())
+            .flat_map(|(_, function)| function.finalize_logic().map(|finalize| finalize.commands()))
+            .flatten()
+            .chain(cfg_iter!(self.constructor).flat_map(|constructor| constructor.commands()))
+            .any(|command| matches!(command, Command::Instruction(instruction) if has_op(*instruction.opcode())));
+
+        function_contains || closure_contains || command_contains
+    }
+
     /// Returns `true` if a program contains any string type.
     /// Before ConsensusVersion::V12, variable-length string sampling when using them as inputs caused deployment synthesis to be inconsistent and abort with probability 63/64.
     /// After ConsensusVersion::V12, string types are disallowed.

synthesizer/program/src/logic/instruction/mod.rs

@@ -93,6 +93,18 @@ pub enum Instruction<N: Network> {
     CommitPED64(CommitPED64<N>),
     /// Performs a Pedersen commitment on up to a 128-bit input.
     CommitPED128(CommitPED128<N>),
+    /// Performs a BHP commitment on the input's raw bits in 256-bit chunks.
+    CommitBHP256Raw(CommitBHP256Raw<N>),
+    /// Performs a BHP commitment on the input's raw bits in 512-bit chunks.
+    CommitBHP512Raw(CommitBHP512Raw<N>),
+    /// Performs a BHP commitment on the input's raw bits in 768-bit chunks.
+    CommitBHP768Raw(CommitBHP768Raw<N>),
+    /// Performs a BHP commitment on the input's raw bits in 1024-bit chunks.
+    CommitBHP1024Raw(CommitBHP1024Raw<N>),
+    /// Performs a Pedersen commitment on the input's raw bits up to a 64-bit input.
+    CommitPED64Raw(CommitPED64Raw<N>),
+    /// Performs a Pedersen commitment on the input's raw bits up to a 128-bit input.
+    CommitPED128Raw(CommitPED128Raw<N>),
     /// Deserializes the bits into a value.
     DeserializeBits(DeserializeBits<N>),
     /// Deserializes the raw bits into a value.
@@ -462,6 +474,14 @@ macro_rules! instruction {
             SnarkVerify,
             SnarkVerifyBatch,
 
+            // New opcodes added in `ConsensusVersion::V15`
+            CommitBHP256Raw,
+            CommitBHP512Raw,
+            CommitBHP768Raw,
+            CommitBHP1024Raw,
+            CommitPED64Raw,
+            CommitPED128Raw,
+
             // New opcodes should be added here, with a comment on which consensus version they were added in.
         }}
     };
@@ -685,7 +705,7 @@ mod tests {
         // Sanity check the number of instructions is unchanged.
         // Note that the number of opcodes **MUST NOT** exceed u16::MAX.
         assert_eq!(
-            123,
+            129,
             Instruction::<CurrentNetwork>::OPCODES.len(),
             "Update me if the number of instructions changes."
         );

synthesizer/program/src/logic/instruction/operation/commit.rs

@@ -33,15 +33,35 @@ pub type CommitPED64<N> = CommitInstruction<N, { CommitVariant::CommitPED64 as u
 /// Pedersen128 is a collision-resistant function that processes inputs in 128-bit chunks.
 pub type CommitPED128<N> = CommitInstruction<N, { CommitVariant::CommitPED128 as u8 }>;
 
+/// BHP256 commit over raw bits (no type-tagged serialization).
+pub type CommitBHP256Raw<N> = CommitInstruction<N, { CommitVariant::CommitBHP256Raw as u8 }>;
+/// BHP512 commit over raw bits.
+pub type CommitBHP512Raw<N> = CommitInstruction<N, { CommitVariant::CommitBHP512Raw as u8 }>;
+/// BHP768 commit over raw bits.
+pub type CommitBHP768Raw<N> = CommitInstruction<N, { CommitVariant::CommitBHP768Raw as u8 }>;
+/// BHP1024 commit over raw bits.
+pub type CommitBHP1024Raw<N> = CommitInstruction<N, { CommitVariant::CommitBHP1024Raw as u8 }>;
+/// Pedersen64 commit over raw bits.
+pub type CommitPED64Raw<N> = CommitInstruction<N, { CommitVariant::CommitPED64Raw as u8 }>;
+/// Pedersen128 commit over raw bits.
+pub type CommitPED128Raw<N> = CommitInstruction<N, { CommitVariant::CommitPED128Raw as u8 }>;
+
 /// Which commit function to use.
-#[derive(Debug, Clone, Eq, PartialEq)]
+#[derive(Debug, Copy, Clone, Eq, PartialEq)]
 pub enum CommitVariant {
     CommitBHP256,
     CommitBHP512,
     CommitBHP768,
     CommitBHP1024,
     CommitPED64,
     CommitPED128,
+    // The variants that commit over raw inputs.
+    CommitBHP256Raw,
+    CommitBHP512Raw,
+    CommitBHP768Raw,
+    CommitBHP1024Raw,
+    CommitPED64Raw,
+    CommitPED128Raw,
 }
 
 impl CommitVariant {
@@ -54,9 +74,21 @@ impl CommitVariant {
             3 => "commit.bhp1024",
             4 => "commit.ped64",
             5 => "commit.ped128",
-            6.. => panic!("Invalid 'commit' instruction opcode"),
+            // The variants that commit over raw inputs.
+            6 => "commit.bhp256.raw",
+            7 => "commit.bhp512.raw",
+            8 => "commit.bhp768.raw",
+            9 => "commit.bhp1024.raw",
+            10 => "commit.ped64.raw",
+            11 => "commit.ped128.raw",
+            12.. => panic!("Invalid 'commit' instruction opcode"),
         }
     }
+
+    // Returns `true` if the variant commits over raw bits.
+    pub const fn is_raw(variant: u8) -> bool {
+        matches!(variant, 6..=11)
+    }
 }
 
 /// Returns 'true' if the destination type is valid.
@@ -129,16 +161,21 @@ impl<N: Network, const VARIANT: u8> CommitInstruction<N, VARIANT> {
 macro_rules! do_commit {
     ($N: ident, $variant: expr, $destination_type: expr, $input: expr, $randomizer: expr, $ty: ty, $q: expr) => {{
         let func = match $variant {
-            0 => $N::commit_to_group_bhp256,
-            1 => $N::commit_to_group_bhp512,
-            2 => $N::commit_to_group_bhp768,
-            3 => $N::commit_to_group_bhp1024,
-            4 => $N::commit_to_group_ped64,
-            5 => $N::commit_to_group_ped128,
-            6.. => bail!("Invalid 'commit' variant: {}", $variant),
+            0 | 6 => $N::commit_to_group_bhp256,
+            1 | 7 => $N::commit_to_group_bhp512,
+            2 | 8 => $N::commit_to_group_bhp768,
+            3 | 9 => $N::commit_to_group_bhp1024,
+            4 | 10 => $N::commit_to_group_ped64,
+            5 | 11 => $N::commit_to_group_ped128,
+            12.. => bail!("Invalid 'commit' variant: {}", $variant),
         };
 
-        let literal_output: $ty = $q(func(&$input.to_bits_le(), $randomizer))?.into();
+        let bits = match CommitVariant::is_raw($variant) {
+            true => $input.to_bits_raw_le(),
+            false => $input.to_bits_le(),
+        };
+
+        let literal_output: $ty = $q(func(&bits, $randomizer))?.into();
         literal_output.cast_lossy($destination_type)?
     }};
 }
@@ -196,7 +233,7 @@ impl<N: Network, const VARIANT: u8> CommitInstruction<N, VARIANT> {
         stack: &impl StackTrait<N>,
         registers: &mut impl RegistersCircuit<N, A>,
     ) -> Result<()> {
-        use circuit::traits::ToBits;
+        use circuit::traits::{ToBits, ToBitsRaw};
 
         // Ensure the number of operands is correct.
         if self.operands.len() != 2 {
@@ -251,8 +288,8 @@ impl<N: Network, const VARIANT: u8> CommitInstruction<N, VARIANT> {
         // TODO (howardwu): If the operation is Pedersen, check that it is within the number of bits.
 
         match VARIANT {
-            0..=5 => Ok(vec![RegisterType::Plaintext(PlaintextType::Literal(self.destination_type))]),
-            6.. => bail!("Invalid 'commit' variant: {VARIANT}"),
+            0..=11 => Ok(vec![RegisterType::Plaintext(PlaintextType::Literal(self.destination_type))]),
+            12.. => bail!("Invalid 'commit' variant: {VARIANT}"),
         }
     }
 }
@@ -397,4 +434,46 @@ mod tests {
             assert_eq!(commit.destination_type, *destination_type, "The destination type is incorrect");
         }
     }
+
+    #[test]
+    fn test_parse_raw() {
+        for destination_type in valid_destination_types() {
+            let instruction = format!("commit.bhp256.raw r0 r1 into r2 as {destination_type}");
+            let (string, commit) = CommitBHP256Raw::<CurrentNetwork>::parse(&instruction).unwrap();
+            assert!(string.is_empty(), "Parser did not consume all of the string: '{string}'");
+            assert_eq!(commit.operands.len(), 2, "The number of operands is incorrect");
+            assert_eq!(commit.operands[0], Operand::Register(Register::Locator(0)), "The first operand is incorrect");
+            assert_eq!(commit.operands[1], Operand::Register(Register::Locator(1)), "The second operand is incorrect");
+            assert_eq!(commit.destination, Register::Locator(2), "The destination register is incorrect");
+            assert_eq!(commit.destination_type, *destination_type, "The destination type is incorrect");
+        }
+    }
+
+    #[test]
+    fn test_raw_differs_from_standard() {
+        use console::{
+            program::{Literal, Plaintext, Value},
+            types::{Field, Scalar},
+        };
+
+        type N = CurrentNetwork;
+
+        // Use a non-trivial field literal (not zero) so the bits actually differ between
+        // to_bits_le (type-tagged) and to_bits_raw_le (untagged).
+        let input_field = Field::<N>::one();
+        let randomizer = Scalar::<N>::one();
+        let value = Value::Plaintext(Plaintext::from(Literal::Field(input_field)));
+
+        let standard = evaluate_commit(CommitVariant::CommitBHP256, &value, &randomizer, LiteralType::Field).unwrap();
+        let raw = evaluate_commit(CommitVariant::CommitBHP256Raw, &value, &randomizer, LiteralType::Field).unwrap();
+
+        assert_ne!(
+            standard, raw,
+            "commit.bhp256 and commit.bhp256.raw must produce different outputs for the same input"
+        );
+
+        // Check that committing on the field element is equivalent to the raw commit via the instruction.
+        let expected_commitment = N::commit_bhp256(&input_field.to_bits_le(), &randomizer).unwrap();
+        assert_eq!(Literal::Field(expected_commitment), raw);
+    }
 }