Skip to content

Comments

Optimizations: ROM Fusion, Spread Multiset Fusion & Constant Spread Path#297

Open
rose2221 wants to merge 3 commits intomainfrom
rs/sha_micro_ops
Open

Optimizations: ROM Fusion, Spread Multiset Fusion & Constant Spread Path#297
rose2221 wants to merge 3 commits intomainfrom
rs/sha_micro_ops

Conversation

@rose2221
Copy link
Collaborator

ROM Table Constraint Fusion (rom.rs)

Added add_indexed_table_entry_quotient() replacing the old
add_indexed_lookup_factor() + add_product() pattern.

Before:

  • 3 constraints per table entry
    (denominator definition + denom × inverse = 1 + mult × inverse = quotient)

After:

  • 2 constraints per table entry
    (denominator definition + fused denom × quotient = mult)

The inverse witness is still created for batch inversion but is no longer separately constrained.
Soundness holds since denom × quotient = mult uniquely implies quotient = mult / denom in the field.


Spread Table Multiset Fusion (spread.rs)

Replaced two add_sum() calls + grand sum equality with a single fused A-vector constraint (same pattern as add_range_check_via_lookup()).

Before:

  • 2 sum witnesses
  • 3 constraints (query sum + table sum + equality)

After:

  • 0 extra witnesses
  • 1 constraint
    ((Σ table_quotients − Σ query_inverses) × 1 = 0)

Savings: 2 witnesses + 2 constraints per spread table instance.

Updated cost model:
2 × 2^w + 4 → 2 × 2^w + 2


decompose_constant_to_spread_word — Constant-Path Spread Decomposition

Previously, spread decomposition panicked for constant witnesses.
Now constants (e.g. SHA256 IV H[0]..H[7]) are handled via a dedicated compile-time path:

  • Chunk values + spreads precomputed at compile time
  • Each spread witness pinned via an R1CS equality constraint
  • No spread table lookups required

Saves ~3 spread table lookups per constant
(no multiplicity / inverse / quotient witnesses)

Soundness

  • Compile-time assert verifies decomposition round-trip
  • R1CS constraint pins packed_witness = constant_value inside the function, preventing under-constrained usage

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant