starkware-libs · ilyalesokhin-starkware · Apr 29, 2026
diff --git a/crates/cairo_verifier/src/privacy_test.rs b/crates/cairo_verifier/src/privacy_test.rs
@@ -46,6 +46,7 @@ fn verify_circuit_proof(
         config: circuit_proof.pcs_config,
         output_addresses: preprocessed_circuit.params.output_addresses.clone(),
         n_blake_gates: preprocessed_circuit.params.n_blake_gates,
+        n_blake_compress: preprocessed_circuit.params.n_blake_compress,
         preprocessed_column_ids: preprocessed_circuit.preprocessed_trace.ids(),
         preprocessed_column_log_sizes: preprocessed_circuit.preprocessed_trace.log_sizes(),
         preprocessed_root,
@@ -240,6 +241,7 @@ fn test_privacy_proof_info() {
         config: pcs_config,
         output_addresses: preprocessed_circuit.params.output_addresses.clone(),
         n_blake_gates: preprocessed_circuit.params.n_blake_gates,
+        n_blake_compress: preprocessed_circuit.params.n_blake_compress,
         preprocessed_column_ids: preprocessed_circuit.preprocessed_trace.ids(),
         preprocessed_column_log_sizes: preprocessed_circuit.preprocessed_trace.log_sizes(),
         preprocessed_root,
@@ -248,15 +250,8 @@ fn test_privacy_proof_info() {
         output_values: vec![QM31::zero(); preprocessed_circuit.params.output_addresses.len()],
     };
     let mut context = Context::<NoValue>::default();
-    let statement = CircuitStatement::new(
-        &mut context,
-        &circuit_config.output_addresses,
-        &public_data.output_values,
-        circuit_config.n_blake_gates,
-        circuit_config.preprocessed_column_ids.clone(),
-        circuit_config.preprocessed_column_log_sizes.clone(),
-        circuit_config.preprocessed_root,
-    );
+    let statement =
+        CircuitStatement::new(&mut context, &circuit_config, &public_data.output_values);
 
     let enabled_bits = vec![true; all_circuit_components::<NoValue>().len()];
     let proof_config = ProofConfig::new(
@@ -269,5 +264,5 @@ fn test_privacy_proof_info() {
     let proof_info = ProofInfo::from_config(&proof_config);
     println!("{proof_info}");
     // Assert the total size in bytes.
-    assert_eq!(proof_info.total_bytes(), 347360);
+    assert_eq!(proof_info.total_bytes(), 347344);
 }
diff --git a/crates/cairo_verifier/src/statement.rs b/crates/cairo_verifier/src/statement.rs
@@ -145,6 +145,7 @@ pub struct CairoStatement<Value: IValue> {
     pub packed_outputs: Simd,
     pub preprocessed_root: HashValue<QM31>,
     pub preprocessed_trace_variant: PreProcessedTraceVariant,
+    pub component_log_sizes: Simd,
 }
 
 impl<Value: IValue> CairoStatement<Value> {
@@ -261,21 +262,29 @@ impl<Value: IValue> CairoStatement<Value> {
 }
 
 impl<Value: IValue> CairoStatement<Value> {
+    /// `public_claim` is the flat public claim laid out as:
+    /// `[public_data (PUBLIC_DATA_LEN + outputs.len() + program.len() M31s) | component_log_sizes
+    /// (components.len() M31s)]`.
     pub fn new(
         context: &mut Context<Value>,
-        public_data: Vec<M31>,
+        public_claim: Vec<M31>,
         outputs: Vec<[M31; MEMORY_VALUES_LIMBS]>,
         program: Arc<[[M31; MEMORY_VALUES_LIMBS]]>,
         components: IndexMap<&'static str, Box<dyn CircuitEval<Value>>>,
         preprocessed_root: HashValue<QM31>,
         preprocessed_trace_variant: PreProcessedTraceVariant,
     ) -> Self {
-        let packed_public_data = pack_into_qm31s(public_data.iter().cloned())
+        let n_components = components.len();
+        let public_data_len = PUBLIC_DATA_LEN + outputs.len() + program.len();
+        assert_eq!(public_claim.len(), public_data_len + n_components);
+        let (public_data_m31s, log_sizes_m31s) = public_claim.split_at(public_data_len);
+
+        let packed_public_data = pack_into_qm31s(public_data_m31s.iter().cloned())
             .into_iter()
             .map(|qm31| Value::from_qm31(qm31).guess(context))
             .collect_vec();
 
-        let packed_public_data = Simd::from_packed(packed_public_data, public_data.len());
+        let packed_public_data = Simd::from_packed(packed_public_data, public_data_m31s.len());
         // Note that we don't enforce anything on the padding M31 in packed_public_data.
         let unpacked_simd = Simd::unpack(context, &packed_public_data);
 
@@ -289,12 +298,19 @@ impl<Value: IValue> CairoStatement<Value> {
             .collect_vec();
         let packed_outputs = Simd::from_packed(packed_outputs, n_outputs * MEMORY_VALUES_LIMBS);
 
+        let packed_log_sizes = pack_into_qm31s(log_sizes_m31s.iter().cloned())
+            .into_iter()
+            .map(|qm31| Value::from_qm31(qm31).guess(context))
+            .collect_vec();
+        let component_log_sizes = Simd::from_packed(packed_log_sizes, n_components);
+
         Self {
             packed_public_data,
             public_data,
             program,
             packed_outputs,
             components,
+            component_log_sizes,
             preprocessed_root,
             preprocessed_trace_variant,
         }
@@ -306,13 +322,18 @@ impl<Value: IValue> Statement<Value> for CairoStatement<Value> {
         &self.components
     }
 
+    fn get_component_log_sizes(&self) -> &Simd {
+        &self.component_log_sizes
+    }
+
     fn claims_to_mix(&self, context: &mut Context<Value>) -> Vec<Vec<Var>> {
         let Self {
             components: _components,
             packed_public_data,
             public_data: _public_data,
             program,
             packed_outputs,
+            component_log_sizes: _component_log_sizes,
             preprocessed_root: _preprocessed_root,
             preprocessed_trace_variant: _preprocessed_trace_variant,
         } = self;

diff --git a/crates/cairo_verifier/src/test.rs b/crates/cairo_verifier/src/test.rs
@@ -53,7 +53,7 @@ pub fn verify_cairo_with_component_set(
     cairo_proof: &CairoProof<Blake2sM31MerkleHasher>,
     component_set: HashSet<&str>,
 ) -> Result<Context<QM31>, String> {
-    let FlatClaim { component_enable_bits, component_log_sizes: _, public_data: _ } =
+    let FlatClaim { component_enable_bits, component_log_sizes, public_data: _ } =
         cairo_proof.claim.flatten_claim();
     let components: indexmap::IndexMap<&'static str, Box<dyn CircuitEval<QM31>>> =
         zip_eq(all_components::<QM31>().into_iter(), &component_enable_bits)
@@ -80,7 +80,8 @@ pub fn verify_cairo_with_component_set(
     );
 
     let (proof, public_data) = prepare_cairo_proof_for_circuit_verifier(cairo_proof, &proof_config);
-    let (public_claim, outputs, program) = public_data.pack_into_u32s();
+    let (mut public_claim, outputs, program) = public_data.pack_into_u32s();
+    public_claim.extend(component_log_sizes);
     let outputs = outputs
         .chunks_exact(MEMORY_VALUES_LIMBS)
         .map(|chunk| array::from_fn(|i| M31::from_u32_unchecked(chunk[i])))
@@ -112,25 +113,27 @@ fn test_verify() {
     let mut novalue_context = Context::<NoValue>::default();
     let output_len = 1;
     let program_len = 128;
-    let flat_claim = vec![M31::zero(); PUBLIC_DATA_LEN + output_len + program_len];
     let outputs = vec![[M31::zero(); MEMORY_VALUES_LIMBS]; output_len];
     let program: Arc<[[M31; MEMORY_VALUES_LIMBS]]> =
         std::iter::repeat_n([M31::zero(); MEMORY_VALUES_LIMBS], program_len).collect();
-    let components = all_components();
-    let mut statement = CairoStatement::new(
+    // Remove the pedersen points table component since it requires long preprocessed columns, which
+    // are not supported.
+    let pedersen_points_index =
+        all_components::<NoValue>().get_full("pedersen_points_table_window_bits_18").unwrap().0;
+    let mut components = all_components();
+    components.shift_remove("pedersen_points_table_window_bits_18");
+
+    let public_claim =
+        vec![M31::zero(); PUBLIC_DATA_LEN + output_len + program_len + components.len()];
+    let statement = CairoStatement::new(
         &mut novalue_context,
-        flat_claim,
+        public_claim,
         outputs,
         program,
         components,
         get_preprocessed_root(20 + pcs_config.fri_config.log_blowup_factor),
         PreProcessedTraceVariant::CanonicalSmall,
     );
-    // Remove the pedersen points table component since it requires long preprocessed columns, which
-    // are not supported.
-    let pedersen_points_index =
-        all_components::<NoValue>().get_full("pedersen_points_table_window_bits_18").unwrap().0;
-    statement.components.shift_remove("pedersen_points_table_window_bits_18");
 
     let mut enabled_bits = vec![true; all_components::<NoValue>().len()];
     enabled_bits[pedersen_points_index] = false;

diff --git a/crates/cairo_verifier/src/verify.rs b/crates/cairo_verifier/src/verify.rs
@@ -10,10 +10,8 @@ use circuits::context::{Context, TraceContext};
 use circuits::ivalue::{IValue, NoValue};
 use circuits::ops::Guess;
 use circuits_stark_verifier::constraint_eval::CircuitEval;
-use circuits_stark_verifier::proof::{Claim, Proof, ProofConfig, empty_proof};
-use circuits_stark_verifier::proof_from_stark_proof::{
-    pack_component_log_sizes, proof_from_stark_proof,
-};
+use circuits_stark_verifier::proof::{Proof, ProofConfig, empty_proof};
+use circuits_stark_verifier::proof_from_stark_proof::proof_from_stark_proof;
 use circuits_stark_verifier::verify::verify;
 use indexmap::IndexMap;
 use itertools::{Itertools, zip_eq};
@@ -139,13 +137,14 @@ pub fn build_cairo_verifier_circuit(verifier_config: &CairoVerifierConfig) -> Co
 
     let n_outputs = verifier_config.n_outputs;
     let program_len = verifier_config.program.len();
-    let public_data = vec![M31::zero(); PUBLIC_DATA_LEN + n_outputs + program_len];
+    let n_components = components.len();
+    let public_claim = vec![M31::zero(); PUBLIC_DATA_LEN + n_outputs + program_len + n_components];
     let outputs = vec![[M31::zero(); MEMORY_VALUES_LIMBS]; n_outputs];
 
     let mut context = Context::<NoValue>::default();
     let statement = CairoStatement::<NoValue>::new(
         &mut context,
-        public_data,
+        public_claim,
         outputs,
         verifier_config.program.clone(),
         components,
@@ -181,15 +180,10 @@ pub fn prepare_cairo_proof_for_circuit_verifier(
     debug_assert_eq!(component_log_sizes.len(), proof_config.n_components());
     debug_assert_eq!(claimed_sums.len(), proof_config.n_components());
 
-    let claim = Claim {
-        packed_component_log_sizes: pack_component_log_sizes(&component_log_sizes),
-        claimed_sums,
-    };
-
     let proof = proof_from_stark_proof(
         extended_stark_proof,
         proof_config,
-        claim,
+        claimed_sums,
         *interaction_pow,
         *channel_salt,
     );

diff --git a/crates/circuit_common/src/lib.rs b/crates/circuit_common/src/lib.rs
@@ -9,6 +9,10 @@ pub struct CircuitParams {
     pub trace_log_size: u32,
     pub first_permutation_row: usize,
     pub n_blake_gates: usize,
+    /// Total number of blake compression blocks across all blake gates, after padding to a
+    /// multiple of `N_LANES` (but not yet to a power of two). Equals `sum(gate.input.len())`
+    /// over the padded gates.
+    pub n_blake_compress: usize,
     pub output_addresses: Vec<usize>,
 }
 

diff --git a/crates/circuit_common/src/preprocessed.rs b/crates/circuit_common/src/preprocessed.rs
@@ -556,10 +556,12 @@ impl PreprocessedCircuit {
         let blake_g_log_size = log_n_blake_updates + 7;
         let trace_log_size = std::cmp::max(max_pp_trace_log_size, blake_g_log_size);
 
+        let n_blake_compress: usize = circuit.blake.iter().map(|gate| gate.input.len()).sum();
         let params = CircuitParams {
             trace_log_size,
             first_permutation_row: qm31_ops_trace_generator.first_permutation_row,
             n_blake_gates: circuit.blake.len(),
+            n_blake_compress,
             output_addresses: circuit.output.iter().map(|out| out.in0).collect(),
         };
 

diff --git a/crates/circuit_prover/src/prover.rs b/crates/circuit_prover/src/prover.rs
@@ -8,13 +8,11 @@ use circuit_common::preprocessed::PreprocessedCircuit;
 use circuit_verifier::circuit_claim::{
     CircuitClaim, CircuitInteractionClaim, CircuitInteractionElements, lookup_sum,
 };
-use circuit_verifier::statement::INTERACTION_POW_BITS;
+use circuit_verifier::statement::{INTERACTION_POW_BITS, component_log_sizes};
 use circuit_verifier::verify::CircuitPublicData;
 use circuits_stark_verifier::proof::Proof;
-use circuits_stark_verifier::proof::{Claim, ProofConfig};
-use circuits_stark_verifier::proof_from_stark_proof::{
-    pack_component_log_sizes, proof_from_stark_proof,
-};
+use circuits_stark_verifier::proof::ProofConfig;
+use circuits_stark_verifier::proof_from_stark_proof::proof_from_stark_proof;
 use itertools::chain;
 use num_traits::Zero;
 use stwo::core::air::Component;
@@ -156,7 +154,13 @@ where
     SimdBackend: stwo::prover::backend::BackendForChannel<MC>,
 {
     let PreprocessedCircuit { preprocessed_trace, params } = preprocessed_circuit;
-    let CircuitParams { first_permutation_row, n_blake_gates, output_addresses, .. } = params;
+    let CircuitParams {
+        first_permutation_row,
+        n_blake_gates,
+        n_blake_compress,
+        output_addresses,
+        ..
+    } = params;
     let trace_generator = TraceGenerator {
         qm31_ops_trace_generator: Qm31OpsTraceGenerator {
             first_permutation_row: *first_permutation_row,
@@ -191,6 +195,13 @@ where
         &trace_generator,
         twiddles,
     );
+
+    let expected_log_sizes = component_log_sizes(
+        *n_blake_compress,
+        &preprocessed_trace.ids(),
+        &preprocessed_trace.log_sizes(),
+    );
+    assert_eq!(claim.log_sizes, expected_log_sizes);
     claim.mix_into(channel);
     tree_builder.commit(channel);
 
@@ -263,15 +274,12 @@ pub fn prepare_circuit_proof_for_circuit_verifier(
 
     let public_data = CircuitPublicData { output_values: claim.output_values.clone() };
 
-    let claim = Claim {
-        packed_component_log_sizes: pack_component_log_sizes(&claim.log_sizes),
-        claimed_sums: interaction_claim.claimed_sums.to_vec(),
-    };
+    let claimed_sums = interaction_claim.claimed_sums.to_vec();
 
     let proof = proof_from_stark_proof(
         &stark_proof,
         proof_config,
-        claim,
+        claimed_sums,
         interaction_pow_nonce,
         channel_salt,
     );

diff --git a/crates/circuit_prover/src/prover_test.rs b/crates/circuit_prover/src/prover_test.rs
@@ -251,6 +251,7 @@ fn circuit_verify(
         config: circuit_proof.pcs_config,
         output_addresses: preprocessed_circuit.params.output_addresses.clone(),
         n_blake_gates: preprocessed_circuit.params.n_blake_gates,
+        n_blake_compress: preprocessed_circuit.params.n_blake_compress,
         preprocessed_column_ids: preprocessed_circuit.preprocessed_trace.ids(),
         preprocessed_column_log_sizes: preprocessed_circuit.preprocessed_trace.log_sizes(),
         preprocessed_root: preprocessed_root.into(),

diff --git a/crates/circuit_prover/src/witness/trace.rs b/crates/circuit_prover/src/witness/trace.rs
@@ -387,28 +387,27 @@ where
 
     let output_values = output_addresses.iter().map(|addr| context_values[*addr]).collect_vec();
 
+    let log_sizes = [
+        eq_log_size,
+        qm31_ops_log_size,
+        blake_gate_interaction_claim_gen.log_size,
+        blake_round_log_size.log_size,
+        crate::circuit_air::components::blake_round_sigma::LOG_SIZE,
+        blake_g_claim.log_size,
+        blake_output_claim.log_size,
+        triple_xor_32_claim.log_size,
+        m_31_to_u_32_claim.log_size,
+        crate::circuit_air::components::verify_bitwise_xor_8::LOG_SIZE,
+        crate::circuit_air::components::verify_bitwise_xor_12::LOG_SIZE,
+        crate::circuit_air::components::verify_bitwise_xor_4::LOG_SIZE,
+        crate::circuit_air::components::verify_bitwise_xor_7::LOG_SIZE,
+        crate::circuit_air::components::verify_bitwise_xor_9::LOG_SIZE,
+        crate::circuit_air::components::range_check_15::LOG_SIZE,
+        crate::circuit_air::components::range_check_16::LOG_SIZE,
+    ];
+
     (
-        CircuitClaim {
-            log_sizes: [
-                eq_log_size,
-                qm31_ops_log_size,
-                blake_gate_interaction_claim_gen.log_size,
-                blake_round_log_size.log_size,
-                crate::circuit_air::components::blake_round_sigma::LOG_SIZE,
-                blake_g_claim.log_size,
-                blake_output_claim.log_size,
-                triple_xor_32_claim.log_size,
-                m_31_to_u_32_claim.log_size,
-                crate::circuit_air::components::verify_bitwise_xor_8::LOG_SIZE,
-                crate::circuit_air::components::verify_bitwise_xor_12::LOG_SIZE,
-                crate::circuit_air::components::verify_bitwise_xor_4::LOG_SIZE,
-                crate::circuit_air::components::verify_bitwise_xor_7::LOG_SIZE,
-                crate::circuit_air::components::verify_bitwise_xor_9::LOG_SIZE,
-                crate::circuit_air::components::range_check_15::LOG_SIZE,
-                crate::circuit_air::components::range_check_16::LOG_SIZE,
-            ],
-            output_values,
-        },
+        CircuitClaim { log_sizes, output_values },
         CircuitInteractionClaimGenerator {
             eq_lookup_data,
             qm31_ops_lookup_data,