therealyingtong
426f954b1d
gadget::ecc.rs: Inline witness_scalar_* APIs.
...
Witness a scalar in the region where it is used for multiplication,
instead of witnessing it separately and then copying it in.
2021-07-15 20:46:46 +08:00
therealyingtong
32f28ed4b0
gadget::ecc.rs: Bound EccInstructions on UtilitiesInstructions.
2021-07-15 20:46:40 +08:00
Jack Grigg
d47a7d2105
Migrate to latest halo2 Circuit APIs
...
- The `Circuit` trait now has a `FloorPlanner` associated type.
- `circuit_layout` has been replaced by `CircuitLayout`.
2021-07-15 11:22:25 +01:00
therealyingtong
5c38f53b58
mul::tests: Witness expected point and constrain result to be equal.
2021-07-08 15:17:52 +08:00
therealyingtong
e2ea443fad
mul_fixed::*::tests: Witness expected point and constrain result to be equal.
2021-07-08 15:06:47 +08:00
therealyingtong
d550e156d9
mul_fixed_*::tests: Constrain zero outputs in mul_fixed tests.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
therealyingtong
33b66ab796
tests::print_ecc_chip(): Print ECC chip.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
therealyingtong
b363492a35
ecc::chip.rs: Introduce circuit-wide "constants" fixed column
...
At certain points in the circuit, we need to constrain cells in
advice columns to equal a fixed constant. Instead of defining a
new fixed column for each constant, we pass around a single
shared by all chips, that is included in the permutation over all
advice columns.
This lets us load all needed constants into a single column and
directly constrain advice cells with an equality constraint.
2021-07-07 23:10:59 +08:00
therealyingtong
09b4da197d
base_field_elem.rs: Support fixed-base mul using base field element.
...
In Orchard nullifier derivation, we multiply the fixed base
K^Orchard by a value encoded as a base field element. This commit
introduces an API that allows using a base field element as the
"scalar" in fixed-base scalar multiplication.
The API currently assumes that the base field element is output by
another instruction (i.e. there is no instruction to directly
witness it).
2021-07-07 23:10:59 +08:00
therealyingtong
5ae9890913
mul::overflow.rs: Overflow check in variable-base scalar mul
...
Simplify the canonicity check for variable-base scalar multiplication,
by range-checking the low 130 bits rather than the low 127 bits.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: ying tong <yingtong@z.cash>
2021-07-07 23:10:59 +08:00
therealyingtong
a3ca27b756
ecc::tests: Add tests for variable- and fixed-base scalar mul.
2021-07-07 23:10:59 +08:00
therealyingtong
8a8df98a50
add_incomplete::tests: Constrain output of `P + Q` test.
...
Also minor docfixes and refactors.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-14 00:19:21 +08:00
therealyingtong
7341996d2c
gadget::ecc.rs: Add EccInstructions::constrain_equal() instruction.
...
This allows us to constrain two points to be equal in value at the
gadget level.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 21:26:30 +08:00
therealyingtong
e259bb3846
ecc::chip.rs: Use concrete pallas::Affine for Chip impl.
...
The EccInstructions trait is still generic over C: CurveAffine;
however, the EccChip implementation is specific to the pasta
curves.
2021-06-12 20:25:09 +08:00
ying tong
e1779dab70
Docfixes and minor refactors.
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-06-12 12:41:27 +08:00
therealyingtong
aff56e6763
ecc::chip.rs: Make EccPoint.x, EccPoint.y private fields
...
Also add public getters x() and y().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-12 12:41:27 +08:00
therealyingtong
433791fcb0
chip::witness_point.rs: Allow witnessing the identity.
2021-06-12 12:41:27 +08:00
therealyingtong
36d7888c1c
ecc.rs: Add tests for complete and incomplete addition.
2021-06-12 12:41:27 +08:00
therealyingtong
6627b2258f
ecc::chip.rs: Add ECC chip.
...
Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-12 12:41:27 +08:00
therealyingtong
e15648cb67
gadget::ecc: Remove representations of fixed points in the circuit
...
Fixed points are represented by precomputed window tables. These
are not "initialized" in the circuit at any single point, but are
loaded into fixed columns at the offsets where the fixed points
are used.
Thus, we don't need FixedPoint and get_fixed() in the circuit.
Similarly, we can remove FixedPointShort and get_fixed_short().
2021-06-12 12:41:27 +08:00
therealyingtong
ff504c1a3f
Address review comments.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 17:14:13 +08:00
therealyingtong
2962115aef
Reintroduce point doubling API
2021-05-18 16:54:52 +08:00
therealyingtong
af30f4b141
Add Eq to the EccChip trait
2021-05-18 16:12:06 +08:00
therealyingtong
caa3791562
Documentation fixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 16:07:40 +08:00
therealyingtong
edea9bde73
Document incomplete point addition error handling
2021-05-18 13:28:17 +08:00
therealyingtong
c8076c2864
Add FixedPointsShort associated type
2021-05-18 13:28:17 +08:00
therealyingtong
74c797165f
Add range check for short scalar
2021-05-18 13:28:16 +08:00
therealyingtong
db60fd2262
Add FixedPointShort associated type
2021-05-06 15:55:15 +08:00
therealyingtong
6a64bc1c37
Expose Point.add_incomplete()
2021-05-06 12:54:21 +08:00
therealyingtong
4f2b4d2935
Address review comments
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-05-05 20:23:29 +08:00
therealyingtong
4bf6202c35
Modify ECC gadget to work with chip refactor
2021-05-04 12:11:28 +08:00
Jack Grigg
bbf2dc271e
Add ECC gadgets and instructions
...
Migrated from the halo2 crate; we may re-upstream them later (or move
gadgets into their own crate) once we've stabilised them.
2021-02-25 18:11:46 +00:00