-
Notifications
You must be signed in to change notification settings - Fork 809
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement LT & GT opcode #66
Implement LT & GT opcode #66
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work! I only have one consideration - we would need to have carry * (1 - carry) constraint too, right?
@miha-stopar Thanks. I think it is not necessary to check if |
@gaswhat My consideration is that one could set carry so big that rhs wraps around the field modulus so that rhs = lhs + field modulus, which would make the check below to pass. Wouldn't be that possible? rhs = rhs + carry.expr() * exponent; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work. I added some documentation suggestions and nitpicks.
// - a < b, a + c = b, result = 1, is_zero(sumc) = 0 | ||
// - a = b, a + c = b, result = 0, is_zero(sumc) = 1 | ||
// - a > b, a + c = b + 2^256, result = 0, is_zero(sumc) = 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick: Using minus sign for bullet points could be confusing sometimes.
// - a < b, a + c = b, result = 1, is_zero(sumc) = 0 | |
// - a = b, a + c = b, result = 0, is_zero(sumc) = 1 | |
// - a > b, a + c = b + 2^256, result = 0, is_zero(sumc) = 0 | |
// a < b, a + c = b, result = 1, is_zero(sumc) = 0 | |
// a = b, a + c = b, result = 0, is_zero(sumc) = 1 | |
// a > b, a + c = b + 2^256, result = 0, is_zero(sumc) = 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree with @miha-stopar that we should constrain the carry
.
It is hard to find a falsifying example, but we couldn't see a way to justify that carry
is binary.
At least for this particular check, it's easy to pass carry=(256^16)^(-1)
that still satisfies the equation.
// a[15..0] + c[15..0] = carry * 256^16 + b[15..0]
Regarding the carry - I think it might be possible to set a > b and result = 1 (result 1 means a < b) following the next steps:
It's difficult to find carry such that: carry * 256^16 < 256^16, but it might be possible and for this reason I think we should add a constraint for a carry to be 0 or 1. |
@ChihChengLiang @miha-stopar Thanks for the thoughts on the carry check. I agree with that we should add a constraint for carry. And I've added it the new commits. Please take a look again. Thank you for your reviews. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank @gaswhat for the update. The commented issues are all addressed. Waiting for a final look from @miha-stopar.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great to me!
The design of LT & GT can refer to this doc.
This PR is ready for review. @han0110 @ChihChengLiang @miha-stopar