16-bit table chip for SHA-256

This chip implementation is based around a single 16-bit lookup table. It requires a minimum of $2^{16}$ circuit rows, and is therefore suitable for use in larger circuits.

We target a maximum constraint degree of $9$. That will allow us to handle constraining carries and "small pieces" to a range of up to $\{\mathrm{0..7}\}$ in one row.

Compression round

There are $64$ compression rounds. Each round takes 32-bit values $A,B,C,D,E,F,G,H$ as input, and performs the following operations:

$$\begin{array}{rcl}Ch(E,F,G)& =& (E\wedge F)\oplus (\neg E\wedge G)\\ Maj(A,B,C)& =& (A\wedge B)\oplus (A\wedge C)\oplus (B\wedge C)\\ & =& count(A,B,C)\ge 2\\ {\Sigma }_0(A)& =& (A⋙2)\oplus (A⋙13)\oplus (A⋙22)\\ {\Sigma }_1(E)& =& (E⋙6)\oplus (E⋙11)\oplus (E⋙25)\\ H^{\prime }& =& H+Ch(E,F,G)+{\Sigma }_1(E)+K_t+W_t\\ E_{new}& =& reduc{e}_6(H^{\prime }+D)\\ A_{new}& =& reduc{e}_7(H^{\prime }+Maj(A,B,C)+{\Sigma }_0(A))\end{array}$$

where $reduc{e}_i$ must handle a carry $0\le carry<i$.

Define $\mathtt{spread}$ as a table mapping a $16$-bit input to an output interleaved with zero bits. We do not require a separate table for range checks because $\mathtt{spread}$ can be used.

Modular addition

To implement addition modulo $2^{32}$, we note that this is equivalent to adding the operands using field addition, and then masking away all but the lowest 32 bits of the result. For example, if we have two operands $a$ and $b$:

$$a⊞b=c,$$

we decompose each operand (along with the result) into 16-bit chunks:

$$(a_L:{\mathbb{Z}}_{2^{16}},a_H:{\mathbb{Z}}_{2^{16}})⊞(b_L:{\mathbb{Z}}_{2^{16}},b_H:{\mathbb{Z}}_{2^{16}})=(c_L:{\mathbb{Z}}_{2^{16}},c_H:{\mathbb{Z}}_{2^{16}}),$$

and then reformulate the constraint using field addition:

$$\mathsf{carry}\cdot 2^{32}+c_H\cdot 2^{16}+c_L=(a_H+b_H)\cdot 2^{16}+a_L+b_L.$$

More generally, any bit-decomposition of the output can be used, not just a decomposition into 16-bit chunks. Note that this correctly handles the carry from $a_L+b_L$.

This constraint requires that each chunk is correctly range-checked (or else an assignment could overflow the field).

• The operand and result chunks can be constrained using $\mathtt{spread}$, by looking up each chunk in the "dense" column within a subset of the table. This way we additionally get the "spread" form of the output for free; in particular this is true for the output of the bottom-right $⊞$ which becomes $A_{new}$, and the output of the leftmost $⊞$ which becomes $E_{new}$. We will use this below to optimize $Maj$ and $Ch$.

• $\mathsf{carry}$ must be constrained to the precise range of allowed carry values for the number of operands. We do this with a small range constraint.

Maj function

$Maj$ can be done in $4$ lookups: $2\mathtt{spread}\ast 2$ chunks

• As mentioned above, after the first round we already have $A$ in spread form $A^{\prime }$. Similarly, $B$ and $C$ are equal to the $A$ and $B$ respectively of the previous round, and therefore in the steady state we already have them in spread form $B^{\prime }$ and $C^{\prime }$. In fact we can also assume we have them in spread form in the first round, either from the fixed IV or from the use of $\mathtt{spread}$ to reduce the output of the feedforward in the previous block.
• Add the spread forms in the field: $M^{\prime }=A^{\prime }+B^{\prime }+C^{\prime }$;
  • We can add them as $32$-bit words or in pieces; it's equivalent
• Witness the compressed even bits $M_i^{even}$ and the compressed odd bits $M_i^{odd}$ for $i=\{\mathrm{0..1}\}$;
• Constrain $M^{\prime }=\mathtt{spread}(M_0^{even})+2\cdot \mathtt{spread}(M_0^{odd})+2^{32}\cdot \mathtt{spread}(M_1^{even})+2^{33}\cdot \mathtt{spread}(M_1^{odd})$, where $M_i^{odd}$ is the $Maj$ function output.

Note: by "even" bits we mean the bits of weight an even-power of $2$, i.e. of weight $2^0,2^2,\dots$. Similarly by "odd" bits we mean the bits of weight an odd-power of $2$.

Ch function

TODO: can probably be optimized to $4$ or $5$ lookups using an additional table.

$Ch$ can be done in $8$ lookups: $4\mathtt{spread}\ast 2$ chunks

• As mentioned above, after the first round we already have $E$ in spread form $E^{\prime }$. Similarly, $F$ and $G$ are equal to the $E$ and $F$ respectively of the previous round, and therefore in the steady state we already have them in spread form $F^{\prime }$ and $G^{\prime }$. In fact we can also assume we have them in spread form in the first round, either from the fixed IV or from the use of $\mathtt{spread}$ to reduce the output of the feedforward in the previous block.
• Calculate $P^{\prime }=E^{\prime }+F^{\prime }$ and $Q^{\prime }=(evens-E^{\prime })+G^{\prime }$, where $evens=\mathtt{spread}(2^{32}-1)$.
  • We can add them as $32$-bit words or in pieces; it's equivalent.
  • $evens-E^{\prime }$ works to compute the spread of $\neg E$ even though negation and $\mathtt{spread}$ do not commute in general. It works because each spread bit in $E^{\prime }$ is subtracted from $1$, so there are no borrows.
• Witness $P_i^{even},P_i^{odd},Q_i^{even},Q_i^{odd}$ such that $P^{\prime }=\mathtt{spread}(P_0^{even})+2\cdot \mathtt{spread}(P_0^{odd})+2^{32}\cdot \mathtt{spread}(P_1^{even})+2^{33}\cdot \mathtt{spread}(P_1^{odd})$, and similarly for $Q^{\prime }$.
• $\{P_i^{odd}+Q_i^{odd}{\}}_{i=\mathrm{0..1}}$ is the $Ch$ function output.

Σ_0 function

${\Sigma }_0(A)$ can be done in $6$ lookups.

To achieve this we first split $A$ into pieces $(a,b,c,d)$, of lengths $(2,11,9,10)$ bits respectively counting from the little end. At the same time we obtain the spread forms of these pieces. This can all be done in two PLONK rows, because the $10$ and $11$-bit pieces can be handled using $\mathtt{spread}$ lookups, and the $9$-bit piece can be split into $3\ast 3$-bit subpieces. The latter and the remaining $2$-bit piece can be range-checked by polynomial constraints in parallel with the two lookups, two small pieces in each row. The spread forms of these small pieces are found by interpolation.

Note that the splitting into pieces can be combined with the reduction of $A_{new}$, i.e. no extra lookups are needed for the latter. In the last round we reduce $A_{new}$ after adding the feedforward (requiring a carry of up to $7$ which is fine).

$(A⋙2)\oplus (A⋙13)\oplus (A⋙22)$ is equivalent to $(A⋙2)\oplus (A⋙13)\oplus (A⋘10)$:

Then, using $4$ more $\mathtt{spread}$ lookups we obtain the result as the even bits of a linear combination of the pieces:

$$\begin{array}{rcccccccl}& (a& ||& d& ||& c& ||& b)& \oplus \\ & (b& ||& a& ||& d& ||& c)& \oplus \\ & (c& ||& b& ||& a& ||& d)& \\ & & & & \Downarrow & & & & \\ R^{\prime }=& 4^{30}a& +& 4^{20}d& +& 4^{11}c& +& b& +\\ & 4^{21}b& +& 4^{19}a& +& 4^{9}d& +& c& +\\ & 4^{23}c& +& 4^{12}b& +& 4^{10}a& +& d& \end{array}$$

That is, we witness the compressed even bits $R_i^{even}$ and the compressed odd bits $R_i^{odd}$, and constrain $$R^{\prime }=\mathtt{spread}(R_0^{even})+2\cdot \mathtt{spread}(R_0^{odd})+2^{32}\cdot \mathtt{spread}(R_1^{even})+2^{33}\cdot \mathtt{spread}(R_1^{odd})$$ where $\{R_i^{even}{\}}_{i=\mathrm{0..1}}$ is the ${\Sigma }_0$ function output.

Σ_1 function

${\Sigma }_1(E)$ can be done in $6$ lookups.

To achieve this we first split $E$ into pieces $(a,b,c,d)$, of lengths $(6,5,14,7)$ bits respectively counting from the little end. At the same time we obtain the spread forms of these pieces. This can all be done in two PLONK rows, because the $7$ and $14$-bit pieces can be handled using $\mathtt{spread}$ lookups, the $5$-bit piece can be split into $3$ and $2$-bit subpieces, and the $6$-bit piece can be split into $2\ast 3$-bit subpieces. The four small pieces can be range-checked by polynomial constraints in parallel with the two lookups, two small pieces in each row. The spread forms of these small pieces are found by interpolation.

Note that the splitting into pieces can be combined with the reduction of $E_{new}$, i.e. no extra lookups are needed for the latter. In the last round we reduce $E_{new}$ after adding the feedforward (requiring a carry of up to $6$ which is fine).

$(E⋙6)\oplus (E⋙11)\oplus (E⋙25)$ is equivalent to $(E⋙6)\oplus (E⋙11)\oplus (E⋘7)$.

Then, using $4$ more $\mathtt{spread}$ lookups we obtain the result as the even bits of a linear combination of the pieces, in the same way we did for ${\Sigma }_0$:

$$\begin{array}{rcccccccl}& (a& ||& d& ||& c& ||& b)& \oplus \\ & (b& ||& a& ||& d& ||& c)& \oplus \\ & (c& ||& b& ||& a& ||& d)& \\ & & & & \Downarrow & & & & \\ R^{\prime }=& 4^{26}a& +& 4^{19}d& +& 4^{5}c& +& b& +\\ & 4^{27}b& +& 4^{21}a& +& 4^{14}d& +& c& +\\ & 4^{18}c& +& 4^{13}b& +& 4^{7}a& +& d& \end{array}$$

That is, we witness the compressed even bits $R_i^{even}$ and the compressed odd bits $R_i^{odd}$, and constrain $$R^{\prime }=\mathtt{spread}(R_0^{even})+2\cdot \mathtt{spread}(R_0^{odd})+2^{32}\cdot \mathtt{spread}(R_1^{even})+2^{33}\cdot \mathtt{spread}(R_1^{odd})$$ where $\{R_i^{even}{\}}_{i=\mathrm{0..1}}$ is the ${\Sigma }_1$ function output.

Block decomposition

For each block $M\in \{0,1{\}}^{512}$ of the padded message, $64$ words of $32$ bits each are constructed as follows:

• The first $16$ are obtained by splitting $M$ into $32$-bit blocks $$M=W_0||W_1||\cdots ||W_{14}||W_{15};$$
• The remaining $48$ words are constructed using the formula: $$W_i={\sigma }_1(W_{i-2})⊞W_{i-7}⊞{\sigma }_0(W_{i-15})⊞W_{i-16},$$ for $16\le i<64$.

Note: $0$-based numbering is used for the $W$ word indices.

$$\begin{array}{ccc}{\sigma }_0(X)& =& (X⋙7)\oplus (X⋙18)\oplus (X\gg 3)\\ {\sigma }_1(X)& =& (X⋙17)\oplus (X⋙19)\oplus (X\gg 10)\end{array}$$

Note: $\gg$ is a right-shift, not a rotation.

σ_0 function

$(X⋙7)\oplus (X⋙18)\oplus (X\gg 3)$ is equivalent to $(X⋙7)\oplus (X⋘14)\oplus (X\gg 3)$.

As above but with pieces $(a,b,c,d)$ of lengths $(3,4,11,14)$ counting from the little end. Split $b$ into two $2$-bit subpieces.

$$\begin{array}{rcccccccl}& (0^{[3]}& ||& d& ||& c& ||& b)& \oplus \\ & (b& ||& a& ||& d& ||& c)& \oplus \\ & (c& ||& b& ||& a& ||& d)& \\ & & & & \Downarrow & & & & \\ R^{\prime }=& & & 4^{15}d& +& 4^{4}c& +& b& +\\ & 4^{28}b& +& 4^{25}a& +& 4^{11}d& +& c& +\\ & 4^{21}c& +& 4^{17}b& +& 4^{14}a& +& d& \end{array}$$

σ_1 function

$(X⋙17)\oplus (X⋙19)\oplus (X\gg 10)$ is equivalent to $(X⋘15)\oplus (X⋘13)\oplus (X\gg 10)$.

TODO: this diagram doesn't match the expression on the right. This is just for consistency with the other diagrams.

As above but with pieces $(a,b,c,d)$ of lengths $(10,7,2,13)$ counting from the little end. Split $b$ into $(3,2,2)$-bit subpieces.

$$\begin{array}{rcccccccl}& (0^{[10]}& ||& d& ||& c& ||& b)& \oplus \\ & (b& ||& a& ||& d& ||& c)& \oplus \\ & (c& ||& b& ||& a& ||& d)& \\ & & & & \Downarrow & & & & \\ R^{\prime }=& & & 4^{9}d& +& 4^{7}c& +& b& +\\ & 4^{25}b& +& 4^{15}a& +& 4^{2}d& +& c& +\\ & 4^{30}c& +& 4^{23}b& +& 4^{13}a& +& d& \end{array}$$

Message scheduling

We apply ${\sigma }_0$ to $W_{\mathrm{1..48}}$, and ${\sigma }_1$ to $W_{\mathrm{14..61}}$. In order to avoid redundant applications of $\mathtt{spread}$, we can merge the splitting into pieces for ${\sigma }_0$ and ${\sigma }_1$ in the case of $W_{\mathrm{14..48}}$. Merging the piece lengths $(3,4,11,14)$ and $(10,7,2,13)$ gives pieces of lengths $(3,4,3,7,1,1,13)$.

If we can do the merged split in $3$ rows (as opposed to a total of $4$ rows when splitting for ${\sigma }_0$ and ${\sigma }_1$ separately), we save $35$ rows.

These might even be doable in $2$ rows; not sure. —Daira

We can merge the reduction mod $2^{32}$ of $W_{\mathrm{16..61}}$ into their splitting when they are used to compute subsequent words, similarly to what we did for $A$ and $E$ in the round function.

We will still need to reduce $W_{\mathrm{62..63}}$ since they are not split. (Technically we could leave them unreduced since they will be reduced later when they are used to compute $A_{new}$ and $E_{new}$ -- but that would require handling a carry of up to $10$ rather than $6$, so it's not worth the complexity.)

The resulting message schedule cost is:

• $2$ rows to constrain $W_0$ to $32$ bits
  • This is technically optional, but let's do it for robustness, since the rest of the input is constrained for free.
• $13\ast 2$ rows to split $W_{\mathrm{1..13}}$ into $(3,4,11,14)$-bit pieces
• $35\ast 3$ rows to split $W_{\mathrm{14..48}}$ into $(3,4,3,7,1,1,13)$-bit pieces (merged with a reduction for $W_{\mathrm{16..48}}$)
• $13\ast 2$ rows to split $W_{\mathrm{49..61}}$ into $(10,7,2,13)$-bit pieces (merged with a reduction)
• $4\ast 48$ rows to extract the results of ${\sigma }_0$ for $W_{\mathrm{1..48}}$
• $4\ast 48$ rows to extract the results of ${\sigma }_1$ for $W_{\mathrm{14..61}}$
• $2\ast 2$ rows to reduce $W_{\mathrm{62..63}}$
• $=547$ rows.

Overall cost

For each round:

• $8$ rows for $Ch$
• $4$ rows for $Maj$
• $6$ rows for ${\Sigma }_0$
• $6$ rows for ${\Sigma }_1$
• $reduc{e}_6$ and $reduc{e}_7$ are always free
• $=24$ per round

This gives $24\ast 64=1792$ rows for all of "step 3", to which we need to add:

• $547$ rows for message scheduling
• $2\ast 8$ rows for $8$ reductions mod $2^{32}$ in "step 4"

giving a total of $2099$ rows.

Tables

We only require one table $\mathtt{spread}$, with $2^{16}$ rows and $3$ columns. We need a tag column to allow selecting $(7,10,11,13,14)$-bit subsets of the table for ${\Sigma }_{\mathrm{0..1}}$ and ${\sigma }_{\mathrm{0..1}}$.

spread table

For example, to do an $11$-bit $\mathtt{spread}$ lookup, we polynomial-constrain the tag to be in $\{0,1,2\}$. For the most common case of a $16$-bit lookup, we don't need to constrain the tag. Note that we can fill any unused rows beyond $2^{16}$ with a duplicate entry, e.g. all-zeroes.

Gates

Choice gate

Input from previous operations:

• $E^{\prime },F^{\prime },G^{\prime },$ 64-bit spread forms of 32-bit words $E,F,G$, assumed to be constrained by previous operations
  • in practice, we'll have the spread forms of $E^{\prime },F^{\prime },G^{\prime }$ after they've been decomposed into 16-bit subpieces
• $evens$ is defined as $\mathtt{spread}(2^{32}-1)$
  • $even{s}_0=even{s}_1=\mathtt{spread}(2^{16}-1)$

E ∧ F

¬E ∧ G

Constraints:

• s_ch (choice): $LHS-RHS=0$
  • $LHS=a_3{\omega }^{-1}+a_3\omega +2^{32}(a_4{\omega }^{-1}+a_4\omega )$
  • $RHS=a_2{\omega }^{-1}+2\ast a_2+2^{32}(a_2\omega +2\ast a_3)$
• s_ch_neg (negation): s_ch with an extra negation check
• $\mathtt{spread}$ lookup on $(a_0,a_1,a_2)$
• permutation between $(a_2,a_3)$

Output: $Ch(E,F,G)=P^{odd}+Q^{odd}=(P_0^{odd}+Q_0^{odd})+2^{16}(P_1^{odd}+Q_1^{odd})$

Majority gate

Input from previous operations:

• $A^{\prime },B^{\prime },C^{\prime },$ 64-bit spread forms of 32-bit words $A,B,C$, assumed to be constrained by previous operations
  • in practice, we'll have the spread forms of $A^{\prime },B^{\prime },C^{\prime }$ after they've been decomposed into $16$-bit subpieces

Constraints:

• s_maj (majority): $LHS-RHS=0$
  • $LHS=\mathtt{spread}(M_0^{even})+2\cdot \mathtt{spread}(M_0^{odd})+2^{32}\cdot \mathtt{spread}(M_1^{even})+2^{33}\cdot \mathtt{spread}(M_1^{odd})$
  • $RHS=A^{\prime }+B^{\prime }+C^{\prime }$
• $\mathtt{spread}$ lookup on $(a_0,a_1,a_2)$
• permutation between $(a_2,a_3)$

Output: $Maj(A,B,C)=M^{odd}=M_0^{odd}+2^{16}{M}_1^{odd}$

Σ_0 gate

$A$ is a 32-bit word split into $(2,11,9,10)$-bit chunks, starting from the little end. We refer to these chunks as $(a(2),b(11),c(9),d(10))$ respectively, and further split $c(9)$ into three 3-bit chunks $c(9{)}^{lo},c(9{)}^{mid},c(9{)}^{hi}$. We witness the spread versions of the small chunks.

$$\begin{array}{ccc}{\Sigma }_0(A)& =& (A⋙2)\oplus (A⋙13)\oplus (A⋙22)\\ & =& (A⋙2)\oplus (A⋙13)\oplus (A⋘10)\end{array}$$

Constraints:

• s_upp_sigma_0 (${\Sigma }_0$ constraint): $LHS-RHS+tag+decompose=0$

$$\begin{array}{ccc}tag& =& constrai{n}_1(a_0{\omega }^{-1})+constrai{n}_2(a_0\omega )\\ decompose& =& a(2)+2^{2}b(11)+2^{13}c(9{)}^{lo}+2^{16}c(9{)}^{mid}+2^{19}c(9{)}^{hi}+2^{22}d(10)-A\\ LHS& =& \mathtt{spread}(R_0^{even})+2\cdot \mathtt{spread}(R_0^{odd})+2^{32}\cdot \mathtt{spread}(R_1^{even})+2^{33}\cdot \mathtt{spread}(R_1^{odd})\end{array}$$ $$\begin{array}{rccccccccclcc}RHS=& 4^{30}\text{spread}(a(2))& +& 4^{20}\text{spread}(d(10))& +& 4^{17}\text{spread}(c(9{)}^{hi})& +& 4^{14}\text{spread}(c(9{)}^{mid})& +& 4^{11}\text{spread}(c(9{)}^{lo})& +& \text{spread}(b(11))& +\\ & 4^{21}\text{spread}(b(11))& +& 4^{19}\text{spread}(a(2))& +& 4^9\text{spread}(d(10))& +& 4^6\text{spread}(c(9{)}^{hi})& +& 4^3\text{spread}(c(9{)}^{mid})& +& \text{spread}(c(9{)}^{lo})& +\\ & 4^{29}\text{spread}(c(9{)}^{hi})& +& 4^{26}\text{spread}(c(9{)}^{mid})& +& 4^{23}\text{spread}(c(9{)}^{lo})& +& 4^{12}\text{spread}(b(11))& +& 4^{10}\text{spread}(a(2))& +& \text{spread}(d(10))& \end{array}$$

• $\mathtt{spread}$ lookup on $a_0,a_1,a_2$
• 2-bit range check and 2-bit spread check on $a(2)$
• 3-bit range check and 3-bit spread check on $c(9{)}^{lo},c(9{)}^{mid},c(9{)}^{hi}$

(see section Helper gates)

Output: ${\Sigma }_0(A)=R^{even}=R_0^{even}+2^{16}{R}_1^{even}$

Σ_1 gate

$E$ is a 32-bit word split into $(6,5,14,7)$-bit chunks, starting from the little end. We refer to these chunks as $(a(6),b(5),c(14),d(7))$ respectively, and further split $a(6)$ into two 3-bit chunks $a(6{)}^{lo},a(6{)}^{hi}$ and $b$ into (2,3)-bit chunks $b(5{)}^{lo},b(5{)}^{hi}$. We witness the spread versions of the small chunks.

$$\begin{array}{ccc}{\Sigma }_1(E)& =& (E⋙6)\oplus (E⋙11)\oplus (E⋙25)\\ & =& (E⋙6)\oplus (E⋙11)\oplus (E⋘7)\end{array}$$

Constraints:

• s_upp_sigma_1 (${\Sigma }_1$ constraint): $LHS-RHS+tag+decompose=0$

$$\begin{array}{ccc}tag& =& a_0{\omega }^{-1}+constrai{n}_4(a_0\omega )\\ decompose& =& a(6{)}^{lo}+2^{3}a(6{)}^{hi}+2^{6}b(5{)}^{lo}+2^{8}b(5{)}^{hi}+2^{11}c(14)+2^{25}d(7)-E\\ LHS& =& \mathtt{spread}(R_0^{even})+2\cdot \mathtt{spread}(R_0^{odd})+2^{32}\cdot \mathtt{spread}(R_1^{even})+2^{33}\cdot \mathtt{spread}(R_1^{odd})\end{array}$$ $$\begin{array}{rccccccccclcc}RHS=& 4^{29}\text{spread}(a(6{)}^{hi})& +& 4^{26}\text{spread}(a(6{)}^{lo})& +& 4^{19}\text{spread}(d(7))& +& 4^5\text{spread}(c(14))& +& 4^2\text{spread}(b(5{)}^{hi})& +& \text{spread}(b(5{)}^{lo})& +\\ & 4^{29}\text{spread}(b(5{)}^{hi})& +& 4^{27}\text{spread}(b(5{)}^{lo})& +& 4^{24}\text{spread}(a(6{)}^{hi})& +& 4^{21}\text{spread}(a(6{)}^{lo})& +& 4^{14}\text{spread}(d(7))& +& \text{spread}(c(14))& +\\ & 4^{18}\text{spread}(c(14))& +& 4^{15}\text{spread}(b(5{)}^{hi})& +& 4^{13}\text{spread}(b(5{)}^{lo})& +& 4^{10}\text{spread}(a(6{)}^{hi})& +& 4^7\text{spread}(a(6{)}^{lo})& +& \text{spread}(d(7))& \end{array}$$

• $\mathtt{spread}$ lookup on $a_0,a_1,a_2$
• 2-bit range check and 2-bit spread check on $b(5{)}^{lo}$
• 3-bit range check and 3-bit spread check on $a(6{)}^{lo},a(6{)}^{hi},b(4{)}^{hi}$

(see section Helper gates)

Output: ${\Sigma }_1(E)=R^{even}=R_0^{even}+2^{16}{R}_1^{even}$

σ_0 gate

v1

v1 of the ${\sigma }_0$ gate takes in a word that's split into $(3,4,11,14)$-bit chunks (already constrained by message scheduling). We refer to these chunks respectively as $(a(3),b(4),c(11),d(14)).$ $b(4)$ is further split into two 2-bit chunks $b(4{)}^{lo},b(4{)}^{hi}.$ We witness the spread versions of the small chunks. We already have $\text{spread}(c(11))$ and $\text{spread}(d(14))$ from the message scheduling.

$(X⋙7)\oplus (X⋙18)\oplus (X\gg 3)$ is equivalent to $(X⋙7)\oplus (X⋘14)\oplus (X\gg 3)$.

Constraints:

• s_low_sigma_0 (${\sigma }_0$ v1 constraint): $LHS-RHS=0$

$$\begin{array}{ccc}LHS& =& \mathtt{spread}(R_0^{even})+2\cdot \mathtt{spread}(R_0^{odd})+2^{32}\cdot \mathtt{spread}(R_1^{even})+2^{33}\cdot \mathtt{spread}(R_1^{odd})\end{array}$$ $$\begin{array}{rcccccccclc}RHS=& & & 4^{15}d(14)& +& 4^{4}c(11)& +& 4^{2}b(4{)}^{hi}& +& b(4{)}^{lo}& +\\ & 4^{30}b(4{)}^{hi}& +& 4^{28}b(4{)}^{lo}& +& 4^{25}a(3)& +& 4^{11}d(14)& +& c(11)& +\\ & 4^{21}c(11)& +& 4^{19}b(4{)}^{hi}& +& 4^{17}b(4{)}^{lo}& +& 4^{14}a(3)& +& d(14)& \end{array}$$

• check that b was properly split into subsections for 4-bit pieces.
  • $W^{b(4)lo}+2^2{W}^{b(4)hi}-W=0$
• 2-bit range check and 2-bit spread check on $b(4{)}^{lo},b(4{)}^{hi}$
• 3-bit range check and 3-bit spread check on $a(3)$

v2

v2 of the ${\sigma }_0$ gate takes in a word that's split into $(3,4,3,7,1,1,13)$-bit chunks (already constrained by message scheduling). We refer to these chunks respectively as $(a(3),b(4),c(3),d(7),e(1),f(1),g(13)).$ We already have $\mathtt{spread}(d(7)),\mathtt{spread}(g(13))$ from the message scheduling. The 1-bit $e(1),f(1)$ remain unchanged by the spread operation and can be used directly. We further split $b(4)$ into two 2-bit chunks $b(4{)}^{lo},b(4{)}^{hi}.$ We witness the spread versions of the small chunks.

$(X⋙7)\oplus (X⋙18)\oplus (X\gg 3)$ is equivalent to $(X⋙7)\oplus (X⋘14)\oplus (X\gg 3)$.

Constraints:

• s_low_sigma_0_v2 (${\sigma }_0$ v2 constraint): $LHS-RHS=0$

$$\begin{array}{ccc}LHS& =& \mathtt{spread}(R_0^{even})+2\cdot \mathtt{spread}(R_0^{odd})+2^{32}\cdot \mathtt{spread}(R_1^{even})+2^{33}\cdot \mathtt{spread}(R_1^{odd})\end{array}$$ $$\begin{array}{rccccccccccclcccc}RHS=& & & 4^{16}g(13)& +& 4^{15}f(1)& +& 4^{14}e(1)& +& 4^{7}d(7)& +& 4^{4}c(3)& +& 4^{2}b(4{)}^{hi}& +& b(4{)}^{lo}& +\\ & 4^{30}b(4{)}^{hi}& +& 4^{28}b(4{)}^{lo}& +& 4^{25}a(3)& +& 4^{12}g(13)& +& 4^{11}f(1)& +& 4^{10}e(1)& +& 4^{3}d(7)& +& c(3)& +\\ & 4^{31}e(1)& +& 4^{24}d(7)& +& 4^{21}c(3)& +& 4^{19}b(4{)}^{hi}& +& 4^{17}b(4{)}^{lo}& +& 4^{14}a(3)& +& 4^{1}g(13)& +& f(1)& \end{array}$$