Merge pull request #182 from zcash/book-notecommit-optimisations

[book] Document NoteCommit region optimisations
str4d 2021-09-14 02:00:49 +01:00 committed by GitHub
commit 9705ebf353
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 334 additions and 205 deletions


@ -26,14 +26,14 @@ chunks:
$$
\begin{aligned}
\DiversifiedTransmitBaseRepr &= a \bconcat b_0 \bconcat b_1 \bconcat b_2 \\
&= (\text{bits 0..=249 of } \mathsf{x(g_d)}) \bconcat
(\text{bits 250..=253 of } \mathsf{x(g_d)}) \bconcat
(\text{bit 254 of } \mathsf{x(g_d)}) \bconcat
&= (\text{bits 0..=249 of } x(\mathsf{g_d})) \bconcat
(\text{bits 250..=253 of } x(\mathsf{g_d})) \bconcat
(\text{bit 254 of } x(\mathsf{g_d})) \bconcat
(ỹ \text{ bit of } \mathsf{g_d}) \\
\DiversifiedTransmitPublicRepr &= b_3 \bconcat c \bconcat d_0 \bconcat d_1 \\
&= (\text{bits 0..=3 of } \mathsf{x(pk_d)}) \bconcat
(\text{bits 4..=253 of } \mathsf{x(pk_d)}) \bconcat
(\text{bit 254 of } \mathsf{x(pk_d)}) \bconcat
&= (\text{bits 0..=3 of } x(\mathsf{pk_d})) \bconcat
(\text{bits 4..=253 of } x(\mathsf{pk_d})) \bconcat
(\text{bit 254 of } x(\mathsf{pk_d})) \bconcat
(ỹ \text{ bit of } \mathsf{pk_d}) \\
\ItoLEBSP{64}(v) &= d_2 \bconcat d_3 \bconcat e_0 \\
&= (\text{bits 0..=7 of } v) \bconcat
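Review bot: Style only, while these lines are being retouched: the coordinate terms now read `x(\mathsf{g_d})` and `x(\mathsf{pk_d})`, but the adjacent `(ỹ \text{ bit of } \mathsf{g_d})` and `(ỹ \text{ bit of } \mathsf{pk_d})` still put a precomposed Unicode `ỹ` glyph inside math mode, whose rendering depends on the math engine the book is built with; `\tilde{y}` renders the same everywhere and matches the macro-based notation used for the rest of these lines.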
@ -86,168 +86,180 @@ However, we need additional constraints to enforce that:
$\DiversifiedTransmitPublic$, $\rho$, and $\psi$ (or else the prover could witness
multiple equivalent inputs to $\SinsemillaCommit$).
Some of these constraints are implemented with reusable circuit gadgets. We define a
custom gate controlled by a pair of selectors $(q_{\NoteCommit,1}, q_{\NoteCommit,2})$ to
hold the remaining constraints. We will need to witness 40 separate variables in a single
region, so we use two selectors that we activate on adjacent rows, in order to limit the
required rotations to the set `[Rotation::prev(), Rotation::cur(), Rotation::next()]`.
Some of these constraints are implemented with a reusable circuit gadget,
$\ShortLookupRangeCheck{}$. We define custom gates for the remainder. Since these gates
use simple boolean selectors activated on different rows, their selectors are eligible
for combining, reducing the overall proof size.
## Bit length constraints
## Message piece decomposition
Chunks $a$, $c$, and $f$ are directly constrained by Sinsemilla. For the remaining chunks,
we use the following constraints:
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
& \ShortLookupRangeCheck{b_0, 4} \\\hline
& \ShortLookupRangeCheck{b_3, 4} \\\hline
& \ShortLookupRangeCheck{d_2, 8} \\\hline
& \ShortLookupRangeCheck{e_0, 6} \\\hline
& \ShortLookupRangeCheck{e_1, 4} \\\hline
& \ShortLookupRangeCheck{g_1, 9} \\\hline
& \ShortLookupRangeCheck{h_0, 5} \\\hline
3 & q_{\NoteCommit,1} \cdot \BoolCheck{b_1} = 0 \\\hline
3 & q_{\NoteCommit,1} \cdot \BoolCheck{b_2} = 0 \\\hline
3 & q_{\NoteCommit,1} \cdot \BoolCheck{d_0} = 0 \\\hline
3 & q_{\NoteCommit,1} \cdot \BoolCheck{d_1} = 0 \\\hline
3 & q_{\NoteCommit,1} \cdot \BoolCheck{g_0} = 0 \\\hline
3 & q_{\NoteCommit,1} \cdot \BoolCheck{h_1} = 0 \\\hline
& d_3 := z_{d,1} \\\hline
& g_2 := z_{g,1} \\\hline
\end{array}
$$
where:
- $\BoolCheck{x} = x \cdot (1 - x)$.
- $\ShortLookupRangeCheck{}$ is a [short lookup range check](../decomposition.md#short-range-check).
- $z_{d,1}$ is the index-1 running sum output of $\SinsemillaHash(d),$ constrained by the
hash to be 50 bits.
- $z_{g,1}$ is the index-1 running sum output of $\SinsemillaHash(g),$ constrained by the
hash to be 240 bits.
- $d_3$ and $g_2$ are equality-constrained to their respective running sum outputs.
## Decomposition constraints
We have now derived or witnessed every subpiece, and range-constrained every subpiece:
We check the decomposition of each message piece in its own region. There is no need to
check the whole pieces:
- $a$ ($250$ bits) is witnessed and constrained outside the gate;
- $b_0$ ($4$ bits) is witnessed and constrained outside the gate;
- $b_1$ ($1$ bit) is witnessed and boolean-constrained in the gate;
- $b_2$ ($1$ bit) is witnessed and boolean-constrained in the gate;
- $b_3$ ($4$ bits) is witnessed and constrained outside the gate;
- $c$ ($250$ bits) is witnessed and constrained outside the gate;
- $d_0$ ($1$ bit) is witnessed and boolean-constrained in the gate;
- $d_1$ ($1$ bit) is witnessed and boolean-constrained in the gate;
- $d_2$ ($8$ bits) is witnessed and constrained outside the gate;
- $d_3$ ($50$ bits), equal to $z_{d,1}$;
- $e_0$ ($6$ bits) is witnessed and constrained outside the gate;
- $e_1$ ($4$ bit) is witnessed and constrained outside the gate;
- $f$ ($250$ bits) is witnessed and constrained outside the gate;
- $g_0$ ($1$ bit) is witnessed and boolean-constrained in the gate;
- $g_1$ ($9$ bits) is witnessed and constrained outside the gate;
- $g_2$ ($240$ bits), equal to $z_{g,1}$;
- $h_0$ ($5$ bits) is witnessed and constrained outside the gate;
- $h_1$ ($1$ bit) is witnessed and boolean-constrained in the gate;
- $h_2$ ($4$ bit) is a zero term, and can be omitted as the other chunks will not overlap it.
We can now use them to reconstruct both the (chunked) message pieces, and the original
field element inputs:
The following helper gates are defined:
- $\BoolCheck{x} = x \cdot (1 - x)$.
- $\ShortLookupRangeCheck{}$ is a
[short lookup range check](../decomposition.md#short-range-check).
$$
\begin{align}
b &= b_0 + 2^4 \cdot b_1 + 2^5 \cdot b_2 + 2^6 \cdot b_3 \\
d &= d_0 + 2 \cdot d_1 + 2^2 \cdot d_2 + 2^{10} \cdot d_3 \\
e &= e_0 + 2^6 \cdot e_1 \\
g &= g_0 + 2 \cdot g_1 + 2^{10} \cdot g_2 \\
h &= h_0 + 2^5 \cdot h_1 \\
\mathsf{x(g_d)} &= a + 2^{250} \cdot b_0 + 2^{254} \cdot b_1 \\
\mathsf{x(pk_d)} &= b_3 + 2^4 \cdot c + 2^{254} \cdot d_0 \\
\mathsf{v} &= d_2 + 2^8 \cdot d_3 + 2^{58} \cdot e_0 \\
\rho &= e_1 + 2^4 \cdot f + 2^{254} \cdot g_0 \\
\psi &= g_1 + 2^9 \cdot g_2 + 2^{249} \cdot h_0 + 2^{254} \cdot h_1 \\
\end{align}
$$
### $b = b_0 \bconcat b_1 \bconcat b_2 \bconcat b_3$
$b$ has been constrained to be $10$ bits by the Sinsemilla hash.
#### Region layout
$$
\begin{array}{|c|l|}
\begin{array}{|c|c|c|c|}
\hline
\text{Degree} & \text{Constraint} \\\hline
2 & q_{\NoteCommit,1} \cdot (b - (b_0 + b_1 \cdot 2^4 + b_2 \cdot 2^5 + b_3 \cdot 2^6)) = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (d - (d_0 + d_1 \cdot 2 + d_2 \cdot 2^2 + d_3 \cdot 2^{10})) = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (e - (e_0 + e_1 \cdot 2^6)) = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (g - (g_0 + g_1 \cdot 2 + g_2 \cdot 2^{10})) = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (h - (h_0 + h_1 \cdot 2^5)) = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (a + b_0 \cdot 2^{250} + b_1 \cdot 2^{254} - \mathsf{x(g_d)}) = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (b_3 + c \cdot 2^4 + d_0 \cdot 2^{254} - \mathsf{x(pk_d)} = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (d_2 + d_3 \cdot 2^8 + e_0 \cdot 2^{58} - \mathsf{v}) = 0 \\\hline
2 & q_{\NoteCommit,2} \cdot (e_1 + f \cdot 2^4 + g_0 \cdot 2^{254} - \rho) = 0 \\\hline
2 & q_{\NoteCommit,2} \cdot (g_1 + g_2 \cdot 2^9 + h_0 \cdot 2^{249} + h_1 \cdot 2^{254} - \psi) = 0 \\\hline
A_6 & A_7 & A_8 & q_{\NoteCommit,b} \\\hline
b & b_0 & b_1 & 1 \\\hline
& b_2 & b_3 & 0 \\\hline
\end{array}
$$
Note that only the $ỹ$ LSB of the $y$-coordinates $\mathsf{y(g_d), y(pk_d)}$ was input to the hash, while the other bits of the $y$-coordinate were unused. However, we must still check that the witnessed $ỹ$ bit matches the original point's $y$-coordinate. The checks for $\mathsf{y(g_d), y(pk_d)}$ will follow the same format. For each $y$-coordinate, we witness:
$$
\begin{align}
y &= \textsf{LSB} \bconcat k_0 \bconcat k_1 \bconcat k_2 \bconcat k_3\\
&= \textsf{LSB}
\bconcat \text{ (bits $1..=9$ of $y$) }
\bconcat \text{ (bits $10..=249$ of $y$) }
\bconcat \text{ (bits $250..=253$ of $y$) }
\bconcat \text{ (bit $254$ of $y$) },
\end{align}
$$
where $\textsf{LSB}$ is $b_2$ for $\mathsf{y(g_d)}$, and $d_1$ for $\mathsf{y(pk_d)}$. Let $$j = \textsf{LSB} + 2 \cdot k_0 + 2^{10} \cdot k_1.$$ We decompose $j$ to be $250$ bits using a strict $25-$word [ten-bit lookup](../decomposition.md#lookup-decomposition). The running sum outputs allow us to susbstitute $k_1 = z_{j, 1}.$
Recall that $b_2 = ỹ(g_d)$ and $d_1 = ỹ(pk_d)$ were pieces input to the Sinsemilla hash and have already been boolean-constrained. To constrain the remaining chunks, we use the following constraints:
#### Constraints
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
& \ShortLookupRangeCheck{k_0, 9} \\\hline
& \ShortLookupRangeCheck{k_2, 4} \\\hline
3 & q_{\NoteCommit,3} \cdot \BoolCheck{k_3} = 0 \\\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,b} \cdot \BoolCheck{b_1} = 0 \\\hline
3 & q_{\NoteCommit,b} \cdot \BoolCheck{b_2} = 0 \\\hline
2 & q_{\NoteCommit,b} \cdot (b - (b_0 + b_1 \cdot 2^4 + b_2 \cdot 2^5 + b_3 \cdot 2^6)) = 0 \\\hline
\end{array}
$$
Then, to check that the decomposition was correct:
Outside this gate, we have constrained:
- $\ShortLookupRangeCheck{b_0, 4}$
- $\ShortLookupRangeCheck{b_3, 4}$
### $d = d_0 \bconcat d_1 \bconcat d_2 \bconcat d_3$
$d$ has been constrained to be $60$ bits by the $\SinsemillaHash$.
#### Region layout
$$
\begin{array}{|c|c|c|c|}
\hline
A_6 & A_7 & A_8 & q_{\NoteCommit,d} \\\hline
d & d_0 & d_1 & 1 \\\hline
& d_2 & d_3 & 0 \\\hline
\end{array}
$$
#### Constraints
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
2 & q_{\NoteCommit,3} \cdot \left(j - (\textsf{LSB} + k_0 \cdot 2 + k_1 \cdot 2^{10}) \right) = 0 \\\hline
2 & q_{\NoteCommit,3} \cdot \left(y - (j + k_2 \cdot 2^{250} + k_3 \cdot 2^{254}) \right) = 0 \\\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,d} \cdot \BoolCheck{d_0} = 0 \\\hline
3 & q_{\NoteCommit,d} \cdot \BoolCheck{d_1} = 0 \\\hline
2 & q_{\NoteCommit,d} \cdot (d - (d_0 + d_1 \cdot 2 + d_2 \cdot 2^2 + d_3 \cdot 2^{10})) = 0 \\\hline
\end{array}
$$
## Canonicity checks
Outside this gate, we have constrained:
- $\ShortLookupRangeCheck{d_2, 8}$
- $d_3$ is equality-constrained to $z_{d,1}$, where the latter is the index-1 running sum
output of $\SinsemillaHash(d),$ constrained by the hash to be $50$ bits.
At this point, we have constrained $\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(g_d)})$,
$\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(pk_d)})$,
$\ItoLEBSP{\BaseLength{Orchard}}(\rho)$, and $\ItoLEBSP{\BaseLength{Orchard}}(\psi)$ to be
255-bit values, with top bits $b_1$, $d_0$, $g_0$, and $h_1$ respectively. We have also
constrained:
### $e = e_0 \bconcat e_1$
$e$ has been constrained to be $10$ bits by the $\SinsemillaHash$.
#### Region layout
$$
\begin{array}{|c|c|c|c|}
\hline
A_6 & A_7 & A_8 & q_{\NoteCommit,e} \\\hline
e & e_0 & e_1 & 1 \\\hline
\end{array}
$$
#### Constraints
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
2 & q_{\NoteCommit,e} \cdot (e - (e_0 + e_1 \cdot 2^6)) = 0 \\\hline
\end{array}
$$
Outside this gate, we have constrained:
- $\ShortLookupRangeCheck{e_0, 6}$
- $\ShortLookupRangeCheck{e_1, 4}$
### $g = g_0 \bconcat g_1 \bconcat g_2$
$g$ has been constrained to be $250$ bits by the $\SinsemillaHash$.
#### Region layout
$$
\begin{array}{|c|c|c|c|}
\hline
A_6 & A_7 & q_{\NoteCommit,g} \\\hline
g & g_0 & 1 \\\hline
g_1 & g_2 & 0 \\\hline
\end{array}
$$
#### Constraints
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,g} \cdot \BoolCheck{g_0} = 0 \\\hline
2 & q_{\NoteCommit,g} \cdot (g - (g_0 + g_1 \cdot 2 + g_2 \cdot 2^{10})) = 0 \\\hline
\end{array}
$$
Outside this gate, we have constrained:
- $\ShortLookupRangeCheck{g_1, 9}$
- $g_2$ is equality-constrained to $z_{g,1}$, where the latter is the index-1 running sum
output of $\SinsemillaHash(g),$ constrained by the hash to be 240 bits.
### $h = h_0 \bconcat h_1 \bconcat h_2$
$h$ has been constrained to be $10$ bits by the $\SinsemillaHash$.
#### Region layout
$$
\begin{array}{|c|c|c|c|}
\hline
A_6 & A_7 & A_8 & q_{\NoteCommit,h} \\\hline
h & h_0 & h_1 & 1 \\\hline
\end{array}
$$
#### Constraints
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,h} \cdot \BoolCheck{h_1} = 0 \\\hline
2 & q_{\NoteCommit,h} \cdot (h - (h_0 + h_1 \cdot 2^5)) = 0 \\\hline
\end{array}
$$
Outside this gate, we have constrained:
- $\ShortLookupRangeCheck{h_0, 5}$
## Field element checks
All message pieces and subpieces have been range-constrained by the earlier decomposition
gates. They are now used to:
- constrain each field element $\ItoLEBSP{\BaseLength{Orchard}}(x(\mathsf{g_d}))$,
$\ItoLEBSP{\BaseLength{Orchard}}(x(\mathsf{pk_d}))$,
$\ItoLEBSP{\BaseLength{Orchard}}(\rho)$, and $\ItoLEBSP{\BaseLength{Orchard}}(\psi)$ to
be 255-bit values, with top bits $b_1$, $d_0$, $g_0$, and $h_1$ respectively.
- constrain $$
\begin{align}
\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(g_d)}) &= \mathsf{x(g_d)} \pmod{q_\mathbb{P}} \\
\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(pk_d)}) &= \mathsf{x(pk_d)} \pmod{q_\mathbb{P}} \\
\ItoLEBSP{\BaseLength{Orchard}}(x(\mathsf{g_d})) &= x(\mathsf{g_d}) \pmod{q_\mathbb{P}} \\
\ItoLEBSP{\BaseLength{Orchard}}(x(\mathsf{pk_d})) &= x(\mathsf{pk_d}) \pmod{q_\mathbb{P}} \\
\ItoLEBSP{\BaseLength{Orchard}}(\rho) &= \rho \pmod{q_\mathbb{P}} \\
\ItoLEBSP{\BaseLength{Orchard}}(\psi) &= \psi \pmod{q_\mathbb{P}} \\
\end{align}
$$
where $q_\mathbb{P}$ is the Pallas base field modulus. The remaining constraints will
enforce that these are indeed canonically-encoded field elements, i.e.
$$
where $q_\mathbb{P}$ is the Pallas base field modulus.
- check that these are indeed canonically-encoded field elements, i.e. $$
\begin{align}
\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(g_d)}) &< q_\mathbb{P} \\
\ItoLEBSP{\BaseLength{Orchard}}(\mathsf{x(pk_d)}) &< q_\mathbb{P} \\
\ItoLEBSP{\BaseLength{Orchard}}(x(\mathsf{g_d})) &< q_\mathbb{P} \\
\ItoLEBSP{\BaseLength{Orchard}}(x(\mathsf{pk_d})) &< q_\mathbb{P} \\
\ItoLEBSP{\BaseLength{Orchard}}(\rho) &< q_\mathbb{P} \\
\ItoLEBSP{\BaseLength{Orchard}}(\psi) &< q_\mathbb{P} \\
\end{align}
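Review bot: The new lead sentence "We check the decomposition of each message piece in its own region. There is no need to check the whole pieces:" introduces a list that enumerates the subpieces and how each one is constrained, not a reason for skipping the whole pieces; the reason (each whole piece's bit length is already fixed by $\SinsemillaHash$, as the per-piece sections below say, e.g. "$d$ has been constrained to be $60$ bits by the $\SinsemillaHash$") belongs here, for instance "The whole pieces are range-constrained by the Sinsemilla hash; the subpieces are constrained as follows:". One smaller point in the same hunk: the $g$ region layout declares `\begin{array}{|c|c|c|c|}` but its rows carry only three cells (`A_6 & A_7 & q_{\NoteCommit,g}`, `g & g_0 & 1`, `g_1 & g_2 & 0`), which renders a stray empty column; the column spec should be `{|c|c|c|}`.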
@ -268,15 +280,15 @@ below are enforced if and only if the corresponding top bit is set to 1.
> - Let $x' = x + t' - t$.
> - Enforce $0 \leq x' < t'$.
### $\mathsf{x(g_d)}$ with $b_1 = 1 \implies \mathsf{x(g_d)} \geq 2^{254}$
In these cases, we check that $\mathsf{x(g_d)}_{0..=253} < t_\mathbb{P}$:
### $x(\mathsf{g_d})$ with $b_1 = 1 \implies x(\mathsf{g_d}) \geq 2^{254}$
Recall that $x(\mathsf{g_d}) = a + 2^{250} \cdot b_0 + 2^{254} \cdot b_1$. When the top
bit $b_1$ is set, we check that $x(\mathsf{g_d})_{0..=253} < t_\mathbb{P}$:
1. $b_1 = 1 \implies b_0 = 0.$
Since $b_1 = 1 \implies \mathsf{x(g_d)}_{0..=253} < t_\mathbb{P} < 2^{126},$ we know that
$\mathsf{x(g_d)}_{126..=253} = 0,$ and in particular
$$b_0 := \mathsf{x(g_d)}_{250..=253} = 0.$$
Since $b_1 = 1 \implies x(\mathsf{g_d})_{0..=253} < t_\mathbb{P} < 2^{126},$ we know
that $x(\mathsf{g_d})_{126..=253} = 0,$ and in particular
$$b_0 := x(\mathsf{g_d})_{250..=253} = 0.$$
2. $b_1 = 1 \implies 0 \leq a < t_\mathbb{P}.$
@ -292,55 +304,32 @@ In these cases, we check that $\mathsf{x(g_d)}_{0..=253} < t_\mathbb{P}$:
enforce in the custom gate that
$$b_1 \cdot z_{a',13} = 0.$$
#### Region layout
$$
\begin{array}{|c|l|}
\begin{array}{|c|c|c|c|c|}
\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,2} \cdot b_1 \cdot b_0 = 0 \\\hline
3 & q_{\NoteCommit,2} \cdot b_1 \cdot z_{a,13} = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (a + 2^{130} - t_\mathbb{P} - a') = 0 \\\hline
3 & q_{\NoteCommit,2} \cdot b_1 \cdot z_{a',13} = 0 \\\hline
A_6 & A_7 & A_8 & A_9 & q_{\NoteCommit,x(\mathsf{g_d})} \\\hline
x(\mathsf{g_d}) & b_0 & a & z_{a,13} & 1 \\\hline
& b_1 & a' & z_{a',13}& 0 \\\hline
\end{array}
$$
### $\mathsf{y(g_d)}$ with $k_3 = 1 \implies \mathsf{y(g_d)} \geq 2^{254}$
In these cases, we check that $\mathsf{y(g_d)}_{0..=253} < t_\mathbb{P}$:
1. $k_3 = 1 \implies k_2 = 0.$
Since $k_3 = 1 \implies \mathsf{y(g_d)}_{0..=253} < t_\mathbb{P} < 2^{126},$ we know that
$\mathsf{y(g_d)}_{126..=253} = 0,$ and in particular
$$k_2 := \mathsf{y(g_d)}_{250..=253} = 0.$$
2. $k_3 = 1 \implies 0 \leq j < t_\mathbb{P}.$
To check that $j < t_\mathbb{P}$, we use two constraints:
a) $0 \leq j < 2^{130}$. This is expressed in the custom gate as
$$k_3 \cdot z_{j,13} = 0,$$
where $z_{j,13}$ is the index-13 running sum output by the $10$-bit lookup decomposition of $j$.
b) $0 \leq j + 2^{130} - t_\mathbb{P} < 2^{130}$. To check this, we decompose
$j' = j + 2^{130} - t_\mathbb{P}$ into thirteen 10-bit words (little-endian) using
a running sum $z_{j'}$, looking up each word in a $10$-bit lookup table. We then
enforce in the custom gate that
$$k_3 \cdot z_{j',13} = 0.$$
#### Constraints
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,3} \cdot k_3 \cdot k_2 = 0 \\\hline
3 & q_{\NoteCommit,3} \cdot k_3 \cdot z_{j,13} = 0 \\\hline
2 & q_{\NoteCommit,3} \cdot (j + 2^{130} - t_\mathbb{P} - j') = 0 \\\hline
3 & q_{\NoteCommit,3} \cdot k_3 \cdot z_{j',13} = 0 \\\hline
\text{Degree} & \text{Constraint} \\\hline
2 & q_{\NoteCommit,x(\mathsf{g_d})} \cdot (a + b_0 \cdot 2^{250} + b_1 \cdot 2^{254} - x(\mathsf{g_d})) = 0 \\\hline
3 & q_{\NoteCommit,x(\mathsf{g_d})} \cdot b_1 \cdot b_0 = 0 \\\hline
3 & q_{\NoteCommit,x(\mathsf{g_d})} \cdot b_1 \cdot z_{a,13} = 0 \\\hline
2 & q_{\NoteCommit,x(\mathsf{g_d})} \cdot (a + 2^{130} - t_\mathbb{P} - a') = 0 \\\hline
3 & q_{\NoteCommit,x(\mathsf{g_d})} \cdot b_1 \cdot z_{a',13} = 0 \\\hline
\end{array}
$$
### $\mathsf{x(pk_d)}$ with $d_0 = 1 \implies \mathsf{x(pk_d)} \geq 2^{254}$
In these cases, we check that $\mathsf{x(pk_d)}_{0..=253} < t_\mathbb{P}$:
### $x(\mathsf{pk_d})$ with $d_0 = 1 \implies x(\mathsf{pk_d}) \geq 2^{254}$
Recall that $x(\mathsf{pk_d}) = b_3 + 2^4 \cdot c + 2^{254} \cdot d_0$. When the top bit
$d_0$ is set, we check that $x(\mathsf{pk_d})_{0..=253} < t_\mathbb{P}$:
1. $d_0 = 1 \implies 0 \leq b_3 + 2^{4} \cdot c < t_\mathbb{P}.$
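Review bot: The $x(\mathsf{g_d})$ region layout reuses cells that are witnessed elsewhere ($b_0$ and $b_1$ from the $b$ region, $a$ from the Sinsemilla hash input), but the text does not say how the two copies are tied together. Because each region is checked by its own selector, the soundness argument needs these to be equality-constrained copies, the way the document already states it for $d_3$ ("equality-constrained to $z_{d,1}$"); a sentence after the layout such as "$b_0$, $b_1$ and $a$ are copied into this region and equality-constrained to the cells checked in the $b$ region and by the Sinsemilla hash" would close that gap. The same applies to the $x(\mathsf{pk_d})$, $\rho$, $\psi$ and $y$ regions that follow.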
@ -357,22 +346,51 @@ In these cases, we check that $\mathsf{x(pk_d)}_{0..=253} < t_\mathbb{P}$:
word in a $10$-bit lookup table. We then enforce in the custom gate that
$$d_0 \cdot z_{{b_3}c',14} = 0.$$
#### Region layout
$$
\begin{array}{|c|c|c|c|c|}
\hline
A_6 & A_7 & A_8 & A_9 & q_{\NoteCommit,x(\mathsf{pk_d})} \\\hline
x(\mathsf{pk_d}) & b_3 & c & z_{c,13} & 1 \\\hline
& d_0 & b_3c' & z_{b_3c',14} & 0 \\\hline
\end{array}
$$
#### Constraints
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,2} \cdot d_0 \cdot z_{c,13} = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (b_3 + c \cdot 2^4 + 2^{140} - t_\mathbb{P} - {b_3}c') = 0 \\\hline
3 & q_{\NoteCommit,2} \cdot d_0 \cdot z_{{b_3}c',14} = 0 \\\hline
2 & q_{\NoteCommit,x(\mathsf{pk_d})} \cdot (b_3 + c \cdot 2^4 + d_0 \cdot 2^{254} - x(\mathsf{pk_d}) = 0 \\\hline
3 & q_{\NoteCommit,x(\mathsf{pk_d})} \cdot d_0 \cdot z_{c,13} = 0 \\\hline
2 & q_{\NoteCommit,x(\mathsf{pk_d})} \cdot (b_3 + c \cdot 2^4 + 2^{140} - t_\mathbb{P} - {b_3}c') = 0 \\\hline
3 & q_{\NoteCommit,x(\mathsf{pk_d})} \cdot d_0 \cdot z_{{b_3}c',14} = 0 \\\hline
\end{array}
$$
### $\mathsf{y(pk_d)}$
This can be checked in exactly the same way as $\mathsf{y(g_d)}$, with $b_2$ replaced by $d_1$.
### $\mathsf{v} = d_2 + 2^8 \cdot d_3 + 2^{58} \cdot e_0$
#### Region layout
$$
\begin{array}{|c|c|c|c|c|}
\hline
A_6 & A_7 & A_8 & A_9 & q_{\NoteCommit,value} \\\hline
value & d_2 & d_3 & e_0 & 1 \\\hline
\end{array}
$$
#### Constraints
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
2 & q_{\NoteCommit,value} \cdot (d_2 + d_3 \cdot 2^8 + e_0 \cdot 2^{58} - \mathsf{value}) = 0 \\\hline
\end{array}
$$
### $\rho$ with $g_0 = 1 \implies \rho \geq 2^{254}$
In these cases, we check that $\rho_{0..=253} < t_\mathbb{P}$:
Recall that $\rho = e_1 + 2^4 \cdot f + 2^{254} \cdot g_0$. When the top bit $g_0$ is set,
we check that $\rho_{0..=253} < t_\mathbb{P}$:
1. $g_0 = 1 \implies 0 \leq e_1 + 2^{4} \cdot f < t_\mathbb{P}.$
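Review bot: Unbalanced parenthesis in the first $x(\mathsf{pk_d})$ constraint: `2 & q_{\NoteCommit,x(\mathsf{pk_d})} \cdot (b_3 + c \cdot 2^4 + d_0 \cdot 2^{254} - x(\mathsf{pk_d}) = 0` is missing the closing `)` before `= 0` (the removed `\mathsf{x(pk_d)}` line had the same typo, so this is the moment to fix it). Also, the new value region introduces `q_{\NoteCommit,value}`, a bare `value` entry in the layout table and `\mathsf{value}` in its constraint, while the heading directly above it and the rest of the document use $\mathsf{v}$ / $v$ (`\ItoLEBSP{64}(v)`, `\mathsf{v} = d_2 + 2^8 \cdot d_3 + 2^{58} \cdot e_0`); pick one symbol, and if `value` is kept, typeset it as math in the table as well.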
@ -389,24 +407,36 @@ In these cases, we check that $\rho_{0..=253} < t_\mathbb{P}$:
word in a $10$-bit lookup table. We then enforce in the custom gate that
$$g_0 \cdot z_{{e_1}f',14} = 0.$$
#### Region layout
$$
\begin{array}{|c|c|c|c|c|}
\hline
A_6 & A_7 & A_8 & A_9 & q_{\NoteCommit,\rho} \\\hline
\rho & e_1 & f & z_{f,13} & 1 \\\hline
& g_0 & e_1f' & z_{e_1f',14}& 0 \\\hline
\end{array}
$$
#### Constraints
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,2} \cdot g_0 \cdot z_{f,13} = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (e_1 + f \cdot 2^4 + 2^{140} - t_\mathbb{P} - {e_1}f') = 0 \\\hline
3 & q_{\NoteCommit,2} \cdot g_0 \cdot z_{{e_1}f',14} = 0 \\\hline
2 & q_{\NoteCommit,\rho} \cdot (e_1 + f \cdot 2^4 + g_0 \cdot 2^{254} - \rho) = 0 \\\hline
3 & q_{\NoteCommit,\rho} \cdot g_0 \cdot z_{f,13} = 0 \\\hline
2 & q_{\NoteCommit,\rho} \cdot (e_1 + f \cdot 2^4 + 2^{140} - t_\mathbb{P} - {e_1}f') = 0 \\\hline
3 & q_{\NoteCommit,\rho} \cdot g_0 \cdot z_{{e_1}f',14} = 0 \\\hline
\end{array}
$$
### $\psi$ with $h_1 = 1 \implies \psi \geq 2^{254}$
In these cases, we check that $\psi_{0..=253} < t_\mathbb{P}$:
Recall that $\psi = g_1 + 2^9 \cdot g_2 + 2^{249} \cdot h_0 + 2^{254} \cdot h_1$. When the
top bit $h_1$ is set, we check that $\psi_{0..=253} < t_\mathbb{P}$:
1. $h_1 = 1 \implies h_0 = 0.$
Since $h_1 = 1 \implies \psi_{0..=253} < t_\mathbb{P} < 2^{126},$ we know that $\psi_{126..=253} = 0,$
and in particular $h_0 := \psi_{249..=253} = 0.$
Since $h_1 = 1 \implies \psi_{0..=253} < t_\mathbb{P} < 2^{126},$ we know that
$\psi_{126..=253} = 0,$ and in particular $h_0 := \psi_{249..=253} = 0.$
2. $h_1 = 1 \implies 0 \leq g_1 + 2^{9} \cdot g_2 < t_\mathbb{P}.$
@ -423,28 +453,127 @@ In these cases, we check that $\psi_{0..=253} < t_\mathbb{P}$:
looking up each word in a $10$-bit lookup table. We then enforce in the custom gate
that $$h_1 \cdot z_{{g_1}{g_2}',13} = 0.$$
#### Region layout
$$
\begin{array}{|c|c|c|c|c|}
\hline
A_6 & A_7 & A_8 & A_9 & q_{\NoteCommit,\psi} \\\hline
\psi & g_1 & g_2 & z_{g,13} & 1 \\\hline
h_0 & h_1 & g_1g_2' & z_{g_1g_2',13}& 0 \\\hline
\end{array}
$$
#### Constraints
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,2} \cdot h_1 \cdot h_0 = 0 \\\hline
3 & q_{\NoteCommit,2} \cdot h_1 \cdot z_{g,13} = 0 \\\hline
2 & q_{\NoteCommit,1} \cdot (g_1 + g_2 \cdot 2^9 + 2^{130} - t_\mathbb{P} - {g_1}{g_2}') = 0 \\\hline
3 & q_{\NoteCommit,2} \cdot g_0 \cdot z_{{g_1}{g_2}',13} = 0 \\\hline
2 & q_{\NoteCommit,\psi} \cdot (g_1 + g_2 \cdot 2^9 + h_0 \cdot 2^{249} + h_1 \cdot 2^{254} - \psi) = 0 \\\hline
3 & q_{\NoteCommit,\psi} \cdot h_1 \cdot h_0 = 0 \\\hline
3 & q_{\NoteCommit,\psi} \cdot h_1 \cdot z_{g,13} = 0 \\\hline
2 & q_{\NoteCommit,\psi} \cdot (g_1 + g_2 \cdot 2^9 + 2^{130} - t_\mathbb{P} - {g_1}{g_2}') = 0 \\\hline
3 & q_{\NoteCommit,\psi} \cdot h_1 \cdot z_{{g_1}{g_2}',13} = 0 \\\hline
\end{array}
$$
## Region layout
### $y$-coordinate checks
The constraints controlled by the $(q_{\NoteCommit,1}, q_{\NoteCommit,2})$ selectors are
arranged in a single region across 10 advice columns, requiring four rows.
Note that only the $ỹ$ LSB of the $y$-coordinates $y(\mathsf{g_d}), y(\mathsf{pk_d})$ was
input to the hash, while the other bits of the $y$-coordinate were unused. However, we
must still check that the witnessed $ỹ$ bit matches the original point's $y$-coordinate.
The checks for $y(\mathsf{g_d}), y(\mathsf{pk_d})$ will follow the same format. For each
$y$-coordinate, we witness:
$$
\begin{array}{|c|c|c|c|c|c|c|c|c|c|cc}
& & & & & & & & & & q_{\NoteCommit,1} & q_{\NoteCommit,2} \\\hline
b & d & e & g & h & d_1 & x(pk_d) & b_3 & a' & b_2 & 0 & 0 \\\hline
{e_1}f' & {g_1}{g_2}' & v & d_2 & z_{d,1} & e_0 &{b_3}{c}' & c & a & x(g_d) & 1 & 0 \\\hline
e_1 & f & g_0 & g_1 & z_{g,1} & h_0 & h_1 & d_0 & b_0 & b_1 & 0 & 1 \\\hline
\rho & z_{f,13} & z_{{e_1}f',14} & \psi & z_{g,13} &z_{{g_1}{g_2}',13} & z_{c,13} & z_{{b_3}c',14} & z_{a,13} & z_{a',13} & 0 & 0 \\\hline
\begin{align}
y &= \textsf{LSB} \bconcat k_0 \bconcat k_1 \bconcat k_2 \bconcat k_3\\
&= \textsf{LSB}
\bconcat \text{ (bits $1..=9$ of $y$) }
\bconcat \text{ (bits $10..=249$ of $y$) }
\bconcat \text{ (bits $250..=253$ of $y$) }
\bconcat \text{ (bit $254$ of $y$) },
\end{align}
$$
where $\textsf{LSB}$ is $b_2$ for $y(\mathsf{g_d})$, and $d_1$ for $y(\mathsf{pk_d})$.
Let $$j = \textsf{LSB} + 2 \cdot k_0 + 2^{10} \cdot k_1.$$ We decompose $j$ to be $250$
bits using a strict $25-$word [ten-bit lookup](../decomposition.md#lookup-decomposition).
The running sum outputs allow us to susbstitute $k_1 = z_{j, 1}.$
Recall that $b_2 = ỹ(\mathsf{g_d})$ and $d_1 = ỹ(\mathsf{pk_d})$ were pieces input to the
Sinsemilla hash and have already been boolean-constrained. $k_0$ and $k_2$ are constrained
outside this gate to $9$ and $4$ bits respectively. To constrain the remaining chunks, we
use the following constraints:
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,y} \cdot \BoolCheck{k_3} = 0 \\\hline
\end{array}
$$
Then, to check that the decomposition was correct:
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
2 & q_{\NoteCommit,y} \cdot \left(j - (\textsf{LSB} + k_0 \cdot 2 + k_1 \cdot 2^{10}) \right) = 0 \\\hline
2 & q_{\NoteCommit,y} \cdot \left(y - (j + k_2 \cdot 2^{250} + k_3 \cdot 2^{254}) \right) = 0 \\\hline
\end{array}
$$
### $y(\mathsf{g_d})$ with $k_3 = 1 \implies y(\mathsf{g_d}) \geq 2^{254}$
In these cases, we check that $y(\mathsf{g_d})_{0..=253} < t_\mathbb{P}$:
1. $k_3 = 1 \implies k_2 = 0.$
Since $k_3 = 1 \implies y(\mathsf{g_d})_{0..=253} < t_\mathbb{P} < 2^{126},$ we know that
$y(\mathsf{g_d})_{126..=253} = 0,$ and in particular
$$k_2 := y(\mathsf{g_d})_{250..=253} = 0.$$
2. $k_3 = 1 \implies 0 \leq j < t_\mathbb{P}.$
To check that $j < t_\mathbb{P}$, we use two constraints:
a) $0 \leq j < 2^{130}$. This is expressed in the custom gate as
$$k_3 \cdot z_{j,13} = 0,$$
where $z_{j,13}$ is the index-13 running sum output by the $10$-bit lookup
decomposition of $j$.
b) $0 \leq j + 2^{130} - t_\mathbb{P} < 2^{130}$. To check this, we decompose
$j' = j + 2^{130} - t_\mathbb{P}$ into thirteen 10-bit words (little-endian) using
a running sum $z_{j'}$, looking up each word in a $10$-bit lookup table. We then
enforce in the custom gate that
$$k_3 \cdot z_{j',13} = 0.$$
#### Region layout
$$
\begin{array}{|c|c|c|c|c|c|}
\hline
A_5 & A_6 & A_7 & A_8 & A_9 & q_{\NoteCommit,y} \\\hline
y && k_0 & k_2 & k_3 & 1 \\\hline
j & k_1 & z_{j,13} & j' & z_{j',13} & 0 \\\hline
\end{array}
$$
#### Constraints
$$
\begin{array}{|c|l|}
\hline
\text{Degree} & \text{Constraint} \\\hline
3 & q_{\NoteCommit,y} \cdot k_3 \cdot k_2 = 0 \\\hline
3 & q_{\NoteCommit,y} \cdot k_3 \cdot z_{j,13} = 0 \\\hline
2 & q_{\NoteCommit,y} \cdot (j + 2^{130} - t_\mathbb{P} - j') = 0 \\\hline
3 & q_{\NoteCommit,y} \cdot k_3 \cdot z_{j',13} = 0 \\\hline
\end{array}
$$
Outside this gate, we have constrained:
- $\ShortLookupRangeCheck{k_0, 9}$
- $\ShortLookupRangeCheck{k_2, 4}$
### $y(\mathsf{pk_d})$
This can be checked in exactly the same way as $y(\mathsf{g_d})$, with $b_2$ replaced by
$d_1$.
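Review bot: The $y$-coordinate region layout does not show where $\textsf{LSB}$ is witnessed, yet the decomposition constraint `j - (\textsf{LSB} + k_0 \cdot 2 + k_1 \cdot 2^{10})` under $q_{\NoteCommit,y}$ reads it, so the gate cannot be checked against the table as written; the empty $A_6$ cell in row 0 (`y && k_0 & k_2 & k_3 & 1`) is presumably that cell and should be labelled $\textsf{LSB}$, with a note that it is equality-constrained to $b_2$ (for $y(\mathsf{g_d})$) or $d_1$ (for $y(\mathsf{pk_d})$) from the $b$ and $d$ regions. Two smaller points: "susbstitute" in "The running sum outputs allow us to susbstitute $k_1 = z_{j, 1}$" is a typo carried over from the old text; and the last $\psi$ constraint now multiplies by $h_1$ where the removed line used $g_0$ (`q_{\NoteCommit,2} \cdot g_0 \cdot z_{{g_1}{g_2}',13}`), which is a correctness fix to the documented constraint rather than a pure reorganisation and is worth calling out in the PR description.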