zec
/
halo2
mirror of https://github.com/zcash/halo2.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
608 Commits 40 Branches 6 Tags 58 MiB
Commit Graph

608 Commits

Author SHA1 Message Date
Jack Grigg 0375c64801 [book] Update NoteCommit page to match Commit^ivk style 
Constraint tables have been added along with the region layout. I also
fixed numerous bugs in the constraints (most of which appeared to be
copy-pasta bugs).
 2021-07-26 02:05:35 +01:00
Jack Grigg 5aa05713e7 [book] Use \CommitIvk macro in page heading 
We can't use KaTeX  on the SUMMARY page that generates the sidebar, so
that continues to use a CamelCase approximation.
 2021-07-26 02:05:35 +01:00
Jack Grigg f376a61bb8 [book] Add macros, constraint tables, and region layout to Commit^ivk 
I also merged in content from a page I wrote independently while
reviewing the Action circuit PR, and made various cleanups to the
Markdown source.
 2021-07-26 02:05:35 +01:00
Daira Hopwood 4a5a4cc437 [book] merkle-crh.md: formatting. 
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-26 02:05:35 +01:00
Daira Hopwood ed20d539b2 [book] merkle-crh.md: corrections. 
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-26 02:05:35 +01:00
Daira Hopwood 47a29f10aa [book] Document NoteCommit message decomposition & canonicity checks 2021-07-26 02:05:35 +01:00
Daira Hopwood 2846593937 [book] Document CommitIvk message decomposition & canonicity checks 2021-07-26 02:05:35 +01:00
Daira Hopwood 9708e296c8 [book] Document Merkle chip layout and message decomposition. 2021-07-26 02:05:35 +01:00
ying tong 9a44a14863
Merge pull request #160 from zcash/book-recombine-sinsemilla-selectors 
[book] Recombine Sinsemilla q_S1, q_S2, q_S3 selectors.
 2021-07-25 21:16:12 +08:00
therealyingtong 5dc5e6479a [book] Recombine Sinsemilla q_S1, q_S2, q_S3 selectors. 
Since q_S1, q_S2, q_S3 are not simple selectors, they cannot be
automatically combined. We manually combine them here.
 2021-07-25 20:28:05 +08:00
ying tong a2ed3f1b52
Merge pull request #155 from zcash/book-selector-optimisations 
[Book] Undo selector optimisations
 2021-07-25 00:57:35 +08:00
ying tong 3d56fb0716
Merge pull request #146 from zcash/book-short-scalar-mul 
[book] Update constraints for short signed fixed-base mul.
 2021-07-25 00:54:32 +08:00
therealyingtong 782a70a786 [book] Minor fixes. 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-25 00:52:38 +08:00
ying tong ce881bc4fe
[book] Formatting fix. 2021-07-25 00:40:44 +08:00
therealyingtong 78b0ec4e7b [book] Sinsemilla: reintroduce fixed_y_q column. 
Loading fixed_y_q into an advice column introduces an additional
row. Instead, we load it into a fixed column.

Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-24 23:15:17 +08:00
ying tong 6c55e1a7e3
[book] Fix updates to Sinsemilla writeup. 2021-07-23 20:34:16 +08:00
Kris Nuttycombe b86967bc57
Merge pull request #135 from zcash/patch-ncc 
Partial fixes from NCC draft report
 2021-07-22 15:25:05 -06:00
therealyingtong 7866623a1b [book] Undo selector optimisation in variable-base scalar mul 
Previously, we were using a non-binary selector q_mul = {1, 2, 3}
to switch between three cases. Now, we replace this with three
binary selectors.
 2021-07-22 22:39:17 +08:00
therealyingtong c5cda9481d [book] Undo selector optimisations in Sinsemilla 
- Instead of defining a synthetic q_S3 based on a combination of
  of q_S1, q_S2, we simply create another selector q_S3.
- Instead of using fixed_y_q as a nonbinary selector, replace it
  with q_S4 and copy the fixed value into a row above.

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-22 22:19:01 +08:00
Kris Nuttycombe 8971b37af3 Use NOTE_COMMITMENT_PERSONALIZATION constant for CommitDomain initialization. 2021-07-19 20:39:39 -06:00
str4d bd28b46163
Merge pull request #150 from zcash/bump-halo2-again 
Migrate to latest `halo2` API
 2021-07-19 13:56:59 +01:00
str4d 38f9e3076f
Update code comments after review 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: ying tong <yingtong@z.cash>
 2021-07-19 13:56:18 +01:00
str4d 146156abb6
Merge pull request #118 from zcash/sinsemilla-chip-commit 
Sinsemilla chip with Commit Domain
 2021-07-19 13:27:08 +01:00
str4d f44c4161af
Adjust documentation of `CommitDomains::r` 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-19 13:26:03 +01:00
therealyingtong a17a9301d7 sinsemilla::tests: Witness and constrain expected result of commit. 2021-07-19 20:03:13 +08:00
therealyingtong 8ce0725043 gadget::sinsemilla.rs: Add SinsemillaCommit test. 2021-07-19 20:03:13 +08:00
therealyingtong df4bf422f5 gadget::sinsemilla.rs: Add CommitDomain 
SinsemillaInstructions gains several associated types specific to
SinsemillaCommit.
 2021-07-19 20:03:12 +08:00
Jack Grigg 1dca72a1cc Migrate to latest `halo2` test API 2021-07-19 12:58:05 +01:00
Jack Grigg 654f1b4613 Add selector to dummy circuit 
We need to ensure that no gates are active on the blinding factor rows.
 2021-07-19 12:53:38 +01:00
Jack Grigg 15f9d254d9 Migrate to latest `halo2` API 
- `halo2::plonk::{create_proof, verify_proof}` now take instance columns
  as slices of values.
- `halo2::plonk::Permutation` has been replaced by a global permutation,
  to which columns can be added with `ConstraintSystem::enable_equality`.
- The introduction of blinding rows means that various tests now require
  larger circuit parameters.
 2021-07-19 12:53:38 +01:00
str4d cf4c78f9a1
Merge pull request #145 from zcash/refactor-short-scalar 
Refactor `mul_fixed_short` API to copy in (`magnitude`, `sign`)
 2021-07-19 12:48:52 +01:00
therealyingtong 1b615a40ee Fix documentation in decompose_running_sum. 2021-07-19 19:14:32 +08:00
ying tong c23897ea8d
Apply suggestions from code review 
Co-authored-by: str4d <jack@electriccoin.co>
 2021-07-19 19:01:06 +08:00
therealyingtong c444ddebf8 Documentation and variable naming cleanups. 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-19 18:48:49 +08:00
therealyingtong fe95122ef7 mul_fixed::base_field_elem: Remove duplicate coords check gate. 
The coordinate check for an element decomposed using a running sum
is enforced by mul_fixed::Config::running_sum_coords_gate().

Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-19 18:08:22 +08:00
therealyingtong 91b8ea20e4 mul_fixed::short.rs: Fix magnitude bound in test. 
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-18 00:13:23 +08:00
therealyingtong 90b59baca5 mul_fixed: Remove unused selectors and duplicate gates. 
Selectors previously used in the witness_scalar_* APIs, such as
q_scalar_fixed and q_scalar_fixed_short, are now removed. The
remaining selectors have been renamed for clarity.

The coordinates check for scalars decomposed using a running sum
has been moved into the mul_fixed.rs file, instead of being
duplicated in both mul_fixed::base_field_elem and mul_fixed::short.

The decompose_scalar_fixed() method is now only used in
mul_fixed::full_width, and has been moved there.
 2021-07-18 00:10:15 +08:00
therealyingtong 179cd8e940 base_field_elem: Remove z_85_alpha = 0 check from canonicity gate. 
The decompose_running_sum gadget in strict mode already enforces
this check.

Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-18 00:09:39 +08:00
therealyingtong e846536b4e decompose_running_sum: Remove NUM_WINDOWS, WORD_NUM_BITS const generics 
These are now provided as inputs to the witness_decompose() and
copy_decompose() methods. This allows us to reuse the same config
for different word/window lengths, avoiding a duplicate constraint
creation.

Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-17 12:10:13 +08:00
therealyingtong 90474995a7 Add mul_short::tests cases and address review comments. 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-17 00:44:56 +08:00
therealyingtong 32f3068886 ecc.rs: Add MulFixedBaseField type. 
In the Orchard protocol, only the NullifierK fixed base in used in
scalar multiplication with a base field element.

The mul_fixed_base_field_elem() API does not have to accept fixed
bases other than NullifierK; conversely, NullifierK does not have
to work with the full-width mul_fixed() API.
 2021-07-15 20:51:52 +08:00
therealyingtong 1681463856 mul_fixed::short::tests: Test negative mul_with_double case. 2021-07-15 20:51:43 +08:00
therealyingtong e21b193a17 mul_fixed::short::tests: Test invalid magnitude and sign. 
Check that a magnitude larger than 64 bits results in a constraint
failure.
Check that a sign other than +/- 1 results in a constrain failure.
 2021-07-15 20:51:42 +08:00
therealyingtong a8bd2d6abf mul_fixed::short: Copy (magnitude, sign) instead of witnessing Scalar. 
In the Orchard circuit, the short signed scalar is v_old - v_new,
which will be witnessed as two cells: a 64-bit magnitude, and a
sign that is +/- 1.
 2021-07-15 20:46:51 +08:00
therealyingtong 426f954b1d gadget::ecc.rs: Inline witness_scalar_* APIs. 
Witness a scalar in the region where it is used for multiplication,
instead of witnessing it separately and then copying it in.
 2021-07-15 20:46:46 +08:00
therealyingtong 32f28ed4b0 gadget::ecc.rs: Bound EccInstructions on UtilitiesInstructions. 2021-07-15 20:46:40 +08:00
therealyingtong 7b497c53a3 mul_fixed::base_field_elem: Use decompose_running_sum helper. 2021-07-15 20:46:22 +08:00
therealyingtong ee062bae3d gadget::utilities: Add decompose_running_sum helper. 
This decomposes a field element into K-bit windows using a
running sum. Each step of the running sum is range-constrained.
In strict mode, the final output of the running sum is constrained
to be zero.

This helper asserts K <= 3.
 2021-07-15 20:46:21 +08:00
str4d f3c9b6cedc
Merge pull request #144 from zcash/bump-halo2 
Migrate to latest `halo2::plonk::Circuit` API
 2021-07-15 13:33:53 +01:00
Jack Grigg ac70a6bfdf test: Print Merkle path test circuit layout 
Requires fixing an unnecessary unwrap in the test circuit's synthesis.
 2021-07-15 11:25:22 +01:00