zec
/
halo2
mirror of https://github.com/zcash/halo2.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
halo2/src/circuit/gadget/ecc/chip.rs

473 lines
16 KiB
Rust
Raw Normal View History

ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
use super::{EccInstructions, FixedPoints};
mul::overflow.rs: Overflow check in variable-base scalar mul Simplify the canonicity check for variable-base scalar multiplication, by range-checking the low 130 bits rather than the low 127 bits. Signed-off-by: Daira Hopwood <daira@jacaranda.org> Co-authored-by: ying tong <yingtong@z.cash>
2021-06-13 06:06:34 -07:00
use crate::{
circuit::gadget::utilities::{
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
lookup_range_check::LookupRangeCheckConfig, UtilitiesInstructions,
mul::overflow.rs: Overflow check in variable-base scalar mul Simplify the canonicity check for variable-base scalar multiplication, by range-checking the low 130 bits rather than the low 127 bits. Signed-off-by: Daira Hopwood <daira@jacaranda.org> Co-authored-by: ying tong <yingtong@z.cash>
2021-06-13 06:06:34 -07:00
},
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
constants,
mul::overflow.rs: Overflow check in variable-base scalar mul Simplify the canonicity check for variable-base scalar multiplication, by range-checking the low 130 bits rather than the low 127 bits. Signed-off-by: Daira Hopwood <daira@jacaranda.org> Co-authored-by: ying tong <yingtong@z.cash>
2021-06-13 06:06:34 -07:00
primitives::sinsemilla,
};
ecc::chip.rs: Add EccScalarFixed, EccScalarFixedShort structs
2021-06-11 21:32:31 -07:00
use arrayvec::ArrayVec;
ecc::chip.rs: Use concrete pallas::Affine for Chip impl. The EccInstructions trait is still generic over C: CurveAffine; however, the EccChip implementation is specific to the pasta curves.
2021-06-11 15:29:05 -07:00
circuit: Use `Field::is_zero_vartime`
2021-12-01 04:59:37 -08:00
use ff::Field;
ecc::chip.rs: Use concrete pallas::Affine for Chip impl. The EccInstructions trait is still generic over C: CurveAffine; however, the EccChip implementation is specific to the pasta curves.
2021-06-11 15:29:05 -07:00
use group::prime::PrimeCurveAffine;
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
use halo2::{
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
circuit::{AssignedCell, Chip, Layouter},
mul_fixed::base_field_elem: Refactor base_field_elem::Config. This commit does not result in circuit changes.
2021-11-30 19:31:49 -08:00
plonk::{Advice, Column, ConstraintSystem, Error, Fixed},
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
};
ecc::chip.rs: Use concrete pallas::Affine for Chip impl. The EccInstructions trait is still generic over C: CurveAffine; however, the EccChip implementation is specific to the pasta curves.
2021-06-11 15:29:05 -07:00
use pasta_curves::{arithmetic::CurveAffine, pallas};
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
mul_fixed::base_field_elem: Refactor base_field_elem::Config. This commit does not result in circuit changes.
2021-11-30 19:31:49 -08:00
use std::convert::TryInto;
chip::add.rs: Implement complete addition instruction.
2021-06-04 23:13:56 -07:00
pub(super) mod add;
chip::add_incomplete.rs: Implement add_incomplete() instruction
2021-06-04 23:11:40 -07:00
pub(super) mod add_incomplete;
chip::mul.rs: Implement variable-base scalar mul instruction. This uses the complete addition instruction internally. The module is split up into mul::incomplete.rs and mul::complete.rs, where mul::incomplete handles the incomplete additions used in the starting rounds of the variable-base scalar mul algorithm, and mul::complete handles the complete additions in the final rounds. Incomplete additions are broken into "hi" and "lo" halves and processed on the same rows across different columns. This is an optimization to make full use of the advice columns in this instruction.
2021-06-04 23:17:43 -07:00
pub(super) mod mul;
chip::mul_fixed.rs: Implement fixed-base scalar mul instruction. Fixed-base scalar mul makes use of the add_incomplete and add instructions internally. The full-width and short signed share some common logic, which is captured in chip::mul_fixed.rs. The signed short variant introduces additional logic to handle the scalar's sign. This is done in the submodule mul_fixed::short.
2021-06-04 23:34:44 -07:00
pub(super) mod mul_fixed;
chip::witness_point.rs: Implement witness_point() instruction.
2021-06-04 23:08:51 -07:00
pub(super) mod witness_point;
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
ecc::chip.rs: Introduce NonIdentityEccPoint struct. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:40:21 -07:00
/// A curve point represented in affine (x, y) coordinates, or the
/// identity represented as (0, 0).
/// Each coordinate is assigned to a cell.
circuit: Remove `Copy` impl from `CellValue` We will be replacing it with `halo2::circuit::AssignedCell`, which does not impl `Copy`.
2021-12-01 04:51:33 -08:00
#[derive(Clone, Debug)]
ecc::chip.rs: Use concrete pallas::Affine for Chip impl. The EccInstructions trait is still generic over C: CurveAffine; however, the EccChip implementation is specific to the pasta curves.
2021-06-11 15:29:05 -07:00
pub struct EccPoint {
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
/// x-coordinate
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
x: AssignedCell<pallas::Base, pallas::Base>,
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
/// y-coordinate
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
y: AssignedCell<pallas::Base, pallas::Base>,
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
}
ecc::chip.rs: Use concrete pallas::Affine for Chip impl. The EccInstructions trait is still generic over C: CurveAffine; however, the EccChip implementation is specific to the pasta curves.
2021-06-11 15:29:05 -07:00
impl EccPoint {
ecc::chip.rs: Add Point::from_coordinates_unchecked() API Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-18 23:59:09 -07:00
/// Constructs a point from its coordinates, without checking they are on the curve.
///
/// This is an internal API that we only use where we know we have a valid curve point
/// (specifically inside Sinsemilla).
pub(in crate::circuit::gadget) fn from_coordinates_unchecked(
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
x: AssignedCell<pallas::Base, pallas::Base>,
y: AssignedCell<pallas::Base, pallas::Base>,
ecc::chip.rs: Add Point::from_coordinates_unchecked() API Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-18 23:59:09 -07:00
) -> Self {
EccPoint { x, y }
}
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
/// Returns the value of this curve point, if known.
ecc::chip.rs: Use concrete pallas::Affine for Chip impl. The EccInstructions trait is still generic over C: CurveAffine; however, the EccChip implementation is specific to the pasta curves.
2021-06-11 15:29:05 -07:00
pub fn point(&self) -> Option<pallas::Affine> {
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
match (self.x.value(), self.y.value()) {
(Some(x), Some(y)) => {
circuit: Use `Field::is_zero_vartime`
2021-12-01 04:59:37 -08:00
if x.is_zero_vartime() && y.is_zero_vartime() {
ecc::chip.rs: Use concrete pallas::Affine for Chip impl. The EccInstructions trait is still generic over C: CurveAffine; however, the EccChip implementation is specific to the pasta curves.
2021-06-11 15:29:05 -07:00
Some(pallas::Affine::identity())
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
} else {
Migrate to halo2 version with `AssignedCell` We change `CellValue` into a typedef of `AssignedCell` to simplify the migration in this commit. The migration from `CellValue` to `AssignedCell` requires several other changes: - `<CellValue as Var>::value()` returned `Option<F>`, whereas `AssignedCell::<F, F>::value()` returns `Option<&F>`. This means we need to dereference, use `Option::cloned`, or alter functions to take `&F` arguments. - `StateWord` in the Poseidon chip has been changed to a newtype around `AssignedCell` (the chip was written before `CellValue` existed).
2021-12-01 16:10:00 -08:00
Some(pallas::Affine::from_xy(*x, *y).unwrap())
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
}
}
_ => None,
}
}
ecc::chip.rs: Make EccPoint.x, EccPoint.y private fields Also add public getters x() and y(). Co-authored-by: Jack Grigg <jack@electriccoin.co> Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-10 20:24:12 -07:00
/// The cell containing the affine short-Weierstrass x-coordinate,
/// or 0 for the zero point.
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
pub fn x(&self) -> AssignedCell<pallas::Base, pallas::Base> {
circuit: Remove `Copy` impl from `CellValue` We will be replacing it with `halo2::circuit::AssignedCell`, which does not impl `Copy`.
2021-12-01 04:51:33 -08:00
self.x.clone()
ecc::chip.rs: Make EccPoint.x, EccPoint.y private fields Also add public getters x() and y(). Co-authored-by: Jack Grigg <jack@electriccoin.co> Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-10 20:24:12 -07:00
}
/// The cell containing the affine short-Weierstrass y-coordinate,
/// or 0 for the zero point.
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
pub fn y(&self) -> AssignedCell<pallas::Base, pallas::Base> {
circuit: Remove `Copy` impl from `CellValue` We will be replacing it with `halo2::circuit::AssignedCell`, which does not impl `Copy`.
2021-12-01 04:51:33 -08:00
self.y.clone()
ecc::chip.rs: Make EccPoint.x, EccPoint.y private fields Also add public getters x() and y(). Co-authored-by: Jack Grigg <jack@electriccoin.co> Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-10 20:24:12 -07:00
}
ecc::chip.rs: Introduce NonIdentityEccPoint struct. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:40:21 -07:00
Remove IsIdentity trait from public EccInstructions. We only need is_identity() in tests and can implement it on the concrete EccPoint type. This method is flagged off by #[cfg(test)]. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 09:39:41 -07:00
#[cfg(test)]
Replace is_identity() instruction with IsIdentity trait.
2021-09-28 03:00:11 -07:00
fn is_identity(&self) -> Option<bool> {
circuit: Use `Field::is_zero_vartime`
2021-12-01 04:59:37 -08:00
self.x.value().map(|x| x.is_zero_vartime())
ecc::chip.rs: Introduce NonIdentityEccPoint struct. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:40:21 -07:00
}
}
/// A non-identity point represented in affine (x, y) coordinates.
/// Each coordinate is assigned to a cell.
circuit: Remove `Copy` impl from `CellValue` We will be replacing it with `halo2::circuit::AssignedCell`, which does not impl `Copy`.
2021-12-01 04:51:33 -08:00
#[derive(Clone, Debug)]
ecc::chip.rs: Introduce NonIdentityEccPoint struct. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:40:21 -07:00
pub struct NonIdentityEccPoint {
/// x-coordinate
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
x: AssignedCell<pallas::Base, pallas::Base>,
ecc::chip.rs: Introduce NonIdentityEccPoint struct. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:40:21 -07:00
/// y-coordinate
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
y: AssignedCell<pallas::Base, pallas::Base>,
ecc::chip.rs: Introduce NonIdentityEccPoint struct. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:40:21 -07:00
}
impl NonIdentityEccPoint {
/// Constructs a point from its coordinates, without checking they are on the curve.
///
/// This is an internal API that we only use where we know we have a valid non-identity
/// curve point (specifically inside Sinsemilla).
pub(in crate::circuit::gadget) fn from_coordinates_unchecked(
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
x: AssignedCell<pallas::Base, pallas::Base>,
y: AssignedCell<pallas::Base, pallas::Base>,
ecc::chip.rs: Introduce NonIdentityEccPoint struct. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:40:21 -07:00
) -> Self {
NonIdentityEccPoint { x, y }
}
/// Returns the value of this curve point, if known.
pub fn point(&self) -> Option<pallas::Affine> {
match (self.x.value(), self.y.value()) {
(Some(x), Some(y)) => {
circuit: Use `Field::is_zero_vartime`
2021-12-01 04:59:37 -08:00
assert!(!x.is_zero_vartime() && !y.is_zero_vartime());
Migrate to halo2 version with `AssignedCell` We change `CellValue` into a typedef of `AssignedCell` to simplify the migration in this commit. The migration from `CellValue` to `AssignedCell` requires several other changes: - `<CellValue as Var>::value()` returned `Option<F>`, whereas `AssignedCell::<F, F>::value()` returns `Option<&F>`. This means we need to dereference, use `Option::cloned`, or alter functions to take `&F` arguments. - `StateWord` in the Poseidon chip has been changed to a newtype around `AssignedCell` (the chip was written before `CellValue` existed).
2021-12-01 16:10:00 -08:00
Some(pallas::Affine::from_xy(*x, *y).unwrap())
ecc::chip.rs: Introduce NonIdentityEccPoint struct. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:40:21 -07:00
}
_ => None,
}
}
/// The cell containing the affine short-Weierstrass x-coordinate.
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
pub fn x(&self) -> AssignedCell<pallas::Base, pallas::Base> {
circuit: Remove `Copy` impl from `CellValue` We will be replacing it with `halo2::circuit::AssignedCell`, which does not impl `Copy`.
2021-12-01 04:51:33 -08:00
self.x.clone()
ecc::chip.rs: Introduce NonIdentityEccPoint struct. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:40:21 -07:00
}
/// The cell containing the affine short-Weierstrass y-coordinate.
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
pub fn y(&self) -> AssignedCell<pallas::Base, pallas::Base> {
circuit: Remove `Copy` impl from `CellValue` We will be replacing it with `halo2::circuit::AssignedCell`, which does not impl `Copy`.
2021-12-01 04:51:33 -08:00
self.y.clone()
ecc::chip.rs: Introduce NonIdentityEccPoint struct. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:40:21 -07:00
}
}
impl From<NonIdentityEccPoint> for EccPoint {
fn from(non_id_point: NonIdentityEccPoint) -> Self {
Self {
x: non_id_point.x,
y: non_id_point.y,
}
}
}
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
/// Configuration for the ECC chip
#[derive(Clone, Debug, Eq, PartialEq)]
#[allow(non_snake_case)]
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
pub struct EccConfig<FixedPoints: super::FixedPoints<pallas::Affine>> {
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
/// Advice columns needed by instructions in the ECC chip.
pub advices: [Column<Advice>; 10],
/// Incomplete addition
chip::add_incomplete: Refactor add_incomplete::Config. This is also used in mul_fixed.
2021-11-30 10:29:52 -08:00
add_incomplete: add_incomplete::Config,
mul::overflow.rs: Overflow check in variable-base scalar mul Simplify the canonicity check for variable-base scalar multiplication, by range-checking the low 130 bits rather than the low 127 bits. Signed-off-by: Daira Hopwood <daira@jacaranda.org> Co-authored-by: ying tong <yingtong@z.cash>
2021-06-13 06:06:34 -07:00
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
/// Complete addition
chip::add: Refactor add::Config. This is also used in mul and mul_fixed.
2021-11-30 10:41:02 -08:00
add: add::Config,
mul::overflow.rs: Overflow check in variable-base scalar mul Simplify the canonicity check for variable-base scalar multiplication, by range-checking the low 130 bits rather than the low 127 bits. Signed-off-by: Daira Hopwood <daira@jacaranda.org> Co-authored-by: ying tong <yingtong@z.cash>
2021-06-13 06:06:34 -07:00
chip::mul: Refactor mul::Config. This commit does not introduce additional circuit changes.
2021-11-30 12:41:57 -08:00
/// Variable-base scalar multiplication
mul: mul::Config,
mul::overflow.rs: Overflow check in variable-base scalar mul Simplify the canonicity check for variable-base scalar multiplication, by range-checking the low 130 bits rather than the low 127 bits. Signed-off-by: Daira Hopwood <daira@jacaranda.org> Co-authored-by: ying tong <yingtong@z.cash>
2021-06-13 06:06:34 -07:00
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
/// Fixed-base full-width scalar multiplication
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
mul_fixed_full: mul_fixed::full_width::Config<FixedPoints>,
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
/// Fixed-base signed short scalar multiplication
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
mul_fixed_short: mul_fixed::short::Config<FixedPoints>,
mul_fixed::base_field_elem: Refactor base_field_elem::Config. This commit does not result in circuit changes.
2021-11-30 19:31:49 -08:00
/// Fixed-base mul using a base field element as a scalar
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
mul_fixed_base_field: mul_fixed::base_field_elem::Config<FixedPoints>,
mul::overflow.rs: Overflow check in variable-base scalar mul Simplify the canonicity check for variable-base scalar multiplication, by range-checking the low 130 bits rather than the low 127 bits. Signed-off-by: Daira Hopwood <daira@jacaranda.org> Co-authored-by: ying tong <yingtong@z.cash>
2021-06-13 06:06:34 -07:00
chip::witness_point: Refactor witness_point::Config.
2021-11-30 10:47:52 -08:00
/// Witness point
witness_point: witness_point::Config,
ecc::chip.rs: Introduce circuit-wide "constants" fixed column At certain points in the circuit, we need to constrain cells in advice columns to equal a fixed constant. Instead of defining a new fixed column for each constant, we pass around a single shared by all chips, that is included in the permutation over all advice columns. This lets us load all needed constants into a single column and directly constrain advice cells with an equality constraint.
2021-06-19 04:08:46 -07:00
mul_fixed::base_field_elem: Use decompose_running_sum helper.
2021-07-09 17:50:07 -07:00
/// Lookup range check using 10-bit lookup table
mul::overflow.rs: Overflow check in variable-base scalar mul Simplify the canonicity check for variable-base scalar multiplication, by range-checking the low 130 bits rather than the low 127 bits. Signed-off-by: Daira Hopwood <daira@jacaranda.org> Co-authored-by: ying tong <yingtong@z.cash>
2021-06-13 06:06:34 -07:00
pub lookup_config: LookupRangeCheckConfig<pallas::Base, { sinsemilla::K }>,
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
}
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
/// Returns information about a fixed point.
///
/// TODO: When associated consts can be used as const generics, introduce a
/// `const NUM_WINDOWS: usize` associated const, and return `NUM_WINDOWS`-sized
/// arrays instead of `Vec`s.
pub trait FixedPoint<C: CurveAffine>: std::fmt::Debug + Eq + Clone {
fn generator(&self) -> C;
fn u(&self) -> Vec<[[u8; 32]; constants::H]>;
fn z(&self) -> Vec<u64>;
fn lagrange_coeffs(&self) -> Vec<[C::Base; constants::H]>;
}
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
/// A chip implementing EccInstructions
#[derive(Clone, Debug, Eq, PartialEq)]
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
pub struct EccChip<FixedPoints: super::FixedPoints<pallas::Affine>> {
config: EccConfig<FixedPoints>,
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
}
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
impl<FixedPoints: super::FixedPoints<pallas::Affine>> Chip<pallas::Base> for EccChip<FixedPoints> {
type Config = EccConfig<FixedPoints>;
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
type Loaded = ();
fn config(&self) -> &Self::Config {
&self.config
}
fn loaded(&self) -> &Self::Loaded {
&()
}
}
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
impl<Fixed: super::FixedPoints<pallas::Affine>> UtilitiesInstructions<pallas::Base>
for EccChip<Fixed>
{
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
type Var = AssignedCell<pallas::Base, pallas::Base>;
gadget::ecc.rs: Bound EccInstructions on UtilitiesInstructions.
2021-07-09 18:09:26 -07:00
}
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
impl<FixedPoints: super::FixedPoints<pallas::Affine>> EccChip<FixedPoints> {
ecc::chip.rs: Use concrete pallas::Affine for Chip impl. The EccInstructions trait is still generic over C: CurveAffine; however, the EccChip implementation is specific to the pasta curves.
2021-06-11 15:29:05 -07:00
pub fn construct(config: <Self as Chip<pallas::Base>>::Config) -> Self {
ecc::chip.rs: Bound EccConfig on <C: CurveAffine>.
2021-06-10 10:09:04 -07:00
Self { config }
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
}
Migrate to latest `halo2` API - `halo2::plonk::{create_proof, verify_proof}` now take instance columns as slices of values. - `halo2::plonk::Permutation` has been replaced by a global permutation, to which columns can be added with `ConstraintSystem::enable_equality`. - The introduction of blinding rows means that various tests now require larger circuit parameters.
2021-07-15 04:52:15 -07:00
/// # Side effects
///
Minor refactors, text fixes, and docfixes. Co-authored-by: Jack Grigg <jack@electriccoin.co> Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-22 07:14:34 -07:00
/// All columns in `advices` will be equality-enabled.
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
#[allow(non_snake_case)]
pub fn configure(
ecc::chip.rs: Use concrete pallas::Affine for Chip impl. The EccInstructions trait is still generic over C: CurveAffine; however, the EccChip implementation is specific to the pasta curves.
2021-06-11 15:29:05 -07:00
meta: &mut ConstraintSystem<pallas::Base>,
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
advices: [Column<Advice>; 10],
Optimise location of Poseidon within Action circuit - Move Poseidon into the right-hand advice columns. The Action circuit has 33 Sinsemilla invocations with 510-bit inputs (the 32 Merkle path hashes, and Commit^ivk). Poseidon fits within the row count of one of these invocations, so we can run it in parallel with these. - Share fixed columns between ECC and Poseidon chips. Poseidon requires four advice columns, while ECC incomplete addition requires six, so we could choose to configure them in parallel. However, we only use a single Poseidon invocation, and we have the rows to accomodate it serially with fixed-base scalar mul. Sharing the ECC chip's 8 Lagrange coefficient fixed columns instead reduces the proof size. - We position Poseidon in the right-most 6 fixed columns, anticipating a further optimisation to Sinsemilla that will occupy the left-most 2 fixed columns.
2021-07-21 04:13:47 -07:00
lagrange_coeffs: [Column<Fixed>; 8],
De-duplicate LookupRangeCheckConfig We were configuring multiple instances of this across all of the advice columns, in order to spread their assignments. However, we are actually more constrained by columns than rows, and we have comparatively few rows of range check logic required for the Action circuit. We now use a single LookupRangeCheckConfig for the entire circuit. The reduction in lookup arguments and fixed columns cuts the proof size in half (now at 6048 bytes when using `floor_planner::V1`). Co-authored-by: therealyingtong <yingtong@z.cash>
2021-07-21 07:59:08 -07:00
range_check: LookupRangeCheckConfig<pallas::Base, { sinsemilla::K }>,
ecc::chip.rs: Use concrete pallas::Affine for Chip impl. The EccInstructions trait is still generic over C: CurveAffine; however, the EccChip implementation is specific to the pasta curves.
2021-06-11 15:29:05 -07:00
) -> <Self as Chip<pallas::Base>>::Config {
chip::witness_point: Refactor witness_point::Config.
2021-11-30 10:47:52 -08:00
// Create witness point gate
let witness_point = witness_point::Config::configure(meta, advices[0], advices[1]);
chip::add_incomplete: Refactor add_incomplete::Config. This is also used in mul_fixed.
2021-11-30 10:29:52 -08:00
// Create incomplete point addition gate
let add_incomplete =
add_incomplete::Config::configure(meta, advices[0], advices[1], advices[2], advices[3]);
chip::witness_point: Refactor witness_point::Config.
2021-11-30 10:47:52 -08:00
chip::add: Refactor add::Config. This is also used in mul and mul_fixed.
2021-11-30 10:41:02 -08:00
// Create complete point addition gate
let add = add::Config::configure(
meta, advices[0], advices[1], advices[2], advices[3], advices[4], advices[5],
advices[6], advices[7], advices[8],
);
chip::mul: Refactor mul::Config. This commit does not introduce additional circuit changes.
2021-11-30 12:41:57 -08:00
// Create variable-base scalar mul gates
let mul = mul::Config::configure(meta, add, range_check, advices);
mul::incomplete: Refactor incomplete::Config. This is only used in chip::mul::Config. In a subsequent commit, this will be configured from mul::Config instead of from ecc::chip::Config. This commit does not result in circuit changes.
2021-11-30 12:59:29 -08:00
chip::mul_fixed: Refactor mul_fixed::Config. This commit does not introduce circuit changes.
2021-12-03 08:51:59 -08:00
// Create config that is shared across short, base-field, and full-width
// fixed-base scalar mul.
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
let mul_fixed = mul_fixed::Config::<FixedPoints>::configure(
chip::mul_fixed: Refactor mul_fixed::Config. This commit does not introduce circuit changes.
2021-12-03 08:51:59 -08:00
meta,
lagrange_coeffs,
advices[4],
advices[0],
advices[1],
advices[5],
add,
add_incomplete,
);
mul_fixed::full_width: Refactor full_width::Config. This commit does not result in circuit changes.
2021-11-30 19:15:19 -08:00
// Create gate that is only used in full-width fixed-base scalar mul.
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
let mul_fixed_full =
mul_fixed::full_width::Config::<FixedPoints>::configure(meta, mul_fixed.clone());
mul_fixed::full_width: Refactor full_width::Config. This commit does not result in circuit changes.
2021-11-30 19:15:19 -08:00
mul_fixed::short: Refactor short::Config. This commit does not result in circuit changes.
2021-11-30 19:20:24 -08:00
// Create gate that is only used in short fixed-base scalar mul.
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
let mul_fixed_short =
mul_fixed::short::Config::<FixedPoints>::configure(meta, mul_fixed.clone());
mul_fixed::short: Refactor short::Config. This commit does not result in circuit changes.
2021-11-30 19:20:24 -08:00
mul_fixed::base_field_elem: Refactor base_field_elem::Config. This commit does not result in circuit changes.
2021-11-30 19:31:49 -08:00
// Create gate that is only used in fixed-base mul using a base field element.
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
let mul_fixed_base_field = mul_fixed::base_field_elem::Config::<FixedPoints>::configure(
mul_fixed::base_field_elem: Refactor base_field_elem::Config. This commit does not result in circuit changes.
2021-11-30 19:31:49 -08:00
meta,
advices[6..9].try_into().unwrap(),
range_check,
mul_fixed,
);
ecc::chip: Remove chip-level permutation. We have now refactored away from the impl From<EccConfig> pattern so that each sub-config can equality-enable the columns they need.
2021-11-30 19:37:12 -08:00
EccConfig {
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
advices,
chip::add_incomplete: Refactor add_incomplete::Config. This is also used in mul_fixed.
2021-11-30 10:29:52 -08:00
add_incomplete,
chip::add: Refactor add::Config. This is also used in mul and mul_fixed.
2021-11-30 10:41:02 -08:00
add,
chip::mul: Refactor mul::Config. This commit does not introduce additional circuit changes.
2021-11-30 12:41:57 -08:00
mul,
mul_fixed::full_width: Refactor full_width::Config. This commit does not result in circuit changes.
2021-11-30 19:15:19 -08:00
mul_fixed_full,
mul_fixed::short: Refactor short::Config. This commit does not result in circuit changes.
2021-11-30 19:20:24 -08:00
mul_fixed_short,
mul_fixed::base_field_elem: Refactor base_field_elem::Config. This commit does not result in circuit changes.
2021-11-30 19:31:49 -08:00
mul_fixed_base_field,
chip::witness_point: Refactor witness_point::Config.
2021-11-30 10:47:52 -08:00
witness_point,
De-duplicate LookupRangeCheckConfig We were configuring multiple instances of this across all of the advice columns, in order to spread their assignments. However, we are actually more constrained by columns than rows, and we have comparatively few rows of range check logic required for the Action circuit. We now use a single LookupRangeCheckConfig for the entire circuit. The reduction in lookup arguments and fixed columns cuts the proof size in half (now at 6048 bytes when using `floor_planner::V1`). Co-authored-by: therealyingtong <yingtong@z.cash>
2021-07-21 07:59:08 -07:00
lookup_config: range_check,
ecc::chip: Remove chip-level permutation. We have now refactored away from the impl From<EccConfig> pattern so that each sub-config can equality-enable the columns they need.
2021-11-30 19:37:12 -08:00
}
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
}
}
ecc::chip.rs: Add EccScalarFixed, EccScalarFixedShort structs
2021-06-11 21:32:31 -07:00
/// A full-width scalar used for fixed-base scalar multiplication.
base_field_elem.rs: Support fixed-base mul using base field element. In Orchard nullifier derivation, we multiply the fixed base K^Orchard by a value encoded as a base field element. This commit introduces an API that allows using a base field element as the "scalar" in fixed-base scalar multiplication. The API currently assumes that the base field element is output by another instruction (i.e. there is no instruction to directly witness it).
2021-06-18 02:41:13 -07:00
/// This is decomposed into 85 3-bit windows in little-endian order,
/// i.e. `windows` = [k_0, k_1, ..., k_84] (for a 255-bit scalar)
/// where `scalar = k_0 + k_1 * (2^3) + ... + k_84 * (2^3)^84` and
/// each `k_i` is in the range [0..2^3).
ecc::chip.rs: Add EccScalarFixed, EccScalarFixedShort structs
2021-06-11 21:32:31 -07:00
#[derive(Clone, Debug)]
pub struct EccScalarFixed {
value: Option<pallas::Scalar>,
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
windows: ArrayVec<AssignedCell<pallas::Base, pallas::Base>, { constants::NUM_WINDOWS }>,
ecc::chip.rs: Add EccScalarFixed, EccScalarFixedShort structs
2021-06-11 21:32:31 -07:00
}
ecc::chip: Define a `MagnitudeSign` type alias This fixes some "complex type" clippy lints, and also will make it easier to change it to a better-typed struct later.
2021-12-07 18:16:59 -08:00
// TODO: Make V a `u64`
type MagnitudeCell = AssignedCell<pallas::Base, pallas::Base>;
// TODO: Make V an enum Sign { Positive, Negative }
type SignCell = AssignedCell<pallas::Base, pallas::Base>;
type MagnitudeSign = (MagnitudeCell, SignCell);
ecc::chip.rs: Add EccScalarFixed, EccScalarFixedShort structs
2021-06-11 21:32:31 -07:00
/// A signed short scalar used for fixed-base scalar multiplication.
base_field_elem.rs: Support fixed-base mul using base field element. In Orchard nullifier derivation, we multiply the fixed base K^Orchard by a value encoded as a base field element. This commit introduces an API that allows using a base field element as the "scalar" in fixed-base scalar multiplication. The API currently assumes that the base field element is output by another instruction (i.e. there is no instruction to directly witness it).
2021-06-18 02:41:13 -07:00
/// A short scalar must have magnitude in the range [0..2^64), with
/// a sign of either 1 or -1.
Minor refactors, cleanups, clippy fixes, docfixes. Co-authored-by: Daira Hopwood <daira@jacaranda.org> Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 22:14:53 -07:00
/// This is decomposed into 3-bit windows in little-endian order
/// using a running sum `z`, where z_{i+1} = (z_i - a_i) / (2^3)
/// for element α = a_0 + (2^3) a_1 + ... + (2^{3(n-1)}) a_{n-1}.
/// Each `a_i` is in the range [0..2^3).
///
/// `windows` = [k_0, k_1, ..., k_21] (for a 64-bit magnitude)
base_field_elem.rs: Support fixed-base mul using base field element. In Orchard nullifier derivation, we multiply the fixed base K^Orchard by a value encoded as a base field element. This commit introduces an API that allows using a base field element as the "scalar" in fixed-base scalar multiplication. The API currently assumes that the base field element is output by another instruction (i.e. there is no instruction to directly witness it).
2021-06-18 02:41:13 -07:00
/// where `scalar = k_0 + k_1 * (2^3) + ... + k_84 * (2^3)^84` and
/// each `k_i` is in the range [0..2^3).
/// k_21 must be a single bit, i.e. 0 or 1.
ecc::chip.rs: Add EccScalarFixed, EccScalarFixedShort structs
2021-06-11 21:32:31 -07:00
#[derive(Clone, Debug)]
pub struct EccScalarFixedShort {
ecc::chip: Define a `MagnitudeSign` type alias This fixes some "complex type" clippy lints, and also will make it easier to change it to a better-typed struct later.
2021-12-07 18:16:59 -08:00
magnitude: MagnitudeCell,
sign: SignCell,
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
running_sum:
ArrayVec<AssignedCell<pallas::Base, pallas::Base>, { constants::NUM_WINDOWS_SHORT + 1 }>,
ecc::chip.rs: Add EccScalarFixed, EccScalarFixedShort structs
2021-06-11 21:32:31 -07:00
}
base_field_elem.rs: Support fixed-base mul using base field element. In Orchard nullifier derivation, we multiply the fixed base K^Orchard by a value encoded as a base field element. This commit introduces an API that allows using a base field element as the "scalar" in fixed-base scalar multiplication. The API currently assumes that the base field element is output by another instruction (i.e. there is no instruction to directly witness it).
2021-06-18 02:41:13 -07:00
/// A base field element used for fixed-base scalar multiplication.
/// This is decomposed into 3-bit windows in little-endian order
/// using a running sum `z`, where z_{i+1} = (z_i - a_i) / (2^3)
/// for element α = a_0 + (2^3) a_1 + ... + (2^{3(n-1)}) a_{n-1}.
/// Each `a_i` is in the range [0..2^3).
///
Return full running sum [z_0, ..., z_W] from lookup_range_check and decompose_running_sum. Previously, these two helpers were returning different outputs. They have now been standardised to return only the full running sum. Note the z_0 is the original element being decomposed by the helper.
2021-07-24 08:54:54 -07:00
/// `running_sum` = [z_0, ..., z_85], where we expect z_85 = 0.
Cleanups and clippy fixes. Co-authored-by: Jack Grigg <jack@electriccoin.co> Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-03 01:49:15 -07:00
/// Since z_0 is initialized as the scalar α, we store it as
/// `base_field_elem`.
base_field_elem.rs: Support fixed-base mul using base field element. In Orchard nullifier derivation, we multiply the fixed base K^Orchard by a value encoded as a base field element. This commit introduces an API that allows using a base field element as the "scalar" in fixed-base scalar multiplication. The API currently assumes that the base field element is output by another instruction (i.e. there is no instruction to directly witness it).
2021-06-18 02:41:13 -07:00
#[derive(Clone, Debug)]
struct EccBaseFieldElemFixed {
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
base_field_elem: AssignedCell<pallas::Base, pallas::Base>,
running_sum: ArrayVec<AssignedCell<pallas::Base, pallas::Base>, { constants::NUM_WINDOWS + 1 }>,
base_field_elem.rs: Support fixed-base mul using base field element. In Orchard nullifier derivation, we multiply the fixed base K^Orchard by a value encoded as a base field element. This commit introduces an API that allows using a base field element as the "scalar" in fixed-base scalar multiplication. The API currently assumes that the base field element is output by another instruction (i.e. there is no instruction to directly witness it).
2021-06-18 02:41:13 -07:00
}
impl EccBaseFieldElemFixed {
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
fn base_field_elem(&self) -> AssignedCell<pallas::Base, pallas::Base> {
circuit: Remove `Copy` impl from `CellValue` We will be replacing it with `halo2::circuit::AssignedCell`, which does not impl `Copy`.
2021-12-01 04:51:33 -08:00
self.base_field_elem.clone()
base_field_elem.rs: Support fixed-base mul using base field element. In Orchard nullifier derivation, we multiply the fixed base K^Orchard by a value encoded as a base field element. This commit introduces an API that allows using a base field element as the "scalar" in fixed-base scalar multiplication. The API currently assumes that the base field element is output by another instruction (i.e. there is no instruction to directly witness it).
2021-06-18 02:41:13 -07:00
}
}
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
impl<Fixed: FixedPoints<pallas::Affine>> EccInstructions<pallas::Affine> for EccChip<Fixed>
where
<Fixed as FixedPoints<pallas::Affine>>::Base: FixedPoint<pallas::Affine>,
<Fixed as FixedPoints<pallas::Affine>>::FullScalar: FixedPoint<pallas::Affine>,
<Fixed as FixedPoints<pallas::Affine>>::ShortScalar: FixedPoint<pallas::Affine>,
{
ecc::chip.rs: Add EccScalarFixed, EccScalarFixedShort structs
2021-06-11 21:32:31 -07:00
type ScalarFixed = EccScalarFixed;
type ScalarFixedShort = EccScalarFixedShort;
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
type ScalarVar = AssignedCell<pallas::Base, pallas::Base>;
ecc::chip.rs: Use concrete pallas::Affine for Chip impl. The EccInstructions trait is still generic over C: CurveAffine; however, the EccChip implementation is specific to the pasta curves.
2021-06-11 15:29:05 -07:00
type Point = EccPoint;
chip::witness_point.rs: Constraints for non-identity point. The point_non_id() method returns an error if the given point is the identity. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:44:43 -07:00
type NonIdentityPoint = NonIdentityEccPoint;
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
type X = AssignedCell<pallas::Base, pallas::Base>;
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
type FixedPoints = Fixed;
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
gadget::ecc.rs: Add EccInstructions::constrain_equal() instruction. This allows us to constrain two points to be equal in value at the gadget level. Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 06:26:30 -07:00
fn constrain_equal(
&self,
layouter: &mut impl Layouter<pallas::Base>,
a: &Self::Point,
b: &Self::Point,
) -> Result<(), Error> {
layouter.assign_region(
|| "constrain equal",
|mut region| {
// Constrain x-coordinates
Migrate to latest `halo2` API - `halo2::plonk::{create_proof, verify_proof}` now take instance columns as slices of values. - `halo2::plonk::Permutation` has been replaced by a global permutation, to which columns can be added with `ConstraintSystem::enable_equality`. - The introduction of blinding rows means that various tests now require larger circuit parameters.
2021-07-15 04:52:15 -07:00
region.constrain_equal(a.x().cell(), b.x().cell())?;
gadget::ecc.rs: Add EccInstructions::constrain_equal() instruction. This allows us to constrain two points to be equal in value at the gadget level. Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 06:26:30 -07:00
// Constrain x-coordinates
Migrate to latest `halo2` API - `halo2::plonk::{create_proof, verify_proof}` now take instance columns as slices of values. - `halo2::plonk::Permutation` has been replaced by a global permutation, to which columns can be added with `ConstraintSystem::enable_equality`. - The introduction of blinding rows means that various tests now require larger circuit parameters.
2021-07-15 04:52:15 -07:00
region.constrain_equal(a.y().cell(), b.y().cell())
gadget::ecc.rs: Add EccInstructions::constrain_equal() instruction. This allows us to constrain two points to be equal in value at the gadget level. Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 06:26:30 -07:00
},
)
}
Reintroduce Point::new() API and constraints. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 08:56:33 -07:00
fn witness_point(
&self,
layouter: &mut impl Layouter<pallas::Base>,
value: Option<pallas::Affine>,
) -> Result<Self::Point, Error> {
chip::witness_point: Refactor witness_point::Config.
2021-11-30 10:47:52 -08:00
let config = self.config().witness_point;
Reintroduce Point::new() API and constraints. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 08:56:33 -07:00
layouter.assign_region(
|| "witness point",
|mut region| config.point(value, 0, &mut region),
)
}
chip::witness_point.rs: Constraints for non-identity point. The point_non_id() method returns an error if the given point is the identity. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:44:43 -07:00
fn witness_point_non_id(
&self,
layouter: &mut impl Layouter<pallas::Base>,
value: Option<pallas::Affine>,
) -> Result<Self::NonIdentityPoint, Error> {
chip::witness_point: Refactor witness_point::Config.
2021-11-30 10:47:52 -08:00
let config = self.config().witness_point;
chip::witness_point.rs: Constraints for non-identity point. The point_non_id() method returns an error if the given point is the identity. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:44:43 -07:00
layouter.assign_region(
|| "witness non-identity point",
|mut region| config.point_non_id(value, 0, &mut region),
)
}
fn extract_p<Point: Into<Self::Point> + Clone>(point: &Point) -> Self::X {
let point: EccPoint = (point.clone()).into();
point.x()
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
}
fn add_incomplete(
&self,
ecc::chip.rs: Use concrete pallas::Affine for Chip impl. The EccInstructions trait is still generic over C: CurveAffine; however, the EccChip implementation is specific to the pasta curves.
2021-06-11 15:29:05 -07:00
layouter: &mut impl Layouter<pallas::Base>,
chip::witness_point.rs: Constraints for non-identity point. The point_non_id() method returns an error if the given point is the identity. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:44:43 -07:00
a: &Self::NonIdentityPoint,
b: &Self::NonIdentityPoint,
) -> Result<Self::NonIdentityPoint, Error> {
chip::add_incomplete: Refactor add_incomplete::Config. This is also used in mul_fixed.
2021-11-30 10:29:52 -08:00
let config = self.config().add_incomplete;
chip::add_incomplete.rs: Implement add_incomplete() instruction
2021-06-04 23:11:40 -07:00
layouter.assign_region(
|| "incomplete point addition",
|mut region| config.assign_region(a, b, 0, &mut region),
)
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
}
chip::witness_point.rs: Constraints for non-identity point. The point_non_id() method returns an error if the given point is the identity. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:44:43 -07:00
fn add<A: Into<Self::Point> + Clone, B: Into<Self::Point> + Clone>(
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
&self,
ecc::chip.rs: Use concrete pallas::Affine for Chip impl. The EccInstructions trait is still generic over C: CurveAffine; however, the EccChip implementation is specific to the pasta curves.
2021-06-11 15:29:05 -07:00
layouter: &mut impl Layouter<pallas::Base>,
chip::witness_point.rs: Constraints for non-identity point. The point_non_id() method returns an error if the given point is the identity. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:44:43 -07:00
a: &A,
b: &B,
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
) -> Result<Self::Point, Error> {
chip::add: Refactor add::Config. This is also used in mul and mul_fixed.
2021-11-30 10:41:02 -08:00
let config = self.config().add;
chip::add.rs: Implement complete addition instruction.
2021-06-04 23:13:56 -07:00
layouter.assign_region(
|| "complete point addition",
chip::witness_point.rs: Constraints for non-identity point. The point_non_id() method returns an error if the given point is the identity. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:44:43 -07:00
|mut region| {
config.assign_region(&(a.clone()).into(), &(b.clone()).into(), 0, &mut region)
},
chip::add.rs: Implement complete addition instruction.
2021-06-04 23:13:56 -07:00
)
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
}
fn mul(
&self,
chip::mul.rs: Implement variable-base scalar mul instruction. This uses the complete addition instruction internally. The module is split up into mul::incomplete.rs and mul::complete.rs, where mul::incomplete handles the incomplete additions used in the starting rounds of the variable-base scalar mul algorithm, and mul::complete handles the complete additions in the final rounds. Incomplete additions are broken into "hi" and "lo" halves and processed on the same rows across different columns. This is an optimization to make full use of the advice columns in this instruction.
2021-06-04 23:17:43 -07:00
layouter: &mut impl Layouter<pallas::Base>,
gadget::ecc.rs: Inline witness_scalar_* APIs. Witness a scalar in the region where it is used for multiplication, instead of witnessing it separately and then copying it in.
2021-07-09 22:19:42 -07:00
scalar: &Self::Var,
chip::witness_point.rs: Constraints for non-identity point. The point_non_id() method returns an error if the given point is the identity. Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-27 01:44:43 -07:00
base: &Self::NonIdentityPoint,
gadget::ecc.rs: Inline witness_scalar_* APIs. Witness a scalar in the region where it is used for multiplication, instead of witnessing it separately and then copying it in.
2021-07-09 22:19:42 -07:00
) -> Result<(Self::Point, Self::ScalarVar), Error> {
chip::mul: Refactor mul::Config. This commit does not introduce additional circuit changes.
2021-11-30 12:41:57 -08:00
let config = self.config().mul;
mul::overflow.rs: Overflow check in variable-base scalar mul Simplify the canonicity check for variable-base scalar multiplication, by range-checking the low 130 bits rather than the low 127 bits. Signed-off-by: Daira Hopwood <daira@jacaranda.org> Co-authored-by: ying tong <yingtong@z.cash>
2021-06-13 06:06:34 -07:00
config.assign(
layouter.namespace(|| "variable-base scalar mul"),
circuit: Remove `Copy` impl from `CellValue` We will be replacing it with `halo2::circuit::AssignedCell`, which does not impl `Copy`.
2021-12-01 04:51:33 -08:00
scalar.clone(),
mul::overflow.rs: Overflow check in variable-base scalar mul Simplify the canonicity check for variable-base scalar multiplication, by range-checking the low 130 bits rather than the low 127 bits. Signed-off-by: Daira Hopwood <daira@jacaranda.org> Co-authored-by: ying tong <yingtong@z.cash>
2021-06-13 06:06:34 -07:00
base,
chip::mul.rs: Implement variable-base scalar mul instruction. This uses the complete addition instruction internally. The module is split up into mul::incomplete.rs and mul::complete.rs, where mul::incomplete handles the incomplete additions used in the starting rounds of the variable-base scalar mul algorithm, and mul::complete handles the complete additions in the final rounds. Incomplete additions are broken into "hi" and "lo" halves and processed on the same rows across different columns. This is an optimization to make full use of the advice columns in this instruction.
2021-06-04 23:17:43 -07:00
)
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
}
fn mul_fixed(
&self,
chip::mul_fixed.rs: Implement fixed-base scalar mul instruction. Fixed-base scalar mul makes use of the add_incomplete and add instructions internally. The full-width and short signed share some common logic, which is captured in chip::mul_fixed.rs. The signed short variant introduces additional logic to handle the scalar's sign. This is done in the submodule mul_fixed::short.
2021-06-04 23:34:44 -07:00
layouter: &mut impl Layouter<pallas::Base>,
gadget::ecc.rs: Inline witness_scalar_* APIs. Witness a scalar in the region where it is used for multiplication, instead of witnessing it separately and then copying it in.
2021-07-09 22:19:42 -07:00
scalar: Option<pallas::Scalar>,
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
base: &<Self::FixedPoints as FixedPoints<pallas::Affine>>::FullScalar,
gadget::ecc.rs: Inline witness_scalar_* APIs. Witness a scalar in the region where it is used for multiplication, instead of witnessing it separately and then copying it in.
2021-07-09 22:19:42 -07:00
) -> Result<(Self::Point, Self::ScalarFixed), Error> {
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
let config = self.config().mul_fixed_full.clone();
Update mul_fixed_* APIs to take Layouter instead of Region. These APIs are not called internally.
2021-07-06 20:26:32 -07:00
config.assign(
layouter.namespace(|| format!("fixed-base mul of {:?}", base)),
scalar,
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
base,
chip::mul_fixed.rs: Implement fixed-base scalar mul instruction. Fixed-base scalar mul makes use of the add_incomplete and add instructions internally. The full-width and short signed share some common logic, which is captured in chip::mul_fixed.rs. The signed short variant introduces additional logic to handle the scalar's sign. This is done in the submodule mul_fixed::short.
2021-06-04 23:34:44 -07:00
)
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
}
fn mul_fixed_short(
&self,
chip::mul_fixed.rs: Implement fixed-base scalar mul instruction. Fixed-base scalar mul makes use of the add_incomplete and add instructions internally. The full-width and short signed share some common logic, which is captured in chip::mul_fixed.rs. The signed short variant introduces additional logic to handle the scalar's sign. This is done in the submodule mul_fixed::short.
2021-06-04 23:34:44 -07:00
layouter: &mut impl Layouter<pallas::Base>,
ecc::chip: Define a `MagnitudeSign` type alias This fixes some "complex type" clippy lints, and also will make it easier to change it to a better-typed struct later.
2021-12-07 18:16:59 -08:00
magnitude_sign: MagnitudeSign,
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
base: &<Self::FixedPoints as FixedPoints<pallas::Affine>>::ShortScalar,
gadget::ecc.rs: Inline witness_scalar_* APIs. Witness a scalar in the region where it is used for multiplication, instead of witnessing it separately and then copying it in.
2021-07-09 22:19:42 -07:00
) -> Result<(Self::Point, Self::ScalarFixedShort), Error> {
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
let config = self.config().mul_fixed_short.clone();
Update mul_fixed_* APIs to take Layouter instead of Region. These APIs are not called internally.
2021-07-06 20:26:32 -07:00
config.assign(
layouter.namespace(|| format!("short fixed-base mul of {:?}", base)),
mul_fixed::short: Copy (magnitude, sign) instead of witnessing Scalar. In the Orchard circuit, the short signed scalar is v_old - v_new, which will be witnessed as two cells: a 64-bit magnitude, and a sign that is +/- 1.
2021-07-10 08:56:24 -07:00
magnitude_sign,
Update mul_fixed_* APIs to take Layouter instead of Region. These APIs are not called internally.
2021-07-06 20:26:32 -07:00
base,
chip::mul_fixed.rs: Implement fixed-base scalar mul instruction. Fixed-base scalar mul makes use of the add_incomplete and add instructions internally. The full-width and short signed share some common logic, which is captured in chip::mul_fixed.rs. The signed short variant introduces additional logic to handle the scalar's sign. This is done in the submodule mul_fixed::short.
2021-06-04 23:34:44 -07:00
)
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
}
base_field_elem.rs: Support fixed-base mul using base field element. In Orchard nullifier derivation, we multiply the fixed base K^Orchard by a value encoded as a base field element. This commit introduces an API that allows using a base field element as the "scalar" in fixed-base scalar multiplication. The API currently assumes that the base field element is output by another instruction (i.e. there is no instruction to directly witness it).
2021-06-18 02:41:13 -07:00
fn mul_fixed_base_field_elem(
&self,
layouter: &mut impl Layouter<pallas::Base>,
Remove the `CellValue` type In order to make the changeover easier to review, we redefined `CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and rename throughout the codebase.
2021-12-01 18:51:46 -08:00
base_field_elem: AssignedCell<pallas::Base, pallas::Base>,
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
base: &<Self::FixedPoints as FixedPoints<pallas::Affine>>::Base,
base_field_elem.rs: Support fixed-base mul using base field element. In Orchard nullifier derivation, we multiply the fixed base K^Orchard by a value encoded as a base field element. This commit introduces an API that allows using a base field element as the "scalar" in fixed-base scalar multiplication. The API currently assumes that the base field element is output by another instruction (i.e. there is no instruction to directly witness it).
2021-06-18 02:41:13 -07:00
) -> Result<Self::Point, Error> {
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
let config = self.config().mul_fixed_base_field.clone();
Update mul_fixed_* APIs to take Layouter instead of Region. These APIs are not called internally.
2021-07-06 20:26:32 -07:00
config.assign(
layouter.namespace(|| format!("base-field elem fixed-base mul of {:?}", base)),
base_field_elem,
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2021-08-18 23:59:39 -07:00
base,
base_field_elem.rs: Support fixed-base mul using base field element. In Orchard nullifier derivation, we multiply the fixed base K^Orchard by a value encoded as a base field element. This commit introduces an API that allows using a base field element as the "scalar" in fixed-base scalar multiplication. The API currently assumes that the base field element is output by another instruction (i.e. there is no instruction to directly witness it).
2021-06-18 02:41:13 -07:00
)
}
ecc::chip.rs: Add ECC chip. Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-04 23:05:58 -07:00
}