feat: integrate bytecode and program image reductions

[RadNi]

Generated stack PR from amir/bytecode-commitment-merged.

Depends on spec PR: a16z#1565

Stack position: 04
Base branch: amir/bytecode-stack/03-program-foundation

Owned paths:

jolt-core/src/zkvm/claim_reductions/precommitted.rs
jolt-core/src/zkvm/claim_reductions/mod.rs
jolt-core/src/zkvm/bytecode/read_raf_checking.rs
jolt-core/src/zkvm/bytecode/mod.rs
jolt-core/src/zkvm/ram/mod.rs
jolt-core/src/zkvm/ram/val_check.rs
jolt-core/src/zkvm/claim_reductions/hamming_weight.rs
jolt-core/src/poly/opening_proof.rs
jolt-core/src/poly/commitment/dory/wrappers.rs
jolt-core/src/poly/rlc_polynomial.rs
jolt-core/src/utils/errors.rs
jolt-core/src/zkvm/config.rs
jolt-core/src/zkvm/mod.rs
jolt-core/src/zkvm/program.rs
jolt-core/src/zkvm/prover.rs
jolt-core/src/zkvm/transpilable_verifier.rs
jolt-core/src/zkvm/verifier.rs
jolt-core/src/zkvm/witness.rs
jolt-core/src/guest/prover.rs
jolt-core/src/guest/verifier.rs
jolt-core/benches/e2e_profiling.rs
jolt-sdk/macros/src/lib.rs
jolt-sdk/src/host_utils.rs
src/build_wasm.rs
transpiler/src/main.rs

This PR is expected to be updated manually when amir/bytecode-commitment-merged is resliced.

[github-actions]

Warning

This PR has more than 500 changed lines and does not include a spec.

Large features and architectural changes benefit from a spec-driven workflow.
See CONTRIBUTING.md for details on how to create a spec.

If this PR is a bug fix, refactor, or doesn't warrant a spec, feel free to ignore this message.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 6150eee. Configure here.}

[cursor]

Program image words not padded for precommitted polynomial

Medium Severity

When constructing PrecommittedPolynomial::ProgramImage for Stage 8, the words field is set to the raw bytecode_words from RAM preprocessing (unpadded), but padded_len is set to the padded power-of-two length. The vmp_precommitted_contribution function iterates over words and uses padded_len for matrix dimensions (log_2, balanced sigma/nu), creating a mismatch — the words vector is shorter than padded_len, so indexing row_idx = coeff_idx / precommitted_cols may skip contributions that would exist in a properly padded polynomial, and the matrix shape doesn't match the committed polynomial.

 

^{Reviewed by Cursor Bugbot for commit 6150eee. Configure here.}

[cursor]

ZK sumcheck proof removed from Stage 6a prover

High Severity

The prove_stage6a method previously had a #[cfg(feature = "zk")] block that used BatchedSumcheck::prove_zk with a local BlindFoldAccumulator, because Stage 6a input claims depend on hidden prior-stage outputs in ZK mode. The new code unconditionally uses prove_batched_sumcheck (the non-ZK path), which means Stage 6a no longer produces a ZK sumcheck proof when the zk feature is enabled. This breaks zero-knowledge soundness. The blindfold stage count assertion also changed from 7 to 8, which seems inconsistent with removing a ZK stage.

Additional Locations (1)

• jolt-core/src/zkvm/prover.rs#L2611-L2613

 

^{Reviewed by Cursor Bugbot for commit 6150eee. Configure here.}

[moodlezoup]

This duplicates the logic from BytecodePreprocessing::entry_bytecode_index(). We can move entry_bytecode_index onto ProgramMetadata instead so it can be used by both prover and verifier

[moodlezoup]

this is a potentially heavy clone, when BytecodeClaimReductionParams really only needs the gamma values

[moodlezoup]

this sort of Arc::new(bytecode.clone()) appears a couple of times in this PR; we should avoid cloning the bytecode as much as possible. Can we return an Arc from a preprocessing method?