This currently matches the first region on the row that matches any
input column, which will result in some mismatches. To fix this, we will
need to track the columns of complex selectors.
`PrimeField::from_repr` explicitly leaves the endianness opaque. We
therefore can't use it in places we were using `FieldExt::from_bytes`
(which was specifically little-endian) generically, but the previous
commit replaced it everywhere. We now handle generic contexts on a
case-by-case basis:
- Where we needed to convert bitstrings into field elements, we now use
double-and-add on the field elements directly instead of on bytes.
This is less efficient, but visible correct (and a future change to
the `ff` crate APIs could enable the more efficient version).
- `INV_TWO_POW_K`, which is pre-computed for `pallas::Base`, was being
incorrectly used in a field-generic circuit. We now compute it live.
- `test_zs_and_us` was only used in tests, and hard-coded a field
element encoding length of 32 bytes. It now uses Pallas concretely.
`ak_P` is not allowed to be the identity in the Orchard protocol. We
were enforcing this by construction in most places, except for the
parsing of an Orchard full viewing key.
Closeszcash/orchard#261.
If the rational would evaluate to zero, we need to ignore it instead of
using its denominator in normal rational addition equations. This fixes
the tests we added in the last two commits.
In the previous commit, we fixed a bug where padding was being added to
the state when the sponge was in squeezing mode. But there's no need to
assign a circuit region in which we add constant zeroes to the state :)
Sponge constructions pad the entire input message and then split it into
rate-sized chunks. The previous implementation was using an incorrect
duplex-like hybrid where padding was applied to each chunked input. We
now use an enum to distinguish message and padding words being absorbed
into the sponge.
This also fixes two previous bugs:
- If a `ConstantLength` hash had a length greater than the permutation's
rate but not a multiple of it, no padding would be generated and the
circuit would fail to create proofs.
- If a sponge usage required more output than the permutation's rate,
the squeeze-side permutations would in some cases incorrectly apply
padding, when it should instead use the prior state as-is. We now add
zeroes instead.
This change doesn't alter the Orchard circuit, because it doesn't need
any padding cells, only takes a single field element as output, and
padding is still assigned in the same region as before.
For almost all the sponge constructions defined in the Poseidon paper,
the domain can be defined completely statically. Variable-length hashing
requires knowledge of the message length, but that can be provided to
the fixed padding function in a subsequent commit, and in any case we
can't use variable-length inputs in a circuit.
The `Sponge` struct's API correctly enforces the properties of a sponge:
it can absorb an arbitrary number of elements, and then squeeze an
arbitrary number of elements, but cannot absorb after it has squeezed.
Co-authored-by: ying tong <yingtong@z.cash>
The tests for addition and subtraction expose a bug in the addition
implementation, which does not correctly handle the `1/0 -> 0` map that
`inv0` is defined to perform.
Criterion's benchmark grouping does not match on group names; it only
groups benchmarks that are run prior to that specific benchmark group
instance being dropped. Since each benchmark group holds a mutable
reference to the criterion instance, this means we can't have multiple
active groups collecting measurements. Instead, we need to collect the
proving benchmarks for all recipient numbers, followed by verification
benchmarks.
The ECC test chip performs various checks that assume the chip will only
be synthesized with witnesses. This assumption is broken by the chip
printer test, so we fix the assumption here.
The benchmark action's "cargo" tooling assumes the standard bencher
output format, and can't parse criterion's output. Fortunately,
criterion can also provide bencher output for compatibility.
In order to pass criterion flags via `cargo bench`, we need to ensure
that all benchmarks use it (otherwise the flags are rejected by the
built-in benchmark harness as unknown). Since we don't actually have any
benchmarks inside the library itself, we simply disable its benchmark
harness.
- Added keygen benchmark.
- Refactored to extract common prover and verifier logic.
- Benchmarks are now grouped.
- Prover (and keygen) benchmarks now only take 10 samples instead of 100
(to make them feasible to collect in CI).
The workflow will comment on commits that cause a performance regression
of at least 200% (e.g. proving taking twice as long); we'll tune this as
we figure out how well benchmarking works on standard GitHub builders.
In order to make the changeover easier to review, we redefined
`CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and
rename throughout the codebase.