2022-05-10 13:26:49 -07:00
|
|
|
//! The [Sinsemilla] hash function.
|
|
|
|
//!
|
|
|
|
//! [Sinsemilla]: https://zips.z.cash/protocol/protocol.pdf#concretesinsemillahash
|
2022-01-27 13:53:10 -08:00
|
|
|
use crate::{
|
2021-08-18 23:59:39 -07:00
|
|
|
ecc::{self, EccInstructions, FixedPoints},
|
2022-05-02 09:01:07 -07:00
|
|
|
utilities::{FieldValue, RangeConstrained, Var},
|
2021-06-18 19:42:14 -07:00
|
|
|
};
|
2021-12-15 07:24:01 -08:00
|
|
|
use group::ff::{Field, PrimeField};
|
2022-06-08 13:37:52 -07:00
|
|
|
use halo2_proofs::{
|
|
|
|
circuit::{Layouter, Value},
|
|
|
|
plonk::Error,
|
|
|
|
};
|
2021-12-07 10:02:03 -08:00
|
|
|
use pasta_curves::arithmetic::CurveAffine;
|
|
|
|
use std::fmt::Debug;
|
2021-06-18 19:42:14 -07:00
|
|
|
|
2021-06-18 19:59:39 -07:00
|
|
|
pub mod chip;
|
2021-06-04 09:53:09 -07:00
|
|
|
pub mod merkle;
|
2021-06-18 19:44:54 -07:00
|
|
|
mod message;
|
2022-05-08 19:54:04 -07:00
|
|
|
pub mod primitives;
|
2021-06-18 19:42:14 -07:00
|
|
|
|
|
|
|
/// The set of circuit instructions required to use the [`Sinsemilla`](https://zcash.github.io/halo2/design/gadgets/sinsemilla.html) gadget.
|
|
|
|
/// This trait is bounded on two constant parameters: `K`, the number of bits
|
|
|
|
/// in each word accepted by the Sinsemilla hash, and `MAX_WORDS`, the maximum
|
|
|
|
/// number of words that a single hash instance can process.
|
|
|
|
pub trait SinsemillaInstructions<C: CurveAffine, const K: usize, const MAX_WORDS: usize> {
|
|
|
|
/// A variable in the circuit.
|
|
|
|
type CellValue: Var<C::Base>;
|
|
|
|
|
|
|
|
/// A message composed of [`Self::MessagePiece`]s.
|
|
|
|
type Message: From<Vec<Self::MessagePiece>>;
|
|
|
|
|
|
|
|
/// A piece in a message containing a number of `K`-bit words.
|
|
|
|
/// A [`Self::MessagePiece`] fits in a single base field element,
|
|
|
|
/// which means it can only contain up to `N` words, where
|
2021-12-15 08:29:28 -08:00
|
|
|
/// `N*K <= C::Base::CAPACITY`.
|
2021-06-18 19:42:14 -07:00
|
|
|
///
|
2021-12-15 08:29:28 -08:00
|
|
|
/// For example, in the case `K = 10`, `CAPACITY = 254`, we can fit
|
2021-06-18 19:42:14 -07:00
|
|
|
/// up to `N = 25` words in a single base field element.
|
2021-12-01 04:51:33 -08:00
|
|
|
type MessagePiece: Clone + Debug;
|
2021-06-18 19:42:14 -07:00
|
|
|
|
2021-06-15 06:19:26 -07:00
|
|
|
/// A cumulative sum `z` is used to decompose a Sinsemilla message. It
|
|
|
|
/// produces intermediate values for each word in the message, such
|
|
|
|
/// that `z_next` = (`z_cur` - `word_next`) / `2^K`.
|
|
|
|
///
|
|
|
|
/// These intermediate values are useful for range checks on subsets
|
|
|
|
/// of the Sinsemilla message. Sinsemilla messages in the Orchard
|
|
|
|
/// protocol are composed of field elements, and we need to check
|
|
|
|
/// the canonicity of the field element encodings in certain cases.
|
|
|
|
type RunningSum;
|
|
|
|
|
2021-06-18 19:42:14 -07:00
|
|
|
/// The x-coordinate of a point output of [`Self::hash_to_point`].
|
|
|
|
type X;
|
|
|
|
/// A point output of [`Self::hash_to_point`].
|
2021-09-27 07:33:57 -07:00
|
|
|
type NonIdentityPoint: Clone + Debug;
|
2021-06-05 00:49:55 -07:00
|
|
|
/// A type enumerating the fixed points used in `CommitDomains`.
|
2021-08-18 23:59:39 -07:00
|
|
|
type FixedPoints: FixedPoints<C>;
|
2021-06-18 19:42:14 -07:00
|
|
|
|
|
|
|
/// HashDomains used in this instruction.
|
|
|
|
type HashDomains: HashDomains<C>;
|
2021-06-05 00:49:55 -07:00
|
|
|
/// CommitDomains used in this instruction.
|
|
|
|
type CommitDomains: CommitDomains<C, Self::FixedPoints, Self::HashDomains>;
|
2021-06-18 19:42:14 -07:00
|
|
|
|
|
|
|
/// Witness a message piece given a field element. Returns a [`Self::MessagePiece`]
|
|
|
|
/// encoding the given message.
|
|
|
|
///
|
|
|
|
/// # Panics
|
|
|
|
///
|
|
|
|
/// Panics if `num_words` exceed the maximum number of `K`-bit words that
|
|
|
|
/// can fit into a single base field element.
|
2021-06-24 01:29:55 -07:00
|
|
|
fn witness_message_piece(
|
2021-06-18 19:42:14 -07:00
|
|
|
&self,
|
|
|
|
layouter: impl Layouter<C::Base>,
|
2022-06-08 13:37:52 -07:00
|
|
|
value: Value<C::Base>,
|
2021-06-18 19:42:14 -07:00
|
|
|
num_words: usize,
|
|
|
|
) -> Result<Self::MessagePiece, Error>;
|
|
|
|
|
|
|
|
/// Hashes a message to an ECC curve point.
|
|
|
|
/// This returns both the resulting point, as well as the message
|
|
|
|
/// decomposition in the form of intermediate values in a cumulative
|
|
|
|
/// sum.
|
|
|
|
///
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
#[allow(clippy::type_complexity)]
|
|
|
|
fn hash_to_point(
|
|
|
|
&self,
|
|
|
|
layouter: impl Layouter<C::Base>,
|
|
|
|
Q: C,
|
|
|
|
message: Self::Message,
|
2021-09-27 07:33:57 -07:00
|
|
|
) -> Result<(Self::NonIdentityPoint, Vec<Self::RunningSum>), Error>;
|
2021-06-18 19:42:14 -07:00
|
|
|
|
|
|
|
/// Extracts the x-coordinate of the output of a Sinsemilla hash.
|
2021-09-27 07:33:57 -07:00
|
|
|
fn extract(point: &Self::NonIdentityPoint) -> Self::X;
|
2021-06-18 19:42:14 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
/// A message to be hashed.
|
|
|
|
///
|
|
|
|
/// Composed of [`MessagePiece`]s with bitlength some multiple of `K`.
|
|
|
|
///
|
|
|
|
/// [`MessagePiece`]: SinsemillaInstructions::MessagePiece
|
|
|
|
#[derive(Clone, Debug)]
|
|
|
|
pub struct Message<C: CurveAffine, SinsemillaChip, const K: usize, const MAX_WORDS: usize>
|
|
|
|
where
|
|
|
|
SinsemillaChip: SinsemillaInstructions<C, K, MAX_WORDS> + Clone + Debug + Eq,
|
|
|
|
{
|
|
|
|
chip: SinsemillaChip,
|
|
|
|
inner: SinsemillaChip::Message,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl<C: CurveAffine, SinsemillaChip, const K: usize, const MAX_WORDS: usize>
|
|
|
|
Message<C, SinsemillaChip, K, MAX_WORDS>
|
|
|
|
where
|
|
|
|
SinsemillaChip: SinsemillaInstructions<C, K, MAX_WORDS> + Clone + Debug + Eq,
|
|
|
|
{
|
2022-09-09 10:57:37 -07:00
|
|
|
#![allow(dead_code)]
|
2021-06-18 19:42:14 -07:00
|
|
|
fn from_bitstring(
|
|
|
|
chip: SinsemillaChip,
|
2021-06-24 01:29:55 -07:00
|
|
|
mut layouter: impl Layouter<C::Base>,
|
2022-06-08 13:37:52 -07:00
|
|
|
bitstring: Vec<Value<bool>>,
|
2021-06-18 19:42:14 -07:00
|
|
|
) -> Result<Self, Error> {
|
2021-06-24 01:29:55 -07:00
|
|
|
// Message must be composed of `K`-bit words.
|
|
|
|
assert_eq!(bitstring.len() % K, 0);
|
|
|
|
|
|
|
|
// Message must have at most `MAX_WORDS` words.
|
|
|
|
assert!(bitstring.len() / K <= MAX_WORDS);
|
|
|
|
|
2021-12-15 08:29:28 -08:00
|
|
|
// Each message piece must have at most `floor(C::CAPACITY / K)` words.
|
|
|
|
let piece_num_words = C::Base::CAPACITY as usize / K;
|
2021-06-24 01:29:55 -07:00
|
|
|
let pieces: Result<Vec<_>, _> = bitstring
|
|
|
|
.chunks(piece_num_words * K)
|
|
|
|
.enumerate()
|
|
|
|
.map(
|
|
|
|
|(i, piece)| -> Result<MessagePiece<C, SinsemillaChip, K, MAX_WORDS>, Error> {
|
|
|
|
MessagePiece::from_bitstring(
|
|
|
|
chip.clone(),
|
|
|
|
layouter.namespace(|| format!("message piece {}", i)),
|
|
|
|
piece,
|
|
|
|
)
|
|
|
|
},
|
|
|
|
)
|
|
|
|
.collect();
|
|
|
|
|
|
|
|
pieces.map(|pieces| Self::from_pieces(chip, pieces))
|
2021-06-18 19:42:14 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
/// Constructs a message from a vector of [`MessagePiece`]s.
|
|
|
|
///
|
|
|
|
/// [`MessagePiece`]: SinsemillaInstructions::MessagePiece
|
2021-12-20 21:04:49 -08:00
|
|
|
pub fn from_pieces(
|
2021-06-24 01:29:55 -07:00
|
|
|
chip: SinsemillaChip,
|
|
|
|
pieces: Vec<MessagePiece<C, SinsemillaChip, K, MAX_WORDS>>,
|
|
|
|
) -> Self {
|
2021-06-18 19:42:14 -07:00
|
|
|
Self {
|
|
|
|
chip,
|
2021-06-24 01:29:55 -07:00
|
|
|
inner: pieces
|
2021-06-28 21:02:54 -07:00
|
|
|
.into_iter()
|
|
|
|
.map(|piece| piece.inner)
|
2021-06-24 01:29:55 -07:00
|
|
|
.collect::<Vec<_>>()
|
|
|
|
.into(),
|
2021-06-18 19:42:14 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-01-27 13:53:10 -08:00
|
|
|
/// A message piece with a bitlength of some multiple of `K`.
|
2021-06-06 05:11:03 -07:00
|
|
|
#[derive(Copy, Clone, Debug)]
|
2021-06-24 01:29:55 -07:00
|
|
|
pub struct MessagePiece<C: CurveAffine, SinsemillaChip, const K: usize, const MAX_WORDS: usize>
|
|
|
|
where
|
|
|
|
SinsemillaChip: SinsemillaInstructions<C, K, MAX_WORDS> + Clone + Debug + Eq,
|
|
|
|
{
|
|
|
|
chip: SinsemillaChip,
|
|
|
|
inner: SinsemillaChip::MessagePiece,
|
|
|
|
}
|
|
|
|
|
2021-06-06 05:11:03 -07:00
|
|
|
impl<C: CurveAffine, SinsemillaChip, const K: usize, const MAX_WORDS: usize>
|
|
|
|
MessagePiece<C, SinsemillaChip, K, MAX_WORDS>
|
|
|
|
where
|
|
|
|
SinsemillaChip: SinsemillaInstructions<C, K, MAX_WORDS> + Clone + Debug + Eq,
|
|
|
|
{
|
2021-12-20 21:04:49 -08:00
|
|
|
/// Returns the inner MessagePiece contained in this gadget.
|
|
|
|
pub fn inner(&self) -> SinsemillaChip::MessagePiece {
|
2021-12-01 04:51:33 -08:00
|
|
|
self.inner.clone()
|
2021-06-06 05:11:03 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-06-24 01:29:55 -07:00
|
|
|
impl<C: CurveAffine, SinsemillaChip, const K: usize, const MAX_WORDS: usize>
|
|
|
|
MessagePiece<C, SinsemillaChip, K, MAX_WORDS>
|
|
|
|
where
|
|
|
|
SinsemillaChip: SinsemillaInstructions<C, K, MAX_WORDS> + Clone + Debug + Eq,
|
|
|
|
{
|
2022-09-09 10:57:37 -07:00
|
|
|
#![allow(dead_code)]
|
2021-06-24 01:29:55 -07:00
|
|
|
fn from_bitstring(
|
|
|
|
chip: SinsemillaChip,
|
|
|
|
layouter: impl Layouter<C::Base>,
|
2022-06-08 13:37:52 -07:00
|
|
|
bitstring: &[Value<bool>],
|
2021-06-24 01:29:55 -07:00
|
|
|
) -> Result<Self, Error> {
|
|
|
|
// Message must be composed of `K`-bit words.
|
|
|
|
assert_eq!(bitstring.len() % K, 0);
|
|
|
|
let num_words = bitstring.len() / K;
|
|
|
|
|
2021-12-15 08:29:28 -08:00
|
|
|
// Each message piece must have at most `floor(C::Base::CAPACITY / K)` words.
|
|
|
|
// This ensures that the all-ones bitstring is canonical in the field.
|
|
|
|
let piece_max_num_words = C::Base::CAPACITY as usize / K;
|
2021-06-24 01:29:55 -07:00
|
|
|
assert!(num_words <= piece_max_num_words as usize);
|
|
|
|
|
|
|
|
// Closure to parse a bitstring (little-endian) into a base field element.
|
2022-06-08 13:37:52 -07:00
|
|
|
let to_base_field = |bits: &[Value<bool>]| -> Value<C::Base> {
|
|
|
|
let bits: Value<Vec<bool>> = bits.iter().cloned().collect();
|
2021-12-15 07:24:01 -08:00
|
|
|
bits.map(|bits| {
|
|
|
|
bits.into_iter().rev().fold(C::Base::zero(), |acc, bit| {
|
|
|
|
if bit {
|
|
|
|
acc.double() + C::Base::one()
|
|
|
|
} else {
|
|
|
|
acc.double()
|
|
|
|
}
|
|
|
|
})
|
2021-12-07 10:02:03 -08:00
|
|
|
})
|
2021-06-24 01:29:55 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
let piece_value = to_base_field(bitstring);
|
|
|
|
Self::from_field_elem(chip, layouter, piece_value, num_words)
|
|
|
|
}
|
|
|
|
|
2021-12-20 21:04:49 -08:00
|
|
|
/// Constructs a MessagePiece from a field element.
|
|
|
|
pub fn from_field_elem(
|
2021-06-24 01:29:55 -07:00
|
|
|
chip: SinsemillaChip,
|
|
|
|
layouter: impl Layouter<C::Base>,
|
2022-06-08 13:37:52 -07:00
|
|
|
field_elem: Value<C::Base>,
|
2021-06-24 01:29:55 -07:00
|
|
|
num_words: usize,
|
|
|
|
) -> Result<Self, Error> {
|
|
|
|
let inner = chip.witness_message_piece(layouter, field_elem, num_words)?;
|
|
|
|
Ok(Self { chip, inner })
|
|
|
|
}
|
2022-05-02 09:01:07 -07:00
|
|
|
|
|
|
|
/// Constructs a `MessagePiece` by concatenating a sequence of [`RangeConstrained`]
|
2022-05-10 13:26:49 -07:00
|
|
|
/// subpiece values.
|
|
|
|
///
|
|
|
|
/// The `MessagePiece` is assigned to the circuit, but not constrained in any way.
|
2022-05-02 09:01:07 -07:00
|
|
|
///
|
|
|
|
/// # Panics
|
|
|
|
///
|
|
|
|
/// Panics if the total number of bits across the subpieces is not a multiple of the
|
|
|
|
/// word size, or if the required bitshift for any subpiece is greater than 63 bits.
|
|
|
|
pub fn from_subpieces(
|
|
|
|
chip: SinsemillaChip,
|
|
|
|
layouter: impl Layouter<C::Base>,
|
2022-06-08 13:37:52 -07:00
|
|
|
subpieces: impl IntoIterator<Item = RangeConstrained<C::Base, Value<C::Base>>>,
|
2022-05-02 09:01:07 -07:00
|
|
|
) -> Result<Self, Error> {
|
2022-06-08 13:37:52 -07:00
|
|
|
let (field_elem, total_bits) = subpieces.into_iter().fold(
|
|
|
|
(Value::known(C::Base::zero()), 0),
|
|
|
|
|(acc, bits), subpiece| {
|
|
|
|
assert!(bits < 64);
|
|
|
|
let subpiece_shifted = subpiece
|
|
|
|
.inner()
|
|
|
|
.value()
|
|
|
|
.map(|v| C::Base::from(1 << bits) * v);
|
|
|
|
(acc + subpiece_shifted, bits + subpiece.num_bits())
|
|
|
|
},
|
|
|
|
);
|
2022-05-02 09:01:07 -07:00
|
|
|
|
|
|
|
// Message must be composed of `K`-bit words.
|
|
|
|
assert_eq!(total_bits % K, 0);
|
|
|
|
let num_words = total_bits / K;
|
|
|
|
|
|
|
|
Self::from_field_elem(chip, layouter, field_elem, num_words)
|
|
|
|
}
|
2021-06-24 01:29:55 -07:00
|
|
|
}
|
|
|
|
|
2021-06-18 19:42:14 -07:00
|
|
|
/// A domain in which $\mathsf{SinsemillaHashToPoint}$ and $\mathsf{SinsemillaHash}$ can
|
|
|
|
/// be used.
|
2022-01-27 13:53:10 -08:00
|
|
|
#[derive(Debug)]
|
2021-06-18 19:42:14 -07:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
pub struct HashDomain<
|
|
|
|
C: CurveAffine,
|
|
|
|
SinsemillaChip,
|
|
|
|
EccChip,
|
|
|
|
const K: usize,
|
|
|
|
const MAX_WORDS: usize,
|
|
|
|
> where
|
|
|
|
SinsemillaChip: SinsemillaInstructions<C, K, MAX_WORDS> + Clone + Debug + Eq,
|
|
|
|
EccChip: EccInstructions<
|
|
|
|
C,
|
2021-09-27 07:33:57 -07:00
|
|
|
NonIdentityPoint = <SinsemillaChip as SinsemillaInstructions<C, K, MAX_WORDS>>::NonIdentityPoint,
|
2021-06-05 00:49:55 -07:00
|
|
|
FixedPoints = <SinsemillaChip as SinsemillaInstructions<C, K, MAX_WORDS>>::FixedPoints,
|
2021-06-18 19:42:14 -07:00
|
|
|
> + Clone
|
|
|
|
+ Debug
|
|
|
|
+ Eq,
|
|
|
|
{
|
|
|
|
sinsemilla_chip: SinsemillaChip,
|
|
|
|
ecc_chip: EccChip,
|
|
|
|
Q: C,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl<C: CurveAffine, SinsemillaChip, EccChip, const K: usize, const MAX_WORDS: usize>
|
|
|
|
HashDomain<C, SinsemillaChip, EccChip, K, MAX_WORDS>
|
|
|
|
where
|
|
|
|
SinsemillaChip: SinsemillaInstructions<C, K, MAX_WORDS> + Clone + Debug + Eq,
|
|
|
|
EccChip: EccInstructions<
|
|
|
|
C,
|
2021-09-27 07:33:57 -07:00
|
|
|
NonIdentityPoint = <SinsemillaChip as SinsemillaInstructions<C, K, MAX_WORDS>>::NonIdentityPoint,
|
2021-06-05 00:49:55 -07:00
|
|
|
FixedPoints = <SinsemillaChip as SinsemillaInstructions<C, K, MAX_WORDS>>::FixedPoints,
|
2021-06-18 19:42:14 -07:00
|
|
|
> + Clone
|
|
|
|
+ Debug
|
|
|
|
+ Eq,
|
|
|
|
{
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
/// Constructs a new `HashDomain` for the given domain.
|
|
|
|
pub fn new(
|
|
|
|
sinsemilla_chip: SinsemillaChip,
|
|
|
|
ecc_chip: EccChip,
|
|
|
|
domain: &SinsemillaChip::HashDomains,
|
|
|
|
) -> Self {
|
|
|
|
HashDomain {
|
|
|
|
sinsemilla_chip,
|
|
|
|
ecc_chip,
|
|
|
|
Q: domain.Q(),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-06-15 06:19:26 -07:00
|
|
|
#[allow(clippy::type_complexity)]
|
2021-06-18 19:42:14 -07:00
|
|
|
/// $\mathsf{SinsemillaHashToPoint}$ from [§ 5.4.1.9][concretesinsemillahash].
|
|
|
|
///
|
|
|
|
/// [concretesinsemillahash]: https://zips.z.cash/protocol/protocol.pdf#concretesinsemillahash
|
|
|
|
pub fn hash_to_point(
|
|
|
|
&self,
|
|
|
|
layouter: impl Layouter<C::Base>,
|
|
|
|
message: Message<C, SinsemillaChip, K, MAX_WORDS>,
|
2021-09-27 07:33:57 -07:00
|
|
|
) -> Result<(ecc::NonIdentityPoint<C, EccChip>, Vec<SinsemillaChip::RunningSum>), Error> {
|
2021-06-18 19:42:14 -07:00
|
|
|
assert_eq!(self.sinsemilla_chip, message.chip);
|
2021-07-22 07:14:34 -07:00
|
|
|
self.sinsemilla_chip
|
|
|
|
.hash_to_point(layouter, self.Q, message.inner)
|
2021-09-27 07:33:57 -07:00
|
|
|
.map(|(point, zs)| (ecc::NonIdentityPoint::from_inner(self.ecc_chip.clone(), point), zs))
|
2021-06-18 19:42:14 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
/// $\mathsf{SinsemillaHash}$ from [§ 5.4.1.9][concretesinsemillahash].
|
|
|
|
///
|
|
|
|
/// [concretesinsemillahash]: https://zips.z.cash/protocol/protocol.pdf#concretesinsemillahash
|
2021-07-22 07:14:34 -07:00
|
|
|
#[allow(clippy::type_complexity)]
|
2021-06-18 19:42:14 -07:00
|
|
|
pub fn hash(
|
|
|
|
&self,
|
|
|
|
layouter: impl Layouter<C::Base>,
|
|
|
|
message: Message<C, SinsemillaChip, K, MAX_WORDS>,
|
2021-07-22 07:14:34 -07:00
|
|
|
) -> Result<(ecc::X<C, EccChip>, Vec<SinsemillaChip::RunningSum>), Error> {
|
2021-06-18 19:42:14 -07:00
|
|
|
assert_eq!(self.sinsemilla_chip, message.chip);
|
2021-07-22 07:14:34 -07:00
|
|
|
let (p, zs) = self.hash_to_point(layouter, message)?;
|
|
|
|
Ok((p.extract_p(), zs))
|
2021-06-18 19:42:14 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-06-05 00:49:55 -07:00
|
|
|
/// Trait allowing circuit's Sinsemilla CommitDomains to be enumerated.
|
2021-08-18 23:59:39 -07:00
|
|
|
pub trait CommitDomains<C: CurveAffine, F: FixedPoints<C>, H: HashDomains<C>>:
|
2021-06-05 00:49:55 -07:00
|
|
|
Clone + Debug
|
|
|
|
{
|
2021-07-19 05:26:03 -07:00
|
|
|
/// Returns the fixed point corresponding to the R constant used for
|
|
|
|
/// randomization in this CommitDomain.
|
2021-08-18 23:59:39 -07:00
|
|
|
fn r(&self) -> F::FullScalar;
|
2021-06-05 00:49:55 -07:00
|
|
|
|
|
|
|
/// Returns the HashDomain contained in this CommitDomain
|
|
|
|
fn hash_domain(&self) -> H;
|
|
|
|
}
|
|
|
|
|
2021-06-18 19:42:14 -07:00
|
|
|
/// Trait allowing circuit's Sinsemilla HashDomains to be enumerated.
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
pub trait HashDomains<C: CurveAffine>: Clone + Debug {
|
2022-01-27 13:53:10 -08:00
|
|
|
/// Returns the `Q` constant for this domain.
|
2021-06-18 19:42:14 -07:00
|
|
|
fn Q(&self) -> C;
|
|
|
|
}
|
2021-06-19 01:29:09 -07:00
|
|
|
|
2022-01-27 13:53:10 -08:00
|
|
|
/// Gadget representing a domain in which $\mathsf{SinsemillaCommit}$ and
|
|
|
|
/// $\mathsf{SinsemillaShortCommit}$ can be used.
|
|
|
|
#[derive(Debug)]
|
2021-06-05 00:49:55 -07:00
|
|
|
#[allow(non_snake_case)]
|
|
|
|
pub struct CommitDomain<
|
|
|
|
C: CurveAffine,
|
|
|
|
SinsemillaChip,
|
|
|
|
EccChip,
|
|
|
|
const K: usize,
|
|
|
|
const MAX_WORDS: usize,
|
|
|
|
> where
|
|
|
|
SinsemillaChip: SinsemillaInstructions<C, K, MAX_WORDS> + Clone + Debug + Eq,
|
|
|
|
EccChip: EccInstructions<
|
|
|
|
C,
|
2021-09-27 07:33:57 -07:00
|
|
|
NonIdentityPoint = <SinsemillaChip as SinsemillaInstructions<C, K, MAX_WORDS>>::NonIdentityPoint,
|
2021-06-05 00:49:55 -07:00
|
|
|
FixedPoints = <SinsemillaChip as SinsemillaInstructions<C, K, MAX_WORDS>>::FixedPoints,
|
|
|
|
> + Clone
|
|
|
|
+ Debug
|
|
|
|
+ Eq,
|
|
|
|
{
|
|
|
|
M: HashDomain<C, SinsemillaChip, EccChip, K, MAX_WORDS>,
|
|
|
|
R: ecc::FixedPoint<C, EccChip>,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl<C: CurveAffine, SinsemillaChip, EccChip, const K: usize, const MAX_WORDS: usize>
|
|
|
|
CommitDomain<C, SinsemillaChip, EccChip, K, MAX_WORDS>
|
|
|
|
where
|
|
|
|
SinsemillaChip: SinsemillaInstructions<C, K, MAX_WORDS> + Clone + Debug + Eq,
|
|
|
|
EccChip: EccInstructions<
|
|
|
|
C,
|
2021-09-27 07:33:57 -07:00
|
|
|
NonIdentityPoint = <SinsemillaChip as SinsemillaInstructions<C, K, MAX_WORDS>>::NonIdentityPoint,
|
2021-06-05 00:49:55 -07:00
|
|
|
FixedPoints = <SinsemillaChip as SinsemillaInstructions<C, K, MAX_WORDS>>::FixedPoints,
|
|
|
|
> + Clone
|
|
|
|
+ Debug
|
|
|
|
+ Eq,
|
|
|
|
{
|
|
|
|
/// Constructs a new `CommitDomain` for the given domain.
|
|
|
|
pub fn new(
|
|
|
|
sinsemilla_chip: SinsemillaChip,
|
|
|
|
ecc_chip: EccChip,
|
2022-01-27 08:45:44 -08:00
|
|
|
// TODO: Instead of using SinsemilllaChip::CommitDomains, just use something that implements a CommitDomains trait
|
2021-06-05 00:49:55 -07:00
|
|
|
domain: &SinsemillaChip::CommitDomains,
|
|
|
|
) -> Self {
|
|
|
|
CommitDomain {
|
|
|
|
M: HashDomain::new(sinsemilla_chip, ecc_chip.clone(), &domain.hash_domain()),
|
|
|
|
R: ecc::FixedPoint::from_inner(ecc_chip, domain.r()),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-06-15 06:19:26 -07:00
|
|
|
#[allow(clippy::type_complexity)]
|
2021-06-05 00:49:55 -07:00
|
|
|
/// $\mathsf{SinsemillaCommit}$ from [§ 5.4.8.4][concretesinsemillacommit].
|
|
|
|
///
|
|
|
|
/// [concretesinsemillacommit]: https://zips.z.cash/protocol/nu5.pdf#concretesinsemillacommit
|
|
|
|
pub fn commit(
|
|
|
|
&self,
|
|
|
|
mut layouter: impl Layouter<C::Base>,
|
|
|
|
message: Message<C, SinsemillaChip, K, MAX_WORDS>,
|
2022-05-08 22:18:05 -07:00
|
|
|
r: ecc::ScalarFixed<C, EccChip>,
|
2021-09-27 01:50:39 -07:00
|
|
|
) -> Result<
|
|
|
|
(
|
2021-09-28 08:35:35 -07:00
|
|
|
ecc::Point<C, EccChip>,
|
2021-09-27 01:50:39 -07:00
|
|
|
Vec<SinsemillaChip::RunningSum>,
|
|
|
|
),
|
|
|
|
Error,
|
|
|
|
> {
|
2021-06-05 00:49:55 -07:00
|
|
|
assert_eq!(self.M.sinsemilla_chip, message.chip);
|
|
|
|
let (blind, _) = self.R.mul(layouter.namespace(|| "[r] R"), r)?;
|
2021-06-15 06:19:26 -07:00
|
|
|
let (p, zs) = self.M.hash_to_point(layouter.namespace(|| "M"), message)?;
|
2021-09-28 08:35:35 -07:00
|
|
|
let commitment = p.add(layouter.namespace(|| "M + [r] R"), &blind)?;
|
2021-06-15 06:19:26 -07:00
|
|
|
Ok((commitment, zs))
|
2021-06-05 00:49:55 -07:00
|
|
|
}
|
|
|
|
|
2021-06-15 06:19:26 -07:00
|
|
|
#[allow(clippy::type_complexity)]
|
2021-06-05 00:49:55 -07:00
|
|
|
/// $\mathsf{SinsemillaShortCommit}$ from [§ 5.4.8.4][concretesinsemillacommit].
|
|
|
|
///
|
|
|
|
/// [concretesinsemillacommit]: https://zips.z.cash/protocol/nu5.pdf#concretesinsemillacommit
|
|
|
|
pub fn short_commit(
|
|
|
|
&self,
|
|
|
|
mut layouter: impl Layouter<C::Base>,
|
|
|
|
message: Message<C, SinsemillaChip, K, MAX_WORDS>,
|
2022-05-08 22:18:05 -07:00
|
|
|
r: ecc::ScalarFixed<C, EccChip>,
|
2021-06-15 06:19:26 -07:00
|
|
|
) -> Result<(ecc::X<C, EccChip>, Vec<SinsemillaChip::RunningSum>), Error> {
|
2021-06-05 00:49:55 -07:00
|
|
|
assert_eq!(self.M.sinsemilla_chip, message.chip);
|
2021-06-15 06:19:26 -07:00
|
|
|
let (p, zs) = self.commit(layouter.namespace(|| "commit"), message, r)?;
|
|
|
|
Ok((p.extract_p(), zs))
|
2021-06-05 00:49:55 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-06-19 01:29:09 -07:00
|
|
|
#[cfg(test)]
|
2022-01-27 13:15:41 -08:00
|
|
|
pub(crate) mod tests {
|
2022-01-27 15:28:02 -08:00
|
|
|
use halo2_proofs::{
|
2022-06-08 13:37:52 -07:00
|
|
|
circuit::{Layouter, SimpleFloorPlanner, Value},
|
2021-06-19 01:29:09 -07:00
|
|
|
dev::MockProver,
|
2021-07-08 18:56:27 -07:00
|
|
|
plonk::{Circuit, ConstraintSystem, Error},
|
2021-06-19 01:29:09 -07:00
|
|
|
};
|
2022-01-18 06:30:55 -08:00
|
|
|
use rand::rngs::OsRng;
|
2021-06-19 01:29:09 -07:00
|
|
|
|
|
|
|
use super::{
|
2021-08-18 23:59:39 -07:00
|
|
|
chip::{SinsemillaChip, SinsemillaConfig},
|
2022-01-27 13:15:41 -08:00
|
|
|
CommitDomain, CommitDomains, HashDomain, HashDomains, Message, MessagePiece,
|
2021-06-19 01:29:09 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
use crate::{
|
2022-05-08 22:18:05 -07:00
|
|
|
ecc::ScalarFixed,
|
2022-05-08 19:54:04 -07:00
|
|
|
sinsemilla::primitives::{self as sinsemilla, K},
|
2022-01-27 13:53:10 -08:00
|
|
|
{
|
2021-07-21 07:59:08 -07:00
|
|
|
ecc::{
|
2022-01-27 13:15:41 -08:00
|
|
|
chip::{find_zs_and_us, EccChip, EccConfig, H, NUM_WINDOWS},
|
|
|
|
tests::{FullWidth, TestFixedBases},
|
2021-09-27 03:14:01 -07:00
|
|
|
NonIdentityPoint,
|
2021-07-21 07:59:08 -07:00
|
|
|
},
|
|
|
|
utilities::lookup_range_check::LookupRangeCheckConfig,
|
2021-06-19 01:29:09 -07:00
|
|
|
},
|
|
|
|
};
|
|
|
|
|
2022-01-18 06:30:55 -08:00
|
|
|
use group::{ff::Field, Curve};
|
2022-01-27 13:15:41 -08:00
|
|
|
use lazy_static::lazy_static;
|
2022-01-18 06:30:55 -08:00
|
|
|
use pasta_curves::pallas;
|
2021-06-19 01:29:09 -07:00
|
|
|
|
|
|
|
use std::convert::TryInto;
|
|
|
|
|
2022-01-28 07:50:14 -08:00
|
|
|
pub(crate) const PERSONALIZATION: &str = "MerkleCRH";
|
2022-01-27 13:15:41 -08:00
|
|
|
|
|
|
|
lazy_static! {
|
|
|
|
static ref COMMIT_DOMAIN: sinsemilla::CommitDomain =
|
|
|
|
sinsemilla::CommitDomain::new(PERSONALIZATION);
|
|
|
|
static ref Q: pallas::Affine = COMMIT_DOMAIN.Q().to_affine();
|
|
|
|
static ref R: pallas::Affine = COMMIT_DOMAIN.R().to_affine();
|
|
|
|
static ref R_ZS_AND_US: Vec<(u64, [pallas::Base; H])> =
|
|
|
|
find_zs_and_us(*R, NUM_WINDOWS).unwrap();
|
|
|
|
}
|
|
|
|
|
|
|
|
#[derive(Debug, Clone, Eq, PartialEq)]
|
|
|
|
pub(crate) struct TestHashDomain;
|
|
|
|
impl HashDomains<pallas::Affine> for TestHashDomain {
|
|
|
|
fn Q(&self) -> pallas::Affine {
|
|
|
|
*Q
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// This test does not make use of the CommitDomain.
|
|
|
|
#[derive(Debug, Clone, Eq, PartialEq)]
|
|
|
|
pub(crate) struct TestCommitDomain;
|
|
|
|
impl CommitDomains<pallas::Affine, TestFixedBases, TestHashDomain> for TestCommitDomain {
|
|
|
|
fn r(&self) -> FullWidth {
|
|
|
|
FullWidth::from_parts(*R, &R_ZS_AND_US)
|
|
|
|
}
|
|
|
|
|
|
|
|
fn hash_domain(&self) -> TestHashDomain {
|
|
|
|
TestHashDomain
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-06-19 01:29:09 -07:00
|
|
|
struct MyCircuit {}
|
|
|
|
|
|
|
|
impl Circuit<pallas::Base> for MyCircuit {
|
2021-08-18 23:59:39 -07:00
|
|
|
#[allow(clippy::type_complexity)]
|
|
|
|
type Config = (
|
2022-01-27 13:15:41 -08:00
|
|
|
EccConfig<TestFixedBases>,
|
|
|
|
SinsemillaConfig<TestHashDomain, TestCommitDomain, TestFixedBases>,
|
|
|
|
SinsemillaConfig<TestHashDomain, TestCommitDomain, TestFixedBases>,
|
2021-08-18 23:59:39 -07:00
|
|
|
);
|
2021-07-08 18:56:27 -07:00
|
|
|
type FloorPlanner = SimpleFloorPlanner;
|
|
|
|
|
|
|
|
fn without_witnesses(&self) -> Self {
|
|
|
|
MyCircuit {}
|
|
|
|
}
|
2021-06-19 01:29:09 -07:00
|
|
|
|
|
|
|
#[allow(non_snake_case)]
|
|
|
|
fn configure(meta: &mut ConstraintSystem<pallas::Base>) -> Self::Config {
|
|
|
|
let advices = [
|
|
|
|
meta.advice_column(),
|
|
|
|
meta.advice_column(),
|
|
|
|
meta.advice_column(),
|
|
|
|
meta.advice_column(),
|
|
|
|
meta.advice_column(),
|
|
|
|
meta.advice_column(),
|
|
|
|
meta.advice_column(),
|
|
|
|
meta.advice_column(),
|
|
|
|
meta.advice_column(),
|
|
|
|
meta.advice_column(),
|
|
|
|
];
|
|
|
|
|
2021-07-20 01:22:08 -07:00
|
|
|
// Shared fixed column for loading constants
|
|
|
|
let constants = meta.fixed_column();
|
|
|
|
meta.enable_constant(constants);
|
|
|
|
|
2021-07-27 10:32:32 -07:00
|
|
|
let table_idx = meta.lookup_table_column();
|
2021-07-21 04:13:47 -07:00
|
|
|
let lagrange_coeffs = [
|
|
|
|
meta.fixed_column(),
|
|
|
|
meta.fixed_column(),
|
|
|
|
meta.fixed_column(),
|
|
|
|
meta.fixed_column(),
|
|
|
|
meta.fixed_column(),
|
|
|
|
meta.fixed_column(),
|
|
|
|
meta.fixed_column(),
|
|
|
|
meta.fixed_column(),
|
|
|
|
];
|
2021-06-19 04:08:46 -07:00
|
|
|
|
|
|
|
// Fixed columns for the Sinsemilla generator lookup table
|
2021-07-27 10:32:32 -07:00
|
|
|
let lookup = (
|
|
|
|
table_idx,
|
|
|
|
meta.lookup_table_column(),
|
|
|
|
meta.lookup_table_column(),
|
|
|
|
);
|
2021-06-24 22:39:37 -07:00
|
|
|
|
2021-07-21 07:59:08 -07:00
|
|
|
let range_check = LookupRangeCheckConfig::configure(meta, advices[9], table_idx);
|
|
|
|
|
2022-01-27 13:15:41 -08:00
|
|
|
let ecc_config =
|
|
|
|
EccChip::<TestFixedBases>::configure(meta, advices, lagrange_coeffs, range_check);
|
2021-07-21 07:59:08 -07:00
|
|
|
|
|
|
|
let config1 = SinsemillaChip::configure(
|
|
|
|
meta,
|
|
|
|
advices[..5].try_into().unwrap(),
|
2021-07-21 08:47:49 -07:00
|
|
|
advices[2],
|
2021-07-23 05:25:02 -07:00
|
|
|
lagrange_coeffs[0],
|
2021-07-21 07:59:08 -07:00
|
|
|
lookup,
|
2021-11-30 11:31:42 -08:00
|
|
|
range_check,
|
2021-07-21 07:59:08 -07:00
|
|
|
);
|
|
|
|
let config2 = SinsemillaChip::configure(
|
|
|
|
meta,
|
|
|
|
advices[5..].try_into().unwrap(),
|
2021-07-21 08:47:49 -07:00
|
|
|
advices[7],
|
2021-07-23 05:25:02 -07:00
|
|
|
lagrange_coeffs[1],
|
2021-07-21 07:59:08 -07:00
|
|
|
lookup,
|
|
|
|
range_check,
|
|
|
|
);
|
2021-06-19 01:29:09 -07:00
|
|
|
(ecc_config, config1, config2)
|
|
|
|
}
|
|
|
|
|
|
|
|
fn synthesize(
|
|
|
|
&self,
|
|
|
|
config: Self::Config,
|
2021-07-08 18:56:27 -07:00
|
|
|
mut layouter: impl Layouter<pallas::Base>,
|
2021-06-19 01:29:09 -07:00
|
|
|
) -> Result<(), Error> {
|
2022-01-18 06:30:55 -08:00
|
|
|
let rng = OsRng;
|
|
|
|
|
2021-06-19 01:29:09 -07:00
|
|
|
let ecc_chip = EccChip::construct(config.0);
|
|
|
|
|
|
|
|
// The two `SinsemillaChip`s share the same lookup table.
|
2022-01-27 13:15:41 -08:00
|
|
|
SinsemillaChip::<TestHashDomain, TestCommitDomain, TestFixedBases>::load(
|
2021-08-18 23:59:39 -07:00
|
|
|
config.1.clone(),
|
|
|
|
&mut layouter,
|
|
|
|
)?;
|
2021-06-19 01:29:09 -07:00
|
|
|
|
|
|
|
// This MerkleCRH example is purely for illustrative purposes.
|
|
|
|
// It is not an implementation of the Orchard protocol spec.
|
|
|
|
{
|
|
|
|
let chip1 = SinsemillaChip::construct(config.1);
|
|
|
|
|
2022-01-27 13:15:41 -08:00
|
|
|
let merkle_crh = HashDomain::new(chip1.clone(), ecc_chip.clone(), &TestHashDomain);
|
2021-06-19 01:29:09 -07:00
|
|
|
|
2021-11-29 12:39:41 -08:00
|
|
|
// Layer 31, l = MERKLE_DEPTH - 1 - layer = 0
|
2022-06-08 13:37:52 -07:00
|
|
|
let l_bitstring = vec![Value::known(false); K];
|
2021-06-24 01:29:55 -07:00
|
|
|
let l = MessagePiece::from_bitstring(
|
|
|
|
chip1.clone(),
|
|
|
|
layouter.namespace(|| "l"),
|
|
|
|
&l_bitstring,
|
|
|
|
)?;
|
2021-06-19 01:29:09 -07:00
|
|
|
|
|
|
|
// Left leaf
|
2022-06-08 13:37:52 -07:00
|
|
|
let left_bitstring: Vec<Value<bool>> = (0..250)
|
|
|
|
.map(|_| Value::known(rand::random::<bool>()))
|
|
|
|
.collect();
|
2021-06-24 01:29:55 -07:00
|
|
|
let left = MessagePiece::from_bitstring(
|
|
|
|
chip1.clone(),
|
2021-06-19 01:29:09 -07:00
|
|
|
layouter.namespace(|| "left"),
|
|
|
|
&left_bitstring,
|
|
|
|
)?;
|
|
|
|
|
|
|
|
// Right leaf
|
2022-06-08 13:37:52 -07:00
|
|
|
let right_bitstring: Vec<Value<bool>> = (0..250)
|
|
|
|
.map(|_| Value::known(rand::random::<bool>()))
|
|
|
|
.collect();
|
2021-06-24 01:29:55 -07:00
|
|
|
let right = MessagePiece::from_bitstring(
|
|
|
|
chip1.clone(),
|
2021-06-19 01:29:09 -07:00
|
|
|
layouter.namespace(|| "right"),
|
|
|
|
&right_bitstring,
|
|
|
|
)?;
|
|
|
|
|
2022-06-08 13:37:52 -07:00
|
|
|
let l_bitstring: Value<Vec<bool>> = l_bitstring.into_iter().collect();
|
|
|
|
let left_bitstring: Value<Vec<bool>> = left_bitstring.into_iter().collect();
|
|
|
|
let right_bitstring: Value<Vec<bool>> = right_bitstring.into_iter().collect();
|
2021-06-19 01:29:09 -07:00
|
|
|
|
|
|
|
// Witness expected parent
|
|
|
|
let expected_parent = {
|
2022-06-08 13:37:52 -07:00
|
|
|
let expected_parent = l_bitstring.zip(left_bitstring.zip(right_bitstring)).map(
|
|
|
|
|(l, (left, right))| {
|
|
|
|
let merkle_crh = sinsemilla::HashDomain::from_Q((*Q).into());
|
|
|
|
let point = merkle_crh
|
|
|
|
.hash_to_point(
|
|
|
|
l.into_iter()
|
|
|
|
.chain(left.into_iter())
|
|
|
|
.chain(right.into_iter()),
|
|
|
|
)
|
|
|
|
.unwrap();
|
|
|
|
point.to_affine()
|
|
|
|
},
|
|
|
|
);
|
2021-06-19 01:29:09 -07:00
|
|
|
|
2021-09-27 03:14:01 -07:00
|
|
|
NonIdentityPoint::new(
|
2021-06-05 01:28:52 -07:00
|
|
|
ecc_chip.clone(),
|
2021-06-19 01:29:09 -07:00
|
|
|
layouter.namespace(|| "Witness expected parent"),
|
|
|
|
expected_parent,
|
|
|
|
)?
|
|
|
|
};
|
|
|
|
|
|
|
|
// Parent
|
2021-06-15 06:19:26 -07:00
|
|
|
let (parent, _) = {
|
2021-06-19 01:29:09 -07:00
|
|
|
let message = Message::from_pieces(chip1, vec![l, left, right]);
|
|
|
|
merkle_crh.hash_to_point(layouter.namespace(|| "parent"), message)?
|
|
|
|
};
|
|
|
|
|
|
|
|
parent.constrain_equal(
|
|
|
|
layouter.namespace(|| "parent == expected parent"),
|
|
|
|
&expected_parent,
|
|
|
|
)?;
|
|
|
|
}
|
|
|
|
|
2021-06-05 01:28:52 -07:00
|
|
|
{
|
|
|
|
let chip2 = SinsemillaChip::construct(config.2);
|
|
|
|
|
2022-01-27 13:15:41 -08:00
|
|
|
let test_commit =
|
|
|
|
CommitDomain::new(chip2.clone(), ecc_chip.clone(), &TestCommitDomain);
|
2022-01-18 06:30:55 -08:00
|
|
|
let r_val = pallas::Scalar::random(rng);
|
2022-06-08 13:37:52 -07:00
|
|
|
let message: Vec<Value<bool>> = (0..500)
|
|
|
|
.map(|_| Value::known(rand::random::<bool>()))
|
|
|
|
.collect();
|
2021-06-05 01:28:52 -07:00
|
|
|
|
2021-06-15 06:19:26 -07:00
|
|
|
let (result, _) = {
|
2022-05-08 22:18:05 -07:00
|
|
|
let r = ScalarFixed::new(
|
|
|
|
ecc_chip.clone(),
|
|
|
|
layouter.namespace(|| "r"),
|
2022-06-08 13:37:52 -07:00
|
|
|
Value::known(r_val),
|
2022-05-08 22:18:05 -07:00
|
|
|
)?;
|
2021-07-08 22:33:57 -07:00
|
|
|
let message = Message::from_bitstring(
|
|
|
|
chip2,
|
|
|
|
layouter.namespace(|| "witness message"),
|
|
|
|
message.clone(),
|
|
|
|
)?;
|
2022-05-08 22:18:05 -07:00
|
|
|
test_commit.commit(layouter.namespace(|| "commit"), message, r)?
|
2021-07-08 22:33:57 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
// Witness expected result.
|
|
|
|
let expected_result = {
|
2022-06-08 13:37:52 -07:00
|
|
|
let message: Value<Vec<bool>> = message.into_iter().collect();
|
|
|
|
let expected_result = message.map(|message| {
|
2022-01-27 13:15:41 -08:00
|
|
|
let domain = sinsemilla::CommitDomain::new(PERSONALIZATION);
|
2021-07-08 22:33:57 -07:00
|
|
|
let point = domain.commit(message.into_iter(), &r_val).unwrap();
|
2022-06-08 13:37:52 -07:00
|
|
|
point.to_affine()
|
|
|
|
});
|
2021-07-08 22:33:57 -07:00
|
|
|
|
2021-09-27 03:14:01 -07:00
|
|
|
NonIdentityPoint::new(
|
2021-07-08 22:33:57 -07:00
|
|
|
ecc_chip,
|
|
|
|
layouter.namespace(|| "Witness expected result"),
|
|
|
|
expected_result,
|
|
|
|
)?
|
|
|
|
};
|
|
|
|
|
|
|
|
result.constrain_equal(
|
|
|
|
layouter.namespace(|| "result == expected result"),
|
|
|
|
&expected_result,
|
|
|
|
)
|
|
|
|
}
|
2021-06-19 01:29:09 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn sinsemilla_chip() {
|
|
|
|
let k = 11;
|
|
|
|
let circuit = MyCircuit {};
|
|
|
|
let prover = MockProver::run(k, &circuit, vec![]).unwrap();
|
|
|
|
assert_eq!(prover.verify(), Ok(()))
|
|
|
|
}
|
2021-06-20 03:51:33 -07:00
|
|
|
|
|
|
|
#[cfg(feature = "dev-graph")]
|
|
|
|
#[test]
|
|
|
|
fn print_sinsemilla_chip() {
|
|
|
|
use plotters::prelude::*;
|
|
|
|
|
|
|
|
let root =
|
|
|
|
BitMapBackend::new("sinsemilla-hash-layout.png", (1024, 7680)).into_drawing_area();
|
|
|
|
root.fill(&WHITE).unwrap();
|
|
|
|
let root = root.titled("SinsemillaHash", ("sans-serif", 60)).unwrap();
|
|
|
|
|
|
|
|
let circuit = MyCircuit {};
|
2022-01-27 15:28:02 -08:00
|
|
|
halo2_proofs::dev::CircuitLayout::default()
|
2021-07-26 05:54:27 -07:00
|
|
|
.render(11, &circuit, &root)
|
2021-07-08 18:56:27 -07:00
|
|
|
.unwrap();
|
2021-06-20 03:51:33 -07:00
|
|
|
}
|
2021-06-19 01:29:09 -07:00
|
|
|
}
|