therealyingtong
1681463856
mul_fixed::short::tests: Test negative mul_with_double case.
2021-07-15 20:51:43 +08:00
therealyingtong
e21b193a17
mul_fixed::short::tests: Test invalid magnitude and sign.
...
Check that a magnitude larger than 64 bits results in a constraint
failure.
Check that a sign other than +/- 1 results in a constraint failure.
2021-07-15 20:51:42 +08:00
therealyingtong
a8bd2d6abf
mul_fixed::short: Copy (magnitude, sign) instead of witnessing Scalar.
...
In the Orchard circuit, the short signed scalar is v_old - v_new,
which will be witnessed as two cells: a 64-bit magnitude, and a
sign that is +/- 1.
2021-07-15 20:46:51 +08:00
therealyingtong
426f954b1d
gadget::ecc.rs: Inline witness_scalar_* APIs.
...
Witness a scalar in the region where it is used for multiplication,
instead of witnessing it separately and then copying it in.
2021-07-15 20:46:46 +08:00
therealyingtong
32f28ed4b0
gadget::ecc.rs: Bound EccInstructions on UtilitiesInstructions.
2021-07-15 20:46:40 +08:00
therealyingtong
7b497c53a3
mul_fixed::base_field_elem: Use decompose_running_sum helper.
2021-07-15 20:46:22 +08:00
therealyingtong
ee062bae3d
gadget::utilities: Add decompose_running_sum helper.
...
This decomposes a field element into K-bit windows using a
running sum. Each step of the running sum is range-constrained.
In strict mode, the final output of the running sum is constrained
to be zero.
This helper asserts K <= 3.
2021-07-15 20:46:21 +08:00
str4d
f3c9b6cedc
Merge pull request #144 from zcash/bump-halo2
...
Migrate to latest `halo2::plonk::Circuit` API
2021-07-15 13:33:53 +01:00
Jack Grigg
ac70a6bfdf
test: Print Merkle path test circuit layout
...
Requires fixing an unnecessary unwrap in the test circuit's synthesis.
2021-07-15 11:25:22 +01:00
Jack Grigg
d47a7d2105
Migrate to latest halo2 Circuit APIs
...
- The `Circuit` trait now has a `FloorPlanner` associated type.
- `circuit_layout` has been replaced by `CircuitLayout`.
2021-07-15 11:22:25 +01:00
str4d
cc3e1ad0b4
Merge pull request #111 from zcash/ecc-mul
...
[ECC chip] Fixed- and variable-base scalar multiplication
2021-07-15 11:16:12 +01:00
therealyingtong
425ee6e038
Docfixes and minor refactors.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-15 12:27:12 +08:00
therealyingtong
b696163e31
mul.rs: Explain ordering of mul::incomplete advice columns.
2021-07-14 18:30:43 +08:00
Daira Hopwood
43ffa37740
[book] Nullifiers: the scalar is (...) mod p, not ... (mod p).
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-12 20:24:18 +01:00
Daira Hopwood
c76358769c
book/src/design/nullifiers.md: cosmetics (make the table fit).
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-12 20:20:00 +01:00
therealyingtong
2dd23f47b8
[book] Update constraints for short signed fixed-base mul.
...
Previously, we witnessed the magnitude of a short signed scalar
directly as three-bit windows. Now, we decompose and range-constrain
it using a running sum.
2021-07-12 11:58:32 +08:00
therealyingtong
0ade539441
utilities::tests::test_range_check(): Test range_check() helper.
...
Verify that this constraint fails when the witnessed value is out
of range.
2021-07-09 23:17:42 +08:00
ying tong
7b3a0c8a29
Merge pull request #54 from zcash/book-ecc-gadget
...
[book] Document ECC gadget in circuit
2021-07-09 22:18:16 +08:00
therealyingtong
6c41c72e66
utilities::range_check: Correct range_check expression
...
Previously, we were multiplying the expression by 0, which led it
to always evaluate to true.
2021-07-09 22:03:26 +08:00
therealyingtong
32ea1cce27
constants::util::evaluate(): Replace fold() with reduce().
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-09 10:42:45 +08:00
therealyingtong
8a9f8218e9
mul_fixed::base_field_elem: Remove double-enable of base_field_fixed_mul.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-09 10:23:40 +08:00
therealyingtong
d9f134ac4b
[book] Details and formatting changes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-09 10:09:10 +08:00
str4d
74df35ce89
Merge pull request #136 from nuttycom/total_merkle_crh_orchard
...
Implements the updated, total definition of MerkleCRH^Orchard
2021-07-09 02:26:10 +01:00
ying tong
2febafbdfe
Apply suggestions from code review
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: str4d <jack@electriccoin.co>
2021-07-08 16:40:44 +08:00
therealyingtong
ae4e54dce8
gadget::utilities: Add test cases for bitrange_subset() helper.
2021-07-08 16:29:07 +08:00
therealyingtong
5c38f53b58
mul::tests: Witness expected point and constrain result to be equal.
2021-07-08 15:17:52 +08:00
therealyingtong
e2ea443fad
mul_fixed::*::tests: Witness expected point and constrain result to be equal.
2021-07-08 15:06:47 +08:00
therealyingtong
22ec16f129
Minor refactors, cleanups, clippy fixes, docfixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-08 13:31:56 +08:00
therealyingtong
96863c9f73
mul_fixed::*: Use a separate region for complete addition assignment.
...
The mul_fixed regions use complete addition on the last window,
and incomplete addition on all other windows. However, the complete
addition does not depend on any offsets in the incomplete addition
region, and can be separated into a disjoint region. Since incomplete
addition uses only four advice columns, while complete addition uses
nine, separating the regions would allow the layouter to optimise
their placement.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-08 12:04:43 +08:00
therealyingtong
d0e34cd204
mul_fixed::base_field_elem: Eliminate alpha_0 lookup decomposition.
...
We can use the three-bit existing running sum decomposition to
constrain alpha_0 to be within 130 bits. This removes the need for
a 10-bit lookup decomposition of alpha_0.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-08 11:24:18 +08:00
therealyingtong
afc8d9a142
[book] Eliminate alpha_0 lookup decomposition when checking canonicity of base field element used in fixed-base mul.
2021-07-08 11:12:13 +08:00
therealyingtong
f42d48b8a4
mul_fixed::base_field_elem: Fix two_pow_130 expression.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-08 08:49:46 +08:00
therealyingtong
ae72501b70
mul_fixed::base_field_elem: Add constraint alpha_2 = 0 => alpha_1 = 0.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-07 23:12:31 +08:00
therealyingtong
72e469ee10
mul_fixed::base_field_elem.rs: Check canonicity of base field element used in fixed-base scalar mul.
...
When using a base field element as the scalar in fixed-base mul,
we check the canonicity of its decomposition.
2021-07-07 23:12:31 +08:00
therealyingtong
b69094036c
chip::mul_fixed.rs: Make q_mul_fixed a selector instead of fixed column.
2021-07-07 23:12:31 +08:00
therealyingtong
23f2ed5abe
gadget::utilities.rs: Add bitrange_subset() helper.
2021-07-07 23:12:31 +08:00
therealyingtong
2d343af068
Update mul_fixed_* APIs to take Layouter instead of Region.
...
These APIs are not called internally.
2021-07-07 23:10:59 +08:00
therealyingtong
d550e156d9
mul_fixed_*::tests: Constrain zero outputs in mul_fixed tests.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
therealyingtong
9fd4d7df27
Cleanups and clippy fixes.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-07 23:10:59 +08:00
therealyingtong
2536555299
mul_fixed: Constrain interpolated window mul to be on curve.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
Jack Grigg
67caed52eb
mul::incomplete: Constrain final iteration correctly
...
The differences between the final iteration and prior iterations are:
- The final iteration does not constrain (x_T, y_T) to propagate down.
- The final iteration constrains an assigned y_A output instead of a
derived y_A from the next iteration's variables.
We also swap the init_y constraint to match the book.
Co-authored-by: therealyingtong <yingtong@z.cash>
2021-07-07 23:10:59 +08:00
therealyingtong
33b66ab796
tests::print_ecc_chip(): Print ECC chip.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
therealyingtong
3f961ab29a
mul::process_lsb(): Clean up assignments and boolean-constrain LSB.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
therealyingtong
6ffd867e23
mul::complete.rs: Constrain negation of (x_p, y_p) in double-and-add.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
therealyingtong
e75c176181
mul::incomplete.rs: Make offsets more intuitive
2021-07-07 23:10:59 +08:00
therealyingtong
4d69dec00f
mul::incomplete.rs: Constrain first and last y_a values.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
therealyingtong
b363492a35
ecc::chip.rs: Introduce circuit-wide "constants" fixed column
...
At certain points in the circuit, we need to constrain cells in
advice columns to equal a fixed constant. Instead of defining a
new fixed column for each constant, we pass around a single
shared by all chips, that is included in the permutation over all
advice columns.
This lets us load all needed constants into a single column and
directly constrain advice cells with an equality constraint.
2021-07-07 23:10:59 +08:00
therealyingtong
69d6629ac6
chip::mul.rs: Enforce LSB if/else condition
...
On the LSB of the scalar, we assign a point (x,y) = (x_p, -y_p)
if LSB = 0, and (0,0) otherwise. This if/else condition must be
enforced.
Co-authored-by: Sean Bowe <ewillbefull@gmail.com>
2021-07-07 23:10:59 +08:00
Jack Grigg
e726fee19b
mul_fixed: Avoid computing fixed constants during proving
...
This decreases proving time in the Action circuit by 17%.
2021-07-07 23:10:59 +08:00
Jack Grigg
b15343f6f7
Add `OrchardFixedBasesFull::{generator, u}` methods
...
Using these in `OrchardFixedBases::{generator, u}` instead of the
`impl From<OrchardFixedBasesFull> for OrchardFixedBase` means we avoid
computing the Lagrange coefficients for the generator (which were then
immediately dropped).
This decreases proving time in the Action circuit by 53%.
2021-07-07 23:10:59 +08:00