feat: add keccak guest lib (#1070)

Author: lightsing

Cargo.lock

@@ -7,6 +7,7 @@ members = [
   "ceno_zkvm",
   "examples-builder",
   "examples",
+  "guest_libs/*",
 ]
 resolver = "2"
 
@@ -30,6 +31,7 @@ transcript = { git = "https://github.com/scroll-tech/gkr-backend.git", package =
 whir = { git = "https://github.com/scroll-tech/gkr-backend.git", package = "whir", rev = "v1.0.0-alpha.6" }
 witness = { git = "https://github.com/scroll-tech/gkr-backend.git", package = "witness", rev = "v1.0.0-alpha.6" }
 
+alloy-primitives = "1.3"
 anyhow = { version = "1.0", default-features = false }
 bincode = "1"
 clap = { version = "4.5", features = ["derive"] }

Cargo.toml

@@ -622,6 +622,24 @@ fn test_keccak_no_syscall() -> Result<()> {
     Ok(())
 }
 
+#[test]
+fn test_keccak_guest() -> Result<()> {
+    let _ = ceno_host::run(
+        CENO_PLATFORM,
+        ceno_examples::keccak_lib,
+        &CenoStdin::default(),
+        None,
+    );
+
+    let _ = ceno_host::run(
+        CENO_PLATFORM,
+        ceno_examples::keccak_native,
+        &CenoStdin::default(),
+        None,
+    );
+    Ok(())
+}
+
 fn unsafe_platform() -> Platform {
     let mut platform = CENO_PLATFORM;
     platform.unsafe_ecall_nop = true;

ceno_host/tests/test_elf.rs

@@ -13,6 +13,8 @@ pub const BN254_FP_MUL: u32 = 0x00_01_01_28;
 pub const BN254_FP2_ADD: u32 = 0x00_01_01_29;
 pub const BN254_FP2_MUL: u32 = 0x00_01_01_2B;
 
+pub const KECCAK_STATE_WORDS: usize = 25;
+
 /// Based on https://github.com/succinctlabs/sp1/blob/013c24ea2fa15a0e7ed94f7d11a7ada4baa39ab9/crates/zkvm/entrypoint/src/syscalls/keccak_permute.rs
 /// Executes the Keccak256 permutation on the given state.
 ///
@@ -21,7 +23,7 @@ pub const BN254_FP2_MUL: u32 = 0x00_01_01_2B;
 /// - The caller must ensure that `state` is valid pointer to data that is aligned along a four
 ///   byte boundary.
 #[allow(unused_variables)]
-pub fn syscall_keccak_permute(state: &mut [u64; 25]) {
+pub fn syscall_keccak_permute(state: &mut [u64; KECCAK_STATE_WORDS]) {
     #[cfg(target_os = "zkvm")]
     unsafe {
         asm!(

ceno_rt/src/syscalls.rs

@@ -10,6 +10,8 @@ repository = "https://github.com/scroll-tech/ceno"
 version = "0.1.0"
 
 [dependencies]
+alloy-primitives = { version = "1.3", features = ["native-keccak"] }
+ceno_keccak = { path = "../guest_libs/keccak" }
 ceno_rt = { path = "../ceno_rt" }
 rand.workspace = true
 tiny-keccak.workspace = true

examples/Cargo.toml

@@ -0,0 +1,30 @@
+//! Compute the Keccak-256.
+
+extern crate ceno_rt;
+
+use ceno_keccak::{Hasher, Keccak};
+
+fn main() {
+    let keccak = Keccak::v256();
+    let mut output = [0; 32];
+    let expected = b"\
+        \xc5\xd2\x46\x01\x86\xf7\x23\x3c\x92\x7e\x7d\xb2\xdc\xc7\x03\xc0\
+        \xe5\x00\xb6\x53\xca\x82\x27\x3b\x7b\xfa\xd8\x04\x5d\x85\xa4\x70\
+    ";
+
+    keccak.finalize(&mut output);
+    assert_eq!(expected, &output);
+
+    let mut keccak = Keccak::v256();
+    let mut in_and_out: [u8; 32] = [0; 32];
+    for i in 1..6 {
+        in_and_out[i as usize - 1] = i
+    }
+    let expected = b"\
+        \x7d\x87\xc5\xea\x75\xf7\x37\x8b\xb7\x01\xe4\x04\xc5\x06\x39\x16\
+        \x1a\xf3\xef\xf6\x62\x93\xe9\xf3\x75\xb5\xf1\x7e\xb5\x04\x76\xf4\
+    ";
+    keccak.update(&in_and_out[0..5]);
+    keccak.finalize(&mut in_and_out);
+    assert_eq!(expected, &in_and_out);
+}

examples/examples/keccak_lib.rs

@@ -0,0 +1,26 @@
+//! Compute the Keccak-256 using alloy-primitives with native-keccak hook.
+
+extern crate ceno_keccak;
+extern crate ceno_rt; // Make sure the native keccak hook is linked in.
+
+use alloy_primitives::keccak256;
+
+fn main() {
+    let output = keccak256(b"");
+    let expected = b"\
+        \xc5\xd2\x46\x01\x86\xf7\x23\x3c\x92\x7e\x7d\xb2\xdc\xc7\x03\xc0\
+        \xe5\x00\xb6\x53\xca\x82\x27\x3b\x7b\xfa\xd8\x04\x5d\x85\xa4\x70\
+    ";
+    assert_eq!(expected, &output);
+
+    let mut input: [u8; 5] = [0; 5];
+    for i in 1..6 {
+        input[i as usize - 1] = i;
+    }
+    let output = keccak256(input);
+    let expected = b"\
+        \x7d\x87\xc5\xea\x75\xf7\x37\x8b\xb7\x01\xe4\x04\xc5\x06\x39\x16\
+        \x1a\xf3\xef\xf6\x62\x93\xe9\xf3\x75\xb5\xf1\x7e\xb5\x04\x76\xf4\
+    ";
+    assert_eq!(expected, &output);
+}

examples/examples/keccak_native.rs

@@ -0,0 +1,14 @@
+[package]
+categories = ["cryptography", "zk", "blockchain", "ceno"]
+description = "Ceno zkVM Keccak Guest Library"
+edition = "2021"
+keywords = ["cryptography", "zk", "blockchain", "ceno"]
+license = "MIT OR Apache-2.0"
+name = "ceno_keccak"
+readme = "README.md"
+repository = "https://github.com/scroll-tech/ceno"
+version = "0.1.0"
+
+[dependencies]
+ceno_rt = { path = "../../ceno_rt" }
+tiny-keccak = { workspace = true }

guest_libs/keccak/Cargo.toml

@@ -0,0 +1,4 @@
+# Ceno Keccak zkVM Guest Library
+
+Copied and modified from [tiny-keccak](https://github.com/debris/tiny-keccak)
+under CC0 license.

guest_libs/keccak/README.md

@@ -0,0 +1,54 @@
+//! Ceno Keccak zkVM Guest Library
+
+#![no_std]
+#![deny(missing_docs)]
+extern crate alloc;
+
+/// Re-export the `tiny_keccak` crate's `Hasher` trait.
+pub use tiny_keccak::{self, Hasher};
+
+mod vendor;
+pub use vendor::keccak::Keccak;
+
+pub use ceno_rt::syscalls::syscall_keccak_permute as keccakf;
+
+mod keccakf {
+    use crate::{
+        keccakf,
+        vendor::{Buffer, Permutation},
+    };
+
+    pub struct KeccakF;
+
+    impl Permutation for KeccakF {
+        fn execute(buffer: &mut Buffer) {
+            keccakf(buffer.words());
+        }
+    }
+}
+
+/// Native hook for keccak256 for use with `alloy-primitives` "native-keccak" feature.
+///
+/// # Safety
+///
+/// The VM accepts the preimage by pointer and length, and writes the
+/// 32-byte hash.
+/// - `bytes` must point to an input buffer at least `len` long.
+/// - `output` must point to a buffer that is at least 32-bytes long.
+///
+/// [`keccak256`]: https://en.wikipedia.org/wiki/SHA-3
+/// [`sha3`]: https://docs.rs/sha3/latest/sha3/
+/// [`tiny_keccak`]: https://docs.rs/tiny-keccak/latest/tiny_keccak/
+#[inline(always)]
+#[no_mangle]
+pub unsafe extern "C" fn native_keccak256(bytes: *const u8, len: usize, output: *mut u8) {
+    use crate::{Hasher, Keccak};
+
+    unsafe {
+        let input = core::slice::from_raw_parts(bytes, len);
+        let out = core::slice::from_raw_parts_mut(output, 32);
+        let mut hasher = Keccak::v256();
+        hasher.update(input);
+        hasher.finalize(out);
+    }
+}