Technical Design: VM

The content of this section is largely copied from the Valida Working ISA Spec. This is a work in progress.

Architecture

A Valida zkVM consists of a CPU and several coprocessors, which are connected with communication buses. A basic example of a machine layout, omitting some standard chips for simplicity, would be

Communication buses are iplemented usinpermutation arguments (either grand product or multi-set checks), and may be multiplexed for efficiency when only one of a subset of buses will be used in a given cycle.

There are multiple VM configurations. The "Core" configuration is always present, and provides instructions for basic control flow and memory access. Additional configurations, such as "Field Arithmetic" or "Additional Jump" build upon the core configuration and offer additional instructions.

Instruction format

Instructions are encoded in groups of 6 field elements. The first element in the group contains the opcode, followed by three elements representing the operands and two immediate value flags: $\text{opcode}, \text{op}_a$, $\text{op}_b$, $\text{op}_c$, $\text{imm}_b$, $\text{imm}_c$.

Program ROM

Our VM operates under the Harvard architecture, where progrom code is stored separately from main memory. Code is addressed by any field element, starting from $0$. The program counter pc stores the location (a field element) of the instruction that is being executed.

Memory

Memory is comprised of word-addressable cells. A given cell contains 4 field elements, each of which are typically used to store a single byte (arbitrary field elements can also be stored). All core and ALU-related instructions operate on cells (i.e. any operand address is word aligned -- a multiple of 4). In the VM compiler, the address of newly added local variables in the stack is word aligned.

For example, a U32 is represented in memory by its byte decomposition (4 elements). To initialize a U32 from an immediate value, we use the SETL16 instruction (see the complete instruction list below), which sets the first two bytes in memory. To initialize a U32 value greater than 16 bits, we can also call the SETH16 instruction to set the upper two bytes.

Immediate Values

Our VM cannot represent operand values that are greater than the prime $p$, and cannot distinguish between $0$ and $p$. Therefore, any immediate values greater than or equal to $p$ need to be expanded into smaller values.

Registers

Our zkVM does not operate on general purpose registers. Instead, instructions refer to variables local to the call frame, i.e. relative to the current frame pointer fp.

Notation

The following notation is used throughout this document:

Operand values: opa, opb, opc denote the value encoded in the operand a, b, or c of the current instruction.

CPU registers: fp, pc denote the value of the current frame pointer and program counter, respectively.

Relative addressing: [a] denote the cell value at address a offset from fp, i.e. fp + a. Variables local to the call frame are denoted in this form. Note that we are omitting fp in the expression here, but that the first dereference of an operand is always relative to the frame pointer.

Absolute addressing: [[a]] denotes the cell value at absolute address [a]. Heap-allocated values are denoted in this form.

To refer to relative or absolute element values, we use the notation $[a]_\text{elem}$ or $[[a]]_\text{elem}$ respectively.

Instruction list

Each instruction contains 5 field element operands, $a, b, c, d, e$. Often, $d$ and $e$ are binary flags indicating whther operands $a$ and $b$ are immediate values or relative offets.

Listed below are the instructions offered in each configuration.

Core

Mnemonic	Operands(asm)	Description
LW / LOAD32	a(fp), c(fp)	Follow the pointer stored at offset $c$ from the current frame pointer and write the next 4 byte values to those beginning at offset a. Operand $b$ is unused, but is constrained to $[c]$ in the trace. LOAD32 is used to load 4 bytes from the heap, and is aligned (i.e. the address at offset $c$ is assumed to be a multiple of $4$).
SW / STORE32	b(fp), c(fp)	Write the 4 byte values beginning at the address stroed at offset $c$ to those beginning at offset $b$. Operand $a$ is unused, but is constrained to $[c]$ in the trace. STORE32 is used to write 4 bytes to the heap, and is aligned.
LOADFP	a(fp), b	Load the value of fp + b into local stack variable at offset a.
JAL	a(fp), b, c	Jump to address and link: Store the $pc+1$ to local stack variable at offset $a$, then set $pc$ to field element $b$. Set $fp$ to $fp + c$.
JALV	a(fp), b(fp), c(fp)	Jump to variable and link: Store the $pc+1$ to local stack variable at offset $a$, then set $pc$ to the field element $[b]_{elem}$. Set $fp$ to fp+$[c]$.
BEQ	a, b(fp), c(fp)	If $[b] = [c]$, then set the program counter $\text{pc}$ to $a$
BEQI	a, b(fp), c	If $[b] = c$, then set the program counter $\text{pc}$ to $a$
BNE	a, b(fp), c(fp)	If $[b] \neq [c]$, then set the program counter $\text{pc}$ to $a$
BNEI	a, b(fp), c	If $[b] \neq c$, then set the program counter $\text{pc}$ to $a$
IMM32	a(fp), b, c, d, e	Write the immediate values $b, c, d, e$ to the cell located at offset $a$.
STOP	No operands	Halt the program.
READ_ADVICE	a(fp)	Read the next byte on the input tape into the cell located at offset a.

Field arithmetic

Mnemonic	Operands(asm)	Description
FEADD	a(fp), b(fp), c(fp)	$d$ and $e$ are a flags denoting whether $a$ and $b$ are interpreted as an immediate or offset. Let $A = a$ if $d = 1$ and $[a]_{elem}$ otherwise. Let $B = b$ if $e = 1$ and $[b]_{elem}$ otherwise. The instruction compute $A + B$, and write the result to offset $c$
FEMUL	a(fp), b(fp), c(fp)	$d$ and $e$ are a flags denoting whether $a$ and $b$ are interpreted as an immediate or offset. Let $A = a$ if $d = 1$ and $[a]_{elem}$ otherwise. Let $B = b$ if $e = 1$ and $[b]_{elem}$ otherwise. The instruction compute $A \cdot B$, and write the result to offset $c$
TO_FE	a(fp), b(fp)	Convert an U32, represented by 4 field elements starting at offset b, to a field element stored to the first field element at offset $a$. $a$ is assuemd to be a multiple of $4$.
FROM_FE	a(fp), b(fp)	Convert a field element $[b]_{elem}$ to an U32 stored at offset a, which is assumed to be a multiple of $4$.

Note that field arithmetic instructions only operate on the first element in a cell, which represents a field element instead of a single byte.

U32 Arithmetic

Mnemonic	Operands(asm)	Description
ADD	a(fp), b(fp), c(fp)	Compute the unchecked addition of the U32 values at cell offsets $b$ and $c$ and write the sum to cell offset $a$. Note that because a full 32-bit value does not fit within one field element, we assume that values have been decomposed into 4 8-byte elements. The summed output is stored at cell offset $a$. The same limb decomposition is used for the other U32 operations listed below.
ADDI	a(fp), b(fp), c	Compute the unchecked addition of the U32 variable at cell offsets $b$ and an immediate $c$, and write the sum to cell offset $a$.
SUB	a(fp), b(fp), c(fp)	Unchecked subtraction
SUBI	a(fp), b(fp), c	Unchecked subtraction
MUL	a(fp), b(fp), c(fp)	Unchecked multiplication
MULI	a(fp), b(fp), c	Unchecked multiplication
MULHU	a(fp), b(fp), c(fp)	High bits of unsigned multiplication
MULHUI	a(fp), b(fp), c	High bits of unsigned multiplication
MULHS	a(fp), b(fp), c(fp)	High bits of signed multiplication
MULHSI	a(fp), b(fp), c	High bits of signed multiplication
DIV	a(fp), b(fp), c(fp)	Unsigned division
DIVI	a(fp), b(fp), c	Unsigned division
SDIV	a(fp), b(fp), c(fp)	Signed division
SDIVI	a(fp), b(fp), c	Signed division
SH{L,R}	a(fp), b(fp), c(fp)	Bitwise shift [b] left/right by [c] and write to offset $a$.
SH{L,R}I	a(fp), b(fp), c	Bitwise shift [b] left/right by c and write to offset $a$.
SRA	a(fp), b(fp), c(fp)	Arithmetic shift b right by [c] and write to offset $a$.
SRAI	a(fp), b(fp), c	Arithmetic shift b right by c and write to offset $a$
LT	a(fp), b(fp), c(fp)	Set local variable $a$ to $1$ if $[b] < [c]$ and $0$ otherwise. Uses unsigned comparison.
LTI	a(fp), b(fp), c	Set local variable $a$ to $1$ if $[b] < c$ and $0$ otherwise. Uses unsigned comparison.
NE	a(fp), b(fp), c(fp)	Set local variable a to 0 if [b] = [c] and 1 otherwise.
NEI	a(fp), b(fp), c	Set local variable a to 0 if [b] = c and 1 otherwise.
EQ	a(fp), b(fp), c(fp)	Set local variable a to 1 if [b] = [c] and 0 otherwise.
EQI	a(fp), b(fp), c	Set local variable a to 1 if [b] = c and 0 otherwise.

Bitwise

Mnemonic	Operands(asm)	Description
AND	a(fp), b(fp), c(fp)	Set $[a]$ to $[b]$ bitwise-and $[c]$
ANDI	a(fp), b(fp), c	Set $[a]$ to $[b]$ bitwise-and c
OR	a(fp), b(fp), c(fp)	Set $[a]$ to $[b]$ bitwise-or $[c]$
ORI	a(fp), b(fp), c	Set $[a]$ to $[b]$ bitwise-or c
XOR	a(fp), b(fp), c(fp)	Set $[a]$ to $[b]$ bitwise-xor $[c]$
XORI	a(fp), b(fp), c	Set $[a]$ to $[b]$ bitwise-xor c

Output

Mnemonic	Operands(asm)	Description
WRITE	b(fp)	Write byte $[b]$ to the output

Byte Manipulation

Note: These will not be supported in the initial version.

Instruction	Operands(asm)
LOAD8	a(fp), b(fp)	Load a byte at the address specified by local variable at offset $b$ to local variable at offset $a$.
STORE8	b(fp), c(fp)	Store a byte encoded at offset $c$ to the address encoded in offset $b$
STORE8I	b(fp), c	Store a byte encoded in the field element $c$ to the address encoded in offset $b$

Heap allocation

Notes:

• Fixed configurable stack size (e.g. 8MB), growing in opposite direction of the heap.

• Allocate-only malloc (no de-allocation using free)

Assembly

Instructions

We will closely follow RISC-V assembly, making modifications as necessary. The most important difference between our zkVM assembly and RV32IM is that instead of registers x0-31, we only have two special-purpose registers fp and pc. However, we have (up to $2^{31}-1$) local variables, addressed relative to the current frame point fp.

Calling convention / stack frame

Stack (grows downwards, i.e. address decreases from top row to bottom row)
Arg 2
Arg 1
Return FP offset
Return value
Return address
Local 1 (<- Current fp)
Local 2
...
Local N

We follow the RISC-V convention and grows the stack downwards. For a function call, the arguments are pushed onto the stack in reverse order. We only allow statically sized allocation on the stack, unlike traditional architectures where alloca can be used to allocate dynamically. All dynamic allocation will be compiled to heap allocations. We have a special-purpose register dedicated to holding the frame pointer, but not a special-purpose register dedicated to holding the stack pointer.

Note that:

• Functions arguments are stored at fp+16, fp+20, ...

• Return FP offset (the value to add to FP to get to the value of FP before the call) is stored at fp+12

• Return value is stored at fp+8

• Return address is stored at fp+4

• Local variables are stored at fp, fp-4, fp-8, ...

Pseudo instructions

Pseudo Instruction	Instruction
call label	jal 0(fp), -b, label; addifp b, where b is size of the current stack frame plus the call frame size for instantiate a call to lable
ret	jalv 4(fp), 0(fp), 12(fp), set pc to [fp] where the return address is stored

Implementing MEMCPY/SET/MOVE

Memcpy will require roughly 2 cycles per word. We can follow this memcpy implementation on RISC-V.

Heap allocations

Example programs

Multiply stored immediates and return

define i32 @main() {
  %1 = alloca i32, align 4
  %2 = alloca i32, align 4
  %3 = alloca i32, align 4
  store i32 24, i32* %1, align 4
  store i32 7, i32* %2, align 4
  %4 = load i32, i32* %1, align 4
  %5 = load i32, i32* %2, align 4
  %6 = mul nsw i32 %4, %5
  store i32 %6, i32* %3, align 4
  %7 = load i32, i32* %1, align 4
  ret i32 %7
}

main:
  sub      -4(fp), 0(fp), 0(fp)      # Setup the 0 local variable at fp - 4
  add     -8(fp), -4(fp), 24,    # Set [fp - 8] to 24
  add    -12(fp), -4(fp), 7,     # Set [fp - 12] to 7

  mul     -16(fp), 8(fp), 12(fp)    # Set [fp - 16] to 24 * 7 

  add    4(fp), -8(fp), 0     # Set return value at [fp + 4] to [fp - 8]
  ret

Multiply arguments and return

define i32 @main() {
  %1 = alloca i32, align 4
  store i32 0, i32* %1, align 4
  %2 = call i32 @mul(i32 938253, i32 7)
  ret i32 %2
}

define i32 @mul2(i32 %0, i32 %1) {
  %3 = alloca i32, align 4
  %4 = alloca i32, align 4
  store i32 %0, i32* %3, align 4
  store i32 %1, i32* %4, align 4
  %5 = load i32, i32* %3, align 4
  %6 = load i32, i32* %4, align 4
  %7 = mul nsw i32 %5, %6
  ret i32 %7
}

main: 
    imm32     -4(fp), 938253
    imm32     -8(fp), 7
    call         mul2
    # call translates to
    # jal 0(fp), -16, mul2  " store pc + 1 to [fp], add -16 to fp, set pc to mul2
    # addifp         16

    ret

mul2:
    mul    4(fp), 8(fp), 12(fp)
    ret

The stack at the time of executing mul inside mul (line 11) looks like:

Stack
.. (<- fp of main)
7
938253
0 (before mul2) -> 6567771 (after mul2)
main:7 (<- fp of mul2)

Trace

Main CPU

Columns	Configuration	Description
$\text{clk}$	Core	Clock cycle
$\text{pc}$	Core	Program counter
$\text{fp}$	Core	Frame pointer
$\text{opcode}$	Core	Instruction opcode
$\text{op}_a$	Core	Operand $a$
$\text{op}_b$	Core	Operand $b$
$\text{op}_c$	Core	Operand $c$
$\text{op}_d$	Core	Operand $d$, flag for if $\text{op}_a$ is immediate or offset.
$\text{op}_e$	Core	Operand $e$, flag for if $\text{op}_b$ is immediate or offset.
$\text{addr}_a$	Core	$\text{fp} + \text{op}_a$ (if $\text{op}_d$ is not set)
$\text{addr}_b$	Core	$\text{fp} + \text{op}_b$ (if $\text{op}_e$ is not set)
$\text{addr}_c$	Core	$\text{fp} + \text{op}_c$

Columns $\text{opcode}, \text{op}_a, \text{op}_b, \text{op}_c, \text{op}_d, \text{op}_e$ are specified by the program code (see the "Instruction Trace" section below).

Trace cells are also allocated to hold buffered read memory values for $\text{addr}_a$ and $\text{addr}_b$, and buffered write values for $\text{addr}_c$. We read and write 4 elements from memory at a time to the main trace. These elements are only constrained when the immediate value flags are not set (see the "Instruction Decoding" section below):

Cell	Configuration	Description
$v_{a,0}$	Core	$[\text{addr}_a]_\text{elem}$
$v_{a,1}$	Core	$[\text{addr}_a+1]_\text{elem}$
$v_{a,2}$	Core	$[\text{addr}_a+2]_\text{elem}$
$v_{a,3}$	Core	$[\text{addr}_a+3]_\text{elem}$
$v_{b,0}$	Core	$[\text{addr}_b]_\text{elem}$
$v_{b,1}$	Core	$[\text{addr}_b+1]_\text{elem}$
$v_{b,2}$	Core	$[\text{addr}_b+2]_\text{elem}$
$v_{b,3}$	Core	$[\text{addr}_b+3]_\text{elem}$
$v_{c,0}$	Core	Value written to $\text{addr}_c$
$v_{c,1}$	Core	Value written to $\text{addr}_c+1$
$v_{c,2}$	Core	Value written to $\text{addr}_c+2$
$v_{c,3}$	Core	Value written to $\text{addr}_c+3$

Memory

Cell	Description
$\text{addr}$	Address
$\text{clk}$	Clock cycle
$\text{val}_0$	Value 0
$\text{val}_1$	Value 1
$\text{val}_2$	Value 2
$\text{val}_3$	Value 3
$d_0$	Lower 16 bits of $\text{clk}'-\text{clk}-1$
$d_1$	Upper 16 bits of $\text{clk}'-\text{clk}-1$
$t$	Nondeterministic inverse of $\text{addr}'-\text{addr}$

The memory table is sorted by ($\text{addr}, \text{clk}$)

U32 Arithmetic

TODO: Replace this trace table and associated constraints with more efficient nondeterministic methods

Cell	Description
$\text{clk}$	Clock cycle
$s_\text{instr}$	Requested instruction (constrained by communication bus)
$s_\text{add}$	Selector flag for addition
$s_\text{sub}$	Selector flag for subtraction
$s_\text{mul}$	Selector flag for multiplication
$s_\text{div}$	Selector flag for division
s_\text{checked_add}	Selector flag for checked addition (requires $s_\text{add}$ to be set as well)
s_\text{checked_mul}	Selector flag for checked multiplication (requires $s_\text{mul}$ to be set as well)
$a$	Address of input 1
$b$	Address of input 2
$c$	Address of output
$a_0$	Input 1 (12-bit limb)
$a_1$	Input 1 (12-bit limb)
$a_2$	Input 1 (12-bit limb)
$b_0$	Input 2 (12-bit limb)
$b_1$	Input 2 (12-bit limb)
$b_2$	Input 2 (12-bit limb)
$c_0$	Output (12-bit limb)
$c_1$	Output (12-bit limb)
$c_2$	Output (12-bit limb)
$c_3$	Output (12-bit limb)
$c_4$	Output (12-bit limb)

There are also 5 helper value cells: $h_0$ through $h_{4}$.

Instruction Trace

Each instruction is encoded as 6 field elements

Core

Mnemonic	Operands(asm)	Encoded
LW / LOAD32	a(fp), c(fp)	$\text{OP}_{LW}$, $a$, _, $c$, $0$, $0$
SW / STORE32	b(fp), c(fp)	$\text{OP}_{SW}$, _, $b$, $c$, $0$, $0$
JAL	a(fp), b, c	$\text{OP}_{jump}$, $a$, $b$, $c$, $1$, $1$
JALV	a(fp), b(fp), c	$\text{OP}_{jump}$, $a$, $b$, $c$, $0$, $1$
BEQ	a, b(fp), c(fp)	$\text{OP}_{branch}$, $a$, $b$, $c$, $0$, $0$
BEQI	a, b(fp), c	$\text{OP}_{branch}$, $a$, $b$, $c$, $0$, $1$
BNE	a, b(fp), c(fp)	$\text{OP}_{branch}$, $a$, $b$, $c$, $1$, $0$
BNEI	a, b(fp), c	$\text{OP}_{branch}$, $a$, $b$, $c$, $1$, $1$
IMM32	a, b, c, d, e	$\text{OP}_{IMM}$, $a$, $b$, $c$, $d$, $e$
READ_ADVICE	a(fp)	OP_{READ_ADVICE}, a, 0, 0, 0, 0
STOP	No operands	OP_STOP, 0, 0, 0, 0, 0
LOADFP	a(fp), b	OP_LOADFP, a, b, 0, 0, 0

Field arithmetic

Mnemonic	Operands(asm)	Encoded
FEADD	a(fp), b(fp), c(fp)	$\text{OP}_{FEADD}$, $a$, $b$, $c$, 0, 0
FEADDI	a(fp), b(fp), c	$\text{OP}_{FEADD}$, $a$, $b$, $c$, 0, 1
FEMUL	a(fp), b(fp), c(fp)	$\text{OP}_{FEMUL}$, $a$, $b$, $c$, 0, 0
FEMULI	a(fp), b(fp), c	OP_FEMULI, a, b, c, 0, 1
TO_FE	a(fp), b(fp)	OP_{TO_FE}, a, b, 0, 0, 0
FROM_FE	a(fp), b(fp)	OP_{FROM_FE}, a, b, 0, 0, 0

U32 Arithmetic

Mnemonic	Operands(asm)	Encoded
ADD	a(fp), b(fp), c(fp)	$\text{OP}_{ADD}$, $a$, $b$, $c$, $0$, $0$
ADDI	a(fp), b(fp), c	$\text{OP}_{ADD}$, $a$, $b$, $c_0$, $1$, $c_1$
SUB	a(fp), b(fp), c(fp)	$\text{OP}_{SUB}$, $a$, $b$, $c$, $0$, $0$
SUBI	a(fp), b(fp), c	$\text{OP}_{SUB}$, $a$, $b$, $c_1$, $1$, $c_2$
MUL	a(fp), b(fp), c(fp)	$\text{OP}_{MUL}$, $a$, $b$, $c$, $0$, $0$
MULI	a(fp), b(fp), c	$\text{OP}_{MUL}$, $a$, $b$, $c_1$, $1$, $c_2$
DIV	a(fp), b(fp), c(fp)	$\text{OP}_{MUL}$, $a$, $b$, $c$, $0$, $0$
SH{L,R}	a(fp), b(fp), c(fp)	$\text{OP}_{SHIFT}$, $a$, $b$, $c$, $0$, $0$
SH{L,R}I	a(fp), b(fp), c	$\text{OP}_{SHIFT}$, $a$, $b$, $c$, $0$, $1$
ISH{L,R}	a(fp), b, c(fp)	$\text{OP}_{SHIFT}$, $a$, $b$, $c$, $0$, $1$
SLT	a(fp), b(fp), c(fp)	$\text{OP}_{SLT}$, $a$, $b$, $c$, $0$, $0$
SLT	a(fp), b(fp), c	$\text{OP}_{SLT}$, $a$, $b$, $c$, $0$, $1$

Bitwise

Mnemonic	Operands(asm)	Encoded
AND	a(fp), b(fp), c(fp)	$\text{OP}_{AND}$, $a$, $b$, $c$, $0$, _
OR	a(fp), b(fp), c(fp)	$\text{OP}_{OR}$, $a$, $b$, $c$, $0$, _
XOR	a(fp), b(fp), c(fp)	$\text{OP}_{XOR}$, $a$, $b$, $c$, $0$, _

Instruction decoding

Trace cells are also allocated for each selector. In each cycle, the opcode is decoded into selector flags, including but not limited to the following, which are grouped by type (not configuration) below for convenience. All flags are binary values, except for the instruction code.

Instruction code

Selector	Configuration	Description
$s_\text{instr}$	Core	Instruction code

Operand modifiers

Selector	Configuration	Description
$s_{\text{imm}_a}$	Core	Immediate value flag for operand $a$ ($0$ denotes offset, $1$ denotes immediate value)
$s_{\text{imm}_b}$	Core	Immediate value flag for operand $b$ ($0$ denotes offset, $1$ denotes immediate value)

Field arithmetic

Selector	Configuration	Description
$s_\text{add}$	Field Arithmetic	Addition
$s_\text{mul}$	Field Arithmetic	Multiplication

Memory

Selector	Configuration	Description
$s_\text{store32}$	Core	Store 4 bytes at at a memory address
$s_\text{load32}$	Core	Load 4 bytes from a memory address
$s_\text{store8}$	Core	Store a byte at a memory address
$s_\text{load8}$	Core	Load a byte from a memory address

Call

Selector	Configuration	Description
$s_\text{call}$	Core	Update the frame pointer

Jumps

Selector	Configuration	Description
s_\text{jump_eq}	Core	Jump equal flag
s_\text{jump_neq}	Additional Jumps	Jump not equal flag
s_\text{jump_ge}	Additional Jumps	Jump greater than or equal to flag
s_\text{jump_lt}	Additional Jumps	Jump less than flag

U32 arithmetic

Selector	Configuration	Description
s_\text{u32_add}	U32 Arithmetic
s_\text{u32_sub}	U32 Arithmetic
s_\text{u32_mul}	U32 Arithmetic
s_\text{u32_div}	U32 Arithmetic
s_\text{u32_checked_add}	U32 Arithmetic
s_\text{u32_checked_mul}	U32 Arithmetic

Binary operations

Selector	Configuration	Description
s_\text{bitwise_and}	Bitwise
s_\text{bitwise_or}	Bitwise
s_\text{bitwise_xor}	Bitwise

Design notes

Frontend target

We are writing a compiler from LLVM IR to our ISA.

ZK stack

This is a STARK-based zkVM. We are using Plonky3 to implement the polynomial IOP and PCS.

Field choice

We plan to use the 32-bit field defined by p = 2^31 - 1, which should give very good performance on GPUs or with most vector instruction sets.

Registers

Our VM has no general purpose registers, since memory is cheap.

Memory

We will use a conventional R/W memory.

Tables

The CPU can do up to three memory operations per cycle, to support binary operations involving two reads and one write.

If we used a single-trace model, we could support this by adding columns for 6 memory operations in each row of our trace: 3 for the chronological memory log and 3 for the (address, timestamp) ordered memory log.

Instead, we make the memory a separate table (i.e. a separate STARK which gets connected with a permutation argument). We also use multi-table support to implement other coprocessors that are wasteful to include in the main CPU, as their operations may not be used during most cycles (e.g. Keccak).

Continuations

TODO: Explain the permutation-based continuation implementation.

Lookups

Initially, we will support lookups only against prover-supplied tables. The main use case is range checks. To perform a 16-bit range check, for example, we would have the prover send a table containing [0 .. 2^16 - 1] in order. (If the trace was not already 2^16, we would pad it. If it was longer than 2^16, the prover would include some duplicates.) We would then use constraints to enforce that this table starts at 0, ends at 2^16 - 1, and increments by 0 or 1.

Preprocessed tables can also be useful, particularly for bitwise operations like xor. However, we will not support them initially because they require non-succinct preprocessing.

Floating point arithmetic

Fast floating point arithmetic doesn't seem important for our anticipated use cases, so we do not plan to support compiling source programs which use floating point primitives.