fix keccak precompile e2e (#1036)

build on top of #1034 & #1035 & #1038

This PR fix keccak precompile e2e error, some previous left over.

- [x] rom check error => fixed ecall instrunction specs
- [x] logup sum error => The logup sum != 0 error, see
https://github.com/scroll-tech/ceno/pull/1036/files#r2301146794. Need to
fix ceno-recursion verifier as well
- [x] prod_r != prod_w => remove X11 read, which cause ts to bump and
mismatch with circuit definition.
https://github.com/scroll-tech/ceno/pull/1036/files#r2301152148

Author: hero78119

.github/workflows/integration.yml

@@ -65,6 +65,10 @@ jobs:
           RUSTFLAGS: "-C opt-level=3"
         run: cargo run --release --package ceno_zkvm --no-default-features --features goldilocks --bin e2e -- --field=goldilocks --platform=ceno --hints=10 --public-io=4191 examples/target/riscv32im-ceno-zkvm-elf/release/examples/fibonacci
 
+      - name: Run keccak_syscall (release)
+        env:
+          RUSTFLAGS: "-C opt-level=3"
+        run: cargo run --release --package ceno_zkvm --bin e2e -- --platform=ceno examples/target/riscv32im-ceno-zkvm-elf/release/examples/keccak_syscall
 
       - name: Install cargo make
         run: |

ceno_emul/src/syscalls/keccak_permute.rs

@@ -13,7 +13,7 @@ pub struct KeccakSpec;
 impl SyscallSpec for KeccakSpec {
     const NAME: &'static str = "KECCAK";
 
-    const REG_OPS_COUNT: usize = 2;
+    const REG_OPS_COUNT: usize = 1;
     const MEM_OPS_COUNT: usize = KECCAK_WORDS;
     const CODE: u32 = ceno_rt::syscalls::KECCAK_PERMUTE;
     const HAS_LOOKUPS: bool = true;
@@ -55,22 +55,12 @@ impl From<KeccakState> for [Word; KECCAK_WORDS] {
 pub fn keccak_permute(vm: &VMState) -> SyscallEffects {
     let state_ptr = vm.peek_register(Platform::reg_arg0());
 
-    // for compatibility with sp1 spec
-    assert_eq!(vm.peek_register(Platform::reg_arg1()), 0);
-
     // Read the argument `state_ptr`.
-    let reg_ops = vec![
-        WriteOp::new_register_op(
-            Platform::reg_arg0(),
-            Change::new(state_ptr, state_ptr),
-            0, // Cycle set later in finalize().
-        ),
-        WriteOp::new_register_op(
-            Platform::reg_arg1(),
-            Change::new(0, 0),
-            0, // Cycle set later in finalize().
-        ),
-    ];
+    let reg_ops = vec![WriteOp::new_register_op(
+        Platform::reg_arg0(),
+        Change::new(state_ptr, state_ptr),
+        0, // Cycle set later in finalize().
+    )];
 
     let mut state_view = MemoryView::<KECCAK_WORDS>::new(vm, state_ptr);
     let mut state = KeccakState::from(state_view.words());

ceno_emul/src/syscalls/secp256k1.rs

@@ -139,22 +139,12 @@ pub fn secp256k1_add(vm: &VMState) -> SyscallEffects {
 pub fn secp256k1_double(vm: &VMState) -> SyscallEffects {
     let p_ptr = vm.peek_register(Platform::reg_arg0());
 
-    // for compatibility with sp1 spec
-    assert_eq!(vm.peek_register(Platform::reg_arg1()), 0);
-
     // Read the argument pointers
-    let reg_ops = vec![
-        WriteOp::new_register_op(
-            Platform::reg_arg0(),
-            Change::new(p_ptr, p_ptr),
-            0, // Cycle set later in finalize().
-        ),
-        WriteOp::new_register_op(
-            Platform::reg_arg1(),
-            Change::new(0, 0),
-            0, // Cycle set later in finalize().
-        ),
-    ];
+    let reg_ops = vec![WriteOp::new_register_op(
+        Platform::reg_arg0(),
+        Change::new(p_ptr, p_ptr),
+        0, // Cycle set later in finalize().
+    )];
 
     // P's memory segment
     let mut p_view = MemoryView::<SECP256K1_ARG_WORDS>::new(vm, p_ptr);

ceno_emul/src/syscalls/sha256.rs

@@ -45,22 +45,12 @@ pub fn sha_extend(w: &mut [u32]) {
 pub fn extend(vm: &VMState) -> SyscallEffects {
     let state_ptr = vm.peek_register(Platform::reg_arg0());
 
-    // for compatibility with sp1 spec
-    assert_eq!(vm.peek_register(Platform::reg_arg1()), 0);
-
     // Read the argument `state_ptr`.
-    let reg_ops = vec![
-        WriteOp::new_register_op(
-            Platform::reg_arg0(),
-            Change::new(state_ptr, state_ptr),
-            0, // Cycle set later in finalize().
-        ),
-        WriteOp::new_register_op(
-            Platform::reg_arg1(),
-            Change::new(0, 0),
-            0, // Cycle set later in finalize().
-        ),
-    ];
+    let reg_ops = vec![WriteOp::new_register_op(
+        Platform::reg_arg0(),
+        Change::new(state_ptr, state_ptr),
+        0, // Cycle set later in finalize().
+    )];
 
     let mut state_view = MemoryView::<SHA_EXTEND_WORDS>::new(vm, state_ptr);
     let mut sha_extend_words = ShaExtendWords::from(state_view.words());

ceno_host/tests/test_elf.rs

@@ -256,9 +256,8 @@ fn test_keccak_syscall() -> Result<()> {
 
     // Check the syscall effects.
     for (witness, expect) in izip!(syscalls, keccak_first_iter_outs) {
-        assert_eq!(witness.reg_ops.len(), 2);
+        assert_eq!(witness.reg_ops.len(), 1);
         assert_eq!(witness.reg_ops[0].register_index(), Platform::reg_arg0());
-        assert_eq!(witness.reg_ops[1].register_index(), Platform::reg_arg1());
 
         assert_eq!(witness.mem_ops.len(), expect.len() * 2);
         let got = witness
@@ -353,7 +352,7 @@ fn test_secp256k1_double() -> Result<()> {
     assert_eq!(syscalls.len(), 1);
 
     let witness = syscalls[0];
-    assert_eq!(witness.reg_ops.len(), 2);
+    assert_eq!(witness.reg_ops.len(), 1);
     assert_eq!(witness.reg_ops[0].register_index(), Platform::reg_arg0());
 
     let p_address = witness.reg_ops[0].value.after;
@@ -444,9 +443,8 @@ fn test_sha256_extend() -> Result<()> {
     assert_eq!(syscalls.len(), 1);
 
     let witness = syscalls[0];
-    assert_eq!(witness.reg_ops.len(), 2);
+    assert_eq!(witness.reg_ops.len(), 1);
     assert_eq!(witness.reg_ops[0].register_index(), Platform::reg_arg0());
-    assert_eq!(witness.reg_ops[1].register_index(), Platform::reg_arg1());
 
     let state_ptr = witness.reg_ops[0].value.after;
     assert_eq!(state_ptr, witness.reg_ops[0].value.before);

ceno_rt/src/syscalls.rs

@@ -28,7 +28,6 @@ pub fn syscall_keccak_permute(state: &mut [u64; 25]) {
             "ecall",
             in("t0") KECCAK_PERMUTE,
             in("a0") state as *mut [u64; 25],
-            in("a1") 0
         );
     }
     #[cfg(not(target_os = "zkvm"))]

ceno_zkvm/benches/keccak.rs

@@ -7,11 +7,12 @@ use ceno_zkvm::{
     e2e::{Checkpoint, Preset, run_e2e_with_checkpoint, setup_platform},
 };
 mod alloc;
+use ceno_zkvm::scheme::verifier::ZKVMVerifier;
 use criterion::*;
-
 use ff_ext::BabyBearExt4;
 use gkr_iop::cpu::{CpuBackend, CpuProver};
 use mpcs::BasefoldDefault;
+use transcript::BasicTranscript;
 
 criterion_group! {
   name = keccak_prove_group;
@@ -44,29 +45,28 @@ fn keccak_prove(c: &mut Criterion) {
     let _ = hints.write(&vec![1, 2, 3]);
     let max_steps = usize::MAX;
     // estimate proof size data first
-    // let result = run_e2e_with_checkpoint::<E, Pcs>(
-    //     program.clone(),
-    //     platform.clone(),
-    //     &Vec::from(&hints),
-    //     &[],
-    //     max_steps,
-    //     MAX_NUM_VARIABLES,
-    //     SecurityLevel::default(),
-    //     Checkpoint::Complete,
-    // );
-    // let proof = result.proof.expect("PrepSanityCheck do not provide proof");
-    // let vk = result.vk.expect("PrepSanityCheck do not provide verifier");
+    let result = run_e2e_with_checkpoint::<E, Pcs, _, _>(
+        CpuProver::new(backend.clone()),
+        program.clone(),
+        platform.clone(),
+        &Vec::from(&hints),
+        &[],
+        max_steps,
+        Checkpoint::Complete,
+    );
+    let proof = result.proof.expect("PrepSanityCheck do not provide proof");
+    let vk = result.vk.expect("PrepSanityCheck do not provide verifier");
 
-    // println!("e2e proof {}", proof);
-    // let transcript = BasicTranscript::new(b"riscv");
-    // let verifier = ZKVMVerifier::<E, Pcs>::new(vk);
-    // assert!(
-    //     verifier
-    //         .verify_proof_halt(proof, transcript, false)
-    //         .expect("verify proof return with error"),
-    // );
-    // println!();
-    // println!("max_steps = {}", max_steps);
+    println!("e2e proof {}", proof);
+    let transcript = BasicTranscript::new(b"riscv");
+    let verifier = ZKVMVerifier::<E, Pcs>::new(vk);
+    assert!(
+        verifier
+            .verify_proof_halt(proof, transcript, true)
+            .expect("verify proof return with error"),
+    );
+    println!();
+    println!("max_steps = {}", max_steps);
 
     // expand more input size once runtime is acceptable
     let mut group = c.benchmark_group(format!("keccak_max_steps_{}", max_steps));

ceno_zkvm/src/instructions.rs

@@ -62,20 +62,23 @@ pub trait Instruction<E: ExtensionField> {
         let (out_evals, mut chip) = (
             [
                 // r_record
-                (selector_type.clone(), (0..r_len).collect_vec()),
+                (0..r_len).collect_vec(),
                 // w_record
-                (selector_type.clone(), (r_len..r_len + w_len).collect_vec()),
+                (r_len..r_len + w_len).collect_vec(),
                 // lk_record
-                (
-                    selector_type.clone(),
-                    (r_len + w_len..r_len + w_len + lk_len).collect_vec(),
-                ),
+                (r_len + w_len..r_len + w_len + lk_len).collect_vec(),
                 // zero_record
-                (selector_type, (0..zero_len).collect_vec()),
+                (0..zero_len).collect_vec(),
             ],
             Chip::new_from_cb(cb, 0),
         );
 
+        // register selector to legacy constrain system
+        cb.cs.r_selector = Some(selector_type.clone());
+        cb.cs.w_selector = Some(selector_type.clone());
+        cb.cs.lk_selector = Some(selector_type.clone());
+        cb.cs.zero_selector = Some(selector_type.clone());
+
         let layer = Layer::from_circuit_builder(cb, "Rounds".to_string(), 0, out_evals);
         chip.add_layer(layer);