Jack Grigg
0375c64801
[book] Update NoteCommit page to match Commit^ivk style
...
Constraint tables have been added along with the region layout. I also
fixed numerous bugs in the constraints (most of which appeared to be
copy-pasta bugs).
2021-07-26 02:05:35 +01:00
Jack Grigg
5aa05713e7
[book] Use \CommitIvk macro in page heading
...
We can't use KaTeX on the SUMMARY page that generates the sidebar, so
that continues to use a CamelCase approximation.
2021-07-26 02:05:35 +01:00
Jack Grigg
f376a61bb8
[book] Add macros, constraint tables, and region layout to Commit^ivk
...
I also merged in content from a page I wrote independently while
reviewing the Action circuit PR, and made various cleanups to the
Markdown source.
2021-07-26 02:05:35 +01:00
Daira Hopwood
4a5a4cc437
[book] merkle-crh.md: formatting.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-26 02:05:35 +01:00
Daira Hopwood
ed20d539b2
[book] merkle-crh.md: corrections.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-26 02:05:35 +01:00
Daira Hopwood
47a29f10aa
[book] Document NoteCommit message decomposition & canonicity checks
2021-07-26 02:05:35 +01:00
Daira Hopwood
2846593937
[book] Document CommitIvk message decomposition & canonicity checks
2021-07-26 02:05:35 +01:00
Daira Hopwood
9708e296c8
[book] Document Merkle chip layout and message decomposition.
2021-07-26 02:05:35 +01:00
ying tong
9a44a14863
Merge pull request #160 from zcash/book-recombine-sinsemilla-selectors
...
[book] Recombine Sinsemilla q_S1, q_S2, q_S3 selectors.
2021-07-25 21:16:12 +08:00
therealyingtong
5dc5e6479a
[book] Recombine Sinsemilla q_S1, q_S2, q_S3 selectors.
...
Since q_S1, q_S2, q_S3 are not simple selectors, they cannot be
automatically combined. We manually combine them here.
2021-07-25 20:28:05 +08:00
ying tong
a2ed3f1b52
Merge pull request #155 from zcash/book-selector-optimisations
...
[Book] Undo selector optimisations
2021-07-25 00:57:35 +08:00
ying tong
3d56fb0716
Merge pull request #146 from zcash/book-short-scalar-mul
...
[book] Update constraints for short signed fixed-base mul.
2021-07-25 00:54:32 +08:00
therealyingtong
782a70a786
[book] Minor fixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-25 00:52:38 +08:00
ying tong
ce881bc4fe
[book] Formatting fix.
2021-07-25 00:40:44 +08:00
therealyingtong
78b0ec4e7b
[book] Sinsemilla: reintroduce fixed_y_q column.
...
Loading fixed_y_q into an advice column introduces an additional
row. Instead, we load it into a fixed column.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-24 23:15:17 +08:00
ying tong
6c55e1a7e3
[book] Fix updates to Sinsemilla writeup.
2021-07-23 20:34:16 +08:00
Kris Nuttycombe
b86967bc57
Merge pull request #135 from zcash/patch-ncc
...
Partial fixes from NCC draft report
2021-07-22 15:25:05 -06:00
therealyingtong
7866623a1b
[book] Undo selector optimisation in variable-base scalar mul
...
Previously, we were using a non-binary selector q_mul = {1, 2, 3}
to switch between three cases. Now, we replace this with three
binary selectors.
2021-07-22 22:39:17 +08:00
therealyingtong
c5cda9481d
[book] Undo selector optimisations in Sinsemilla
...
- Instead of defining a synthetic q_S3 based on a combination of
q_S1, q_S2, we simply create another selector q_S3.
- Instead of using fixed_y_q as a nonbinary selector, replace it
with q_S4 and copy the fixed value into a row above.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-22 22:19:01 +08:00
Kris Nuttycombe
8971b37af3
Use NOTE_COMMITMENT_PERSONALIZATION constant for CommitDomain initialization.
2021-07-19 20:39:39 -06:00
str4d
bd28b46163
Merge pull request #150 from zcash/bump-halo2-again
...
Migrate to latest `halo2` API
2021-07-19 13:56:59 +01:00
str4d
38f9e3076f
Update code comments after review
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: ying tong <yingtong@z.cash>
2021-07-19 13:56:18 +01:00
str4d
146156abb6
Merge pull request #118 from zcash/sinsemilla-chip-commit
...
Sinsemilla chip with Commit Domain
2021-07-19 13:27:08 +01:00
str4d
f44c4161af
Adjust documentation of `CommitDomains::r`
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-19 13:26:03 +01:00
therealyingtong
a17a9301d7
sinsemilla::tests: Witness and constrain expected result of commit.
2021-07-19 20:03:13 +08:00
therealyingtong
8ce0725043
gadget::sinsemilla.rs: Add SinsemillaCommit test.
2021-07-19 20:03:13 +08:00
therealyingtong
df4bf422f5
gadget::sinsemilla.rs: Add CommitDomain
...
SinsemillaInstructions gains several associated types specific to
SinsemillaCommit.
2021-07-19 20:03:12 +08:00
Jack Grigg
1dca72a1cc
Migrate to latest `halo2` test API
2021-07-19 12:58:05 +01:00
Jack Grigg
654f1b4613
Add selector to dummy circuit
...
We need to ensure that no gates are active on the blinding factor rows.
2021-07-19 12:53:38 +01:00
Jack Grigg
15f9d254d9
Migrate to latest `halo2` API
...
- `halo2::plonk::{create_proof, verify_proof}` now take instance columns
as slices of values.
- `halo2::plonk::Permutation` has been replaced by a global permutation,
to which columns can be added with `ConstraintSystem::enable_equality`.
- The introduction of blinding rows means that various tests now require
larger circuit parameters.
2021-07-19 12:53:38 +01:00
str4d
cf4c78f9a1
Merge pull request #145 from zcash/refactor-short-scalar
...
Refactor `mul_fixed_short` API to copy in (`magnitude`, `sign`)
2021-07-19 12:48:52 +01:00
therealyingtong
1b615a40ee
Fix documentation in decompose_running_sum.
2021-07-19 19:14:32 +08:00
ying tong
c23897ea8d
Apply suggestions from code review
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-07-19 19:01:06 +08:00
therealyingtong
c444ddebf8
Documentation and variable naming cleanups.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-19 18:48:49 +08:00
therealyingtong
fe95122ef7
mul_fixed::base_field_elem: Remove duplicate coords check gate.
...
The coordinate check for an element decomposed using a running sum
is enforced by mul_fixed::Config::running_sum_coords_gate().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-19 18:08:22 +08:00
therealyingtong
91b8ea20e4
mul_fixed::short.rs: Fix magnitude bound in test.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-18 00:13:23 +08:00
therealyingtong
90b59baca5
mul_fixed: Remove unused selectors and duplicate gates.
...
Selectors previously used in the witness_scalar_* APIs, such as
q_scalar_fixed and q_scalar_fixed_short, are now removed. The
remaining selectors have been renamed for clarity.
The coordinates check for scalars decomposed using a running sum
has been moved into the mul_fixed.rs file, instead of being
duplicated in both mul_fixed::base_field_elem and mul_fixed::short.
The decompose_scalar_fixed() method is now only used in
mul_fixed::full_width, and has been moved there.
2021-07-18 00:10:15 +08:00
therealyingtong
179cd8e940
base_field_elem: Remove z_85_alpha = 0 check from canonicity gate.
...
The decompose_running_sum gadget in strict mode already enforces
this check.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-18 00:09:39 +08:00
therealyingtong
e846536b4e
decompose_running_sum: Remove NUM_WINDOWS, WORD_NUM_BITS const generics
...
These are now provided as inputs to the witness_decompose() and
copy_decompose() methods. This allows us to reuse the same config
for different word/window lengths, avoiding a duplicate constraint
creation.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-17 12:10:13 +08:00
therealyingtong
90474995a7
Add mul_short::tests cases and address review comments.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-17 00:44:56 +08:00
therealyingtong
32f3068886
ecc.rs: Add MulFixedBaseField type.
...
In the Orchard protocol, only the NullifierK fixed base is used in
scalar multiplication with a base field element.
The mul_fixed_base_field_elem() API does not have to accept fixed
bases other than NullifierK; conversely, NullifierK does not have
to work with the full-width mul_fixed() API.
2021-07-15 20:51:52 +08:00
therealyingtong
1681463856
mul_fixed::short::tests: Test negative mul_with_double case.
2021-07-15 20:51:43 +08:00
therealyingtong
e21b193a17
mul_fixed::short::tests: Test invalid magnitude and sign.
...
Check that a magnitude larger than 64 bits results in a constraint
failure.
Check that a sign other than +/- 1 results in a constraint failure.
2021-07-15 20:51:42 +08:00
therealyingtong
a8bd2d6abf
mul_fixed::short: Copy (magnitude, sign) instead of witnessing Scalar.
...
In the Orchard circuit, the short signed scalar is v_old - v_new,
which will be witnessed as two cells: a 64-bit magnitude, and a
sign that is +/- 1.
2021-07-15 20:46:51 +08:00
therealyingtong
426f954b1d
gadget::ecc.rs: Inline witness_scalar_* APIs.
...
Witness a scalar in the region where it is used for multiplication,
instead of witnessing it separately and then copying it in.
2021-07-15 20:46:46 +08:00
therealyingtong
32f28ed4b0
gadget::ecc.rs: Bound EccInstructions on UtilitiesInstructions.
2021-07-15 20:46:40 +08:00
therealyingtong
7b497c53a3
mul_fixed::base_field_elem: Use decompose_running_sum helper.
2021-07-15 20:46:22 +08:00
therealyingtong
ee062bae3d
gadget::utilities: Add decompose_running_sum helper.
...
This decomposes a field element into K-bit windows using a
running sum. Each step of the running sum is range-constrained.
In strict mode, the final output of the running sum is constrained
to be zero.
This helper asserts K <= 3.
2021-07-15 20:46:21 +08:00
str4d
f3c9b6cedc
Merge pull request #144 from zcash/bump-halo2
...
Migrate to latest `halo2::plonk::Circuit` API
2021-07-15 13:33:53 +01:00
Jack Grigg
ac70a6bfdf
test: Print Merkle path test circuit layout
...
Requires fixing an unnecessary unwrap in the test circuit's synthesis.
2021-07-15 11:25:22 +01:00