Miden VM decoder AIR constraints

In this section we describe AIR constraint for Miden VM program decoder. These constraints enforce that the execution trace generated by the prover when executing a particular program complies with the rules described in the previous section.

To refer to decoder execution trace columns, we use the names shown on the diagram below (these are the same names as in the previous section). Additionally, we denote the register containing the value at the top of the stack as $s_{0}$ .

air_decoder_columns

We assume that the VM exposes a flag per operation which is set to $1$ when the operation is executed, and to $0$ otherwise. The notation for such flags is $f_{o p nam e}$ . For example, when the VM executes a PUSH operation, flag $f_{p u s h} = 1$ . All flags are mutually exclusive - i.e., when one flag is set to $1$ all other flags are set to $0$ . The flags are computed based on values in op_bits columns.

AIR constraints for the decoder involve operations listed in the table below. For each operation we also provide the degree of the corresponding flag and the effect that the operation has on the operand stack (however, in this section we do not cover the constraints needed to enforce the correct transition of the operand stack).

Operation	Flag	Degree	Effect on stack
`JOIN`	$f_{j o in}$	5	Stack remains unchanged.
`SPLIT`	$f_{s pl i t}$	5	Top stack element is dropped.
`LOOP`	$f_{l oo p}$	5	Top stack element is dropped.
`REPEAT`	$f_{re p e a t}$	4	Top stack element is dropped.
`SPAN`	$f_{s p an}$	5	Stack remains unchanged.
`RESPAN`	$f_{res p an}$	4	Stack remains unchanged.
`DYN`	$f_{d y n}$	5	Stack remains unchanged.
`CALL`	$f_{c a ll}$	4	Stack remains unchanged.
`SYSCALL`	$f_{sysc a ll}$	4	Stack remains unchanged.
`END`	$f_{e n d}$	4	When exiting a loop block, top stack element is dropped; otherwise, the stack remains unchanged.
`HALT`	$f_{ha lt}$	4	Stack remains unchanged.
`PUSH`	$f_{p u s h}$	4	An immediate value is pushed onto the stack.

We also use the control flow flag $f_{c t r l}$ exposed by the VM, which is set when any one of the above control flow operations is being executed. It has degree $5$ .

As described previously, the general idea of the decoder is that the prover provides the program to the VM by populating some of cells in the trace non-deterministically. Values in these are then used to update virtual tables (represented via multiset checks) such as block hash table, block stack table etc. Transition constraints are used to enforce that the tables are updates correctly, and we also apply boundary constraints to enforce the correct initial and final states of these tables. One of these boundary constraints binds the execution trace to the hash of the program being executed. Thus, if the virtual tables were updated correctly and boundary constraints hold, we can be convinced that the prover executed the claimed program on the VM.

In the sections below, we describe constraints according to their logical grouping. However, we start out with a set of general constraints which are applicable to multiple parts of the decoder.

General constraints

When SPLIT or LOOP operation is executed, the top of the operand stack must contain a binary value:

$(f_{s pl i t} + f_{l oo p}) \cdot (s_{0}^{2} - s_{0}) = 0 | degree = 7$

When a DYN operation is executed, the hasher registers must all be set to $0$ :

$f_{d y n} \cdot (1 - h_{i}) = 0 for i \in [0, 8) | degree = 6$

When REPEAT operation is executed, the value at the top of the operand stack must be $1$ :

$f_{re p e a t} \cdot (1 - s_{0}) = 0 | degree = 5$

Also, when REPEAT operation is executed, the value in $h_{4}$ column (the is_loop_body flag), must be set to $1$ . This ensures that REPEAT operation can be executed only inside a loop:

$f_{re p e a t} \cdot (1 - h_{4}) = 0 | degree = 5$

When RESPAN operation is executed, we need to make sure that the block ID is incremented by $8$ :

$f_{res p an} \cdot (a^{'} - a - 8) = 0 | degree = 5$

When END operation is executed and we are exiting a loop block (i.e., is_loop, value which is stored in $h_{5}$ , is $1$ ), the value at the top of the operand stack must be $0$ :

$f_{e n d} \cdot h_{5} \cdot s_{0} = 0 | degree = 6$

Also, when END operation is executed and the next operation is REPEAT, values in $h_{0}, ..., h_{4}$ (the hash of the current block and the is_loop_body flag) must be copied to the next row:

$f_{e n d} \cdot f_{re p e a t}^{'} \cdot (h_{i}^{'} - h_{i}) = 0 for i \in [0, 5) | degree = 9$

A HALT instruction can be followed only by another HALT instruction:

$f_{ha lt} \cdot (1 - f_{ha lt}^{'}) = 0 | degree = 8$

When a HALT operation is executed, block address column must be $0$ :

$f_{ha lt} \cdot a = 0 | degree = 5$

Values in op_bits columns must be binary (i.e., either $1$ or $0$ ):

$b_{i}^{2} - b_{i} = 0 for i \in [0, 7) | degree = 2$

When the value in in_span column is set to $1$ , control flow operations cannot be executed on the VM, but when in_span flag is $0$ , only control flow operations can be executed on the VM:

$1 - s p - f_{c t r l} = 0 | degree = 5$

Block hash computation constraints

As described previously, when the VM starts executing a new block, it also initiates computation of the block's hash. There are two separate methodologies for computing block hashes.

For join, split, and loop blocks, the hash is computed directly from the hashes of the block's children. The prover provides these child hashes non-deterministically by populating registers $h_{0}, ..., h_{7}$ . For dyn, the hasher registers are populated with zeros, so the resulting hash is a constant value. The hasher is initialized using the hash chiplet, and we use the address of the hasher as the block's ID. The result of the hash is available $7$ rows down in the hasher table (i.e., at row with index equal to block ID plus $7$ ). We read the result from the hasher table at the time the END operation is executed for a given block.

For span blocks, the hash is computed by absorbing a linear sequence of instructions (organized into operation groups and batches) into the hasher and then returning the result. The prover provides operation batches non-deterministically by populating registers $h_{0}, ..., h_{7}$ . Similarly to other blocks, the hasher is initialized using the hash chiplet at the start of the block, and we use the address of the hasher as the ID of the first operation batch in the block. As we absorb additional operation batches into the hasher (by executing RESPAN operation), the batch address is incremented by $8$ . This moves the "pointer" into the hasher table $8$ rows down with every new batch. We read the result from the hasher table at the time the END operation is executed for a given block.

Chiplets bus constraints

The decoder communicates with the hash chiplet via the chiplets bus. This works by dividing values of the multiset check column $b_{c hi p}$ by the values of operations providing inputs to or reading outputs from the hash chiplet. A constraint to enforce this would look as $b_{c hi p}^{'} \cdot u = b_{c hi p}$ , where $u$ is the value which defines the operation.

In constructing value of $u$ for decoder AIR constraints, we will use the following labels (see here for an explanation of how values for these labels are computed):

$m_{b p}$ this label specifies that we are starting a new hash computation.
$m_{ab p}$ this label specifies that we are absorbing the next sequence of $8$ elements into an ongoing hash computation.
$m_{h o u t}$ this label specifies that we are reading the result of a hash computation.

To simplify constraint description, we define the following variables:

$h_{ini t} = α_{0} + α_{1} \cdot m_{b p} + α_{2} \cdot a^{'} + i = 0 \sum 7 (α_{i + 8} \cdot h_{i})$

In the above, $h_{ini t}$ can be thought of as initiating a hasher with address $a^{'}$ and absorbing $8$ elements from the hasher state ( $h_{0}, ..., h_{7}$ ) into it. Control blocks are always padded to fill the hasher rate and as such the $α_{4}$ (first capacity register) term is set to $0$ .

$h_{ab p} = α_{0} + α_{1} \cdot m_{ab p} + α_{2} \cdot a^{'} + i = 0 \sum 7 (α_{i + 8} \cdot h_{i})$

It should be noted that $a$ refers to a column in the decoder, as depicted. The addresses in this column are set using the address from the hasher chiplet for the corresponding hash initialization / absorption / return. In the case of $h_{ab p}$ the value of the address in column $a$ in the current row of the decoder is set to equal the value of the address of the row in the hasher chiplet where the previous absorption (or initialization) occurred. $a^{'}$ is the address of the next row of the decoder, which is set to equal the address in the hasher chiplet where the absorption referred to by the $h_{ab p}$ label is happening.

$h_{res} = α_{0} + α_{1} \cdot m_{h o u t} + α_{2} \cdot (a + 7) + i = 0 \sum 3 (α_{i + 8} \cdot h_{i})$

In the above, $a$ represents the address value in the decoder which corresponds to the hasher chiplet address at which the hasher was initialized (or the last absorption took place). As such, $a + 7$ corresponds to the hasher chiplet address at which the result is returned.

$f_{c t r l i} = f_{j o in} + f_{s pl i t} + f_{l oo p} + f_{d y n} + f_{c a ll} | degree = 5$

In the above, $f_{c t r l i}$ is set to $1$ when a control flow operation that signifies the initialization of a control block is being executed on the VM. Otherwise, it is set to $0$ . An exception is made for the SYSCALL operation. Although it also signifies the initialization of a control block, it must additionally send a procedure access request to the kernel ROM chiplet via the chiplets bus. Therefore, it is excluded from this flag and its communication with the chiplets bus is handled separately.

$d = b = 0 \sum 6 (b_{i} \cdot 2^{i})$

In the above, $d$ represents the opcode value of the opcode being executed on the virtual machine. It is calculated via a bitwise combination of the op bits. We leverage the opcode value to achieve domain separation when hashing control blocks. This is done by populating the second capacity register of the hasher with the value $d$ via the $α_{5}$ term when initializing the hasher.

Using the above variables, we define operation values as described below.

When a control block initializer operation (JOIN, SPLIT, LOOP, DYN, CALL, SYSCALL) is executed, a new hasher is initialized and the contents of $h_{0}, ..., h_{7}$ are absorbed into the hasher. As mentioned above, the opcode value $d$ is populated in the second capacity resister via the $α_{5}$ term.

$u_{c t r l i} = f_{c t r l i} \cdot (h_{ini t} + α_{5} \cdot d) | degree = 6$

As mentioned previously, the value sent by the SYSCALL operation is defined separately, since in addition to communicating with the hash chiplet it must also send a kernel procedure access request to the kernel ROM chiplet. This value of this kernel procedure request is described by $k_{p roc}$ .

$k_{p roc} = α_{6} + α_{7} \cdot o p_{k ro m} + i = 0 \sum 3 (α_{i + 8} \cdot h_{i})$

In the above, $o p_{k ro m}$ is the unique operation label of the kernel procedure call operation. The values $h_{0}, h_{1}, h_{2}, h_{3}$ contain the root hash of the procedure being called, which is the procedure that must be requested from the kernel ROM chiplet.

$u_{sysc a ll} = f_{sysc a ll} \cdot (h_{ini t} + α_{5} \cdot d) \cdot k_{p roc} | degree = 7$

The above value sends both the hash initialization request and the kernel procedure access request to the chiplets bus when the SYSCALL operation is executed.

When SPAN operation is executed, a new hasher is initialized and contents of $h_{0}, ..., h_{7}$ are absorbed into the hasher. The number of operation groups to be hashed is padded to a multiple of the rate width ( $8$ ) and so the $α_{4}$ is set to 0:

$u_{s p an} = f_{s p an} \cdot h_{ini t} | degree = 6$

When RESPAN operation is executed, contents of $h_{0}, ..., h_{7}$ (which contain the new operation batch) are absorbed into the hasher:

$u_{res p an} = f_{res p an} \cdot h_{ab p} | degree = 5$

When END operation is executed, the hash result is copied into registers $h_{0}, .., h_{3}$ :

$u_{e n d} = f_{e n d} \cdot h_{res} | degree = 5$

Using the above definitions, we can describe the constraint for computing block hashes as follows:

$b_{c hi p}^{'} \cdot (u_{c t r l i} + u_{sysc a ll} + u_{s p an} + u_{res p an} + u_{e n d} + 1 - (f_{c t r l i} + f_{sysc a ll} + f_{s p an} + f_{res p an} + f_{e n d})) = b_{c hi p}$

We need to add $1$ and subtract the sum of the relevant operation flags to ensure that when none of the flags is set to $1$ , the above constraint reduces to $b_{c hi p}^{'} = b_{c hi p}$ .

The degree of this constraint is $8$ .

Block stack table constraints

As described previously, block stack table keeps track of program blocks currently executing on the VM. Thus, whenever the VM starts executing a new block, an entry for this block is added to the block stack table. And when execution of a block completes, it is removed from the block stack table.

Adding and removing entries to/from the block stack table is accomplished as follows:

To add an entry, we multiply the value in column $p_{1}$ by a value representing a tuple (blk_id, prnt_id, is_loop). A constraint to enforce this would look as $p_{1}^{'} = p_{1} \cdot v$ , where $v$ is the value representing the row to be added.
To remove an entry, we divide the value in column $p_{1}$ by a value representing a tuple (blk_id, prnt_id, is_loop). A constraint to enforce this would look as $p_{1}^{'} \cdot u = p_{1}$ , where $u$ is the value representing the row to be removed.

Before describing the constraints for the block stack table, we first describe how we compute the values to be added and removed from the table for each operation. In the below, for block start operations (JOIN, SPLIT, LOOP, SPAN) $a$ refers to the ID of the parent block, and $a^{'}$ refers to the ID of the starting block. For END operation, the situation is reversed: $a$ is the ID of the ending block, and $a^{'}$ is the ID of the parent block. For RESPAN operation, $a$ refers to the ID of the current operation batch, $a^{'}$ refers to the ID of the next batch, and the parent ID for both batches is set by the prover non-deterministically in register $h_{1}$ .

When JOIN operation is executed, row $(a^{'}, a, 0)$ is added to the block stack table:

$v_{j o in} = f_{j o in} \cdot (α_{0} + α_{1} \cdot a^{'} + α_{2} \cdot a) | degree = 6$

When SPLIT operation is executed, row $(a^{'}, a, 0)$ is added to the block stack table:

$v_{s pl i t} = f_{s pl i t} \cdot (α_{0} + α_{1} \cdot a^{'} + α_{2} \cdot a) | degree = 6$

When LOOP operation is executed, row $(a^{'}, a, 1)$ is added to the block stack table if the value at the top of the operand stack is $1$ , and row $(a^{'}, a, 0)$ is added to the block stack table if the value at the top of the operand stack is $0$ :

$v_{l oo p} = f_{l oo p} \cdot (α_{0} + α_{1} \cdot a^{'} + α_{2} \cdot a + α_{3} \cdot s_{0}) | degree = 6$

When SPAN operation is executed, row $(a^{'}, a, 0)$ is added to the block stack table:

$v_{s p an} = f_{s p an} \cdot (α_{0} + α_{1} \cdot a^{'} + α_{2} \cdot a) | degree = 6$

When RESPAN operation is executed, row $(a, h_{1}^{'}, 0)$ is removed from the block stack table, and row $(a^{'}, h_{1}^{'}, 0)$ is added to the table. The prover sets the value of register $h_{1}$ at the next row to the ID of the parent block:

$u_{res p an} = f_{res p an} \cdot (α_{0} + α_{1} \cdot a + α_{2} \cdot h_{1}^{'}) | degree = 5 v_{res p an} = f_{res p an} \cdot (α_{0} + α_{1} \cdot a^{'} + α_{2} \cdot h_{1}^{'}) | degree = 5$

When a DYN operation is executed, row $(a^{'}, a, 0)$ is added to the block stack table:

$v_{d y n} = f_{d y n} \cdot (α_{0} + α_{1} \cdot a^{'} + α_{2} \cdot a) | degree = 6$

When END operation is executed, row $(a, a^{'}, h_{5})$ is removed from the block span table. Register $h_{5}$ contains the is_loop flag:

$u_{e n d} = f_{e n d} \cdot (α_{0} + α_{1} \cdot a + α_{2} \cdot a^{'} + α_{3} \cdot h_{5}) | degree = 5$

Using the above definitions, we can describe the constraint for updating the block stack table as follows:

$p_{1}^{'} \cdot (u_{e n d} + u_{res p an} + 1 - (f_{e n d} + f_{res p an})) = p_{1} \cdot (v_{j o in} + v_{s pl i t} + v_{l oo p} + v_{s p an} + v_{res p an} + v_{d y n} + 1 - (f_{j o in} + f_{s pl i t} + f_{l oo p} + f_{s p an} + f_{res p an} + f_{d y n}))$

We need to add $1$ and subtract the sum of the relevant operation flags from each side to ensure that when none of the flags is set to $1$ , the above constraint reduces to $p_{1}^{'} = p_{1}$ .

The degree of this constraint is $7$ .

In addition to the above transition constraint, we also need to impose boundary constraints against the $p_{1}$ column to make sure the first and the last value in the column is set to $1$ . This enforces that the block stack table starts and ends in an empty state.

Block hash table constraints

As described previously, when the VM starts executing a new program block, it adds hashes of the block's children to the block hash table. And when the VM finishes executing a block, it removes the block's hash from the block hash table. This means that the block hash table gets updated when we execute the JOIN, SPLIT, LOOP, REPEAT, DYN, and END operations (executing SPAN operation does not affect the block hash table because a span block has no children).

Adding and removing entries to/from the block hash table is accomplished as follows:

To add an entry, we multiply the value in column $p_{2}$ by a value representing a tuple (prnt_id, block_hash, is_first_child, is_loop_body). A constraint to enforce this would look as $p_{2}^{'} = p_{2} \cdot v$ , where $v$ is the value representing the row to be added.
To remove an entry, we divide the value in column $p_{2}$ by a value representing a tuple (prnt_id, block_hash, is_first_child, is_loop_body). A constraint to enforce this would look as $p_{2}^{'} \cdot u = p_{2}$ , where $u$ is the value representing the row to be removed.

To simplify constraint descriptions, we define values representing left and right children of a block as follows:

$c h_{1} = α_{0} + α_{1} \cdot a^{'} + i = 0 \sum 3 (α_{i + 2} \cdot h_{i}) | degree = 1 c h_{2} = α_{0} + α_{1} \cdot a^{'} + i = 0 \sum 3 (α_{i + 2} \cdot h_{i + 4}) | degree = 1$

Graphically, this looks like so:

air_decoder_left_right_child

In a similar manner, we define a value representing the result of hash computation as follows:

$bh = α_{0} + α_{1} \cdot a + i = 0 \sum 3 (α_{i + 2} \cdot h_{i}) + α_{7} \cdot h_{4} | degree = 1$

Note that in the above we use $a$ (block address from the current row) rather than $a^{'}$ (block address from the next row) as we did for for values of $c h_{1}$ and $c h_{2}$ . Also, note that we are not adding a flag indicating whether the block is the first child of a join block (i.e., $α_{6}$ term is missing). It will be added later on.

Using the above variables, we define row values to be added to and removed from the block hash table as follows.

When JOIN operation is executed, hashes of both child nodes are added to the block hash table. We add $α_{6}$ term to the first child value to differentiate it from the second child (i.e., this sets is_first_child to $1$ ):

$v_{j o in} = f_{j o in} \cdot (c h_{1} + α_{6}) \cdot c h_{2} | degree = 7$

When SPLIT operation is executed and the top of the stack is $1$ , hash of the true branch is added to the block hash table, but when the top of the stack is $0$ , hash of the false branch is added to the block hash table:

$v_{s pl i t} = f_{s pl i t} \cdot (s_{0} \cdot c h_{1} + (1 - s_{0}) \cdot c h_{2}) | degree = 7$

When LOOP operation is executed and the top of the stack is $1$ , hash of loop body is added to the block hash table. We add $α_{7}$ term to indicate that the child is a body of a loop. The below also means that if the top of the stack is $0$ , nothing is added to the block hash table as the expression evaluates to $0$ :

$v_{l oo p} = f_{l oo p} \cdot s_{0} \cdot (c h_{1} + α_{7}) | degree = 7$

When REPEAT operation is executed, hash of loop body is added to the block hash table. We add $α_{7}$ term to indicate that the child is a body of a loop:

$v_{re p e a t} = f_{re p e a t} \cdot (c h_{1} + α_{7}) | degree = 5$

When the DYN operation is executed, the hash of the dynamic child is added to the block hash table. Since the child is dynamically specified by the top four elements of the stack, the value representing the dyn block's child must be computed based on the stack rather than from the decoder's hasher registers:

$c h_{d y n} = α_{0} + α_{1} \cdot a^{'} + i = 0 \sum 3 (α_{i + 2} \cdot s_{3 - i}) | degree = 1$

$v_{d y n} = f_{d y n} \cdot c h_{d y n} | degree = 6$

When END operation is executed, hash of the completed block is removed from the block hash table. However, we also need to differentiate between removing the first and the second child of a join block. We do this by looking at the next operation. Specifically, if the next operation is neither END nor REPEAT we know that another block is about to be executed, and thus, we have just finished executing the first child of a join block. Thus, if the next operation is neither END nor REPEAT we need to set the term for $α_{6}$ coefficient to $1$ as shown below:

$u_{e n d} = f_{e n d} \cdot (bh + α_{6} \cdot (1 - (f_{e n d}^{'} + f_{re p e a t}^{'}))) | degree = 8$

Using the above definitions, we can describe the constraint for updating the block hash table as follows:

$p_{2}^{'} \cdot (u_{e n d} + 1 - f_{e n d}) = p_{2} \cdot (v_{j o in} + v_{s pl i t} + v_{l oo p} + v_{re p e a t} + v_{d y n} + 1 - (f_{j o in} + f_{s pl i t} + f_{l oo p} + f_{re p e a t} + f_{d y n}))$

We need to add $1$ and subtract the sum of the relevant operation flags from each side to ensure that when none of the flags is set to $1$ , the above constraint reduces to $p_{2}^{'} = p_{2}$ .

The degree of this constraint is $9$ .

In addition to the above transition constraint, we also need to set the following boundary constraints against the $p_{2}$ column:

The first value in the column represents a row for the entire program. Specifically, the row tuple would be (0, program_hash, 0, 0). This row should be removed from the table when the last END operation is executed.
The last value in the column is $1$ - i.e., the block hash table is empty.

Span block

Span block constraints ensure proper decoding of span blocks. In addition to the block stack table constraints and block hash table constraints described previously, decoding of span blocks requires constraints described below.

In-span column constraints

The in_span column (denoted as $s p$ ) is used to identify rows which execute non-control flow operations. The values in this column are set as follows:

Executing a SPAN operation sets the value of in_span column to $1$ .
The value remains $1$ until the END operation is executed.
If RESPAN operation is executed between SPAN and END operations, in the row at which RESPAN operation is executed in_span is set to $0$ . It is then reset to $1$ in the following row.
In all other cases, value in the in_span column should be $0$ .

The picture below illustrates the above rules.

air_decoder_in_spans_column_constraint

To enforce the above rules we need the following constraints.

When executing SPAN or RESPAN operation, the next value in $s p$ column must be set to $1$ :

$(f_{s p an} + f_{res p an}) \cdot (1 - s p^{'}) = 0 | degree = 6$

When the next operation is END or RESPAN, the next value in $s p$ column must be set $0$ .

$(f_{e n d}^{'} + f_{res p an}^{'}) \cdot s p^{'} = 0 | degree = 5$

In all other cases, the value in $s p$ column must be copied over to the next row:

$(1 - f_{s p an} - f_{res p an} - f_{e n d}^{'} - f_{res p an}^{'}) \cdot (s p^{'} - s p) = 0 | degree = 6$

Additionally, we will need to impose a boundary constraint which specifies that the first value in $s p = 0$ . Note, however, that we do not need to impose a constraint ensuring that values in $s p$ are binary - this will follow naturally from the above constraints.

Also, note that the combination of the above constraints makes it impossible to execute END or RESPAN operations right after SPAN or RESPAN operations.

Block address constraints

When we are inside a span block, values in block address columns (denoted as $a$ ) must remain the same. This can be enforced with the following constraint:

$s p \cdot (a^{'} - a) = 0 | degree = 2$

Notice that this constraint does not apply when we execute any of the control flow operations. For such operations, the prover sets the value of the $a$ column non-deterministically, except for the RESPAN operation. For the RESPAN operation the value in the $a$ column is incremented by $8$ , which is enforced by a constraint described previously.

Notice also that this constraint implies that when the next operation is the END operation, the value in the $a$ column must also be copied over to the next row. This is exactly the behavior we want to enforce so that when the END operation is executed, the block address is set to the address of the current span batch.

Group count constraints

The group_count column (denoted as $g c$ ) is used to keep track of the number of operation groups which remains to be executed in a span block.

In the beginning of a span block (i.e., when SPAN operation is executed), the prover sets the value of $g c$ non-deterministically. This value is subsequently decremented according to the rules described below. By the time we exit the span block (i.e., when END operation is executed), the value in $g c$ must be $0$ .

The rules for decrementing values in the $g c$ column are as follows:

The count cannot be decremented by more than $1$ in a single row.
When an operation group is fully executed (which happens when $h_{0} = 0$ inside a span block), the count is decremented by $1$ .
When SPAN, RESPAN, or PUSH operations are executed, the count is decremented by $1$ .

Note that these rules imply that PUSH operation cannot be the last operation in an operation group (otherwise the count would have to be decremented by $2$ ).

To simplify the description of the constraints, we will define the following variable:

$Δ g c = g c - g c^{'}$

Using this variable, we can describe the constraints against the $g c$ column as follows:

Inside a span block, group count can either stay the same or decrease by one:

$s p \cdot Δ g c \cdot (Δ g c - 1) = 0 | degree = 3$

When group count is decremented inside a span block, either $h_{0}$ must be $0$ (we consumed all operations in a group) or we must be executing PUSH operation:

$s p \cdot Δ g c \cdot (1 - f_{p u s h}) \cdot h_{0} = 0 | degree = 7$

Notice that the above constraint does not preclude $f_{p u s h} = 1$ and $h_{0} = 0$ from being true at the same time. If this happens, op group decoding constraints (described here) will force that the operation following the PUSH operation is a NOOP.

When executing a SPAN, a RESPAN, or a PUSH operation, group count must be decremented by $1$ :

$(f_{s p an} + f_{res p an} + f_{p u s h}) \cdot (Δ g c - 1) = 0 | degree = 6$

If the next operation is either an END or a RESPAN, group count must remain the same:

$Δ g c \cdot (f_{e n d}^{'} + f_{res p an}^{'}) = 0 | degree = 5$

When an END operation is executed, group count must be $0$ :

$f_{e n d} \cdot g c = 0 | degree = 5$

Op group decoding constraints

Inside a span block, register $h_{0}$ is used to keep track of operations to be executed in the current operation group. The value of this register is set by the prover non-deterministically at the time when the prover executes a SPAN or a RESPAN operation, or when processing of a new operation group within a batch starts. The picture below illustrates this.

air_decoder_op_group_constraint

In the above:

The prover sets the value of $h_{0}$ non-deterministically at row $0$ . The value is set to an operation group containing operations op0 through op8.
As we start executing the group, at every row we "remove" the least significant operation from the group. This can be done by subtracting opcode of the operation from the group, and then dividing the result by $2^{7}$ .
By row $9$ the group is fully executed. This decrements the group count and set op_index to $0$ (constraints against op_index column are described in the next section).
At row $10$ we start executing the next group with operations op9 through op11. In this case, the prover populates $h_{0}$ with the group having its first operation (op9) already removed, and sets the op_bits registers to the value encoding op9.
By row $12$ this group is also fully executed.

To simplify the description of the constraints, we define the following variables:

$o p = i = 0 \sum 6 (b_{i} \cdot 2^{i}) f_{s g c} = s p \cdot s p^{'} \cdot (1 - Δ g c)$

$o p$ is just an opcode value implied by the values in op_bits registers. $f_{s g c}$ is a flag which is set to $1$ when the group count within a span block does not change. We multiply it by $s p^{'}$ to make sure the flag is $0$ when we are about to end decoding of an operation batch. Note that $f_{s g c}$ flag is mutually exclusive with $f_{s p an}$ , $f_{res p an}$ , and $f_{p u s h}$ flags as these three operations decrement the group count.

Using these variables, we can describe operation group decoding constraints as follows:

When a SPAN, a RESPAN, or a PUSH operation is executed or when the group count does not change, the value in $h_{0}$ should be decremented by the value of the opcode in the next row.

$(f_{s p an} + f_{res p an} + f_{p u s h} + f_{s g c}) \cdot (h_{0} - h_{0}^{'} \cdot 2^{7} - o p^{'}) = 0 | degree = 6$

Notice that when the group count does change, and we are not executing $f_{s p an}$ , $f_{res p an}$ , or $f_{p u s h}$ operations, no constraints are placed against $h_{0}$ , and thus, the prover can populate this register non-deterministically.

When we are in a span block and the next operation is END or RESPAN, the current value in $h_{0}$ column must be $0$ .

$s p \cdot (f_{e n d}^{'} + f_{res p an}^{'}) \cdot h_{0} = 0 | degree = 6$

Op index constraints

The op_index column (denoted as $o x$ ) tracks index of an operation within its operation group. It is used to ensure that the number of operations executed per group never exceeds $9$ . The index is zero-based, and thus, the possible set of values for $o x$ is between $0$ and $8$ (both inclusive).

To simplify the description of the constraints, we will define the following variables:

$n g = Δ g c - f_{p u s h} Δ o x = o x^{'} - o x$

The value of $n g$ is set to $1$ when we are about to start executing a new operation group (i.e., group count is decremented but we did not execute a PUSH operation). Using these variables, we can describe the constraints against the $o x$ column as follows.

When executing SPAN or RESPAN operations the next value of op_index must be set to $0$ :

$(f_{s p an} + f_{res p an}) \cdot o x^{'} = 0 | degree = 6$

When starting a new operation group inside a span block, the next value of op_index must be set to $0$ . Note that we multiply by $s p$ to exclude the cases when the group count is decremented because of SPAN or RESPAN operations:

$s p \cdot n g \cdot o x^{'} = 0 | degree = 6$

When inside a span block but not starting a new operation group, op_index must be incremented by $1$ . Note that we multiply by $s p^{'}$ to exclude the cases when we are about to exit processing of an operation batch (i.e., the next operation is either END or RESPAN):

$s p \cdot s p^{'} \cdot (1 - n g) \cdot (Δ o x - 1) = 0 | degree = 7$

Values of op_index must be in the range $[0, 8]$ .

$i = 0 \prod 8 (o x - i) = 0 | degree = 9$

Op batch flags constraints

Operation batch flag columns (denoted $b c_{0}$ , $b c_{1}$ , and $b c_{2}$ ) are used to specify how many operation groups are present in an operation batch. This is relevant for the last batch in a span block (or the first batch if there is only one batch in a block) as all other batches should be completely full (i.e., contain 8 operation groups).

These columns are used to define the following 4 flags:

$f_{g 8} = b c_{0}$ : there are 8 operation groups in the batch.
$f_{g 4} = (1 - b c_{0}) \cdot b c_{1} \cdot b c_{2}$ : there are 4 operation groups in the batch.
$f_{g 2} = (1 - b c_{0}) \cdot (1 - b c_{1}) \cdot b c_{2}$ : there are 2 operation groups in the batch.
$f_{g 1} = (1 - b c_{0}) \cdot b c_{1} \cdot (1 - b c_{2})$ : there is only 1 operation groups in the batch.

Notice that the degree of $f_{g 8}$ is $1$ , while the degree of the remaining flags is $3$ .

These flags can be set to $1$ only when we are executing SPAN or RESPAN operations as this is when the VM starts processing new operation batches. Also, for a given flag we need to ensure that only the specified number of operations groups are present in a batch. This can be done with the following constraints.

All batch flags must be binary:

$b c_{i}^{2} - b c_{i} = 0 for i \in [0, 3) | degree = 2$

When SPAN or RESPAN operations is executed, one of the batch flags must be set to $1$ .

$(f_{s p an} + f_{res p an}) - (f_{g 1} + f_{g 2} + f_{g 4} + f_{g 8}) = 0 | degree = 5$

When we have at most 4 groups in a batch, registers $h_{4}, ..., h_{7}$ should be set to $0$ 's.

$(f_{g 1} + f_{g 2} + f_{g 4}) \cdot h_{i} = 0 for i \in [4, 8) | degree = 4$

When we have at most 2 groups in a batch, registers $h_{2}$ and $h_{3}$ should also be set to $0$ 's.

$(f_{g 1} + f_{g 2}) \cdot h_{i} = 0 for i \in 2, 3 | degree = 4$

When we have at most 1 groups in a batch, register $h_{1}$ should also be set to $0$ .

$f_{g 1} \cdot h_{1} = 0 | degree = 4$

Op group table constraints

Op group table is used to ensure that all operation groups in a given batch are consumed before a new batch is started (i.e., via a RESPAN operation) or the execution of a span block is complete (i.e., via an END operation). The op group table is updated according to the following rules:

When a new operation batch is started, we add groups from this batch to the table. To add a group to the table, we multiply the value in column $p_{3}$ by a value representing a tuple (batch_id, group_pos, group). A constraint to enforce this would look as $p_{3}^{'} = p_{3} \cdot v$ , where $v$ is the value representing the row to be added. Depending on the batch, we may need to add multiple groups to the table (i.e., $p_{3}^{'} = p_{3} \cdot v_{1} \cdot v_{2} \cdot v_{3} ...$ ). Flags $f_{g 1}$ , $f_{g 2}$ , $f_{g 4}$ , and $f_{g 8}$ are used to define how many groups to add.
When a new operation group starts executing or when an immediate value is consumed, we remove the corresponding group from the table. To do this, we divide the value in column $p_{3}$ by a value representing a tuple (batch_id, group_pos, group). A constraint to enforce this would look as $p_{3}^{'} \cdot u = p_{3}$ , where $u$ is the value representing the row to be removed.

To simplify constraint descriptions, we first define variables representing the rows to be added to and removed from the op group table.

When a SPAN or a RESPAN operation is executed, we compute the values of the rows to be added to the op group table as follows:

$v_{i} = α_{0} + α_{1} \cdot a^{'} + α_{2} \cdot (g c - i) + α_{3} \cdot h_{i} | degree = 1$

Where $i \in [1, 8)$ . Thus, $v_{1}$ defines row value for group in $h_{1}$ , $v_{2}$ defines row value for group $h_{2}$ etc. Note that batch address column comes from the next row of the block address column ( $a^{'}$ ).

We compute the value of the row to be removed from the op group table as follows:

$u = α_{0} + α_{1} \cdot a + α_{2} \cdot g c + α_{3} \cdot ((h_{0}^{'} \cdot 2^{7} + o p^{'}) \cdot (1 - f_{p u s h}) + s_{0}^{'} \cdot f_{p u s h}) | degree = 5$

In the above, the value of the group is computed as $(h_{0}^{'} \cdot 2^{7} + o p^{'}) \cdot (1 - f_{p u s h}) + s_{0}^{'} \cdot f_{p u s h}$ . This basically says that when we execute a PUSH operation we need to remove the immediate value from the table. This value is at the top of the stack (column $s_{0}$ ) in the next row. However, when we are not executing a PUSH operation, the value to be removed is an op group value which is a combination of values in $h_{0}$ and op_bits columns (also in the next row). Note also that value for batch address comes from the current value in the block address column ( $a$ ), and the group position comes from the current value of the group count column ( $g c$ ).

We also define a flag which is set to $1$ when a group needs to be removed from the op group table.

$f_{d g} = s p \cdot Δ g c$

The above says that we remove groups from the op group table whenever group count is decremented. We multiply by $s p$ to exclude the cases when the group count is decremented due to SPAN or RESPAN operations.

Using the above variables together with flags $f_{g 2}$ , $f_{g 4}$ , $f_{g 8}$ defined in the previous section, we describe the constraint for updating op group table as follows (note that we do not use $f_{g 1}$ flag as when a batch consists of a single group, nothing is added to the op group table):

$p_{3}^{'} \cdot (f_{d g} \cdot u + 1 - f_{d g}) = p_{3} \cdot (f_{g 2} \cdot v_{1} + f_{g 4} \cdot i = 1 \prod 3 v_{i} + f_{g 8} \cdot i = 1 \prod 7 v_{i} - 1 + (f_{s p an} + f_{res p an}))$

The above constraint specifies that:

When SPAN or RESPAN operations are executed, we add between $1$ and $7$ groups to the op group table.
When group count is decremented inside a span block, we remove a group from the op group table.

The degree of this constraint is $9$ .

In addition to the above transition constraint, we also need to impose boundary constraints against the $p_{3}$ column to make sure the first and the last value in the column is set to $1$ . This enforces that the op group table table starts and ends in an empty state.

Polygon Miden VM