From c5cda9481d5b78770e3009203ffe3dfb79f69b6e Mon Sep 17 00:00:00 2001
From: therealyingtong
Date: Thu, 22 Jul 2021 22:19:01 +0800
Subject: [PATCH] [book] Undo selector optimisations in Sinsemilla

- Instead of defining a synthetic q_S3 based on a combination of q_S1, q_S2, we simply create another selector q_S3.
- Instead of using fixed_y_q as a nonbinary selector, replace it with q_S4 and copy the fixed value into a row above.

Co-authored-by: Daira Hopwood
---
 book/src/design/circuit/gadgets/sinsemilla.md | 75 +++++++++++--------
 1 file changed, 43 insertions(+), 32 deletions(-)

diff --git a/book/src/design/circuit/gadgets/sinsemilla.md b/book/src/design/circuit/gadgets/sinsemilla.md
index d07df881..287789ce 100644
--- a/book/src/design/circuit/gadgets/sinsemilla.md
+++ b/book/src/design/circuit/gadgets/sinsemilla.md
@@ -80,59 +80,70 @@ In other words, $z_{n-i} = \sum\limits_{h=0}^{i-1} 2^{kh} \cdot m_{h+1}$. > > In order to support chaining multiple field elements without a gap, we will use a slightly more complicated expression for $m_{i+1}$ that effectively forces $\mathbf{z}_n$ to zero for the last step of each element, as indicated by $q_{S2}$. This allows the cell that would have been $\mathbf{z}_n$ to be used to reinitialize the running sum for the next element. -### Layout - -Note: $q_{S3}$ is synthesized from $q_{S1}$ and $q_{S2}$; it is shown here only for clarity. - +### Generator lookup table +The $$ -\begin{array}{|c|c|c|c|c|c|c|c|c|c|c|c|c|} +\begin{array}{|c|c|c|} \hline -\text{Step} & x_A & x_P & bits & \lambda_1 & \lambda_2 & q_{S1} & q_{S2} & q_{S3} & fixed\_y_Q & table_{idx} & table_x & table_y \\\hline - 0 & x_Q & x_{P[m_1]} & z_0 & \lambda_{1,0} & \lambda_{2,0} & 1 & 1 & 0 & y_Q & 0 & x_{P[0]} & y_{P[0]} \\\hline - 1 & x_{A,1} & x_{P[m_2]} & z_1 & \lambda_{1,1} & \lambda_{2,1} & 1 & 1 & 0 & 0 & 1 & x_{P[1]} & y_{P[1]} \\\hline - 2 & x_{A,2} & x_{P[m_3]} & z_2 & \lambda_{1,2} & \lambda_{2,2} & 1 & 1 & 0 & 0 & 2 & x_{P[2]} & y_{P[2]} \\\hline - \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & 1 & 1 & 0 & 0 & \vdots & \vdots & \vdots \\\hline - n-1 & x_{A,n-1} & x_{P[m_n]} & z_{n-1} & \lambda_{1,n-1} & \lambda_{2,n-1} & 1 & 0 & 0 & 0 & \vdots & \vdots & \vdots \\\hline - 0' & x'_{A,0} & x_{P[m'_1]} & z'_0 & \lambda'_{1,0} & \lambda'_{2,0} & 1 & 1 & 0 & 0 & \vdots & \vdots & \vdots \\\hline - 1' & x'_{A,1} & x_{P[m'_2]} & z'_1 & \lambda'_{1,1} & \lambda'_{2,1} & 1 & 1 & 0 & 0 & \vdots & \vdots & \vdots \\\hline - 2' & x'_{A,2} & x_{P[m'_3]} & z'_2 & \lambda'_{1,2} & \lambda'_{2,2} & 1 & 1 & 0 & 0 & \vdots & \vdots & \vdots \\\hline - \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & 1 & 1 & 0 & 0 & \vdots & \vdots & \vdots \\\hline - n-1' & x'_{A,n-1} & x_{P[m'_n]} & z'_{n-1} & \lambda'_{1,n-1} & \lambda'_{2,n-1} & 1 & 2 & 2 & 0 & \vdots & \vdots & 
\vdots \\\hline - n' & x'_{A,n} & & & y_{A,n} & & 0 & 0 & 0 & 0 & \vdots & \vdots & \vdots \\\hline + table_{idx} & table_x & table_y \\\hline + 0 & x_{P[0]} & y_{P[0]} \\\hline + 1 & x_{P[1]} & y_{P[1]} \\\hline + 2 & x_{P[2]} & y_{P[2]} \\\hline + \vdots & \vdots & \vdots \\\hline + 2^{10} - 1 & x_{P[2^{10}-1]} & y_{P[2^{10}-1]} \\\hline \end{array} $$ -$x_Q$, $z_0$, $z'_0$, etc. would be copied in using equality constraints. +### Layout +$$ +\begin{array}{|c|c|c|c|c|c|c|c|c|c|} +\hline +\text{Step} & x_A & x_P & bits & \lambda_1 & \lambda_2 & q_{S1} & q_{S2} & q_{S3} & q_{S4} \\\hline + -1 & y_Q & & & & & 0 & 0 & 0 & 1 \\\hline + 0 & x_Q & x_{P[m_1]} & z_0 & \lambda_{1,0} & \lambda_{2,0} & 1 & 1 & 0 & 0 \\\hline + 1 & x_{A,1} & x_{P[m_2]} & z_1 & \lambda_{1,1} & \lambda_{2,1} & 1 & 1 & 0 & 0 \\\hline + 2 & x_{A,2} & x_{P[m_3]} & z_2 & \lambda_{1,2} & \lambda_{2,2} & 1 & 1 & 0 & 0 \\\hline + \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & 1 & 1 & 0 & 0 \\\hline + n-1 & x_{A,n-1} & x_{P[m_n]} & z_{n-1} & \lambda_{1,n-1} & \lambda_{2,n-1} & 1 & 0 & 0 & 0 \\\hline + 0' & x'_{A,0} & x_{P[m'_1]} & z'_0 & \lambda'_{1,0} & \lambda'_{2,0} & 1 & 1 & 0 & 0 \\\hline + 1' & x'_{A,1} & x_{P[m'_2]} & z'_1 & \lambda'_{1,1} & \lambda'_{2,1} & 1 & 1 & 0 & 0 \\\hline + 2' & x'_{A,2} & x_{P[m'_3]} & z'_2 & \lambda'_{1,2} & \lambda'_{2,2} & 1 & 1 & 0 & 0 \\\hline + \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & 1 & 1 & 0 & 0 \\\hline + n-1' & x'_{A,n-1} & x_{P[m'_n]} & z'_{n-1} & \lambda'_{1,n-1} & \lambda'_{2,n-1} & 1 & 0 & 1 & 0 \\\hline +\end{array} +$$ + +$x_Q$, $y_Q$, $z_0$, $z'_0$, etc. would be copied in using equality constraints. 
### Optimized Sinsemilla gate - -$\begin{array}{lrcl} +$$ +\begin{array}{lrcl} \text{For } i \in [0, n), \text{ let} &x_{R,i} &=& \lambda_{1,i}^2 - x_{A,i} - x_{P,i} \\ &Y_{A,i} &=& (\lambda_{1,i} + \lambda_{2,i}) \cdot (x_{A,i} - x_{R,i}) \\ &y_{P,i} &=& Y_{A,i}/2 - \lambda_{1,i} \cdot (x_{A,i} - x_{P,i}) \\ - &m_{i+1} &=& z_{i} - 2^k \cdot (q_{S2,i} - q_{S3,i}) \cdot z_{i+1} \\ - &q_{S3} &=& q_{S2} \cdot (q_{S2} - 1) -\end{array}$ + &m_{i+1} &=& z_{i} - 2^k \cdot q_{S2,i} \cdot z_{i+1} +\end{array} +$$ The Halo 2 circuit API can automatically substitute $y_{P,i}$, $x_{R,i}$, $y_{A,i}$, and $y_{A,i+1}$, so we don't need to do that manually. -- $x_{A,0} = x_Q$ -- $2 \cdot y_Q = Y_{A,0}$ -- for $i$ from $0$ up to $n-1$: - - $(m_{i+1},\, x_{P,i},\, y_{P,i}) \in \mathcal{P}$ - - $\lambda_{2,i}^2 = x_{A,i+1} + x_{R,i} + x_{A,i}$ - - $4 \cdot \lambda_{2,i} \cdot (x_{A,i} - x_{A,i+1}) = 2 \cdot Y_{A,i} + (2 - q_{S3}) \cdot Y_{A,i+1} + 2 q_{S3} \cdot y_{A,n}$ +$x_{A,0} = x_Q$ +$2 \cdot y_Q = Y_{A,0}$ +for $i$ from $0$ up to $n-1$: + $(m_{i+1},\, x_{P,i},\, y_{P,i}) \in \mathcal{P}$ + $\lambda_{2,i}^2 = x_{A,i+1} + x_{R,i} + x_{A,i}$ + $2 \cdot \lambda_{2,i} \cdot (x_{A,i} - x_{A,i+1}) = Y_{A,i} + (1 - q_{S3}) \cdot Y_{A,i+1} + 2 \cdot q_{S3} \cdot y_{A,n}$ -Note that each term of the last constraint is multiplied by $4$ relative to the constraint program given earlier. This is a small optimization that avoids divisions by $2$. +Note that each term of the last constraint is multiplied by $2$ relative to the constraint program given earlier. This is a small optimization that avoids divisions by $2$. 
$$ \begin{array}{|c|l|} \hline \text{Degree} & \text{Constraint} \\\hline -4 & fixed\rule{0.4em}{0.02ex}y_Q \cdot (2 \cdot fixed\rule{0.4em}{0.02ex}y_Q - Y_{A,0}) = 0 \\\hline +4 & q_{S4} \cdot (2 \cdot y_Q - Y_{A,0}) = 0 \\\hline 5 & q_{S1,i} \Rightarrow (m_{i+1},\, x_{P,i},\, y_{P,i}) \in \mathcal{P} \\\hline 3 & q_{S1,i} \cdot \big(\lambda_{2,i}^2 - (x_{A,i+1} + x_{R,i} + x_{A,i})\big) \\\hline -6 & q_{S1,i} \cdot \left(4 \cdot \lambda_{2,i} \cdot (x_{A,i} - x_{A,i+1}) - (2 \cdot Y_{A,i} + (2 - q_{S3,i}) \cdot Y_{A,i+1} + 2 \cdot q_{S3,i} \cdot y_{A,n})\right) = 0 \\\hline +6 & q_{S1,i} \cdot \left(2 \cdot \lambda_{2,i} \cdot (x_{A,i} - x_{A,i+1}) - (Y_{A,i} + (1 - q_{S3,i}) \cdot Y_{A,i+1} + 2 \cdot q_{S3,i} \cdot y_{A,n})\right) = 0 \\\hline \end{array} $$
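Review bot: The new Layout table ends at row $n-1'$ and no longer has the row $n'$ that held $x'_{A,n}$ and $y_{A,n}$, yet the gate still reads both at the last step: with $i = n-1$ the constraints use $x_{A,i+1}$ and, where $q_{S3} = 1$, the term $2 \cdot q_{S3} \cdot y_{A,n}$. Suggest keeping a final row with all four selectors at 0 so the reader can see which cells those values occupy. Two smaller points in the same hunk: the added line `+The` under "### Generator lookup table" is an unfinished sentence and should be completed or dropped; and the degree-6 entry in the constraint table was carried over from when $q_{S3}$ was the degree-2 product $q_{S2} \cdot (q_{S2} - 1)$. With $q_{S3}$ now a plain selector, the highest term $q_{S1,i} \cdot q_{S3,i} \cdot Y_{A,i+1}$ comes to degree 5 given the cubic $Y_A$ defined above, so that entry is worth rechecking. The list markers removed from the constraint program ("- $x_{A,0} = x_Q$" becoming "$x_{A,0} = x_Q$") will also make Markdown fold those lines into one paragraph.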