Kernel ROM chiplet

The kernel ROM enables executing predefined kernel procedures. These procedures are always executed in the root context and can only be accessed by a SYSCALL operation. The chiplet tracks and enforces correctness of all kernel procedure calls as well as maintaining a list of all the procedures defined for the kernel, whether they are executed or not. More background about Miden VM execution contexts can be found here.

Kernel ROM trace

The kernel ROM table consists of five columns. The following example table shows the execution trace of the kernel ROM with procedure digests $a, b, c$ , which were called 1, 2, and 0 times, respectively. Each digest is included once to respond to the initialization request by the public inputs, and then repeated for each call made by the decoder.

$s_{f i rs t}$	$r_{0}$	$r_{1}$	$r_{2}$	$r_{3}$
1	$a_{0}$	$a_{1}$	$a_{2}$	$a_{3}$
0	$a_{0}$	$a_{1}$	$a_{2}$	$a_{3}$
1	$b_{0}$	$b_{1}$	$b_{2}$	$b_{3}$
0	$b_{0}$	$b_{1}$	$b_{2}$	$b_{3}$
0	$b_{0}$	$b_{1}$	$b_{2}$	$b_{3}$
1	$c_{0}$	$c_{1}$	$c_{2}$	$c_{3}$

The meaning of columns in the above is as follows:

Column $s_{f i rs t}$ specifies the start of a block of rows with identical kernel procedure digests.
$r_{0}, ..., r_{3}$ contain the digests of the kernel procedures. The values in these columns can change only when $s_{f i rs t}$ is set to 1 in the next row. Otherwise, the values in the $r$ columns remain the same.

Constraints

Note: the following assumes the ACE chiplet is included in the previous slot, whose documentation will be included in a subsequent PR.

The following constraints are required to enforce the correctness of the kernel ROM trace.

Note: Unless otherwise stated, these constraints should also be multiplied by chiplets module's virtual flag $f_{k ro m}$ which is active in all rows the kernel ROM chiplet.

The $s_{f i rs t}$ column is a selector indicating the start of a new digest included in the kernel ROM chiplet trace. In this row, the chiplet responds to a bus request made by the verifier to ensure consistency with the set of kernel procedure digests given as public inputs.

As $s_{f i rs t}$ is a selector, it must be binary.

$s_{f i rs t}^{2} - s_{f i rs t} = 0 | degree = 2$

The flag $s_{f i rs t}$ must be set to be 1 in the first row of the kernel ROM chiplet. Otherwise, the digest in this row would not be matched with one of the input procedure roots. This constraint is enforced in the last row of the previous trace, using selector columns from the chiplets module. More precisely, we use the virtual $f_{A CE}$ flag from the chiplet selectors $s_{0}, s_{1}, \dots, s_{A CE}$ which is active in all rows of the previous (in this case ACE) chiplet, along with the selector $s_{A CE}$ which transitions from 0 to 1 in the last row, allowing us to target the first row of the kernel ROM trace.

$f_{A CE} \cdot s_{A CE}^{'} \cdot (1 - s_{f i rs t}^{'}) = 0 | degree = de g (f_{p re v}) + 2$

Note that this selector need not be multiplied by the kernel ROM chiplet flag $c hi p$ s4, since it is only active when the previous chiplet is active._

The contiguity of the digests in a block is ensured by enforcing equality between digests across two consecutive rows, whenever the next row is not the start of a new block. That is, when $s_{f i rs t}^{'} = 0$ , it must hold that $r_{i} = r_{i}^{'}$ . We disable this constraint in the last row of the kernel ROM chiplet trace by using the kernel ROM chiplet selector $s_{4}^{'}$ , since the latter transitions from 0 to 1 when the next chiplet starts.

$(1 - s_{4}^{'}) \cdot (1 - s_{f i rs t}^{'}) \cdot (r_{i}^{'} - r_{i}) = 0 | degree = 3$

Note: we could technically remove the selector $(1 - s_{4}^{'})$ since $s_{4}$ and $s_{f i rs t}$ correspond to the same column. We include it here for completeness though.

Chiplets bus constraints

The kernel ROM chiplet must ensure that all kernel procedure digests requested by the decoder correspond to one of the digests provided by the verifier through public inputs. This is achieved by making use of the chiplet bus $b_{b u s}$ , responding to requests made by the decoder and by the verifier through public inputs.

In the first row of each new block of hashes in the kernel ROM chiplet trace (i.e., when $s_{f i rs t} = 1$ ), the chiplet responds to a message $v_{ini t}$ requested by the verifier. Since these initialization messages must match, the set of digests across all blocks must be equal to the set of procedure digests provided by the verifier (though not necessarily in the same order).

Whenever a digest is requested by the decoder during program block hashing of the SYSCALL operation, a new row is added to the trace after the first row which is used to respond to one of the initialization requests made by the verifier using public inputs. The chiplet responds to the request with a message $v_{c a ll}$ .

In other words, the selector $s_{f i rs t}$ indicates whether the chiplet should respond to the decoder or the verifier initialization requests. If a digest is requested $n$ times by the decoder, the same digest appears in a single block of length $n + 1$ .

The variables $v_{ini t}$ and $v_{c a ll}$ representing the bus messages contain reduced bus messages containing a kernel procedure digest. Denoting the random values received from the verifier as $α_{0}, α_{1}$ , etc., this can be defined as

$r v_{ini t} v_{c a ll} = i = 0 \sum 3 (α_{i + 2} \cdot r_{i}) = α_{0} + α_{1} \cdot KERNEL_PROC_INIT + r = α_{0} + α_{1} \cdot KERNEL_PROC_CALL + \tilde{r}$

Here, $KERNEL_PROC_INIT$ and $KERNEL_PROC_CALL$ are the unique operation labels for the kernel ROM bus message.

Each row of the kernel ROM chiplet trace responds to either a procedure digest initialization or decoder call request. Since the $s_{f i rs t}$ column defines which type of response is sent to the bus, it is used to combine both requests into a single constraint given by

$b_{c hi p}^{'} = b_{c hi p} \cdot (s_{f i rs t} \cdot v_{ini t} + (1 - s_{f i rs t}) \cdot v_{c a ll}) | degree = 3.$

The above simplifies to

$s_{f i rs t} = 1$ : $b_{c hi p}^{'} = b_{c hi p} \cdot v_{ini t}$ , when responding to a $KERNEL_PROC_INIT$ request.
$s_{f i rs t} = 0$ : $b_{c hi p}^{'} = b_{c hi p} \cdot v_{c a ll}$ , when responding to a $KERNEL_PROC_CALL$ request.

The kernel procedure digests initialization requests are implemented by imposing a boundary constraint in the first row of the $b_{c hi p}$ column. This is described in the chiplets bus constraints.

By using the bus to initialize the kernel ROM procedure digest in this way, the verifier only learns which procedures can be invoked but doesn't learn how often they were called, if at all.

The full set of constraints applied to the $b_{c hi p}$ are described as part of the chiplets bus constraints.

Keyboard shortcuts

The Miden virtual machine

Kernel ROM chiplet

Kernel ROM trace

Constraints

Chiplets bus constraints