In order to make the changeover easier to review, we redefined
`CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and
rename throughout the codebase.
As the underlying `Region` methods now return `AssignedCell` instead of
`Cell`, we can simplify all the places where we then constructed a
`CellValue` struct.
We change `CellValue` into a typedef of `AssignedCell` to simplify the
migration in this commit.
The migration from `CellValue` to `AssignedCell` requires several other
changes:
- `<CellValue as Var>::value()` returned `Option<F>`, whereas
`AssignedCell::<F, F>::value()` returns `Option<&F>`. This means we
need to dereference, use `Option::cloned`, or alter functions to take
`&F` arguments.
- `StateWord` in the Poseidon chip has been changed to a newtype around
`AssignedCell` (the chip was written before `CellValue` existed).
This is necessary because the blinding factor r can be zero with greater
than negligible probability in an adversarial case, which with incomplete
addition would cause the circuit to compute a commitment that is not on
the curve.
By rearranging the pieces in the gate, we remove a prev() query and
preserve proximity between pieces involved in the same constraint.
This commit also includes several minor fixes:
- use strict mode for decomposition of j in y-coordinate check;
- Name All Polynomial Constraints;
- remove point_repr() helper function;
- variable renaming and docfixes.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Instead of separately witnessing k_1 and equating it to z1_j, we
can directly make use of z1_j in the gate. This allows us to fit
the region into a 5 x 2 area, improving the layout.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Even though we only use the LSB of the y-coordinates as inputs to
the Sinsemilla hash, we still have to check that they are consistent
with the g_d and pk_d points that were passed in.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Change the region layout to only use 9 advice columns instead of 10.
Also rename variables to match the book.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Previously, these two helpers were returning different outputs.
They have now been standardised to return only the full running
sum.
Note the z_0 is the original element being decomposed by the
helper.
Previously, l_plus_1 was a non-binary fixed column, used to
1. provide the value of l + 1; and
2. toggle the decomposition gate.
Now, the value is copied in from the global constants column, and
the toggle is handled by a binary q_decompose selector.
Previously, fixed_y_q was a non-binary selector that both loaded
the y_Q value and toggled the y_Q gate.
Now, the gate is toggled by a q_s4 simple selector, while the value
is loaded into a separate fixed column.
Jack Grigg
therealyingtong
Daira Hopwood