Range-Checks

In most cases, tables deal with U256 words, split into 32-bit limbs (to avoid overflowing the field). To prevent a malicious prover from cheating, it is crucial to range-check those limbs.

One can note that every element that ever appears on the stack has been pushed. Therefore, enforcing a range-check on pushed elements is enough to range-check all elements on the stack. Similarly, all elements in memory must have been written prior, and therefore it is enough to range-check memory writes. However, range-checking the PUSH and MSTORE opcodes is not sufficient.

Pushes and memory writes for "MSTORE_32BYTES" are range-checked in "BytePackingStark", except PUSH operations happening in privileged mode. See push_general_view.
Syscalls, exceptions and prover inputs are range-checked in "ArithmeticStark".
The inputs and outputs of binary and ternary arithmetic operations are range-checked in "ArithmeticStark".
The inputs' bits of logic operations are checked to be either 1 or 0 in "LogicStark". Since "LogicStark" only deals with bitwise operations, this is enough to have range-checked outputs as well.
The inputs of Keccak operations are range-checked in "KeccakStark". The output digest is written as bytes in "KeccakStark". Those bytes are used to reconstruct the associated 32-bit limbs checked against the limbs in "CpuStark". This implicitly ensures that the output is range-checked.

Note that some operations do not require a range-check:

"MSTORE_GENERAL" read the value to write from the stack. Thus, the written value was already range-checked by a previous push.
"EQ" reads two -- already range-checked -- elements on the stack, and checks they are equal. The output is either 0 or 1, and does therefore not need to be checked.
"NOT" reads one -- already range-checked -- element. The result is constrained to be equal to $0xFFFFFFFF - input$ , which implicitly enforces the range check.
"PC": the program counter cannot be greater than $2^{32}$ in user mode. Indeed, the user code cannot be longer than $2^{32}$ , and jumps are constrained to be JUMPDESTs. Moreover, in kernel mode, every jump is towards a location within the kernel, and the kernel code is smaller than $2^{32}$ . These two points implicitly enforce $PC$ 's range check.
"GET_CONTEXT", "DUP" and "SWAP" all read and push values that were already written in memory. The pushed values were therefore already range-checked.

Range-checks are performed on the range $[0, 2^{16} - 1]$ , to limit the trace length.

Lookup Argument

To enforce the range-checks, we leverage logUp, a lookup argument by Ulrich Häbock. Given a looking table $s = (s_{1}, ..., s_{n})$ and a looked table $t = (t_{1}, ..., t_{m})$ , the goal is to prove that $\forall1 \leq i \leq n, \exists1 \leq j \leq r such that s_{i} = t_{j}$

In our case, $t = (0, .., 2^{16} - 1)$ and $s$ is composed of all the columns in each STARK that must be range-checked.

The logUp paper explains that proving the previous assertion is actually equivalent to proving that there exists a sequence $l$ such that:

$i = 1 \sum n \frac{1}{X - s _{i}} = j = 1 \sum r \frac{l _{j}}{X - t _{j}}$

The values of $s$ can be stored in $c$ different columns of length $n$ each. In that case, the equality becomes:

$k = 1 \sum c i = 1 \sum n \frac{1}{X - s _{i}^{k}} = j = 1 \sum r \frac{l _{j}}{X - t _{j}}$

The 'multiplicity' $m_{i}$ of value $t_{i}$ is defined as the number of times $t_{i}$ appears in $s$ . In other words:

$m_{i} = ∣ s_{j} \in s; s_{j} = t_{i} ∣$

Multiplicities provide a valid sequence of values in the previously stated equation. Thus, if we store the multiplicities, and are provided with a challenge $α$ , we can prove the lookup argument by ensuring:

$k = 1 \sum c i = 1 \sum n \frac{1}{α - s _{i}^{k}} = j = 1 \sum r \frac{m _{j}}{α - t _{j}}$

However, the equation is too high degree. To circumvent this issue, Häbock suggests providing helper columns $h_{i}$ and $d$ such that at a given row $i$ : $h_{i}^{k} = \frac{1}{α + s _{i}^{k}} \forall1 \leq k \leq c d_{i} = \frac{1}{α + t _{i}}$

The $h$ helper columns can be batched together to save columns. We can batch at most $constraint_degree - 1$ helper functions together. In our case, we batch them 2 by 2. At row $i$ , we now have: $h_{i}^{k} = \frac{1}{α + s _{i}^{2 k}} + \frac{1}{α + s _{i}^{2 k + 1}} \forall1 \leq k \leq c /2$

If $c$ is odd, then we have one extra helper column: $h_{i}^{c /2 + 1} = \frac{1}{α + s _{i}^{c}}$

For clarity, we will assume that $c$ is even in what follows.

Let $g$ be a generator of a subgroup of order $n$ . We extrapolate $h, m$ and $d$ to get polynomials such that, for $f \in {h^{k}, m, g}$ : $f (g^{i}) = f_{i}$ .

We can define the following polynomial: $Z (x) := i = 1 \sum n [k = 1 \sum c /2 h^{k} (x) - m (x) * d (x)]$

Constraints

With these definitions and a challenge $α$ , we can finally check that the assertion holds with the following constraints: $Z (1) = 0 Z (gα) = Z (α) + k = 1 \sum c /2 h^{k} (α) - m (α) d (α)$

These ensure that We also need to ensure that $h^{k}$ is well constructed for all $1 \leq k \leq c /2$ :

$h (α)^{k} \cdot (α + s_{2 k}) \cdot (α + s_{2 k + 1}) = (α + s_{2 k}) + (α + s_{2 k + 1})$

Note: if $c$ is odd, we have one unbatched helper column $h^{c /2 + 1}$ for which we need a last constraint:

$h (α)^{c /2 + 1} \cdot (α + s_{c}) = 1$

Finally, the verifier needs to ensure that the table $t$ was also correctly computed. In each STARK, $t$ is computed starting from 0 and adding at most 1 at each row. This construction is constrained as follows:

$t (1) = 0$
$(t (g^{i + 1}) - t (g^{i})) \cdot ((t (g^{i + 1}) - t (g^{i})) - 1) = 0$
$t (g^{n - 1}) = 2^{16} - 1$

The Polygon Zero zkEVM Book

Range-checks

What to range-check?

Lookup Argument

Constraints