The sinsemilla submodules note_commit and commit_ivk are tailored
for input lengths specific to Orchard. They have been moved out of
the gadget folder and into the circuit folder.
This also involves changing the visibility of some getter functions
to be usable outside gadget::sinsemilla.
In order to make the changeover easier to review, we redefined
`CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and
rename throughout the codebase.
As the underlying `Region` methods now return `AssignedCell` instead of
`Cell`, we can simplify all the places where we then constructed a
`CellValue` struct.
We change `CellValue` into a typedef of `AssignedCell` to simplify the
migration in this commit.
The migration from `CellValue` to `AssignedCell` requires several other
changes:
- `<CellValue as Var>::value()` returned `Option<F>`, whereas
`AssignedCell::<F, F>::value()` returns `Option<&F>`. This means we
need to dereference, use `Option::cloned`, or alter functions to take
`&F` arguments.
- `StateWord` in the Poseidon chip has been changed to a newtype around
`AssignedCell` (the chip was written before `CellValue` existed).
This is necessary because the blinding factor r can be zero with greater
than negligible probability in an adversarial case, which with incomplete
addition would cause the circuit to compute a commitment that is not on
the curve.
By rearranging the pieces in the gate, we remove a prev() query and
preserve proximity between pieces involved in the same constraint.
This commit also includes several minor fixes:
- use strict mode for decomposition of j in y-coordinate check;
- Name All Polynomial Constraints;
- remove point_repr() helper function;
- variable renaming and docfixes.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Instead of separately witnessing k_1 and equating it to z1_j, we
can directly make use of z1_j in the gate. This allows us to fit
the region into a 5 x 2 area, improving the layout.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Even though we only use the LSB of the y-coordinates as inputs to
the Sinsemilla hash, we still have to check that they are consistent
with the g_d and pk_d points that were passed in.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Change the region layout to only use 9 advice columns instead of 10.
Also rename variables to match the book.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Previously, these two helpers were returning different outputs.
They have now been standardised to return only the full running
sum.
Note the z_0 is the original element being decomposed by the
helper.
Previously, l_plus_1 was a non-binary fixed column, used to
1. provide the value of l + 1; and
2. toggle the decomposition gate.
Now, the value is copied in from the global constants column, and
the toggle is handled by a binary q_decompose selector.
Previously, fixed_y_q was a non-binary selector that both loaded
the y_Q value and toggled the y_Q gate.
Now, the gate is toggled by a q_s4 simple selector, while the value
is loaded into a separate fixed column.