halo2/src/primitives/sinsemilla/addition.rs

use std::ops::Add;

use group::{cofactor::CofactorCurveAffine, Group};
use pasta_curves::pallas;
use subtle::{ConstantTimeEq, CtOption};

/// P ∪ {⊥}
///
/// Simulated incomplete addition built over complete addition.
#[derive(Clone, Copy, Debug)]
pub(super) struct IncompletePoint(CtOption<pallas::Point>);

impl From<pallas::Point> for IncompletePoint {
    fn from(p: pallas::Point) -> Self {
        IncompletePoint(CtOption::new(p, 1.into()))
    }
}

impl From<IncompletePoint> for CtOption<pallas::Point> {
    fn from(p: IncompletePoint) -> Self {
        p.0
    }
}

impl Add for IncompletePoint {
    type Output = IncompletePoint;

    #[allow(clippy::suspicious_arithmetic_impl)]
    fn add(self, rhs: Self) -> Self::Output {
        // ⊥ ⊹ ⊥ = ⊥
        // ⊥ ⊹ P = ⊥
        IncompletePoint(self.0.and_then(|p| {
            // P ⊹ ⊥ = ⊥
            rhs.0.and_then(|q| {
                // 0 ⊹ 0 = ⊥
                // 0 ⊹ P = ⊥
                // P ⊹ 0 = ⊥
                // (x, y) ⊹ (x', y') = ⊥ if x == x'
                // (x, y) ⊹ (x', y') = (x, y) + (x', y') if x != x'
                CtOption::new(
                    p + q,
                    !(p.is_identity() | q.is_identity() | p.ct_eq(&q) | p.ct_eq(&-q)),
                )
            })
        }))
    }
}

impl Add<pallas::Point> for IncompletePoint {
    type Output = IncompletePoint;

    fn add(self, rhs: pallas::Point) -> Self::Output {
        self + IncompletePoint(CtOption::new(rhs, 1.into()))
    }
}

impl Add<pallas::Affine> for IncompletePoint {
    type Output = IncompletePoint;

    /// Specialisation of incomplete addition for mixed addition.
    fn add(self, rhs: pallas::Affine) -> Self::Output {
        // ⊥ ⊹ ⊥ = ⊥
        // ⊥ ⊹ P = ⊥
        IncompletePoint(self.0.and_then(|p| {
            // P ⊹ ⊥ = ⊥ is satisfied by definition.
            let q = rhs.to_curve();

            // 0 ⊹ 0 = ⊥
            // 0 ⊹ P = ⊥
            // P ⊹ 0 = ⊥
            // (x, y) ⊹ (x', y') = ⊥ if x == x'
            // (x, y) ⊹ (x', y') = (x, y) + (x', y') if x != x'
            CtOption::new(
                // Use mixed addition for efficiency.
                p + rhs,
                !(p.is_identity() | q.is_identity() | p.ct_eq(&q) | p.ct_eq(&-q)),
            )
        }))
    }
}
-												Simulate incomplete addition

Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.

											
										
										
											2021-04-19 15:02:59 -07:00
+								use std::ops::Add;
-												Use mixed addition for Sinsemilla bases

Performance improvements:
- MerkleCRH:  ~5%
- Commit^ivk: ~1%
- NoteCommit: ~3%

											
										
										
											2021-08-12 07:43:19 -07:00
+								use group::{cofactor::CofactorCurveAffine, Group};
-												Improve performance of IncompletePoint addition

We only need to track the occurrence of any edge cases, and we can do so
without expensive inversions at every addition step, by instead
performing the checks on the projective form directly.

											
										
										
											2021-04-21 16:59:55 -07:00
+								use pasta_curves::pallas;
-												Simulate incomplete addition

Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.

											
										
										
											2021-04-19 15:02:59 -07:00
+								use subtle::{ConstantTimeEq, CtOption};
 								/// P ∪ {⊥}
 								///
 								/// Simulated incomplete addition built over complete addition.
 								#[derive(Clone, Copy, Debug)]
 								pub(super) struct IncompletePoint(CtOption<pallas::Point>);
 								impl From<pallas::Point> for IncompletePoint {
 								    fn from(p: pallas::Point) -> Self {
 								        IncompletePoint(CtOption::new(p, 1.into()))
 								    }
 								}
 								impl From<IncompletePoint> for CtOption<pallas::Point> {
 								    fn from(p: IncompletePoint) -> Self {
 								        p.0
 								    }
 								}
 								impl Add for IncompletePoint {
 								    type Output = IncompletePoint;
-												clippy: Allow binary operators in IncompletePoint addition

It's not suspicious, it's constant time! :D

											
										
										
											2021-04-21 17:08:51 -07:00
+								    #[allow(clippy::suspicious_arithmetic_impl)]
-												Simulate incomplete addition

Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.

											
										
										
											2021-04-19 15:02:59 -07:00
+								    fn add(self, rhs: Self) -> Self::Output {
 								        // ⊥ ⊹ ⊥ = ⊥
 								        // ⊥ ⊹ P = ⊥
 								        IncompletePoint(self.0.and_then(|p| {
 								            // P ⊹ ⊥ = ⊥
 								            rhs.0.and_then(|q| {
 								                // 0 ⊹ 0 = ⊥
 								                // 0 ⊹ P = ⊥
-												Improve performance of IncompletePoint addition

We only need to track the occurrence of any edge cases, and we can do so
without expensive inversions at every addition step, by instead
performing the checks on the projective form directly.

											
										
										
											2021-04-21 16:59:55 -07:00
+								                // P ⊹ 0 = ⊥
 								                // (x, y) ⊹ (x', y') = ⊥ if x == x'
 								                // (x, y) ⊹ (x', y') = (x, y) + (x', y') if x != x'
 								                CtOption::new(
 								                    p + q,
 								                    !(p.is_identity() | q.is_identity() | p.ct_eq(&q) | p.ct_eq(&-q)),
 								                )
-												Simulate incomplete addition

Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.

											
										
										
											2021-04-19 15:02:59 -07:00
+								            })
 								        }))
 								    }
 								}
 								impl Add<pallas::Point> for IncompletePoint {
 								    type Output = IncompletePoint;
 								    fn add(self, rhs: pallas::Point) -> Self::Output {
 								        self + IncompletePoint(CtOption::new(rhs, 1.into()))
 								    }
 								}
-												Use mixed addition for Sinsemilla bases

Performance improvements:
- MerkleCRH:  ~5%
- Commit^ivk: ~1%
- NoteCommit: ~3%

											
										
										
											2021-08-12 07:43:19 -07:00
 								impl Add<pallas::Affine> for IncompletePoint {
 								    type Output = IncompletePoint;
 								    /// Specialisation of incomplete addition for mixed addition.
 								    fn add(self, rhs: pallas::Affine) -> Self::Output {
 								        // ⊥ ⊹ ⊥ = ⊥
 								        // ⊥ ⊹ P = ⊥
 								        IncompletePoint(self.0.and_then(|p| {
 								            // P ⊹ ⊥ = ⊥ is satisfied by definition.
 								            let q = rhs.to_curve();
 								            // 0 ⊹ 0 = ⊥
 								            // 0 ⊹ P = ⊥
 								            // P ⊹ 0 = ⊥
 								            // (x, y) ⊹ (x', y') = ⊥ if x == x'
 								            // (x, y) ⊹ (x', y') = (x, y) + (x', y') if x != x'
 								            CtOption::new(
 								                // Use mixed addition for efficiency.
 								                p + rhs,
 								                !(p.is_identity() | q.is_identity() | p.ct_eq(&q) | p.ct_eq(&-q)),
 								            )
 								        }))
 								    }
 								}