- The crate module structure from `orchard` has been flattened.
- The book pages we want to include in `halo2` have been moved to their
target location, to avoid any conflicts during the merge.
- Common files that already exist in zcash/halo2 have been removed.

We define some simple fixed bases around the default Pallas generator,
and a simple Sinsemilla instantiation. The tests now compile and pass.
Co-authored-by: ying tong <yingtong@z.cash>

The tests do not compile as of this commit, due to Orchard-specific
constants being deleted, but everything else compiles.
Co-authored-by: ying tong <yingtong@z.cash>

Previously `plonk::verify_proof` took an `MSM` as an argument, to enable
batch verification. However, this also required that it take a source of
randomness in order to enforce separation of proofs within a batch. This
made single-proof verification unnecessarily non-deterministic.

We now have a `VerificationStrategy` trait encapsulating the necessary
details, and separate `SingleVerifier` and `BatchVerifier` structs for
the specific variants. Proof verifiers no longer need to create and
manage the `MSM` themselves, and single-proof verifiers no longer need
to supply a source of randomness.
Co-authored-by: Sean Bowe <sean@electriccoin.co>

Previously we were passing through the chunk size and index to each
thread's evaluation context, but this was insufficient for them to
determine whether or not they were processing the final chunk, or if
the final chunk was short. This led to constant and linear term chunks
being created with the full chunk size, even if the last chunk was
short. If this longer-than-short chunk reached the root of the AST, it
triggered a panic in the final `copy_from_slice()`.

The bug was obscured in two ways:
- Currently polynomials always have a power-of-two length, and on CPUs
with power-of-two threads this meant we never produced short chunks.
- The way that subsequent operations like `Ast::Add` were implemented
meant that if a constant or linear term occurred on the right-hand
side of an operation, the longer chunks were masked to the short chunk
length.

We fix this by passing the polynomial length into each thread's context,
so that we can compute the correct length for the final chunk.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
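
The final-chunk length bug described in the commit message above, as an added Rust illustration that is not code from halo2. All function names are hypothetical, field elements are replaced by `u64`, and the point where `copy_from_slice()` would panic is reported as an `Err` instead.

```rust
// Added illustration; all names are hypothetical, not halo2's API.
// Field elements are stood in for by u64 (an assumption for brevity).

/// Length of chunk `index` when `poly_len` coefficients are split into
/// chunks of `chunk_size`. Only the final chunk can be short.
fn chunk_len(poly_len: usize, chunk_size: usize, index: usize) -> usize {
    poly_len.saturating_sub(index * chunk_size).min(chunk_size)
}

/// Constant-term chunk. `poly_len: None` models the old context, which knew
/// only the chunk size and index and so always produced a full-size chunk.
fn constant_chunk(c: u64, poly_len: Option<usize>, chunk_size: usize, index: usize) -> Vec<u64> {
    let len = poly_len.map_or(chunk_size, |n| chunk_len(n, chunk_size, index));
    vec![c; len]
}

/// In-place addition: the result keeps the left-hand length, so an
/// over-long right-hand chunk is silently masked.
fn add(mut lhs: Vec<u64>, rhs: &[u64]) -> Vec<u64> {
    for (l, r) in lhs.iter_mut().zip(rhs) {
        *l = l.wrapping_add(*r);
    }
    lhs
}

/// Evaluate `c + poly` (constant on the left) or `poly + c`, chunk by chunk.
/// Returns Err where the final `copy_from_slice()` would have panicked.
fn eval(poly: &[u64], c: u64, chunk_size: usize, const_on_left: bool, pass_len: bool) -> Result<Vec<u64>, String> {
    let mut out = vec![0u64; poly.len()];
    let ctx_len = if pass_len { Some(poly.len()) } else { None };
    for (i, (dst, p)) in out.chunks_mut(chunk_size).zip(poly.chunks(chunk_size)).enumerate() {
        let k = constant_chunk(c, ctx_len, chunk_size, i);
        let res = if const_on_left { add(k, p) } else { add(p.to_vec(), &k) };
        if res.len() != dst.len() {
            return Err(format!("chunk {}: {} values for {} slots", i, res.len(), dst.len()));
        }
        dst.copy_from_slice(&res);
    }
    Ok(out)
}

fn main() {
    let poly: Vec<u64> = (0..8).collect(); // constructed power-of-two-length input
    // Chunk size 3 (e.g. 3 threads) leaves a final chunk of 2 elements.
    println!("{:?}", eval(&poly, 10, 3, true, false)); // Err: long chunk reaches the root
    println!("{:?}", eval(&poly, 10, 3, false, false)); // Ok: masked on the right-hand side
    println!("{:?}", eval(&poly, 10, 4, true, false)); // Ok: no short chunk exists
    println!("{:?}", eval(&poly, 10, 3, true, true)); // Ok: length passed into the context
}
```
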
The type inference algorithm seems to have been simplified,
meaning that the combination of `T::from(x.into())` doesn't work anymore.
In any case, the code was also incomprehensible to a human, as it's not clear
by which "route" it does the transformation. It took me a few minutes to
figure out it's a `u64`.

These have been replaced by operations on either `poly::Ast` nodes, or
operations directly on chunks of polynomials within a higher-level
parallelism context.

Addition and scalar multiplication are (currently) still used in various
areas of the prover, so those are left in place.

This saves a bunch of `Clone`s and `Drop`s, which were consuming
significant amounts of time in large circuits (Orchard), which meant we
didn't save as much time as we could :)

The sinsemilla submodules `note_commit` and `commit_ivk` are tailored
for input lengths specific to Orchard. They have been moved out of
the gadget folder and into the circuit folder.

This also involves changing the visibility of some getter functions
to be usable outside `gadget::sinsemilla`.