CC-Sector Update Circuit

General Notation

F_{q}

A prime field element (i.e. an integer

mod q

). Filecoin uses the BLS12-381 scalar field as its prime field.

F_{q} |_{{0, 1}}

A field element whose value is constrained to either

0

1

{F_{q}}^{[n]}

An array containing

n

field elements.

x : F_{q}

A variable

x

which has type

F_{q}

(x_{1}, x_{2})

An array containing two values.

0 .. n

The range of values

(0, 1, \dots, n - 1)

arr [m .. n]

A slice (subarray) of an array

arr

containing the values

(arr [m], arr [m + 1], \dots, arr [n - 1])

y \overset{⋄}{=} some_gadget (\dots)

Denotes

y

as a being a value allocated in a constraint system by a gadget

some_gadget

Circuit Notation and Constants

N = {\begin{cases} 2^{30} & if sector-size = 32 GiB \\ 2^{31} & otherwise if sector-size = 64 GiB \end{cases}

The number of nodes per sector.

C = 2200

The number of challenges per sector (one proof is generated for per update CC-sector).

c \in 0 .. N

A Merkle challenge (i.e. the index of a node in a sector of size

N

). There are

C

number of challenges

c_{i}

generated per proof.

ρ : F_{q}

A random value generated for each challenge

c

bitlen (digest) = bitlen (F_{q}) = ⌈ \log_{2} (q) ⌉ = 255

The bit-length of a Poseidon digest. Our Poseidon hash function is instantiated over a

\approx

256-bit field (BLS12-381's scalar field

F_{q}

), thus targets a security level of 128 bits.

q

is the Poseidon field modulus.

bitlen (c) = \log_{2} (N) = {\begin{cases} 30 & if sector-size is 32GiB \\ 31 & otherwise if sector-size is 64GiB \end{cases}

The bit-length of a challenge

c

. Each challenge

c

is the index of a node in a sector

c \in 0 .. N

⌊ \frac{bitlen (digest)}{bitlen (c)} ⌋ = ⌊ \frac{255}{\log_{2} (N)} ⌋ = 8

The number of challenges generated using a single Poseidon digest, i.e. the

j^{t h}

digest is used to generate the challenges

(c_{j 8}, c_{j 8 + 1}, \dots, c_{j 8 + 7})

C / 8 = 275

The number of Poseidon digests required to generate

C

number of challenges, i.e. a single Poseidon digest generates

8

of the required

C = 2200

challenges.

\boldsymbol H = (2^{7}, 2^{8}, 2^{9}, 2^{10}, 2^{11}, 2^{12})

An array containing the possible values of

H

H \in \boldsymbol H

Specifies the number of bits extracted from a challenge

c

's binary representation

c_bits

and appended onto

CommDNew

to generate the preimage for

c

's random value

ρ

H

is chosen from

\boldsymbol H

using the

HSelect

public-input.

HSelect : F_{q} \in {2^{0}, 2^{1}, 2^{2}, 2^{3}, 2^{4}, 2^{5}}

Selects

H \in \boldsymbol H

via

H = \boldsymbol H [\log_{2} (HSelect)]

. Note that each possible value of

HSelect

has either no bits set or exactly one bit set, thus

\log_{2} (HSelect)

is a unique integer in

0 .. 6

. Within the circuit we allocate

HSelect

as 6 bits

h_select_bits

and extract the

\log_{2} (H)

high bits from each challenge

c

using the linear combination

c * \sum_{k \in 0 .. 6} h_select_bits [k] * 2^{\log_{2} (N) - \log_{2} (\boldsymbol H [k])}

CommDNew : F_{q}

Commitment to the sector's plaintext data after updating; the root of

TreeDNew

CommROld, CommRNew : F_{q}

Commitments to the replicated sector before and after updating;

CommR = {poseidon}_{2} ((CommC, CommRLast))

CommRLastOld, CommRLastNew : F_{q}

Roots of the sector's

TreeR

trees before and after updating.

CommC : F_{q}

The original/unupdated sector's

CommC

. Note that

CommC

is not changed when updating a CC-sector.

{TreeDNewProof}_{c} : struct {leaf : F_{q}, path : {F_{q}}^{[1]}^{[\log_{2} (N)]}}

{TreeROldProof}_{c}, {TreeRNewProof}_{c} : struct {leaf : F_{q}, path : {F_{q}}^{[7]}^{[\log_{8} (N)]}}

Three Merkle proofs (1 bintree, 2 octtree) are generated for each challenge

c

: one in

TreeDNew

, one in

TreeROld

, and one in

TreeRNew

. The

leaf

field is the Merkel challenge

c

's (leaf) label. The field

path

is the Merkle path generated for

c

Summary

Generate

C

number of challenges using

C / 8

Poseidon digests, i.e. one digest generates

8

challenges.

\forall j \in 0 .. C / 8 : {digest}_{j} = poseidon ((CommDNew, j))

Each challenge is a

\log_{2} (N)

-bit unsigned integer, thus split each digest into

8

\log_{2} (N)

-bit, partitions interpreting each as the little-endian bits of a challenge

c

\forall i \in 0 .. 8 : c_{8 j + i} = {digest}_{j} [\log_{2} (N) i .. \log_{2} (N) (i + 1)] as F_{q}

Isolate the most-significant

H

bits of

c

denoted

c_high

where

H

is chosen from

\boldsymbol H

using the public input bit-array

HSelect

. Calculate each challenge's random value

ρ

using

c_high

ρ_{c} = poseidon ((poseideon (CommDNew, CommROld), c_high))

Verify each challenge

c

's Merkle proofs in

TreeDNew

TreeROld

, and

TreeRNew

(i.e. the trees built over the new plaintext data, old replica, and new replica).

Verify each

c

's new replica label

R_{c}^{*}

using

c

's old replica label

R_{c}

, new plaintext label

D_{c}^{*}

, and

ρ_{c}

R_{c}^{*} = R_{c} + D_{c}^{*} ρ_{c}

Circuit

Public Inputs:

CommDNew, CommROld, CommRNew, HSelect

Private Inputs:

CommC, CommRLastOld, CommRLastNew, \forall c \in (c_{1}, \dots, c_{2200}) : {TreeDNewProof}_{c}, {TreeROldProof}_{c}, {TreeRNewProof}_{c}

\overset{―}{\underset{―}{Circuit: SDR CC-Sector Update}}

1. comm_d_new \overset{⋄}{=} alloc_pub ({CommDNew}_{pub})

2. comm_r_old \overset{⋄}{=} alloc_pub ({CommROld}_{pub})

3. comm_r_new \overset{⋄}{=} alloc_pub ({CommRNew}_{pub})

4. ϕ : F_{q} \overset{⋄}{=} {poseidon_gadget}_{2} ((comm_d_new, comm_r_old))

5. h_select \overset{⋄}{=} alloc_pub ({HSelect}_{pub})

6. h_select_bits : {F_{q} |_{{0, 1}}}^{[6]} \overset{⋄}{=} le_bits_gadget (h_select, 6)

7. comm_c \overset{⋄}{=} alloc ({CommC}_{priv})

8. comm_r_last_old \overset{⋄}{=} alloc ({CommRLastOld}_{priv})

9. comm_r_last_new \overset{⋄}{=} alloc ({CommRLastNew}_{priv})

TODO: do we need to prove

CommRLastOld

using

CommROld

10. comm_r_old_calc : F_{q} \overset{⋄}{=} {poseidon_gadget}_{2} ((comm_c, comm_r_last_old))

11. assert_eq (comm_r_old_calc, comm_r_old)

10. comm_r_new_calc : F_{q} \overset{⋄}{=} {poseidon_gadget}_{2} ((comm_c, comm_r_last_new))

11. assert_eq (comm_r_new_calc, comm_r_new)

12. for j \in 0 .. C / 8 :

13. j \overset{⋄}{=} alloc (j)

14. digest : F_{q} \overset{⋄}{=} {poseidon_gadget}_{2} ((comm_r_new, j))

15. digest_bits : {F_{q} |_{{0, 1}}}^{[8 \log_{2} (N)]} \overset{⋄}{=} le_bits_gadget (digest, 8 \log_{2} (N))

16. for i \in 0 .. 8 :

17. c_bits : {F_{q} |_{{0, 1}}}^{[\log_{2} (N)]} = digest_bits [\log_{2} (N) i .. \log_{2} (N) (i + 1)]

18. c_high \overset{⋄}{=} lc_gadget (\sum_{k \in 0 .. 6} h_select_bits [k] * (c_bits ≫ (\log_{2} (N) - \log_{2} (\boldsymbol H [k]))))

19. ρ : F_{q} \overset{⋄}{=} {poseidon_gadget}_{2} ((ϕ, c_high))

20. (label_d_new, path_d_new) \overset{⋄}{=} alloc_bintree_proof ({TreeDNewProof}_{c, priv})

21. (label_r_old, path_r_old) \overset{⋄}{=} alloc_octtree_proof ({TreeROldProof}_{c, priv})

22. (label_r_new, path_r_new) \overset{⋄}{=} alloc_octtree_proof ({TreeRNewProof}_{c, priv})

23. comm_d_new_calc \overset{⋄}{=} bintree_root_gadget (c_bits, label_d_new, path_d_new)

24. comm_r_last_old_calc \overset{⋄}{=} octtree_root_gadget (c_bits, label_r_old, path_r_old)

25. comm_r_last_new_calc \overset{⋄}{=} octtree_root_gadget (c_bits, label_r_new, path_r_new)

26. assert_eq (comm_d_new_calc, comm_d_new)

27. assert_eq (comm_r_last_old_calc, comm_r_last_old)

28. assert_eq (comm_r_last_new_calc, comm_r_last_new)

29. rho_label_d_new \overset{⋄}{=} mul_gadget (ρ, label_d_new)

30. label_r_new_calc \overset{⋄}{=} add_gadget (label_r_old, rho_label_d_new)

31. assert_eq (label_r_new_calc, label_r_new)

Gadgets

alloc (x)

allocates

x

in the constraint-system and does not add constraints.

alloc_pub (x)

makes one public and one private allocation in the constraint-system and adds one constraint asserting equality between the two.

alloc_bintree_proof/alloc_octtree_proof (leaf, path)

allocate a challenge

c

's Merkle leaf label and its Merkle path elements and doe not add constraints to the constraint system.

assert_eq (x, y)

adds one constraint asserting the equality

x == y

add_gadget (x, y)

allocates the sum

x + y

and adds one constraint asserting the correctness of the allocated value.

mul_gadget (x, y)

allocates the product

x * y

and adds one constraint asserting the correctness of the allocated value.

lc_gadget (\sum_{i} {const}_{i} * {prev_alloc_value}_{i})

makes one allocation for the output of the linear combination ("lc") and adds one constraint asserting that the allocated value is consistent with the sum of (scaled) previously allocated values. Note that each constant

{const}_{i}

is unallocated.

{poseidon_gadget}_{2} ((x, y))

calculates the arity-2 Poseidon digest of the preimage array

(x, y)

le_bits_gadget (x, n)

allocates

x

n

bits in the constraint system, i.e. makes

n

allocations, add a boolean constraint for each allocated bit, and adds

1

constraint asserting that the allocated bits are the correct binary representation for

x

assert_eq (\sum_{i \in 0 .. n} 2^{i} * bits [i], x)

bintree_root_gadget/octtree_root_gadget (c_bits, leaf, path)

calculates the root of a Merkle bintree/octtree given a challenge

c

's Merkle leaf label and Merkle path. Bintrees use arity-2 SHA256 and octtrees use arity-8 Poseidon.

Circuit (Updated)

const P = 16

const A = 128

const C = 86

const Hs = (7, 8, 9, 10, 11, 12)

const PartitionTreeHeight = \log_{2} (P) = 4

const ApexTreeHeight = \log_{2} (A) = 7

config SectorSize \in {32 GiB, 64 GiB}

config k \in 0 .. P

config HsIndex \in {0, 1, 2, 3, 4, 5}

type TreeD = BinTree

type TreeR = {\begin{cases} OctTree & if SectorSize = 32 GiB \\ OctBinTree & if SectorSize = 64 GiB \end{cases}

Nodes = {\begin{cases} 2^{30} & if SectorSize = 32 Gib \\ 2^{31} & if SectorSize = 64 Gib \end{cases}

input R_{old} \in {F_{q}}^{[Nodes]}

input D_{new} \in {F_{q}}^{[Nodes]}

input R_{new} \in {F_{q}}^{[Nodes]}

ChallengeBits = \log_{2} (Nodes)

PartitionBits = \log_{2} (P)

RandChallengeBits = ChallengeBits - PartitionBits

HSelect = 2^{HsIndex}

H = Hs [HsIndex] = Hs [\log_{2} (HSelect)]

TreeROld = TreeR (R_{old})

TreeDNew = TreeD (D_{new})

TreeRNew = TreeR (R_{new})

CommROld = TreeROld .root

CommDNew = TreeDNew .root

CommRNew = TreeRNew .root

TreeDHeight = \log_{2} (Nodes)

TreeRHeight = {\begin{cases} \log_{8} (Nodes) & if SectorSize = 32 GiB \\ \log_{8} (Nodes / 2) + 1 & if SectorSize = 64 GiB \end{cases}

ApexRootsRow = TreeDHeight - PartitionTreeHeight

ApexLeafsRow = ApexRootsRow - ApexTreeHeight

ApexLeafs = TreeD [ApexLeafsRow] [k * A .. (k + 1) * A]

ApexTree = TreeD (ApexLeafs)

ApexRoots = TreeD [ApexRootsRow]

ApexRoot = ApexRoots [k] = ApexTree .root

PartitionBits = ((k ≫ i) \land 1 ∣ i \in \log_{2} (P)) = le_bits (k)

PartitionPath = ({TreeD}_{new} [ApexRootsRow + i] [(k ≫ i) + j] ∣ i \in 0 .. ApexTreeHeight, j = {\begin{cases} 1 & if is_even (k ≫ i) \\ - 1 & if is_odd (k ≫ i) \end{cases}) = {TreeDNewProof}_{c} [TreeDHeight - PartitionTreeHeight ..]

PubInputs = (k, CommROld, CommDNew, CommRNew, HSelect)

PrivInputs = (CommC, RootROld, RootRNew, ApexLeafs, ChallengeProofs)

\overset{―}{\underset{―}{Circuit: SDR Empty Sector Update}}

1. k \overset{⋄}{=} alloc_pub (k_{pub})

2. comm_r_old \overset{⋄}{=} alloc_pub ({CommROld}_{pub})

3. comm_d_new \overset{⋄}{=} alloc_pub ({CommDNew}_{pub})

4. comm_r_new \overset{⋄}{=} alloc_pub ({CommRNew}_{pub})

5. h_select \overset{⋄}{=} alloc_pub ({HSelect}_{pub})

6. k_bits \overset{⋄}{=} le_bits_gadget (k, 255) [.. \log_{2} (P)]

7. h_select_bits \overset{⋄}{=} le_bits_gadget (h_select, 255) [.. 6]

8. phi \overset{⋄}{=} poseidon_gadget ((comm_d_new, comm_r_old))

9. comm_c \overset{⋄}{=} alloc ({CommC}_{priv})

10. root_r_old \overset{⋄}{=} alloc ({RootROld}_{priv})

11. root_r_new \overset{⋄}{=} alloc ({RootRNew}_{priv})

12. apex_leafs : {F_{q}}^{[A]} \overset{⋄}{=} (alloc (apex_leaf) ∣ apex_leaf \in {ApexLeafs}_{priv})

13. partition_path : {F_{q}}^{[1]}^{[PartitionTreeHeight]} \overset{⋄}{=} ((alloc (el)) ∣ el \in {PartitionPath}_{priv})

14. comm_r_old_calc \overset{⋄}{=} poseidon_gadget ((comm_c, root_r_old))

15. assert_eq (comm_r_old_calc, comm_r_old)

16. comm_r_new_calc \overset{⋄}{=} poseidon_gadget ((comm_c, root_r_new))

17. assert_eq (comm_r_new_calc, comm_r_new)

18. apex_tree : ({F_{q}}^{[A]}, {F_{q}}^{[A / 2]}, \dots, {F_{q}}^{[1]}) \overset{⋄}{=} bin_tree_gadget (apex_leafs)

19. apex_root = apex_tree [ApexTreeHeight] [0]

20. comm_d_new_calc \overset{⋄}{=} bintree_root_gadget (k_bits, apex_root, partition_path)

21. assert_eq (comm_d_new_calc, comm_d_new)

22. rand_bits : {F_{q} |_{{0, 1}}}^{[RandChallengeBits]}^{[C]} \overset{⋄}{=} gen_challenge_bits_gadget (comm_r_new, k)

23. for c_rand_bits \in rand_bits :

24. c_high_and_zeros : {F_{q}}^{[6]} = ()

25. for h, h_select_bit \in zip (Hs, h_select_bits) :

26. c_high_bits = c_rand_bits [RandChallengeBits - h ..]

27. c_high \overset{⋄}{=} lc_gadget (\sum_{i \in 0 .. h} 2^{i} * c_high_bits [i])

28. c_high_or_zero \overset{⋄}{=} mul_gadget (h_select_bit, c_high)

29. c_high_and_zeros . push (c_high_or_zero)

30. c_high_selected \overset{⋄}{=} lc_gadget (\sum_{i \in 0 .. 6} c_high_and_zeros [i])

31. rho \overset{⋄}{=} poseidon_gadget ((phi, c_high_selected))