From aa862604d7087f33492541e7491a1e50155ef469 Mon Sep 17 00:00:00 2001 From: giulio Date: Thu, 18 Apr 2024 09:29:40 +0200 Subject: [PATCH 01/12] Add new teal opcodes mimc_BN254 and mimc_BLS12_381 --- data/transactions/logic/assembler_test.go | 43 +++++++++----- data/transactions/logic/crypto.go | 61 ++++++++++++++++++++ data/transactions/logic/crypto_test.go | 2 +- data/transactions/logic/doc.go | 9 ++- data/transactions/logic/evalStateful_test.go | 4 ++ data/transactions/logic/opcodes.go | 3 + data/transactions/logic/teal.tmLanguage.json | 2 +- 7 files changed, 105 insertions(+), 19 deletions(-) diff --git a/data/transactions/logic/assembler_test.go b/data/transactions/logic/assembler_test.go index 3f609fd7ee..4b2966a529 100644 --- a/data/transactions/logic/assembler_test.go +++ b/data/transactions/logic/assembler_test.go @@ -434,6 +434,15 @@ dup; dup falcon_verify ` +const mimcBN254Nonsense = ` +pushbytes 0x11223344556677889900aabbccddeeff11223344556677889900aabbccddeeff +mimc_BN254 +` +const mimcBLS12381Nonsense = ` +pushbytes 0x11223344556677889900aabbccddeeff11223344556677889900aabbccddeeff +mimc_BLS12_381 +` + const v8Nonsense = v7Nonsense + switchNonsense + frameNonsense + matchNonsense + boxNonsense const v9Nonsense = v8Nonsense @@ -445,7 +454,7 @@ const spliceNonsence = ` const v10Nonsense = v9Nonsense + pairingNonsense + spliceNonsence -const v11Nonsense = v10Nonsense + stateProofNonsense +const v11Nonsense = v10Nonsense + stateProofNonsense + mimcBN254Nonsense + mimcBLS12381Nonsense const v6Compiled = "2004010002b7a60c26050242420c68656c6c6f20776f726c6421070123456789abcd208dae2087fbba51304eb02b91f656948397a7946390e8cb70fc9ea4d95f92251d047465737400320032013202320380021234292929292b0431003101310231043105310731083109310a310b310c310d310e310f3111311231133114311533000033000133000233000433000533000733000833000933000a33000b33000c33000d33000e33000f3300113300123300133300143300152d2e01022581f8acd19181cf959a1281f8acd19181cf951a81f8acd19181cf1581f8acd191810f082209240a220b230c240d250e230f2310231123122313231418191a1b1c28171615400003290349483403350222231d4a484848482b50512a632223524100034200004322602261222704634848222862482864286548482228246628226723286828692322700048482371004848361c0037001a0031183119311b311d311e311f312023221e312131223123312431253126312731283129312a312b312c312d312e312f447825225314225427042455220824564c4d4b0222382124391c0081e80780046a6f686e2281d00f23241f880003420001892224902291922494249593a0a1a2a3a4a5a6a7a8a9aaabacadae24af3a00003b003c003d816472064e014f012a57000823810858235b235a2359b03139330039b1b200b322c01a23c1001a2323c21a23c3233e233f8120af06002a494905002a49490700b400b53a03b6b7043cb8033a0c2349c42a9631007300810881088120978101c53a8101c6003a" @@ -468,8 +477,10 @@ const spliceCompiled = "d2d3" const v10Compiled = v9Compiled + pairingCompiled + spliceCompiled const stateProofCompiled = "80070123456789abcd86494985" +const mimcBN254Compiled = "802011223344556677889900aabbccddeeff11223344556677889900aabbccddeefff0" +const mimcBLS12381Compiled = "802011223344556677889900aabbccddeeff11223344556677889900aabbccddeefff1" -const V11Compiled = v10Compiled + stateProofCompiled +const V11Compiled = v10Compiled + stateProofCompiled + mimcBN254Compiled + mimcBLS12381Compiled var nonsense = map[uint64]string{ 1: v1Nonsense, @@ -3168,7 +3179,7 @@ func TestMacros(t *testing.T) { #define ==? ==; bnz pushint 1; pushint 2; ==? label1 err - label1: + label1: pushint 1`, ) @@ -3206,19 +3217,19 @@ func TestMacros(t *testing.T) { pushbytes 0xddf2554d txna ApplicationArgs 0 == - bnz kickstart - pushbytes 0x903f4535 + bnz kickstart + pushbytes 0x903f4535 txna ApplicationArgs 0 == - bnz portal_transfer + bnz portal_transfer kickstart: pushint 1 portal_transfer: pushint 1 `, ` - #define abi-route txna ApplicationArgs 0; ==; bnz - method "kickstart(account)void"; abi-route kickstart - method "portal_transfer(byte[])byte[]"; abi-route portal_transfer + #define abi-route txna ApplicationArgs 0; ==; bnz + method "kickstart(account)void"; abi-route kickstart + method "portal_transfer(byte[])byte[]"; abi-route portal_transfer kickstart: pushint 1 portal_transfer: @@ -3274,7 +3285,7 @@ add: extract_uint32 stores - load 1; load 2; + + load 1; load 2; + store 255 int 255 @@ -3298,11 +3309,11 @@ add: #define abi-decode-uint32 ;int 0; extract_uint32; #define abi-encode-uint32 ;itob;extract 4 0; -#define abi-encode-bytes ;dup; len; abi-encode-uint16; swap; concat; +#define abi-encode-bytes ;dup; len; abi-encode-uint16; swap; concat; #define abi-decode-bytes ;extract 2 0; -// abi method handling -#define abi-route ;txna ApplicationArgs 0; ==; bnz +// abi method handling +#define abi-route ;txna ApplicationArgs 0; ==; bnz #define abi-return ;pushbytes 0x151f7c75; swap; concat; log; int 1; return; // stanza: "set $var from-{type}" @@ -3331,15 +3342,15 @@ echo: // add handler -method "add(uint32,uint32)uint32"; abi-route add +method "add(uint32,uint32)uint32"; abi-route add add: #define x 1 - parse x from-uint32 + parse x from-uint32 #define y 2 parse y from-uint32 - #define sum 255 + #define sum 255 load x; load y; +; store sum returns sum as-uint32 diff --git a/data/transactions/logic/crypto.go b/data/transactions/logic/crypto.go index c5c39b654c..cd67ecdcc5 100644 --- a/data/transactions/logic/crypto.go +++ b/data/transactions/logic/crypto.go @@ -30,8 +30,69 @@ import ( "github.com/algorand/go-algorand/protocol" "github.com/algorand/go-sumhash" "golang.org/x/crypto/sha3" + + bls12_381fr "github.com/consensys/gnark-crypto/ecc/bls12-381/fr" + bls12_381mimc "github.com/consensys/gnark-crypto/ecc/bls12-381/fr/mimc" + bn254fr "github.com/consensys/gnark-crypto/ecc/bn254/fr" + bn254mimc "github.com/consensys/gnark-crypto/ecc/bn254/fr/mimc" ) +// mimc on curve BLS12-381 is implemented for compatibility with zk circuits, +// matching the implementation in circuits generated by gnark +func opMimcBLS12381(cx *EvalContext) error { + last := len(cx.Stack) - 1 + data := cx.Stack[last].Bytes + if len(data)%32 != 0 { + return fmt.Errorf("the input data must be a multiple of 32 bytes") + } + hasher := bls12_381mimc.NewMiMC() + blockSize := hasher.BlockSize() + for i := 0; i < len(data); i += 32 { + d := data[i : i+32] + // ensure the input to hasher.Write is smaller than the curve modulus, + // otherwise hasher.Write will fail + n := new(big.Int).SetBytes(d) + n.Mod(n, bls12_381fr.Modulus()) + d = n.Bytes() + if len(d) < blockSize { + d = n.FillBytes(make([]byte, blockSize)) + } + hasher.Write(d) + } + hv := make([]byte, 0, hasher.Size()) + hv = hasher.Sum(hv) + cx.Stack[last].Bytes = hv + return nil +} + +// mimc on curve BN254 is implemented for compatibility with zk circuits, +// matching the implementation in circuits generated by gnark +func opMimcBN254(cx *EvalContext) error { + last := len(cx.Stack) - 1 + data := cx.Stack[last].Bytes + if len(data)%32 != 0 { + return fmt.Errorf("the input data must be a multiple of 32 bytes") + } + hasher := bn254mimc.NewMiMC() + blockSize := hasher.BlockSize() + for i := 0; i < len(data); i += 32 { + d := data[i : i+32] + // ensure the input to hasher.Write is smaller than the curve modulus, + // otherwise hasher.Write will fail + n := new(big.Int).SetBytes(d) + n.Mod(n, bn254fr.Modulus()) + d = n.Bytes() + if len(d) < blockSize { + d = n.FillBytes(make([]byte, blockSize)) + } + hasher.Write(d) + } + hv := make([]byte, 0, hasher.Size()) + hv = hasher.Sum(hv) + cx.Stack[last].Bytes = hv + return nil +} + func opSHA256(cx *EvalContext) error { last := len(cx.Stack) - 1 hash := sha256.Sum256(cx.Stack[last].Bytes) diff --git a/data/transactions/logic/crypto_test.go b/data/transactions/logic/crypto_test.go index 5aad230289..214adef8b2 100644 --- a/data/transactions/logic/crypto_test.go +++ b/data/transactions/logic/crypto_test.go @@ -713,7 +713,7 @@ int ` + fmt.Sprintf("%d", testLogicBudget-2500-8) + ` } func BenchmarkHashes(b *testing.B) { - for _, hash := range []string{"sha256", "keccak256" /* skip, same as keccak "sha3_256", */, "sha512_256", "sumhash512"} { + for _, hash := range []string{"sha256", "keccak256" /* skip, same as keccak "sha3_256", */, "sha512_256", "sumhash512", "mimc_BN254", "mimc_BLS12_381"} { for _, size := range []int{0, 32, 128, 512, 1024, 4096} { b.Run(hash+"-"+strconv.Itoa(size), func(b *testing.B) { benchmarkOperation(b, "", fmt.Sprintf("int %d; bzero; %s; pop", size, hash), "int 1") diff --git a/data/transactions/logic/doc.go b/data/transactions/logic/doc.go index fde870a9d4..84f846eddb 100644 --- a/data/transactions/logic/doc.go +++ b/data/transactions/logic/doc.go @@ -41,6 +41,13 @@ var opDescByName = map[string]OpDesc{ "sumhash512": {"sumhash512 of value A, yields [64]byte", "", nil}, "falcon_verify": {"for (data A, compressed-format signature B, pubkey C) verify the signature of data against the pubkey", "", nil}, + "mimc_BN254": {"MIMC hash of value A in the BN254 curve field, yields [32]byte", + "A is split into 32-byte chunks, each reduced by the curve modulus, and written to the hasher to finally compute the MiMC hash. Fail if A's length is not a multiple of 32", nil, + }, + "mimc_BLS12_381": {"MIMC hash of value A in the BLS12-381 curve field, yields [32]byte", + "A is split into 32-byte chunks, each reduced by the curve modulus, and written to the hasher to finally compute the MiMC hash. Fail if A's length is not a multiple of 32", nil, + }, + "ed25519verify": {"for (data A, signature B, pubkey C) verify the signature of (\"ProgData\" || program_hash || data) against the pubkey => {0 or 1}", "The 32 byte public key is the last element on the stack, preceded by the 64 byte signature at the second-to-last element on the stack, preceded by the data which was signed at the third-to-last element on the stack.", nil}, "ed25519verify_bare": {"for (data A, signature B, pubkey C) verify the signature of the data against the pubkey => {0 or 1}", "", nil}, "ecdsa_verify": {"for (data A, signature B, C and pubkey D, E) verify the signature of the data against the pubkey => {0 or 1}", "The 32 byte Y-component of a public key is the last element on the stack, preceded by X-component of a pubkey, preceded by S and R components of a signature, preceded by the data that is fifth element on the stack. All values are big-endian encoded. The signed data must be 32 bytes long, and signatures in lower-S form are only accepted.", []string{"curve index"}}, @@ -352,7 +359,7 @@ var OpGroups = map[string][]string{ "Byte Array Manipulation": {"getbit", "setbit", "getbyte", "setbyte", "concat", "len", "substring", "substring3", "extract", "extract3", "extract_uint16", "extract_uint32", "extract_uint64", "replace2", "replace3", "base64_decode", "json_ref"}, "Byte Array Arithmetic": {"b+", "b-", "b/", "b*", "b<", "b>", "b<=", "b>=", "b==", "b!=", "b%", "bsqrt"}, "Byte Array Logic": {"b|", "b&", "b^", "b~"}, - "Cryptography": {"sha256", "keccak256", "sha512_256", "sha3_256", "sumhash512", "falcon_verify", "ed25519verify", "ed25519verify_bare", "ecdsa_verify", "ecdsa_pk_recover", "ecdsa_pk_decompress", "vrf_verify", "ec_add", "ec_scalar_mul", "ec_pairing_check", "ec_multi_scalar_mul", "ec_subgroup_check", "ec_map_to"}, + "Cryptography": {"sha256", "keccak256", "sha512_256", "sha3_256", "sumhash512", "falcon_verify", "ed25519verify", "ed25519verify_bare", "ecdsa_verify", "ecdsa_pk_recover", "ecdsa_pk_decompress", "vrf_verify", "ec_add", "ec_scalar_mul", "ec_pairing_check", "ec_multi_scalar_mul", "ec_subgroup_check", "ec_map_to", "mimc_BN254", "mimc_BLS12_381"}, "Loading Values": {"intcblock", "intc", "intc_0", "intc_1", "intc_2", "intc_3", "pushint", "pushints", "bytecblock", "bytec", "bytec_0", "bytec_1", "bytec_2", "bytec_3", "pushbytes", "pushbytess", "bzero", "arg", "arg_0", "arg_1", "arg_2", "arg_3", "args", "txn", "gtxn", "txna", "txnas", "gtxna", "gtxnas", "gtxns", "gtxnsa", "gtxnsas", "global", "load", "loads", "store", "stores", "gload", "gloads", "gloadss", "gaid", "gaids"}, "Flow Control": {"err", "bnz", "bz", "b", "return", "pop", "popn", "dup", "dup2", "dupn", "dig", "bury", "cover", "uncover", "frame_dig", "frame_bury", "swap", "select", "assert", "callsub", "proto", "retsub", "switch", "match"}, "State Access": {"balance", "min_balance", "app_opted_in", "app_local_get", "app_local_get_ex", "app_global_get", "app_global_get_ex", "app_local_put", "app_global_put", "app_local_del", "app_global_del", "asset_holding_get", "asset_params_get", "app_params_get", "acct_params_get", "log", "block"}, diff --git a/data/transactions/logic/evalStateful_test.go b/data/transactions/logic/evalStateful_test.go index 91ad91d1fe..fe2ad59f38 100644 --- a/data/transactions/logic/evalStateful_test.go +++ b/data/transactions/logic/evalStateful_test.go @@ -3200,6 +3200,10 @@ func TestReturnTypes(t *testing.T) { "box_create": "int 9; +; box_create", // make the size match the 10 in CreateBox "box_put": "byte 0x010203040506; concat; box_put", // make the 4 byte arg into a 10 + + // the mimc_BN254 and mimc_BLS12_381 opcodes require an input size multiple of 32 bytes + "mimc_BN254": ": byte 0x0000000000000000000000000000000000000000000000000000000000000001; mimc_BN254", + "mimc_BLS12_381": ": byte 0x0000000000000000000000000000000000000000000000000000000000000001; mimc_BLS12_381", } /* Make sure the specialCmd tests the opcode in question */ diff --git a/data/transactions/logic/opcodes.go b/data/transactions/logic/opcodes.go index b8ecd76cac..64ce702234 100644 --- a/data/transactions/logic/opcodes.go +++ b/data/transactions/logic/opcodes.go @@ -793,6 +793,9 @@ var OpSpecs = []OpSpec{ costByField("g", &EcGroups, []int{ BN254g1: 630, BN254g2: 3_300, BLS12_381g1: 1_950, BLS12_381g2: 8_150})}, + + {0xf0, "mimc_BN254", opMimcBN254, proto("b:b{32}"), 11, costByLength(1, 620, 32, 0)}, + {0xf1, "mimc_BLS12_381", opMimcBLS12381, proto("b:b{32}"), 11, costByLength(1, 620, 32, 0)}, } // OpcodesByVersion returns list of opcodes available in a specific version of TEAL diff --git a/data/transactions/logic/teal.tmLanguage.json b/data/transactions/logic/teal.tmLanguage.json index 915957f7f0..2c788d99ed 100644 --- a/data/transactions/logic/teal.tmLanguage.json +++ b/data/transactions/logic/teal.tmLanguage.json @@ -76,7 +76,7 @@ }, { "name": "keyword.operator.teal", - "match": "^(\\!|\\!\\=|%|\u0026|\u0026\u0026|\\*|\\+|\\-|/|\\\u003c|\\\u003c\\=|\\=\\=|\\\u003e|\\\u003e\\=|\\^|addw|bitlen|btoi|divmodw|divw|exp|expw|itob|mulw|shl|shr|sqrt|\\||\\|\\||\\~|b\\!\\=|b%|b\\*|b\\+|b\\-|b/|b\\\u003c|b\\\u003c\\=|b\\=\\=|b\\\u003e|b\\\u003e\\=|bsqrt|b\u0026|b\\^|b\\||b\\~|base64_decode|concat|extract|extract3|extract_uint16|extract_uint32|extract_uint64|getbit|getbyte|json_ref|len|replace2|replace3|setbit|setbyte|substring|substring3|ec_add|ec_map_to|ec_multi_scalar_mul|ec_pairing_check|ec_scalar_mul|ec_subgroup_check|ecdsa_pk_decompress|ecdsa_pk_recover|ecdsa_verify|ed25519verify|ed25519verify_bare|falcon_verify|keccak256|sha256|sha3_256|sha512_256|sumhash512|vrf_verify|gitxn|gitxna|gitxnas|itxn|itxn_begin|itxn_field|itxn_next|itxn_submit|itxna|itxnas)\\b" + "match": "^(\\!|\\!\\=|%|\u0026|\u0026\u0026|\\*|\\+|\\-|/|\\\u003c|\\\u003c\\=|\\=\\=|\\\u003e|\\\u003e\\=|\\^|addw|bitlen|btoi|divmodw|divw|exp|expw|itob|mulw|shl|shr|sqrt|\\||\\|\\||\\~|b\\!\\=|b%|b\\*|b\\+|b\\-|b/|b\\\u003c|b\\\u003c\\=|b\\=\\=|b\\\u003e|b\\\u003e\\=|bsqrt|b\u0026|b\\^|b\\||b\\~|base64_decode|concat|extract|extract3|extract_uint16|extract_uint32|extract_uint64|getbit|getbyte|json_ref|len|replace2|replace3|setbit|setbyte|substring|substring3|ec_add|ec_map_to|ec_multi_scalar_mul|ec_pairing_check|ec_scalar_mul|ec_subgroup_check|ecdsa_pk_decompress|ecdsa_pk_recover|ecdsa_verify|ed25519verify|ed25519verify_bare|falcon_verify|keccak256|mimc_BLS12_381|mimc_BN254|sha256|sha3_256|sha512_256|sumhash512|vrf_verify|gitxn|gitxna|gitxnas|itxn|itxn_begin|itxn_field|itxn_next|itxn_submit|itxna|itxnas)\\b" } ] }, From d44a8a7153446fdeeea10e5d85016b369809d679 Mon Sep 17 00:00:00 2001 From: John Jannotti Date: Tue, 14 May 2024 12:27:49 -0400 Subject: [PATCH 02/12] Make mimc a single opcode It's a little ugly to re-use the ec constants, maybe that should be changed. This also changes the opcode to panic on buffers than contain elements greater than the curve's modulus. It's unclear what mimc should do with a zero buffer. Even gnark seems unsure. Their code says: ``` // TODO @ThomasPiellard shouldn't Sum() returns an error if there is no data? // TODO: @Tabaie, @Thomas Piellard Now sure what to make of this /*if len(d.data) == 0 { d.data = make([]byte, BlockSize) }*/ ``` --- data/transactions/logic/assembler_test.go | 15 ++-- data/transactions/logic/crypto.go | 72 +++++++------------- data/transactions/logic/crypto_test.go | 2 +- data/transactions/logic/doc.go | 9 +-- data/transactions/logic/evalStateful_test.go | 5 +- data/transactions/logic/opcodes.go | 25 ++++++- 6 files changed, 59 insertions(+), 69 deletions(-) diff --git a/data/transactions/logic/assembler_test.go b/data/transactions/logic/assembler_test.go index 4b2966a529..41962bb933 100644 --- a/data/transactions/logic/assembler_test.go +++ b/data/transactions/logic/assembler_test.go @@ -434,13 +434,9 @@ dup; dup falcon_verify ` -const mimcBN254Nonsense = ` +const mimcNonsense = ` pushbytes 0x11223344556677889900aabbccddeeff11223344556677889900aabbccddeeff -mimc_BN254 -` -const mimcBLS12381Nonsense = ` -pushbytes 0x11223344556677889900aabbccddeeff11223344556677889900aabbccddeeff -mimc_BLS12_381 +mimc BLS12_381g1 ` const v8Nonsense = v7Nonsense + switchNonsense + frameNonsense + matchNonsense + boxNonsense @@ -454,7 +450,7 @@ const spliceNonsence = ` const v10Nonsense = v9Nonsense + pairingNonsense + spliceNonsence -const v11Nonsense = v10Nonsense + stateProofNonsense + mimcBN254Nonsense + mimcBLS12381Nonsense +const v11Nonsense = v10Nonsense + stateProofNonsense + mimcNonsense const v6Compiled = "2004010002b7a60c26050242420c68656c6c6f20776f726c6421070123456789abcd208dae2087fbba51304eb02b91f656948397a7946390e8cb70fc9ea4d95f92251d047465737400320032013202320380021234292929292b0431003101310231043105310731083109310a310b310c310d310e310f3111311231133114311533000033000133000233000433000533000733000833000933000a33000b33000c33000d33000e33000f3300113300123300133300143300152d2e01022581f8acd19181cf959a1281f8acd19181cf951a81f8acd19181cf1581f8acd191810f082209240a220b230c240d250e230f2310231123122313231418191a1b1c28171615400003290349483403350222231d4a484848482b50512a632223524100034200004322602261222704634848222862482864286548482228246628226723286828692322700048482371004848361c0037001a0031183119311b311d311e311f312023221e312131223123312431253126312731283129312a312b312c312d312e312f447825225314225427042455220824564c4d4b0222382124391c0081e80780046a6f686e2281d00f23241f880003420001892224902291922494249593a0a1a2a3a4a5a6a7a8a9aaabacadae24af3a00003b003c003d816472064e014f012a57000823810858235b235a2359b03139330039b1b200b322c01a23c1001a2323c21a23c3233e233f8120af06002a494905002a49490700b400b53a03b6b7043cb8033a0c2349c42a9631007300810881088120978101c53a8101c6003a" @@ -477,10 +473,9 @@ const spliceCompiled = "d2d3" const v10Compiled = v9Compiled + pairingCompiled + spliceCompiled const stateProofCompiled = "80070123456789abcd86494985" -const mimcBN254Compiled = "802011223344556677889900aabbccddeeff11223344556677889900aabbccddeefff0" -const mimcBLS12381Compiled = "802011223344556677889900aabbccddeeff11223344556677889900aabbccddeefff1" +const mimcCompiled = "802011223344556677889900aabbccddeeff11223344556677889900aabbccddeeffe602" -const V11Compiled = v10Compiled + stateProofCompiled + mimcBN254Compiled + mimcBLS12381Compiled +const V11Compiled = v10Compiled + stateProofCompiled + mimcCompiled var nonsense = map[uint64]string{ 1: v1Nonsense, diff --git a/data/transactions/logic/crypto.go b/data/transactions/logic/crypto.go index cd67ecdcc5..829bc35c8c 100644 --- a/data/transactions/logic/crypto.go +++ b/data/transactions/logic/crypto.go @@ -23,6 +23,7 @@ import ( "crypto/sha512" "errors" "fmt" + "hash" "math/big" "github.com/algorand/go-algorand/crypto" @@ -31,65 +32,44 @@ import ( "github.com/algorand/go-sumhash" "golang.org/x/crypto/sha3" - bls12_381fr "github.com/consensys/gnark-crypto/ecc/bls12-381/fr" bls12_381mimc "github.com/consensys/gnark-crypto/ecc/bls12-381/fr/mimc" - bn254fr "github.com/consensys/gnark-crypto/ecc/bn254/fr" bn254mimc "github.com/consensys/gnark-crypto/ecc/bn254/fr/mimc" ) -// mimc on curve BLS12-381 is implemented for compatibility with zk circuits, +// mimc is implemented for compatibility with zk circuits, // matching the implementation in circuits generated by gnark -func opMimcBLS12381(cx *EvalContext) error { - last := len(cx.Stack) - 1 - data := cx.Stack[last].Bytes - if len(data)%32 != 0 { - return fmt.Errorf("the input data must be a multiple of 32 bytes") - } - hasher := bls12_381mimc.NewMiMC() - blockSize := hasher.BlockSize() - for i := 0; i < len(data); i += 32 { - d := data[i : i+32] - // ensure the input to hasher.Write is smaller than the curve modulus, - // otherwise hasher.Write will fail - n := new(big.Int).SetBytes(d) - n.Mod(n, bls12_381fr.Modulus()) - d = n.Bytes() - if len(d) < blockSize { - d = n.FillBytes(make([]byte, blockSize)) - } - hasher.Write(d) +func opMimc(cx *EvalContext) error { + group := EcGroup(cx.program[cx.pc+1]) + fs, ok := ecGroupSpecByField(group) + if !ok { // no version check yet, all groups appeared at once + return fmt.Errorf("invalid mimc group %s", group) } - hv := make([]byte, 0, hasher.Size()) - hv = hasher.Sum(hv) - cx.Stack[last].Bytes = hv - return nil -} -// mimc on curve BN254 is implemented for compatibility with zk circuits, -// matching the implementation in circuits generated by gnark -func opMimcBN254(cx *EvalContext) error { last := len(cx.Stack) - 1 data := cx.Stack[last].Bytes if len(data)%32 != 0 { return fmt.Errorf("the input data must be a multiple of 32 bytes") } - hasher := bn254mimc.NewMiMC() - blockSize := hasher.BlockSize() - for i := 0; i < len(data); i += 32 { - d := data[i : i+32] - // ensure the input to hasher.Write is smaller than the curve modulus, - // otherwise hasher.Write will fail - n := new(big.Int).SetBytes(d) - n.Mod(n, bn254fr.Modulus()) - d = n.Bytes() - if len(d) < blockSize { - d = n.FillBytes(make([]byte, blockSize)) - } - hasher.Write(d) + + var mimc hash.Hash + + switch fs.field { + case BN254g1, BN254g2: + mimc = bn254mimc.NewMiMC() + case BLS12_381g1, BLS12_381g2: + mimc = bls12_381mimc.NewMiMC() + default: + return fmt.Errorf("invalid mimc group %s", group) } - hv := make([]byte, 0, hasher.Size()) - hv = hasher.Sum(hv) - cx.Stack[last].Bytes = hv + + // unlike most hash.Hash objects, a mimc hasher has strict requirements. The + // input must be a multiple of the curve's encoded element size, and no + // element may exceed the corve modulus. + if _, err := mimc.Write(cx.Stack[last].Bytes); err != nil { + return fmt.Errorf("invalid mimc input %w", err) + } + + cx.Stack[last].Bytes = mimc.Sum(nil) return nil } diff --git a/data/transactions/logic/crypto_test.go b/data/transactions/logic/crypto_test.go index 214adef8b2..4f4856c098 100644 --- a/data/transactions/logic/crypto_test.go +++ b/data/transactions/logic/crypto_test.go @@ -713,7 +713,7 @@ int ` + fmt.Sprintf("%d", testLogicBudget-2500-8) + ` } func BenchmarkHashes(b *testing.B) { - for _, hash := range []string{"sha256", "keccak256" /* skip, same as keccak "sha3_256", */, "sha512_256", "sumhash512", "mimc_BN254", "mimc_BLS12_381"} { + for _, hash := range []string{"sha256", "keccak256" /* skip, same as keccak "sha3_256", */, "sha512_256", "sumhash512", "mimc BN254g1", "mimc BLS12_381g1"} { for _, size := range []int{0, 32, 128, 512, 1024, 4096} { b.Run(hash+"-"+strconv.Itoa(size), func(b *testing.B) { benchmarkOperation(b, "", fmt.Sprintf("int %d; bzero; %s; pop", size, hash), "int 1") diff --git a/data/transactions/logic/doc.go b/data/transactions/logic/doc.go index 84f846eddb..431c5e030b 100644 --- a/data/transactions/logic/doc.go +++ b/data/transactions/logic/doc.go @@ -41,11 +41,8 @@ var opDescByName = map[string]OpDesc{ "sumhash512": {"sumhash512 of value A, yields [64]byte", "", nil}, "falcon_verify": {"for (data A, compressed-format signature B, pubkey C) verify the signature of data against the pubkey", "", nil}, - "mimc_BN254": {"MIMC hash of value A in the BN254 curve field, yields [32]byte", - "A is split into 32-byte chunks, each reduced by the curve modulus, and written to the hasher to finally compute the MiMC hash. Fail if A's length is not a multiple of 32", nil, - }, - "mimc_BLS12_381": {"MIMC hash of value A in the BLS12-381 curve field, yields [32]byte", - "A is split into 32-byte chunks, each reduced by the curve modulus, and written to the hasher to finally compute the MiMC hash. Fail if A's length is not a multiple of 32", nil, + "mimc": {"MIMC hash of value A in the curve field G, yields [32]byte", + "A is split into 32-byte chunks and written to the hasher to finally compute the MiMC hash. Fail if A's length is not a multiple of 32 or any chunk encodes a value greater than the curve modulus", []string{"curve index"}, }, "ed25519verify": {"for (data A, signature B, pubkey C) verify the signature of (\"ProgData\" || program_hash || data) against the pubkey => {0 or 1}", "The 32 byte public key is the last element on the stack, preceded by the 64 byte signature at the second-to-last element on the stack, preceded by the data which was signed at the third-to-last element on the stack.", nil}, @@ -359,7 +356,7 @@ var OpGroups = map[string][]string{ "Byte Array Manipulation": {"getbit", "setbit", "getbyte", "setbyte", "concat", "len", "substring", "substring3", "extract", "extract3", "extract_uint16", "extract_uint32", "extract_uint64", "replace2", "replace3", "base64_decode", "json_ref"}, "Byte Array Arithmetic": {"b+", "b-", "b/", "b*", "b<", "b>", "b<=", "b>=", "b==", "b!=", "b%", "bsqrt"}, "Byte Array Logic": {"b|", "b&", "b^", "b~"}, - "Cryptography": {"sha256", "keccak256", "sha512_256", "sha3_256", "sumhash512", "falcon_verify", "ed25519verify", "ed25519verify_bare", "ecdsa_verify", "ecdsa_pk_recover", "ecdsa_pk_decompress", "vrf_verify", "ec_add", "ec_scalar_mul", "ec_pairing_check", "ec_multi_scalar_mul", "ec_subgroup_check", "ec_map_to", "mimc_BN254", "mimc_BLS12_381"}, + "Cryptography": {"sha256", "keccak256", "sha512_256", "sha3_256", "sumhash512", "falcon_verify", "ed25519verify", "ed25519verify_bare", "ecdsa_verify", "ecdsa_pk_recover", "ecdsa_pk_decompress", "vrf_verify", "ec_add", "ec_scalar_mul", "ec_pairing_check", "ec_multi_scalar_mul", "ec_subgroup_check", "ec_map_to", "mimc"}, "Loading Values": {"intcblock", "intc", "intc_0", "intc_1", "intc_2", "intc_3", "pushint", "pushints", "bytecblock", "bytec", "bytec_0", "bytec_1", "bytec_2", "bytec_3", "pushbytes", "pushbytess", "bzero", "arg", "arg_0", "arg_1", "arg_2", "arg_3", "args", "txn", "gtxn", "txna", "txnas", "gtxna", "gtxnas", "gtxns", "gtxnsa", "gtxnsas", "global", "load", "loads", "store", "stores", "gload", "gloads", "gloadss", "gaid", "gaids"}, "Flow Control": {"err", "bnz", "bz", "b", "return", "pop", "popn", "dup", "dup2", "dupn", "dig", "bury", "cover", "uncover", "frame_dig", "frame_bury", "swap", "select", "assert", "callsub", "proto", "retsub", "switch", "match"}, "State Access": {"balance", "min_balance", "app_opted_in", "app_local_get", "app_local_get_ex", "app_global_get", "app_global_get_ex", "app_local_put", "app_global_put", "app_local_del", "app_global_del", "asset_holding_get", "asset_params_get", "app_params_get", "acct_params_get", "log", "block"}, diff --git a/data/transactions/logic/evalStateful_test.go b/data/transactions/logic/evalStateful_test.go index fe2ad59f38..688988bec0 100644 --- a/data/transactions/logic/evalStateful_test.go +++ b/data/transactions/logic/evalStateful_test.go @@ -3201,9 +3201,8 @@ func TestReturnTypes(t *testing.T) { "box_create": "int 9; +; box_create", // make the size match the 10 in CreateBox "box_put": "byte 0x010203040506; concat; box_put", // make the 4 byte arg into a 10 - // the mimc_BN254 and mimc_BLS12_381 opcodes require an input size multiple of 32 bytes - "mimc_BN254": ": byte 0x0000000000000000000000000000000000000000000000000000000000000001; mimc_BN254", - "mimc_BLS12_381": ": byte 0x0000000000000000000000000000000000000000000000000000000000000001; mimc_BLS12_381", + // mimc requires an input size multiple of 32 bytes. + "mimc": ": byte 0x0000000000000000000000000000000000000000000000000000000000000001; mimc BN254g1", } /* Make sure the specialCmd tests the opcode in question */ diff --git a/data/transactions/logic/opcodes.go b/data/transactions/logic/opcodes.go index 64ce702234..47ccf0bae2 100644 --- a/data/transactions/logic/opcodes.go +++ b/data/transactions/logic/opcodes.go @@ -78,6 +78,7 @@ const pairingVersion = 10 // bn256 opcodes. will add bls12-381, and unify the av const spliceVersion = 10 // box splicing/resizing const spOpcodesVersion = 11 // falcon_verify, sumhash512 +const mimcVersion = 11 // Unlimited Global Storage opcodes const boxVersion = 8 // box_* @@ -793,9 +794,27 @@ var OpSpecs = []OpSpec{ costByField("g", &EcGroups, []int{ BN254g1: 630, BN254g2: 3_300, BLS12_381g1: 1_950, BLS12_381g2: 8_150})}, - - {0xf0, "mimc_BN254", opMimcBN254, proto("b:b{32}"), 11, costByLength(1, 620, 32, 0)}, - {0xf1, "mimc_BLS12_381", opMimcBLS12381, proto("b:b{32}"), 11, costByLength(1, 620, 32, 0)}, + {0xe6, "mimc", opMimc, proto("b:b{32}"), mimcVersion, costByFieldAndLength("g", &EcGroups, []linearCost{ + BN254g1: { + baseCost: 10, + chunkCost: 650, + chunkSize: 32, + }, + BN254g2: { + baseCost: 10, + chunkCost: 650, + chunkSize: 32, + }, + BLS12_381g1: { + baseCost: 10, + chunkCost: 650, + chunkSize: 32, + }, + BLS12_381g2: { + baseCost: 10, + chunkCost: 650, + chunkSize: 32, + }})}, } // OpcodesByVersion returns list of opcodes available in a specific version of TEAL From 3979001541cd65edf79185d22402c58760ced0e2 Mon Sep 17 00:00:00 2001 From: giulio Date: Wed, 15 May 2024 16:05:39 +0200 Subject: [PATCH 03/12] Make mimc fail on empty input and add test vectors --- data/transactions/logic/crypto.go | 3 + data/transactions/logic/crypto_test.go | 69 ++++++++++++++++++++ data/transactions/logic/teal.tmLanguage.json | 2 +- 3 files changed, 73 insertions(+), 1 deletion(-) diff --git a/data/transactions/logic/crypto.go b/data/transactions/logic/crypto.go index 829bc35c8c..b7c3be1cd0 100644 --- a/data/transactions/logic/crypto.go +++ b/data/transactions/logic/crypto.go @@ -47,6 +47,9 @@ func opMimc(cx *EvalContext) error { last := len(cx.Stack) - 1 data := cx.Stack[last].Bytes + if len(data) == 0 { + return fmt.Errorf("the input data cannot be empty") + } if len(data)%32 != 0 { return fmt.Errorf("the input data must be a multiple of 32 bytes") } diff --git a/data/transactions/logic/crypto_test.go b/data/transactions/logic/crypto_test.go index 4f4856c098..5f211e4ba9 100644 --- a/data/transactions/logic/crypto_test.go +++ b/data/transactions/logic/crypto_test.go @@ -117,6 +117,72 @@ byte 0x98D2C31612EA500279B6753E5F6E780CA63EBA8274049664DAD66A2565ED1D2A testAccepts(t, progText, 1) } +func TestMimc(t *testing.T) { + partitiontest.PartitionTest(t) + t.Parallel() + + // Test vectors from https://github.com/giuliop/test-mimc-opcodes/blob/main/testcases/circuit.go + // generated by instantiating a zk-circuit that processes MiMC hash of the preimages. + // We test success for 32-byte and 96-byte preimages, and failure for preimage input size of 0, + // input size not multiple of 32 bytes, and chunks representing values greater than the modulus. + + preImageTestVectors := []string{ + // FAIL: zero-length + "0x", + // SUCCEED: 32 bytes, less than modulus + "0x23a950068dd3d1e21cee48e7919be7ae32cdef70311fc486336ea9d4b5042535", + // FAIL: 32 bytes, more than modulus + "0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000002", + // FAIL: less than 32 byte + "0xdeadf00d", + // SUCCEED: 32 bytes, less than modulus | 32 bytes, less than modulus | 32 bytes, less than modulus + "0x183de351a72141d79c51a27d10405549c98302cb2536c5968deeb3cba635121723a950068dd3d1e21cee48e7919be7ae32cdef70311fc486336ea9d4b504253530644e72e131a029b85045b68181585d2833e84879b9709143e1f593ef676981", + // FAIL: 32 bytes, less than modulus | 32 bytes, less than modulus | 32 bytes, more than modulus + "0x183de351a72141d79c51a27d10405549c98302cb2536c5968deeb3cba635121723a950068dd3d1e21cee48e7919be7ae32cdef70311fc486336ea9d4b504253573eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000002", + // FAIL: 32 bytes, less than modulus | 32 bytes, less than modulus | 32 bytes, more than modulus + "0x183de351a72141d79c51a27d10405549c98302cb2536c5968deeb3cba635121723a950068dd3d1e21cee48e7919be7ae32cdef70311fc486336ea9d4b5042535abba", + } + circuitHashTestVectors := map[string][]string{ + "BN254": { + "20104241803663641422577121134203490505137011783614913652735802145961801733870", + "12886436712380113721405259596386800092738845035233065858332878701083870690753", + "19565877911319815535452130675266047290072088868113536892077808700068649624391", + "1037254799353855871006189384309576393135431139055333626960622147300727796413", + "6040222623731283351958201178122781676432899642144860863024149088913741383362", + "21691351735381703396517600859480938764038501053226864452091917666642352837076", + "10501393540371963307040960561318023073151272109639330842515119353134949995409", + }, + "BLS12_381": { + "17991912493598890696181760734961918471863781118188078948205844982816313445306", + "8791766422525455185980675814845076441443662947059416063736889106252015893524", + "35137972692771717943992759113612269767581262500164574105059686144346651628747", + "15039173432183897369859775531867817848264266283034981501223857291379142522368", + "12964111614552580241101202600014316932811348627866250816177200046290462797607", + "21773894974440411325489312534417904228129169539217646609523079291104496302656", + "9873666029497961930790892458408217321483390383568592297687427911011295910871", + }, + } + shouldSucceed := []bool{false, true, false, false, true, false, false} + + for _, curve := range []string{"BN254", "BLS12_381"} { + for i, preImage := range preImageTestVectors { + var n big.Int + n.SetString(circuitHashTestVectors[curve][i], 10) + circuitHash := n.Bytes() + progText := fmt.Sprintf(`byte %s +mimc %sg1 + +byte 0x%x +==`, preImage, curve, circuitHash) + if shouldSucceed[i] { + testAccepts(t, progText, 11) + } else { + testPanics(t, progText, 11) + } + } + } +} + // This is patterned off vrf_test.go, but we don't create proofs here, we only // check that the output is correct, given the proof. func testVrfApp(pubkey, proof, data string, output string) string { @@ -715,6 +781,9 @@ int ` + fmt.Sprintf("%d", testLogicBudget-2500-8) + ` func BenchmarkHashes(b *testing.B) { for _, hash := range []string{"sha256", "keccak256" /* skip, same as keccak "sha3_256", */, "sha512_256", "sumhash512", "mimc BN254g1", "mimc BLS12_381g1"} { for _, size := range []int{0, 32, 128, 512, 1024, 4096} { + if size == 0 && (hash == "mimc BN254g1" || hash == "mimc BLS12_381g1") { + continue + } b.Run(hash+"-"+strconv.Itoa(size), func(b *testing.B) { benchmarkOperation(b, "", fmt.Sprintf("int %d; bzero; %s; pop", size, hash), "int 1") }) diff --git a/data/transactions/logic/teal.tmLanguage.json b/data/transactions/logic/teal.tmLanguage.json index 2c788d99ed..82e2e45f6d 100644 --- a/data/transactions/logic/teal.tmLanguage.json +++ b/data/transactions/logic/teal.tmLanguage.json @@ -76,7 +76,7 @@ }, { "name": "keyword.operator.teal", - "match": "^(\\!|\\!\\=|%|\u0026|\u0026\u0026|\\*|\\+|\\-|/|\\\u003c|\\\u003c\\=|\\=\\=|\\\u003e|\\\u003e\\=|\\^|addw|bitlen|btoi|divmodw|divw|exp|expw|itob|mulw|shl|shr|sqrt|\\||\\|\\||\\~|b\\!\\=|b%|b\\*|b\\+|b\\-|b/|b\\\u003c|b\\\u003c\\=|b\\=\\=|b\\\u003e|b\\\u003e\\=|bsqrt|b\u0026|b\\^|b\\||b\\~|base64_decode|concat|extract|extract3|extract_uint16|extract_uint32|extract_uint64|getbit|getbyte|json_ref|len|replace2|replace3|setbit|setbyte|substring|substring3|ec_add|ec_map_to|ec_multi_scalar_mul|ec_pairing_check|ec_scalar_mul|ec_subgroup_check|ecdsa_pk_decompress|ecdsa_pk_recover|ecdsa_verify|ed25519verify|ed25519verify_bare|falcon_verify|keccak256|mimc_BLS12_381|mimc_BN254|sha256|sha3_256|sha512_256|sumhash512|vrf_verify|gitxn|gitxna|gitxnas|itxn|itxn_begin|itxn_field|itxn_next|itxn_submit|itxna|itxnas)\\b" + "match": "^(\\!|\\!\\=|%|\u0026|\u0026\u0026|\\*|\\+|\\-|/|\\\u003c|\\\u003c\\=|\\=\\=|\\\u003e|\\\u003e\\=|\\^|addw|bitlen|btoi|divmodw|divw|exp|expw|itob|mulw|shl|shr|sqrt|\\||\\|\\||\\~|b\\!\\=|b%|b\\*|b\\+|b\\-|b/|b\\\u003c|b\\\u003c\\=|b\\=\\=|b\\\u003e|b\\\u003e\\=|bsqrt|b\u0026|b\\^|b\\||b\\~|base64_decode|concat|extract|extract3|extract_uint16|extract_uint32|extract_uint64|getbit|getbyte|json_ref|len|replace2|replace3|setbit|setbyte|substring|substring3|ec_add|ec_map_to|ec_multi_scalar_mul|ec_pairing_check|ec_scalar_mul|ec_subgroup_check|ecdsa_pk_decompress|ecdsa_pk_recover|ecdsa_verify|ed25519verify|ed25519verify_bare|falcon_verify|keccak256|mimc|sha256|sha3_256|sha512_256|sumhash512|vrf_verify|gitxn|gitxna|gitxnas|itxn|itxn_begin|itxn_field|itxn_next|itxn_submit|itxna|itxnas)\\b" } ] }, From ad777e38b54b3c1ff92e6f43ce162a135322ade7 Mon Sep 17 00:00:00 2001 From: giulio Date: Wed, 15 May 2024 22:46:33 +0200 Subject: [PATCH 04/12] Add mimcVersion to experiments and improve tests --- data/transactions/logic/assembler_test.go | 2 +- data/transactions/logic/crypto_test.go | 42 +++++++++++++---------- 2 files changed, 24 insertions(+), 20 deletions(-) diff --git a/data/transactions/logic/assembler_test.go b/data/transactions/logic/assembler_test.go index ce6fc251a1..fa89255d0d 100644 --- a/data/transactions/logic/assembler_test.go +++ b/data/transactions/logic/assembler_test.go @@ -556,7 +556,7 @@ func TestAssemble(t *testing.T) { } } -var experiments = []uint64{spOpcodesVersion} +var experiments = []uint64{spOpcodesVersion, mimcVersion} // TestExperimental forces a conscious choice to promote "experimental" opcode // groups. This will fail when we increment vFuture's LogicSigVersion. If we had diff --git a/data/transactions/logic/crypto_test.go b/data/transactions/logic/crypto_test.go index 5f211e4ba9..62116b8a12 100644 --- a/data/transactions/logic/crypto_test.go +++ b/data/transactions/logic/crypto_test.go @@ -126,22 +126,27 @@ func TestMimc(t *testing.T) { // We test success for 32-byte and 96-byte preimages, and failure for preimage input size of 0, // input size not multiple of 32 bytes, and chunks representing values greater than the modulus. - preImageTestVectors := []string{ - // FAIL: zero-length - "0x", - // SUCCEED: 32 bytes, less than modulus - "0x23a950068dd3d1e21cee48e7919be7ae32cdef70311fc486336ea9d4b5042535", - // FAIL: 32 bytes, more than modulus - "0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000002", - // FAIL: less than 32 byte - "0xdeadf00d", - // SUCCEED: 32 bytes, less than modulus | 32 bytes, less than modulus | 32 bytes, less than modulus - "0x183de351a72141d79c51a27d10405549c98302cb2536c5968deeb3cba635121723a950068dd3d1e21cee48e7919be7ae32cdef70311fc486336ea9d4b504253530644e72e131a029b85045b68181585d2833e84879b9709143e1f593ef676981", - // FAIL: 32 bytes, less than modulus | 32 bytes, less than modulus | 32 bytes, more than modulus - "0x183de351a72141d79c51a27d10405549c98302cb2536c5968deeb3cba635121723a950068dd3d1e21cee48e7919be7ae32cdef70311fc486336ea9d4b504253573eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000002", - // FAIL: 32 bytes, less than modulus | 32 bytes, less than modulus | 32 bytes, more than modulus - "0x183de351a72141d79c51a27d10405549c98302cb2536c5968deeb3cba635121723a950068dd3d1e21cee48e7919be7ae32cdef70311fc486336ea9d4b5042535abba", + type PreImageTestVector struct { + PreImage string + ShouldSucceed bool } + preImageTestVectors := []PreImageTestVector{ + {"0x", + false}, // zero-length input + {"0x23a950068dd3d1e21cee48e7919be7ae32cdef70311fc486336ea9d4b5042535", + true}, // 32 bytes, less than modulus + {"0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000002", + false}, // 32 bytes, more than modulus + {"0xdeadf00d", + false}, // less than 32 byte + {"0x183de351a72141d79c51a27d10405549c98302cb2536c5968deeb3cba635121723a950068dd3d1e21cee48e7919be7ae32cdef70311fc486336ea9d4b504253530644e72e131a029b85045b68181585d2833e84879b9709143e1f593ef676981", + true}, // 32 bytes, less than modulus | 32 bytes, less than modulus | 32 bytes, less than modulus + {"0x183de351a72141d79c51a27d10405549c98302cb2536c5968deeb3cba635121723a950068dd3d1e21cee48e7919be7ae32cdef70311fc486336ea9d4b504253573eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000002", + false}, // 32 bytes, less than modulus | 32 bytes, less than modulus | 32 bytes, more than modulus + {"0x183de351a72141d79c51a27d10405549c98302cb2536c5968deeb3cba635121723a950068dd3d1e21cee48e7919be7ae32cdef70311fc486336ea9d4b5042535abba", + false}, // 32 bytes, less than modulus | 32 bytes, less than modulus | less than 32 bytes + } + circuitHashTestVectors := map[string][]string{ "BN254": { "20104241803663641422577121134203490505137011783614913652735802145961801733870", @@ -162,10 +167,9 @@ func TestMimc(t *testing.T) { "9873666029497961930790892458408217321483390383568592297687427911011295910871", }, } - shouldSucceed := []bool{false, true, false, false, true, false, false} for _, curve := range []string{"BN254", "BLS12_381"} { - for i, preImage := range preImageTestVectors { + for i, preImageTestVector := range preImageTestVectors { var n big.Int n.SetString(circuitHashTestVectors[curve][i], 10) circuitHash := n.Bytes() @@ -173,8 +177,8 @@ func TestMimc(t *testing.T) { mimc %sg1 byte 0x%x -==`, preImage, curve, circuitHash) - if shouldSucceed[i] { +==`, preImageTestVector.PreImage, curve, circuitHash) + if preImageTestVector.ShouldSucceed { testAccepts(t, progText, 11) } else { testPanics(t, progText, 11) From 2de29ea7e95164a6c60f3bc90553ef0bf458fb0b Mon Sep 17 00:00:00 2001 From: giulio Date: Thu, 16 May 2024 17:26:08 +0200 Subject: [PATCH 05/12] Correct link to mimc test cases --- data/transactions/logic/crypto_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/transactions/logic/crypto_test.go b/data/transactions/logic/crypto_test.go index 62116b8a12..d464b20313 100644 --- a/data/transactions/logic/crypto_test.go +++ b/data/transactions/logic/crypto_test.go @@ -121,7 +121,7 @@ func TestMimc(t *testing.T) { partitiontest.PartitionTest(t) t.Parallel() - // Test vectors from https://github.com/giuliop/test-mimc-opcodes/blob/main/testcases/circuit.go + // Test vectors from https://github.com/giuliop/test-mimc-opcodes/blob/main/mimctest/main.go // generated by instantiating a zk-circuit that processes MiMC hash of the preimages. // We test success for 32-byte and 96-byte preimages, and failure for preimage input size of 0, // input size not multiple of 32 bytes, and chunks representing values greater than the modulus. From 809067d9b9454ac3f50befe0f7c152f0af14ed78 Mon Sep 17 00:00:00 2001 From: giulio Date: Tue, 8 Oct 2024 23:38:29 +0200 Subject: [PATCH 06/12] Change MIMC api Make the parameters of the MIMC construction explicit. Better document its intended use case. --- data/transactions/logic/assembler_test.go | 4 +- data/transactions/logic/crypto.go | 14 ++-- data/transactions/logic/crypto_test.go | 16 ++--- data/transactions/logic/doc.go | 7 +- data/transactions/logic/evalStateful_test.go | 2 +- data/transactions/logic/fields.go | 71 +++++++++++++++++++- data/transactions/logic/fields_string.go | 21 +++++- data/transactions/logic/opcodes.go | 16 +---- 8 files changed, 116 insertions(+), 35 deletions(-) diff --git a/data/transactions/logic/assembler_test.go b/data/transactions/logic/assembler_test.go index 157166cfaf..b4342df46a 100644 --- a/data/transactions/logic/assembler_test.go +++ b/data/transactions/logic/assembler_test.go @@ -441,7 +441,7 @@ falcon_verify const mimcNonsense = ` pushbytes 0x11223344556677889900aabbccddeeff11223344556677889900aabbccddeeff -mimc BLS12_381g1 +mimc BLS12_381_MP_111 ` const v8Nonsense = v7Nonsense + switchNonsense + frameNonsense + matchNonsense + boxNonsense @@ -480,7 +480,7 @@ const v10Compiled = v9Compiled + pairingCompiled + spliceCompiled const incentiveCompiled = "757401" const stateProofCompiled = "80070123456789abcd86494985" -const mimcCompiled = "802011223344556677889900aabbccddeeff11223344556677889900aabbccddeeffe602" +const mimcCompiled = "802011223344556677889900aabbccddeeff11223344556677889900aabbccddeeffe601" const V11Compiled = v10Compiled + incentiveCompiled + stateProofCompiled + mimcCompiled diff --git a/data/transactions/logic/crypto.go b/data/transactions/logic/crypto.go index b7c3be1cd0..7422258c76 100644 --- a/data/transactions/logic/crypto.go +++ b/data/transactions/logic/crypto.go @@ -39,10 +39,10 @@ import ( // mimc is implemented for compatibility with zk circuits, // matching the implementation in circuits generated by gnark func opMimc(cx *EvalContext) error { - group := EcGroup(cx.program[cx.pc+1]) - fs, ok := ecGroupSpecByField(group) - if !ok { // no version check yet, all groups appeared at once - return fmt.Errorf("invalid mimc group %s", group) + config := MimcConfig(cx.program[cx.pc+1]) + fs, ok := mimcConfigSpecByField(config) + if !ok { // no version check yet, all configs appeared at once + return fmt.Errorf("invalid mimc config %s", config) } last := len(cx.Stack) - 1 @@ -57,12 +57,12 @@ func opMimc(cx *EvalContext) error { var mimc hash.Hash switch fs.field { - case BN254g1, BN254g2: + case BN254_MP_110: mimc = bn254mimc.NewMiMC() - case BLS12_381g1, BLS12_381g2: + case BLS12_381_MP_111: mimc = bls12_381mimc.NewMiMC() default: - return fmt.Errorf("invalid mimc group %s", group) + return fmt.Errorf("invalid mimc group %s", config) } // unlike most hash.Hash objects, a mimc hasher has strict requirements. The diff --git a/data/transactions/logic/crypto_test.go b/data/transactions/logic/crypto_test.go index 4b6355d005..bfd1b5830a 100644 --- a/data/transactions/logic/crypto_test.go +++ b/data/transactions/logic/crypto_test.go @@ -148,7 +148,7 @@ func TestMimc(t *testing.T) { } circuitHashTestVectors := map[string][]string{ - "BN254": { + "BN254_MP_110": { "20104241803663641422577121134203490505137011783614913652735802145961801733870", "12886436712380113721405259596386800092738845035233065858332878701083870690753", "19565877911319815535452130675266047290072088868113536892077808700068649624391", @@ -157,7 +157,7 @@ func TestMimc(t *testing.T) { "21691351735381703396517600859480938764038501053226864452091917666642352837076", "10501393540371963307040960561318023073151272109639330842515119353134949995409", }, - "BLS12_381": { + "BLS12_381_MP_111": { "17991912493598890696181760734961918471863781118188078948205844982816313445306", "8791766422525455185980675814845076441443662947059416063736889106252015893524", "35137972692771717943992759113612269767581262500164574105059686144346651628747", @@ -168,16 +168,16 @@ func TestMimc(t *testing.T) { }, } - for _, curve := range []string{"BN254", "BLS12_381"} { + for _, config := range []string{"BN254_MP_110", "BLS12_381_MP_111"} { for i, preImageTestVector := range preImageTestVectors { var n big.Int - n.SetString(circuitHashTestVectors[curve][i], 10) + n.SetString(circuitHashTestVectors[config][i], 10) circuitHash := n.Bytes() progText := fmt.Sprintf(`byte %s -mimc %sg1 +mimc %s byte 0x%x -==`, preImageTestVector.PreImage, curve, circuitHash) +==`, preImageTestVector.PreImage, config, circuitHash) if preImageTestVector.ShouldSucceed { testAccepts(t, progText, 11) } else { @@ -783,9 +783,9 @@ int ` + fmt.Sprintf("%d", testLogicBudget-2500-8) + ` } func BenchmarkHashes(b *testing.B) { - for _, hash := range []string{"sha256", "keccak256" /* skip, same as keccak "sha3_256", */, "sha512_256", "sumhash512", "mimc BN254g1", "mimc BLS12_381g1"} { + for _, hash := range []string{"sha256", "keccak256" /* skip, same as keccak "sha3_256", */, "sha512_256", "sumhash512", "mimc BN254_MP_110", "mimc BLS12_381_MP_111"} { for _, size := range []int{0, 32, 128, 512, 1024, 4096} { - if size == 0 && (hash == "mimc BN254g1" || hash == "mimc BLS12_381g1") { + if size == 0 && (hash == "mimc BN254_MP_110" || hash == "mimc BLS12_381_MP_111") { continue } b.Run(hash+"-"+strconv.Itoa(size), func(b *testing.B) { diff --git a/data/transactions/logic/doc.go b/data/transactions/logic/doc.go index 88a6e7d346..31c6944102 100644 --- a/data/transactions/logic/doc.go +++ b/data/transactions/logic/doc.go @@ -41,8 +41,11 @@ var opDescByName = map[string]OpDesc{ "sumhash512": {"sumhash512 of value A, yields [64]byte", "", nil}, "falcon_verify": {"for (data A, compressed-format signature B, pubkey C) verify the signature of data against the pubkey", "", nil}, - "mimc": {"MIMC hash of value A in the curve field G, yields [32]byte", - "A is split into 32-byte chunks and written to the hasher to finally compute the MiMC hash. Fail if A's length is not a multiple of 32 or any chunk encodes a value greater than the curve modulus", []string{"curve index"}, + "mimc": {"MIMC hash of value A in the curve field specified by configuration C, yields [32]byte", "" + + "A is split into 32-byte chunks and written to the hasher to finally compute the MiMC hash. Fail if A's length is not a multiple of 32 or any chunk encodes a value greater than the curve modulus.\n\n" + + "Note that the MIMC hash function has known collisions since any input which is a multiple of the elliptic curve modulus it uses will hash to the same value.\n" + + "MIMC is thus not a general purpose hash function, but meant to be used in zero knowledge applications to match a zk-circuit implementation.", + []string{"configuration index"}, }, "ed25519verify": {"for (data A, signature B, pubkey C) verify the signature of (\"ProgData\" || program_hash || data) against the pubkey => {0 or 1}", "The 32 byte public key is the last element on the stack, preceded by the 64 byte signature at the second-to-last element on the stack, preceded by the data which was signed at the third-to-last element on the stack.", nil}, diff --git a/data/transactions/logic/evalStateful_test.go b/data/transactions/logic/evalStateful_test.go index b497fc7884..2c5150a07a 100644 --- a/data/transactions/logic/evalStateful_test.go +++ b/data/transactions/logic/evalStateful_test.go @@ -3256,7 +3256,7 @@ func TestReturnTypes(t *testing.T) { "box_put": "byte 0x010203040506; concat; box_put", // make the 4 byte arg into a 10 // mimc requires an input size multiple of 32 bytes. - "mimc": ": byte 0x0000000000000000000000000000000000000000000000000000000000000001; mimc BN254g1", + "mimc": ": byte 0x0000000000000000000000000000000000000000000000000000000000000001; mimc BN254_MP_110", } /* Make sure the specialCmd tests the opcode in question */ diff --git a/data/transactions/logic/fields.go b/data/transactions/logic/fields.go index 99cc08bad2..f48474a819 100644 --- a/data/transactions/logic/fields.go +++ b/data/transactions/logic/fields.go @@ -23,7 +23,7 @@ import ( "github.com/algorand/go-algorand/protocol" ) -//go:generate stringer -type=TxnField,GlobalField,AssetParamsField,AppParamsField,AcctParamsField,AssetHoldingField,OnCompletionConstType,EcdsaCurve,EcGroup,Base64Encoding,JSONRefType,VoterParamsField,VrfStandard,BlockField -output=fields_string.go +//go:generate stringer -type=TxnField,GlobalField,AssetParamsField,AppParamsField,AcctParamsField,AssetHoldingField,OnCompletionConstType,EcdsaCurve,EcGroup,MimcConfig,Base64Encoding,JSONRefType,VoterParamsField,VrfStandard,BlockField -output=fields_string.go // FieldSpec unifies the various specs for assembly, disassembly, and doc generation. type FieldSpec interface { @@ -785,6 +785,68 @@ var EcGroups = FieldGroup{ ecGroupSpecByName, } +// MimcConf is an enum for the `mimc` opcode +type MimcConfig int + +const ( + // BN254_MP_110 is the default MiMC configuration for the BN254 curve with Miyaguchi-Preneel mode, 110 rounds, exponent 5, seed "seed" + BN254_MP_110 MimcConfig = iota + // BLS12_381_MP_111 is the default MiMC configuration for the BLS12-381 curve with Miyaguchi-Preneel mode, 111 rounds, exponent 5, seed "seed" + BLS12_381_MP_111 + invalidMimcConfig // compile-time constant for number of fields +) + +var mimcConfigNames [invalidMimcConfig]string + +type mimcConfigSpec struct { + field MimcConfig + doc string +} + +func (fs mimcConfigSpec) Field() byte { + return byte(fs.field) +} +func (fs mimcConfigSpec) Type() StackType { + return StackNone // Will not show, since all are untyped +} +func (fs mimcConfigSpec) OpVersion() uint64 { + return mimcVersion +} +func (fs mimcConfigSpec) Version() uint64 { + return mimcVersion +} +func (fs mimcConfigSpec) Note() string { + return fs.doc +} + +var mimcConfigSpecs = [...]mimcConfigSpec{ + {BN254_MP_110, "MiMC configuration for the BN254 curve with Miyaguchi-Preneel mode, 110 rounds, exponent 5, seed \"seed\""}, + {BLS12_381_MP_111, "MiMC configuration for the BLS12-381 curve with Miyaguchi-Preneel mode, 111 rounds, exponent 5, seed \"seed\""}, +} + +func mimcConfigSpecByField(c MimcConfig) (mimcConfigSpec, bool) { + if int(c) >= len(mimcConfigSpecs) { + return mimcConfigSpec{}, false + } + return mimcConfigSpecs[c], true +} + +var mimcConfigSpecByName = make(mimcConfigNameSpecMap, len(mimcConfigNames)) + +type mimcConfigNameSpecMap map[string]mimcConfigSpec + +func (s mimcConfigNameSpecMap) get(name string) (FieldSpec, bool) { + fs, ok := s[name] + return fs, ok +} + +// MimcConfigs collects details about the constants used to describe MimcConfigs +var MimcConfigs = FieldGroup{ + "Mimc Configurations", "Parameters", + mimcConfigNames[:], + mimcConfigSpecByName, +} + // Base64Encoding is an enum for the `base64decode` opcode type Base64Encoding int @@ -1533,6 +1595,13 @@ func init() { ecGroupSpecByName[s.field.String()] = s } + equal(len(mimcConfigSpecs), len(mimcConfigNames)) + for i, s := range mimcConfigSpecs { + equal(int(s.field), i) + mimcConfigNames[s.field] = s.field.String() + mimcConfigSpecByName[s.field.String()] = s + } + equal(len(base64EncodingSpecs), len(base64EncodingNames)) for i, s := range base64EncodingSpecs { equal(int(s.field), i) diff --git a/data/transactions/logic/fields_string.go b/data/transactions/logic/fields_string.go index 3463da269c..bb35aa63b7 100644 --- a/data/transactions/logic/fields_string.go +++ b/data/transactions/logic/fields_string.go @@ -1,4 +1,4 @@ -// Code generated by "stringer -type=TxnField,GlobalField,AssetParamsField,AppParamsField,AcctParamsField,AssetHoldingField,OnCompletionConstType,EcdsaCurve,EcGroup,Base64Encoding,JSONRefType,VoterParamsField,VrfStandard,BlockField -output=fields_string.go"; DO NOT EDIT. +// Code generated by "stringer -type=TxnField,GlobalField,AssetParamsField,AppParamsField,AcctParamsField,AssetHoldingField,OnCompletionConstType,EcdsaCurve,EcGroup,MimcConfig,Base64Encoding,JSONRefType,VoterParamsField,VrfStandard,BlockField -output=fields_string.go"; DO NOT EDIT. package logic @@ -297,6 +297,25 @@ func (i EcGroup) String() string { } return _EcGroup_name[_EcGroup_index[i]:_EcGroup_index[i+1]] } +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[BN254_MP_110-0] + _ = x[BLS12_381_MP_111-1] + _ = x[invalidMimcConfig-2] +} + +const _MimcConfig_name = "BN254_MP_110BLS12_381_MP_111invalidMimcConfig" + +var _MimcConfig_index = [...]uint8{0, 12, 28, 45} + +func (i MimcConfig) String() string { + if i < 0 || i >= MimcConfig(len(_MimcConfig_index)-1) { + return "MimcConfig(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _MimcConfig_name[_MimcConfig_index[i]:_MimcConfig_index[i+1]] +} func _() { // An "invalid array index" compiler error signifies that the constant values have changed. // Re-run the stringer command to generate them again. diff --git a/data/transactions/logic/opcodes.go b/data/transactions/logic/opcodes.go index 7f91738545..47f69c033d 100644 --- a/data/transactions/logic/opcodes.go +++ b/data/transactions/logic/opcodes.go @@ -799,23 +799,13 @@ var OpSpecs = []OpSpec{ costByField("g", &EcGroups, []int{ BN254g1: 630, BN254g2: 3_300, BLS12_381g1: 1_950, BLS12_381g2: 8_150})}, - {0xe6, "mimc", opMimc, proto("b:b{32}"), mimcVersion, costByFieldAndLength("g", &EcGroups, []linearCost{ - BN254g1: { + {0xe6, "mimc", opMimc, proto("b:b{32}"), mimcVersion, costByFieldAndLength("c", &MimcConfigs, []linearCost{ + BN254_MP_110: { baseCost: 10, chunkCost: 650, chunkSize: 32, }, - BN254g2: { - baseCost: 10, - chunkCost: 650, - chunkSize: 32, - }, - BLS12_381g1: { - baseCost: 10, - chunkCost: 650, - chunkSize: 32, - }, - BLS12_381g2: { + BLS12_381_MP_111: { baseCost: 10, chunkCost: 650, chunkSize: 32, From fa2e74890c2021931925136fefc3efddd2a55fba Mon Sep 17 00:00:00 2001 From: giulio Date: Wed, 9 Oct 2024 09:01:17 +0200 Subject: [PATCH 07/12] Make mimc cost more accurate --- data/transactions/logic/opcodes.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/transactions/logic/opcodes.go b/data/transactions/logic/opcodes.go index 47f69c033d..69b82abd36 100644 --- a/data/transactions/logic/opcodes.go +++ b/data/transactions/logic/opcodes.go @@ -802,12 +802,12 @@ var OpSpecs = []OpSpec{ {0xe6, "mimc", opMimc, proto("b:b{32}"), mimcVersion, costByFieldAndLength("c", &MimcConfigs, []linearCost{ BN254_MP_110: { baseCost: 10, - chunkCost: 650, + chunkCost: 350, chunkSize: 32, }, BLS12_381_MP_111: { baseCost: 10, - chunkCost: 650, + chunkCost: 350, chunkSize: 32, }})}, } From d9c32823872e25acf1b828947c1ee188fff2ee1c Mon Sep 17 00:00:00 2001 From: giulio Date: Sat, 9 Nov 2024 22:29:18 +0100 Subject: [PATCH 08/12] Fix lint warnings --- data/transactions/logic/assembler_test.go | 2 +- data/transactions/logic/crypto.go | 4 ++-- data/transactions/logic/crypto_test.go | 10 +++++----- data/transactions/logic/evalStateful_test.go | 2 +- data/transactions/logic/fields.go | 14 +++++++------- data/transactions/logic/fields_string.go | 8 ++++---- data/transactions/logic/opcodes.go | 4 ++-- 7 files changed, 22 insertions(+), 22 deletions(-) diff --git a/data/transactions/logic/assembler_test.go b/data/transactions/logic/assembler_test.go index 665b2bfbba..fa271469bb 100644 --- a/data/transactions/logic/assembler_test.go +++ b/data/transactions/logic/assembler_test.go @@ -441,7 +441,7 @@ falcon_verify const mimcNonsense = ` pushbytes 0x11223344556677889900aabbccddeeff11223344556677889900aabbccddeeff -mimc BLS12_381_MP_111 +mimc BLS12_381Mp111 ` const v8Nonsense = v7Nonsense + switchNonsense + frameNonsense + matchNonsense + boxNonsense diff --git a/data/transactions/logic/crypto.go b/data/transactions/logic/crypto.go index 7422258c76..cb05242d8c 100644 --- a/data/transactions/logic/crypto.go +++ b/data/transactions/logic/crypto.go @@ -57,9 +57,9 @@ func opMimc(cx *EvalContext) error { var mimc hash.Hash switch fs.field { - case BN254_MP_110: + case BN254Mp110: mimc = bn254mimc.NewMiMC() - case BLS12_381_MP_111: + case BLS12_381Mp111: mimc = bls12_381mimc.NewMiMC() default: return fmt.Errorf("invalid mimc group %s", config) diff --git a/data/transactions/logic/crypto_test.go b/data/transactions/logic/crypto_test.go index bfd1b5830a..be0e90873b 100644 --- a/data/transactions/logic/crypto_test.go +++ b/data/transactions/logic/crypto_test.go @@ -148,7 +148,7 @@ func TestMimc(t *testing.T) { } circuitHashTestVectors := map[string][]string{ - "BN254_MP_110": { + "BN254Mp110": { "20104241803663641422577121134203490505137011783614913652735802145961801733870", "12886436712380113721405259596386800092738845035233065858332878701083870690753", "19565877911319815535452130675266047290072088868113536892077808700068649624391", @@ -157,7 +157,7 @@ func TestMimc(t *testing.T) { "21691351735381703396517600859480938764038501053226864452091917666642352837076", "10501393540371963307040960561318023073151272109639330842515119353134949995409", }, - "BLS12_381_MP_111": { + "BLS12_381Mp111": { "17991912493598890696181760734961918471863781118188078948205844982816313445306", "8791766422525455185980675814845076441443662947059416063736889106252015893524", "35137972692771717943992759113612269767581262500164574105059686144346651628747", @@ -168,7 +168,7 @@ func TestMimc(t *testing.T) { }, } - for _, config := range []string{"BN254_MP_110", "BLS12_381_MP_111"} { + for _, config := range []string{"BN254Mp110", "BLS12_381Mp111"} { for i, preImageTestVector := range preImageTestVectors { var n big.Int n.SetString(circuitHashTestVectors[config][i], 10) @@ -783,9 +783,9 @@ int ` + fmt.Sprintf("%d", testLogicBudget-2500-8) + ` } func BenchmarkHashes(b *testing.B) { - for _, hash := range []string{"sha256", "keccak256" /* skip, same as keccak "sha3_256", */, "sha512_256", "sumhash512", "mimc BN254_MP_110", "mimc BLS12_381_MP_111"} { + for _, hash := range []string{"sha256", "keccak256" /* skip, same as keccak "sha3_256", */, "sha512_256", "sumhash512", "mimc BN254Mp110", "mimc BLS12_381Mp111"} { for _, size := range []int{0, 32, 128, 512, 1024, 4096} { - if size == 0 && (hash == "mimc BN254_MP_110" || hash == "mimc BLS12_381_MP_111") { + if size == 0 && (hash == "mimc BN254Mp110" || hash == "mimc BLS12_381Mp111") { continue } b.Run(hash+"-"+strconv.Itoa(size), func(b *testing.B) { diff --git a/data/transactions/logic/evalStateful_test.go b/data/transactions/logic/evalStateful_test.go index 2c5150a07a..f97800aee8 100644 --- a/data/transactions/logic/evalStateful_test.go +++ b/data/transactions/logic/evalStateful_test.go @@ -3256,7 +3256,7 @@ func TestReturnTypes(t *testing.T) { "box_put": "byte 0x010203040506; concat; box_put", // make the 4 byte arg into a 10 // mimc requires an input size multiple of 32 bytes. - "mimc": ": byte 0x0000000000000000000000000000000000000000000000000000000000000001; mimc BN254_MP_110", + "mimc": ": byte 0x0000000000000000000000000000000000000000000000000000000000000001; mimc BN254Mp110", } /* Make sure the specialCmd tests the opcode in question */ diff --git a/data/transactions/logic/fields.go b/data/transactions/logic/fields.go index c022a52630..b4d3ca53c9 100644 --- a/data/transactions/logic/fields.go +++ b/data/transactions/logic/fields.go @@ -785,14 +785,14 @@ var EcGroups = FieldGroup{ ecGroupSpecByName, } -// MimcConf is an enum for the `mimc` opcode +// MimcConfig is an enum for the `mimc` opcode type MimcConfig int const ( - // BN254_MP_110 is the default MiMC configuration for the BN254 curve with Miyaguchi-Preneel mode, 110 rounds, exponent 5, seed "seed" - BN254_MP_110 MimcConfig = iota - // BLS12_381_MP_111 is the default MiMC configuration for the BLS12-381 curve with Miyaguchi-Preneel mode, 111 rounds, exponent 5, seed "seed" - BLS12_381_MP_111 + // BN254Mp110 is the default MiMC configuration for the BN254 curve with Miyaguchi-Preneel mode, 110 rounds, exponent 5, seed "seed" + BN254Mp110 MimcConfig = iota + // BLS12_381Mp111 is the default MiMC configuration for the BLS12-381 curve with Miyaguchi-Preneel mode, 111 rounds, exponent 5, seed "seed" + BLS12_381Mp111 invalidMimcConfig // compile-time constant for number of fields ) @@ -820,8 +820,8 @@ func (fs mimcConfigSpec) Note() string { } var mimcConfigSpecs = [...]mimcConfigSpec{ - {BN254_MP_110, "MiMC configuration for the BN254 curve with Miyaguchi-Preneel mode, 110 rounds, exponent 5, seed \"seed\""}, - {BLS12_381_MP_111, "MiMC configuration for the BLS12-381 curve with Miyaguchi-Preneel mode, 111 rounds, exponent 5, seed \"seed\""}, + {BN254Mp110, "MiMC configuration for the BN254 curve with Miyaguchi-Preneel mode, 110 rounds, exponent 5, seed \"seed\""}, + {BLS12_381Mp111, "MiMC configuration for the BLS12-381 curve with Miyaguchi-Preneel mode, 111 rounds, exponent 5, seed \"seed\""}, } func mimcConfigSpecByField(c MimcConfig) (mimcConfigSpec, bool) { diff --git a/data/transactions/logic/fields_string.go b/data/transactions/logic/fields_string.go index d793fa4b4d..81f1b33d29 100644 --- a/data/transactions/logic/fields_string.go +++ b/data/transactions/logic/fields_string.go @@ -301,14 +301,14 @@ func _() { // An "invalid array index" compiler error signifies that the constant values have changed. // Re-run the stringer command to generate them again. var x [1]struct{} - _ = x[BN254_MP_110-0] - _ = x[BLS12_381_MP_111-1] + _ = x[BN254Mp110-0] + _ = x[BLS12_381Mp111-1] _ = x[invalidMimcConfig-2] } -const _MimcConfig_name = "BN254_MP_110BLS12_381_MP_111invalidMimcConfig" +const _MimcConfig_name = "BN254Mp110BLS12_381Mp111invalidMimcConfig" -var _MimcConfig_index = [...]uint8{0, 12, 28, 45} +var _MimcConfig_index = [...]uint8{0, 10, 24, 41} func (i MimcConfig) String() string { if i < 0 || i >= MimcConfig(len(_MimcConfig_index)-1) { diff --git a/data/transactions/logic/opcodes.go b/data/transactions/logic/opcodes.go index 69b82abd36..4cf6238cad 100644 --- a/data/transactions/logic/opcodes.go +++ b/data/transactions/logic/opcodes.go @@ -800,12 +800,12 @@ var OpSpecs = []OpSpec{ BN254g1: 630, BN254g2: 3_300, BLS12_381g1: 1_950, BLS12_381g2: 8_150})}, {0xe6, "mimc", opMimc, proto("b:b{32}"), mimcVersion, costByFieldAndLength("c", &MimcConfigs, []linearCost{ - BN254_MP_110: { + BN254Mp110: { baseCost: 10, chunkCost: 350, chunkSize: 32, }, - BLS12_381_MP_111: { + BLS12_381Mp111: { baseCost: 10, chunkCost: 350, chunkSize: 32, From 9feb871f044e7dd1bbf928f224ed7ec95f3d13b1 Mon Sep 17 00:00:00 2001 From: John Jannotti Date: Fri, 13 Dec 2024 14:06:45 -0500 Subject: [PATCH 09/12] Update cost and some docs --- cmd/opdoc/opdoc.go | 2 +- data/transactions/logic/README.md | 13 + data/transactions/logic/TEAL_opcodes_v11.md | 1830 +++++++ data/transactions/logic/assembler_test.go | 2 +- data/transactions/logic/crypto.go | 7 +- data/transactions/logic/doc.go | 8 +- data/transactions/logic/langspec_v11.json | 4949 ++++++++++++++++++ data/transactions/logic/opcodes.go | 4 +- data/transactions/logic/teal.tmLanguage.json | 2 +- 9 files changed, 6805 insertions(+), 12 deletions(-) create mode 100644 data/transactions/logic/TEAL_opcodes_v11.md create mode 100644 data/transactions/logic/langspec_v11.json diff --git a/cmd/opdoc/opdoc.go b/cmd/opdoc/opdoc.go index a6e77504b5..2090462261 100644 --- a/cmd/opdoc/opdoc.go +++ b/cmd/opdoc/opdoc.go @@ -443,7 +443,7 @@ func create(file string) *os.File { } func main() { - const docVersion = uint64(10) + const docVersion = uint64(11) opGroups := make(map[string][]string, len(logic.OpSpecs)) for grp, names := range logic.OpGroups { diff --git a/data/transactions/logic/README.md b/data/transactions/logic/README.md index e1c5cfe218..ca5e04bef4 100644 --- a/data/transactions/logic/README.md +++ b/data/transactions/logic/README.md @@ -463,6 +463,8 @@ these results may contain leading zero bytes. | `keccak256` | Keccak256 hash of value A, yields [32]byte | | `sha512_256` | SHA512_256 hash of value A, yields [32]byte | | `sha3_256` | SHA3_256 hash of value A, yields [32]byte | +| `sumhash512` | sumhash512 of value A, yields [64]byte | +| `falcon_verify` | for (data A, compressed-format signature B, pubkey C) verify the signature of data against the pubkey | | `ed25519verify` | for (data A, signature B, pubkey C) verify the signature of ("ProgData" \|\| program_hash \|\| data) against the pubkey => {0 or 1} | | `ed25519verify_bare` | for (data A, signature B, pubkey C) verify the signature of the data against the pubkey => {0 or 1} | | `ecdsa_verify v` | for (data A, signature B, C and pubkey D, E) verify the signature of the data against the pubkey => {0 or 1} | @@ -475,6 +477,7 @@ these results may contain leading zero bytes. | `ec_multi_scalar_mul g` | for curve points A and scalars B, return curve point B0A0 + B1A1 + B2A2 + ... + BnAn | | `ec_subgroup_check g` | 1 if A is in the main prime-order subgroup of G (including the point at infinity) else 0. Program fails if A is not in G at all. | | `ec_map_to g` | maps field element A to group G | +| `mimc c` | MiMC hash of scalars A, using curve and parameters specified by configuration C | ### Loading Values @@ -631,6 +634,11 @@ Global fields are fields that are common to all the transactions in the group. I | 15 | AssetCreateMinBalance | uint64 | v10 | The additional minimum balance required to create (and opt-in to) an asset. | | 16 | AssetOptInMinBalance | uint64 | v10 | The additional minimum balance required to opt-in to an asset. | | 17 | GenesisHash | [32]byte | v10 | The Genesis Hash for the network. | +| 18 | PayoutsEnabled | bool | v11 | Whether block proposal payouts are enabled. | +| 19 | PayoutsGoOnlineFee | uint64 | v11 | The fee required in a keyreg transaction to make an account incentive eligible. | +| 20 | PayoutsPercent | uint64 | v11 | The percentage of transaction fees in a block that can be paid to the block proposer. | +| 21 | PayoutsMinBalance | uint64 | v11 | The minimum algo balance an account must have in the agreement round to receive block payouts in the proposal round. | +| 22 | PayoutsMaxBalance | uint64 | v11 | The maximum algo balance an account can have in the agreement round to receive block payouts in the proposal round. | **Asset Fields** @@ -694,6 +702,9 @@ Account fields used in the `acct_params_get` opcode. | 9 | AcctTotalAssets | uint64 | v8 | The numbers of ASAs held by this account (including ASAs this account created). | | 10 | AcctTotalBoxes | uint64 | v8 | The number of existing boxes created by this account's app. | | 11 | AcctTotalBoxBytes | uint64 | v8 | The total number of bytes used by this account's app's box keys and values. | +| 12 | AcctIncentiveEligible | bool | v11 | Has this account opted into block payouts | +| 13 | AcctLastProposed | uint64 | v11 | The round number of the last block this account proposed. | +| 14 | AcctLastHeartbeat | uint64 | v11 | The round number of the last block this account sent a heartbeat. | ### Flow Control @@ -744,6 +755,8 @@ Account fields used in the `acct_params_get` opcode. | `asset_params_get f` | X is field F from asset A. Y is 1 if A exists, else 0 | | `app_params_get f` | X is field F from app A. Y is 1 if A exists, else 0 | | `acct_params_get f` | X is field F from account A. Y is 1 if A owns positive algos, else 0 | +| `voter_params_get f` | X is field F from online account A as of the balance round: 320 rounds before the current round. Y is 1 if A had positive algos online in the agreement round, else Y is 0 and X is a type specific zero-value | +| `online_stake` | the total online stake in the agreement round | | `log` | write A to log state of the current application | | `block f` | field F of block A. Fail unless A falls between txn.LastValid-1002 and txn.FirstValid (exclusive) | diff --git a/data/transactions/logic/TEAL_opcodes_v11.md b/data/transactions/logic/TEAL_opcodes_v11.md new file mode 100644 index 0000000000..345ebca43e --- /dev/null +++ b/data/transactions/logic/TEAL_opcodes_v11.md @@ -0,0 +1,1830 @@ +# v11 Opcodes + +Ops have a 'cost' of 1 unless otherwise specified. + + +## err + +- Bytecode: 0x00 +- Stack: ... → _exits_ +- Fail immediately. + +## sha256 + +- Bytecode: 0x01 +- Stack: ..., A: []byte → ..., [32]byte +- SHA256 hash of value A, yields [32]byte +- **Cost**: 35 + +## keccak256 + +- Bytecode: 0x02 +- Stack: ..., A: []byte → ..., [32]byte +- Keccak256 hash of value A, yields [32]byte +- **Cost**: 130 + +## sha512_256 + +- Bytecode: 0x03 +- Stack: ..., A: []byte → ..., [32]byte +- SHA512_256 hash of value A, yields [32]byte +- **Cost**: 45 + +## ed25519verify + +- Bytecode: 0x04 +- Stack: ..., A: []byte, B: [64]byte, C: [32]byte → ..., bool +- for (data A, signature B, pubkey C) verify the signature of ("ProgData" || program_hash || data) against the pubkey => {0 or 1} +- **Cost**: 1900 + +The 32 byte public key is the last element on the stack, preceded by the 64 byte signature at the second-to-last element on the stack, preceded by the data which was signed at the third-to-last element on the stack. + +## ecdsa_verify + +- Syntax: `ecdsa_verify V` where V: [ECDSA](#field-group-ecdsa) +- Bytecode: 0x05 {uint8} +- Stack: ..., A: [32]byte, B: [32]byte, C: [32]byte, D: [32]byte, E: [32]byte → ..., bool +- for (data A, signature B, C and pubkey D, E) verify the signature of the data against the pubkey => {0 or 1} +- **Cost**: Secp256k1=1700; Secp256r1=2500 +- Availability: v5 + +### ECDSA + +Curves + +| Index | Name | In | Notes | +| - | ------ | - | --------- | +| 0 | Secp256k1 | | secp256k1 curve, used in Bitcoin | +| 1 | Secp256r1 | v7 | secp256r1 curve, NIST standard | + + +The 32 byte Y-component of a public key is the last element on the stack, preceded by X-component of a pubkey, preceded by S and R components of a signature, preceded by the data that is fifth element on the stack. All values are big-endian encoded. The signed data must be 32 bytes long, and signatures in lower-S form are only accepted. + +## ecdsa_pk_decompress + +- Syntax: `ecdsa_pk_decompress V` where V: [ECDSA](#field-group-ecdsa) +- Bytecode: 0x06 {uint8} +- Stack: ..., A: [33]byte → ..., X: [32]byte, Y: [32]byte +- decompress pubkey A into components X, Y +- **Cost**: Secp256k1=650; Secp256r1=2400 +- Availability: v5 + +The 33 byte public key in a compressed form to be decompressed into X and Y (top) components. All values are big-endian encoded. + +## ecdsa_pk_recover + +- Syntax: `ecdsa_pk_recover V` where V: [ECDSA](#field-group-ecdsa) +- Bytecode: 0x07 {uint8} +- Stack: ..., A: [32]byte, B: uint64, C: [32]byte, D: [32]byte → ..., X: [32]byte, Y: [32]byte +- for (data A, recovery id B, signature C, D) recover a public key +- **Cost**: 2000 +- Availability: v5 + +S (top) and R elements of a signature, recovery id and data (bottom) are expected on the stack and used to deriver a public key. All values are big-endian encoded. The signed data must be 32 bytes long. + +## + + +- Bytecode: 0x08 +- Stack: ..., A: uint64, B: uint64 → ..., uint64 +- A plus B. Fail on overflow. + +Overflow is an error condition which halts execution and fails the transaction. Full precision is available from `addw`. + +## - + +- Bytecode: 0x09 +- Stack: ..., A: uint64, B: uint64 → ..., uint64 +- A minus B. Fail if B > A. + +## / + +- Bytecode: 0x0a +- Stack: ..., A: uint64, B: uint64 → ..., uint64 +- A divided by B (truncated division). Fail if B == 0. + +`divmodw` is available to divide the two-element values produced by `mulw` and `addw`. + +## * + +- Bytecode: 0x0b +- Stack: ..., A: uint64, B: uint64 → ..., uint64 +- A times B. Fail on overflow. + +Overflow is an error condition which halts execution and fails the transaction. Full precision is available from `mulw`. + +## < + +- Bytecode: 0x0c +- Stack: ..., A: uint64, B: uint64 → ..., bool +- A less than B => {0 or 1} + +## > + +- Bytecode: 0x0d +- Stack: ..., A: uint64, B: uint64 → ..., bool +- A greater than B => {0 or 1} + +## <= + +- Bytecode: 0x0e +- Stack: ..., A: uint64, B: uint64 → ..., bool +- A less than or equal to B => {0 or 1} + +## >= + +- Bytecode: 0x0f +- Stack: ..., A: uint64, B: uint64 → ..., bool +- A greater than or equal to B => {0 or 1} + +## && + +- Bytecode: 0x10 +- Stack: ..., A: uint64, B: uint64 → ..., bool +- A is not zero and B is not zero => {0 or 1} + +## || + +- Bytecode: 0x11 +- Stack: ..., A: uint64, B: uint64 → ..., bool +- A is not zero or B is not zero => {0 or 1} + +## == + +- Bytecode: 0x12 +- Stack: ..., A, B → ..., bool +- A is equal to B => {0 or 1} + +## != + +- Bytecode: 0x13 +- Stack: ..., A, B → ..., bool +- A is not equal to B => {0 or 1} + +## ! + +- Bytecode: 0x14 +- Stack: ..., A: uint64 → ..., uint64 +- A == 0 yields 1; else 0 + +## len + +- Bytecode: 0x15 +- Stack: ..., A: []byte → ..., uint64 +- yields length of byte value A + +## itob + +- Bytecode: 0x16 +- Stack: ..., A: uint64 → ..., [8]byte +- converts uint64 A to big-endian byte array, always of length 8 + +## btoi + +- Bytecode: 0x17 +- Stack: ..., A: []byte → ..., uint64 +- converts big-endian byte array A to uint64. Fails if len(A) > 8. Padded by leading 0s if len(A) < 8. + +`btoi` fails if the input is longer than 8 bytes. + +## % + +- Bytecode: 0x18 +- Stack: ..., A: uint64, B: uint64 → ..., uint64 +- A modulo B. Fail if B == 0. + +## | + +- Bytecode: 0x19 +- Stack: ..., A: uint64, B: uint64 → ..., uint64 +- A bitwise-or B + +## & + +- Bytecode: 0x1a +- Stack: ..., A: uint64, B: uint64 → ..., uint64 +- A bitwise-and B + +## ^ + +- Bytecode: 0x1b +- Stack: ..., A: uint64, B: uint64 → ..., uint64 +- A bitwise-xor B + +## ~ + +- Bytecode: 0x1c +- Stack: ..., A: uint64 → ..., uint64 +- bitwise invert value A + +## mulw + +- Bytecode: 0x1d +- Stack: ..., A: uint64, B: uint64 → ..., X: uint64, Y: uint64 +- A times B as a 128-bit result in two uint64s. X is the high 64 bits, Y is the low + +## addw + +- Bytecode: 0x1e +- Stack: ..., A: uint64, B: uint64 → ..., X: uint64, Y: uint64 +- A plus B as a 128-bit result. X is the carry-bit, Y is the low-order 64 bits. +- Availability: v2 + +## divmodw + +- Bytecode: 0x1f +- Stack: ..., A: uint64, B: uint64, C: uint64, D: uint64 → ..., W: uint64, X: uint64, Y: uint64, Z: uint64 +- W,X = (A,B / C,D); Y,Z = (A,B modulo C,D) +- **Cost**: 20 +- Availability: v4 + +The notation J,K indicates that two uint64 values J and K are interpreted as a uint128 value, with J as the high uint64 and K the low. + +## intcblock + +- Syntax: `intcblock UINT ...` where UINT ...: a block of int constant values +- Bytecode: 0x20 {varuint count, [varuint ...]} +- Stack: ... → ... +- prepare block of uint64 constants for use by intc + +`intcblock` loads following program bytes into an array of integer constants in the evaluator. These integer constants can be referred to by `intc` and `intc_*` which will push the value onto the stack. Subsequent calls to `intcblock` reset and replace the integer constants available to the script. + +## intc + +- Syntax: `intc I` where I: an index in the intcblock +- Bytecode: 0x21 {uint8} +- Stack: ... → ..., uint64 +- Ith constant from intcblock + +## intc_0 + +- Bytecode: 0x22 +- Stack: ... → ..., uint64 +- constant 0 from intcblock + +## intc_1 + +- Bytecode: 0x23 +- Stack: ... → ..., uint64 +- constant 1 from intcblock + +## intc_2 + +- Bytecode: 0x24 +- Stack: ... → ..., uint64 +- constant 2 from intcblock + +## intc_3 + +- Bytecode: 0x25 +- Stack: ... → ..., uint64 +- constant 3 from intcblock + +## bytecblock + +- Syntax: `bytecblock BYTES ...` where BYTES ...: a block of byte constant values +- Bytecode: 0x26 {varuint count, [varuint length, bytes ...]} +- Stack: ... → ... +- prepare block of byte-array constants for use by bytec + +`bytecblock` loads the following program bytes into an array of byte-array constants in the evaluator. These constants can be referred to by `bytec` and `bytec_*` which will push the value onto the stack. Subsequent calls to `bytecblock` reset and replace the bytes constants available to the script. + +## bytec + +- Syntax: `bytec I` where I: an index in the bytecblock +- Bytecode: 0x27 {uint8} +- Stack: ... → ..., []byte +- Ith constant from bytecblock + +## bytec_0 + +- Bytecode: 0x28 +- Stack: ... → ..., []byte +- constant 0 from bytecblock + +## bytec_1 + +- Bytecode: 0x29 +- Stack: ... → ..., []byte +- constant 1 from bytecblock + +## bytec_2 + +- Bytecode: 0x2a +- Stack: ... → ..., []byte +- constant 2 from bytecblock + +## bytec_3 + +- Bytecode: 0x2b +- Stack: ... → ..., []byte +- constant 3 from bytecblock + +## arg + +- Syntax: `arg N` where N: an arg index +- Bytecode: 0x2c {uint8} +- Stack: ... → ..., []byte +- Nth LogicSig argument +- Mode: Signature + +## arg_0 + +- Bytecode: 0x2d +- Stack: ... → ..., []byte +- LogicSig argument 0 +- Mode: Signature + +## arg_1 + +- Bytecode: 0x2e +- Stack: ... → ..., []byte +- LogicSig argument 1 +- Mode: Signature + +## arg_2 + +- Bytecode: 0x2f +- Stack: ... → ..., []byte +- LogicSig argument 2 +- Mode: Signature + +## arg_3 + +- Bytecode: 0x30 +- Stack: ... → ..., []byte +- LogicSig argument 3 +- Mode: Signature + +## txn + +- Syntax: `txn F` where F: [txn](#field-group-txn) +- Bytecode: 0x31 {uint8} +- Stack: ... → ..., any +- field F of current transaction + +### txn + +Fields (see [transaction reference](https://developer.algorand.org/docs/reference/transactions/)) + +| Index | Name | Type | In | Notes | +| - | ------ | -- | - | --------- | +| 0 | Sender | address | | 32 byte address | +| 1 | Fee | uint64 | | microalgos | +| 2 | FirstValid | uint64 | | round number | +| 3 | FirstValidTime | uint64 | v7 | UNIX timestamp of block before txn.FirstValid. Fails if negative | +| 4 | LastValid | uint64 | | round number | +| 5 | Note | []byte | | Any data up to 1024 bytes | +| 6 | Lease | [32]byte | | 32 byte lease value | +| 7 | Receiver | address | | 32 byte address | +| 8 | Amount | uint64 | | microalgos | +| 9 | CloseRemainderTo | address | | 32 byte address | +| 10 | VotePK | [32]byte | | 32 byte address | +| 11 | SelectionPK | [32]byte | | 32 byte address | +| 12 | VoteFirst | uint64 | | The first round that the participation key is valid. | +| 13 | VoteLast | uint64 | | The last round that the participation key is valid. | +| 14 | VoteKeyDilution | uint64 | | Dilution for the 2-level participation key | +| 15 | Type | []byte | | Transaction type as bytes | +| 16 | TypeEnum | uint64 | | Transaction type as integer | +| 17 | XferAsset | uint64 | | Asset ID | +| 18 | AssetAmount | uint64 | | value in Asset's units | +| 19 | AssetSender | address | | 32 byte address. Source of assets if Sender is the Asset's Clawback address. | +| 20 | AssetReceiver | address | | 32 byte address | +| 21 | AssetCloseTo | address | | 32 byte address | +| 22 | GroupIndex | uint64 | | Position of this transaction within an atomic transaction group. A stand-alone transaction is implicitly element 0 in a group of 1 | +| 23 | TxID | [32]byte | | The computed ID for this transaction. 32 bytes. | +| 24 | ApplicationID | uint64 | v2 | ApplicationID from ApplicationCall transaction | +| 25 | OnCompletion | uint64 | v2 | ApplicationCall transaction on completion action | +| 27 | NumAppArgs | uint64 | v2 | Number of ApplicationArgs | +| 29 | NumAccounts | uint64 | v2 | Number of Accounts | +| 30 | ApprovalProgram | []byte | v2 | Approval program | +| 31 | ClearStateProgram | []byte | v2 | Clear state program | +| 32 | RekeyTo | address | v2 | 32 byte Sender's new AuthAddr | +| 33 | ConfigAsset | uint64 | v2 | Asset ID in asset config transaction | +| 34 | ConfigAssetTotal | uint64 | v2 | Total number of units of this asset created | +| 35 | ConfigAssetDecimals | uint64 | v2 | Number of digits to display after the decimal place when displaying the asset | +| 36 | ConfigAssetDefaultFrozen | bool | v2 | Whether the asset's slots are frozen by default or not, 0 or 1 | +| 37 | ConfigAssetUnitName | []byte | v2 | Unit name of the asset | +| 38 | ConfigAssetName | []byte | v2 | The asset name | +| 39 | ConfigAssetURL | []byte | v2 | URL | +| 40 | ConfigAssetMetadataHash | [32]byte | v2 | 32 byte commitment to unspecified asset metadata | +| 41 | ConfigAssetManager | address | v2 | 32 byte address | +| 42 | ConfigAssetReserve | address | v2 | 32 byte address | +| 43 | ConfigAssetFreeze | address | v2 | 32 byte address | +| 44 | ConfigAssetClawback | address | v2 | 32 byte address | +| 45 | FreezeAsset | uint64 | v2 | Asset ID being frozen or un-frozen | +| 46 | FreezeAssetAccount | address | v2 | 32 byte address of the account whose asset slot is being frozen or un-frozen | +| 47 | FreezeAssetFrozen | bool | v2 | The new frozen value, 0 or 1 | +| 49 | NumAssets | uint64 | v3 | Number of Assets | +| 51 | NumApplications | uint64 | v3 | Number of Applications | +| 52 | GlobalNumUint | uint64 | v3 | Number of global state integers in ApplicationCall | +| 53 | GlobalNumByteSlice | uint64 | v3 | Number of global state byteslices in ApplicationCall | +| 54 | LocalNumUint | uint64 | v3 | Number of local state integers in ApplicationCall | +| 55 | LocalNumByteSlice | uint64 | v3 | Number of local state byteslices in ApplicationCall | +| 56 | ExtraProgramPages | uint64 | v4 | Number of additional pages for each of the application's approval and clear state programs. An ExtraProgramPages of 1 means 2048 more total bytes, or 1024 for each program. | +| 57 | Nonparticipation | bool | v5 | Marks an account nonparticipating for rewards | +| 59 | NumLogs | uint64 | v5 | Number of Logs (only with `itxn` in v5). Application mode only | +| 60 | CreatedAssetID | uint64 | v5 | Asset ID allocated by the creation of an ASA (only with `itxn` in v5). Application mode only | +| 61 | CreatedApplicationID | uint64 | v5 | ApplicationID allocated by the creation of an application (only with `itxn` in v5). Application mode only | +| 62 | LastLog | []byte | v6 | The last message emitted. Empty bytes if none were emitted. Application mode only | +| 63 | StateProofPK | []byte | v6 | 64 byte state proof public key | +| 65 | NumApprovalProgramPages | uint64 | v7 | Number of Approval Program pages | +| 67 | NumClearStateProgramPages | uint64 | v7 | Number of ClearState Program pages | + + +## global + +- Syntax: `global F` where F: [global](#field-group-global) +- Bytecode: 0x32 {uint8} +- Stack: ... → ..., any +- global field F + +### global + +Fields + +| Index | Name | Type | In | Notes | +| - | ------ | -- | - | --------- | +| 0 | MinTxnFee | uint64 | | microalgos | +| 1 | MinBalance | uint64 | | microalgos | +| 2 | MaxTxnLife | uint64 | | rounds | +| 3 | ZeroAddress | address | | 32 byte address of all zero bytes | +| 4 | GroupSize | uint64 | | Number of transactions in this atomic transaction group. At least 1 | +| 5 | LogicSigVersion | uint64 | v2 | Maximum supported version | +| 6 | Round | uint64 | v2 | Current round number. Application mode only. | +| 7 | LatestTimestamp | uint64 | v2 | Last confirmed block UNIX timestamp. Fails if negative. Application mode only. | +| 8 | CurrentApplicationID | uint64 | v2 | ID of current application executing. Application mode only. | +| 9 | CreatorAddress | address | v3 | Address of the creator of the current application. Application mode only. | +| 10 | CurrentApplicationAddress | address | v5 | Address that the current application controls. Application mode only. | +| 11 | GroupID | [32]byte | v5 | ID of the transaction group. 32 zero bytes if the transaction is not part of a group. | +| 12 | OpcodeBudget | uint64 | v6 | The remaining cost that can be spent by opcodes in this program. | +| 13 | CallerApplicationID | uint64 | v6 | The application ID of the application that called this application. 0 if this application is at the top-level. Application mode only. | +| 14 | CallerApplicationAddress | address | v6 | The application address of the application that called this application. ZeroAddress if this application is at the top-level. Application mode only. | +| 15 | AssetCreateMinBalance | uint64 | v10 | The additional minimum balance required to create (and opt-in to) an asset. | +| 16 | AssetOptInMinBalance | uint64 | v10 | The additional minimum balance required to opt-in to an asset. | +| 17 | GenesisHash | [32]byte | v10 | The Genesis Hash for the network. | +| 18 | PayoutsEnabled | bool | v11 | Whether block proposal payouts are enabled. | +| 19 | PayoutsGoOnlineFee | uint64 | v11 | The fee required in a keyreg transaction to make an account incentive eligible. | +| 20 | PayoutsPercent | uint64 | v11 | The percentage of transaction fees in a block that can be paid to the block proposer. | +| 21 | PayoutsMinBalance | uint64 | v11 | The minimum algo balance an account must have in the agreement round to receive block payouts in the proposal round. | +| 22 | PayoutsMaxBalance | uint64 | v11 | The maximum algo balance an account can have in the agreement round to receive block payouts in the proposal round. | + + +## gtxn + +- Syntax: `gtxn T F` where T: transaction group index, F: [txn](#field-group-txn) +- Bytecode: 0x33 {uint8}, {uint8} +- Stack: ... → ..., any +- field F of the Tth transaction in the current group + +for notes on transaction fields available, see `txn`. If this transaction is _i_ in the group, `gtxn i field` is equivalent to `txn field`. + +## load + +- Syntax: `load I` where I: position in scratch space to load from +- Bytecode: 0x34 {uint8} +- Stack: ... → ..., any +- Ith scratch space value. All scratch spaces are 0 at program start. + +## store + +- Syntax: `store I` where I: position in scratch space to store to +- Bytecode: 0x35 {uint8} +- Stack: ..., A → ... +- store A to the Ith scratch space + +## txna + +- Syntax: `txna F I` where F: [txna](#field-group-txna), I: transaction field array index +- Bytecode: 0x36 {uint8}, {uint8} +- Stack: ... → ..., any +- Ith value of the array field F of the current transaction
`txna` can be called using `txn` with 2 immediates. +- Availability: v2 + +### txna + +Fields (see [transaction reference](https://developer.algorand.org/docs/reference/transactions/)) + +| Index | Name | Type | In | Notes | +| - | ------ | -- | - | --------- | +| 26 | ApplicationArgs | []byte | v2 | Arguments passed to the application in the ApplicationCall transaction | +| 28 | Accounts | address | v2 | Accounts listed in the ApplicationCall transaction | +| 48 | Assets | uint64 | v3 | Foreign Assets listed in the ApplicationCall transaction | +| 50 | Applications | uint64 | v3 | Foreign Apps listed in the ApplicationCall transaction | +| 58 | Logs | []byte | v5 | Log messages emitted by an application call (only with `itxn` in v5). Application mode only | +| 64 | ApprovalProgramPages | []byte | v7 | Approval Program as an array of pages | +| 66 | ClearStateProgramPages | []byte | v7 | ClearState Program as an array of pages | + + +## gtxna + +- Syntax: `gtxna T F I` where T: transaction group index, F: [txna](#field-group-txna), I: transaction field array index +- Bytecode: 0x37 {uint8}, {uint8}, {uint8} +- Stack: ... → ..., any +- Ith value of the array field F from the Tth transaction in the current group
`gtxna` can be called using `gtxn` with 3 immediates. +- Availability: v2 + +## gtxns + +- Syntax: `gtxns F` where F: [txn](#field-group-txn) +- Bytecode: 0x38 {uint8} +- Stack: ..., A: uint64 → ..., any +- field F of the Ath transaction in the current group +- Availability: v3 + +for notes on transaction fields available, see `txn`. If top of stack is _i_, `gtxns field` is equivalent to `gtxn _i_ field`. gtxns exists so that _i_ can be calculated, often based on the index of the current transaction. + +## gtxnsa + +- Syntax: `gtxnsa F I` where F: [txna](#field-group-txna), I: transaction field array index +- Bytecode: 0x39 {uint8}, {uint8} +- Stack: ..., A: uint64 → ..., any +- Ith value of the array field F from the Ath transaction in the current group
`gtxnsa` can be called using `gtxns` with 2 immediates. +- Availability: v3 + +## gload + +- Syntax: `gload T I` where T: transaction group index, I: position in scratch space to load from +- Bytecode: 0x3a {uint8}, {uint8} +- Stack: ... → ..., any +- Ith scratch space value of the Tth transaction in the current group +- Availability: v4 +- Mode: Application + +`gload` fails unless the requested transaction is an ApplicationCall and T < GroupIndex. + +## gloads + +- Syntax: `gloads I` where I: position in scratch space to load from +- Bytecode: 0x3b {uint8} +- Stack: ..., A: uint64 → ..., any +- Ith scratch space value of the Ath transaction in the current group +- Availability: v4 +- Mode: Application + +`gloads` fails unless the requested transaction is an ApplicationCall and A < GroupIndex. + +## gaid + +- Syntax: `gaid T` where T: transaction group index +- Bytecode: 0x3c {uint8} +- Stack: ... → ..., uint64 +- ID of the asset or application created in the Tth transaction of the current group +- Availability: v4 +- Mode: Application + +`gaid` fails unless the requested transaction created an asset or application and T < GroupIndex. + +## gaids + +- Bytecode: 0x3d +- Stack: ..., A: uint64 → ..., uint64 +- ID of the asset or application created in the Ath transaction of the current group +- Availability: v4 +- Mode: Application + +`gaids` fails unless the requested transaction created an asset or application and A < GroupIndex. + +## loads + +- Bytecode: 0x3e +- Stack: ..., A: uint64 → ..., any +- Ath scratch space value. All scratch spaces are 0 at program start. +- Availability: v5 + +## stores + +- Bytecode: 0x3f +- Stack: ..., A: uint64, B → ... +- store B to the Ath scratch space +- Availability: v5 + +## bnz + +- Syntax: `bnz TARGET` where TARGET: branch offset +- Bytecode: 0x40 {int16 (big-endian)} +- Stack: ..., A: uint64 → ... +- branch to TARGET if value A is not zero + +The `bnz` instruction opcode 0x40 is followed by two immediate data bytes which are a high byte first and low byte second which together form a 16 bit offset which the instruction may branch to. For a bnz instruction at `pc`, if the last element of the stack is not zero then branch to instruction at `pc + 3 + N`, else proceed to next instruction at `pc + 3`. Branch targets must be aligned instructions. (e.g. Branching to the second byte of a 2 byte op will be rejected.) Starting at v4, the offset is treated as a signed 16 bit integer allowing for backward branches and looping. In prior version (v1 to v3), branch offsets are limited to forward branches only, 0-0x7fff. + +At v2 it became allowed to branch to the end of the program exactly after the last instruction: bnz to byte N (with 0-indexing) was illegal for a TEAL program with N bytes before v2, and is legal after it. This change eliminates the need for a last instruction of no-op as a branch target at the end. (Branching beyond the end--in other words, to a byte larger than N--is still illegal and will cause the program to fail.) + +## bz + +- Syntax: `bz TARGET` where TARGET: branch offset +- Bytecode: 0x41 {int16 (big-endian)} +- Stack: ..., A: uint64 → ... +- branch to TARGET if value A is zero +- Availability: v2 + +See `bnz` for details on how branches work. `bz` inverts the behavior of `bnz`. + +## b + +- Syntax: `b TARGET` where TARGET: branch offset +- Bytecode: 0x42 {int16 (big-endian)} +- Stack: ... → ... +- branch unconditionally to TARGET +- Availability: v2 + +See `bnz` for details on how branches work. `b` always jumps to the offset. + +## return + +- Bytecode: 0x43 +- Stack: ..., A: uint64 → _exits_ +- use A as success value; end +- Availability: v2 + +## assert + +- Bytecode: 0x44 +- Stack: ..., A: uint64 → ... +- immediately fail unless A is a non-zero number +- Availability: v3 + +## bury + +- Syntax: `bury N` where N: depth +- Bytecode: 0x45 {uint8} +- Stack: ..., A → ... +- replace the Nth value from the top of the stack with A. bury 0 fails. +- Availability: v8 + +## popn + +- Syntax: `popn N` where N: stack depth +- Bytecode: 0x46 {uint8} +- Stack: ..., [N items] → ... +- remove N values from the top of the stack +- Availability: v8 + +## dupn + +- Syntax: `dupn N` where N: copy count +- Bytecode: 0x47 {uint8} +- Stack: ..., A → ..., A, [N copies of A] +- duplicate A, N times +- Availability: v8 + +## pop + +- Bytecode: 0x48 +- Stack: ..., A → ... +- discard A + +## dup + +- Bytecode: 0x49 +- Stack: ..., A → ..., A, A +- duplicate A + +## dup2 + +- Bytecode: 0x4a +- Stack: ..., A, B → ..., A, B, A, B +- duplicate A and B +- Availability: v2 + +## dig + +- Syntax: `dig N` where N: depth +- Bytecode: 0x4b {uint8} +- Stack: ..., A, [N items] → ..., A, [N items], A +- Nth value from the top of the stack. dig 0 is equivalent to dup +- Availability: v3 + +## swap + +- Bytecode: 0x4c +- Stack: ..., A, B → ..., B, A +- swaps A and B on stack +- Availability: v3 + +## select + +- Bytecode: 0x4d +- Stack: ..., A, B, C: uint64 → ..., A or B +- selects one of two values based on top-of-stack: B if C != 0, else A +- Availability: v3 + +## cover + +- Syntax: `cover N` where N: depth +- Bytecode: 0x4e {uint8} +- Stack: ..., [N items], A → ..., A, [N items] +- remove top of stack, and place it deeper in the stack such that N elements are above it. Fails if stack depth <= N. +- Availability: v5 + +## uncover + +- Syntax: `uncover N` where N: depth +- Bytecode: 0x4f {uint8} +- Stack: ..., A, [N items] → ..., [N items], A +- remove the value at depth N in the stack and shift above items down so the Nth deep value is on top of the stack. Fails if stack depth <= N. +- Availability: v5 + +## concat + +- Bytecode: 0x50 +- Stack: ..., A: []byte, B: []byte → ..., []byte +- join A and B +- Availability: v2 + +`concat` fails if the result would be greater than 4096 bytes. + +## substring + +- Syntax: `substring S E` where S: start position, E: end position +- Bytecode: 0x51 {uint8}, {uint8} +- Stack: ..., A: []byte → ..., []byte +- A range of bytes from A starting at S up to but not including E. If E < S, or either is larger than the array length, the program fails +- Availability: v2 + +## substring3 + +- Bytecode: 0x52 +- Stack: ..., A: []byte, B: uint64, C: uint64 → ..., []byte +- A range of bytes from A starting at B up to but not including C. If C < B, or either is larger than the array length, the program fails +- Availability: v2 + +## getbit + +- Bytecode: 0x53 +- Stack: ..., A, B: uint64 → ..., uint64 +- Bth bit of (byte-array or integer) A. If B is greater than or equal to the bit length of the value (8*byte length), the program fails +- Availability: v3 + +see explanation of bit ordering in setbit + +## setbit + +- Bytecode: 0x54 +- Stack: ..., A, B: uint64, C: uint64 → ..., any +- Copy of (byte-array or integer) A, with the Bth bit set to (0 or 1) C. If B is greater than or equal to the bit length of the value (8*byte length), the program fails +- Availability: v3 + +When A is a uint64, index 0 is the least significant bit. Setting bit 3 to 1 on the integer 0 yields 8, or 2^3. When A is a byte array, index 0 is the leftmost bit of the leftmost byte. Setting bits 0 through 11 to 1 in a 4-byte-array of 0s yields the byte array 0xfff00000. Setting bit 3 to 1 on the 1-byte-array 0x00 yields the byte array 0x10. + +## getbyte + +- Bytecode: 0x55 +- Stack: ..., A: []byte, B: uint64 → ..., uint64 +- Bth byte of A, as an integer. If B is greater than or equal to the array length, the program fails +- Availability: v3 + +## setbyte + +- Bytecode: 0x56 +- Stack: ..., A: []byte, B: uint64, C: uint64 → ..., []byte +- Copy of A with the Bth byte set to small integer (between 0..255) C. If B is greater than or equal to the array length, the program fails +- Availability: v3 + +## extract + +- Syntax: `extract S L` where S: start position, L: length +- Bytecode: 0x57 {uint8}, {uint8} +- Stack: ..., A: []byte → ..., []byte +- A range of bytes from A starting at S up to but not including S+L. If L is 0, then extract to the end of the string. If S or S+L is larger than the array length, the program fails +- Availability: v5 + +## extract3 + +- Bytecode: 0x58 +- Stack: ..., A: []byte, B: uint64, C: uint64 → ..., []byte +- A range of bytes from A starting at B up to but not including B+C. If B+C is larger than the array length, the program fails
`extract3` can be called using `extract` with no immediates. +- Availability: v5 + +## extract_uint16 + +- Bytecode: 0x59 +- Stack: ..., A: []byte, B: uint64 → ..., uint64 +- A uint16 formed from a range of big-endian bytes from A starting at B up to but not including B+2. If B+2 is larger than the array length, the program fails +- Availability: v5 + +## extract_uint32 + +- Bytecode: 0x5a +- Stack: ..., A: []byte, B: uint64 → ..., uint64 +- A uint32 formed from a range of big-endian bytes from A starting at B up to but not including B+4. If B+4 is larger than the array length, the program fails +- Availability: v5 + +## extract_uint64 + +- Bytecode: 0x5b +- Stack: ..., A: []byte, B: uint64 → ..., uint64 +- A uint64 formed from a range of big-endian bytes from A starting at B up to but not including B+8. If B+8 is larger than the array length, the program fails +- Availability: v5 + +## replace2 + +- Syntax: `replace2 S` where S: start position +- Bytecode: 0x5c {uint8} +- Stack: ..., A: []byte, B: []byte → ..., []byte +- Copy of A with the bytes starting at S replaced by the bytes of B. Fails if S+len(B) exceeds len(A)
`replace2` can be called using `replace` with 1 immediate. +- Availability: v7 + +## replace3 + +- Bytecode: 0x5d +- Stack: ..., A: []byte, B: uint64, C: []byte → ..., []byte +- Copy of A with the bytes starting at B replaced by the bytes of C. Fails if B+len(C) exceeds len(A)
`replace3` can be called using `replace` with no immediates. +- Availability: v7 + +## base64_decode + +- Syntax: `base64_decode E` where E: [base64](#field-group-base64) +- Bytecode: 0x5e {uint8} +- Stack: ..., A: []byte → ..., []byte +- decode A which was base64-encoded using _encoding_ E. Fail if A is not base64 encoded with encoding E +- **Cost**: 1 + 1 per 16 bytes of A +- Availability: v7 + +### base64 + +Encodings + +| Index | Name | Notes | +| - | ------ | --------- | +| 0 | URLEncoding | | +| 1 | StdEncoding | | + + +*Warning*: Usage should be restricted to very rare use cases. In almost all cases, smart contracts should directly handle non-encoded byte-strings. This opcode should only be used in cases where base64 is the only available option, e.g. interoperability with a third-party that only signs base64 strings. + + Decodes A using the base64 encoding E. Specify the encoding with an immediate arg either as URL and Filename Safe (`URLEncoding`) or Standard (`StdEncoding`). See [RFC 4648 sections 4 and 5](https://rfc-editor.org/rfc/rfc4648.html#section-4). It is assumed that the encoding ends with the exact number of `=` padding characters as required by the RFC. When padding occurs, any unused pad bits in the encoding must be set to zero or the decoding will fail. The special cases of `\n` and `\r` are allowed but completely ignored. An error will result when attempting to decode a string with a character that is not in the encoding alphabet or not one of `=`, `\r`, or `\n`. + +## json_ref + +- Syntax: `json_ref R` where R: [json_ref](#field-group-json_ref) +- Bytecode: 0x5f {uint8} +- Stack: ..., A: []byte, B: []byte → ..., any +- key B's value, of type R, from a [valid](jsonspec.md) utf-8 encoded json object A +- **Cost**: 25 + 2 per 7 bytes of A +- Availability: v7 + +### json_ref + +Types + +| Index | Name | Type | Notes | +| - | ------ | -- | --------- | +| 0 | JSONString | []byte | | +| 1 | JSONUint64 | uint64 | | +| 2 | JSONObject | []byte | | + + +*Warning*: Usage should be restricted to very rare use cases, as JSON decoding is expensive and quite limited. In addition, JSON objects are large and not optimized for size. + +Almost all smart contracts should use simpler and smaller methods (such as the [ABI](https://arc.algorand.foundation/ARCs/arc-0004). This opcode should only be used in cases where JSON is only available option, e.g. when a third-party only signs JSON. + +## balance + +- Bytecode: 0x60 +- Stack: ..., A → ..., uint64 +- balance for account A, in microalgos. The balance is observed after the effects of previous transactions in the group, and after the fee for the current transaction is deducted. Changes caused by inner transactions are observable immediately following `itxn_submit` +- Availability: v2 +- Mode: Application + +params: Txn.Accounts offset (or, since v4, an _available_ account address), _available_ application id (or, since v4, a Txn.ForeignApps offset). Return: value. + +## app_opted_in + +- Bytecode: 0x61 +- Stack: ..., A, B: uint64 → ..., bool +- 1 if account A is opted in to application B, else 0 +- Availability: v2 +- Mode: Application + +params: Txn.Accounts offset (or, since v4, an _available_ account address), _available_ application id (or, since v4, a Txn.ForeignApps offset). Return: 1 if opted in and 0 otherwise. + +## app_local_get + +- Bytecode: 0x62 +- Stack: ..., A, B: stateKey → ..., any +- local state of the key B in the current application in account A +- Availability: v2 +- Mode: Application + +params: Txn.Accounts offset (or, since v4, an _available_ account address), state key. Return: value. The value is zero (of type uint64) if the key does not exist. + +## app_local_get_ex + +- Bytecode: 0x63 +- Stack: ..., A, B: uint64, C: stateKey → ..., X: any, Y: bool +- X is the local state of application B, key C in account A. Y is 1 if key existed, else 0 +- Availability: v2 +- Mode: Application + +params: Txn.Accounts offset (or, since v4, an _available_ account address), _available_ application id (or, since v4, a Txn.ForeignApps offset), state key. Return: did_exist flag (top of the stack, 1 if the application and key existed and 0 otherwise), value. The value is zero (of type uint64) if the key does not exist. + +## app_global_get + +- Bytecode: 0x64 +- Stack: ..., A: stateKey → ..., any +- global state of the key A in the current application +- Availability: v2 +- Mode: Application + +params: state key. Return: value. The value is zero (of type uint64) if the key does not exist. + +## app_global_get_ex + +- Bytecode: 0x65 +- Stack: ..., A: uint64, B: stateKey → ..., X: any, Y: bool +- X is the global state of application A, key B. Y is 1 if key existed, else 0 +- Availability: v2 +- Mode: Application + +params: Txn.ForeignApps offset (or, since v4, an _available_ application id), state key. Return: did_exist flag (top of the stack, 1 if the application and key existed and 0 otherwise), value. The value is zero (of type uint64) if the key does not exist. + +## app_local_put + +- Bytecode: 0x66 +- Stack: ..., A, B: stateKey, C → ... +- write C to key B in account A's local state of the current application +- Availability: v2 +- Mode: Application + +params: Txn.Accounts offset (or, since v4, an _available_ account address), state key, value. + +## app_global_put + +- Bytecode: 0x67 +- Stack: ..., A: stateKey, B → ... +- write B to key A in the global state of the current application +- Availability: v2 +- Mode: Application + +## app_local_del + +- Bytecode: 0x68 +- Stack: ..., A, B: stateKey → ... +- delete key B from account A's local state of the current application +- Availability: v2 +- Mode: Application + +params: Txn.Accounts offset (or, since v4, an _available_ account address), state key. + +Deleting a key which is already absent has no effect on the application local state. (In particular, it does _not_ cause the program to fail.) + +## app_global_del + +- Bytecode: 0x69 +- Stack: ..., A: stateKey → ... +- delete key A from the global state of the current application +- Availability: v2 +- Mode: Application + +params: state key. + +Deleting a key which is already absent has no effect on the application global state. (In particular, it does _not_ cause the program to fail.) + +## asset_holding_get + +- Syntax: `asset_holding_get F` where F: [asset_holding](#field-group-asset_holding) +- Bytecode: 0x70 {uint8} +- Stack: ..., A, B: uint64 → ..., X: any, Y: bool +- X is field F from account A's holding of asset B. Y is 1 if A is opted into B, else 0 +- Availability: v2 +- Mode: Application + +### asset_holding + +Fields + +| Index | Name | Type | Notes | +| - | ------ | -- | --------- | +| 0 | AssetBalance | uint64 | Amount of the asset unit held by this account | +| 1 | AssetFrozen | bool | Is the asset frozen or not | + + +params: Txn.Accounts offset (or, since v4, an _available_ address), asset id (or, since v4, a Txn.ForeignAssets offset). Return: did_exist flag (1 if the asset existed and 0 otherwise), value. + +## asset_params_get + +- Syntax: `asset_params_get F` where F: [asset_params](#field-group-asset_params) +- Bytecode: 0x71 {uint8} +- Stack: ..., A: uint64 → ..., X: any, Y: bool +- X is field F from asset A. Y is 1 if A exists, else 0 +- Availability: v2 +- Mode: Application + +### asset_params + +Fields + +| Index | Name | Type | In | Notes | +| - | ------ | -- | - | --------- | +| 0 | AssetTotal | uint64 | | Total number of units of this asset | +| 1 | AssetDecimals | uint64 | | See AssetParams.Decimals | +| 2 | AssetDefaultFrozen | bool | | Frozen by default or not | +| 3 | AssetUnitName | []byte | | Asset unit name | +| 4 | AssetName | []byte | | Asset name | +| 5 | AssetURL | []byte | | URL with additional info about the asset | +| 6 | AssetMetadataHash | [32]byte | | Arbitrary commitment | +| 7 | AssetManager | address | | Manager address | +| 8 | AssetReserve | address | | Reserve address | +| 9 | AssetFreeze | address | | Freeze address | +| 10 | AssetClawback | address | | Clawback address | +| 11 | AssetCreator | address | v5 | Creator address | + + +params: Txn.ForeignAssets offset (or, since v4, an _available_ asset id. Return: did_exist flag (1 if the asset existed and 0 otherwise), value. + +## app_params_get + +- Syntax: `app_params_get F` where F: [app_params](#field-group-app_params) +- Bytecode: 0x72 {uint8} +- Stack: ..., A: uint64 → ..., X: any, Y: bool +- X is field F from app A. Y is 1 if A exists, else 0 +- Availability: v5 +- Mode: Application + +### app_params + +Fields + +| Index | Name | Type | Notes | +| - | ------ | -- | --------- | +| 0 | AppApprovalProgram | []byte | Bytecode of Approval Program | +| 1 | AppClearStateProgram | []byte | Bytecode of Clear State Program | +| 2 | AppGlobalNumUint | uint64 | Number of uint64 values allowed in Global State | +| 3 | AppGlobalNumByteSlice | uint64 | Number of byte array values allowed in Global State | +| 4 | AppLocalNumUint | uint64 | Number of uint64 values allowed in Local State | +| 5 | AppLocalNumByteSlice | uint64 | Number of byte array values allowed in Local State | +| 6 | AppExtraProgramPages | uint64 | Number of Extra Program Pages of code space | +| 7 | AppCreator | address | Creator address | +| 8 | AppAddress | address | Address for which this application has authority | + + +params: Txn.ForeignApps offset or an _available_ app id. Return: did_exist flag (1 if the application existed and 0 otherwise), value. + +## acct_params_get + +- Syntax: `acct_params_get F` where F: [acct_params](#field-group-acct_params) +- Bytecode: 0x73 {uint8} +- Stack: ..., A → ..., X: any, Y: bool +- X is field F from account A. Y is 1 if A owns positive algos, else 0 +- Availability: v6 +- Mode: Application + +### acct_params + +Fields + +| Index | Name | Type | In | Notes | +| - | ------ | -- | - | --------- | +| 0 | AcctBalance | uint64 | | Account balance in microalgos | +| 1 | AcctMinBalance | uint64 | | Minimum required balance for account, in microalgos | +| 2 | AcctAuthAddr | address | | Address the account is rekeyed to. | +| 3 | AcctTotalNumUint | uint64 | v8 | The total number of uint64 values allocated by this account in Global and Local States. | +| 4 | AcctTotalNumByteSlice | uint64 | v8 | The total number of byte array values allocated by this account in Global and Local States. | +| 5 | AcctTotalExtraAppPages | uint64 | v8 | The number of extra app code pages used by this account. | +| 6 | AcctTotalAppsCreated | uint64 | v8 | The number of existing apps created by this account. | +| 7 | AcctTotalAppsOptedIn | uint64 | v8 | The number of apps this account is opted into. | +| 8 | AcctTotalAssetsCreated | uint64 | v8 | The number of existing ASAs created by this account. | +| 9 | AcctTotalAssets | uint64 | v8 | The numbers of ASAs held by this account (including ASAs this account created). | +| 10 | AcctTotalBoxes | uint64 | v8 | The number of existing boxes created by this account's app. | +| 11 | AcctTotalBoxBytes | uint64 | v8 | The total number of bytes used by this account's app's box keys and values. | +| 12 | AcctIncentiveEligible | bool | v11 | Has this account opted into block payouts | +| 13 | AcctLastProposed | uint64 | v11 | The round number of the last block this account proposed. | +| 14 | AcctLastHeartbeat | uint64 | v11 | The round number of the last block this account sent a heartbeat. | + + +## voter_params_get + +- Syntax: `voter_params_get F` where F: [voter_params](#field-group-voter_params) +- Bytecode: 0x74 {uint8} +- Stack: ..., A → ..., X: any, Y: bool +- X is field F from online account A as of the balance round: 320 rounds before the current round. Y is 1 if A had positive algos online in the agreement round, else Y is 0 and X is a type specific zero-value +- Availability: v11 +- Mode: Application + +### voter_params + +Fields + +| Index | Name | Type | In | Notes | +| - | ------ | -- | - | --------- | +| 0 | VoterBalance | uint64 | v6 | Online stake in microalgos | +| 1 | VoterIncentiveEligible | bool | | Had this account opted into block payouts | + + +## online_stake + +- Bytecode: 0x75 +- Stack: ... → ..., uint64 +- the total online stake in the agreement round +- Availability: v11 +- Mode: Application + +## min_balance + +- Bytecode: 0x78 +- Stack: ..., A → ..., uint64 +- minimum required balance for account A, in microalgos. Required balance is affected by ASA, App, and Box usage. When creating or opting into an app, the minimum balance grows before the app code runs, therefore the increase is visible there. When deleting or closing out, the minimum balance decreases after the app executes. Changes caused by inner transactions or box usage are observable immediately following the opcode effecting the change. +- Availability: v3 +- Mode: Application + +params: Txn.Accounts offset (or, since v4, an _available_ account address), _available_ application id (or, since v4, a Txn.ForeignApps offset). Return: value. + +## pushbytes + +- Syntax: `pushbytes BYTES` where BYTES: a byte constant +- Bytecode: 0x80 {varuint length, bytes} +- Stack: ... → ..., []byte +- immediate BYTES +- Availability: v3 + +pushbytes args are not added to the bytecblock during assembly processes + +## pushint + +- Syntax: `pushint UINT` where UINT: an int constant +- Bytecode: 0x81 {varuint} +- Stack: ... → ..., uint64 +- immediate UINT +- Availability: v3 + +pushint args are not added to the intcblock during assembly processes + +## pushbytess + +- Syntax: `pushbytess BYTES ...` where BYTES ...: a list of byte constants +- Bytecode: 0x82 {varuint count, [varuint length, bytes ...]} +- Stack: ... → ..., [N items] +- push sequences of immediate byte arrays to stack (first byte array being deepest) +- Availability: v8 + +pushbytess args are not added to the bytecblock during assembly processes + +## pushints + +- Syntax: `pushints UINT ...` where UINT ...: a list of int constants +- Bytecode: 0x83 {varuint count, [varuint ...]} +- Stack: ... → ..., [N items] +- push sequence of immediate uints to stack in the order they appear (first uint being deepest) +- Availability: v8 + +pushints args are not added to the intcblock during assembly processes + +## ed25519verify_bare + +- Bytecode: 0x84 +- Stack: ..., A: []byte, B: [64]byte, C: [32]byte → ..., bool +- for (data A, signature B, pubkey C) verify the signature of the data against the pubkey => {0 or 1} +- **Cost**: 1900 +- Availability: v7 + +## falcon_verify + +- Bytecode: 0x85 +- Stack: ..., A: []byte, B: [1232]byte, C: [1793]byte → ..., bool +- for (data A, compressed-format signature B, pubkey C) verify the signature of data against the pubkey +- **Cost**: 1700 +- Availability: v11 + +## sumhash512 + +- Bytecode: 0x86 +- Stack: ..., A: []byte → ..., [64]byte +- sumhash512 of value A, yields [64]byte +- **Cost**: 150 + 7 per 4 bytes of A +- Availability: v11 + +## callsub + +- Syntax: `callsub TARGET` where TARGET: branch offset +- Bytecode: 0x88 {int16 (big-endian)} +- Stack: ... → ... +- branch unconditionally to TARGET, saving the next instruction on the call stack +- Availability: v4 + +The call stack is separate from the data stack. Only `callsub`, `retsub`, and `proto` manipulate it. + +## retsub + +- Bytecode: 0x89 +- Stack: ... → ... +- pop the top instruction from the call stack and branch to it +- Availability: v4 + +If the current frame was prepared by `proto A R`, `retsub` will remove the 'A' arguments from the stack, move the `R` return values down, and pop any stack locations above the relocated return values. + +## proto + +- Syntax: `proto A R` where A: number of arguments, R: number of return values +- Bytecode: 0x8a {uint8}, {uint8} +- Stack: ... → ... +- Prepare top call frame for a retsub that will assume A args and R return values. +- Availability: v8 + +Fails unless the last instruction executed was a `callsub`. + +## frame_dig + +- Syntax: `frame_dig I` where I: frame slot +- Bytecode: 0x8b {int8} +- Stack: ... → ..., any +- Nth (signed) value from the frame pointer. +- Availability: v8 + +## frame_bury + +- Syntax: `frame_bury I` where I: frame slot +- Bytecode: 0x8c {int8} +- Stack: ..., A → ... +- replace the Nth (signed) value from the frame pointer in the stack with A +- Availability: v8 + +## switch + +- Syntax: `switch TARGET ...` where TARGET ...: list of labels +- Bytecode: 0x8d {varuint count, [int16 (big-endian) ...]} +- Stack: ..., A: uint64 → ... +- branch to the Ath label. Continue at following instruction if index A exceeds the number of labels. +- Availability: v8 + +## match + +- Syntax: `match TARGET ...` where TARGET ...: list of labels +- Bytecode: 0x8e {varuint count, [int16 (big-endian) ...]} +- Stack: ..., [A1, A2, ..., AN], B → ... +- given match cases from A[1] to A[N], branch to the Ith label where A[I] = B. Continue to the following instruction if no matches are found. +- Availability: v8 + +`match` consumes N+1 values from the stack. Let the top stack value be B. The following N values represent an ordered list of match cases/constants (A), where the first value (A[0]) is the deepest in the stack. The immediate arguments are an ordered list of N labels (T). `match` will branch to target T[I], where A[I] = B. If there are no matches then execution continues on to the next instruction. + +## shl + +- Bytecode: 0x90 +- Stack: ..., A: uint64, B: uint64 → ..., uint64 +- A times 2^B, modulo 2^64 +- Availability: v4 + +## shr + +- Bytecode: 0x91 +- Stack: ..., A: uint64, B: uint64 → ..., uint64 +- A divided by 2^B +- Availability: v4 + +## sqrt + +- Bytecode: 0x92 +- Stack: ..., A: uint64 → ..., uint64 +- The largest integer I such that I^2 <= A +- **Cost**: 4 +- Availability: v4 + +## bitlen + +- Bytecode: 0x93 +- Stack: ..., A → ..., uint64 +- The highest set bit in A. If A is a byte-array, it is interpreted as a big-endian unsigned integer. bitlen of 0 is 0, bitlen of 8 is 4 +- Availability: v4 + +bitlen interprets arrays as big-endian integers, unlike setbit/getbit + +## exp + +- Bytecode: 0x94 +- Stack: ..., A: uint64, B: uint64 → ..., uint64 +- A raised to the Bth power. Fail if A == B == 0 and on overflow +- Availability: v4 + +## expw + +- Bytecode: 0x95 +- Stack: ..., A: uint64, B: uint64 → ..., X: uint64, Y: uint64 +- A raised to the Bth power as a 128-bit result in two uint64s. X is the high 64 bits, Y is the low. Fail if A == B == 0 or if the results exceeds 2^128-1 +- **Cost**: 10 +- Availability: v4 + +## bsqrt + +- Bytecode: 0x96 +- Stack: ..., A: bigint → ..., bigint +- The largest integer I such that I^2 <= A. A and I are interpreted as big-endian unsigned integers +- **Cost**: 40 +- Availability: v6 + +## divw + +- Bytecode: 0x97 +- Stack: ..., A: uint64, B: uint64, C: uint64 → ..., uint64 +- A,B / C. Fail if C == 0 or if result overflows. +- Availability: v6 + +The notation A,B indicates that A and B are interpreted as a uint128 value, with A as the high uint64 and B the low. + +## sha3_256 + +- Bytecode: 0x98 +- Stack: ..., A: []byte → ..., [32]byte +- SHA3_256 hash of value A, yields [32]byte +- **Cost**: 130 +- Availability: v7 + +## b+ + +- Bytecode: 0xa0 +- Stack: ..., A: bigint, B: bigint → ..., []byte +- A plus B. A and B are interpreted as big-endian unsigned integers +- **Cost**: 10 +- Availability: v4 + +## b- + +- Bytecode: 0xa1 +- Stack: ..., A: bigint, B: bigint → ..., bigint +- A minus B. A and B are interpreted as big-endian unsigned integers. Fail on underflow. +- **Cost**: 10 +- Availability: v4 + +## b/ + +- Bytecode: 0xa2 +- Stack: ..., A: bigint, B: bigint → ..., bigint +- A divided by B (truncated division). A and B are interpreted as big-endian unsigned integers. Fail if B is zero. +- **Cost**: 20 +- Availability: v4 + +## b* + +- Bytecode: 0xa3 +- Stack: ..., A: bigint, B: bigint → ..., []byte +- A times B. A and B are interpreted as big-endian unsigned integers. +- **Cost**: 20 +- Availability: v4 + +## b< + +- Bytecode: 0xa4 +- Stack: ..., A: bigint, B: bigint → ..., bool +- 1 if A is less than B, else 0. A and B are interpreted as big-endian unsigned integers +- Availability: v4 + +## b> + +- Bytecode: 0xa5 +- Stack: ..., A: bigint, B: bigint → ..., bool +- 1 if A is greater than B, else 0. A and B are interpreted as big-endian unsigned integers +- Availability: v4 + +## b<= + +- Bytecode: 0xa6 +- Stack: ..., A: bigint, B: bigint → ..., bool +- 1 if A is less than or equal to B, else 0. A and B are interpreted as big-endian unsigned integers +- Availability: v4 + +## b>= + +- Bytecode: 0xa7 +- Stack: ..., A: bigint, B: bigint → ..., bool +- 1 if A is greater than or equal to B, else 0. A and B are interpreted as big-endian unsigned integers +- Availability: v4 + +## b== + +- Bytecode: 0xa8 +- Stack: ..., A: bigint, B: bigint → ..., bool +- 1 if A is equal to B, else 0. A and B are interpreted as big-endian unsigned integers +- Availability: v4 + +## b!= + +- Bytecode: 0xa9 +- Stack: ..., A: bigint, B: bigint → ..., bool +- 0 if A is equal to B, else 1. A and B are interpreted as big-endian unsigned integers +- Availability: v4 + +## b% + +- Bytecode: 0xaa +- Stack: ..., A: bigint, B: bigint → ..., bigint +- A modulo B. A and B are interpreted as big-endian unsigned integers. Fail if B is zero. +- **Cost**: 20 +- Availability: v4 + +## b| + +- Bytecode: 0xab +- Stack: ..., A: []byte, B: []byte → ..., []byte +- A bitwise-or B. A and B are zero-left extended to the greater of their lengths +- **Cost**: 6 +- Availability: v4 + +## b& + +- Bytecode: 0xac +- Stack: ..., A: []byte, B: []byte → ..., []byte +- A bitwise-and B. A and B are zero-left extended to the greater of their lengths +- **Cost**: 6 +- Availability: v4 + +## b^ + +- Bytecode: 0xad +- Stack: ..., A: []byte, B: []byte → ..., []byte +- A bitwise-xor B. A and B are zero-left extended to the greater of their lengths +- **Cost**: 6 +- Availability: v4 + +## b~ + +- Bytecode: 0xae +- Stack: ..., A: []byte → ..., []byte +- A with all bits inverted +- **Cost**: 4 +- Availability: v4 + +## bzero + +- Bytecode: 0xaf +- Stack: ..., A: uint64 → ..., []byte +- zero filled byte-array of length A +- Availability: v4 + +## log + +- Bytecode: 0xb0 +- Stack: ..., A: []byte → ... +- write A to log state of the current application +- Availability: v5 +- Mode: Application + +`log` fails if called more than MaxLogCalls times in a program, or if the sum of logged bytes exceeds 1024 bytes. + +## itxn_begin + +- Bytecode: 0xb1 +- Stack: ... → ... +- begin preparation of a new inner transaction in a new transaction group +- Availability: v5 +- Mode: Application + +`itxn_begin` initializes Sender to the application address; Fee to the minimum allowable, taking into account MinTxnFee and credit from overpaying in earlier transactions; FirstValid/LastValid to the values in the invoking transaction, and all other fields to zero or empty values. + +## itxn_field + +- Syntax: `itxn_field F` where F: [txn](#field-group-txn) +- Bytecode: 0xb2 {uint8} +- Stack: ..., A → ... +- set field F of the current inner transaction to A +- Availability: v5 +- Mode: Application + +`itxn_field` fails if A is of the wrong type for F, including a byte array of the wrong size for use as an address when F is an address field. `itxn_field` also fails if A is an account, asset, or app that is not _available_, or an attempt is made extend an array field beyond the limit imposed by consensus parameters. (Addresses set into asset params of acfg transactions need not be _available_.) + +## itxn_submit + +- Bytecode: 0xb3 +- Stack: ... → ... +- execute the current inner transaction group. Fail if executing this group would exceed the inner transaction limit, or if any transaction in the group fails. +- Availability: v5 +- Mode: Application + +`itxn_submit` resets the current transaction so that it can not be resubmitted. A new `itxn_begin` is required to prepare another inner transaction. + +## itxn + +- Syntax: `itxn F` where F: [txn](#field-group-txn) +- Bytecode: 0xb4 {uint8} +- Stack: ... → ..., any +- field F of the last inner transaction +- Availability: v5 +- Mode: Application + +## itxna + +- Syntax: `itxna F I` where F: [txna](#field-group-txna), I: a transaction field array index +- Bytecode: 0xb5 {uint8}, {uint8} +- Stack: ... → ..., any +- Ith value of the array field F of the last inner transaction +- Availability: v5 +- Mode: Application + +## itxn_next + +- Bytecode: 0xb6 +- Stack: ... → ... +- begin preparation of a new inner transaction in the same transaction group +- Availability: v6 +- Mode: Application + +`itxn_next` initializes the transaction exactly as `itxn_begin` does + +## gitxn + +- Syntax: `gitxn T F` where T: transaction group index, F: [txn](#field-group-txn) +- Bytecode: 0xb7 {uint8}, {uint8} +- Stack: ... → ..., any +- field F of the Tth transaction in the last inner group submitted +- Availability: v6 +- Mode: Application + +## gitxna + +- Syntax: `gitxna T F I` where T: transaction group index, F: [txna](#field-group-txna), I: transaction field array index +- Bytecode: 0xb8 {uint8}, {uint8}, {uint8} +- Stack: ... → ..., any +- Ith value of the array field F from the Tth transaction in the last inner group submitted +- Availability: v6 +- Mode: Application + +## box_create + +- Bytecode: 0xb9 +- Stack: ..., A: boxName, B: uint64 → ..., bool +- create a box named A, of length B. Fail if the name A is empty or B exceeds 32,768. Returns 0 if A already existed, else 1 +- Availability: v8 +- Mode: Application + +Newly created boxes are filled with 0 bytes. `box_create` will fail if the referenced box already exists with a different size. Otherwise, existing boxes are unchanged by `box_create`. + +## box_extract + +- Bytecode: 0xba +- Stack: ..., A: boxName, B: uint64, C: uint64 → ..., []byte +- read C bytes from box A, starting at offset B. Fail if A does not exist, or the byte range is outside A's size. +- Availability: v8 +- Mode: Application + +## box_replace + +- Bytecode: 0xbb +- Stack: ..., A: boxName, B: uint64, C: []byte → ... +- write byte-array C into box A, starting at offset B. Fail if A does not exist, or the byte range is outside A's size. +- Availability: v8 +- Mode: Application + +## box_del + +- Bytecode: 0xbc +- Stack: ..., A: boxName → ..., bool +- delete box named A if it exists. Return 1 if A existed, 0 otherwise +- Availability: v8 +- Mode: Application + +## box_len + +- Bytecode: 0xbd +- Stack: ..., A: boxName → ..., X: uint64, Y: bool +- X is the length of box A if A exists, else 0. Y is 1 if A exists, else 0. +- Availability: v8 +- Mode: Application + +## box_get + +- Bytecode: 0xbe +- Stack: ..., A: boxName → ..., X: []byte, Y: bool +- X is the contents of box A if A exists, else ''. Y is 1 if A exists, else 0. +- Availability: v8 +- Mode: Application + +For boxes that exceed 4,096 bytes, consider `box_create`, `box_extract`, and `box_replace` + +## box_put + +- Bytecode: 0xbf +- Stack: ..., A: boxName, B: []byte → ... +- replaces the contents of box A with byte-array B. Fails if A exists and len(B) != len(box A). Creates A if it does not exist +- Availability: v8 +- Mode: Application + +For boxes that exceed 4,096 bytes, consider `box_create`, `box_extract`, and `box_replace` + +## txnas + +- Syntax: `txnas F` where F: [txna](#field-group-txna) +- Bytecode: 0xc0 {uint8} +- Stack: ..., A: uint64 → ..., any +- Ath value of the array field F of the current transaction +- Availability: v5 + +## gtxnas + +- Syntax: `gtxnas T F` where T: transaction group index, F: [txna](#field-group-txna) +- Bytecode: 0xc1 {uint8}, {uint8} +- Stack: ..., A: uint64 → ..., any +- Ath value of the array field F from the Tth transaction in the current group +- Availability: v5 + +## gtxnsas + +- Syntax: `gtxnsas F` where F: [txna](#field-group-txna) +- Bytecode: 0xc2 {uint8} +- Stack: ..., A: uint64, B: uint64 → ..., any +- Bth value of the array field F from the Ath transaction in the current group +- Availability: v5 + +## args + +- Bytecode: 0xc3 +- Stack: ..., A: uint64 → ..., []byte +- Ath LogicSig argument +- Availability: v5 +- Mode: Signature + +## gloadss + +- Bytecode: 0xc4 +- Stack: ..., A: uint64, B: uint64 → ..., any +- Bth scratch space value of the Ath transaction in the current group +- Availability: v6 +- Mode: Application + +## itxnas + +- Syntax: `itxnas F` where F: [txna](#field-group-txna) +- Bytecode: 0xc5 {uint8} +- Stack: ..., A: uint64 → ..., any +- Ath value of the array field F of the last inner transaction +- Availability: v6 +- Mode: Application + +## gitxnas + +- Syntax: `gitxnas T F` where T: transaction group index, F: [txna](#field-group-txna) +- Bytecode: 0xc6 {uint8}, {uint8} +- Stack: ..., A: uint64 → ..., any +- Ath value of the array field F from the Tth transaction in the last inner group submitted +- Availability: v6 +- Mode: Application + +## vrf_verify + +- Syntax: `vrf_verify S` where S: [vrf_verify](#field-group-vrf_verify) +- Bytecode: 0xd0 {uint8} +- Stack: ..., A: []byte, B: [80]byte, C: [32]byte → ..., X: [64]byte, Y: bool +- Verify the proof B of message A against pubkey C. Returns vrf output and verification flag. +- **Cost**: 5700 +- Availability: v7 + +### vrf_verify + +Standards + +| Index | Name | Notes | +| - | ------ | --------- | +| 0 | VrfAlgorand | | + + +`VrfAlgorand` is the VRF used in Algorand. It is ECVRF-ED25519-SHA512-Elligator2, specified in the IETF internet draft [draft-irtf-cfrg-vrf-03](https://datatracker.ietf.org/doc/draft-irtf-cfrg-vrf/03/). + +## block + +- Syntax: `block F` where F: [block](#field-group-block) +- Bytecode: 0xd1 {uint8} +- Stack: ..., A: uint64 → ..., any +- field F of block A. Fail unless A falls between txn.LastValid-1002 and txn.FirstValid (exclusive) +- Availability: v7 + +### block + +Fields + +| Index | Name | Type | In | Notes | +| - | ------ | -- | - | --------- | +| 0 | BlkSeed | [32]byte | | | +| 1 | BlkTimestamp | uint64 | | | +| 2 | BlkProposer | address | v11 | | +| 3 | BlkFeesCollected | uint64 | v11 | | +| 4 | BlkBonus | uint64 | v11 | | +| 5 | BlkBranch | [32]byte | v11 | | +| 6 | BlkFeeSink | address | v11 | | +| 7 | BlkProtocol | []byte | v11 | | +| 8 | BlkTxnCounter | uint64 | v11 | | +| 9 | BlkProposerPayout | uint64 | v11 | | + + +## box_splice + +- Bytecode: 0xd2 +- Stack: ..., A: boxName, B: uint64, C: uint64, D: []byte → ... +- set box A to contain its previous bytes up to index B, followed by D, followed by the original bytes of A that began at index B+C. +- Availability: v10 +- Mode: Application + +Boxes are of constant length. If C < len(D), then len(D)-C bytes will be removed from the end. If C > len(D), zero bytes will be appended to the end to reach the box length. + +## box_resize + +- Bytecode: 0xd3 +- Stack: ..., A: boxName, B: uint64 → ... +- change the size of box named A to be of length B, adding zero bytes to end or removing bytes from the end, as needed. Fail if the name A is empty, A is not an existing box, or B exceeds 32,768. +- Availability: v10 +- Mode: Application + +## ec_add + +- Syntax: `ec_add G` where G: [EC](#field-group-ec) +- Bytecode: 0xe0 {uint8} +- Stack: ..., A: []byte, B: []byte → ..., []byte +- for curve points A and B, return the curve point A + B +- **Cost**: BN254g1=125; BN254g2=170; BLS12_381g1=205; BLS12_381g2=290 +- Availability: v10 + +### EC + +Groups + +| Index | Name | Notes | +| - | ------ | --------- | +| 0 | BN254g1 | G1 of the BN254 curve. Points encoded as 32 byte X following by 32 byte Y | +| 1 | BN254g2 | G2 of the BN254 curve. Points encoded as 64 byte X following by 64 byte Y | +| 2 | BLS12_381g1 | G1 of the BLS 12-381 curve. Points encoded as 48 byte X following by 48 byte Y | +| 3 | BLS12_381g2 | G2 of the BLS 12-381 curve. Points encoded as 96 byte X following by 96 byte Y | + + +A and B are curve points in affine representation: field element X concatenated with field element Y. Field element `Z` is encoded as follows. +For the base field elements (Fp), `Z` is encoded as a big-endian number and must be lower than the field modulus. +For the quadratic field extension (Fp2), `Z` is encoded as the concatenation of the individual encoding of the coefficients. For an Fp2 element of the form `Z = Z0 + Z1 i`, where `i` is a formal quadratic non-residue, the encoding of Z is the concatenation of the encoding of `Z0` and `Z1` in this order. (`Z0` and `Z1` must be less than the field modulus). + +The point at infinity is encoded as `(X,Y) = (0,0)`. +Groups G1 and G2 are denoted additively. + +Fails if A or B is not in G. +A and/or B are allowed to be the point at infinity. +Does _not_ check if A and B are in the main prime-order subgroup. + +## ec_scalar_mul + +- Syntax: `ec_scalar_mul G` where G: [EC](#field-group-ec) +- Bytecode: 0xe1 {uint8} +- Stack: ..., A: []byte, B: []byte → ..., []byte +- for curve point A and scalar B, return the curve point BA, the point A multiplied by the scalar B. +- **Cost**: BN254g1=1810; BN254g2=3430; BLS12_381g1=2950; BLS12_381g2=6530 +- Availability: v10 + +A is a curve point encoded and checked as described in `ec_add`. Scalar B is interpreted as a big-endian unsigned integer. Fails if B exceeds 32 bytes. + +## ec_pairing_check + +- Syntax: `ec_pairing_check G` where G: [EC](#field-group-ec) +- Bytecode: 0xe2 {uint8} +- Stack: ..., A: []byte, B: []byte → ..., bool +- 1 if the product of the pairing of each point in A with its respective point in B is equal to the identity element of the target group Gt, else 0 +- **Cost**: BN254g1=8000 + 7400 per 64 bytes of B; BN254g2=8000 + 7400 per 128 bytes of B; BLS12_381g1=13000 + 10000 per 96 bytes of B; BLS12_381g2=13000 + 10000 per 192 bytes of B +- Availability: v10 + +A and B are concatenated points, encoded and checked as described in `ec_add`. A contains points of the group G, B contains points of the associated group (G2 if G is G1, and vice versa). Fails if A and B have a different number of points, or if any point is not in its described group or outside the main prime-order subgroup - a stronger condition than other opcodes. AVM values are limited to 4096 bytes, so `ec_pairing_check` is limited by the size of the points in the groups being operated upon. + +## ec_multi_scalar_mul + +- Syntax: `ec_multi_scalar_mul G` where G: [EC](#field-group-ec) +- Bytecode: 0xe3 {uint8} +- Stack: ..., A: []byte, B: []byte → ..., []byte +- for curve points A and scalars B, return curve point B0A0 + B1A1 + B2A2 + ... + BnAn +- **Cost**: BN254g1=3600 + 90 per 32 bytes of B; BN254g2=7200 + 270 per 32 bytes of B; BLS12_381g1=6500 + 95 per 32 bytes of B; BLS12_381g2=14850 + 485 per 32 bytes of B +- Availability: v10 + +A is a list of concatenated points, encoded and checked as described in `ec_add`. B is a list of concatenated scalars which, unlike ec_scalar_mul, must all be exactly 32 bytes long. +The name `ec_multi_scalar_mul` was chosen to reflect common usage, but a more consistent name would be `ec_multi_scalar_mul`. AVM values are limited to 4096 bytes, so `ec_multi_scalar_mul` is limited by the size of the points in the group being operated upon. + +## ec_subgroup_check + +- Syntax: `ec_subgroup_check G` where G: [EC](#field-group-ec) +- Bytecode: 0xe4 {uint8} +- Stack: ..., A: []byte → ..., bool +- 1 if A is in the main prime-order subgroup of G (including the point at infinity) else 0. Program fails if A is not in G at all. +- **Cost**: BN254g1=20; BN254g2=3100; BLS12_381g1=1850; BLS12_381g2=2340 +- Availability: v10 + +## ec_map_to + +- Syntax: `ec_map_to G` where G: [EC](#field-group-ec) +- Bytecode: 0xe5 {uint8} +- Stack: ..., A: []byte → ..., []byte +- maps field element A to group G +- **Cost**: BN254g1=630; BN254g2=3300; BLS12_381g1=1950; BLS12_381g2=8150 +- Availability: v10 + +BN254 points are mapped by the SVDW map. BLS12-381 points are mapped by the SSWU map. +G1 element inputs are base field elements and G2 element inputs are quadratic field elements, with nearly the same encoding rules (for field elements) as defined in `ec_add`. There is one difference of encoding rule: G1 element inputs do not need to be 0-padded if they fit in less than 32 bytes for BN254 and less than 48 bytes for BLS12-381. (As usual, the empty byte array represents 0.) G2 elements inputs need to be always have the required size. + +## mimc + +- Syntax: `mimc C` where C: [Mimc Configurations](#field-group-mimc configurations) +- Bytecode: 0xe6 {uint8} +- Stack: ..., A: []byte → ..., [32]byte +- MiMC hash of scalars A, using curve and parameters specified by configuration C +- **Cost**: BN254Mp110=10 + 550 per 32 bytes of A; BLS12_381Mp111=10 + 550 per 32 bytes of A +- Availability: v11 + +### Mimc Configurations + +Parameters + +| Index | Name | Notes | +| - | ------ | --------- | +| 0 | BN254Mp110 | MiMC configuration for the BN254 curve with Miyaguchi-Preneel mode, 110 rounds, exponent 5, seed "seed" | +| 1 | BLS12_381Mp111 | MiMC configuration for the BLS12-381 curve with Miyaguchi-Preneel mode, 111 rounds, exponent 5, seed "seed" | + + +A is a list of concatenated 32 byte big-endian unsigned integer scalars. Fail if A's length is not a multiple of 32 or any element exceeds the curve modulus. + +The MiMC hash function has known collisions since any input which is a multiple of the elliptic curve modulus will hash to the same value. MiMC is thus not a general purpose hash function, but meant to be used in zero knowledge applications to match a zk-circuit implementation. diff --git a/data/transactions/logic/assembler_test.go b/data/transactions/logic/assembler_test.go index fa271469bb..db2fea24ff 100644 --- a/data/transactions/logic/assembler_test.go +++ b/data/transactions/logic/assembler_test.go @@ -563,7 +563,7 @@ func TestAssemble(t *testing.T) { } } -var experiments = []uint64{spOpcodesVersion, mimcVersion} +var experiments = []uint64{spOpcodesVersion} // TestExperimental forces a conscious choice to promote "experimental" opcode // groups. This will fail when we increment vFuture's LogicSigVersion. If we had diff --git a/data/transactions/logic/crypto.go b/data/transactions/logic/crypto.go index cb05242d8c..043f670ee5 100644 --- a/data/transactions/logic/crypto.go +++ b/data/transactions/logic/crypto.go @@ -65,9 +65,10 @@ func opMimc(cx *EvalContext) error { return fmt.Errorf("invalid mimc group %s", config) } - // unlike most hash.Hash objects, a mimc hasher has strict requirements. The - // input must be a multiple of the curve's encoded element size, and no - // element may exceed the corve modulus. + // unlike most hash.Hash objects, a mimc hasher has strict requirements, + // therefore Write() can return an error. The input must be a multiple of + // the curve's encoded element size, and no element may exceed the curve + // modulus. if _, err := mimc.Write(cx.Stack[last].Bytes); err != nil { return fmt.Errorf("invalid mimc input %w", err) } diff --git a/data/transactions/logic/doc.go b/data/transactions/logic/doc.go index 31c6944102..2b2f88b850 100644 --- a/data/transactions/logic/doc.go +++ b/data/transactions/logic/doc.go @@ -41,10 +41,10 @@ var opDescByName = map[string]OpDesc{ "sumhash512": {"sumhash512 of value A, yields [64]byte", "", nil}, "falcon_verify": {"for (data A, compressed-format signature B, pubkey C) verify the signature of data against the pubkey", "", nil}, - "mimc": {"MIMC hash of value A in the curve field specified by configuration C, yields [32]byte", "" + - "A is split into 32-byte chunks and written to the hasher to finally compute the MiMC hash. Fail if A's length is not a multiple of 32 or any chunk encodes a value greater than the curve modulus.\n\n" + - "Note that the MIMC hash function has known collisions since any input which is a multiple of the elliptic curve modulus it uses will hash to the same value.\n" + - "MIMC is thus not a general purpose hash function, but meant to be used in zero knowledge applications to match a zk-circuit implementation.", + "mimc": {"MiMC hash of scalars A, using curve and parameters specified by configuration C", "" + + "A is a list of concatenated 32 byte big-endian unsigned integer scalars. Fail if A's length is not a multiple of 32 or any element exceeds the curve modulus.\n\n" + + "The MiMC hash function has known collisions since any input which is a multiple of the elliptic curve modulus will hash to the same value. " + + "MiMC is thus not a general purpose hash function, but meant to be used in zero knowledge applications to match a zk-circuit implementation.", []string{"configuration index"}, }, diff --git a/data/transactions/logic/langspec_v11.json b/data/transactions/logic/langspec_v11.json new file mode 100644 index 0000000000..cb054ebcd8 --- /dev/null +++ b/data/transactions/logic/langspec_v11.json @@ -0,0 +1,4949 @@ +{ + "Version": 11, + "LogicSigVersion": 10, + "NamedTypes": [ + { + "Name": "[]byte", + "Abbreviation": "b", + "Bound": [ + 0, + 4096 + ], + "AVMType": "[]byte" + }, + { + "Name": "address", + "Abbreviation": "A", + "Bound": [ + 32, + 32 + ], + "AVMType": "[]byte" + }, + { + "Name": "any", + "Abbreviation": "a", + "Bound": [ + 0, + 0 + ], + "AVMType": "any" + }, + { + "Name": "bigint", + "Abbreviation": "I", + "Bound": [ + 0, + 64 + ], + "AVMType": "[]byte" + }, + { + "Name": "bool", + "Abbreviation": "T", + "Bound": [ + 0, + 1 + ], + "AVMType": "uint64" + }, + { + "Name": "boxName", + "Abbreviation": "N", + "Bound": [ + 1, + 64 + ], + "AVMType": "[]byte" + }, + { + "Name": "method", + "Abbreviation": "M", + "Bound": [ + 4, + 4 + ], + "AVMType": "[]byte" + }, + { + "Name": "none", + "Abbreviation": "x", + "Bound": [ + 0, + 0 + ], + "AVMType": "none" + }, + { + "Name": "stateKey", + "Abbreviation": "K", + "Bound": [ + 0, + 64 + ], + "AVMType": "[]byte" + }, + { + "Name": "uint64", + "Abbreviation": "i", + "Bound": [ + 0, + 18446744073709551615 + ], + "AVMType": "uint64" + } + ], + "Ops": [ + { + "Opcode": 0, + "Name": "err", + "Size": 1, + "DocCost": "1", + "Doc": "Fail immediately.", + "IntroducedVersion": 1, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 1, + "Name": "sha256", + "Args": [ + "[]byte" + ], + "Returns": [ + "[32]byte" + ], + "Size": 1, + "DocCost": "35", + "Doc": "SHA256 hash of value A, yields [32]byte", + "IntroducedVersion": 1, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 2, + "Name": "keccak256", + "Args": [ + "[]byte" + ], + "Returns": [ + "[32]byte" + ], + "Size": 1, + "DocCost": "130", + "Doc": "Keccak256 hash of value A, yields [32]byte", + "IntroducedVersion": 1, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 3, + "Name": "sha512_256", + "Args": [ + "[]byte" + ], + "Returns": [ + "[32]byte" + ], + "Size": 1, + "DocCost": "45", + "Doc": "SHA512_256 hash of value A, yields [32]byte", + "IntroducedVersion": 1, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 4, + "Name": "ed25519verify", + "Args": [ + "[]byte", + "[64]byte", + "[32]byte" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1900", + "Doc": "for (data A, signature B, pubkey C) verify the signature of (\"ProgData\" || program_hash || data) against the pubkey =\u003e {0 or 1}", + "DocExtra": "The 32 byte public key is the last element on the stack, preceded by the 64 byte signature at the second-to-last element on the stack, preceded by the data which was signed at the third-to-last element on the stack.", + "IntroducedVersion": 1, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 5, + "Name": "ecdsa_verify", + "Args": [ + "[32]byte", + "[32]byte", + "[32]byte", + "[32]byte", + "[32]byte" + ], + "Returns": [ + "bool" + ], + "Size": 2, + "ArgEnum": [ + "Secp256k1", + "Secp256r1" + ], + "DocCost": "Secp256k1=1700; Secp256r1=2500", + "Doc": "for (data A, signature B, C and pubkey D, E) verify the signature of the data against the pubkey =\u003e {0 or 1}", + "DocExtra": "The 32 byte Y-component of a public key is the last element on the stack, preceded by X-component of a pubkey, preceded by S and R components of a signature, preceded by the data that is fifth element on the stack. All values are big-endian encoded. The signed data must be 32 bytes long, and signatures in lower-S form are only accepted.", + "ImmediateNote": [ + { + "Comment": "curve index", + "Encoding": "uint8", + "Name": "V", + "Reference": "ECDSA" + } + ], + "IntroducedVersion": 5, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 6, + "Name": "ecdsa_pk_decompress", + "Args": [ + "[33]byte" + ], + "Returns": [ + "[32]byte", + "[32]byte" + ], + "Size": 2, + "ArgEnum": [ + "Secp256k1", + "Secp256r1" + ], + "DocCost": "Secp256k1=650; Secp256r1=2400", + "Doc": "decompress pubkey A into components X, Y", + "DocExtra": "The 33 byte public key in a compressed form to be decompressed into X and Y (top) components. All values are big-endian encoded.", + "ImmediateNote": [ + { + "Comment": "curve index", + "Encoding": "uint8", + "Name": "V", + "Reference": "ECDSA" + } + ], + "IntroducedVersion": 5, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 7, + "Name": "ecdsa_pk_recover", + "Args": [ + "[32]byte", + "uint64", + "[32]byte", + "[32]byte" + ], + "Returns": [ + "[32]byte", + "[32]byte" + ], + "Size": 2, + "ArgEnum": [ + "Secp256k1", + "Secp256r1" + ], + "DocCost": "2000", + "Doc": "for (data A, recovery id B, signature C, D) recover a public key", + "DocExtra": "S (top) and R elements of a signature, recovery id and data (bottom) are expected on the stack and used to deriver a public key. All values are big-endian encoded. The signed data must be 32 bytes long.", + "ImmediateNote": [ + { + "Comment": "curve index", + "Encoding": "uint8", + "Name": "V", + "Reference": "ECDSA" + } + ], + "IntroducedVersion": 5, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 8, + "Name": "+", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A plus B. Fail on overflow.", + "DocExtra": "Overflow is an error condition which halts execution and fails the transaction. Full precision is available from `addw`.", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 9, + "Name": "-", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A minus B. Fail if B \u003e A.", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 10, + "Name": "/", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A divided by B (truncated division). Fail if B == 0.", + "DocExtra": "`divmodw` is available to divide the two-element values produced by `mulw` and `addw`.", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 11, + "Name": "*", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A times B. Fail on overflow.", + "DocExtra": "Overflow is an error condition which halts execution and fails the transaction. Full precision is available from `mulw`.", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 12, + "Name": "\u003c", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A less than B =\u003e {0 or 1}", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 13, + "Name": "\u003e", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A greater than B =\u003e {0 or 1}", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 14, + "Name": "\u003c=", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A less than or equal to B =\u003e {0 or 1}", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 15, + "Name": "\u003e=", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A greater than or equal to B =\u003e {0 or 1}", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 16, + "Name": "\u0026\u0026", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A is not zero and B is not zero =\u003e {0 or 1}", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 17, + "Name": "||", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A is not zero or B is not zero =\u003e {0 or 1}", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 18, + "Name": "==", + "Args": [ + "any", + "any" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A is equal to B =\u003e {0 or 1}", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 19, + "Name": "!=", + "Args": [ + "any", + "any" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A is not equal to B =\u003e {0 or 1}", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 20, + "Name": "!", + "Args": [ + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A == 0 yields 1; else 0", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 21, + "Name": "len", + "Args": [ + "[]byte" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "yields length of byte value A", + "IntroducedVersion": 1, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 22, + "Name": "itob", + "Args": [ + "uint64" + ], + "Returns": [ + "[8]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "converts uint64 A to big-endian byte array, always of length 8", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 23, + "Name": "btoi", + "Args": [ + "[]byte" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "converts big-endian byte array A to uint64. Fails if len(A) \u003e 8. Padded by leading 0s if len(A) \u003c 8.", + "DocExtra": "`btoi` fails if the input is longer than 8 bytes.", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 24, + "Name": "%", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A modulo B. Fail if B == 0.", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 25, + "Name": "|", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A bitwise-or B", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 26, + "Name": "\u0026", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A bitwise-and B", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 27, + "Name": "^", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A bitwise-xor B", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 28, + "Name": "~", + "Args": [ + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "bitwise invert value A", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 29, + "Name": "mulw", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64", + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A times B as a 128-bit result in two uint64s. X is the high 64 bits, Y is the low", + "IntroducedVersion": 1, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 30, + "Name": "addw", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64", + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A plus B as a 128-bit result. X is the carry-bit, Y is the low-order 64 bits.", + "IntroducedVersion": 2, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 31, + "Name": "divmodw", + "Args": [ + "uint64", + "uint64", + "uint64", + "uint64" + ], + "Returns": [ + "uint64", + "uint64", + "uint64", + "uint64" + ], + "Size": 1, + "DocCost": "20", + "Doc": "W,X = (A,B / C,D); Y,Z = (A,B modulo C,D)", + "DocExtra": "The notation J,K indicates that two uint64 values J and K are interpreted as a uint128 value, with J as the high uint64 and K the low.", + "IntroducedVersion": 4, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 32, + "Name": "intcblock", + "Size": 0, + "DocCost": "1", + "Doc": "prepare block of uint64 constants for use by intc", + "DocExtra": "`intcblock` loads following program bytes into an array of integer constants in the evaluator. These integer constants can be referred to by `intc` and `intc_*` which will push the value onto the stack. Subsequent calls to `intcblock` reset and replace the integer constants available to the script.", + "ImmediateNote": [ + { + "Comment": "a block of int constant values", + "Encoding": "varuint count, [varuint ...]", + "Name": "UINT ..." + } + ], + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 33, + "Name": "intc", + "Returns": [ + "uint64" + ], + "Size": 2, + "DocCost": "1", + "Doc": "Ith constant from intcblock", + "ImmediateNote": [ + { + "Comment": "an index in the intcblock", + "Encoding": "uint8", + "Name": "I" + } + ], + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 34, + "Name": "intc_0", + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "constant 0 from intcblock", + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 35, + "Name": "intc_1", + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "constant 1 from intcblock", + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 36, + "Name": "intc_2", + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "constant 2 from intcblock", + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 37, + "Name": "intc_3", + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "constant 3 from intcblock", + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 38, + "Name": "bytecblock", + "Size": 0, + "DocCost": "1", + "Doc": "prepare block of byte-array constants for use by bytec", + "DocExtra": "`bytecblock` loads the following program bytes into an array of byte-array constants in the evaluator. These constants can be referred to by `bytec` and `bytec_*` which will push the value onto the stack. Subsequent calls to `bytecblock` reset and replace the bytes constants available to the script.", + "ImmediateNote": [ + { + "Comment": "a block of byte constant values", + "Encoding": "varuint count, [varuint length, bytes ...]", + "Name": "BYTES ..." + } + ], + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 39, + "Name": "bytec", + "Returns": [ + "[]byte" + ], + "Size": 2, + "DocCost": "1", + "Doc": "Ith constant from bytecblock", + "ImmediateNote": [ + { + "Comment": "an index in the bytecblock", + "Encoding": "uint8", + "Name": "I" + } + ], + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 40, + "Name": "bytec_0", + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "constant 0 from bytecblock", + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 41, + "Name": "bytec_1", + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "constant 1 from bytecblock", + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 42, + "Name": "bytec_2", + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "constant 2 from bytecblock", + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 43, + "Name": "bytec_3", + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "constant 3 from bytecblock", + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 44, + "Name": "arg", + "Returns": [ + "[]byte" + ], + "Size": 2, + "DocCost": "1", + "Doc": "Nth LogicSig argument", + "ImmediateNote": [ + { + "Comment": "an arg index", + "Encoding": "uint8", + "Name": "N" + } + ], + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 45, + "Name": "arg_0", + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "LogicSig argument 0", + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 46, + "Name": "arg_1", + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "LogicSig argument 1", + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 47, + "Name": "arg_2", + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "LogicSig argument 2", + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 48, + "Name": "arg_3", + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "LogicSig argument 3", + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 49, + "Name": "txn", + "Returns": [ + "any" + ], + "Size": 2, + "ArgEnum": [ + "Sender", + "Fee", + "FirstValid", + "FirstValidTime", + "LastValid", + "Note", + "Lease", + "Receiver", + "Amount", + "CloseRemainderTo", + "VotePK", + "SelectionPK", + "VoteFirst", + "VoteLast", + "VoteKeyDilution", + "Type", + "TypeEnum", + "XferAsset", + "AssetAmount", + "AssetSender", + "AssetReceiver", + "AssetCloseTo", + "GroupIndex", + "TxID", + "ApplicationID", + "OnCompletion", + "ApplicationArgs", + "NumAppArgs", + "Accounts", + "NumAccounts", + "ApprovalProgram", + "ClearStateProgram", + "RekeyTo", + "ConfigAsset", + "ConfigAssetTotal", + "ConfigAssetDecimals", + "ConfigAssetDefaultFrozen", + "ConfigAssetUnitName", + "ConfigAssetName", + "ConfigAssetURL", + "ConfigAssetMetadataHash", + "ConfigAssetManager", + "ConfigAssetReserve", + "ConfigAssetFreeze", + "ConfigAssetClawback", + "FreezeAsset", + "FreezeAssetAccount", + "FreezeAssetFrozen", + "Assets", + "NumAssets", + "Applications", + "NumApplications", + "GlobalNumUint", + "GlobalNumByteSlice", + "LocalNumUint", + "LocalNumByteSlice", + "ExtraProgramPages", + "Nonparticipation", + "Logs", + "NumLogs", + "CreatedAssetID", + "CreatedApplicationID", + "LastLog", + "StateProofPK", + "ApprovalProgramPages", + "NumApprovalProgramPages", + "ClearStateProgramPages", + "NumClearStateProgramPages" + ], + "ArgEnumTypes": [ + "address", + "uint64", + "uint64", + "uint64", + "uint64", + "[]byte", + "[32]byte", + "address", + "uint64", + "address", + "[32]byte", + "[32]byte", + "uint64", + "uint64", + "uint64", + "[]byte", + "uint64", + "uint64", + "uint64", + "address", + "address", + "address", + "uint64", + "[32]byte", + "uint64", + "uint64", + "[]byte", + "uint64", + "address", + "uint64", + "[]byte", + "[]byte", + "address", + "uint64", + "uint64", + "uint64", + "bool", + "[]byte", + "[]byte", + "[]byte", + "[32]byte", + "address", + "address", + "address", + "address", + "uint64", + "address", + "bool", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "bool", + "[]byte", + "uint64", + "uint64", + "uint64", + "[]byte", + "[]byte", + "[]byte", + "uint64", + "[]byte", + "uint64" + ], + "DocCost": "1", + "Doc": "field F of current transaction", + "ImmediateNote": [ + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txn" + } + ], + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 50, + "Name": "global", + "Returns": [ + "any" + ], + "Size": 2, + "ArgEnum": [ + "MinTxnFee", + "MinBalance", + "MaxTxnLife", + "ZeroAddress", + "GroupSize", + "LogicSigVersion", + "Round", + "LatestTimestamp", + "CurrentApplicationID", + "CreatorAddress", + "CurrentApplicationAddress", + "GroupID", + "OpcodeBudget", + "CallerApplicationID", + "CallerApplicationAddress", + "AssetCreateMinBalance", + "AssetOptInMinBalance", + "GenesisHash", + "PayoutsEnabled", + "PayoutsGoOnlineFee", + "PayoutsPercent", + "PayoutsMinBalance", + "PayoutsMaxBalance" + ], + "ArgEnumTypes": [ + "uint64", + "uint64", + "uint64", + "address", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "address", + "address", + "[32]byte", + "uint64", + "uint64", + "address", + "uint64", + "uint64", + "[32]byte", + "bool", + "uint64", + "uint64", + "uint64", + "uint64" + ], + "DocCost": "1", + "Doc": "global field F", + "ImmediateNote": [ + { + "Comment": "a global field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "global" + } + ], + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 51, + "Name": "gtxn", + "Returns": [ + "any" + ], + "Size": 3, + "ArgEnum": [ + "Sender", + "Fee", + "FirstValid", + "FirstValidTime", + "LastValid", + "Note", + "Lease", + "Receiver", + "Amount", + "CloseRemainderTo", + "VotePK", + "SelectionPK", + "VoteFirst", + "VoteLast", + "VoteKeyDilution", + "Type", + "TypeEnum", + "XferAsset", + "AssetAmount", + "AssetSender", + "AssetReceiver", + "AssetCloseTo", + "GroupIndex", + "TxID", + "ApplicationID", + "OnCompletion", + "ApplicationArgs", + "NumAppArgs", + "Accounts", + "NumAccounts", + "ApprovalProgram", + "ClearStateProgram", + "RekeyTo", + "ConfigAsset", + "ConfigAssetTotal", + "ConfigAssetDecimals", + "ConfigAssetDefaultFrozen", + "ConfigAssetUnitName", + "ConfigAssetName", + "ConfigAssetURL", + "ConfigAssetMetadataHash", + "ConfigAssetManager", + "ConfigAssetReserve", + "ConfigAssetFreeze", + "ConfigAssetClawback", + "FreezeAsset", + "FreezeAssetAccount", + "FreezeAssetFrozen", + "Assets", + "NumAssets", + "Applications", + "NumApplications", + "GlobalNumUint", + "GlobalNumByteSlice", + "LocalNumUint", + "LocalNumByteSlice", + "ExtraProgramPages", + "Nonparticipation", + "Logs", + "NumLogs", + "CreatedAssetID", + "CreatedApplicationID", + "LastLog", + "StateProofPK", + "ApprovalProgramPages", + "NumApprovalProgramPages", + "ClearStateProgramPages", + "NumClearStateProgramPages" + ], + "ArgEnumTypes": [ + "address", + "uint64", + "uint64", + "uint64", + "uint64", + "[]byte", + "[32]byte", + "address", + "uint64", + "address", + "[32]byte", + "[32]byte", + "uint64", + "uint64", + "uint64", + "[]byte", + "uint64", + "uint64", + "uint64", + "address", + "address", + "address", + "uint64", + "[32]byte", + "uint64", + "uint64", + "[]byte", + "uint64", + "address", + "uint64", + "[]byte", + "[]byte", + "address", + "uint64", + "uint64", + "uint64", + "bool", + "[]byte", + "[]byte", + "[]byte", + "[32]byte", + "address", + "address", + "address", + "address", + "uint64", + "address", + "bool", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "bool", + "[]byte", + "uint64", + "uint64", + "uint64", + "[]byte", + "[]byte", + "[]byte", + "uint64", + "[]byte", + "uint64" + ], + "DocCost": "1", + "Doc": "field F of the Tth transaction in the current group", + "DocExtra": "for notes on transaction fields available, see `txn`. If this transaction is _i_ in the group, `gtxn i field` is equivalent to `txn field`.", + "ImmediateNote": [ + { + "Comment": "transaction group index", + "Encoding": "uint8", + "Name": "T" + }, + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txn" + } + ], + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 52, + "Name": "load", + "Returns": [ + "any" + ], + "Size": 2, + "DocCost": "1", + "Doc": "Ith scratch space value. All scratch spaces are 0 at program start.", + "ImmediateNote": [ + { + "Comment": "position in scratch space to load from", + "Encoding": "uint8", + "Name": "I" + } + ], + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 53, + "Name": "store", + "Args": [ + "any" + ], + "Size": 2, + "DocCost": "1", + "Doc": "store A to the Ith scratch space", + "ImmediateNote": [ + { + "Comment": "position in scratch space to store to", + "Encoding": "uint8", + "Name": "I" + } + ], + "IntroducedVersion": 1, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 54, + "Name": "txna", + "Returns": [ + "any" + ], + "Size": 3, + "ArgEnum": [ + "ApplicationArgs", + "Accounts", + "Assets", + "Applications", + "Logs", + "ApprovalProgramPages", + "ClearStateProgramPages" + ], + "ArgEnumTypes": [ + "[]byte", + "address", + "uint64", + "uint64", + "[]byte", + "[]byte", + "[]byte" + ], + "DocCost": "1", + "Doc": "Ith value of the array field F of the current transaction\n`txna` can be called using `txn` with 2 immediates.", + "ImmediateNote": [ + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txna" + }, + { + "Comment": "transaction field array index", + "Encoding": "uint8", + "Name": "I" + } + ], + "IntroducedVersion": 2, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 55, + "Name": "gtxna", + "Returns": [ + "any" + ], + "Size": 4, + "ArgEnum": [ + "ApplicationArgs", + "Accounts", + "Assets", + "Applications", + "Logs", + "ApprovalProgramPages", + "ClearStateProgramPages" + ], + "ArgEnumTypes": [ + "[]byte", + "address", + "uint64", + "uint64", + "[]byte", + "[]byte", + "[]byte" + ], + "DocCost": "1", + "Doc": "Ith value of the array field F from the Tth transaction in the current group\n`gtxna` can be called using `gtxn` with 3 immediates.", + "ImmediateNote": [ + { + "Comment": "transaction group index", + "Encoding": "uint8", + "Name": "T" + }, + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txna" + }, + { + "Comment": "transaction field array index", + "Encoding": "uint8", + "Name": "I" + } + ], + "IntroducedVersion": 2, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 56, + "Name": "gtxns", + "Args": [ + "uint64" + ], + "Returns": [ + "any" + ], + "Size": 2, + "ArgEnum": [ + "Sender", + "Fee", + "FirstValid", + "FirstValidTime", + "LastValid", + "Note", + "Lease", + "Receiver", + "Amount", + "CloseRemainderTo", + "VotePK", + "SelectionPK", + "VoteFirst", + "VoteLast", + "VoteKeyDilution", + "Type", + "TypeEnum", + "XferAsset", + "AssetAmount", + "AssetSender", + "AssetReceiver", + "AssetCloseTo", + "GroupIndex", + "TxID", + "ApplicationID", + "OnCompletion", + "ApplicationArgs", + "NumAppArgs", + "Accounts", + "NumAccounts", + "ApprovalProgram", + "ClearStateProgram", + "RekeyTo", + "ConfigAsset", + "ConfigAssetTotal", + "ConfigAssetDecimals", + "ConfigAssetDefaultFrozen", + "ConfigAssetUnitName", + "ConfigAssetName", + "ConfigAssetURL", + "ConfigAssetMetadataHash", + "ConfigAssetManager", + "ConfigAssetReserve", + "ConfigAssetFreeze", + "ConfigAssetClawback", + "FreezeAsset", + "FreezeAssetAccount", + "FreezeAssetFrozen", + "Assets", + "NumAssets", + "Applications", + "NumApplications", + "GlobalNumUint", + "GlobalNumByteSlice", + "LocalNumUint", + "LocalNumByteSlice", + "ExtraProgramPages", + "Nonparticipation", + "Logs", + "NumLogs", + "CreatedAssetID", + "CreatedApplicationID", + "LastLog", + "StateProofPK", + "ApprovalProgramPages", + "NumApprovalProgramPages", + "ClearStateProgramPages", + "NumClearStateProgramPages" + ], + "ArgEnumTypes": [ + "address", + "uint64", + "uint64", + "uint64", + "uint64", + "[]byte", + "[32]byte", + "address", + "uint64", + "address", + "[32]byte", + "[32]byte", + "uint64", + "uint64", + "uint64", + "[]byte", + "uint64", + "uint64", + "uint64", + "address", + "address", + "address", + "uint64", + "[32]byte", + "uint64", + "uint64", + "[]byte", + "uint64", + "address", + "uint64", + "[]byte", + "[]byte", + "address", + "uint64", + "uint64", + "uint64", + "bool", + "[]byte", + "[]byte", + "[]byte", + "[32]byte", + "address", + "address", + "address", + "address", + "uint64", + "address", + "bool", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "bool", + "[]byte", + "uint64", + "uint64", + "uint64", + "[]byte", + "[]byte", + "[]byte", + "uint64", + "[]byte", + "uint64" + ], + "DocCost": "1", + "Doc": "field F of the Ath transaction in the current group", + "DocExtra": "for notes on transaction fields available, see `txn`. If top of stack is _i_, `gtxns field` is equivalent to `gtxn _i_ field`. gtxns exists so that _i_ can be calculated, often based on the index of the current transaction.", + "ImmediateNote": [ + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txn" + } + ], + "IntroducedVersion": 3, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 57, + "Name": "gtxnsa", + "Args": [ + "uint64" + ], + "Returns": [ + "any" + ], + "Size": 3, + "ArgEnum": [ + "ApplicationArgs", + "Accounts", + "Assets", + "Applications", + "Logs", + "ApprovalProgramPages", + "ClearStateProgramPages" + ], + "ArgEnumTypes": [ + "[]byte", + "address", + "uint64", + "uint64", + "[]byte", + "[]byte", + "[]byte" + ], + "DocCost": "1", + "Doc": "Ith value of the array field F from the Ath transaction in the current group\n`gtxnsa` can be called using `gtxns` with 2 immediates.", + "ImmediateNote": [ + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txna" + }, + { + "Comment": "transaction field array index", + "Encoding": "uint8", + "Name": "I" + } + ], + "IntroducedVersion": 3, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 58, + "Name": "gload", + "Returns": [ + "any" + ], + "Size": 3, + "DocCost": "1", + "Doc": "Ith scratch space value of the Tth transaction in the current group", + "DocExtra": "`gload` fails unless the requested transaction is an ApplicationCall and T \u003c GroupIndex.", + "ImmediateNote": [ + { + "Comment": "transaction group index", + "Encoding": "uint8", + "Name": "T" + }, + { + "Comment": "position in scratch space to load from", + "Encoding": "uint8", + "Name": "I" + } + ], + "IntroducedVersion": 4, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 59, + "Name": "gloads", + "Args": [ + "uint64" + ], + "Returns": [ + "any" + ], + "Size": 2, + "DocCost": "1", + "Doc": "Ith scratch space value of the Ath transaction in the current group", + "DocExtra": "`gloads` fails unless the requested transaction is an ApplicationCall and A \u003c GroupIndex.", + "ImmediateNote": [ + { + "Comment": "position in scratch space to load from", + "Encoding": "uint8", + "Name": "I" + } + ], + "IntroducedVersion": 4, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 60, + "Name": "gaid", + "Returns": [ + "uint64" + ], + "Size": 2, + "DocCost": "1", + "Doc": "ID of the asset or application created in the Tth transaction of the current group", + "DocExtra": "`gaid` fails unless the requested transaction created an asset or application and T \u003c GroupIndex.", + "ImmediateNote": [ + { + "Comment": "transaction group index", + "Encoding": "uint8", + "Name": "T" + } + ], + "IntroducedVersion": 4, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 61, + "Name": "gaids", + "Args": [ + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "ID of the asset or application created in the Ath transaction of the current group", + "DocExtra": "`gaids` fails unless the requested transaction created an asset or application and A \u003c GroupIndex.", + "IntroducedVersion": 4, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 62, + "Name": "loads", + "Args": [ + "uint64" + ], + "Returns": [ + "any" + ], + "Size": 1, + "DocCost": "1", + "Doc": "Ath scratch space value. All scratch spaces are 0 at program start.", + "IntroducedVersion": 5, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 63, + "Name": "stores", + "Args": [ + "uint64", + "any" + ], + "Size": 1, + "DocCost": "1", + "Doc": "store B to the Ath scratch space", + "IntroducedVersion": 5, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 64, + "Name": "bnz", + "Args": [ + "uint64" + ], + "Size": 3, + "DocCost": "1", + "Doc": "branch to TARGET if value A is not zero", + "DocExtra": "The `bnz` instruction opcode 0x40 is followed by two immediate data bytes which are a high byte first and low byte second which together form a 16 bit offset which the instruction may branch to. For a bnz instruction at `pc`, if the last element of the stack is not zero then branch to instruction at `pc + 3 + N`, else proceed to next instruction at `pc + 3`. Branch targets must be aligned instructions. (e.g. Branching to the second byte of a 2 byte op will be rejected.) Starting at v4, the offset is treated as a signed 16 bit integer allowing for backward branches and looping. In prior version (v1 to v3), branch offsets are limited to forward branches only, 0-0x7fff.\n\nAt v2 it became allowed to branch to the end of the program exactly after the last instruction: bnz to byte N (with 0-indexing) was illegal for a TEAL program with N bytes before v2, and is legal after it. This change eliminates the need for a last instruction of no-op as a branch target at the end. (Branching beyond the end--in other words, to a byte larger than N--is still illegal and will cause the program to fail.)", + "ImmediateNote": [ + { + "Comment": "branch offset", + "Encoding": "int16 (big-endian)", + "Name": "TARGET" + } + ], + "IntroducedVersion": 1, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 65, + "Name": "bz", + "Args": [ + "uint64" + ], + "Size": 3, + "DocCost": "1", + "Doc": "branch to TARGET if value A is zero", + "DocExtra": "See `bnz` for details on how branches work. `bz` inverts the behavior of `bnz`.", + "ImmediateNote": [ + { + "Comment": "branch offset", + "Encoding": "int16 (big-endian)", + "Name": "TARGET" + } + ], + "IntroducedVersion": 2, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 66, + "Name": "b", + "Size": 3, + "DocCost": "1", + "Doc": "branch unconditionally to TARGET", + "DocExtra": "See `bnz` for details on how branches work. `b` always jumps to the offset.", + "ImmediateNote": [ + { + "Comment": "branch offset", + "Encoding": "int16 (big-endian)", + "Name": "TARGET" + } + ], + "IntroducedVersion": 2, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 67, + "Name": "return", + "Args": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "use A as success value; end", + "IntroducedVersion": 2, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 68, + "Name": "assert", + "Args": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "immediately fail unless A is a non-zero number", + "IntroducedVersion": 3, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 69, + "Name": "bury", + "Args": [ + "any" + ], + "Size": 2, + "DocCost": "1", + "Doc": "replace the Nth value from the top of the stack with A. bury 0 fails.", + "ImmediateNote": [ + { + "Comment": "depth", + "Encoding": "uint8", + "Name": "N" + } + ], + "IntroducedVersion": 8, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 70, + "Name": "popn", + "Size": 2, + "DocCost": "1", + "Doc": "remove N values from the top of the stack", + "ImmediateNote": [ + { + "Comment": "stack depth", + "Encoding": "uint8", + "Name": "N" + } + ], + "IntroducedVersion": 8, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 71, + "Name": "dupn", + "Args": [ + "any" + ], + "Size": 2, + "DocCost": "1", + "Doc": "duplicate A, N times", + "ImmediateNote": [ + { + "Comment": "copy count", + "Encoding": "uint8", + "Name": "N" + } + ], + "IntroducedVersion": 8, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 72, + "Name": "pop", + "Args": [ + "any" + ], + "Size": 1, + "DocCost": "1", + "Doc": "discard A", + "IntroducedVersion": 1, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 73, + "Name": "dup", + "Args": [ + "any" + ], + "Returns": [ + "any", + "any" + ], + "Size": 1, + "DocCost": "1", + "Doc": "duplicate A", + "IntroducedVersion": 1, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 74, + "Name": "dup2", + "Args": [ + "any", + "any" + ], + "Returns": [ + "any", + "any", + "any", + "any" + ], + "Size": 1, + "DocCost": "1", + "Doc": "duplicate A and B", + "IntroducedVersion": 2, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 75, + "Name": "dig", + "Args": [ + "any" + ], + "Returns": [ + "any", + "any" + ], + "Size": 2, + "DocCost": "1", + "Doc": "Nth value from the top of the stack. dig 0 is equivalent to dup", + "ImmediateNote": [ + { + "Comment": "depth", + "Encoding": "uint8", + "Name": "N" + } + ], + "IntroducedVersion": 3, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 76, + "Name": "swap", + "Args": [ + "any", + "any" + ], + "Returns": [ + "any", + "any" + ], + "Size": 1, + "DocCost": "1", + "Doc": "swaps A and B on stack", + "IntroducedVersion": 3, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 77, + "Name": "select", + "Args": [ + "any", + "any", + "uint64" + ], + "Returns": [ + "any" + ], + "Size": 1, + "DocCost": "1", + "Doc": "selects one of two values based on top-of-stack: B if C != 0, else A", + "IntroducedVersion": 3, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 78, + "Name": "cover", + "Args": [ + "any" + ], + "Returns": [ + "any" + ], + "Size": 2, + "DocCost": "1", + "Doc": "remove top of stack, and place it deeper in the stack such that N elements are above it. Fails if stack depth \u003c= N.", + "ImmediateNote": [ + { + "Comment": "depth", + "Encoding": "uint8", + "Name": "N" + } + ], + "IntroducedVersion": 5, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 79, + "Name": "uncover", + "Args": [ + "any" + ], + "Returns": [ + "any" + ], + "Size": 2, + "DocCost": "1", + "Doc": "remove the value at depth N in the stack and shift above items down so the Nth deep value is on top of the stack. Fails if stack depth \u003c= N.", + "ImmediateNote": [ + { + "Comment": "depth", + "Encoding": "uint8", + "Name": "N" + } + ], + "IntroducedVersion": 5, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 80, + "Name": "concat", + "Args": [ + "[]byte", + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "join A and B", + "DocExtra": "`concat` fails if the result would be greater than 4096 bytes.", + "IntroducedVersion": 2, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 81, + "Name": "substring", + "Args": [ + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 3, + "DocCost": "1", + "Doc": "A range of bytes from A starting at S up to but not including E. If E \u003c S, or either is larger than the array length, the program fails", + "ImmediateNote": [ + { + "Comment": "start position", + "Encoding": "uint8", + "Name": "S" + }, + { + "Comment": "end position", + "Encoding": "uint8", + "Name": "E" + } + ], + "IntroducedVersion": 2, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 82, + "Name": "substring3", + "Args": [ + "[]byte", + "uint64", + "uint64" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A range of bytes from A starting at B up to but not including C. If C \u003c B, or either is larger than the array length, the program fails", + "IntroducedVersion": 2, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 83, + "Name": "getbit", + "Args": [ + "any", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "Bth bit of (byte-array or integer) A. If B is greater than or equal to the bit length of the value (8*byte length), the program fails", + "DocExtra": "see explanation of bit ordering in setbit", + "IntroducedVersion": 3, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 84, + "Name": "setbit", + "Args": [ + "any", + "uint64", + "uint64" + ], + "Returns": [ + "any" + ], + "Size": 1, + "DocCost": "1", + "Doc": "Copy of (byte-array or integer) A, with the Bth bit set to (0 or 1) C. If B is greater than or equal to the bit length of the value (8*byte length), the program fails", + "DocExtra": "When A is a uint64, index 0 is the least significant bit. Setting bit 3 to 1 on the integer 0 yields 8, or 2^3. When A is a byte array, index 0 is the leftmost bit of the leftmost byte. Setting bits 0 through 11 to 1 in a 4-byte-array of 0s yields the byte array 0xfff00000. Setting bit 3 to 1 on the 1-byte-array 0x00 yields the byte array 0x10.", + "IntroducedVersion": 3, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 85, + "Name": "getbyte", + "Args": [ + "[]byte", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "Bth byte of A, as an integer. If B is greater than or equal to the array length, the program fails", + "IntroducedVersion": 3, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 86, + "Name": "setbyte", + "Args": [ + "[]byte", + "uint64", + "uint64" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "Copy of A with the Bth byte set to small integer (between 0..255) C. If B is greater than or equal to the array length, the program fails", + "IntroducedVersion": 3, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 87, + "Name": "extract", + "Args": [ + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 3, + "DocCost": "1", + "Doc": "A range of bytes from A starting at S up to but not including S+L. If L is 0, then extract to the end of the string. If S or S+L is larger than the array length, the program fails", + "ImmediateNote": [ + { + "Comment": "start position", + "Encoding": "uint8", + "Name": "S" + }, + { + "Comment": "length", + "Encoding": "uint8", + "Name": "L" + } + ], + "IntroducedVersion": 5, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 88, + "Name": "extract3", + "Args": [ + "[]byte", + "uint64", + "uint64" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A range of bytes from A starting at B up to but not including B+C. If B+C is larger than the array length, the program fails\n`extract3` can be called using `extract` with no immediates.", + "IntroducedVersion": 5, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 89, + "Name": "extract_uint16", + "Args": [ + "[]byte", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A uint16 formed from a range of big-endian bytes from A starting at B up to but not including B+2. If B+2 is larger than the array length, the program fails", + "IntroducedVersion": 5, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 90, + "Name": "extract_uint32", + "Args": [ + "[]byte", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A uint32 formed from a range of big-endian bytes from A starting at B up to but not including B+4. If B+4 is larger than the array length, the program fails", + "IntroducedVersion": 5, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 91, + "Name": "extract_uint64", + "Args": [ + "[]byte", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A uint64 formed from a range of big-endian bytes from A starting at B up to but not including B+8. If B+8 is larger than the array length, the program fails", + "IntroducedVersion": 5, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 92, + "Name": "replace2", + "Args": [ + "[]byte", + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 2, + "DocCost": "1", + "Doc": "Copy of A with the bytes starting at S replaced by the bytes of B. Fails if S+len(B) exceeds len(A)\n`replace2` can be called using `replace` with 1 immediate.", + "ImmediateNote": [ + { + "Comment": "start position", + "Encoding": "uint8", + "Name": "S" + } + ], + "IntroducedVersion": 7, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 93, + "Name": "replace3", + "Args": [ + "[]byte", + "uint64", + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "Copy of A with the bytes starting at B replaced by the bytes of C. Fails if B+len(C) exceeds len(A)\n`replace3` can be called using `replace` with no immediates.", + "IntroducedVersion": 7, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 94, + "Name": "base64_decode", + "Args": [ + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 2, + "ArgEnum": [ + "URLEncoding", + "StdEncoding" + ], + "ArgEnumTypes": [ + "any", + "any" + ], + "DocCost": "1 + 1 per 16 bytes of A", + "Doc": "decode A which was base64-encoded using _encoding_ E. Fail if A is not base64 encoded with encoding E", + "DocExtra": "*Warning*: Usage should be restricted to very rare use cases. In almost all cases, smart contracts should directly handle non-encoded byte-strings.\tThis opcode should only be used in cases where base64 is the only available option, e.g. interoperability with a third-party that only signs base64 strings.\n\n Decodes A using the base64 encoding E. Specify the encoding with an immediate arg either as URL and Filename Safe (`URLEncoding`) or Standard (`StdEncoding`). See [RFC 4648 sections 4 and 5](https://rfc-editor.org/rfc/rfc4648.html#section-4). It is assumed that the encoding ends with the exact number of `=` padding characters as required by the RFC. When padding occurs, any unused pad bits in the encoding must be set to zero or the decoding will fail. The special cases of `\\n` and `\\r` are allowed but completely ignored. An error will result when attempting to decode a string with a character that is not in the encoding alphabet or not one of `=`, `\\r`, or `\\n`.", + "ImmediateNote": [ + { + "Comment": "encoding index", + "Encoding": "uint8", + "Name": "E", + "Reference": "base64" + } + ], + "IntroducedVersion": 7, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 95, + "Name": "json_ref", + "Args": [ + "[]byte", + "[]byte" + ], + "Returns": [ + "any" + ], + "Size": 2, + "ArgEnum": [ + "JSONString", + "JSONUint64", + "JSONObject" + ], + "ArgEnumTypes": [ + "[]byte", + "uint64", + "[]byte" + ], + "DocCost": "25 + 2 per 7 bytes of A", + "Doc": "key B's value, of type R, from a [valid](jsonspec.md) utf-8 encoded json object A", + "DocExtra": "*Warning*: Usage should be restricted to very rare use cases, as JSON decoding is expensive and quite limited. In addition, JSON objects are large and not optimized for size.\n\nAlmost all smart contracts should use simpler and smaller methods (such as the [ABI](https://arc.algorand.foundation/ARCs/arc-0004). This opcode should only be used in cases where JSON is only available option, e.g. when a third-party only signs JSON.", + "ImmediateNote": [ + { + "Comment": "return type index", + "Encoding": "uint8", + "Name": "R", + "Reference": "json_ref" + } + ], + "IntroducedVersion": 7, + "Groups": [ + "Byte Array Manipulation" + ] + }, + { + "Opcode": 96, + "Name": "balance", + "Args": [ + "any" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "balance for account A, in microalgos. The balance is observed after the effects of previous transactions in the group, and after the fee for the current transaction is deducted. Changes caused by inner transactions are observable immediately following `itxn_submit`", + "DocExtra": "params: Txn.Accounts offset (or, since v4, an _available_ account address), _available_ application id (or, since v4, a Txn.ForeignApps offset). Return: value.", + "IntroducedVersion": 2, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 97, + "Name": "app_opted_in", + "Args": [ + "any", + "uint64" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "1 if account A is opted in to application B, else 0", + "DocExtra": "params: Txn.Accounts offset (or, since v4, an _available_ account address), _available_ application id (or, since v4, a Txn.ForeignApps offset). Return: 1 if opted in and 0 otherwise.", + "IntroducedVersion": 2, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 98, + "Name": "app_local_get", + "Args": [ + "any", + "stateKey" + ], + "Returns": [ + "any" + ], + "Size": 1, + "DocCost": "1", + "Doc": "local state of the key B in the current application in account A", + "DocExtra": "params: Txn.Accounts offset (or, since v4, an _available_ account address), state key. Return: value. The value is zero (of type uint64) if the key does not exist.", + "IntroducedVersion": 2, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 99, + "Name": "app_local_get_ex", + "Args": [ + "any", + "uint64", + "stateKey" + ], + "Returns": [ + "any", + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "X is the local state of application B, key C in account A. Y is 1 if key existed, else 0", + "DocExtra": "params: Txn.Accounts offset (or, since v4, an _available_ account address), _available_ application id (or, since v4, a Txn.ForeignApps offset), state key. Return: did_exist flag (top of the stack, 1 if the application and key existed and 0 otherwise), value. The value is zero (of type uint64) if the key does not exist.", + "IntroducedVersion": 2, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 100, + "Name": "app_global_get", + "Args": [ + "stateKey" + ], + "Returns": [ + "any" + ], + "Size": 1, + "DocCost": "1", + "Doc": "global state of the key A in the current application", + "DocExtra": "params: state key. Return: value. The value is zero (of type uint64) if the key does not exist.", + "IntroducedVersion": 2, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 101, + "Name": "app_global_get_ex", + "Args": [ + "uint64", + "stateKey" + ], + "Returns": [ + "any", + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "X is the global state of application A, key B. Y is 1 if key existed, else 0", + "DocExtra": "params: Txn.ForeignApps offset (or, since v4, an _available_ application id), state key. Return: did_exist flag (top of the stack, 1 if the application and key existed and 0 otherwise), value. The value is zero (of type uint64) if the key does not exist.", + "IntroducedVersion": 2, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 102, + "Name": "app_local_put", + "Args": [ + "any", + "stateKey", + "any" + ], + "Size": 1, + "DocCost": "1", + "Doc": "write C to key B in account A's local state of the current application", + "DocExtra": "params: Txn.Accounts offset (or, since v4, an _available_ account address), state key, value.", + "IntroducedVersion": 2, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 103, + "Name": "app_global_put", + "Args": [ + "stateKey", + "any" + ], + "Size": 1, + "DocCost": "1", + "Doc": "write B to key A in the global state of the current application", + "IntroducedVersion": 2, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 104, + "Name": "app_local_del", + "Args": [ + "any", + "stateKey" + ], + "Size": 1, + "DocCost": "1", + "Doc": "delete key B from account A's local state of the current application", + "DocExtra": "params: Txn.Accounts offset (or, since v4, an _available_ account address), state key.\n\nDeleting a key which is already absent has no effect on the application local state. (In particular, it does _not_ cause the program to fail.)", + "IntroducedVersion": 2, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 105, + "Name": "app_global_del", + "Args": [ + "stateKey" + ], + "Size": 1, + "DocCost": "1", + "Doc": "delete key A from the global state of the current application", + "DocExtra": "params: state key.\n\nDeleting a key which is already absent has no effect on the application global state. (In particular, it does _not_ cause the program to fail.)", + "IntroducedVersion": 2, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 112, + "Name": "asset_holding_get", + "Args": [ + "any", + "uint64" + ], + "Returns": [ + "any", + "bool" + ], + "Size": 2, + "ArgEnum": [ + "AssetBalance", + "AssetFrozen" + ], + "ArgEnumTypes": [ + "uint64", + "bool" + ], + "DocCost": "1", + "Doc": "X is field F from account A's holding of asset B. Y is 1 if A is opted into B, else 0", + "DocExtra": "params: Txn.Accounts offset (or, since v4, an _available_ address), asset id (or, since v4, a Txn.ForeignAssets offset). Return: did_exist flag (1 if the asset existed and 0 otherwise), value.", + "ImmediateNote": [ + { + "Comment": "asset holding field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "asset_holding" + } + ], + "IntroducedVersion": 2, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 113, + "Name": "asset_params_get", + "Args": [ + "uint64" + ], + "Returns": [ + "any", + "bool" + ], + "Size": 2, + "ArgEnum": [ + "AssetTotal", + "AssetDecimals", + "AssetDefaultFrozen", + "AssetUnitName", + "AssetName", + "AssetURL", + "AssetMetadataHash", + "AssetManager", + "AssetReserve", + "AssetFreeze", + "AssetClawback", + "AssetCreator" + ], + "ArgEnumTypes": [ + "uint64", + "uint64", + "bool", + "[]byte", + "[]byte", + "[]byte", + "[32]byte", + "address", + "address", + "address", + "address", + "address" + ], + "DocCost": "1", + "Doc": "X is field F from asset A. Y is 1 if A exists, else 0", + "DocExtra": "params: Txn.ForeignAssets offset (or, since v4, an _available_ asset id. Return: did_exist flag (1 if the asset existed and 0 otherwise), value.", + "ImmediateNote": [ + { + "Comment": "asset params field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "asset_params" + } + ], + "IntroducedVersion": 2, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 114, + "Name": "app_params_get", + "Args": [ + "uint64" + ], + "Returns": [ + "any", + "bool" + ], + "Size": 2, + "ArgEnum": [ + "AppApprovalProgram", + "AppClearStateProgram", + "AppGlobalNumUint", + "AppGlobalNumByteSlice", + "AppLocalNumUint", + "AppLocalNumByteSlice", + "AppExtraProgramPages", + "AppCreator", + "AppAddress" + ], + "ArgEnumTypes": [ + "[]byte", + "[]byte", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "address", + "address" + ], + "DocCost": "1", + "Doc": "X is field F from app A. Y is 1 if A exists, else 0", + "DocExtra": "params: Txn.ForeignApps offset or an _available_ app id. Return: did_exist flag (1 if the application existed and 0 otherwise), value.", + "ImmediateNote": [ + { + "Comment": "app params field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "app_params" + } + ], + "IntroducedVersion": 5, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 115, + "Name": "acct_params_get", + "Args": [ + "any" + ], + "Returns": [ + "any", + "bool" + ], + "Size": 2, + "ArgEnum": [ + "AcctBalance", + "AcctMinBalance", + "AcctAuthAddr", + "AcctTotalNumUint", + "AcctTotalNumByteSlice", + "AcctTotalExtraAppPages", + "AcctTotalAppsCreated", + "AcctTotalAppsOptedIn", + "AcctTotalAssetsCreated", + "AcctTotalAssets", + "AcctTotalBoxes", + "AcctTotalBoxBytes", + "AcctIncentiveEligible", + "AcctLastProposed", + "AcctLastHeartbeat" + ], + "ArgEnumTypes": [ + "uint64", + "uint64", + "address", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "bool", + "uint64", + "uint64" + ], + "DocCost": "1", + "Doc": "X is field F from account A. Y is 1 if A owns positive algos, else 0", + "ImmediateNote": [ + { + "Comment": "account params field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "acct_params" + } + ], + "IntroducedVersion": 6, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 116, + "Name": "voter_params_get", + "Args": [ + "any" + ], + "Returns": [ + "any", + "bool" + ], + "Size": 2, + "DocCost": "1", + "Doc": "X is field F from online account A as of the balance round: 320 rounds before the current round. Y is 1 if A had positive algos online in the agreement round, else Y is 0 and X is a type specific zero-value", + "ImmediateNote": [ + { + "Comment": "voter params field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "voter_params" + } + ], + "IntroducedVersion": 11, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 117, + "Name": "online_stake", + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "the total online stake in the agreement round", + "IntroducedVersion": 11, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 120, + "Name": "min_balance", + "Args": [ + "any" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "minimum required balance for account A, in microalgos. Required balance is affected by ASA, App, and Box usage. When creating or opting into an app, the minimum balance grows before the app code runs, therefore the increase is visible there. When deleting or closing out, the minimum balance decreases after the app executes. Changes caused by inner transactions or box usage are observable immediately following the opcode effecting the change.", + "DocExtra": "params: Txn.Accounts offset (or, since v4, an _available_ account address), _available_ application id (or, since v4, a Txn.ForeignApps offset). Return: value.", + "IntroducedVersion": 3, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 128, + "Name": "pushbytes", + "Returns": [ + "[]byte" + ], + "Size": 0, + "DocCost": "1", + "Doc": "immediate BYTES", + "DocExtra": "pushbytes args are not added to the bytecblock during assembly processes", + "ImmediateNote": [ + { + "Comment": "a byte constant", + "Encoding": "varuint length, bytes", + "Name": "BYTES" + } + ], + "IntroducedVersion": 3, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 129, + "Name": "pushint", + "Returns": [ + "uint64" + ], + "Size": 0, + "DocCost": "1", + "Doc": "immediate UINT", + "DocExtra": "pushint args are not added to the intcblock during assembly processes", + "ImmediateNote": [ + { + "Comment": "an int constant", + "Encoding": "varuint", + "Name": "UINT" + } + ], + "IntroducedVersion": 3, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 130, + "Name": "pushbytess", + "Size": 0, + "DocCost": "1", + "Doc": "push sequences of immediate byte arrays to stack (first byte array being deepest)", + "DocExtra": "pushbytess args are not added to the bytecblock during assembly processes", + "ImmediateNote": [ + { + "Comment": "a list of byte constants", + "Encoding": "varuint count, [varuint length, bytes ...]", + "Name": "BYTES ..." + } + ], + "IntroducedVersion": 8, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 131, + "Name": "pushints", + "Size": 0, + "DocCost": "1", + "Doc": "push sequence of immediate uints to stack in the order they appear (first uint being deepest)", + "DocExtra": "pushints args are not added to the intcblock during assembly processes", + "ImmediateNote": [ + { + "Comment": "a list of int constants", + "Encoding": "varuint count, [varuint ...]", + "Name": "UINT ..." + } + ], + "IntroducedVersion": 8, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 132, + "Name": "ed25519verify_bare", + "Args": [ + "[]byte", + "[64]byte", + "[32]byte" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1900", + "Doc": "for (data A, signature B, pubkey C) verify the signature of the data against the pubkey =\u003e {0 or 1}", + "IntroducedVersion": 7, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 133, + "Name": "falcon_verify", + "Args": [ + "[]byte", + "[1232]byte", + "[1793]byte" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1700", + "Doc": "for (data A, compressed-format signature B, pubkey C) verify the signature of data against the pubkey", + "IntroducedVersion": 11, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 134, + "Name": "sumhash512", + "Args": [ + "[]byte" + ], + "Returns": [ + "[64]byte" + ], + "Size": 1, + "DocCost": "150 + 7 per 4 bytes of A", + "Doc": "sumhash512 of value A, yields [64]byte", + "IntroducedVersion": 11, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 136, + "Name": "callsub", + "Size": 3, + "DocCost": "1", + "Doc": "branch unconditionally to TARGET, saving the next instruction on the call stack", + "DocExtra": "The call stack is separate from the data stack. Only `callsub`, `retsub`, and `proto` manipulate it.", + "ImmediateNote": [ + { + "Comment": "branch offset", + "Encoding": "int16 (big-endian)", + "Name": "TARGET" + } + ], + "IntroducedVersion": 4, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 137, + "Name": "retsub", + "Size": 1, + "DocCost": "1", + "Doc": "pop the top instruction from the call stack and branch to it", + "DocExtra": "If the current frame was prepared by `proto A R`, `retsub` will remove the 'A' arguments from the stack, move the `R` return values down, and pop any stack locations above the relocated return values.", + "IntroducedVersion": 4, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 138, + "Name": "proto", + "Size": 3, + "DocCost": "1", + "Doc": "Prepare top call frame for a retsub that will assume A args and R return values.", + "DocExtra": "Fails unless the last instruction executed was a `callsub`.", + "ImmediateNote": [ + { + "Comment": "number of arguments", + "Encoding": "uint8", + "Name": "A" + }, + { + "Comment": "number of return values", + "Encoding": "uint8", + "Name": "R" + } + ], + "IntroducedVersion": 8, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 139, + "Name": "frame_dig", + "Returns": [ + "any" + ], + "Size": 2, + "DocCost": "1", + "Doc": "Nth (signed) value from the frame pointer.", + "ImmediateNote": [ + { + "Comment": "frame slot", + "Encoding": "int8", + "Name": "I" + } + ], + "IntroducedVersion": 8, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 140, + "Name": "frame_bury", + "Args": [ + "any" + ], + "Size": 2, + "DocCost": "1", + "Doc": "replace the Nth (signed) value from the frame pointer in the stack with A", + "ImmediateNote": [ + { + "Comment": "frame slot", + "Encoding": "int8", + "Name": "I" + } + ], + "IntroducedVersion": 8, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 141, + "Name": "switch", + "Args": [ + "uint64" + ], + "Size": 0, + "DocCost": "1", + "Doc": "branch to the Ath label. Continue at following instruction if index A exceeds the number of labels.", + "ImmediateNote": [ + { + "Comment": "list of labels", + "Encoding": "varuint count, [int16 (big-endian) ...]", + "Name": "TARGET ..." + } + ], + "IntroducedVersion": 8, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 142, + "Name": "match", + "Size": 0, + "DocCost": "1", + "Doc": "given match cases from A[1] to A[N], branch to the Ith label where A[I] = B. Continue to the following instruction if no matches are found.", + "DocExtra": "`match` consumes N+1 values from the stack. Let the top stack value be B. The following N values represent an ordered list of match cases/constants (A), where the first value (A[0]) is the deepest in the stack. The immediate arguments are an ordered list of N labels (T). `match` will branch to target T[I], where A[I] = B. If there are no matches then execution continues on to the next instruction.", + "ImmediateNote": [ + { + "Comment": "list of labels", + "Encoding": "varuint count, [int16 (big-endian) ...]", + "Name": "TARGET ..." + } + ], + "IntroducedVersion": 8, + "Groups": [ + "Flow Control" + ] + }, + { + "Opcode": 144, + "Name": "shl", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A times 2^B, modulo 2^64", + "IntroducedVersion": 4, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 145, + "Name": "shr", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A divided by 2^B", + "IntroducedVersion": 4, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 146, + "Name": "sqrt", + "Args": [ + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "4", + "Doc": "The largest integer I such that I^2 \u003c= A", + "IntroducedVersion": 4, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 147, + "Name": "bitlen", + "Args": [ + "any" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "The highest set bit in A. If A is a byte-array, it is interpreted as a big-endian unsigned integer. bitlen of 0 is 0, bitlen of 8 is 4", + "DocExtra": "bitlen interprets arrays as big-endian integers, unlike setbit/getbit", + "IntroducedVersion": 4, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 148, + "Name": "exp", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A raised to the Bth power. Fail if A == B == 0 and on overflow", + "IntroducedVersion": 4, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 149, + "Name": "expw", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "uint64", + "uint64" + ], + "Size": 1, + "DocCost": "10", + "Doc": "A raised to the Bth power as a 128-bit result in two uint64s. X is the high 64 bits, Y is the low. Fail if A == B == 0 or if the results exceeds 2^128-1", + "IntroducedVersion": 4, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 150, + "Name": "bsqrt", + "Args": [ + "bigint" + ], + "Returns": [ + "bigint" + ], + "Size": 1, + "DocCost": "40", + "Doc": "The largest integer I such that I^2 \u003c= A. A and I are interpreted as big-endian unsigned integers", + "IntroducedVersion": 6, + "Groups": [ + "Byte Array Arithmetic" + ] + }, + { + "Opcode": 151, + "Name": "divw", + "Args": [ + "uint64", + "uint64", + "uint64" + ], + "Returns": [ + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "A,B / C. Fail if C == 0 or if result overflows.", + "DocExtra": "The notation A,B indicates that A and B are interpreted as a uint128 value, with A as the high uint64 and B the low.", + "IntroducedVersion": 6, + "Groups": [ + "Arithmetic" + ] + }, + { + "Opcode": 152, + "Name": "sha3_256", + "Args": [ + "[]byte" + ], + "Returns": [ + "[32]byte" + ], + "Size": 1, + "DocCost": "130", + "Doc": "SHA3_256 hash of value A, yields [32]byte", + "IntroducedVersion": 7, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 160, + "Name": "b+", + "Args": [ + "bigint", + "bigint" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "10", + "Doc": "A plus B. A and B are interpreted as big-endian unsigned integers", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Arithmetic" + ] + }, + { + "Opcode": 161, + "Name": "b-", + "Args": [ + "bigint", + "bigint" + ], + "Returns": [ + "bigint" + ], + "Size": 1, + "DocCost": "10", + "Doc": "A minus B. A and B are interpreted as big-endian unsigned integers. Fail on underflow.", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Arithmetic" + ] + }, + { + "Opcode": 162, + "Name": "b/", + "Args": [ + "bigint", + "bigint" + ], + "Returns": [ + "bigint" + ], + "Size": 1, + "DocCost": "20", + "Doc": "A divided by B (truncated division). A and B are interpreted as big-endian unsigned integers. Fail if B is zero.", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Arithmetic" + ] + }, + { + "Opcode": 163, + "Name": "b*", + "Args": [ + "bigint", + "bigint" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "20", + "Doc": "A times B. A and B are interpreted as big-endian unsigned integers.", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Arithmetic" + ] + }, + { + "Opcode": 164, + "Name": "b\u003c", + "Args": [ + "bigint", + "bigint" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "1 if A is less than B, else 0. A and B are interpreted as big-endian unsigned integers", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Arithmetic" + ] + }, + { + "Opcode": 165, + "Name": "b\u003e", + "Args": [ + "bigint", + "bigint" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "1 if A is greater than B, else 0. A and B are interpreted as big-endian unsigned integers", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Arithmetic" + ] + }, + { + "Opcode": 166, + "Name": "b\u003c=", + "Args": [ + "bigint", + "bigint" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "1 if A is less than or equal to B, else 0. A and B are interpreted as big-endian unsigned integers", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Arithmetic" + ] + }, + { + "Opcode": 167, + "Name": "b\u003e=", + "Args": [ + "bigint", + "bigint" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "1 if A is greater than or equal to B, else 0. A and B are interpreted as big-endian unsigned integers", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Arithmetic" + ] + }, + { + "Opcode": 168, + "Name": "b==", + "Args": [ + "bigint", + "bigint" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "1 if A is equal to B, else 0. A and B are interpreted as big-endian unsigned integers", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Arithmetic" + ] + }, + { + "Opcode": 169, + "Name": "b!=", + "Args": [ + "bigint", + "bigint" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "0 if A is equal to B, else 1. A and B are interpreted as big-endian unsigned integers", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Arithmetic" + ] + }, + { + "Opcode": 170, + "Name": "b%", + "Args": [ + "bigint", + "bigint" + ], + "Returns": [ + "bigint" + ], + "Size": 1, + "DocCost": "20", + "Doc": "A modulo B. A and B are interpreted as big-endian unsigned integers. Fail if B is zero.", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Arithmetic" + ] + }, + { + "Opcode": 171, + "Name": "b|", + "Args": [ + "[]byte", + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "6", + "Doc": "A bitwise-or B. A and B are zero-left extended to the greater of their lengths", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Logic" + ] + }, + { + "Opcode": 172, + "Name": "b\u0026", + "Args": [ + "[]byte", + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "6", + "Doc": "A bitwise-and B. A and B are zero-left extended to the greater of their lengths", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Logic" + ] + }, + { + "Opcode": 173, + "Name": "b^", + "Args": [ + "[]byte", + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "6", + "Doc": "A bitwise-xor B. A and B are zero-left extended to the greater of their lengths", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Logic" + ] + }, + { + "Opcode": 174, + "Name": "b~", + "Args": [ + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "4", + "Doc": "A with all bits inverted", + "IntroducedVersion": 4, + "Groups": [ + "Byte Array Logic" + ] + }, + { + "Opcode": 175, + "Name": "bzero", + "Args": [ + "uint64" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "zero filled byte-array of length A", + "IntroducedVersion": 4, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 176, + "Name": "log", + "Args": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "write A to log state of the current application", + "DocExtra": "`log` fails if called more than MaxLogCalls times in a program, or if the sum of logged bytes exceeds 1024 bytes.", + "IntroducedVersion": 5, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 177, + "Name": "itxn_begin", + "Size": 1, + "DocCost": "1", + "Doc": "begin preparation of a new inner transaction in a new transaction group", + "DocExtra": "`itxn_begin` initializes Sender to the application address; Fee to the minimum allowable, taking into account MinTxnFee and credit from overpaying in earlier transactions; FirstValid/LastValid to the values in the invoking transaction, and all other fields to zero or empty values.", + "IntroducedVersion": 5, + "Groups": [ + "Inner Transactions" + ] + }, + { + "Opcode": 178, + "Name": "itxn_field", + "Args": [ + "any" + ], + "Size": 2, + "ArgEnum": [ + "Sender", + "Fee", + "Note", + "Receiver", + "Amount", + "CloseRemainderTo", + "VotePK", + "SelectionPK", + "VoteFirst", + "VoteLast", + "VoteKeyDilution", + "Type", + "TypeEnum", + "XferAsset", + "AssetAmount", + "AssetSender", + "AssetReceiver", + "AssetCloseTo", + "ApplicationID", + "OnCompletion", + "ApplicationArgs", + "Accounts", + "ApprovalProgram", + "ClearStateProgram", + "RekeyTo", + "ConfigAsset", + "ConfigAssetTotal", + "ConfigAssetDecimals", + "ConfigAssetDefaultFrozen", + "ConfigAssetUnitName", + "ConfigAssetName", + "ConfigAssetURL", + "ConfigAssetMetadataHash", + "ConfigAssetManager", + "ConfigAssetReserve", + "ConfigAssetFreeze", + "ConfigAssetClawback", + "FreezeAsset", + "FreezeAssetAccount", + "FreezeAssetFrozen", + "Assets", + "Applications", + "GlobalNumUint", + "GlobalNumByteSlice", + "LocalNumUint", + "LocalNumByteSlice", + "ExtraProgramPages", + "Nonparticipation", + "StateProofPK", + "ApprovalProgramPages", + "ClearStateProgramPages" + ], + "ArgEnumTypes": [ + "address", + "uint64", + "[]byte", + "address", + "uint64", + "address", + "[32]byte", + "[32]byte", + "uint64", + "uint64", + "uint64", + "[]byte", + "uint64", + "uint64", + "uint64", + "address", + "address", + "address", + "uint64", + "uint64", + "[]byte", + "address", + "[]byte", + "[]byte", + "address", + "uint64", + "uint64", + "uint64", + "bool", + "[]byte", + "[]byte", + "[]byte", + "[32]byte", + "address", + "address", + "address", + "address", + "uint64", + "address", + "bool", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "bool", + "[]byte", + "[]byte", + "[]byte" + ], + "DocCost": "1", + "Doc": "set field F of the current inner transaction to A", + "DocExtra": "`itxn_field` fails if A is of the wrong type for F, including a byte array of the wrong size for use as an address when F is an address field. `itxn_field` also fails if A is an account, asset, or app that is not _available_, or an attempt is made extend an array field beyond the limit imposed by consensus parameters. (Addresses set into asset params of acfg transactions need not be _available_.)", + "ImmediateNote": [ + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txn" + } + ], + "IntroducedVersion": 5, + "Groups": [ + "Inner Transactions" + ] + }, + { + "Opcode": 179, + "Name": "itxn_submit", + "Size": 1, + "DocCost": "1", + "Doc": "execute the current inner transaction group. Fail if executing this group would exceed the inner transaction limit, or if any transaction in the group fails.", + "DocExtra": "`itxn_submit` resets the current transaction so that it can not be resubmitted. A new `itxn_begin` is required to prepare another inner transaction.", + "IntroducedVersion": 5, + "Groups": [ + "Inner Transactions" + ] + }, + { + "Opcode": 180, + "Name": "itxn", + "Returns": [ + "any" + ], + "Size": 2, + "ArgEnum": [ + "Sender", + "Fee", + "FirstValid", + "FirstValidTime", + "LastValid", + "Note", + "Lease", + "Receiver", + "Amount", + "CloseRemainderTo", + "VotePK", + "SelectionPK", + "VoteFirst", + "VoteLast", + "VoteKeyDilution", + "Type", + "TypeEnum", + "XferAsset", + "AssetAmount", + "AssetSender", + "AssetReceiver", + "AssetCloseTo", + "GroupIndex", + "TxID", + "ApplicationID", + "OnCompletion", + "ApplicationArgs", + "NumAppArgs", + "Accounts", + "NumAccounts", + "ApprovalProgram", + "ClearStateProgram", + "RekeyTo", + "ConfigAsset", + "ConfigAssetTotal", + "ConfigAssetDecimals", + "ConfigAssetDefaultFrozen", + "ConfigAssetUnitName", + "ConfigAssetName", + "ConfigAssetURL", + "ConfigAssetMetadataHash", + "ConfigAssetManager", + "ConfigAssetReserve", + "ConfigAssetFreeze", + "ConfigAssetClawback", + "FreezeAsset", + "FreezeAssetAccount", + "FreezeAssetFrozen", + "Assets", + "NumAssets", + "Applications", + "NumApplications", + "GlobalNumUint", + "GlobalNumByteSlice", + "LocalNumUint", + "LocalNumByteSlice", + "ExtraProgramPages", + "Nonparticipation", + "Logs", + "NumLogs", + "CreatedAssetID", + "CreatedApplicationID", + "LastLog", + "StateProofPK", + "ApprovalProgramPages", + "NumApprovalProgramPages", + "ClearStateProgramPages", + "NumClearStateProgramPages" + ], + "ArgEnumTypes": [ + "address", + "uint64", + "uint64", + "uint64", + "uint64", + "[]byte", + "[32]byte", + "address", + "uint64", + "address", + "[32]byte", + "[32]byte", + "uint64", + "uint64", + "uint64", + "[]byte", + "uint64", + "uint64", + "uint64", + "address", + "address", + "address", + "uint64", + "[32]byte", + "uint64", + "uint64", + "[]byte", + "uint64", + "address", + "uint64", + "[]byte", + "[]byte", + "address", + "uint64", + "uint64", + "uint64", + "bool", + "[]byte", + "[]byte", + "[]byte", + "[32]byte", + "address", + "address", + "address", + "address", + "uint64", + "address", + "bool", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "bool", + "[]byte", + "uint64", + "uint64", + "uint64", + "[]byte", + "[]byte", + "[]byte", + "uint64", + "[]byte", + "uint64" + ], + "DocCost": "1", + "Doc": "field F of the last inner transaction", + "ImmediateNote": [ + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txn" + } + ], + "IntroducedVersion": 5, + "Groups": [ + "Inner Transactions" + ] + }, + { + "Opcode": 181, + "Name": "itxna", + "Returns": [ + "any" + ], + "Size": 3, + "ArgEnum": [ + "ApplicationArgs", + "Accounts", + "Assets", + "Applications", + "Logs", + "ApprovalProgramPages", + "ClearStateProgramPages" + ], + "ArgEnumTypes": [ + "[]byte", + "address", + "uint64", + "uint64", + "[]byte", + "[]byte", + "[]byte" + ], + "DocCost": "1", + "Doc": "Ith value of the array field F of the last inner transaction", + "ImmediateNote": [ + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txna" + }, + { + "Comment": "a transaction field array index", + "Encoding": "uint8", + "Name": "I" + } + ], + "IntroducedVersion": 5, + "Groups": [ + "Inner Transactions" + ] + }, + { + "Opcode": 182, + "Name": "itxn_next", + "Size": 1, + "DocCost": "1", + "Doc": "begin preparation of a new inner transaction in the same transaction group", + "DocExtra": "`itxn_next` initializes the transaction exactly as `itxn_begin` does", + "IntroducedVersion": 6, + "Groups": [ + "Inner Transactions" + ] + }, + { + "Opcode": 183, + "Name": "gitxn", + "Returns": [ + "any" + ], + "Size": 3, + "ArgEnum": [ + "Sender", + "Fee", + "FirstValid", + "FirstValidTime", + "LastValid", + "Note", + "Lease", + "Receiver", + "Amount", + "CloseRemainderTo", + "VotePK", + "SelectionPK", + "VoteFirst", + "VoteLast", + "VoteKeyDilution", + "Type", + "TypeEnum", + "XferAsset", + "AssetAmount", + "AssetSender", + "AssetReceiver", + "AssetCloseTo", + "GroupIndex", + "TxID", + "ApplicationID", + "OnCompletion", + "ApplicationArgs", + "NumAppArgs", + "Accounts", + "NumAccounts", + "ApprovalProgram", + "ClearStateProgram", + "RekeyTo", + "ConfigAsset", + "ConfigAssetTotal", + "ConfigAssetDecimals", + "ConfigAssetDefaultFrozen", + "ConfigAssetUnitName", + "ConfigAssetName", + "ConfigAssetURL", + "ConfigAssetMetadataHash", + "ConfigAssetManager", + "ConfigAssetReserve", + "ConfigAssetFreeze", + "ConfigAssetClawback", + "FreezeAsset", + "FreezeAssetAccount", + "FreezeAssetFrozen", + "Assets", + "NumAssets", + "Applications", + "NumApplications", + "GlobalNumUint", + "GlobalNumByteSlice", + "LocalNumUint", + "LocalNumByteSlice", + "ExtraProgramPages", + "Nonparticipation", + "Logs", + "NumLogs", + "CreatedAssetID", + "CreatedApplicationID", + "LastLog", + "StateProofPK", + "ApprovalProgramPages", + "NumApprovalProgramPages", + "ClearStateProgramPages", + "NumClearStateProgramPages" + ], + "ArgEnumTypes": [ + "address", + "uint64", + "uint64", + "uint64", + "uint64", + "[]byte", + "[32]byte", + "address", + "uint64", + "address", + "[32]byte", + "[32]byte", + "uint64", + "uint64", + "uint64", + "[]byte", + "uint64", + "uint64", + "uint64", + "address", + "address", + "address", + "uint64", + "[32]byte", + "uint64", + "uint64", + "[]byte", + "uint64", + "address", + "uint64", + "[]byte", + "[]byte", + "address", + "uint64", + "uint64", + "uint64", + "bool", + "[]byte", + "[]byte", + "[]byte", + "[32]byte", + "address", + "address", + "address", + "address", + "uint64", + "address", + "bool", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "uint64", + "bool", + "[]byte", + "uint64", + "uint64", + "uint64", + "[]byte", + "[]byte", + "[]byte", + "uint64", + "[]byte", + "uint64" + ], + "DocCost": "1", + "Doc": "field F of the Tth transaction in the last inner group submitted", + "ImmediateNote": [ + { + "Comment": "transaction group index", + "Encoding": "uint8", + "Name": "T" + }, + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txn" + } + ], + "IntroducedVersion": 6, + "Groups": [ + "Inner Transactions" + ] + }, + { + "Opcode": 184, + "Name": "gitxna", + "Returns": [ + "any" + ], + "Size": 4, + "ArgEnum": [ + "ApplicationArgs", + "Accounts", + "Assets", + "Applications", + "Logs", + "ApprovalProgramPages", + "ClearStateProgramPages" + ], + "ArgEnumTypes": [ + "[]byte", + "address", + "uint64", + "uint64", + "[]byte", + "[]byte", + "[]byte" + ], + "DocCost": "1", + "Doc": "Ith value of the array field F from the Tth transaction in the last inner group submitted", + "ImmediateNote": [ + { + "Comment": "transaction group index", + "Encoding": "uint8", + "Name": "T" + }, + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txna" + }, + { + "Comment": "transaction field array index", + "Encoding": "uint8", + "Name": "I" + } + ], + "IntroducedVersion": 6, + "Groups": [ + "Inner Transactions" + ] + }, + { + "Opcode": 185, + "Name": "box_create", + "Args": [ + "boxName", + "uint64" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "create a box named A, of length B. Fail if the name A is empty or B exceeds 32,768. Returns 0 if A already existed, else 1", + "DocExtra": "Newly created boxes are filled with 0 bytes. `box_create` will fail if the referenced box already exists with a different size. Otherwise, existing boxes are unchanged by `box_create`.", + "IntroducedVersion": 8, + "Groups": [ + "Box Access" + ] + }, + { + "Opcode": 186, + "Name": "box_extract", + "Args": [ + "boxName", + "uint64", + "uint64" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "read C bytes from box A, starting at offset B. Fail if A does not exist, or the byte range is outside A's size.", + "IntroducedVersion": 8, + "Groups": [ + "Box Access" + ] + }, + { + "Opcode": 187, + "Name": "box_replace", + "Args": [ + "boxName", + "uint64", + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "write byte-array C into box A, starting at offset B. Fail if A does not exist, or the byte range is outside A's size.", + "IntroducedVersion": 8, + "Groups": [ + "Box Access" + ] + }, + { + "Opcode": 188, + "Name": "box_del", + "Args": [ + "boxName" + ], + "Returns": [ + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "delete box named A if it exists. Return 1 if A existed, 0 otherwise", + "IntroducedVersion": 8, + "Groups": [ + "Box Access" + ] + }, + { + "Opcode": 189, + "Name": "box_len", + "Args": [ + "boxName" + ], + "Returns": [ + "uint64", + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "X is the length of box A if A exists, else 0. Y is 1 if A exists, else 0.", + "IntroducedVersion": 8, + "Groups": [ + "Box Access" + ] + }, + { + "Opcode": 190, + "Name": "box_get", + "Args": [ + "boxName" + ], + "Returns": [ + "[]byte", + "bool" + ], + "Size": 1, + "DocCost": "1", + "Doc": "X is the contents of box A if A exists, else ''. Y is 1 if A exists, else 0.", + "DocExtra": "For boxes that exceed 4,096 bytes, consider `box_create`, `box_extract`, and `box_replace`", + "IntroducedVersion": 8, + "Groups": [ + "Box Access" + ] + }, + { + "Opcode": 191, + "Name": "box_put", + "Args": [ + "boxName", + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "replaces the contents of box A with byte-array B. Fails if A exists and len(B) != len(box A). Creates A if it does not exist", + "DocExtra": "For boxes that exceed 4,096 bytes, consider `box_create`, `box_extract`, and `box_replace`", + "IntroducedVersion": 8, + "Groups": [ + "Box Access" + ] + }, + { + "Opcode": 192, + "Name": "txnas", + "Args": [ + "uint64" + ], + "Returns": [ + "any" + ], + "Size": 2, + "ArgEnum": [ + "ApplicationArgs", + "Accounts", + "Assets", + "Applications", + "Logs", + "ApprovalProgramPages", + "ClearStateProgramPages" + ], + "ArgEnumTypes": [ + "[]byte", + "address", + "uint64", + "uint64", + "[]byte", + "[]byte", + "[]byte" + ], + "DocCost": "1", + "Doc": "Ath value of the array field F of the current transaction", + "ImmediateNote": [ + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txna" + } + ], + "IntroducedVersion": 5, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 193, + "Name": "gtxnas", + "Args": [ + "uint64" + ], + "Returns": [ + "any" + ], + "Size": 3, + "ArgEnum": [ + "ApplicationArgs", + "Accounts", + "Assets", + "Applications", + "Logs", + "ApprovalProgramPages", + "ClearStateProgramPages" + ], + "ArgEnumTypes": [ + "[]byte", + "address", + "uint64", + "uint64", + "[]byte", + "[]byte", + "[]byte" + ], + "DocCost": "1", + "Doc": "Ath value of the array field F from the Tth transaction in the current group", + "ImmediateNote": [ + { + "Comment": "transaction group index", + "Encoding": "uint8", + "Name": "T" + }, + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txna" + } + ], + "IntroducedVersion": 5, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 194, + "Name": "gtxnsas", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "any" + ], + "Size": 2, + "ArgEnum": [ + "ApplicationArgs", + "Accounts", + "Assets", + "Applications", + "Logs", + "ApprovalProgramPages", + "ClearStateProgramPages" + ], + "ArgEnumTypes": [ + "[]byte", + "address", + "uint64", + "uint64", + "[]byte", + "[]byte", + "[]byte" + ], + "DocCost": "1", + "Doc": "Bth value of the array field F from the Ath transaction in the current group", + "ImmediateNote": [ + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txna" + } + ], + "IntroducedVersion": 5, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 195, + "Name": "args", + "Args": [ + "uint64" + ], + "Returns": [ + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "Ath LogicSig argument", + "IntroducedVersion": 5, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 196, + "Name": "gloadss", + "Args": [ + "uint64", + "uint64" + ], + "Returns": [ + "any" + ], + "Size": 1, + "DocCost": "1", + "Doc": "Bth scratch space value of the Ath transaction in the current group", + "IntroducedVersion": 6, + "Groups": [ + "Loading Values" + ] + }, + { + "Opcode": 197, + "Name": "itxnas", + "Args": [ + "uint64" + ], + "Returns": [ + "any" + ], + "Size": 2, + "DocCost": "1", + "Doc": "Ath value of the array field F of the last inner transaction", + "ImmediateNote": [ + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txna" + } + ], + "IntroducedVersion": 6, + "Groups": [ + "Inner Transactions" + ] + }, + { + "Opcode": 198, + "Name": "gitxnas", + "Args": [ + "uint64" + ], + "Returns": [ + "any" + ], + "Size": 3, + "DocCost": "1", + "Doc": "Ath value of the array field F from the Tth transaction in the last inner group submitted", + "ImmediateNote": [ + { + "Comment": "transaction group index", + "Encoding": "uint8", + "Name": "T" + }, + { + "Comment": "transaction field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "txna" + } + ], + "IntroducedVersion": 6, + "Groups": [ + "Inner Transactions" + ] + }, + { + "Opcode": 208, + "Name": "vrf_verify", + "Args": [ + "[]byte", + "[80]byte", + "[32]byte" + ], + "Returns": [ + "[64]byte", + "bool" + ], + "Size": 2, + "ArgEnum": [ + "VrfAlgorand" + ], + "DocCost": "5700", + "Doc": "Verify the proof B of message A against pubkey C. Returns vrf output and verification flag.", + "DocExtra": "`VrfAlgorand` is the VRF used in Algorand. It is ECVRF-ED25519-SHA512-Elligator2, specified in the IETF internet draft [draft-irtf-cfrg-vrf-03](https://datatracker.ietf.org/doc/draft-irtf-cfrg-vrf/03/).", + "ImmediateNote": [ + { + "Comment": " parameters index", + "Encoding": "uint8", + "Name": "S", + "Reference": "vrf_verify" + } + ], + "IntroducedVersion": 7, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 209, + "Name": "block", + "Args": [ + "uint64" + ], + "Returns": [ + "any" + ], + "Size": 2, + "ArgEnum": [ + "BlkSeed", + "BlkTimestamp", + "BlkProposer", + "BlkFeesCollected", + "BlkBonus", + "BlkBranch", + "BlkFeeSink", + "BlkProtocol", + "BlkTxnCounter", + "BlkProposerPayout" + ], + "ArgEnumTypes": [ + "[32]byte", + "uint64", + "address", + "uint64", + "uint64", + "[32]byte", + "address", + "[]byte", + "uint64", + "uint64" + ], + "DocCost": "1", + "Doc": "field F of block A. Fail unless A falls between txn.LastValid-1002 and txn.FirstValid (exclusive)", + "ImmediateNote": [ + { + "Comment": " block field index", + "Encoding": "uint8", + "Name": "F", + "Reference": "block" + } + ], + "IntroducedVersion": 7, + "Groups": [ + "State Access" + ] + }, + { + "Opcode": 210, + "Name": "box_splice", + "Args": [ + "boxName", + "uint64", + "uint64", + "[]byte" + ], + "Size": 1, + "DocCost": "1", + "Doc": "set box A to contain its previous bytes up to index B, followed by D, followed by the original bytes of A that began at index B+C.", + "DocExtra": "Boxes are of constant length. If C \u003c len(D), then len(D)-C bytes will be removed from the end. If C \u003e len(D), zero bytes will be appended to the end to reach the box length.", + "IntroducedVersion": 10, + "Groups": [ + "Box Access" + ] + }, + { + "Opcode": 211, + "Name": "box_resize", + "Args": [ + "boxName", + "uint64" + ], + "Size": 1, + "DocCost": "1", + "Doc": "change the size of box named A to be of length B, adding zero bytes to end or removing bytes from the end, as needed. Fail if the name A is empty, A is not an existing box, or B exceeds 32,768.", + "IntroducedVersion": 10, + "Groups": [ + "Box Access" + ] + }, + { + "Opcode": 224, + "Name": "ec_add", + "Args": [ + "[]byte", + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 2, + "DocCost": "BN254g1=125; BN254g2=170; BLS12_381g1=205; BLS12_381g2=290", + "Doc": "for curve points A and B, return the curve point A + B", + "DocExtra": "A and B are curve points in affine representation: field element X concatenated with field element Y. Field element `Z` is encoded as follows.\nFor the base field elements (Fp), `Z` is encoded as a big-endian number and must be lower than the field modulus.\nFor the quadratic field extension (Fp2), `Z` is encoded as the concatenation of the individual encoding of the coefficients. For an Fp2 element of the form `Z = Z0 + Z1 i`, where `i` is a formal quadratic non-residue, the encoding of Z is the concatenation of the encoding of `Z0` and `Z1` in this order. (`Z0` and `Z1` must be less than the field modulus).\n\nThe point at infinity is encoded as `(X,Y) = (0,0)`.\nGroups G1 and G2 are denoted additively.\n\nFails if A or B is not in G.\nA and/or B are allowed to be the point at infinity.\nDoes _not_ check if A and B are in the main prime-order subgroup.", + "ImmediateNote": [ + { + "Comment": "curve index", + "Encoding": "uint8", + "Name": "G", + "Reference": "EC" + } + ], + "IntroducedVersion": 10, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 225, + "Name": "ec_scalar_mul", + "Args": [ + "[]byte", + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 2, + "DocCost": "BN254g1=1810; BN254g2=3430; BLS12_381g1=2950; BLS12_381g2=6530", + "Doc": "for curve point A and scalar B, return the curve point BA, the point A multiplied by the scalar B.", + "DocExtra": "A is a curve point encoded and checked as described in `ec_add`. Scalar B is interpreted as a big-endian unsigned integer. Fails if B exceeds 32 bytes.", + "ImmediateNote": [ + { + "Comment": "curve index", + "Encoding": "uint8", + "Name": "G", + "Reference": "EC" + } + ], + "IntroducedVersion": 10, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 226, + "Name": "ec_pairing_check", + "Args": [ + "[]byte", + "[]byte" + ], + "Returns": [ + "bool" + ], + "Size": 2, + "DocCost": "BN254g1=8000 + 7400 per 64 bytes of B; BN254g2=8000 + 7400 per 128 bytes of B; BLS12_381g1=13000 + 10000 per 96 bytes of B; BLS12_381g2=13000 + 10000 per 192 bytes of B", + "Doc": "1 if the product of the pairing of each point in A with its respective point in B is equal to the identity element of the target group Gt, else 0", + "DocExtra": "A and B are concatenated points, encoded and checked as described in `ec_add`. A contains points of the group G, B contains points of the associated group (G2 if G is G1, and vice versa). Fails if A and B have a different number of points, or if any point is not in its described group or outside the main prime-order subgroup - a stronger condition than other opcodes. AVM values are limited to 4096 bytes, so `ec_pairing_check` is limited by the size of the points in the groups being operated upon.", + "ImmediateNote": [ + { + "Comment": "curve index", + "Encoding": "uint8", + "Name": "G", + "Reference": "EC" + } + ], + "IntroducedVersion": 10, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 227, + "Name": "ec_multi_scalar_mul", + "Args": [ + "[]byte", + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 2, + "DocCost": "BN254g1=3600 + 90 per 32 bytes of B; BN254g2=7200 + 270 per 32 bytes of B; BLS12_381g1=6500 + 95 per 32 bytes of B; BLS12_381g2=14850 + 485 per 32 bytes of B", + "Doc": "for curve points A and scalars B, return curve point B0A0 + B1A1 + B2A2 + ... + BnAn", + "DocExtra": "A is a list of concatenated points, encoded and checked as described in `ec_add`. B is a list of concatenated scalars which, unlike ec_scalar_mul, must all be exactly 32 bytes long.\nThe name `ec_multi_scalar_mul` was chosen to reflect common usage, but a more consistent name would be `ec_multi_scalar_mul`. AVM values are limited to 4096 bytes, so `ec_multi_scalar_mul` is limited by the size of the points in the group being operated upon.", + "ImmediateNote": [ + { + "Comment": "curve index", + "Encoding": "uint8", + "Name": "G", + "Reference": "EC" + } + ], + "IntroducedVersion": 10, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 228, + "Name": "ec_subgroup_check", + "Args": [ + "[]byte" + ], + "Returns": [ + "bool" + ], + "Size": 2, + "DocCost": "BN254g1=20; BN254g2=3100; BLS12_381g1=1850; BLS12_381g2=2340", + "Doc": "1 if A is in the main prime-order subgroup of G (including the point at infinity) else 0. Program fails if A is not in G at all.", + "ImmediateNote": [ + { + "Comment": "curve index", + "Encoding": "uint8", + "Name": "G", + "Reference": "EC" + } + ], + "IntroducedVersion": 10, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 229, + "Name": "ec_map_to", + "Args": [ + "[]byte" + ], + "Returns": [ + "[]byte" + ], + "Size": 2, + "DocCost": "BN254g1=630; BN254g2=3300; BLS12_381g1=1950; BLS12_381g2=8150", + "Doc": "maps field element A to group G", + "DocExtra": "BN254 points are mapped by the SVDW map. BLS12-381 points are mapped by the SSWU map.\nG1 element inputs are base field elements and G2 element inputs are quadratic field elements, with nearly the same encoding rules (for field elements) as defined in `ec_add`. There is one difference of encoding rule: G1 element inputs do not need to be 0-padded if they fit in less than 32 bytes for BN254 and less than 48 bytes for BLS12-381. (As usual, the empty byte array represents 0.) G2 elements inputs need to be always have the required size.", + "ImmediateNote": [ + { + "Comment": "curve index", + "Encoding": "uint8", + "Name": "G", + "Reference": "EC" + } + ], + "IntroducedVersion": 10, + "Groups": [ + "Cryptography" + ] + }, + { + "Opcode": 230, + "Name": "mimc", + "Args": [ + "[]byte" + ], + "Returns": [ + "[32]byte" + ], + "Size": 2, + "DocCost": "BN254Mp110=10 + 550 per 32 bytes of A; BLS12_381Mp111=10 + 550 per 32 bytes of A", + "Doc": "MiMC hash of scalars A, using curve and parameters specified by configuration C", + "DocExtra": "A is a list of concatenated 32 byte big-endian unsigned integer scalars. Fail if A's length is not a multiple of 32 or any element exceeds the curve modulus.\n\nThe MiMC hash function has known collisions since any input which is a multiple of the elliptic curve modulus will hash to the same value. MiMC is thus not a general purpose hash function, but meant to be used in zero knowledge applications to match a zk-circuit implementation.", + "ImmediateNote": [ + { + "Comment": "configuration index", + "Encoding": "uint8", + "Name": "C", + "Reference": "Mimc Configurations" + } + ], + "IntroducedVersion": 11, + "Groups": [ + "Cryptography" + ] + } + ] +} diff --git a/data/transactions/logic/opcodes.go b/data/transactions/logic/opcodes.go index 4cf6238cad..3e101405a1 100644 --- a/data/transactions/logic/opcodes.go +++ b/data/transactions/logic/opcodes.go @@ -802,12 +802,12 @@ var OpSpecs = []OpSpec{ {0xe6, "mimc", opMimc, proto("b:b{32}"), mimcVersion, costByFieldAndLength("c", &MimcConfigs, []linearCost{ BN254Mp110: { baseCost: 10, - chunkCost: 350, + chunkCost: 550, chunkSize: 32, }, BLS12_381Mp111: { baseCost: 10, - chunkCost: 350, + chunkCost: 550, chunkSize: 32, }})}, } diff --git a/data/transactions/logic/teal.tmLanguage.json b/data/transactions/logic/teal.tmLanguage.json index 60cb76281b..1a86c280e8 100644 --- a/data/transactions/logic/teal.tmLanguage.json +++ b/data/transactions/logic/teal.tmLanguage.json @@ -112,7 +112,7 @@ }, { "name": "variable.parameter.teal", - "match": "\\b(unknown|pay|keyreg|acfg|axfer|afrz|appl|NoOp|OptIn|CloseOut|ClearState|UpdateApplication|DeleteApplication|Secp256k1|Secp256r1|Sender|Fee|FirstValid|FirstValidTime|LastValid|Note|Lease|Receiver|Amount|CloseRemainderTo|VotePK|SelectionPK|VoteFirst|VoteLast|VoteKeyDilution|Type|TypeEnum|XferAsset|AssetAmount|AssetSender|AssetReceiver|AssetCloseTo|GroupIndex|TxID|ApplicationID|OnCompletion|NumAppArgs|NumAccounts|ApprovalProgram|ClearStateProgram|RekeyTo|ConfigAsset|ConfigAssetTotal|ConfigAssetDecimals|ConfigAssetDefaultFrozen|ConfigAssetUnitName|ConfigAssetName|ConfigAssetURL|ConfigAssetMetadataHash|ConfigAssetManager|ConfigAssetReserve|ConfigAssetFreeze|ConfigAssetClawback|FreezeAsset|FreezeAssetAccount|FreezeAssetFrozen|NumAssets|NumApplications|GlobalNumUint|GlobalNumByteSlice|LocalNumUint|LocalNumByteSlice|ExtraProgramPages|Nonparticipation|NumLogs|CreatedAssetID|CreatedApplicationID|LastLog|StateProofPK|NumApprovalProgramPages|NumClearStateProgramPages|MinTxnFee|MinBalance|MaxTxnLife|ZeroAddress|GroupSize|LogicSigVersion|Round|LatestTimestamp|CurrentApplicationID|CreatorAddress|CurrentApplicationAddress|GroupID|OpcodeBudget|CallerApplicationID|CallerApplicationAddress|AssetCreateMinBalance|AssetOptInMinBalance|GenesisHash|ApplicationArgs|Accounts|Assets|Applications|Logs|ApprovalProgramPages|ClearStateProgramPages|URLEncoding|StdEncoding|JSONString|JSONUint64|JSONObject|AssetBalance|AssetFrozen|AssetTotal|AssetDecimals|AssetDefaultFrozen|AssetUnitName|AssetName|AssetURL|AssetMetadataHash|AssetManager|AssetReserve|AssetFreeze|AssetClawback|AssetCreator|AppApprovalProgram|AppClearStateProgram|AppGlobalNumUint|AppGlobalNumByteSlice|AppLocalNumUint|AppLocalNumByteSlice|AppExtraProgramPages|AppCreator|AppAddress|AcctBalance|AcctMinBalance|AcctAuthAddr|AcctTotalNumUint|AcctTotalNumByteSlice|AcctTotalExtraAppPages|AcctTotalAppsCreated|AcctTotalAppsOptedIn|AcctTotalAssetsCreated|AcctTotalAssets|AcctTotalBoxes|AcctTotalBoxBytes|VrfAlgorand|BlkSeed|BlkTimestamp|BN254g1|BN254g2|BLS12_381g1|BLS12_381g2)\\b" + "match": "\\b(unknown|pay|keyreg|acfg|axfer|afrz|appl|NoOp|OptIn|CloseOut|ClearState|UpdateApplication|DeleteApplication|Secp256k1|Secp256r1|Sender|Fee|FirstValid|FirstValidTime|LastValid|Note|Lease|Receiver|Amount|CloseRemainderTo|VotePK|SelectionPK|VoteFirst|VoteLast|VoteKeyDilution|Type|TypeEnum|XferAsset|AssetAmount|AssetSender|AssetReceiver|AssetCloseTo|GroupIndex|TxID|ApplicationID|OnCompletion|NumAppArgs|NumAccounts|ApprovalProgram|ClearStateProgram|RekeyTo|ConfigAsset|ConfigAssetTotal|ConfigAssetDecimals|ConfigAssetDefaultFrozen|ConfigAssetUnitName|ConfigAssetName|ConfigAssetURL|ConfigAssetMetadataHash|ConfigAssetManager|ConfigAssetReserve|ConfigAssetFreeze|ConfigAssetClawback|FreezeAsset|FreezeAssetAccount|FreezeAssetFrozen|NumAssets|NumApplications|GlobalNumUint|GlobalNumByteSlice|LocalNumUint|LocalNumByteSlice|ExtraProgramPages|Nonparticipation|NumLogs|CreatedAssetID|CreatedApplicationID|LastLog|StateProofPK|NumApprovalProgramPages|NumClearStateProgramPages|MinTxnFee|MinBalance|MaxTxnLife|ZeroAddress|GroupSize|LogicSigVersion|Round|LatestTimestamp|CurrentApplicationID|CreatorAddress|CurrentApplicationAddress|GroupID|OpcodeBudget|CallerApplicationID|CallerApplicationAddress|AssetCreateMinBalance|AssetOptInMinBalance|GenesisHash|PayoutsEnabled|PayoutsGoOnlineFee|PayoutsPercent|PayoutsMinBalance|PayoutsMaxBalance|ApplicationArgs|Accounts|Assets|Applications|Logs|ApprovalProgramPages|ClearStateProgramPages|URLEncoding|StdEncoding|JSONString|JSONUint64|JSONObject|AssetBalance|AssetFrozen|AssetTotal|AssetDecimals|AssetDefaultFrozen|AssetUnitName|AssetName|AssetURL|AssetMetadataHash|AssetManager|AssetReserve|AssetFreeze|AssetClawback|AssetCreator|AppApprovalProgram|AppClearStateProgram|AppGlobalNumUint|AppGlobalNumByteSlice|AppLocalNumUint|AppLocalNumByteSlice|AppExtraProgramPages|AppCreator|AppAddress|AcctBalance|AcctMinBalance|AcctAuthAddr|AcctTotalNumUint|AcctTotalNumByteSlice|AcctTotalExtraAppPages|AcctTotalAppsCreated|AcctTotalAppsOptedIn|AcctTotalAssetsCreated|AcctTotalAssets|AcctTotalBoxes|AcctTotalBoxBytes|AcctIncentiveEligible|AcctLastProposed|AcctLastHeartbeat|VoterBalance|VoterIncentiveEligible|VrfAlgorand|BlkSeed|BlkTimestamp|BlkProposer|BlkFeesCollected|BlkBonus|BlkBranch|BlkFeeSink|BlkProtocol|BlkTxnCounter|BlkProposerPayout|BN254g1|BN254g2|BLS12_381g1|BLS12_381g2|BN254Mp110|BLS12_381Mp111)\\b" } ] }, From 3d300f88ac8ce89edfcca75d48e48c0d4f1f69e1 Mon Sep 17 00:00:00 2001 From: giulio Date: Fri, 13 Dec 2024 21:24:26 +0100 Subject: [PATCH 10/12] Bump gnark-crypto to v0.14.0 --- data/transactions/logic/pairing.go | 28 ++++++++++++---------------- go.mod | 10 +++++----- go.sum | 23 ++++++++++++----------- 3 files changed, 29 insertions(+), 32 deletions(-) diff --git a/data/transactions/logic/pairing.go b/data/transactions/logic/pairing.go index fc61996e66..13df35c570 100644 --- a/data/transactions/logic/pairing.go +++ b/data/transactions/logic/pairing.go @@ -477,20 +477,18 @@ func bls12381G1MultiMulLarge(points []bls12381.G1Affine, scalarBytes []byte) ([] func bls12381G1MultiMulSmall(points []bls12381.G1Affine, scalarBytes []byte) ([]byte, error) { // There must be at least one point. Start with it, rather than the identity. k := new(big.Int).SetBytes(scalarBytes[:scalarSize]) - var sum bls12381.G1Jac - sum.ScalarMultiplicationAffine(&points[0], k) + var sum bls12381.G1Affine + sum.ScalarMultiplication(&points[0], k) for i := range points { if i == 0 { continue } k.SetBytes(scalarBytes[i*scalarSize : (i+1)*scalarSize]) - var prod bls12381.G1Jac - prod.ScalarMultiplicationAffine(&points[i], k) - sum.AddAssign(&prod) + var prod bls12381.G1Affine + prod.ScalarMultiplication(&points[i], k) + sum.Add(&sum, &prod) } - var res bls12381.G1Affine - res.FromJacobian(&sum) - return bls12381G1ToBytes(&res), nil + return bls12381G1ToBytes(&sum), nil } const bls12381G2MultiMulThreshold = 2 // determined by BenchmarkFindMultiMulCutoff @@ -794,20 +792,18 @@ func bn254G1MultiMulLarge(points []bn254.G1Affine, scalarBytes []byte) ([]byte, func bn254G1MultiMulSmall(points []bn254.G1Affine, scalarBytes []byte) ([]byte, error) { // There must be at least one point. Start with it, rather than the identity. k := new(big.Int).SetBytes(scalarBytes[:scalarSize]) - var sum bn254.G1Jac - sum.ScalarMultiplicationAffine(&points[0], k) + var sum bn254.G1Affine + sum.ScalarMultiplication(&points[0], k) for i := range points { if i == 0 { continue } k.SetBytes(scalarBytes[i*scalarSize : (i+1)*scalarSize]) - var prod bn254.G1Jac - prod.ScalarMultiplicationAffine(&points[i], k) - sum.AddAssign(&prod) + var prod bn254.G1Affine + prod.ScalarMultiplication(&points[i], k) + sum.Add(&sum, &prod) } - var res bn254.G1Affine - res.FromJacobian(&sum) - return bn254G1ToBytes(&res), nil + return bn254G1ToBytes(&sum), nil } const bn254G2MultiMulThreshold = 2 // determined by BenchmarkFindMultiMulCutoff diff --git a/go.mod b/go.mod index 9ec11b823e..9dd2e7a80a 100644 --- a/go.mod +++ b/go.mod @@ -18,7 +18,7 @@ require ( github.com/algorand/websocket v1.4.6 github.com/aws/aws-sdk-go v1.34.0 github.com/cockroachdb/pebble v0.0.0-20230807162746-af8c5f279001 - github.com/consensys/gnark-crypto v0.12.1 + github.com/consensys/gnark-crypto v0.14.0 github.com/davidlazar/go-crypto v0.0.0-20200604182044-b73af7476f6c github.com/dchest/siphash v1.2.1 github.com/fatih/color v1.13.0 @@ -46,7 +46,7 @@ require ( github.com/prometheus/client_golang v1.20.5 github.com/prometheus/client_model v0.6.1 github.com/sirupsen/logrus v1.8.1 - github.com/spf13/cobra v1.5.0 + github.com/spf13/cobra v1.8.1 github.com/stretchr/testify v1.9.0 go.opencensus.io v0.24.0 go.uber.org/zap v1.27.0 @@ -63,7 +63,7 @@ require ( github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect github.com/benbjohnson/clock v1.3.5 // indirect github.com/beorn7/perks v1.0.1 // indirect - github.com/bits-and-blooms/bitset v1.7.0 // indirect + github.com/bits-and-blooms/bitset v1.14.2 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/cockroachdb/errors v1.8.1 // indirect github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f // indirect @@ -73,7 +73,7 @@ require ( github.com/consensys/bavard v0.1.13 // indirect github.com/containerd/cgroups v1.1.0 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect - github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect github.com/docker/go-units v0.5.0 // indirect @@ -99,7 +99,7 @@ require ( github.com/hashicorp/golang-lru v1.0.2 // indirect github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect github.com/huin/goupnp v1.3.0 // indirect - github.com/inconshreveable/mousetrap v1.0.0 // indirect + github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/invopop/yaml v0.1.0 // indirect github.com/ipfs/boxo v0.24.3 // indirect github.com/ipfs/go-cid v0.4.1 // indirect diff --git a/go.sum b/go.sum index fdee6063f8..06f65adcac 100644 --- a/go.sum +++ b/go.sum @@ -52,8 +52,8 @@ github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZx github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/bits-and-blooms/bitset v1.7.0 h1:YjAGVd3XmtK9ktAbX8Zg2g2PwLIMjGREZJHlV4j7NEo= -github.com/bits-and-blooms/bitset v1.7.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA= +github.com/bits-and-blooms/bitset v1.14.2 h1:YXVoyPndbdvcEVcseEovVfp0qjJp7S+i5+xgp/Nfbdc= +github.com/bits-and-blooms/bitset v1.14.2/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8= github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w= github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g= github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= @@ -86,8 +86,8 @@ github.com/cockroachdb/tokenbucket v0.0.0-20230613231145-182959a1fad6/go.mod h1: github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM= github.com/consensys/bavard v0.1.13 h1:oLhMLOFGTLdlda/kma4VOJazblc7IM5y5QPd2A/YjhQ= github.com/consensys/bavard v0.1.13/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI= -github.com/consensys/gnark-crypto v0.12.1 h1:lHH39WuuFgVHONRl3J0LRBtuYdQTumFSDtJF7HpyG8M= -github.com/consensys/gnark-crypto v0.12.1/go.mod h1:v2Gy7L/4ZRosZ7Ivs+9SfUDr0f5UlG+EM5t7MPHiLuY= +github.com/consensys/gnark-crypto v0.14.0 h1:DDBdl4HaBtdQsq/wfMwJvZNE80sHidrK3Nfrefatm0E= +github.com/consensys/gnark-crypto v0.14.0/go.mod h1:CU4UijNPsHawiVGNxe9co07FkzCeWHHrb1li/n1XoU0= github.com/containerd/cgroups v0.0.0-20201119153540-4cbc285b3327/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE= github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw= @@ -101,8 +101,8 @@ github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= @@ -267,8 +267,9 @@ github.com/huin/goupnp v1.3.0 h1:UvLUlWDNpoUdYzb2TCn+MuTWtcjXKSza2n6CBdQ0xXc= github.com/huin/goupnp v1.3.0/go.mod h1:gnGPsThkYa7bFi/KWmEysQRf48l2dvR5bxr2OFckNX8= github.com/hydrogen18/memlistener v0.0.0-20141126152155-54553eb933fb/go.mod h1:qEIFzExnS6016fRpRfxrExeVn2gbClQA99gQhnIcdhE= github.com/imkira/go-interpol v1.1.0/go.mod h1:z0h2/2T3XF8kyEPpRgJ3kmNv+C43p+I/CoI+jC3w2iA= -github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/invopop/yaml v0.1.0 h1:YW3WGUoJEXYfzWBjn00zIlrw7brGVD0fUKRYDPAPhrc= github.com/invopop/yaml v0.1.0/go.mod h1:2XuRLgs/ouIrW3XNzuNj7J3Nvu/Dig5MXvbCEdiBN3Q= github.com/ipfs/boxo v0.24.3 h1:gldDPOWdM3Rz0v5LkVLtZu7A7gFNvAlWcmxhCqlHR3c= @@ -356,8 +357,8 @@ github.com/labstack/echo/v4 v4.9.1/go.mod h1:Pop5HLc+xoc4qhTZ1ip6C0RtP7Z+4VzRLWZ github.com/labstack/gommon v0.3.0/go.mod h1:MULnywXg0yavhxWKc+lOruYdAhDwPK9wf0OL7NoOu+k= github.com/labstack/gommon v0.4.0 h1:y7cvthEAEbU0yHOf4axH8ZG2NH8knB9iNSoTO8dyIk8= github.com/labstack/gommon v0.4.0/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM= -github.com/leanovate/gopter v0.2.9 h1:fQjYxZaynp97ozCzfOyOuAGOU4aU/z37zf/tOujFk7c= -github.com/leanovate/gopter v0.2.9/go.mod h1:U2L/78B+KVFIx2VmW6onHJQzXtFb+p5y3y2Sh+Jxxv8= +github.com/leanovate/gopter v0.2.11 h1:vRjThO1EKPb/1NsDXuDrzldR28RLkBflWYcU9CvzWu4= +github.com/leanovate/gopter v0.2.11/go.mod h1:aK3tzZP/C+p1m3SPRE4SYZFGP7jjkuSI4f7Xvpt0S9c= github.com/lib/pq v1.0.0 h1:X5PMW56eZitiTeO7tKzZxFCSpbFZJtkMMooicw2us9A= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/libp2p/go-buffer-pool v0.1.0 h1:oK4mSFcQz7cTQIfqbe4MIj9gLW+mnanjyFtc6cdF0Y8= @@ -627,8 +628,8 @@ github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= -github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU= -github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= From 7aa9f45c9a5ccef0e739c7654368e0464422fbca Mon Sep 17 00:00:00 2001 From: giulio Date: Fri, 13 Dec 2024 21:25:06 +0100 Subject: [PATCH 11/12] Clarify mimc test cases generation --- data/transactions/logic/crypto_test.go | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/data/transactions/logic/crypto_test.go b/data/transactions/logic/crypto_test.go index c850e921c6..c0ffd76242 100644 --- a/data/transactions/logic/crypto_test.go +++ b/data/transactions/logic/crypto_test.go @@ -118,14 +118,23 @@ byte 0x98D2C31612EA500279B6753E5F6E780CA63EBA8274049664DAD66A2565ED1D2A } func TestMimc(t *testing.T) { + // We created test vectors for the MiMC hash function by defining a set of preimages for different + // input sizes and calling gnark-crypto's MiMC implementation to compute the expected hash values. + // E.g.: + // import "github.com/consensys/gnark-crypto/ecc/bn254/fr/mimc" + // hasher := mimc.NewMiMC() + // hasher.Write(inputBytes) + // hashBytes := hasher.Sum(nil) + // Since we are hardcoding the expected hash values, we are also testing that gnark-crypto's MiMC + // output does not change under the hood with new versions. + // + // We test that malformed inputs panic, in particular we test malfornmed inputs of: + // 0 length, lenghts not multiple of 32 bytes, chunks representing values greater than the modulus. + // We test that well formed inputs hash correctly, testing both single chunk inputs (32-byte) and + // multiple chunk inputs (96 bytes). partitiontest.PartitionTest(t) t.Parallel() - // Test vectors from https://github.com/giuliop/test-mimc-opcodes/blob/main/mimctest/main.go - // generated by instantiating a zk-circuit that processes MiMC hash of the preimages. - // We test success for 32-byte and 96-byte preimages, and failure for preimage input size of 0, - // input size not multiple of 32 bytes, and chunks representing values greater than the modulus. - type PreImageTestVector struct { PreImage string ShouldSucceed bool @@ -175,7 +184,6 @@ func TestMimc(t *testing.T) { circuitHash := n.Bytes() progText := fmt.Sprintf(`byte %s mimc %s - byte 0x%x ==`, preImageTestVector.PreImage, config, circuitHash) if preImageTestVector.ShouldSucceed { From 59376ee4a5e3f52c86e30423e426e6e0503ab7be Mon Sep 17 00:00:00 2001 From: giulio Date: Fri, 13 Dec 2024 22:45:20 +0100 Subject: [PATCH 12/12] Roll back gnark-crypto --- go.mod | 10 +++++----- go.sum | 23 +++++++++++------------ 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/go.mod b/go.mod index 9dd2e7a80a..9ec11b823e 100644 --- a/go.mod +++ b/go.mod @@ -18,7 +18,7 @@ require ( github.com/algorand/websocket v1.4.6 github.com/aws/aws-sdk-go v1.34.0 github.com/cockroachdb/pebble v0.0.0-20230807162746-af8c5f279001 - github.com/consensys/gnark-crypto v0.14.0 + github.com/consensys/gnark-crypto v0.12.1 github.com/davidlazar/go-crypto v0.0.0-20200604182044-b73af7476f6c github.com/dchest/siphash v1.2.1 github.com/fatih/color v1.13.0 @@ -46,7 +46,7 @@ require ( github.com/prometheus/client_golang v1.20.5 github.com/prometheus/client_model v0.6.1 github.com/sirupsen/logrus v1.8.1 - github.com/spf13/cobra v1.8.1 + github.com/spf13/cobra v1.5.0 github.com/stretchr/testify v1.9.0 go.opencensus.io v0.24.0 go.uber.org/zap v1.27.0 @@ -63,7 +63,7 @@ require ( github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect github.com/benbjohnson/clock v1.3.5 // indirect github.com/beorn7/perks v1.0.1 // indirect - github.com/bits-and-blooms/bitset v1.14.2 // indirect + github.com/bits-and-blooms/bitset v1.7.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/cockroachdb/errors v1.8.1 // indirect github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f // indirect @@ -73,7 +73,7 @@ require ( github.com/consensys/bavard v0.1.13 // indirect github.com/containerd/cgroups v1.1.0 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect - github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect github.com/docker/go-units v0.5.0 // indirect @@ -99,7 +99,7 @@ require ( github.com/hashicorp/golang-lru v1.0.2 // indirect github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect github.com/huin/goupnp v1.3.0 // indirect - github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/inconshreveable/mousetrap v1.0.0 // indirect github.com/invopop/yaml v0.1.0 // indirect github.com/ipfs/boxo v0.24.3 // indirect github.com/ipfs/go-cid v0.4.1 // indirect diff --git a/go.sum b/go.sum index 06f65adcac..fdee6063f8 100644 --- a/go.sum +++ b/go.sum @@ -52,8 +52,8 @@ github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZx github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/bits-and-blooms/bitset v1.14.2 h1:YXVoyPndbdvcEVcseEovVfp0qjJp7S+i5+xgp/Nfbdc= -github.com/bits-and-blooms/bitset v1.14.2/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8= +github.com/bits-and-blooms/bitset v1.7.0 h1:YjAGVd3XmtK9ktAbX8Zg2g2PwLIMjGREZJHlV4j7NEo= +github.com/bits-and-blooms/bitset v1.7.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA= github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w= github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g= github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= @@ -86,8 +86,8 @@ github.com/cockroachdb/tokenbucket v0.0.0-20230613231145-182959a1fad6/go.mod h1: github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM= github.com/consensys/bavard v0.1.13 h1:oLhMLOFGTLdlda/kma4VOJazblc7IM5y5QPd2A/YjhQ= github.com/consensys/bavard v0.1.13/go.mod h1:9ItSMtA/dXMAiL7BG6bqW2m3NdSEObYWoH223nGHukI= -github.com/consensys/gnark-crypto v0.14.0 h1:DDBdl4HaBtdQsq/wfMwJvZNE80sHidrK3Nfrefatm0E= -github.com/consensys/gnark-crypto v0.14.0/go.mod h1:CU4UijNPsHawiVGNxe9co07FkzCeWHHrb1li/n1XoU0= +github.com/consensys/gnark-crypto v0.12.1 h1:lHH39WuuFgVHONRl3J0LRBtuYdQTumFSDtJF7HpyG8M= +github.com/consensys/gnark-crypto v0.12.1/go.mod h1:v2Gy7L/4ZRosZ7Ivs+9SfUDr0f5UlG+EM5t7MPHiLuY= github.com/containerd/cgroups v0.0.0-20201119153540-4cbc285b3327/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE= github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw= @@ -101,8 +101,8 @@ github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= -github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w= +github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= @@ -267,9 +267,8 @@ github.com/huin/goupnp v1.3.0 h1:UvLUlWDNpoUdYzb2TCn+MuTWtcjXKSza2n6CBdQ0xXc= github.com/huin/goupnp v1.3.0/go.mod h1:gnGPsThkYa7bFi/KWmEysQRf48l2dvR5bxr2OFckNX8= github.com/hydrogen18/memlistener v0.0.0-20141126152155-54553eb933fb/go.mod h1:qEIFzExnS6016fRpRfxrExeVn2gbClQA99gQhnIcdhE= github.com/imkira/go-interpol v1.1.0/go.mod h1:z0h2/2T3XF8kyEPpRgJ3kmNv+C43p+I/CoI+jC3w2iA= +github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= -github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= -github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/invopop/yaml v0.1.0 h1:YW3WGUoJEXYfzWBjn00zIlrw7brGVD0fUKRYDPAPhrc= github.com/invopop/yaml v0.1.0/go.mod h1:2XuRLgs/ouIrW3XNzuNj7J3Nvu/Dig5MXvbCEdiBN3Q= github.com/ipfs/boxo v0.24.3 h1:gldDPOWdM3Rz0v5LkVLtZu7A7gFNvAlWcmxhCqlHR3c= @@ -357,8 +356,8 @@ github.com/labstack/echo/v4 v4.9.1/go.mod h1:Pop5HLc+xoc4qhTZ1ip6C0RtP7Z+4VzRLWZ github.com/labstack/gommon v0.3.0/go.mod h1:MULnywXg0yavhxWKc+lOruYdAhDwPK9wf0OL7NoOu+k= github.com/labstack/gommon v0.4.0 h1:y7cvthEAEbU0yHOf4axH8ZG2NH8knB9iNSoTO8dyIk8= github.com/labstack/gommon v0.4.0/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM= -github.com/leanovate/gopter v0.2.11 h1:vRjThO1EKPb/1NsDXuDrzldR28RLkBflWYcU9CvzWu4= -github.com/leanovate/gopter v0.2.11/go.mod h1:aK3tzZP/C+p1m3SPRE4SYZFGP7jjkuSI4f7Xvpt0S9c= +github.com/leanovate/gopter v0.2.9 h1:fQjYxZaynp97ozCzfOyOuAGOU4aU/z37zf/tOujFk7c= +github.com/leanovate/gopter v0.2.9/go.mod h1:U2L/78B+KVFIx2VmW6onHJQzXtFb+p5y3y2Sh+Jxxv8= github.com/lib/pq v1.0.0 h1:X5PMW56eZitiTeO7tKzZxFCSpbFZJtkMMooicw2us9A= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/libp2p/go-buffer-pool v0.1.0 h1:oK4mSFcQz7cTQIfqbe4MIj9gLW+mnanjyFtc6cdF0Y8= @@ -628,8 +627,8 @@ github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= -github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= -github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= +github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU= +github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=