mirror of https://github.com/zcash/halo2.git
[book] Update NoteCommit page to match Commit^ivk style
Constraint tables have been added along with the region layout. I also fixed numerous bugs in the constraints (most of which appeared to be copy-pasta bugs).
This commit is contained in:
parent
5aa05713e7
commit
0375c64801
|
@ -1,6 +1,7 @@
|
||||||
# Conventions
|
# Conventions
|
||||||
|
|
||||||
\bconcat:{\mathop{\kern 0.1em||\kern 0.1em}}
|
\bconcat:{\mathop{\kern 0.1em||\kern 0.1em}}
|
||||||
|
\Repr:{\star}
|
||||||
|
|
||||||
# Conversions
|
# Conversions
|
||||||
|
|
||||||
|
@ -15,12 +16,18 @@
|
||||||
\AuthSignPublic:{\mathsf{ak}}
|
\AuthSignPublic:{\mathsf{ak}}
|
||||||
\NullifierKey:{\mathsf{nk}}
|
\NullifierKey:{\mathsf{nk}}
|
||||||
\InViewingKey:{\mathsf{ivk}}
|
\InViewingKey:{\mathsf{ivk}}
|
||||||
|
\DiversifiedTransmitBase:{\mathsf{g_d}}
|
||||||
|
\DiversifiedTransmitBaseRepr:{\mathsf{g\Repr_d}}
|
||||||
|
\DiversifiedTransmitPublic:{\mathsf{pk_d}}
|
||||||
|
\DiversifiedTransmitPublicRepr:{\mathsf{pk\Repr_d}}
|
||||||
|
|
||||||
# Commitments and hashes
|
# Commitments and hashes
|
||||||
|
|
||||||
\SinsemillaHash:{\mathsf{SinsemillaHash}}
|
\SinsemillaHash:{\mathsf{SinsemillaHash}}
|
||||||
|
\SinsemillaCommit:{\mathsf{SinsemillaCommit}}
|
||||||
\SinsemillaShortCommit:{\mathsf{SinsemillaShortCommit}}
|
\SinsemillaShortCommit:{\mathsf{SinsemillaShortCommit}}
|
||||||
\CommitIvk:{\mathsf{Commit}^{\InViewingKey}}
|
\CommitIvk:{\mathsf{Commit}^{\InViewingKey}}
|
||||||
|
\NoteCommit:{\mathsf{NoteCommit}}
|
||||||
|
|
||||||
# Circuit constraint helper methods
|
# Circuit constraint helper methods
|
||||||
|
|
||||||
|
|
|
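Review bot: the new `\DiversifiedTransmitBase` / `\DiversifiedTransmitPublic` macros are used in the NoteCommit prose, but the constraint tables and region layout in the same commit still hand-write the coordinates as `\mathsf{x(g_d)}` / `\mathsf{x(pk_d)}`, and the region layout row `h_0 & h_1 & x(g_d) & x(pk_d) & v & b_0 & b_1 & d_0 & g_0 & z_{g,1}` drops `\mathsf` altogether. Since this hunk is where the notation is being centralised, it would be worth either adding macros for the x-coordinate forms here or normalising the hand-written ones, so the page keeps a single notation when these macros change.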
@ -1,155 +1,374 @@
|
||||||
# NoteCommit
|
# NoteCommit
|
||||||
|
|
||||||
## Message decomposition
|
## Message decomposition
|
||||||
$\mathsf{SinsemillaCommit}$ is used in the [$\mathsf{NoteCommit}$ function](https://zips.z.cash/protocol/protocol.pdf#concretesinsemillacommit). The input to $\mathsf{SinsemillaCommit}$ is:
|
|
||||||
|
|
||||||
$$\mathsf{g\star_d} || \mathsf{pk\star_d} || \mathsf{I2LEBSP}_{64}(v) || \mathsf{I2LEBSP}_{\ell_{\textsf{base}}^{\textsf{Orchard}}}(\rho) || \mathsf{I2LEBSP}_{\ell_{\textsf{base}}^{\textsf{Orchard}}}(\psi),$$
|
$\SinsemillaCommit$ is used in the
|
||||||
|
[$\NoteCommit$ function](https://zips.z.cash/protocol/protocol.pdf#concretesinsemillacommit).
|
||||||
|
The input to $\SinsemillaCommit$ is:
|
||||||
|
|
||||||
where $\mathsf{g\star_d, pk\star_d}$ are representations of Pallas curve points, with $255$ bits used for the $x$-coordinate and $1$ bit used for the $y$-coordinate; $\rho, \psi$ are Pallas base field elements, $v$ is a $64$-bit value, and $\ell_{\textsf{base}}^{\textsf{Orchard}} = 255.$
|
$$\DiversifiedTransmitBaseRepr \bconcat
|
||||||
|
\DiversifiedTransmitPublicRepr \bconcat
|
||||||
|
\ItoLEBSP{64}(\mathsf{v}) \bconcat
|
||||||
|
\ItoLEBSP{\BaseLength{Orchard}}(\rho) \bconcat
|
||||||
|
\ItoLEBSP{\BaseLength{Orchard}}(\psi),$$
|
||||||
|
|
||||||
We break these inputs into the following `MessagePiece`s:
|
where:
|
||||||
|
- $\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr$ are representations of
|
||||||
|
Pallas curve points, with $255$ bits used for the $x$-coordinate and $1$ bit used for
|
||||||
|
the $y$-coordinate.
|
||||||
|
- $\rho, \psi$ are Pallas base field elements.
|
||||||
|
- $\mathsf{v}$ is a $64$-bit value.
|
||||||
|
- $\BaseLength{Orchard} = 255.$
|
||||||
|
|
||||||
|
Sinsemilla operates on multiples of 10 bits, so we start by decomposing the message into
|
||||||
|
chunks:
|
||||||
|
|
||||||
$$
|
$$
|
||||||
\begin{aligned}
|
\begin{aligned}
|
||||||
a \text{ (250 bits)} &= \text{bits } 0..=249 \text{ of } \mathsf{x(g_d)} \\
|
\DiversifiedTransmitBaseRepr &= a \bconcat b_0 \bconcat b_1 \bconcat b_2 \\
|
||||||
b \text{ (10 bits)} &= b_0 || b_1 || b_2 || b_3 \\
|
&= (\text{bits 0..=249 of } \mathsf{x(g_d)}) \bconcat
|
||||||
&= (\text{bits } 250..=253 \textsf{ of } \mathsf{x(g_d)}) || (bit 254 \textsf{ of } \mathsf{x(g_d)}) || (ỹ \text{ bit of } \mathsf{g_d}) || (\text{bits } 0..=3 \textsf{ of } \mathsf{pk\star_d}) \\
|
(\text{bits 250..=253 of } \mathsf{x(g_d)}) \bconcat
|
||||||
c \text{ (250 bits)} &= \text{bits } 4..=253 \textsf{ of } \mathsf{pk\star_d} \\
|
(\text{bit 254 of } \mathsf{x(g_d)}) \bconcat
|
||||||
d \text{ (60 bits)} &= d_0 || d_1 || d_2 || d_3 \\
|
(ỹ \text{ bit of } \mathsf{g_d}) \\
|
||||||
&= (\text{bit } 254 \text{ of } \mathsf{x(pk_d)}) || (ỹ \text{ bit of } \mathsf{pk_d}) || (0..=7 \text{ of v}) || (8..=57 \text{ of v}) \\
|
\DiversifiedTransmitPublicRepr &= b_3 \bconcat c \bconcat d_0 \bconcat d_1 \\
|
||||||
e \text{ (10 bits)} &= e_0 || e_1 \\
|
&= (\text{bits 0..=3 of } \mathsf{x(pk_d)}) \bconcat
|
||||||
&= (\text{bits } 58..=63 \text{ of v}) || (\text{bits } 0..=3 \text{ of} \rho) \\
|
(\text{bits 4..=253 of } \mathsf{x(pk_d)}) \bconcat
|
||||||
f \text{ (250 bits)} &= \text{bits } 4..=253 \text{ of } \rho \\
|
(\text{bit 254 of } \mathsf{x(pk_d)}) \bconcat
|
||||||
g \text{ (250 bits)} &= g_0 || g_1 || g_2 \\
|
(ỹ \text{ bit of } \mathsf{pk_d}) \\
|
||||||
&= (\text{bit } 254 \text{ of } \rho) || (\text{bits } 0..=8 \text{ of } \psi) || (\text{bits } 9..=248 \text{ of } \psi) \\
|
\ItoLEBSP{64}(v) &= d_2 \bconcat d_3 \bconcat e_0 \\
|
||||||
h \text{ (10 bits)} &= h_0 || h_1 || h_2 \\
|
&= (\text{bits 0..=7 of } v) \bconcat
|
||||||
&= (\text{bits } 249..=253 \text{ of } \psi) || (\text{bit } 254 \text{ of } \psi) || 4 \text{ zero bits } \\
|
(\text{bits 8..=57 of } v) \bconcat
|
||||||
|
(\text{bits 58..=63 of } v) \\
|
||||||
|
\ItoLEBSP{\BaseLength{Orchard}}(\rho) &= e_1 \bconcat f \bconcat g_0 \\
|
||||||
|
&= (\text{bits 0..=3 of } \rho) \bconcat
|
||||||
|
(\text{bits 4..=253 of } \rho) \bconcat
|
||||||
|
(\text{bit 254 of } \rho) \\
|
||||||
|
\ItoLEBSP{\BaseLength{Orchard}}(\psi) &= g_1 \bconcat g_2 \bconcat h_0 \bconcat h_1 \\
|
||||||
|
&= (\text{bits 0..=8 of } \psi) \bconcat
|
||||||
|
(\text{bits 9..=248 of } \psi) \bconcat
|
||||||
|
(\text{bits 249..=253 of } \psi) \bconcat
|
||||||
|
(\text{bit 254 of } \psi) \\
|
||||||
\end{aligned}
|
\end{aligned}
|
||||||
$$
|
$$
|
||||||
|
|
||||||
$a,b,c,d$ are constrained by the $\textsf{SinsemillaHash}$ to be:
|
Then we recompose the chunks into message pieces:
|
||||||
- $a = 250$ bits,
|
|
||||||
- $b = 10$ bits,
|
|
||||||
- $c = 250$ bits,
|
|
||||||
- $d = 60$ bits,
|
|
||||||
- $e = 10$ bits,
|
|
||||||
- $f = 250$ bits,
|
|
||||||
- $g = 250$ bits,
|
|
||||||
- $h = 10$ bits.
|
|
||||||
|
|
||||||
In a custom gate, we check this message decomposition by enforcing the following constraints:
|
|
||||||
|
|
||||||
1. $b = b_0 + 2^4 \cdot b_1 + 2^5 \cdot b_2 + 2^6 \cdot b_3$
|
|
||||||
<br>
|
|
||||||
$b_0, b_3$ are witnessed outside this gate, and constrained to be $4$ bits each. $b_1, b_2$ are witnessed and boolean-constrained in this gate:
|
|
||||||
$$
|
$$
|
||||||
\begin{aligned}
|
\begin{array}{|c|l|}
|
||||||
(b_1)(1 - b_1) &= 0 \\
|
\hline
|
||||||
(b_2)(1 - b_2) &= 0 \\
|
\text{Length (bits)} & \text{Piece} \\\hline
|
||||||
\end{aligned}
|
250 & a \\
|
||||||
|
10 & b = b_0 \bconcat b_1 \bconcat b_2 \bconcat b_3 \\
|
||||||
|
250 & c \\
|
||||||
|
60 & d = d_0 \bconcat d_1 \bconcat d_2 \bconcat d_3 \\
|
||||||
|
10 & e = e_0 \bconcat e_1 \\
|
||||||
|
250 & f \\
|
||||||
|
250 & g = g_0 \bconcat g_1 \bconcat g_2 \\
|
||||||
|
10 & h = h_0 \bconcat h_1 \bconcat h_2 \\\hline
|
||||||
|
\end{array}
|
||||||
$$
|
$$
|
||||||
From these witnessed subpieces, we check that we recover the original `MessagePiece` input to the hash:
|
|
||||||
$$b = b_0 + 2^4 \cdot b_1 + 2^5 \cdot b_2 + 2^6 \cdot b_3$$
|
|
||||||
|
|
||||||
2. $d = d_0 + 2 \cdot d_1 + 2^2 \cdot d_2 + 2^{10} \cdot d_3$
|
where $h_2$ is 4 zero bits (corresponding to the padding applied by the Sinsemilla
|
||||||
<br>
|
[$\mathsf{pad}$ function](https://zips.z.cash/protocol/protocol.pdf#concretesinsemillahash)).
|
||||||
$d_0, d_1$ are witnessed and boolean-constrained in this gate:
|
|
||||||
|
Each message piece is constrained by $\SinsemillaHash$ to its stated length. Additionally:
|
||||||
|
- $\DiversifiedTransmitBase$ and $\DiversifiedTransmitPublic$ are witnessed and checked
|
||||||
|
to be valid elliptic curve points.
|
||||||
|
- $\mathsf{v}$ is witnessed as a field element, but its decomposition is sufficient to
|
||||||
|
constrain it to be a 64-bit value.
|
||||||
|
- $\rho$ and $\psi$ are witnessed as field elements, so we know they are canonical.
|
||||||
|
|
||||||
|
However, we need additional constraints to enforce that:
|
||||||
|
|
||||||
|
- The chunks are the correct bit lengths (or else they could overlap in the decompositions
|
||||||
|
and allow the prover to witness an arbitrary $\SinsemillaCommit$ message).
|
||||||
|
- The chunks contain the canonical decompositions of $\DiversifiedTransmitBase$,
|
||||||
|
$\DiversifiedTransmitPublic$, $\rho$, and $\psi$ (or else the prover could witness
|
||||||
|
multiple equivalent inputs to $\SinsemillaCommit$).
|
||||||
|
|
||||||
|
Some of these constraints are implemented with reusable circuit gadgets. We define a
|
||||||
|
custom gate controlled by a pair of selectors $(q_{\NoteCommit,1}, q_{\NoteCommit,2})$ to
|
||||||
|
hold the remaining constraints. We will need to witness 40 separate variables in a single
|
||||||
|
region, so we use two selectors that we activate on adjacent rows, in order to limit the
|
||||||
|
required rotations to the set `[Rotation::prev(), Rotation::cur(), Rotation::next()]`.
|
||||||
|
|
||||||
|
## Bit length constraints
|
||||||
|
|
||||||
|
Chunks $a$, $c$, and $f$ are directly constrained by Sinsemilla. For the remaining chunks,
|
||||||
|
we use the following constraints:
|
||||||
|
|
||||||
$$
|
$$
|
||||||
\begin{aligned}
|
\begin{array}{|c|l|}
|
||||||
(d_0)(1 - d_0) &= 0 \\
|
\hline
|
||||||
(d_1)(1 - d_1) &= 0 \\
|
\text{Degree} & \text{Constraint} \\\hline
|
||||||
\end{aligned}
|
& \ShortLookupRangeCheck{b_0, 4} \\\hline
|
||||||
|
& \ShortLookupRangeCheck{b_3, 4} \\\hline
|
||||||
|
& \ShortLookupRangeCheck{d_2, 8} \\\hline
|
||||||
|
& \ShortLookupRangeCheck{e_0, 6} \\\hline
|
||||||
|
& \ShortLookupRangeCheck{e_1, 4} \\\hline
|
||||||
|
& \ShortLookupRangeCheck{g_1, 9} \\\hline
|
||||||
|
& \ShortLookupRangeCheck{h_0, 5} \\\hline
|
||||||
|
3 & q_{\NoteCommit,1} \cdot \BoolCheck{b_1} = 0 \\\hline
|
||||||
|
3 & q_{\NoteCommit,1} \cdot \BoolCheck{b_2} = 0 \\\hline
|
||||||
|
3 & q_{\NoteCommit,1} \cdot \BoolCheck{d_0} = 0 \\\hline
|
||||||
|
3 & q_{\NoteCommit,1} \cdot \BoolCheck{d_1} = 0 \\\hline
|
||||||
|
3 & q_{\NoteCommit,1} \cdot \BoolCheck{g_0} = 0 \\\hline
|
||||||
|
3 & q_{\NoteCommit,1} \cdot \BoolCheck{h_1} = 0 \\\hline
|
||||||
|
& d_3 := z_{d,1} \\\hline
|
||||||
|
& g_2 := z_{g,1} \\\hline
|
||||||
|
\end{array}
|
||||||
$$
|
$$
|
||||||
$d_2$ is witnessed outside this gate, and constrained to be $8$ bits. $d_3$ is copied into this gate as $d_3 = z_{1,d}$, where $z_{1,d}$ is the index-1 running sum output of $\textsf{SinsemillaHash}(d),$ constrained by the hash to be $50$ bits. From these witnessed subpieces, we check that we recover the original `MessagePiece` input to the hash:
|
|
||||||
$$d = d_0 + 2 \cdot d_1 + 2^2 \cdot d_2 + 2^{10} \cdot d_3$$
|
|
||||||
|
|
||||||
3. $e = e_0 + 2^6 \cdot e_1$
|
where:
|
||||||
<br>
|
- $\BoolCheck{x} = x \cdot (1 - x)$.
|
||||||
$e_0, e_1$ are witnessed outside this gate, and constrained to be $6$ bits and $4$ bits respectively.
|
- $\ShortLookupRangeCheck{}$ is a [short lookup range check](../lookup_range_check.md#short-range-check).
|
||||||
From these witnessed subpieces, we check that we recover the original `MessagePiece` input to the hash:
|
- $z_{d,1}$ is the index-1 running sum output of $\SinsemillaHash(d),$ constrained by the
|
||||||
$$e_0 + 2^6 \cdot e_1$$
|
hash to be 50 bits.
|
||||||
|
- $z_{g,1}$ is the index-1 running sum output of $\SinsemillaHash(g),$ constrained by the
|
||||||
|
hash to be 240 bits.
|
||||||
|
- $d_3$ and $g_2$ are equality-constrained to their respective running sum outputs.
|
||||||
|
|
||||||
4. $g = g_0 + 2 \cdot g_1 + 2^{10} \cdot g_2$
|
## Decomposition constraints
|
||||||
<br>
|
|
||||||
$g_0$ is witnessed and boolean-constrained in this gate: $$(g_0)(g_0 - 1) = 0.$$ $g_1$ is witnessed outside this gate, and constrained to be $9$ bits. $g_2$ is copied into this gate as $g_2 = z_{1,g}$, where $z_{1,g}$ is the index-1 running sum output of $\textsf{SinsemillaHash}(g),$ constrained by the hash to be $240$ bits. From these witnessed subpieces, we check that we recover the original `MessagePiece` input to the hash:
|
|
||||||
$$g = g_0 + 2 \cdot g_1 + 2^{10} \cdot g_2.$$
|
|
||||||
|
|
||||||
5. $h = h_0 + 2^5 \cdot h_1$
|
|
||||||
<br>
|
|
||||||
$h_0$ is witnessed outside this gate, and constrained to be $5$ bits. $h_1$ is witnessed and boolean-constrained in this gate: $$(h_1)(h_1 - 1) = 0.$$ From these witnessed subpieces, we check that we recover the original `MessagePiece` input to the hash:
|
|
||||||
$$h = h_0 + 2^5 \cdot h_1$$
|
|
||||||
|
|
||||||
We have now derived or witnessed every subpiece, and range-constrained every subpiece:
|
We have now derived or witnessed every subpiece, and range-constrained every subpiece:
|
||||||
|
- $a$ ($250$ bits) is witnessed and constrained outside the gate;
|
||||||
- $b_0$ ($4$ bits) is witnessed and constrained outside the gate;
|
- $b_0$ ($4$ bits) is witnessed and constrained outside the gate;
|
||||||
- $b_1$ ($1$ bit) is witnessed and boolean-constrained in the gate;
|
- $b_1$ ($1$ bit) is witnessed and boolean-constrained in the gate;
|
||||||
- $b_2$ ($1$ bit) is witnessed and boolean-constrained in the gate;
|
- $b_2$ ($1$ bit) is witnessed and boolean-constrained in the gate;
|
||||||
- $b_3$ ($4$ bits) is witnessed and constrained outside the gate;
|
- $b_3$ ($4$ bits) is witnessed and constrained outside the gate;
|
||||||
|
- $c$ ($250$ bits) is witnessed and constrained outside the gate;
|
||||||
- $d_0$ ($1$ bit) is witnessed and boolean-constrained in the gate;
|
- $d_0$ ($1$ bit) is witnessed and boolean-constrained in the gate;
|
||||||
- $d_1$ ($1$ bit) is witnessed and boolean-constrained in the gate;
|
- $d_1$ ($1$ bit) is witnessed and boolean-constrained in the gate;
|
||||||
- $d_2$ ($8$ bits) is witnessed and constrained outside the gate;
|
- $d_2$ ($8$ bits) is witnessed and constrained outside the gate;
|
||||||
- $d_3$ ($50$ bits), equal to $z_{1,d}$;
|
- $d_3$ ($50$ bits), equal to $z_{d,1}$;
|
||||||
- $e_0$ ($6$ bits) is witnessed and constrained outside the gate;
|
- $e_0$ ($6$ bits) is witnessed and constrained outside the gate;
|
||||||
- $e_1$ ($4$ bit) is witnessed and constrained outside the gate;
|
- $e_1$ ($4$ bit) is witnessed and constrained outside the gate;
|
||||||
|
- $f$ ($250$ bits) is witnessed and constrained outside the gate;
|
||||||
- $g_0$ ($1$ bit) is witnessed and boolean-constrained in the gate;
|
- $g_0$ ($1$ bit) is witnessed and boolean-constrained in the gate;
|
||||||
- $g_1$ ($9$ bits) is witnessed and constrained outside the gate;
|
- $g_1$ ($9$ bits) is witnessed and constrained outside the gate;
|
||||||
- $g_2$ ($240$ bits), equal to $z_{1,g}$;
|
- $g_2$ ($240$ bits), equal to $z_{g,1}$;
|
||||||
- $h_0$ ($5$ bits) is witnessed and constrained outside the gate;
|
- $h_0$ ($5$ bits) is witnessed and constrained outside the gate;
|
||||||
- $h_1$ ($1$ bit) is witnessed and boolean-constrained in the gate;
|
- $h_1$ ($1$ bit) is witnessed and boolean-constrained in the gate;
|
||||||
|
- $h_2$ ($4$ bit) is a zero term, and can be omitted as the other chunks will not overlap it.
|
||||||
|
|
||||||
and we use them to reconstruct the original field element inputs:
|
We can now use them to reconstruct both the (chunked) message pieces, and the original
|
||||||
|
field element inputs:
|
||||||
|
|
||||||
6. $\mathsf{x(g_d)} = a + 2^250 \cdot b_0 + 2^254 \cdot b_1$
|
$$
|
||||||
7. $\mathsf{pk_d} = b_3 + 2^4 \cdot c + 2^254 \cdot d_0$
|
\begin{align}
|
||||||
8. $\mathsf{v} = d_2 + 2^8 \cdot d_3 + 2^58 \cdot e_0$
|
b &= b_0 + 2^4 \cdot b_1 + 2^5 \cdot b_2 + 2^6 \cdot b_3 \\
|
||||||
9. $\rho = e_1 + 2^4 \cdot f + 2^254 \cdot g_0$
|
d &= d_0 + 2 \cdot d_1 + 2^2 \cdot d_2 + 2^{10} \cdot d_3 \\
|
||||||
10. $\psi = g_1 + 2^9 \cdot g_2 + 2^249 \cdot h_0 + 2^254 \cdot h_1$
|
e &= e_0 + 2^6 \cdot e_1 \\
|
||||||
|
g &= g_0 + 2 \cdot g_1 + 2^{10} \cdot g_2 \\
|
||||||
|
h &= h_0 + 2^5 \cdot h_1 \\
|
||||||
|
\mathsf{x(g_d)} &= a + 2^{250} \cdot b_0 + 2^{254} \cdot b_1 \\
|
||||||
|
\mathsf{x(pk_d)} &= b_3 + 2^4 \cdot c + 2^{254} \cdot d_0 \\
|
||||||
|
\mathsf{v} &= d_2 + 2^8 \cdot d_3 + 2^{58} \cdot e_0 \\
|
||||||
|
\rho &= e_1 + 2^4 \cdot f + 2^{254} \cdot g_0 \\
|
||||||
|
\psi &= g_1 + 2^9 \cdot g_2 + 2^{249} \cdot h_0 + 2^{254} \cdot h_1 \\
|
||||||
|
\end{align}
|
||||||
|
$$
|
||||||
|
|
||||||
## Canonicity
|
$$
|
||||||
The modulus of the Pallas base field is $p = 2^{254} + t_p,$ where $t_p = 45560315531419706090280762371685220353 < 2^{126}.$
|
\begin{array}{|c|l|}
|
||||||
|
\hline
|
||||||
|
\text{Degree} & \text{Constraint} \\\hline
|
||||||
|
2 & q_{\NoteCommit,1} \cdot (b - (b_0 + b_1 \cdot 2^4 + b_2 \cdot 2^5 + b_3 \cdot 2^6)) = 0 \\\hline
|
||||||
|
2 & q_{\NoteCommit,1} \cdot (d - (d_0 + d_1 \cdot 2 + d_2 \cdot 2^2 + d_3 \cdot 2^{10})) = 0 \\\hline
|
||||||
|
2 & q_{\NoteCommit,1} \cdot (e - (e_0 + e_1 \cdot 2^6)) = 0 \\\hline
|
||||||
|
2 & q_{\NoteCommit,1} \cdot (g - (g_0 + g_1 \cdot 2 + g_2 \cdot 2^{10})) = 0 \\\hline
|
||||||
|
2 & q_{\NoteCommit,1} \cdot (h - (h_0 + h_1 \cdot 2^5)) = 0 \\\hline
|
||||||
|
2 & q_{\NoteCommit,1} \cdot (a + b_0 \cdot 2^{250} + b_1 \cdot 2^{254} - \mathsf{x(g_d)}) = 0 \\\hline
|
||||||
|
2 & q_{\NoteCommit,1} \cdot (b_3 + c \cdot 2^4 + d_0 \cdot 2^{254} - \mathsf{x(pk_d)} = 0 \\\hline
|
||||||
|
2 & q_{\NoteCommit,1} \cdot (d_2 + d_3 \cdot 2^8 + e_0 \cdot 2^{58} - \mathsf{v}) = 0 \\\hline
|
||||||
|
2 & q_{\NoteCommit,2} \cdot (e_1 + f \cdot 2^4 + g_0 \cdot 2^{254} - \rho) = 0 \\\hline
|
||||||
|
2 & q_{\NoteCommit,2} \cdot (g_1 + g_2 \cdot 2^9 + h_0 \cdot 2^{249} + h_1 \cdot 2^{254} - \psi) = 0 \\\hline
|
||||||
|
\end{array}
|
||||||
|
$$
|
||||||
|
|
||||||
### $\mathsf{x(g_d)} = a \text{ (250 bits) } || b_0 \text{ (4 bits) } || b_1 \text{ (1 bit) }$
|
## Canonicity checks
|
||||||
We check that $\mathsf{x(g_d)}$ is a canonically-encoded $255$-bit value, i.e. $\mathsf{x(g_d)} < p$. If the high bit is not set $b_1 = 0$, we are guaranteed that $\mathsf{x(g_d)} < 2^{254}$. Thus, we are only interested in cases when $b_1 = 1 \implies \mathsf{x(g_d)} \geq 2^{254}$. In these cases, we check that $\mathsf{x(g_d)}_{0..=253} < t_p < 2^{126}$:
|
|
||||||
|
At this point, we have constrained $\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(g_d)})$,
|
||||||
|
$\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(pk_d)})$,
|
||||||
|
$\ItoLEBSP{\BaseLength{Orchard}}(\rho)$, and $\ItoLEBSP{\BaseLength{Orchard}}(\psi)$ to be
|
||||||
|
255-bit values, with top bits $b_1$, $d_0$, $g_0$, and $h_1$ respectively. We have also
|
||||||
|
constrained:
|
||||||
|
|
||||||
|
$$
|
||||||
|
\begin{align}
|
||||||
|
\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(g_d)}) &= \mathsf{x(g_d)} \pmod{q_\mathbb{P}} \\
|
||||||
|
\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(pk_d)}) &= \mathsf{x(pk_d)} \pmod{q_\mathbb{P}} \\
|
||||||
|
\ItoLEBSP{\BaseLength{Orchard}}(\rho) &= \rho \pmod{q_\mathbb{P}} \\
|
||||||
|
\ItoLEBSP{\BaseLength{Orchard}}(\psi) &= \psi \pmod{q_\mathbb{P}} \\
|
||||||
|
\end{align}
|
||||||
|
$$
|
||||||
|
|
||||||
|
where $q_\mathbb{P}$ is the Pallas base field modulus. The remaining constraints will
|
||||||
|
enforce that these are indeed canonically-encoded field elements, i.e.
|
||||||
|
|
||||||
|
$$
|
||||||
|
\begin{align}
|
||||||
|
\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(g_d)}) &< q_\mathbb{P} \\
|
||||||
|
\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(pk_d)}) &< q_\mathbb{P} \\
|
||||||
|
\ItoLEBSP{\BaseLength{Orchard}}(\rho) &< q_\mathbb{P} \\
|
||||||
|
\ItoLEBSP{\BaseLength{Orchard}}(\psi) &< q_\mathbb{P} \\
|
||||||
|
\end{align}
|
||||||
|
$$
|
||||||
|
|
||||||
|
The Pallas base field modulus has the form $q_\mathbb{P} = 2^{254} + t_\mathbb{P}$, where
|
||||||
|
$$t_\mathbb{P} = \mathtt{0x224698fc094cf91b992d30ed00000001}$$
|
||||||
|
is 126 bits. We therefore know that if the top bit is not set, then the remaining bits
|
||||||
|
will always comprise a canonical encoding of a field element. Thus the canonicity checks
|
||||||
|
below are enforced if and only if the corresponding top bit is set to 1.
|
||||||
|
|
||||||
|
> In the constraints below we use a base-$2^{10}$ variant of the method used in libsnark
|
||||||
|
> (originally from [[SVPBABW2012](https://eprint.iacr.org/2012/598.pdf), Appendix C.1]) for
|
||||||
|
> range constraints $0 \leq x < t$:
|
||||||
|
>
|
||||||
|
> - Let $t'$ be the smallest power of $2^{10}$ greater than $t$.
|
||||||
|
> - Enforce $0 \leq x < t'$.
|
||||||
|
> - Let $x' = x + t' - t$.
|
||||||
|
> - Enforce $0 \leq x' < t'$.
|
||||||
|
|
||||||
|
### $\mathsf{x(g_d)}$ with $b_1 = 1 \implies \mathsf{x(g_d)} \geq 2^{254}$
|
||||||
|
|
||||||
|
In these cases, we check that $\mathsf{x(g_d)}_{0..=253} < t_\mathbb{P} < 2^{126}$:
|
||||||
|
|
||||||
1. $b_1 = 1 \implies b_0 = 0.$
|
1. $b_1 = 1 \implies b_0 = 0.$
|
||||||
Since $b_1 = 1 \implies \mathsf{x(g_d)}_{0..=253} < 2^{126},$ we know that $\mathsf{x(g_d)}_{126..=253} = 0,$ and in particular $b_0 = \mathsf{x(g_d)}_{250..=253} = 0.$
|
|
||||||
|
Since $b_1 = 1 \implies \mathsf{x(g_d)}_{0..=253} < 2^{126},$ we know that
|
||||||
|
$\mathsf{x(g_d)}_{126..=253} = 0,$ and in particular
|
||||||
|
$$b_0 := \mathsf{x(g_d)}_{250..=253} = 0.$$
|
||||||
|
|
||||||
2. $b_1 = 1 \implies 0 \leq a < 2^{126}.$
|
2. $b_1 = 1 \implies 0 \leq a < 2^{126}.$
|
||||||
|
|
||||||
To check that $a < 2^{126}$, we use two constraints:
|
To check that $a < 2^{126}$, we use two constraints:
|
||||||
|
|
||||||
a) $0 \leq a < 2^{130}$. This is expressed in the custom gate as $$b_1 \cdot z_{13,a} = 0,$$ where $z_{13,a}$ is the index-13 running sum output by $\textsf{SinsemillaHash}(a).$
|
a) $0 \leq a < 2^{130}$. This is expressed in the custom gate as
|
||||||
|
$$b_1 \cdot z_{a,13} = 0,$$
|
||||||
|
where $z_{a,13}$ is the index-13 running sum output by $\SinsemillaHash(a).$
|
||||||
|
|
||||||
b) $0 \leq a + 2^{130} - t_p < 2^{130}$. To check this, we decompose $a' = a + 2^{130} - t_p$ into thirteen 10-bit words (little-endian) using a running sum $z_{a'}$, looking up each word in a $10$-bit lookup table. We then enforce in the custom gate that $$b_1 \cdot z_{13, a'} = 0.$$
|
b) $0 \leq a + 2^{130} - t_\mathbb{P} < 2^{130}$. To check this, we decompose
|
||||||
|
$a' = a + 2^{130} - t_\mathbb{P}$ into thirteen 10-bit words (little-endian) using
|
||||||
|
a running sum $z_{a'}$, looking up each word in a $10$-bit lookup table. We then
|
||||||
|
enforce in the custom gate that
|
||||||
|
$$b_1 \cdot z_{a',13} = 0.$$
|
||||||
|
|
||||||
|
$$
|
||||||
|
\begin{array}{|c|l|}
|
||||||
|
\hline
|
||||||
|
\text{Degree} & \text{Constraint} \\\hline
|
||||||
|
3 & q_{\NoteCommit,2} \cdot b_1 \cdot b_0 = 0 \\\hline
|
||||||
|
3 & q_{\NoteCommit,2} \cdot b_1 \cdot z_{a,13} = 0 \\\hline
|
||||||
|
2 & q_{\NoteCommit,1} \cdot (a + 2^{130} - t_\mathbb{P} - a') = 0 \\\hline
|
||||||
|
3 & q_{\NoteCommit,2} \cdot b_1 \cdot z_{a',13} = 0 \\\hline
|
||||||
|
\end{array}
|
||||||
|
$$
|
||||||
|
|
||||||
### $\mathsf{x(pk_d)} = b_3 \text{ (4 bits) } || c \text{ (250 bits) } || d_0 \text{ (1 bit) }$
|
### $\mathsf{x(pk_d)}$ with $d_0 = 1 \implies \mathsf{x(pk_d)} \geq 2^{254}$
|
||||||
We check that $\mathsf{x(pk_d)}$ is a canonically-encoded $255$-bit value, i.e. $\mathsf{x(pk_d)} < p$. If the high bit is not set $d_0 = 0$, we are guaranteed that $\mathsf{x(pk_d)} < 2^{254}$. Thus, we are only interested in cases when $d_0 = 1 \implies \mathsf{x(pk_d)} \geq 2^{254}$. In these cases, we check that $\mathsf{x(pk_d)}_{0..=253} < t_p < 2^{126}$:
|
|
||||||
|
In these cases, we check that $\mathsf{x(pk_d)}_{0..=253} < t_\mathbb{P} < 2^{126}$:
|
||||||
|
|
||||||
|
1. $d_0 = 1 \implies 0 \leq b_3 + 2^{4} \cdot c < 2^{126}.$
|
||||||
|
|
||||||
1. $d_0 = 0 \implies 0 \leq b_3 + 2^{4} \cdot c < 2^{126}.$
|
|
||||||
To check that $0 \leq b_3 + 2^{4} \cdot c < 2^{126},$ we use two constraints:
|
To check that $0 \leq b_3 + 2^{4} \cdot c < 2^{126},$ we use two constraints:
|
||||||
|
|
||||||
a) $0 \leq b_3 + 2^{4} \cdot c < 2^{140}.$ $b_3$ is already constrained individually to be a $4$-bit value. $z_{13, c}$ is the index-13 running sum output by $\textsf{SinsemillaHash}(c).$ By constraining $$d_0 \cdot z_{13,c} = 0,$$ we constrain $b_3 + 2^4 \cdot c < 2^{134} < 2^{140}.$
|
a) $0 \leq b_3 + 2^{4} \cdot c < 2^{140}.$ $b_3$ is already constrained individually
|
||||||
|
to be a $4$-bit value. $z_{c,13}$ is the index-13 running sum output by
|
||||||
|
$\SinsemillaHash(c).$ By constraining $$d_0 \cdot z_{c,13} = 0,$$ we constrain
|
||||||
|
$b_3 + 2^4 \cdot c < 2^{134} < 2^{140}.$
|
||||||
|
|
||||||
b) $0 \leq b_3 + 2^{4} \cdot c + 2^{140} - t_p < 2^{140}$. To check this, we decompose $b' = b_3 + 2^{4} \cdot c + 2^{140} - t_p$ into fourteen 10-bit words (little-endian) using a running sum $z_{b'}$, looking up each word in a $10$-bit lookup table. We then enforce in the custom gate that $$d_0 \cdot z_{14, b'} = 0.$$
|
b) $0 \leq b_3 + 2^{4} \cdot c + 2^{140} - t_\mathbb{P} < 2^{140}$. To check this, we
|
||||||
|
decompose ${b_3}c' = b_3 + 2^{4} \cdot c + 2^{140} - t_\mathbb{P}$ into fourteen
|
||||||
|
10-bit words (little-endian) using a running sum $z_{{b_3}c'}$, looking up each
|
||||||
|
word in a $10$-bit lookup table. We then enforce in the custom gate that
|
||||||
|
$$d_0 \cdot z_{{b_3}c',14} = 0.$$
|
||||||
|
|
||||||
### $\rho = e_1 \text{ (4 bits) } || f \text{ (250 bits) } || g_0 \text{ (1 bit) }$
|
$$
|
||||||
We check that $\rho$ is a canonically-encoded $255$-bit value, i.e. $\rho < p$. If the high bit is not set $g_0 = 0$, we are guaranteed that $\rho < 2^{254}$. Thus, we are only interested in cases when $g_0 = 1 \implies \rho \geq 2^{254}$. In these cases, we check that $\rho_{0..=253} < t_p < 2^{126}$:
|
\begin{array}{|c|l|}
|
||||||
|
\hline
|
||||||
|
\text{Degree} & \text{Constraint} \\\hline
|
||||||
|
3 & q_{\NoteCommit,2} \cdot d_0 \cdot z_{c,13} = 0 \\\hline
|
||||||
|
2 & q_{\NoteCommit,1} \cdot (b_3 + c \cdot 2^4 + 2^{140} - t_\mathbb{P} - {b_3}c') = 0 \\\hline
|
||||||
|
3 & q_{\NoteCommit,2} \cdot d_0 \cdot z_{{b_3}c',14} = 0 \\\hline
|
||||||
|
\end{array}
|
||||||
|
$$
|
||||||
|
|
||||||
|
### $\rho$ with $g_0 = 1 \implies \rho \geq 2^{254}$
|
||||||
|
|
||||||
|
In these cases, we check that $\rho_{0..=253} < t_\mathbb{P} < 2^{126}$:
|
||||||
|
|
||||||
|
1. $g_0 = 1 \implies 0 \leq e_1 + 2^{4} \cdot f < 2^{126}.$
|
||||||
|
|
||||||
1. $g_0 = 0 \implies 0 \leq e_1 + 2^{4} \cdot f < 2^{126}.$
|
|
||||||
To check that $0 \leq e_1 + 2^{4} \cdot f < 2^{126},$ we use two constraints:
|
To check that $0 \leq e_1 + 2^{4} \cdot f < 2^{126},$ we use two constraints:
|
||||||
|
|
||||||
a) $0 \leq e_1 + 2^{4} \cdot f < 2^{140}.$ $e_1$ is already constrained individually to be a $4$-bit value. $z_{13, f}$ is the index-13 running sum output by $\textsf{SinsemillaHash}(c).$ By constraining $$g_0 \cdot z_{13, f} = 0,$$ we constrain $e_1 + 2^4 \cdot f < 2^{134} < 2^{140}.$
|
a) $0 \leq e_1 + 2^{4} \cdot f < 2^{140}.$ $e_1$ is already constrained individually
|
||||||
|
to be a $4$-bit value. $z_{f,13}$ is the index-13 running sum output by
|
||||||
|
$\SinsemillaHash(f).$ By constraining $$g_0 \cdot z_{f,13} = 0,$$ we constrain
|
||||||
|
$e_1 + 2^4 \cdot f < 2^{134} < 2^{140}.$
|
||||||
|
|
||||||
b) $0 \leq e_1 + 2^{4} \cdot f + 2^{140} - t_p < 2^{140}$. To check this, we decompose $e' = e_1 + 2^{4} \cdot f + 2^{140} - t_p$ into fourteen 10-bit words (little-endian) using a running sum $z_{e'}$, looking up each word in a $10$-bit lookup table. We then enforce in the custom gate that $$g_0 \cdot z_{14, e'} = 0.$$
|
b) $0 \leq e_1 + 2^{4} \cdot f + 2^{140} - t_\mathbb{P} < 2^{140}$. To check this, we
|
||||||
|
decompose ${e_1}f' = e_1 + 2^{4} \cdot f + 2^{140} - t_\mathbb{P}$ into fourteen
|
||||||
|
10-bit words (little-endian) using a running sum $z_{{e_1}f'}$, looking up each
|
||||||
|
word in a $10$-bit lookup table. We then enforce in the custom gate that
|
||||||
|
$$g_0 \cdot z_{{e_1}f',14} = 0.$$
|
||||||
|
|
||||||
### $\psi = g_1 \text{ (9 bits) } || g_2 \text{ (240 bits) } || h_0 \text{ (5 bits) } || h_1 \text{ (1 bit) }$
|
$$
|
||||||
We check that $\psi$ is a canonically-encoded $255$-bit value, i.e. $\psi < p$. If the high bit is not set $h_1 = 0$, we are guaranteed that $\psi < 2^{254}$. Thus, we are only interested in cases when $h_1 = 1 \implies \psi \geq 2^{254}$. In these cases, we check that $\psi_{0..=253} < t_p < 2^{126}$:
|
\begin{array}{|c|l|}
|
||||||
|
\hline
|
||||||
|
\text{Degree} & \text{Constraint} \\\hline
|
||||||
|
3 & q_{\NoteCommit,2} \cdot g_0 \cdot z_{f,13} = 0 \\\hline
|
||||||
|
2 & q_{\NoteCommit,1} \cdot (e_1 + f \cdot 2^4 + 2^{140} - t_\mathbb{P} - {e_1}f') = 0 \\\hline
|
||||||
|
3 & q_{\NoteCommit,2} \cdot g_0 \cdot z_{{e_1}f',14} = 0 \\\hline
|
||||||
|
\end{array}
|
||||||
|
$$
|
||||||
|
|
||||||
1. $h_1 = 0 \implies h_0 = 0.$
|
### $\psi$ with $h_1 = 1 \implies \psi \geq 2^{254}$
|
||||||
Since $h_1 = 1 \implies \psi_{0..=253} < 2^{126},$ we know that $\psi_{126..=253} = 0,$ and in particular $h_0 = \psi_{249..=253} = 0.$ So, we constrain $$h_1 \cdot h_0 = 0.$$
|
|
||||||
|
In these cases, we check that $\psi_{0..=253} < t_\mathbb{P} < 2^{126}$:
|
||||||
|
|
||||||
|
1. $h_1 = 1 \implies h_0 = 0.$
|
||||||
|
|
||||||
|
Since $h_1 = 1 \implies \psi_{0..=253} < 2^{126},$ we know that $\psi_{126..=253} = 0,$
|
||||||
|
and in particular $h_0 := \psi_{249..=253} = 0.$
|
||||||
|
|
||||||
|
2. $h_1 = 1 \implies 0 \leq g_1 + 2^{9} \cdot g_2 < 2^{126}.$
|
||||||
|
|
||||||
2. $h_1 = 0 \implies 0 \leq g_1 + 2^{9} \cdot g_2 < 2^{126}.$
|
|
||||||
To check that $0 \leq g_1 + 2^{9} \cdot g_2 < 2^{126},$ we use two constraints:
|
To check that $0 \leq g_1 + 2^{9} \cdot g_2 < 2^{126},$ we use two constraints:
|
||||||
|
|
||||||
a) $0 \leq g_1 + 2^{9} \cdot g_2 < 2^{140}.$ $e_1$ is already constrained individually to be a $4$-bit value. $z_{13, f}$ is the index-13 running sum output by $\textsf{SinsemillaHash}(c).$ By constraining $$h_1 \cdot z_{13, f} = 0,$$ we constrain $e_1 + 2^4 \cdot f < 2^{134} < 2^{140}.$
|
a) $0 \leq g_1 + 2^{9} \cdot g_2 < 2^{140}.$ $g_1$ is already constrained individually
|
||||||
|
to be a $9$-bit value. $z_{g,13}$ is the index-13 running sum output by
|
||||||
|
$\SinsemillaHash(g).$ By constraining $$h_1 \cdot z_{g,13} = 0,$$ we constrain
|
||||||
|
$g_1 + 2^9 \cdot g_2 < 2^{129} < 2^{140}.$
|
||||||
|
|
||||||
b) $0 \leq g_1 + 2^{9} \cdot g_2 + 2^{140} - t_p < 2^{140}$. To check this, we decompose $e' = g_1 + 2^{9} \cdot g_2 + 2^{140} - t_p$ into fourteen 10-bit words (little-endian) using a running sum $z_{e'}$, looking up each word in a $10$-bit lookup table. We then enforce in the custom gate that $$h_1 \cdot z_{14, e'} = 0.$$
|
b) $0 \leq g_1 + 2^{9} \cdot g_2 + 2^{140} - t_\mathbb{P} < 2^{140}$. To check this,
|
||||||
|
we decompose ${g_1}{g_2}' = g_1 + 2^{9} \cdot g_2 + 2^{140} - t_\mathbb{P}$ into
|
||||||
|
fourteen 10-bit words (little-endian) using a running sum $z_{{g_1}{g_2}'}$,
|
||||||
|
looking up each word in a $10$-bit lookup table. We then enforce in the custom gate
|
||||||
|
that $$h_1 \cdot z_{{g_1}{g_2}',14} = 0.$$
|
||||||
|
|
||||||
|
$$
|
||||||
|
\begin{array}{|c|l|}
|
||||||
|
\hline
|
||||||
|
\text{Degree} & \text{Constraint} \\\hline
|
||||||
|
3 & q_{\NoteCommit,2} \cdot h_1 \cdot h_0 = 0 \\\hline
|
||||||
|
3 & q_{\NoteCommit,2} \cdot h_1 \cdot z_{g,13} = 0 \\\hline
|
||||||
|
2 & q_{\NoteCommit,1} \cdot (g_1 + g_2 \cdot 2^9 + 2^{140} - t_\mathbb{P} - {g_1}{g_2}') = 0 \\\hline
|
||||||
|
3 & q_{\NoteCommit,2} \cdot g_0 \cdot z_{{g_1}{g_2}',14} = 0 \\\hline
|
||||||
|
\end{array}
|
||||||
|
$$
|
||||||
|
|
||||||
|
## Region layout
|
||||||
|
|
||||||
|
The constraints controlled by the $(q_{\NoteCommit,1}, q_{\NoteCommit,2})$ selectors are
|
||||||
|
arranged in a single region across 10 advice columns, requiring four rows.
|
||||||
|
|
||||||
|
$$
|
||||||
|
\begin{array}{|c|c|c|c|c|c|c|c|c|c|cc}
|
||||||
|
& & & & & & & & & & q_{\NoteCommit,1} & q_{\NoteCommit,2} \\\hline
|
||||||
|
a' & {b_3}c' & {e_1}f' & {g_1}{g_2}' & a & b & b_2 & b_3 & c & d & 0 & 0 \\\hline
|
||||||
|
d_1 & d_2 & z_{d,1} & e & e_0 & e_1 & f & g & g_1 & h & 1 & 0 \\\hline
|
||||||
|
h_0 & h_1 & x(g_d) & x(pk_d) & v & b_0 & b_1 & d_0 & g_0 & z_{g,1} & 0 & 1 \\\hline
|
||||||
|
z_{a',13} & z_{{b_3}c',14} & z_{{e_1}f',14} & z_{{g_1}{g_2}',14} & z_{a,13} & z_{c,13} & z_{f,13} & z_{g,13} & \psi & \rho & 0 & 0 \\\hline
|
||||||
|
\end{array}
|
||||||
|
$$
|
||||||
|
|
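Review bot: the last row of the ψ canonicity table gates on the wrong top bit: `3 & q_{\NoteCommit,2} \cdot g_0 \cdot z_{{g_1}{g_2}',14} = 0` should multiply by h_1, as in the prose directly above it (`h_1 \cdot z_{{g_1}{g_2}',14} = 0`) and the other three rows of that table. As written it ties ψ's second range check to ρ's top bit, so it is skipped exactly when it is needed (h_1 = 1, g_0 = 0) and applied when it is not (g_0 = 1, h_1 = 0), which would reject a canonical ψ whenever g_1 + 2^9 g_2 ≥ t_P. Two smaller points in the same hunk: the x(pk_d) decomposition row `2 & q_{\NoteCommit,1} \cdot (b_3 + c \cdot 2^4 + d_0 \cdot 2^{254} - \mathsf{x(pk_d)} = 0` is missing the closing parenthesis before `= 0`, and the new display blocks mix `\begin{align}` (decomposition and canonicity statements) with the `\begin{aligned}` the rest of the page uses inside `$$`; picking one keeps the rendering consistent across the book.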