mirror of https://github.com/zcash/halo2.git
[book] merkle-crh.md: formatting.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
ed20d539b2
commit
4a5a4cc437
|
@ -3,23 +3,23 @@
|
|||
## Message decomposition
|
||||
$\mathsf{SinsemillaHash}$ is used in the [$\mathsf{MerkleCRH^{Orchard}}$ hash function](https://zips.z.cash/protocol/protocol.pdf#orchardmerklecrh). The input to $\mathsf{SinsemillaHash}$ is:
|
||||
|
||||
$$l_{\star} || \textsf{left}_{\star} || \textsf{right}_{\star}, $$
|
||||
$${l\star} \,||\, {\textsf{left}\star} \,||\, {\textsf{right}\star},$$
|
||||
|
||||
where:
|
||||
- $l_{\star} = \textsf{I2LEBSP}_{10}(l) = \textsf{I2LEBSP}_{10}(\textsf{MerkleDepth}^\textsf{Orchard} - 1 - \textsf{layer})$,
|
||||
- $\textsf{left}_{\star} = \textsf{I2LEBSP}_{\ell_{\textsf{Merkle}}^{\textsf{Orchard}}}(\textsf{left})$,
|
||||
- $\textsf{right}_{\star} = \textsf{I2LEBSP}_{\ell_{\textsf{Merkle}}^{\textsf{Orchard}}}(\textsf{right})$,
|
||||
- ${l\star} = \textsf{I2LEBSP}_{10}(l) = \textsf{I2LEBSP}_{10}(\textsf{MerkleDepth}^\textsf{Orchard} - 1 - \textsf{layer})$,
|
||||
- ${\textsf{left}\star} = \textsf{I2LEBSP}_{\ell_{\textsf{Merkle}}^{\textsf{Orchard}}}(\textsf{left})$,
|
||||
- ${\textsf{right}\star} = \textsf{I2LEBSP}_{\ell_{\textsf{Merkle}}^{\textsf{Orchard}}}(\textsf{right})$,
|
||||
|
||||
where $\ell_{\textsf{Merkle}}^{\textsf{Orchard}} = 255.$ $\textsf{left}$ and $\textsf{right}$ are allowed to be non-canonical $255$-bit encodings.
|
||||
with $\ell_{\textsf{Merkle}}^{\textsf{Orchard}} = 255.$ $\textsf{left}$ and $\textsf{right}$ are allowed to be non-canonical $255$-bit encodings.
|
||||
|
||||
We break these inputs into the following `MessagePiece`s:
|
||||
|
||||
$$
|
||||
\begin{aligned}
|
||||
a \text{ (250 bits)} &= a_0||a_1 \\
|
||||
&= l_\star || (\text{bits } 0..=239 \text{ of } \textsf{ left }) \\
|
||||
b \text{ (20 bits)} &= b_0||b_1||b_2 \\
|
||||
&= (\text{bits } 240..=249 \text{ of } \textsf{left}) || (\text{bits } 250..=254 \text{ of } \textsf{left}) || (\text{bits } 0..=4 \text{ of } \textsf{right}) \\
|
||||
a \text{ (250 bits)} &= a_0 \,||\, a_1 \\
|
||||
&= {l\star} \,||\, (\text{bits } 0..=239 \text{ of } \textsf{ left }) \\
|
||||
b \text{ (20 bits)} &= b_0 \,||\, b_1 \,||\, b_2 \\
|
||||
&= (\text{bits } 240..=249 \text{ of } \textsf{left}) \,||\, (\text{bits } 250..=254 \text{ of } \textsf{left}) \,||\, (\text{bits } 0..=4 \text{ of } \textsf{right}) \\
|
||||
c \text{ (250 bits)} &= \text{bits } 5..=254 \text{ of } \textsf{right}
|
||||
\end{aligned}
|
||||
$$
|
||||
|
@ -35,7 +35,7 @@ $$
|
|||
\begin{aligned}
|
||||
z_{1,a} &= \frac{a - a_0}{2^{10}}\\
|
||||
&= a_1 \\
|
||||
\implies a_0 &= a - (z_{1,a} \cdot 2^{10}).
|
||||
\implies a_0 &= a - z_{1,a} \cdot 2^{10}.
|
||||
\end{aligned}
|
||||
$$
|
||||
$l + 1$ is loaded into a fixed column at each layer of the hash. It is used both as a gate selector, and to fix the value of $l$. We check that $$a_0 = (l + 1) - 1.$$
|
||||
|
@ -66,4 +66,4 @@ and we use them to reconstruct the original field element inputs:
|
|||
4. $\mathsf{right} = b_2 + 2^5 \cdot c$
|
||||
|
||||
## Circuit components
|
||||
The Orchard circuit spans $10$ advice columns while the $\textsf{Sinsemilla}$ chip only uses $5$ advice columns. We distribute the path hashing evenly across two $\textsf{Sinsemilla}$ chips to make better use of the available circuit area. Since the output from the previous layer hash is copied into the next layer hash, we maintain continuity even when moving from one chip to the other.
|
||||
The Orchard circuit spans $10$ advice columns while the $\textsf{Sinsemilla}$ chip only uses $5$ advice columns. We distribute the path hashing evenly across two $\textsf{Sinsemilla}$ chips to make better use of the available circuit area. Since the output from the previous layer hash is copied into the next layer hash, we maintain continuity even when moving from one chip to the other.
|
||||
|
|
Loading…
Reference in New Issue