announcement writing knowledge base

Valida: a zkVM focused on performance and extensibility

Mar 14th, 2023
Delendum & Lita Foundation

By Daniel Lubarov, Max Gillett, Wei Dai

Github repository: Valida and Valida Compiler

Our vision: We want to make it practical to compile conventional code to a zkVM with reasonable performance. No zkVM today is optimized for this goal. We desire a VM with neither registers nor a dedicated stack, and one that has a small field size with low-degree constraints. We also want efficient compilation from LLVM IR to the set of VM instructions.

Table of Content

Architecture

The zkVM consists of a CPU and several coprocessors, which are connected with communication buses:

graph TD;
CPU* --- Memory*;
CPU* --- Memory*;
CPU* --- Memory*;
CPU* --- Tip5*;
CPU* --- Logic;
CPU* --- u32_mul;
CPU* --- u32_add_sub;
CPU* --- Bls12;
CPU* --- Keccak-f;
Memory* --- Pager*;

* Part of the core (non-optional) configuration

Communication buses are implemented using permutation arguments (either grand product or multi-set checks), and may be multiplexed for efficiency when only one of a subset of buses will be used in a given cycle.

There are multiple VM configurations. The “Core” configuration is always present, and provides instructions for basic control flow and memory access. Additional configurations, such as “Field Arithmetic” or “Additional Jump” build upon the core configuration and offer additional instructions.

Instruction format

Instructions are encoded in groups of 6 field elements. The first element in the group contains the opcode, followed by three elements representing the operands and two immediate value flags: \(\text{opcode}, \text{op}_a\), \(\text{op}_b\), \(\text{op}_c\), \(\text{imm}_b\), \(\text{imm}_c\).

Program ROM

Our VM operates under the Harvard architecture, where progrom code is stored separately from main memory. Code is addressed by any field element, starting from \(0\). The program counter pc stores the location (a field element) of the instruction that is being executed.

Memory

Memory is comprised of word-addressable cells. A given cell contains 4 field elements, each of which are typically used to store a single byte (arbitrary field elements can also be stored). All core and ALU-related instructions operate on cells (i.e. any operand address is word aligned – a multiple of 4). In the VM compiler, the address of newly added local variables in the stack is word aligned.

For example, a U32 is represented in memory by its byte decomposition (4 elements). To initialize a U32 from an immediate value, we use the SETL16 instruction (see the complete instruction list below), which sets the first two bytes in memory. To initialize a U32 value greater than 16 bits, we can also call the SETH16 instruction to set the upper two bytes.

Immediate Values

Our VM cannot represent operand values that are greater than the prime \(p\), and cannot distinguish between \(0\) and \(p\). Therefore, any immediate values greater than or equal to \(p\) need to be expanded into smaller values.

Registers

Our zkVM does not operate on general purpose registers. Instead, instructions refer to variables local to the call frame, i.e. relative to the current frame pointer fp.

Notation

The following notation is used throughout this document:

Operand values: opa, opb, opc denote the value encoded in the operand a, b, or c of the current instruction.

CPU registers: fp, pc denote the value of the current frame pointer and program counter, respectively.

Relative addressing: [a] denote the cell value at address a offset from fp, i.e. fp + a. Variables local to the call frame are denoted in this form. Note that we are omitting fp in the expression here, but that the first dereference of an operand is always relative to the frame pointer.

Absolute addressing: [[a]] denotes the cell value at absolute address [a]. Heap-allocated values are denoted in this form.

To refer to relative or absolute element values, we use the notation \([a]_\text{elem}\) or \([[a]]_\text{elem}\) respectively.

Instruction list

Each instruction contains 5 field element operands, \(a, b, c, d, e\). Often, \(d\) and \(e\) are binary flags indicating whther operands \(a\) and \(b\) are immediate values or relative offets.

Listed below are the instructions offered in each configuration.

Core

Mnemonic Operands(asm) Description
LW / LOAD32 a(fp), c(fp) Follow the pointer stored at offset \(c\) from the current frame pointer and write the next 4 byte values to those beginning at offset a. Operand \(b\) is unused, but is constrained to \([c]\) in the trace. LOAD32 is used to load 4 bytes from the heap, and is aligned (i.e. the address at offset \(c\) is assumed to be a multiple of \(4\)).
SW / STORE32 b(fp), c(fp) Write the 4 byte values beginning at the address stroed at offset \(c\) to those beginning at offset \(b\). Operand \(a\) is unused, but is constrained to \([c]\) in the trace. STORE32 is used to write 4 bytes to the heap, and is aligned.
JAL a(fp), b, c Jump to address and link: Store the \(pc+1\) to local stack variable at offset \(a\), then set \(pc\) to field element \(b\). Set \(fp\) to \(fp + c\).
JALV a(fp), b(fp), c(fp) Jump to variable and link: Store the \(pc+1\) to local stack variable at offset \(a\), then set \(pc\) to the field element \([b]_{elem}\). Set \(fp\) to \([c]\).
BEQ a, b(fp), c(fp) If \([b] = [c]\), then set the program counter \(\text{pc}\) to \(a\)
BEQI a, b(fp), c If \([b] = c\), then set the program counter \(\text{pc}\) to \(a\)
BNE a, b(fp), c(fp) If \([b] \neq [c]\), then set the program counter \(\text{pc}\) to \(a\)
BNEI a, b(fp), c If \([b] \neq c\), then set the program counter \(\text{pc}\) to \(a\)
IMM32 a, b, c, d, e Write the immediate values \(b, c, d, e\) to the cell located at offset \(a\).

Field arithmetic

Mnemonic Operands(asm) Description
FEADD a(fp), b(fp), c(fp) \(d\) and \(e\) are a flags denoting whether \(a\) and \(b\) are interpreted as an immediate or offset. Let \(A = a\) if \(d = 1\) and \([a]_{elem}\) otherwise. Let \(B = b\) if \(e = 1\) and \([b]_{elem}\) otherwise. The instruction compute \(A + B\), and write the result to offset \(c\)
FEMUL a(fp), b(fp), c(fp) \(d\) and \(e\) are a flags denoting whether \(a\) and \(b\) are interpreted as an immediate or offset. Let \(A = a\) if \(d = 1\) and \([a]_{elem}\) otherwise. Let \(B = b\) if \(e = 1\) and \([b]_{elem}\) otherwise. The instruction compute \(A \cdot B\), and write the result to offset \(c\)
TO_FE a(fp), b(fp) Convert an U32, represented by 4 field elements starting at offset b, to a field element stored to the first field element at offset \(a\). \(a\) is assuemd to be a multiple of \(4\).
FROM_FE a(fp), b(fp) Convert a field element \([b]_{elem}\) to an U32 stored at offset a, which is assumed to be a multiple of \(4\).

Note that field arithmetic instructions only operate on the first element in a cell, which represents a field element instead of a single byte.

U32 Arithmetic

Mnemonic Operands(asm) Description
ADD a(fp), b(fp), c(fp) Compute the unchecked addition of the U32 values at cell offsets \(b\) and \(c\) and write the sum to cell offset \(a\). Note that because a full 32-bit value does not fit within one field element, we assume that values have been decomposed into 4 8-byte elements. The summed output is stored at cell offset \(a\). The same limb decomposition is used for the other U32 operations listed below.
ADDI a(fp), b(fp), c Compute the unchecked addition of the U32 variable at cell offsets \(b\) and an immediate \(c\), and write the sum to cell offset \(a\).
SUB a(fp), b(fp), c(fp) Unchecked subtraction
SUBI a(fp), b(fp), c Unchecked subtraction
MUL a(fp), b(fp), c(fp) Unchecked multiplication
MULI a(fp), b(fp), c Unchecked subtraction
DIV a(fp), b(fp), c(fp) Division
SH{L,R} a(fp), b(fp), c(fp) Shift [b] left/right by [c] and write to offset \(a\).
SH{L,R}I a(fp), b(fp), c Shift [b] left/right by c and write to offset \(a\).
ISH{L,R} a(fp), b, c(fp) Shift b left/right by [c] and write to offset \(a\).
SLT a(fp), b(fp), c(fp) Set local variable \(a\) to \(1\) if \([b] < [c]\) and \(0\) otherwise.
SLT a(fp), b(fp), c Set local variable \(a\) to \(1\) if \([b] < c\) and \(0\) otherwise.

Bitwise

Mnemonic Operands(asm) Description
AND a(fp), b(fp), c(fp) Set \([a]\) to \([b]\) bitwise-and \([c]\)
OR a(fp), b(fp), c(fp) Set \([a]\) to \([b]\) bitwise-or \([c]\)
XOR a(fp), b(fp), c(fp) Set \([a]\) to \([b]\) bitwise-xor \([c]\)

Byte Manipulation

Note: These will not be supported in the initial version.

Instruction Operands(asm)  
LOAD8 a(fp), b(fp) Load a byte at the address specified by local variable at offset \(b\) to local variable at offset \(a\).
STORE8 b(fp), c(fp) Store a byte encoded at offset \(c\) to the address encoded in offset \(b\)
STORE8I b(fp), c Store a byte encoded in the field element \(c\) to the address encoded in offset \(b\)

Heap allocation

Notes:

Assembly

Instructions

We will closely follow RISC-V assembly, making modifications as necessary. The most important difference between our zkVM assembly and RV32IM is that instead of registers x0-31, we only have two special-purpose registers fp and pc. However, we have (up to \(2^{31}-1\)) local variables, addressed relative to the current frame point fp.

Calling convention / stack frame

Stack (grows downwards, i.e. address decreases from top row to bottom row)
Arg 2
Arg 1
Return FP
Return value
Return address (<- Current fp)
Local 1
Local 2
Local N

We follow the RISC-V convention and grows the stack downwards. For a function call, the arguments are pushed onto the stack in reverse order. We only allow statically sized allocation on the stack, unlike traditional architectures where alloca can be used to allocate dynamically. All dynamic allocation will be compiled to heap allocations. Instead of using a frame pointer that points at the begining of the frame, we use a stack pointer which points at the first free stack cell.

Note that:

Pseudo instructions

Pseudo Instruction Instruction
call label jal 0(fp), -b, label; addifp b, where b is size of the current stack frame plus the call frame size for instantiate a call to lable
ret jal 4(fp), 0(fp), 0, set pc to [fp] where the return address is stored

Implementing MEMCPY/SET/MOVE

Memcpy will require rougly 2 cycles per word. We can follow this memcpy implementation on RISC-V.

Heap allocations

Example programs

Multiply stored immediates and return

define i32 @main() {
%1 = alloca i32, align 4
%2 = alloca i32, align 4
%3 = alloca i32, align 4
store i32 24, i32* %1, align 4
store i32 7, i32* %2, align 4
%4 = load i32, i32* %1, align 4
%5 = load i32, i32* %2, align 4
%6 = mul nsw i32 %4, %5
store i32 %6, i32* %3, align 4
%7 = load i32, i32* %1, align 4
ret i32 %7
}

main:
sub      -4(fp), 0(fp), 0(fp)      # Setup the 0 local variable at fp - 4
add     -8(fp), -4(fp), 24,    # Set [fp - 8] to 24
add    -12(fp), -4(fp), 7,     # Set [fp - 12] to 7

mul     -16(fp), 8(fp), 12(fp)    # Set [fp - 16] to 24 * 7

add    4(fp), -8(fp), 0     # Set return value at [fp + 4] to [fp - 8]
ret

Multiply arguments and return

define i32 @main() {
%1 = alloca i32, align 4
store i32 0, i32* %1, align 4
%2 = call i32 @mul(i32 938253, i32 7)
ret i32 %2
}

define i32 @mul2(i32 %0, i32 %1) {
%3 = alloca i32, align 4
%4 = alloca i32, align 4
store i32 %0, i32* %3, align 4
store i32 %1, i32* %4, align 4
%5 = load i32, i32* %3, align 4
%6 = load i32, i32* %4, align 4
%7 = mul nsw i32 %5, %6
ret i32 %7
}

main:
imm32     -4(fp), 938253
imm32     -8(fp), 7
call         mul2
# call translates to
# jal 0(fp), -16, mul2  " store pc + 1 to [fp], add -16 to fp, set pc to mul2
# addifp         16

ret

mul2:
mul    4(fp), 8(fp), 12(fp)
ret

The stack at the time of executing mul inside mul (line 11) looks like:

Stack
.. (<- fp of main)
7
938253
0 (before mul2) -> 6567771 (after mul2)
main:7 (<- fp of mul2)

Trace

Main CPU

Columns Configuration Description
\(\text{clk}\) Core Clock cycle
\(\text{pc}\) Core Program counter
\(\text{fp}\) Core Frame pointer
\(\text{opcode}\) Core Instruction opcode
\(\text{op}_a\) Core Operand \(a\)
\(\text{op}_b\) Core Operand \(b\)
\(\text{op}_c\) Core Operand \(c\)
\(\text{op}_d\) Core Operand \(d\), flag for if \(\text{op}_a\) is immediate or offset.
\(\text{op}_e\) Core Operand \(e\), flag for if \(\text{op}_b\) is immediate or offset.
\(\text{addr}_a\) Core \(\text{fp} + \text{op}_a\) (if \(\text{op}_d\) is not set)
\(\text{addr}_b\) Core \(\text{fp} + \text{op}_b\) (if \(\text{op}_e\) is not set)
\(\text{addr}_c\) Core \(\text{fp} + \text{op}_c\)

Columns \(\text{opcode}, \text{op}_a, \text{op}_b, \text{op}_c, \text{op}_d, \text{op}_e\) are specified by the program code (see the “Instruction Trace” section below).

Trace cells are also allocated to hold buffered read memory values for \(\text{addr}_a\) and \(\text{addr}_b\), and buffered write values for \(\text{addr}_c\). We read and write 4 elements from memory at a time to the main trace. These elements are only constrained when the immediate value flags are not set (see the “Instruction Decoding” section below):

Cell Configuration Description
\(v_{a,0}\) Core \([\text{addr}_a]_\text{elem}\)
\(v_{a,1}\) Core \([\text{addr}_a+1]_\text{elem}\)
\(v_{a,2}\) Core \([\text{addr}_a+2]_\text{elem}\)
\(v_{a,3}\) Core \([\text{addr}_a+3]_\text{elem}\)
\(v_{b,0}\) Core \([\text{addr}_b]_\text{elem}\)
\(v_{b,1}\) Core \([\text{addr}_b+1]_\text{elem}\)
\(v_{b,2}\) Core \([\text{addr}_b+2]_\text{elem}\)
\(v_{b,3}\) Core \([\text{addr}_b+3]_\text{elem}\)
\(v_{c,0}\) Core Value written to \(\text{addr}_c\)
\(v_{c,1}\) Core Value written to \(\text{addr}_c+1\)
\(v_{c,2}\) Core Value written to \(\text{addr}_c+2\)
\(v_{c,3}\) Core Value written to \(\text{addr}_c+3\)

Memory

Cell Description
\(\text{addr}\) Address
\(\text{clk}\) Clock cycle
\(\text{val}_0\) Value 0
\(\text{val}_1\) Value 1
\(\text{val}_2\) Value 2
\(\text{val}_3\) Value 3
\(d_0\) Lower 16 bits of \(\text{clk}'-\text{clk}-1\)
\(d_1\) Upper 16 bits of \(\text{clk}'-\text{clk}-1\)
\(t\) Nondeterministic inverse of \(\text{addr}'-\text{addr}\)

The memory table is sorted by (\(\text{addr}, \text{clk}\))

U32 Arithmetic

TODO: Replace this trace table and associated constraints with more efficient nondeterministic methods

Cell Description
\(\text{clk}\) Clock cycle
\(s_\text{instr}\) Requested instruction (constrained by communication bus)
\(s_\text{add}\) Selector flag for addition
\(s_\text{sub}\) Selector flag for subtraction
\(s_\text{mul}\) Selector flag for multiplication
\(s_\text{div}\) Selector flag for division
\(s_\text{checked_add}\) Selector flag for checked addition (requires \(s_\text{add}\) to be set as well)
\(s_\text{checked_mul}\) Selector flag for checked multiplication (requires \(s_\text{mul}\) to be set as well)
\(a\) Address of input 1
\(b\) Address of input 2
\(c\) Address of output
\(a_0\) Input 1 (12-bit limb)
\(a_1\) Input 1 (12-bit limb)
\(a_2\) Input 1 (12-bit limb)
\(b_0\) Input 2 (12-bit limb)
\(b_1\) Input 2 (12-bit limb)
\(b_2\) Input 2 (12-bit limb)
\(c_0\) Output (12-bit limb)
\(c_1\) Output (12-bit limb)
\(c_2\) Output (12-bit limb)
\(c_3\) Output (12-bit limb)
\(c_4\) Output (12-bit limb)

There are also 5 helper value cells: \(h_0\) through \(h_{4}\).

Instruction Trace

Each instruction is encoded as 6 field elements

Core

Mnemonic Operands(asm) Encoded  
LW / LOAD32 a(fp), c(fp) \(\text{OP}_{LW}\), \(a\), _, \(c\), \(0\), \(0\) Follow the pointer stored at offset \(c\) from the current frame pointer and write the next 4 byte values to those beginning at offset a. Operand \(b\) is unused, but is constrained to \([c]\) in the trace. LOAD32 is used to load 4 bytes from the heap, and is aligned (i.e. the address at offset \(c\) is assumed to be a multiple of \(4\)).
SW / STORE32 b(fp), c(fp) \(\text{OP}_{SW}\), _, \(b\), \(c\), \(0\), \(0\) Write the 4 byte values beginning at the address stroed at offset \(c\) to those beginning at offset \(b\). Operand \(a\) is unused, but is constrained to \([c]\) in the trace. STORE32 is used to write 4 bytes to the heap, and is aligned.
JAL a(fp), b, c \(\text{OP}_{jump}\), \(a\), \(b\), \(c\), \(1\), \(1\) Jump to address and link: Store the \(pc+1\) to local stack variable at offset \(a\), then set \(pc\) to field element \(b\). Set \(fp\) to \(fp + c\).
JALV a(fp), b(fp), c \(\text{OP}_{jump}\), \(a\), \(b\), \(c\), \(0\), \(1\) Jump to variable and link: Store the \(pc+1\) to local stack variable at offset \(a\), then set \(pc\) to the field element \([b]_{elem}\). Set \(fp\) to \(fp + c\).
BEQ a, b(fp), c(fp) \(\text{OP}_{branch}\), \(a\), \(b\), \(c\), \(0\), \(0\) If \([b] = [c]\), then set the program counter \(\text{pc}\) to \(a\)
BEQ a, b(fp), c \(\text{OP}_{branch}\), \(a\), \(b\), \(c\), \(0\), \(1\) If \([b] = c\), then set the program counter \(\text{pc}\) to \(a\)
BNE a, b(fp), c(fp) \(\text{OP}_{branch}\), \(a\), \(b\), \(c\), \(1\), \(0\) If \([b] \neq [c]\), then set the program counter \(\text{pc}\) to \(a\)
BNEI a, b(fp), c \(\text{OP}_{branch}\), \(a\), \(b\), \(c\), \(1\), \(1\) If \([b] \neq c\), then set the program counter \(\text{pc}\) to \(a\)
IMM32 a, b, c, d, e \(\text{OP}_{IMM}\), \(a\), \(b\), \(c\), \(d\), \(e\) Write the immediate values \(b, c, d, e\) to the cell located at offset \(a\).

Field arithmetic

Mnemonic Operands(asm) Encoded  
FEADD a(fp), b(fp), c(fp) \(\text{OP}_{FEADD}\), \(a\), \(b\), \(c\), \(d\), \(e\) \(d\) and \(e\) are a flags denoting whether \(a\) and \(b\) are interpreted as an immediate or offset. Let \(A = a\) if \(d = 1\) and \([a]_{elem}\) otherwise. Let \(B = b\) if \(e = 1\) and \([b]_{elem}\) otherwise. The instruction compute \(A + B\), and write the result to offset \(c\)
FEMUL a(fp), b(fp), c(fp) \(\text{OP}_{FEMUL}\), \(a\), \(b\), \(c\), \(d\), \(e\) \(d\) and \(e\) are a flags denoting whether \(a\) and \(b\) are interpreted as an immediate or offset. Let \(A = a\) if \(d = 1\) and \([a]_{elem}\) otherwise. Let \(B = b\) if \(e = 1\) and \([b]_{elem}\) otherwise. The instruction compute \(A \cdot B\), and write the result to offset \(c\)
TO_FE a(fp), b(fp)   Convert an U32, represented by 4 field elements starting at offset b, to a field element stored to the first field element at offset \(a\). \(a\) is assuemd to be a multiple of \(4\).
FROM_FE a(fp), b(fp)   Convert a field element \([b]_{elem}\) to an U32 stored at offset a, which is assumed to be a multiple of \(4\).

U32 Arithmetic

Mnemonic Operands(asm) Encoded  
ADD a(fp), b(fp), c(fp) \(\text{OP}_{ADD}\), \(a\), \(b\), \(c\), \(0\), \(0\) Compute the unchecked addition of the U32 values at cell offsets \(b\) and \(c\) and write the sum to cell offset \(a\). Note that because a full 32-bit value does not fit within one field element, we assume that values have been decomposed into 4 8-byte elements. The summed output is stored at cell offset \(a\). The same limb decomposition is used for the other U32 operations listed below.
ADDI a(fp), b(fp), c \(\text{OP}_{ADD}\), \(a\), \(b\), \(c_0\), \(1\), \(c_1\) Compute the unchecked addition of the U32 variable at cell offsets \(b\) and an immediate \(c\), and write the sum to cell offset \(a\).
SUB a(fp), b(fp), c(fp) \(\text{OP}_{SUB}\), \(a\), \(b\), \(c\), \(0\), \(0\) Unchecked subtraction
SUBI a(fp), b(fp), c \(\text{OP}_{SUB}\), \(a\), \(b\), \(c_1\), \(1\), \(c_2\) Unchecked subtraction
MUL a(fp), b(fp), c(fp) \(\text{OP}_{MUL}\), \(a\), \(b\), \(c\), \(0\), \(0\) Unchecked multiplication
MULI a(fp), b(fp), c \(\text{OP}_{MUL}\), \(a\), \(b\), \(c_1\), \(1\), \(c_2\) Unchecked subtraction
DIV a(fp), b(fp), c(fp) \(\text{OP}_{MUL}\), \(a\), \(b\), \(c\), \(0\), \(0\) Division
SH{L,R} a(fp), b(fp), c(fp) \(\text{OP}_{SHIFT}\), \(a\), \(b\), \(c\), \(0\), \(0\) Shift [b] left/right by [c] and write to offset \(a\).
SH{L,R}I a(fp), b(fp), c \(\text{OP}_{SHIFT}\), \(a\), \(b\), \(c\), \(0\), \(1\) Shift [b] left/right by c and write to offset \(a\).
ISH{L,R} a(fp), b, c(fp) \(\text{OP}_{SHIFT}\), \(a\), \(b\), \(c\), \(0\), \(1\) Shift b left/right by [c] and write to offset \(a\).
SLT a(fp), b(fp), c(fp) \(\text{OP}_{SLT}\), \(a\), \(b\), \(c\), \(0\), \(0\) Set local variable \(a\) to \(1\) if \([b] < [c]\) and \(0\) otherwise.
SLT a(fp), b(fp), c \(\text{OP}_{SLT}\), \(a\), \(b\), \(c\), \(0\), \(1\) Set local variable \(a\) to \(1\) if \([b] < c\) and \(0\) otherwise.

Bitwise

Mnemonic Operands(asm) Encoded  
AND a(fp), b(fp), c(fp) \(\text{OP}_{AND}\), \(a\), \(b\), \(c\), \(0\), _ Set \([a]\) to \([b]\) bitwise-and \([c]\)
OR a(fp), b(fp), c(fp) \(\text{OP}_{OR}\), \(a\), \(b\), \(c\), \(0\), _ Set \([a]\) to \([b]\) bitwise-or \([c]\)
XOR a(fp), b(fp), c(fp) \(\text{OP}_{XOR}\), \(a\), \(b\), \(c\), \(0\), _ Set \([a]\) to \([b]\) bitwise-xor \([c]\)

Instruction decoding

Trace cells are also allocated for each selector. In each cycle, the opcode is decoded into the following selector flags, which are grouped by type (not configuration) below for convenience. All flags are binary values, except for the instruction code.

Instruction code

Selector Configuration Description
\(s_\text{instr}\) Core Instruction code

Operand modifiers

Selector Configuration Description
\(s_{\text{imm}_a}\) Core Immediate value flag for operand \(a\) (\(0\) denotes offset, \(1\) denotes immediate value)
\(s_{\text{imm}_b}\) Core Immediate value flag for operand \(b\) (\(0\) denotes offset, \(1\) denotes immediate value)

Field arithmetic

Selector Configuration Description
\(s_\text{add}\) Field Arithmetic Addition
\(s_\text{mul}\) Field Arithmetic Multiplication

Memory

Selector Configuration Description
\(s_\text{store32}\) Core Store 4 bytes at at a memory address
\(s_\text{load32}\) Core Load 4 bytes from a memory address
\(s_\text{store8}\) Core Store a byte at a memory address
\(s_\text{load8}\) Core Load a byte from a memory address

Call

Selector Configuration Description
\(s_\text{call}\) Core Update the frame pointer

Jumps

Selector Configuration Description
\(s_\text{jump_eq}\) Core Jump equal flag
\(s_\text{jump_neq}\) Additional Jumps Jump not equal flag
\(s_\text{jump_ge}\) Additional Jumps Jump greater than or equal to flag
\(s_\text{jump_lt}\) Additional Jumps Jump less than flag

U32 arithmetic

Selector Configuration Description
\(s_\text{u32_add}\) U32 Arithmetic  
\(s_\text{u32_sub}\) U32 Arithmetic  
\(s_\text{u32_mul}\) U32 Arithmetic  
\(s_\text{u32_div}\) U32 Arithmetic  
\(s_\text{u32_checked_add}\) U32 Arithmetic  
\(s_\text{u32_checked_mul}\) U32 Arithmetic  

Binary operations

Selector Configuration Description
\(s_\text{bitwise_and}\) Bitwise  
\(s_\text{bitwise_or}\) Bitwise  
\(s_\text{bitwise_xor}\) Bitwise  

Design notes

Frontend target

We are writing a compiler from LLVM IR to our ISA.

ZK stack

This is a STARK-based zkVM. We are using Plonky3 to implement the polynomial IOP and PCS.

Field choice

We plan to use the 32-bit field defined by p = 2^31 - 1, which should give very good performance on GPUs or with most vector instruction sets.

Registers

Our VM has no general purpose registers, since memory is cheap.

Memory

We will use a conventional R/W memory.

Tables

The CPU can do up to three memory operations per cycle, to support binary operations involving two reads and one write.

If we used a single-trace model, we could support this by adding columns for 6 memory operations in each row of our trace: 3 for the chronological memory log and 3 for the (address, timestamp) ordered memory log.

Instead, we make the memory a separate table (i.e. a separate STARK which gets connected with a permutation argument). We also use multi-table support to implement other coprocessors that are wasteful to include in the main CPU, as their operations may not be used during most cycles (e.g. Keccak).

Continuations

TODO: Explain the permutation-based continuation implementation.

Lookups

Initially, we will support lookups only against prover-supplied tables. The main use case is range checks. To perform a 16-bit range check, for example, we would have the prover send a table containing [0 .. 2^16 - 1] in order. (If the trace was not already 2^16, we would pad it. If it was longer than 2^16, the prover would include some duplicates.) We would then use constraints to enforce that this table starts at 0, ends at 2^16 - 1, and increments by 0 or 1.

Preprocessed tables can also be useful, particularly for bitwise operations like xor. However, we will not support them initially because they require non-succinct preprocessing.

Floating point arithmetic

Fast floating point arithmetic doesn’t seem important for our anticipated use cases, so we will convert float operations to integer ones during compilation.

Call for collaboration

This open-source project aims to construct a robust, versatile system optimized for wide-ranging use cases, performance, and development productivity. We seek varied perspectives, innovative ideas, and unwavering dedication to quality.

Your contribution can take many forms, each equally valuable. Here are a few ways you can get involved:

We are looking forward to your contributions and are ready to provide guidance and support to anyone who wants to get involved. Please visit our GitHub page to get started and feel free to reach out with any questions or ideas.

If you’re interested in further discussions on this topic or working together on this subject, please consider joining our group chat or reach out to us at research@delendum.xyz.