[book] Undo selector optimisations in Sinsemilla

- Instead of defining a synthetic q_S3 based on a combination of
  of q_S1, q_S2, we simply create another selector q_S3.
- Instead of using fixed_y_q as a nonbinary selector, replace it
  with q_S4 and copy the fixed value into a row above.

Co-authored-by: Daira Hopwood <daira@jacaranda.org>

book/src/design/circuit/gadgets/sinsemilla.md

@@ -80,59 +80,70 @@ In other words, $z_{n-i} = \sum\limits_{h=0}^{i-1} 2^{kh} \cdot m_{h+1}$.
 >
 > In order to support chaining multiple field elements without a gap, we will use a slightly more complicated expression for $m_{i+1}$ that effectively forces $\mathbf{z}_n$ to zero for the last step of each element, as indicated by $q_{S2}$. This allows the cell that would have been $\mathbf{z}_n$ to be used to reinitialize the running sum for the next element.
 
-### Layout
-
-Note: $q_{S3}$ is synthesized from $q_{S1}$ and $q_{S2}$; it is shown here only for clarity.
-
+### Generator lookup table
+The
 $$
-\begin{array}{|c|c|c|c|c|c|c|c|c|c|c|c|c|}
+\begin{array}{|c|c|c|}
 \hline
-\text{Step} &    x_A     &    x_P      &   bits   &    \lambda_1     &   \lambda_2      & q_{S1} & q_{S2} & q_{S3} & fixed\_y_Q & table_{idx} & table_x  & table_y  \\\hline
-    0       & x_Q        & x_{P[m_1]}  & z_0      & \lambda_{1,0}    & \lambda_{2,0}    & 1      & 1      & 0      &    y_Q     & 0           & x_{P[0]} & y_{P[0]} \\\hline
-    1       & x_{A,1}    & x_{P[m_2]}  & z_1      & \lambda_{1,1}    & \lambda_{2,1}    & 1      & 1      & 0      &     0      & 1           & x_{P[1]} & y_{P[1]} \\\hline
-    2       & x_{A,2}    & x_{P[m_3]}  & z_2      & \lambda_{1,2}    & \lambda_{2,2}    & 1      & 1      & 0      &     0      & 2           & x_{P[2]} & y_{P[2]} \\\hline
-  \vdots    & \vdots     & \vdots      & \vdots   & \vdots           & \vdots           & 1      & 1      & 0      &     0      & \vdots      & \vdots   & \vdots   \\\hline
-   n-1      & x_{A,n-1}  & x_{P[m_n]}  & z_{n-1}  & \lambda_{1,n-1}  & \lambda_{2,n-1}  & 1      & 0      & 0      &     0      & \vdots      & \vdots   & \vdots   \\\hline
-    0'      & x'_{A,0}   & x_{P[m'_1]} & z'_0     & \lambda'_{1,0}   & \lambda'_{2,0}   & 1      & 1      & 0      &     0      & \vdots      & \vdots   & \vdots   \\\hline
-    1'      & x'_{A,1}   & x_{P[m'_2]} & z'_1     & \lambda'_{1,1}   & \lambda'_{2,1}   & 1      & 1      & 0      &     0      & \vdots      & \vdots   & \vdots   \\\hline
-    2'      & x'_{A,2}   & x_{P[m'_3]} & z'_2     & \lambda'_{1,2}   & \lambda'_{2,2}   & 1      & 1      & 0      &     0      & \vdots      & \vdots   & \vdots   \\\hline
-  \vdots    & \vdots     & \vdots      & \vdots   & \vdots           & \vdots           & 1      & 1      & 0      &     0      & \vdots      & \vdots   & \vdots   \\\hline
-   n-1'     & x'_{A,n-1} & x_{P[m'_n]} & z'_{n-1} & \lambda'_{1,n-1} & \lambda'_{2,n-1} & 1      & 2      & 2      &     0      & \vdots      & \vdots   & \vdots   \\\hline
-    n'      & x'_{A,n}   &             &          & y_{A,n}          &                  & 0      & 0      & 0      &     0      & \vdots      & \vdots   & \vdots   \\\hline
+ table_{idx} & table_x         & table_y         \\\hline
+ 0           & x_{P[0]}        & y_{P[0]}        \\\hline
+ 1           & x_{P[1]}        & y_{P[1]}        \\\hline
+ 2           & x_{P[2]}        & y_{P[2]}        \\\hline
+ \vdots      & \vdots          & \vdots          \\\hline
+ 2^{10} - 1  & x_{P[2^{10}-1]} & y_{P[2^{10}-1]} \\\hline
 \end{array}
 $$
 
-$x_Q$, $z_0$, $z'_0$, etc. would be copied in using equality constraints.
+### Layout
+$$
+\begin{array}{|c|c|c|c|c|c|c|c|c|c|}
+\hline
+\text{Step} &    x_A     &    x_P      &   bits   &    \lambda_1     &   \lambda_2      & q_{S1} & q_{S2} & q_{S3} &    q_{S4}  \\\hline
+   -1       & y_Q        &             &          &                  &                  & 0      & 0      & 0      &     1      \\\hline
+    0       & x_Q        & x_{P[m_1]}  & z_0      & \lambda_{1,0}    & \lambda_{2,0}    & 1      & 1      & 0      &     0      \\\hline
+    1       & x_{A,1}    & x_{P[m_2]}  & z_1      & \lambda_{1,1}    & \lambda_{2,1}    & 1      & 1      & 0      &     0      \\\hline
+    2       & x_{A,2}    & x_{P[m_3]}  & z_2      & \lambda_{1,2}    & \lambda_{2,2}    & 1      & 1      & 0      &     0      \\\hline
+  \vdots    & \vdots     & \vdots      & \vdots   & \vdots           & \vdots           & 1      & 1      & 0      &     0      \\\hline
+   n-1      & x_{A,n-1}  & x_{P[m_n]}  & z_{n-1}  & \lambda_{1,n-1}  & \lambda_{2,n-1}  & 1      & 0      & 0      &     0      \\\hline
+    0'      & x'_{A,0}   & x_{P[m'_1]} & z'_0     & \lambda'_{1,0}   & \lambda'_{2,0}   & 1      & 1      & 0      &     0      \\\hline
+    1'      & x'_{A,1}   & x_{P[m'_2]} & z'_1     & \lambda'_{1,1}   & \lambda'_{2,1}   & 1      & 1      & 0      &     0      \\\hline
+    2'      & x'_{A,2}   & x_{P[m'_3]} & z'_2     & \lambda'_{1,2}   & \lambda'_{2,2}   & 1      & 1      & 0      &     0      \\\hline
+  \vdots    & \vdots     & \vdots      & \vdots   & \vdots           & \vdots           & 1      & 1      & 0      &     0      \\\hline
+   n-1'     & x'_{A,n-1} & x_{P[m'_n]} & z'_{n-1} & \lambda'_{1,n-1} & \lambda'_{2,n-1} & 1      & 0      & 1      &     0      \\\hline
+\end{array}
+$$
+
+$x_Q$, $y_Q$, $z_0$, $z'_0$, etc. would be copied in using equality constraints.
 
 ### Optimized Sinsemilla gate
-
-$\begin{array}{lrcl}
+$$
+\begin{array}{lrcl}
 \text{For } i \in [0, n), \text{ let} &x_{R,i} &=& \lambda_{1,i}^2 - x_{A,i} - x_{P,i} \\
                                       &Y_{A,i} &=& (\lambda_{1,i} + \lambda_{2,i}) \cdot (x_{A,i} - x_{R,i}) \\
                                       &y_{P,i} &=& Y_{A,i}/2 - \lambda_{1,i} \cdot (x_{A,i} - x_{P,i}) \\
-                                      &m_{i+1} &=& z_{i} - 2^k \cdot (q_{S2,i} - q_{S3,i}) \cdot z_{i+1} \\
-                                      &q_{S3}  &=& q_{S2} \cdot (q_{S2} - 1)
-\end{array}$
+                                      &m_{i+1} &=& z_{i} - 2^k \cdot q_{S2,i} \cdot z_{i+1}
+\end{array}
+$$
 
 The Halo 2 circuit API can automatically substitute $y_{P,i}$, $x_{R,i}$, $y_{A,i}$, and $y_{A,i+1}$, so we don't need to do that manually.
 
-- $x_{A,0} = x_Q$
-- $2 \cdot y_Q = Y_{A,0}$
-- for $i$ from $0$ up to $n-1$:
-  - $(m_{i+1},\, x_{P,i},\, y_{P,i}) \in \mathcal{P}$
-  - $\lambda_{2,i}^2 = x_{A,i+1} + x_{R,i} + x_{A,i}$
-  - $4 \cdot \lambda_{2,i} \cdot (x_{A,i} - x_{A,i+1}) = 2 \cdot Y_{A,i} + (2 - q_{S3}) \cdot Y_{A,i+1} + 2 q_{S3} \cdot y_{A,n}$
+$x_{A,0} = x_Q$
+$2 \cdot y_Q = Y_{A,0}$
+for $i$ from $0$ up to $n-1$:
+    $(m_{i+1},\, x_{P,i},\, y_{P,i}) \in \mathcal{P}$
+    $\lambda_{2,i}^2 = x_{A,i+1} + x_{R,i} + x_{A,i}$
+    $2 \cdot \lambda_{2,i} \cdot (x_{A,i} - x_{A,i+1}) = Y_{A,i} + (1 - q_{S3}) \cdot Y_{A,i+1} + 2 \cdot q_{S3} \cdot y_{A,n}$
 
-Note that each term of the last constraint is multiplied by $4$ relative to the constraint program given earlier. This is a small optimization that avoids divisions by $2$.
+Note that each term of the last constraint is multiplied by $2$ relative to the constraint program given earlier. This is a small optimization that avoids divisions by $2$.
 
 $$
 \begin{array}{|c|l|}
 \hline
 \text{Degree} & \text{Constraint} \\\hline
-4   & fixed\rule{0.4em}{0.02ex}y_Q \cdot (2 \cdot fixed\rule{0.4em}{0.02ex}y_Q - Y_{A,0}) = 0 \\\hline
+4   & q_{S4} \cdot (2 \cdot y_Q - Y_{A,0}) = 0 \\\hline
 5   & q_{S1,i} \Rightarrow (m_{i+1},\, x_{P,i},\, y_{P,i}) \in \mathcal{P} \\\hline
 3   & q_{S1,i} \cdot \big(\lambda_{2,i}^2 - (x_{A,i+1} + x_{R,i} + x_{A,i})\big) \\\hline
-6   & q_{S1,i} \cdot \left(4 \cdot \lambda_{2,i} \cdot (x_{A,i} - x_{A,i+1}) - (2 \cdot Y_{A,i} + (2 - q_{S3,i}) \cdot Y_{A,i+1} + 2 \cdot q_{S3,i} \cdot y_{A,n})\right) = 0 \\\hline
+6   & q_{S1,i} \cdot \left(2 \cdot \lambda_{2,i} \cdot (x_{A,i} - x_{A,i+1}) - (Y_{A,i} + (1 - q_{S3,i}) \cdot Y_{A,i+1} + 2 \cdot q_{S3,i} \cdot y_{A,n})\right) = 0 \\\hline
 \end{array}
 $$