zec
/
halo2
mirror of https://github.com/zcash/halo2.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[book] Update NoteCommit page to match Commit^ivk style 

Constraint tables have been added along with the region layout. I also
fixed numerous bugs in the constraints (most of which appeared to be
copy-pasta bugs).
This commit is contained in:
Jack Grigg 2021-07-24 17:02:11 +01:00
parent 5aa05713e7
commit 0375c64801
2 changed files with 322 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
book/macros.txt
View File

@ -1,6 +1,7 @@
# Conventions
\bconcat:{\mathop{\kern 0.1em||\kern 0.1em}}
\Repr:{\star}
# Conversions
@ -15,12 +16,18 @@
\AuthSignPublic:{\mathsf{ak}}
\NullifierKey:{\mathsf{nk}}
\InViewingKey:{\mathsf{ivk}}
\DiversifiedTransmitBase:{\mathsf{g_d}}
\DiversifiedTransmitBaseRepr:{\mathsf{g\Repr_d}}
\DiversifiedTransmitPublic:{\mathsf{pk_d}}
\DiversifiedTransmitPublicRepr:{\mathsf{pk\Repr_d}}
# Commitments and hashes
\SinsemillaHash:{\mathsf{SinsemillaHash}}
\SinsemillaCommit:{\mathsf{SinsemillaCommit}}
\SinsemillaShortCommit:{\mathsf{SinsemillaShortCommit}}
\CommitIvk:{\mathsf{Commit}^{\InViewingKey}}
\NoteCommit:{\mathsf{NoteCommit}}
# Circuit constraint helper methods

411
book/src/design/circuit/gadgets/sinsemilla/note-commit.md
View File

@ -1,155 +1,374 @@
# NoteCommit
## Message decomposition
$\mathsf{SinsemillaCommit}$ is used in the [$\mathsf{NoteCommit}$ function](https://zips.z.cash/protocol/protocol.pdf#concretesinsemillacommit). The input to $\mathsf{SinsemillaCommit}$ is:
$$\mathsf{g\star_d} || \mathsf{pk\star_d} || \mathsf{I2LEBSP}_{64}(v) || \mathsf{I2LEBSP}_{\ell_{\textsf{base}}^{\textsf{Orchard}}}(\rho) || \mathsf{I2LEBSP}_{\ell_{\textsf{base}}^{\textsf{Orchard}}}(\psi),$$
$\SinsemillaCommit$ is used in the
[$\NoteCommit$ function](https://zips.z.cash/protocol/protocol.pdf#concretesinsemillacommit).
The input to $\SinsemillaCommit$ is:
where $\mathsf{g\star_d, pk\star_d}$ are representations of Pallas curve points, with $255$ bits used for the $x$-coordinate and $1$ bit used for the $y$-coordinate; $\rho, \psi$ are Pallas base field elements, $v$ is a $64$-bit value, and $\ell_{\textsf{base}}^{\textsf{Orchard}} = 255.$
$$\DiversifiedTransmitBaseRepr \bconcat
\DiversifiedTransmitPublicRepr \bconcat
\ItoLEBSP{64}(\mathsf{v}) \bconcat
\ItoLEBSP{\BaseLength{Orchard}}(\rho) \bconcat
\ItoLEBSP{\BaseLength{Orchard}}(\psi),$$
We break these inputs into the following `MessagePiece`s:
where:
- $\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr$ are representations of
Pallas curve points, with $255$ bits used for the $x$-coordinate and $1$ bit used for
the $y$-coordinate.
- $\rho, \psi$ are Pallas base field elements.
- $\mathsf{v}$ is a $64$-bit value.
- $\BaseLength{Orchard} = 255.$
Sinsemilla operates on multiples of 10 bits, so we start by decomposing the message into
chunks:
$$
\begin{aligned}
a \text{ (250 bits)} &= \text{bits } 0..=249 \text{ of } \mathsf{x(g_d)} \\
b \text{ (10 bits)} &= b_0 || b_1 || b_2 || b_3 \\
&= (\text{bits } 250..=253 \textsf{ of } \mathsf{x(g_d)}) || (bit 254 \textsf{ of } \mathsf{x(g_d)}) || (ỹ \text{ bit of } \mathsf{g_d}) || (\text{bits } 0..=3 \textsf{ of } \mathsf{pk\star_d}) \\
c \text{ (250 bits)} &= \text{bits } 4..=253 \textsf{ of } \mathsf{pk\star_d} \\
d \text{ (60 bits)} &= d_0 || d_1 || d_2 || d_3 \\
&= (\text{bit } 254 \text{ of } \mathsf{x(pk_d)}) || (ỹ \text{ bit of } \mathsf{pk_d}) || (0..=7 \text{ of v}) || (8..=57 \text{ of v}) \\
e \text{ (10 bits)} &= e_0 || e_1 \\
&= (\text{bits } 58..=63 \text{ of v}) || (\text{bits } 0..=3 \text{ of} \rho) \\
f \text{ (250 bits)} &= \text{bits } 4..=253 \text{ of } \rho \\
g \text{ (250 bits)} &= g_0 || g_1 || g_2 \\
&= (\text{bit } 254 \text{ of } \rho) || (\text{bits } 0..=8 \text{ of } \psi) || (\text{bits } 9..=248 \text{ of } \psi) \\
h \text{ (10 bits)} &= h_0 || h_1 || h_2 \\
&= (\text{bits } 249..=253 \text{ of } \psi) || (\text{bit } 254 \text{ of } \psi) || 4 \text{ zero bits } \\
\DiversifiedTransmitBaseRepr &= a \bconcat b_0 \bconcat b_1 \bconcat b_2 \\
&= (\text{bits 0..=249 of } \mathsf{x(g_d)}) \bconcat
(\text{bits 250..=253 of } \mathsf{x(g_d)}) \bconcat
(\text{bit 254 of } \mathsf{x(g_d)}) \bconcat
(ỹ \text{ bit of } \mathsf{g_d}) \\
\DiversifiedTransmitPublicRepr &= b_3 \bconcat c \bconcat d_0 \bconcat d_1 \\
&= (\text{bits 0..=3 of } \mathsf{x(pk_d)}) \bconcat
(\text{bits 4..=253 of } \mathsf{x(pk_d)}) \bconcat
(\text{bit 254 of } \mathsf{x(pk_d)}) \bconcat
(ỹ \text{ bit of } \mathsf{pk_d}) \\
\ItoLEBSP{64}(v) &= d_2 \bconcat d_3 \bconcat e_0 \\
&= (\text{bits 0..=7 of } v) \bconcat
(\text{bits 8..=57 of } v) \bconcat
(\text{bits 58..=63 of } v) \\
\ItoLEBSP{\BaseLength{Orchard}}(\rho) &= e_1 \bconcat f \bconcat g_0 \\
&= (\text{bits 0..=3 of } \rho) \bconcat
(\text{bits 4..=253 of } \rho) \bconcat
(\text{bit 254 of } \rho) \\
\ItoLEBSP{\BaseLength{Orchard}}(\psi) &= g_1 \bconcat g_2 \bconcat h_0 \bconcat h_1 \\
&= (\text{bits 0..=8 of } \psi) \bconcat
(\text{bits 9..=248 of } \psi) \bconcat
(\text{bits 249..=253 of } \psi) \bconcat
(\text{bit 254 of } \psi) \\
\end{aligned}
$$
$a,b,c,d$ are constrained by the $\textsf{SinsemillaHash}$ to be:
- $a = 250$ bits,
- $b = 10$ bits,
- $c = 250$ bits,
- $d = 60$ bits,
- $e = 10$ bits,
- $f = 250$ bits,
- $g = 250$ bits,
- $h = 10$ bits.
Then we recompose the chunks into message pieces:
In a custom gate, we check this message decomposition by enforcing the following constraints:
1. $b = b_0 + 2^4 \cdot b_1 + 2^5 \cdot b_2 + 2^6 \cdot b_3$
<br>
$b_0, b_3$ are witnessed outside this gate, and constrained to be $4$ bits each. $b_1, b_2$ are witnessed and boolean-constrained in this gate:
$$
\begin{aligned}
(b_1)(1 - b_1) &= 0 \\
(b_2)(1 - b_2) &= 0 \\
\end{aligned}
\begin{array}{|c|l|}
\hline
\text{Length (bits)} & \text{Piece} \\\hline
250 & a \\
10 & b = b_0 \bconcat b_1 \bconcat b_2 \bconcat b_3 \\
250 & c \\
60 & d = d_0 \bconcat d_1 \bconcat d_2 \bconcat d_3 \\
10 & e = e_0 \bconcat e_1 \\
250 & f \\
250 & g = g_0 \bconcat g_1 \bconcat g_2 \\
10 & h = h_0 \bconcat h_1 \bconcat h_2 \\\hline
\end{array}
$$
From these witnessed subpieces, we check that we recover the original `MessagePiece` input to the hash:
$$b = b_0 + 2^4 \cdot b_1 + 2^5 \cdot b_2 + 2^6 \cdot b_3$$
2. $d = d_0 + 2 \cdot d_1 + 2^2 \cdot d_2 + 2^{10} \cdot d_3$
<br>
$d_0, d_1$ are witnessed and boolean-constrained in this gate:
where $h_2$ is 4 zero bits (corresponding to the padding applied by the Sinsemilla
[$\mathsf{pad}$ function](https://zips.z.cash/protocol/protocol.pdf#concretesinsemillahash)).
Each message piece is constrained by $\SinsemillaHash$ to its stated length. Additionally:
- $\DiversifiedTransmitBase$ and $\DiversifiedTransmitPublic$ are witnessed and checked
to be valid elliptic curve points.
- $\mathsf{v}$ is witnessed as a field element, but its decomposition is sufficient to
constrain it to be a 64-bit value.
- $\rho$ and $\psi$ are witnessed as field elements, so we know they are canonical.
However, we need additional constraints to enforce that:
- The chunks are the correct bit lengths (or else they could overlap in the decompositions
and allow the prover to witness an arbitrary $\SinsemillaCommit$ message).
- The chunks contain the canonical decompositions of $\DiversifiedTransmitBase$,
$\DiversifiedTransmitPublic$, $\rho$, and $\psi$ (or else the prover could witness
multiple equivalent inputs to $\SinsemillaCommit$).
Some of these constraints are implemented with reusable circuit gadgets. We define a
custom gate controlled by a pair of selectors $(q_{\NoteCommit,1}, q_{\NoteCommit,2})$ to
hold the remaining constraints. We will need to witness 40 separate variables in a single
region, so we use two selectors that we activate on adjacent rows, in order to limit the
required rotations to the set `[Rotation::prev(), Rotation::cur(), Rotation::next()]`.
## Bit length constraints
Chunks $a$, $c$, and $f$ are directly constrained by Sinsemilla. For the remaining chunks,
we use the following constraints:
$$
\begin{aligned}
(d_0)(1 - d_0) &= 0 \\
(d_1)(1 - d_1) &= 0 \\
\end{aligned}
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
& \ShortLookupRangeCheck{b_0, 4} \\\hline
& \ShortLookupRangeCheck{b_3, 4} \\\hline
& \ShortLookupRangeCheck{d_2, 8} \\\hline
& \ShortLookupRangeCheck{e_0, 6} \\\hline
& \ShortLookupRangeCheck{e_1, 4} \\\hline
& \ShortLookupRangeCheck{g_1, 9} \\\hline
& \ShortLookupRangeCheck{h_0, 5} \\\hline
3 & q_{\NoteCommit,1} \cdot \BoolCheck{b_1} = 0 \\\hline
3 & q_{\NoteCommit,1} \cdot \BoolCheck{b_2} = 0 \\\hline
3 & q_{\NoteCommit,1} \cdot \BoolCheck{d_0} = 0 \\\hline
3 & q_{\NoteCommit,1} \cdot \BoolCheck{d_1} = 0 \\\hline
3 & q_{\NoteCommit,1} \cdot \BoolCheck{g_0} = 0 \\\hline
3 & q_{\NoteCommit,1} \cdot \BoolCheck{h_1} = 0 \\\hline
& d_3 := z_{d,1} \\\hline
& g_2 := z_{g,1} \\\hline
\end{array}
$$
$d_2$ is witnessed outside this gate, and constrained to be $8$ bits. $d_3$ is copied into this gate as $d_3 = z_{1,d}$, where $z_{1,d}$ is the index-1 running sum output of $\textsf{SinsemillaHash}(d),$ constrained by the hash to be $50$ bits. From these witnessed subpieces, we check that we recover the original `MessagePiece` input to the hash:
$$d = d_0 + 2 \cdot d_1 + 2^2 \cdot d_2 + 2^{10} \cdot d_3$$
3. $e = e_0 + 2^6 \cdot e_1$
<br>
$e_0, e_1$ are witnessed outside this gate, and constrained to be $6$ bits and $4$ bits respectively.
From these witnessed subpieces, we check that we recover the original `MessagePiece` input to the hash:
$$e_0 + 2^6 \cdot e_1$$
where:
- $\BoolCheck{x} = x \cdot (1 - x)$.
- $\ShortLookupRangeCheck{}$ is a [short lookup range check](../lookup_range_check.md#short-range-check).
- $z_{d,1}$ is the index-1 running sum output of $\SinsemillaHash(d),$ constrained by the
hash to be 50 bits.
- $z_{g,1}$ is the index-1 running sum output of $\SinsemillaHash(g),$ constrained by the
hash to be 240 bits.
- $d_3$ and $g_2$ are equality-constrained to their respective running sum outputs.
4. $g = g_0 + 2 \cdot g_1 + 2^{10} \cdot g_2$
<br>
$g_0$ is witnessed and boolean-constrained in this gate: $$(g_0)(g_0 - 1) = 0.$$ $g_1$ is witnessed outside this gate, and constrained to be $9$ bits. $g_2$ is copied into this gate as $g_2 = z_{1,g}$, where $z_{1,g}$ is the index-1 running sum output of $\textsf{SinsemillaHash}(g),$ constrained by the hash to be $240$ bits. From these witnessed subpieces, we check that we recover the original `MessagePiece` input to the hash:
$$g = g_0 + 2 \cdot g_1 + 2^{10} \cdot g_2.$$
5. $h = h_0 + 2^5 \cdot h_1$
<br>
$h_0$ is witnessed outside this gate, and constrained to be $5$ bits. $h_1$ is witnessed and boolean-constrained in this gate: $$(h_1)(h_1 - 1) = 0.$$ From these witnessed subpieces, we check that we recover the original `MessagePiece` input to the hash:
$$h = h_0 + 2^5 \cdot h_1$$
## Decomposition constraints
We have now derived or witnessed every subpiece, and range-constrained every subpiece:
- $a$ ($250$ bits) is witnessed and constrained outside the gate;
- $b_0$ ($4$ bits) is witnessed and constrained outside the gate;
- $b_1$ ($1$ bit) is witnessed and boolean-constrained in the gate;
- $b_2$ ($1$ bit) is witnessed and boolean-constrained in the gate;
- $b_3$ ($4$ bits) is witnessed and constrained outside the gate;
- $c$ ($250$ bits) is witnessed and constrained outside the gate;
- $d_0$ ($1$ bit) is witnessed and boolean-constrained in the gate;
- $d_1$ ($1$ bit) is witnessed and boolean-constrained in the gate;
- $d_2$ ($8$ bits) is witnessed and constrained outside the gate;
- $d_3$ ($50$ bits), equal to $z_{1,d}$;
- $d_3$ ($50$ bits), equal to $z_{d,1}$;
- $e_0$ ($6$ bits) is witnessed and constrained outside the gate;
- $e_1$ ($4$ bit) is witnessed and constrained outside the gate;
- $f$ ($250$ bits) is witnessed and constrained outside the gate;
- $g_0$ ($1$ bit) is witnessed and boolean-constrained in the gate;
- $g_1$ ($9$ bits) is witnessed and constrained outside the gate;
- $g_2$ ($240$ bits), equal to $z_{1,g}$;
- $g_2$ ($240$ bits), equal to $z_{g,1}$;
- $h_0$ ($5$ bits) is witnessed and constrained outside the gate;
- $h_1$ ($1$ bit) is witnessed and boolean-constrained in the gate;
- $h_2$ ($4$ bit) is a zero term, and can be omitted as the other chunks will not overlap it.
and we use them to reconstruct the original field element inputs:
We can now use them to reconstruct both the (chunked) message pieces, and the original
field element inputs:
6. $\mathsf{x(g_d)} = a + 2^250 \cdot b_0 + 2^254 \cdot b_1$
7. $\mathsf{pk_d} = b_3 + 2^4 \cdot c + 2^254 \cdot d_0$
8. $\mathsf{v} = d_2 + 2^8 \cdot d_3 + 2^58 \cdot e_0$
9. $\rho = e_1 + 2^4 \cdot f + 2^254 \cdot g_0$
10. $\psi = g_1 + 2^9 \cdot g_2 + 2^249 \cdot h_0 + 2^254 \cdot h_1$
$$
\begin{align}
b &= b_0 + 2^4 \cdot b_1 + 2^5 \cdot b_2 + 2^6 \cdot b_3 \\
d &= d_0 + 2 \cdot d_1 + 2^2 \cdot d_2 + 2^{10} \cdot d_3 \\
e &= e_0 + 2^6 \cdot e_1 \\
g &= g_0 + 2 \cdot g_1 + 2^{10} \cdot g_2 \\
h &= h_0 + 2^5 \cdot h_1 \\
\mathsf{x(g_d)} &= a + 2^{250} \cdot b_0 + 2^{254} \cdot b_1 \\
\mathsf{x(pk_d)} &= b_3 + 2^4 \cdot c + 2^{254} \cdot d_0 \\
\mathsf{v} &= d_2 + 2^8 \cdot d_3 + 2^{58} \cdot e_0 \\
\rho &= e_1 + 2^4 \cdot f + 2^{254} \cdot g_0 \\
\psi &= g_1 + 2^9 \cdot g_2 + 2^{249} \cdot h_0 + 2^{254} \cdot h_1 \\
\end{align}
$$
## Canonicity
The modulus of the Pallas base field is $p = 2^{254} + t_p,$ where $t_p = 45560315531419706090280762371685220353 < 2^{126}.$
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
2 & q_{\NoteCommit,1} \cdot (b - (b_0 + b_1 \cdot 2^4 + b_2 \cdot 2^5 + b_3 \cdot 2^6)) = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (d - (d_0 + d_1 \cdot 2 + d_2 \cdot 2^2 + d_3 \cdot 2^{10})) = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (e - (e_0 + e_1 \cdot 2^6)) = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (g - (g_0 + g_1 \cdot 2 + g_2 \cdot 2^{10})) = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (h - (h_0 + h_1 \cdot 2^5)) = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (a + b_0 \cdot 2^{250} + b_1 \cdot 2^{254} - \mathsf{x(g_d)}) = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (b_3 + c \cdot 2^4 + d_0 \cdot 2^{254} - \mathsf{x(pk_d)} = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (d_2 + d_3 \cdot 2^8 + e_0 \cdot 2^{58} - \mathsf{v}) = 0 \\\hline
2 & q_{\NoteCommit,2} \cdot (e_1 + f \cdot 2^4 + g_0 \cdot 2^{254} - \rho) = 0 \\\hline
2 & q_{\NoteCommit,2} \cdot (g_1 + g_2 \cdot 2^9 + h_0 \cdot 2^{249} + h_1 \cdot 2^{254} - \psi) = 0 \\\hline
\end{array}
$$
### $\mathsf{x(g_d)} = a \text{ (250 bits) } || b_0 \text{ (4 bits) } || b_1 \text{ (1 bit) }$
We check that $\mathsf{x(g_d)}$ is a canonically-encoded $255$-bit value, i.e. $\mathsf{x(g_d)} < p$. If the high bit is not set $b_1 = 0$, we are guaranteed that $\mathsf{x(g_d)} < 2^{254}$. Thus, we are only interested in cases when $b_1 = 1 \implies \mathsf{x(g_d)} \geq 2^{254}$. In these cases, we check that $\mathsf{x(g_d)}_{0..=253} < t_p < 2^{126}$:
## Canonicity checks
At this point, we have constrained $\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(g_d)})$,
$\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(pk_d)})$,
$\ItoLEBSP{\BaseLength{Orchard}}(\rho)$, and $\ItoLEBSP{\BaseLength{Orchard}}(\psi)$ to be
255-bit values, with top bits $b_1$, $d_0$, $g_0$, and $h_1$ respectively. We have also
constrained:
$$
\begin{align}
\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(g_d)}) &= \mathsf{x(g_d)} \pmod{q_\mathbb{P}} \\
\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(pk_d)}) &= \mathsf{x(pk_d)} \pmod{q_\mathbb{P}} \\
\ItoLEBSP{\BaseLength{Orchard}}(\rho) &= \rho \pmod{q_\mathbb{P}} \\
\ItoLEBSP{\BaseLength{Orchard}}(\psi) &= \psi \pmod{q_\mathbb{P}} \\
\end{align}
$$
where $q_\mathbb{P}$ is the Pallas base field modulus. The remaining constraints will
enforce that these are indeed canonically-encoded field elements, i.e.
$$
\begin{align}
\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(g_d)}) &< q_\mathbb{P} \\
\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(pk_d)}) &< q_\mathbb{P} \\
\ItoLEBSP{\BaseLength{Orchard}}(\rho) &< q_\mathbb{P} \\
\ItoLEBSP{\BaseLength{Orchard}}(\psi) &< q_\mathbb{P} \\
\end{align}
$$
The Pallas base field modulus has the form $q_\mathbb{P} = 2^{254} + t_\mathbb{P}$, where
$$t_\mathbb{P} = \mathtt{0x224698fc094cf91b992d30ed00000001}$$
is 126 bits. We therefore know that if the top bit is not set, then the remaining bits
will always comprise a canonical encoding of a field element. Thus the canonicity checks
below are enforced if and only if the corresponding top bit is set to 1.
> In the constraints below we use a base-$2^{10}$ variant of the method used in libsnark
> (originally from [[SVPBABW2012](https://eprint.iacr.org/2012/598.pdf), Appendix C.1]) for
> range constraints $0 \leq x < t$:
>
> - Let $t'$ be the smallest power of $2^{10}$ greater than $t$.
> - Enforce $0 \leq x < t'$.
> - Let $x' = x + t' - t$.
> - Enforce $0 \leq x' < t'$.
### $\mathsf{x(g_d)}$ with $b_1 = 1 \implies \mathsf{x(g_d)} \geq 2^{254}$
In these cases, we check that $\mathsf{x(g_d)}_{0..=253} < t_\mathbb{P} < 2^{126}$:
1. $b_1 = 1 \implies b_0 = 0.$
Since $b_1 = 1 \implies \mathsf{x(g_d)}_{0..=253} < 2^{126},$ we know that $\mathsf{x(g_d)}_{126..=253} = 0,$ and in particular $b_0 = \mathsf{x(g_d)}_{250..=253} = 0.$
Since $b_1 = 1 \implies \mathsf{x(g_d)}_{0..=253} < 2^{126},$ we know that
$\mathsf{x(g_d)}_{126..=253} = 0,$ and in particular
$$b_0 := \mathsf{x(g_d)}_{250..=253} = 0.$$
2. $b_1 = 1 \implies 0 \leq a < 2^{126}.$
To check that $a < 2^{126}$, we use two constraints:
a) $0 \leq a < 2^{130}$. This is expressed in the custom gate as $$b_1 \cdot z_{13,a} = 0,$$ where $z_{13,a}$ is the index-13 running sum output by $\textsf{SinsemillaHash}(a).$
To check that $a < 2^{126}$, we use two constraints:
b) $0 \leq a + 2^{130} - t_p < 2^{130}$. To check this, we decompose $a' = a + 2^{130} - t_p$ into thirteen 10-bit words (little-endian) using a running sum $z_{a'}$, looking up each word in a $10$-bit lookup table. We then enforce in the custom gate that $$b_1 \cdot z_{13, a'} = 0.$$
a) $0 \leq a < 2^{130}$. This is expressed in the custom gate as
$$b_1 \cdot z_{a,13} = 0,$$
where $z_{a,13}$ is the index-13 running sum output by $\SinsemillaHash(a).$
b) $0 \leq a + 2^{130} - t_\mathbb{P} < 2^{130}$. To check this, we decompose
$a' = a + 2^{130} - t_\mathbb{P}$ into thirteen 10-bit words (little-endian) using
a running sum $z_{a'}$, looking up each word in a $10$-bit lookup table. We then
enforce in the custom gate that
$$b_1 \cdot z_{a',13} = 0.$$
### $\mathsf{x(pk_d)} = b_3 \text{ (4 bits) } || c \text{ (250 bits) } || d_0 \text{ (1 bit) }$
We check that $\mathsf{x(pk_d)}$ is a canonically-encoded $255$-bit value, i.e. $\mathsf{x(pk_d)} < p$. If the high bit is not set $d_0 = 0$, we are guaranteed that $\mathsf{x(pk_d)} < 2^{254}$. Thus, we are only interested in cases when $d_0 = 1 \implies \mathsf{x(pk_d)} \geq 2^{254}$. In these cases, we check that $\mathsf{x(pk_d)}_{0..=253} < t_p < 2^{126}$:
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,2} \cdot b_1 \cdot b_0 = 0 \\\hline
3 & q_{\NoteCommit,2} \cdot b_1 \cdot z_{a,13} = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (a + 2^{130} - t_\mathbb{P} - a') = 0 \\\hline
3 & q_{\NoteCommit,2} \cdot b_1 \cdot z_{a',13} = 0 \\\hline
\end{array}
$$
1. $d_0 = 0 \implies 0 \leq b_3 + 2^{4} \cdot c < 2^{126}.$
To check that $0 \leq b_3 + 2^{4} \cdot c < 2^{126},$ we use two constraints:
### $\mathsf{x(pk_d)}$ with $d_0 = 1 \implies \mathsf{x(pk_d)} \geq 2^{254}$
a) $0 \leq b_3 + 2^{4} \cdot c < 2^{140}.$ $b_3$ is already constrained individually to be a $4$-bit value. $z_{13, c}$ is the index-13 running sum output by $\textsf{SinsemillaHash}(c).$ By constraining $$d_0 \cdot z_{13,c} = 0,$$ we constrain $b_3 + 2^4 \cdot c < 2^{134} < 2^{140}.$
In these cases, we check that $\mathsf{x(pk_d)}_{0..=253} < t_\mathbb{P} < 2^{126}$:
b) $0 \leq b_3 + 2^{4} \cdot c + 2^{140} - t_p < 2^{140}$. To check this, we decompose $b' = b_3 + 2^{4} \cdot c + 2^{140} - t_p$ into fourteen 10-bit words (little-endian) using a running sum $z_{b'}$, looking up each word in a $10$-bit lookup table. We then enforce in the custom gate that $$d_0 \cdot z_{14, b'} = 0.$$
1. $d_0 = 1 \implies 0 \leq b_3 + 2^{4} \cdot c < 2^{126}.$
### $\rho = e_1 \text{ (4 bits) } || f \text{ (250 bits) } || g_0 \text{ (1 bit) }$
We check that $\rho$ is a canonically-encoded $255$-bit value, i.e. $\rho < p$. If the high bit is not set $g_0 = 0$, we are guaranteed that $\rho < 2^{254}$. Thus, we are only interested in cases when $g_0 = 1 \implies \rho \geq 2^{254}$. In these cases, we check that $\rho_{0..=253} < t_p < 2^{126}$:
To check that $0 \leq b_3 + 2^{4} \cdot c < 2^{126},$ we use two constraints:
1. $g_0 = 0 \implies 0 \leq e_1 + 2^{4} \cdot f < 2^{126}.$
To check that $0 \leq e_1 + 2^{4} \cdot f < 2^{126},$ we use two constraints:
a) $0 \leq b_3 + 2^{4} \cdot c < 2^{140}.$ $b_3$ is already constrained individually
to be a $4$-bit value. $z_{c,13}$ is the index-13 running sum output by
$\SinsemillaHash(c).$ By constraining $$d_0 \cdot z_{c,13} = 0,$$ we constrain
$b_3 + 2^4 \cdot c < 2^{134} < 2^{140}.$
a) $0 \leq e_1 + 2^{4} \cdot f < 2^{140}.$ $e_1$ is already constrained individually to be a $4$-bit value. $z_{13, f}$ is the index-13 running sum output by $\textsf{SinsemillaHash}(c).$ By constraining $$g_0 \cdot z_{13, f} = 0,$$ we constrain $e_1 + 2^4 \cdot f < 2^{134} < 2^{140}.$
b) $0 \leq b_3 + 2^{4} \cdot c + 2^{140} - t_\mathbb{P} < 2^{140}$. To check this, we
decompose ${b_3}c' = b_3 + 2^{4} \cdot c + 2^{140} - t_\mathbb{P}$ into fourteen
10-bit words (little-endian) using a running sum $z_{{b_3}c'}$, looking up each
word in a $10$-bit lookup table. We then enforce in the custom gate that
$$d_0 \cdot z_{{b_3}c',14} = 0.$$
b) $0 \leq e_1 + 2^{4} \cdot f + 2^{140} - t_p < 2^{140}$. To check this, we decompose $e' = e_1 + 2^{4} \cdot f + 2^{140} - t_p$ into fourteen 10-bit words (little-endian) using a running sum $z_{e'}$, looking up each word in a $10$-bit lookup table. We then enforce in the custom gate that $$g_0 \cdot z_{14, e'} = 0.$$
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,2} \cdot d_0 \cdot z_{c,13} = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (b_3 + c \cdot 2^4 + 2^{140} - t_\mathbb{P} - {b_3}c') = 0 \\\hline
3 & q_{\NoteCommit,2} \cdot d_0 \cdot z_{{b_3}c',14} = 0 \\\hline
\end{array}
$$
### $\psi = g_1 \text{ (9 bits) } || g_2 \text{ (240 bits) } || h_0 \text{ (5 bits) } || h_1 \text{ (1 bit) }$
We check that $\psi$ is a canonically-encoded $255$-bit value, i.e. $\psi < p$. If the high bit is not set $h_1 = 0$, we are guaranteed that $\psi < 2^{254}$. Thus, we are only interested in cases when $h_1 = 1 \implies \psi \geq 2^{254}$. In these cases, we check that $\psi_{0..=253} < t_p < 2^{126}$:
### $\rho$ with $g_0 = 1 \implies \rho \geq 2^{254}$
1. $h_1 = 0 \implies h_0 = 0.$
Since $h_1 = 1 \implies \psi_{0..=253} < 2^{126},$ we know that $\psi_{126..=253} = 0,$ and in particular $h_0 = \psi_{249..=253} = 0.$ So, we constrain $$h_1 \cdot h_0 = 0.$$
In these cases, we check that $\rho_{0..=253} < t_\mathbb{P} < 2^{126}$:
2. $h_1 = 0 \implies 0 \leq g_1 + 2^{9} \cdot g_2 < 2^{126}.$
To check that $0 \leq g_1 + 2^{9} \cdot g_2 < 2^{126},$ we use two constraints:
1. $g_0 = 1 \implies 0 \leq e_1 + 2^{4} \cdot f < 2^{126}.$
a) $0 \leq g_1 + 2^{9} \cdot g_2 < 2^{140}.$ $e_1$ is already constrained individually to be a $4$-bit value. $z_{13, f}$ is the index-13 running sum output by $\textsf{SinsemillaHash}(c).$ By constraining $$h_1 \cdot z_{13, f} = 0,$$ we constrain $e_1 + 2^4 \cdot f < 2^{134} < 2^{140}.$
To check that $0 \leq e_1 + 2^{4} \cdot f < 2^{126},$ we use two constraints:
b) $0 \leq g_1 + 2^{9} \cdot g_2 + 2^{140} - t_p < 2^{140}$. To check this, we decompose $e' = g_1 + 2^{9} \cdot g_2 + 2^{140} - t_p$ into fourteen 10-bit words (little-endian) using a running sum $z_{e'}$, looking up each word in a $10$-bit lookup table. We then enforce in the custom gate that $$h_1 \cdot z_{14, e'} = 0.$$
a) $0 \leq e_1 + 2^{4} \cdot f < 2^{140}.$ $e_1$ is already constrained individually
to be a $4$-bit value. $z_{f,13}$ is the index-13 running sum output by
$\SinsemillaHash(f).$ By constraining $$g_0 \cdot z_{f,13} = 0,$$ we constrain
$e_1 + 2^4 \cdot f < 2^{134} < 2^{140}.$
b) $0 \leq e_1 + 2^{4} \cdot f + 2^{140} - t_\mathbb{P} < 2^{140}$. To check this, we
decompose ${e_1}f' = e_1 + 2^{4} \cdot f + 2^{140} - t_\mathbb{P}$ into fourteen
10-bit words (little-endian) using a running sum $z_{{e_1}f'}$, looking up each
word in a $10$-bit lookup table. We then enforce in the custom gate that
$$g_0 \cdot z_{{e_1}f',14} = 0.$$
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,2} \cdot g_0 \cdot z_{f,13} = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (e_1 + f \cdot 2^4 + 2^{140} - t_\mathbb{P} - {e_1}f') = 0 \\\hline
3 & q_{\NoteCommit,2} \cdot g_0 \cdot z_{{e_1}f',14} = 0 \\\hline
\end{array}
$$
### $\psi$ with $h_1 = 1 \implies \psi \geq 2^{254}$
In these cases, we check that $\psi_{0..=253} < t_\mathbb{P} < 2^{126}$:
1. $h_1 = 1 \implies h_0 = 0.$
Since $h_1 = 1 \implies \psi_{0..=253} < 2^{126},$ we know that $\psi_{126..=253} = 0,$
and in particular $h_0 := \psi_{249..=253} = 0.$
2. $h_1 = 1 \implies 0 \leq g_1 + 2^{9} \cdot g_2 < 2^{126}.$
To check that $0 \leq g_1 + 2^{9} \cdot g_2 < 2^{126},$ we use two constraints:
a) $0 \leq g_1 + 2^{9} \cdot g_2 < 2^{140}.$ $g_1$ is already constrained individually
to be a $9$-bit value. $z_{g,13}$ is the index-13 running sum output by
$\SinsemillaHash(g).$ By constraining $$h_1 \cdot z_{g,13} = 0,$$ we constrain
$g_1 + 2^9 \cdot g_2 < 2^{129} < 2^{140}.$
b) $0 \leq g_1 + 2^{9} \cdot g_2 + 2^{140} - t_\mathbb{P} < 2^{140}$. To check this,
we decompose ${g_1}{g_2}' = g_1 + 2^{9} \cdot g_2 + 2^{140} - t_\mathbb{P}$ into
fourteen 10-bit words (little-endian) using a running sum $z_{{g_1}{g_2}'}$,
looking up each word in a $10$-bit lookup table. We then enforce in the custom gate
that $$h_1 \cdot z_{{g_1}{g_2}',14} = 0.$$
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,2} \cdot h_1 \cdot h_0 = 0 \\\hline
3 & q_{\NoteCommit,2} \cdot h_1 \cdot z_{g,13} = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (g_1 + g_2 \cdot 2^9 + 2^{140} - t_\mathbb{P} - {g_1}{g_2}') = 0 \\\hline
3 & q_{\NoteCommit,2} \cdot g_0 \cdot z_{{g_1}{g_2}',14} = 0 \\\hline
\end{array}
$$
## Region layout
The constraints controlled by the $(q_{\NoteCommit,1}, q_{\NoteCommit,2})$ selectors are
arranged in a single region across 10 advice columns, requiring four rows.
$$
\begin{array}{|c|c|c|c|c|c|c|c|c|c|cc}
& & & & & & & & & & q_{\NoteCommit,1} & q_{\NoteCommit,2} \\\hline
a' & {b_3}c' & {e_1}f' & {g_1}{g_2}' & a & b & b_2 & b_3 & c & d & 0 & 0 \\\hline
d_1 & d_2 & z_{d,1} & e & e_0 & e_1 & f & g & g_1 & h & 1 & 0 \\\hline
h_0 & h_1 & x(g_d) & x(pk_d) & v & b_0 & b_1 & d_0 & g_0 & z_{g,1} & 0 & 1 \\\hline
z_{a',13} & z_{{b_3}c',14} & z_{{e_1}f',14} & z_{{g_1}{g_2}',14} & z_{a,13} & z_{c,13} & z_{f,13} & z_{g,13} & \psi & \rho & 0 & 0 \\\hline
\end{array}
$$