MPT initial

[miha-stopar]

MPT (from mpt2 branch) reduced to only have two chips (to simplify the reviewing process):

• branch hash in parent (checking hash of the branch is at the proper position in the parent branch)
• branch RLC (checking the branch RLC is computed properly - used for a keccak lookup for the first point)

Tests are included also.

[adria0]

@miha-stopar WoW!! 🌟

Since this is a really huge PR would you like to provide some kind of document to help and guide the reviewers?

[miha-stopar]

@miha-stopar WoW!! 🌟

Since this is a really huge PR would you like to provide some kind of document to help and guide the reviewers?

Oh no, that's the small one :). The purpose of this PR is to make mpt circuit easier to review. We reduced yesterday with @ChihChengLiang the original PR to only have two simple chips, so that the review process can start. But it will be reduced further and I agree - I will add more comments to the code to explain the internals. Otherwise, some initial docs are here.

[adria0]

Oh no, that's the small one :)

LoL ;-)

[ChihChengLiang]

I think it'll improve more after another Clippy round and a coding style review. Then it would be easier to do a review on the content part.

[ChihChengLiang]

Some quick comments

[smtmfft]

Should it be c_advices??

[miha-stopar]

s_advices is ok. s_advices and c_advices in branch children rows are used for children hashes (that's why 32 columns). However, there is a special row before branch children rows, named branch_init. This row contains some RLP specific data, but also some other information, for example which of the children is being changed (going from s to c) and whether the branch is a regular branch or extension node. This last is used in the code above. All this additional info is stored in s_advices simply because there is enough space there and it is something that is the same for s and c.

[smtmfft]

Got it. Thanks!

[adria0]

use helpers::get_bool_constraint here?

[adria0]

Missing documentation for these constants

[miha-stopar]

Added in 9c0c058.

[adria0]

Undocumented constants

[adria0]

@miha-stopar, added a bunch of comments for the initial review :)

[adria0]

I think that these constants should be hidden and kept defined or enumerated.

As an excercise I tryed to create a new struct called MptWitness and I think that makes code easier to read

#[derive(Eq, PartialEq, IntoPrimitive, TryFromPrimitive)]
#[repr(u8)]
pub enum MptWitnessRowType {
    InitBranch = 0,
    BranchChild = 1,
    StorageLeafSKey = 2,
    StorageLeafCKey = 3,
    HashToBeComputed = 5,
    AccountLeafKeyS = 6,
    AccountLeafKeyC = 4,
    AccountLeafNonceBalanceS = 7,
    AccountLeafNonceBalanceC = 8,
    AccountLeafRootCodehashS = 9,
    AccountLeafNeighbouringLeaf = 10,
    AccountLeafRootCodehashC = 11,
    StorageLeafSValue = 13,
    StorateLeafCValue = 14,
    NeighbouringStorageLeaf = 15, 
    ExtensionNodeS = 16,
    ExtensionNodeC = 17,
    NonExistingProof = 18
}

pub struct MptWitnessRow(pub Vec<u8>);
impl MptWitnessRow {
    pub fn get_type(&self) -> MptWitnessRowType {
        MptWitnessRowType::try_from(self.row(1)).unwrap()
    }
    fn row(&self, rev_index: usize) -> u8 {
        self.0[self.0.len() - rev_index]
    }
    pub fn not_first_level(&self) -> u8 {
        self.row(NOT_FIRST_LEVEL_POS)
    }

    pub fn is_storage_mod(&self) -> u8 {
        self.row(IS_STORAGE_MOD_POS)
    }
    ...
    pub fn s_root_bytes(&self) -> &[u8] { 
                            &self.0[self.0.len()
                                - 4 * HASH_WIDTH
                                - COUNTER_MptWitness_LEN
                                - IS_NON_EXISTING_ACCOUNT_POS
                                .. self.0.len() - 4 * HASH_WIDTH
                                    - COUNTER_MptWitness_LEN
                                    - IS_NON_EXISTING_ACCOUNT_POS
                                    + HASH_WIDTH]
    }
}

impl Index<usize> for MptWitnessRow {
    type Output = u8;
    fn index<'a>(&'a self, i: usize) -> &'a u8 {
        &self.0[i]
    }
}

pub struct MptWitness(pub Vec<MptWitnessRow>);
impl MptWitness {
    pub fn from(raw : &[Vec<u8>]) -> Self {
        let rows = raw.iter().map(|row| MptWitnessRow(row.clone())).collect();
        MptWitness(rows)
    }
}

impl Index<usize> for MptWitness {
    type Output = MptWitnessRow;
    fn index<'a>(&'a self, i: usize) -> &'a MptWitnessRow {
        &self.0[i]
    }
}

[miha-stopar]

Nice!! Implemented in the main PR.

[adria0]

we check here that offset > 0 , but, since the operation to be done is clearing pv, and in offset==0 is already cleared, this condition seems irrelevant

[miha-stopar]

It's needed because there is no previous row when offset = 0.

[adria0]

previously you filter the rows with witness.iter().filter(|r| r[r.len() - 1] != 5).enumerate() , so this condition it will be always true?

[miha-stopar]

Agree, removed. 👍

[adria0]

I think that all those row[BRANCH_0_S_start + x] can be removed if your create some variables over them like

let s_len = [0, 1, 2].map(|i| row[BRANCH_0_S_START + i] as u64);, then you can use s_len[0], s_len[1], s_len[2]

[miha-stopar]

Agree, added in db1a700

[adria0]

IMO is better to put all the specific code that relates to branch_init here, it's easy to pass here a pv: &mut ProofVariables

[miha-stopar]

Agree :), I planned to refactor this when adding branch assignment in branch related files, but this the refactor you proposed now already in bd867f5

[adria0]

Suggested change

	self.load_keccak_table(_layouter, to_be_hashed).ok();
	self.load_fixed_table(_layouter).ok();
	self.load_keccak_table(_layouter, to_be_hashed)?;
	self.load_fixed_table(_layouter)?;

[adria0]

Config or Chip? IMO makes more sense if is Chip

[miha-stopar]

I think it suffices to have Config. Or do you think it's better to have Chips?

[adria0]

I see that branch_rlc_init works for S and C, but branch_rlc only works for one (S or C). Why this? I think that is going to be more clear to have a unique branch_rlc ( that are instantiated twice, one for S and other for C) that also includes init branch row.

[adria0]

this is called acc_s in branch_rlc_init.rs, what about renaming it to acc? (or renaming it in branch_rlc_init.rs to branch_acc_s ?)

[adria0]

Why not to encode the C RLP length in the "C" section of the circuit (the second half of rows)?

[miha-stopar]

All such information is stored in the S part in the branch init row (also for example whether the branch S or branch C are placeholders ...). Agree, it might be better to store C related info into C part, but then there is also information like drifted_pos which applies to both parts, so there would be some asymmetry in storing these fields in any case. But might be changed later, it should be easy.

[miha-stopar]

@miha-stopar, added a bunch of comments for the initial review :)

Thanks @adria0 ! I realised it's better to apply the modifications you propose in the original PR (otherwise the two PRs will go too far apart), will see later whether to proceed with this PR or not. I will do these changes in parallel with improving the specs - there will be quite some new structs introduced and I would like to properly document them in the specs.

[miha-stopar]

Closed in favour of #398.