halo2/halo2_gadgets/src/sinsemilla/primitives/addition.rs

use std::ops::Add;

use group::{CurveAffine, Group};
use pasta_curves::pallas;
use subtle::{ConstantTimeEq, CtOption};

/// P ∪ {⊥}
///
/// Simulated incomplete addition built over complete addition.
#[derive(Clone, Copy, Debug)]
pub(super) struct IncompletePoint(CtOption<pallas::Point>);

impl From<pallas::Point> for IncompletePoint {
    fn from(p: pallas::Point) -> Self {
        IncompletePoint(CtOption::new(p, 1.into()))
    }
}

impl From<IncompletePoint> for CtOption<pallas::Point> {
    fn from(p: IncompletePoint) -> Self {
        p.0
    }
}

impl Add for IncompletePoint {
    type Output = IncompletePoint;

    #[allow(clippy::suspicious_arithmetic_impl)]
    fn add(self, rhs: Self) -> Self::Output {
        // ⊥ ⸭ ⊥ = ⊥
        // ⊥ ⸭ P = ⊥
        IncompletePoint(self.0.and_then(|p| {
            // P ⸭ ⊥ = ⊥
            rhs.0.and_then(|q| {
                // 0 ⸭ 0 = ⊥
                // 0 ⸭ P = ⊥
                // P ⸭ 0 = ⊥
                // (x, y) ⸭ (x', y') = ⊥ if x == x'
                // (x, y) ⸭ (x', y') = (x, y) + (x', y') if x != x'
                CtOption::new(
                    p + q,
                    !(p.is_identity() | q.is_identity() | p.ct_eq(&q) | p.ct_eq(&-q)),
                )
            })
        }))
    }
}

impl Add<pallas::Affine> for IncompletePoint {
    type Output = IncompletePoint;

    /// Specialisation of incomplete addition for mixed addition.
    #[allow(clippy::suspicious_arithmetic_impl)]
    fn add(self, rhs: pallas::Affine) -> Self::Output {
        // ⊥ ⸭ ⊥ = ⊥
        // ⊥ ⸭ P = ⊥
        IncompletePoint(self.0.and_then(|p| {
            // P ⸭ ⊥ = ⊥ is satisfied by definition.
            let q = rhs.to_curve();

            // 0 ⸭ 0 = ⊥
            // 0 ⸭ P = ⊥
            // P ⸭ 0 = ⊥
            // (x, y) ⸭ (x', y') = ⊥ if x == x'
            // (x, y) ⸭ (x', y') = (x, y) + (x', y') if x != x'
            CtOption::new(
                // Use mixed addition for efficiency.
                p + rhs,
                !(p.is_identity() | q.is_identity() | p.ct_eq(&q) | p.ct_eq(&-q)),
            )
        }))
    }
}
-												Simulate incomplete addition

Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.

											
										
										
											2021-04-19 15:02:59 -07:00
+								use std::ops::Add;
-												Migrate to `group::CurveAffine`

											
										
										
											2023-07-29 12:10:20 -07:00
+								use group::{CurveAffine, Group};
-												Improve performance of IncompletePoint addition

We only need to track the occurrence of any edge cases, and we can do so
without expensive inversions at every addition step, by instead
performing the checks on the projective form directly.

											
										
										
											2021-04-21 16:59:55 -07:00
+								use pasta_curves::pallas;
-												Simulate incomplete addition

Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.

											
										
										
											2021-04-19 15:02:59 -07:00
+								use subtle::{ConstantTimeEq, CtOption};
 								/// P ∪ {⊥}
 								///
 								/// Simulated incomplete addition built over complete addition.
 								#[derive(Clone, Copy, Debug)]
 								pub(super) struct IncompletePoint(CtOption<pallas::Point>);
 								impl From<pallas::Point> for IncompletePoint {
 								    fn from(p: pallas::Point) -> Self {
 								        IncompletePoint(CtOption::new(p, 1.into()))
 								    }
 								}
 								impl From<IncompletePoint> for CtOption<pallas::Point> {
 								    fn from(p: IncompletePoint) -> Self {
 								        p.0
 								    }
 								}
 								impl Add for IncompletePoint {
 								    type Output = IncompletePoint;
-												clippy: Allow binary operators in IncompletePoint addition

It's not suspicious, it's constant time! :D

											
										
										
											2021-04-21 17:08:51 -07:00
+								    #[allow(clippy::suspicious_arithmetic_impl)]
-												Simulate incomplete addition

Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.

											
										
										
											2021-04-19 15:02:59 -07:00
+								    fn add(self, rhs: Self) -> Self::Output {
-												Use correct symbol for incomplete addition

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
											
										
										
											2021-08-12 13:33:19 -07:00
+								        // ⊥ ⸭ ⊥ = ⊥
 								        // ⊥ ⸭ P = ⊥
-												Simulate incomplete addition

Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.

											
										
										
											2021-04-19 15:02:59 -07:00
+								        IncompletePoint(self.0.and_then(|p| {
-												Use correct symbol for incomplete addition

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
											
										
										
											2021-08-12 13:33:19 -07:00
+								            // P ⸭ ⊥ = ⊥
-												Simulate incomplete addition

Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.

											
										
										
											2021-04-19 15:02:59 -07:00
+								            rhs.0.and_then(|q| {
-												Use correct symbol for incomplete addition

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
											
										
										
											2021-08-12 13:33:19 -07:00
+								                // 0 ⸭ 0 = ⊥
 								                // 0 ⸭ P = ⊥
 								                // P ⸭ 0 = ⊥
 								                // (x, y) ⸭ (x', y') = ⊥ if x == x'
 								                // (x, y) ⸭ (x', y') = (x, y) + (x', y') if x != x'
-												Improve performance of IncompletePoint addition

We only need to track the occurrence of any edge cases, and we can do so
without expensive inversions at every addition step, by instead
performing the checks on the projective form directly.

											
										
										
											2021-04-21 16:59:55 -07:00
+								                CtOption::new(
 								                    p + q,
 								                    !(p.is_identity() | q.is_identity() | p.ct_eq(&q) | p.ct_eq(&-q)),
 								                )
-												Simulate incomplete addition

Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.

											
										
										
											2021-04-19 15:02:59 -07:00
+								            })
 								        }))
 								    }
 								}
-												Use mixed addition for Sinsemilla bases

Performance improvements:
- MerkleCRH:  ~5%
- Commit^ivk: ~1%
- NoteCommit: ~3%

											
										
										
											2021-08-12 07:43:19 -07:00
+								impl Add<pallas::Affine> for IncompletePoint {
 								    type Output = IncompletePoint;
 								    /// Specialisation of incomplete addition for mixed addition.
-												Fix clippy lint

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
											
										
										
											2021-08-12 13:32:14 -07:00
+								    #[allow(clippy::suspicious_arithmetic_impl)]
-												Use mixed addition for Sinsemilla bases

Performance improvements:
- MerkleCRH:  ~5%
- Commit^ivk: ~1%
- NoteCommit: ~3%

											
										
										
											2021-08-12 07:43:19 -07:00
+								    fn add(self, rhs: pallas::Affine) -> Self::Output {
-												Use correct symbol for incomplete addition

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
											
										
										
											2021-08-12 13:33:19 -07:00
+								        // ⊥ ⸭ ⊥ = ⊥
 								        // ⊥ ⸭ P = ⊥
-												Use mixed addition for Sinsemilla bases

Performance improvements:
- MerkleCRH:  ~5%
- Commit^ivk: ~1%
- NoteCommit: ~3%

											
										
										
											2021-08-12 07:43:19 -07:00
+								        IncompletePoint(self.0.and_then(|p| {
-												Use correct symbol for incomplete addition

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
											
										
										
											2021-08-12 13:33:19 -07:00
+								            // P ⸭ ⊥ = ⊥ is satisfied by definition.
-												Use mixed addition for Sinsemilla bases

Performance improvements:
- MerkleCRH:  ~5%
- Commit^ivk: ~1%
- NoteCommit: ~3%

											
										
										
											2021-08-12 07:43:19 -07:00
+								            let q = rhs.to_curve();
-												Use correct symbol for incomplete addition

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
											
										
										
											2021-08-12 13:33:19 -07:00
+								            // 0 ⸭ 0 = ⊥
 								            // 0 ⸭ P = ⊥
 								            // P ⸭ 0 = ⊥
 								            // (x, y) ⸭ (x', y') = ⊥ if x == x'
 								            // (x, y) ⸭ (x', y') = (x, y) + (x', y') if x != x'
-												Use mixed addition for Sinsemilla bases

Performance improvements:
- MerkleCRH:  ~5%
- Commit^ivk: ~1%
- NoteCommit: ~3%

											
										
										
											2021-08-12 07:43:19 -07:00
+								            CtOption::new(
 								                // Use mixed addition for efficiency.
 								                p + rhs,
 								                !(p.is_identity() | q.is_identity() | p.ct_eq(&q) | p.ct_eq(&-q)),
 								            )
 								        }))
 								    }
 								}