zec
/
halo2
mirror of https://github.com/zcash/halo2.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
886 Commits 40 Branches 6 Tags 58 MiB
Commit Graph

641 Commits

Author SHA1 Message Date
Jack Grigg bdaf9d06cc clippy: Allow binary operators in IncompletePoint addition 
It's not suspicious, it's constant time! :D
 2021-04-22 12:09:32 +12:00
Jack Grigg 09e70cb6e3 Improve performance of IncompletePoint addition 
We only need to track the occurrence of any edge cases, and we can do so
without expensive inversions at every addition step, by instead
performing the checks on the projective form directly.
 2021-04-22 12:01:59 +12:00
str4d 31d1a67837
Expand documentation of conditions on SpendingKeys 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-04-21 23:28:32 +01:00
Jack Grigg c7b9ce0ea9 Fix a clippy lint 
This was leftover after an intermediate refactor that introduced
`hash_to_point_inner`.
 2021-04-20 23:57:59 +12:00
Jack Grigg b1286b4e94 Fix bundle::Action to hold cmx instead of cm 2021-04-20 10:26:58 +12:00
Jack Grigg c08d12cc52 Use incomplete addition in SinsemillaHashToPoint 
This requires exposing the ⊥ case throughout the return types. We
prevent it from propagating into the Orchard note and key types by
ensuring that:

- When we generate keys or notes, if we encounter ⊥ we discard and
  re-generate.
- When we construct keys or notes via any other pathway (e.g. parsing
  from bytes), we check for and reject ⊥.
 2021-04-20 10:05:56 +12:00
Jack Grigg 907ff46078 Simulate incomplete addition 
Sinsemilla will use incomplete addition inside the circuit for
efficiency, but the pasta_curves crate uses complete addition.
 2021-04-20 10:04:44 +12:00
Jack Grigg badaf23f25 Implement ValueCommit^Orchard 2021-04-15 17:08:06 +12:00
Jack Grigg 4c34a61c57 Use const generics for poseidon::ConstantLength 2021-03-30 14:13:15 +13:00
str4d 92cfa372e0
Merge pull request #44 from zcash/note-structure 
Note structure
 2021-03-30 14:01:56 +13:00
Jack Grigg 0f8c5b7dd3 Document TODO for SinsemillaShortCommit usage 
https://github.com/zcash/orchard/issues/55
 2021-03-30 13:55:29 +13:00
Jack Grigg 3b14cfc133 Fix link to NU5 protocol spec draft 2021-03-30 13:54:23 +13:00
Jack Grigg 5646ada113 Make nk the first argument to Nullifier::derive 
This more closely matches DeriveNullifier in the spec.
 2021-03-30 13:52:20 +13:00
Jack Grigg 061ad0656b Refactor Poseidon primitive to use const generics 2021-03-26 09:07:38 +13:00
Jack Grigg 0f6eb9ca6c Nullifier derivation 2021-03-26 07:51:05 +13:00
Jack Grigg 1a37ca492d Extract spec::mod_r_p helper from spec::commit_ivk 2021-03-26 07:51:05 +13:00
Jack Grigg 680c917ce6 Note commitment derivation 2021-03-26 07:51:05 +13:00
str4d ee2bfa7f43
Merge pull request #41 from zcash/poseidon-primitive 
Poseidon primitive
 2021-03-26 07:36:45 +13:00
therealyingtong a2c1bfb52a Remove unnecessary clone() 
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-03-24 12:30:03 +08:00
therealyingtong 9c75839e62 Minor changes 
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-03-24 12:25:28 +08:00
therealyingtong 7a210fabf3 Store HashDomain in CommitDomain 
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-03-24 12:11:13 +08:00
therealyingtong 18fba2a62e Add getters for Q() and R() 2021-03-24 12:10:37 +08:00
therealyingtong 873e1b7d7e Call hash_to_curve() only when constructing new domain 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-03-24 12:10:37 +08:00
ying tong 946b50ebfe Add documentation 
Co-authored-by: str4d <jack@electriccoin.co>
 2021-03-24 12:09:11 +08:00
therealyingtong a3134e34c5 Introduce HashDomain and CommitDomain traits 
Co-authored-by: Jack Grigg <thestr4d@gmail.com>
 2021-03-24 12:09:11 +08:00
therealyingtong ee969a64a8 Add Sinsemilla constants 2021-03-24 12:09:11 +08:00
Jack Grigg b8f02c3b32 Temporarily allow dead code 
This will make the lints more useful while we are implementing the
Orchard protocol.
 2021-03-20 18:31:22 +13:00
Jack Grigg 1ceb60379f poseidon: Clarify that R_F must be even 2021-03-18 16:47:06 +13:00
Jack Grigg 4c3e20535d poseidon: s/arity/width 
To match the paper more closely (arity specifically refers to Merkle
tree instantiations).
 2021-03-18 16:47:04 +13:00
Jack Grigg 2beb6c3e82 Invert the Poseidon test vectors for Orchard 
We now hard-code the Poseidon round constants and MDS for the Poseidon
specification used for Orchard nullifiers, as produced by the reference
implementation, and test that our constant generation can recreate them.
 2021-03-18 16:47:01 +13:00
Jack Grigg 872471af17 Fix Poseidon instance definition 
For Orchard, we want a Poseidon instance with a width of 3 field
elements and an output of one field element. The Poseidon instances
defined in the Poseidon paper have their output size equal to their
capacity size; with a capacity of 1 and pallas::Base as the field,
Poseidon-128 has the corresponding security level.

We do deviate from the paper's instance by adding a single partial
round, which makes the circuit easier to implement in Halo 2.
 2021-03-18 16:39:09 +13:00
Jack Grigg 761dea6cc1 Implement domain separation for poseidon::Hash 
Domain separation is implemented as specified in the Poseidon paper.
We only require constant-input-length hashing.
 2021-03-18 16:38:59 +13:00
Jack Grigg c578c22fe8 Silence clippy needless_range_loop warnings 
I'm using range loops explicitly to make certain logic clearer.
 2021-03-18 16:38:30 +13:00
Jack Grigg 6bcfecd039 Add poseidon::Spec::Rate associated type 
This removes the need for specifying the rate at runtime, and removes
the remaining heap allocations from Duplex::absorb and Duplex::squeeze.
 2021-03-18 16:38:28 +13:00
Jack Grigg 6548666e37 Add poseidon::Spec::State associated type 
We reuse this type for the per-round round constants, and rows of the
MDS, to provide some type-level same-length guarantees. Once we can use
const generics, these will all be replaced by [F; Spec::ARITY].
 2021-03-18 16:38:26 +13:00
Jack Grigg 5c8e9beea7 Simplify poseidon::Spec and remove poseidon::Generic 
Poseidon specifications are now all concrete, and only generation of
constants at runtime requires an instance of the specification.
 2021-03-18 16:38:23 +13:00
Jack Grigg 266705166f Poseidon duplex sponge and hash function 2021-03-18 16:38:21 +13:00
Jack Grigg 9a2c1b0217 Make poseidon::Generic specific to SboxType::Pow 
We don't currently require SboxType::Inv, so let's simplify for now.
 2021-03-18 16:38:17 +13:00
Jack Grigg 8408f4690c Rename poseidon::PoseidonSpec trait to poseidon::Spec 2021-03-18 16:38:14 +13:00
Jack Grigg 3fb5bf8344 Modify constant generation to match reference implementation 2021-03-18 16:38:07 +13:00
Jack Grigg e1719c42bc Add test vectors from the reference implementation 
These are generated using v1.1 of the reference implementation.
 2021-03-18 16:38:06 +13:00
Jack Grigg 84907c50e1 Poseidon specification and constants 2021-03-18 16:37:36 +13:00
Jack Grigg 3911fb3202 Use Pallas directly from pasta_curves crate 2021-03-18 15:06:16 +13:00
str4d 05e86a4d98
Reuse the hasher inside diversify_hash 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-03-18 13:39:04 +13:00
str4d 51fd94df72
Fix section numbers after spec changes 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-03-18 13:38:11 +13:00
Jack Grigg 861eec1765 Document sinsemilla::Pad 2021-03-18 08:30:22 +13:00
Jack Grigg 42ea809b64 Update protocol spec references 2021-03-18 08:30:22 +13:00
Jack Grigg e0417268ad Make address generation infallible again 
DiversifyHash is altered to replace the identity with another fixed
point that is known to not be the identity.
 2021-03-18 08:30:22 +13:00
Jack Grigg 8e55b46dbf Deduplicate default address generation 2021-03-16 10:01:50 +13:00
Jack Grigg 3c8befa0f3 Remove TODO from extract_p 
The protocol spec now returns \mathbb{P}_x instead of a bit sequence,
matching what we do here.
 2021-03-16 09:36:59 +13:00
Jack Grigg 46bf89c122 Update ivk derivation to match latest protocol spec draft 2021-03-16 09:33:07 +13:00
Jack Grigg e0b40cb3cb FullViewingKey::address_at(impl Into<DiversifierIndex>) 
This is a more usable API, which we can use when we have the full
viewing key and can obtain the DiversifierKey.
 2021-03-16 09:20:45 +13:00
Jack Grigg e98f324d7d Ensure diversify_hash does not return the identity 
This makes diversified address generation fallible (though with
negligible probability). We expose this to users, so they can decide how
to handle it (either just unwrapping, or incrementing the diversifier
index).

We alter spending key construction to reject spending keys that would
not result in a default address (with diversifier index 0).
 2021-03-16 09:03:44 +13:00
Jack Grigg f7cad7762a Add clarifying note about nomenclature 
There's no point in documenting everything as being an Orchard whizzbang.
We are in the `orchard` crate, so the context should be obvious. This
also fits with the standard Rust naming guideline of not duplicating
module names in type name prefixes (`foo::bar::BarThing`).
 2021-03-09 10:39:02 +13:00
Jack Grigg 2462bb219b Use [u8; 64] as the output of prf_expand to match the spec 2021-03-09 10:33:56 +13:00
Jack Grigg cef44f5f53 Fix intra-crate doc links 2021-03-09 09:27:34 +13:00
Jack Grigg bf5fb7a668 Add missing spec links to key docs 2021-03-09 09:22:38 +13:00
Jack Grigg 307787ec17 Use spec name for SpendValidatingKey 2021-03-09 09:20:09 +13:00
Jack Grigg 26701c33af Fix commit_ivk specification 
Commit^ivk takes ak as a point, and commits to its entire serialization
(not just the x coordinate).
 2021-03-09 08:28:53 +13:00
str4d cfaa61ab14 Remove unnecessary conversions for DiversifierIndex 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-03-09 07:40:01 +13:00
Jack Grigg 57c64922f6 Add internal CommitIvkRandomness type 2021-03-09 07:38:15 +13:00
Jack Grigg 9455158190 Use protocol spec URL anchors as link handles 2021-03-06 01:18:58 +00:00
Jack Grigg 71542f7ec2 Add internal DiversifiedTransmissionKey type 2021-03-06 01:03:53 +00:00
str4d a61be5d58b
Fix typo in documentation 
Co-authored-by: Deirdre Connolly <durumcrustulum@gmail.com>
 2021-03-06 13:58:48 +13:00
Jack Grigg 5772c71a89 Add doctest example to orchard::Address that exercises key derivation 2021-03-06 00:57:30 +00:00
Jack Grigg 27501702d5 Use orchard::redpallas types in orchard::keys implementation 2021-03-06 00:03:26 +00:00
Jack Grigg eaa7158751 Use reddsa to instantiate orchard::redpallas 2021-03-05 23:46:20 +00:00
Jack Grigg ceac39d74e Implement ZIP 32 diversifier derivation 2021-03-05 23:36:38 +00:00
Jack Grigg f0779792bc Orchard key components 2021-03-05 23:28:16 +00:00
str4d 35da17944a
Merge pull request #21 from zcash/sinsemilla 
Implement Sinsemilla primitives
 2021-03-06 09:16:08 +13:00
Jack Grigg d7f8584d20 Fix clippy lint 2021-03-05 20:09:51 +00:00
Jack Grigg be758de3bb Fix protocol spec references after PDF rename 2021-03-05 20:00:45 +00:00
Jack Grigg 9882373e85 Make Bundle a parametric type over an Authorization trait 
This enables us to construct Bundles at various stages of
authorization:

- `Bundle<Unauthorized>`: A bundle with all effecting data but no
  proofs or signatures.
- `Bundle<Authorized>`: A bundle with all proofs and signatures,
  suitable for inclusion in a block.
- `Bundle<Partial>`: Example of some in-progress bundle authorization,
  for example during a FROST threshold multisignature protocol.

Also adds the bundle flags field from ZIP 225.
 2021-03-03 17:39:53 +00:00
Jack Grigg 22658c3bc4 sinsemilla: Use lebs2ip_K to match protocol spec naming 2021-03-02 01:21:07 +00:00
Jack Grigg a26e1c7879 sinsemilla: Remove the ExactSizeIterator bound 2021-03-01 23:34:02 +00:00
Jack Grigg a03ee8797d Implement Sinsemilla primitives 2021-02-27 17:10:28 +08:00
Jack Grigg bbf2dc271e Add ECC gadgets and instructions 
Migrated from the halo2 crate; we may re-upstream them later (or move
gadgets into their own crate) once we've stabilised them.
 2021-02-25 18:11:46 +00:00
Jack Grigg 97d75bab9a Enforce in type system that a Bundle contains at least one Action 2021-02-24 20:10:10 +00:00
Jack Grigg 693587a402 Rename SignedBundle to AuthorizedBundle and move the proof there 
Closes zcash/orchard#19.
 2021-02-24 20:10:10 +00:00
Jack Grigg 5bce857569 Fill out note components 2021-02-08 15:21:04 +00:00
Jack Grigg bf9e77b629 Move ovk to be derived from fvk instead of the spending key 2021-02-08 15:01:34 +00:00
Jack Grigg 1add6a7ef0 Fix FVK doc comment 2021-02-03 14:19:29 +00:00
Jack Grigg aeddfb64e5 Make Diversifier a newtype around [u8; 11] 2021-02-03 14:16:58 +00:00
Jack Grigg a564ba76ce Remove Chain and value::Constraint traits 
There was push-back on having this crate require these traits, due to the
additional complexity within this crate. My rationale for including them
was to make it simpler to reason about what is responsible for enforcing
chain-specific constraints, and to reduce duplication (by enabling the
wrapping chain implementation to use type definitions and leverage all
built-in behaviour, instead of newtypes and needing to add a bunch of
wrapping logic and boilerplate, some of which would encode chain-specific
logic).

We'll try working within the requirement that this crate enforces minimal
base constraints and hard-codes any constants, and then have the wrapping
chain provide encoding prefixes and additional value constraints where
necessary.
 2021-01-21 12:23:08 +00:00
Jack Grigg ae252f57a8 Add skeleton for RedPallas 2021-01-20 20:35:54 +00:00
Jack Grigg 1b9f6450cb Add skeleton for actions and bundles 2021-01-20 20:31:09 +00:00
Jack Grigg d65968ed38 Skeleton for notes and values 2021-01-20 20:31:09 +00:00
Jack Grigg 5285737bf0 Add skeleton of key structure 2021-01-20 19:51:03 +00:00
Jack Grigg 10bae831eb Rename to Orchard 2021-01-08 16:51:10 +00:00
Jack Grigg 7905a0c80a Update crate attributes 2020-10-20 22:44:33 +01:00
Sean Bowe d2fa7fbaf1
Initial commit 2020-10-20 15:12:37 -06:00