zec
/
halo2
mirror of https://github.com/zcash/halo2.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
886 Commits 40 Branches 6 Tags 59 MiB
Commit Graph

641 Commits

Author SHA1 Message Date
Jack Grigg 235cd791b4 Fix `IncomingViewingKey::to_bytes` 
`slice::copy_from_slice` panics if the source and destination slices are
not the same length.

Closes zcash/orchard#228.
 2021-11-17 12:12:20 +00:00
Deirdre Connolly 568e24cd5f Derive Clone for circuit::Instance 2021-11-04 23:30:57 -04:00
Deirdre Connolly 7412dfe79a
Update src/circuit.rs 
Co-authored-by: str4d <thestr4d@gmail.com>
 2021-11-04 17:54:30 -04:00
Deirdre Connolly e51e92e848 Add `orchard::circuit::Instance::from_parts()` 2021-11-03 23:24:54 -04:00
therealyingtong c61524ea29 p128pow5t3::tests: Extract verify_constants_helper. 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-10-12 11:58:27 +02:00
therealyingtong 2c97e56da7 Add hash() and permute() test vectors for Poseidon over Fq. 2021-10-12 11:58:27 +02:00
therealyingtong f5775b6c6d p128pow5t3.rs: Test against reference input for Fq field modulus. 2021-10-12 11:58:27 +02:00
therealyingtong 4eb4c57827 Impl Spec for P128Pow5T3 over Fq. 2021-10-12 11:58:27 +02:00
therealyingtong 764c445a81 Rename poseidon::nullifier -> poseidon::p128pow5t3. 2021-10-12 11:58:27 +02:00
therealyingtong 8e00f69d63 primitives::poseidon: Add constants for Fq field modulus. 2021-10-12 11:58:27 +02:00
str4d 2c8241f25b
Merge pull request #209 from zcash/circuit-bugfixes 
Circuit bugfixes
 2021-09-29 10:06:25 +13:00
Jack Grigg 631182fb77 Update selector columns in expected-failure tests 
The addition of the non-identity selector caused the layouter to reorder
some of the selectors in the ECC gadget test circuit.
 2021-09-28 21:49:06 +01:00
Daira Hopwood d77cb82c8d
Apply suggestions from code review 
Co-authored-by: str4d <jack@electriccoin.co>
 2021-09-28 21:09:39 +01:00
Jack Grigg d0056d9050 Test that we can't witness the identity as a NonIdentityPoint 2021-09-28 21:00:29 +01:00
Sean Bowe ebfd919abc Update circuit description. 2021-09-28 20:31:32 +01:00
str4d aec3b1d52d Remove unnecessary clones in closure 2021-09-28 20:31:32 +01:00
therealyingtong 52f53f3425 Remove IsIdentity trait from public EccInstructions. 
We only need is_identity() in tests and can implement it on the
concrete EccPoint type. This method is flagged off by #[cfg(test)].

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-28 20:31:32 +01:00
therealyingtong c80ccba801 Witness cm_old using Point::new(). 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-28 20:31:32 +01:00
therealyingtong b0de6afd7c Reintroduce Point::new() API and constraints. 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-28 20:31:32 +01:00
Jack Grigg 751277cdb2 Remove `EccInstructions::NonIdentityPoint: TryFrom<Self::Point>` bound 
After the previous commit, this is no longer used anywhere. Additionally
it was not enforcing the conversion in the circuit, which could lead to
circuit implementation mistakes.
 2021-09-28 13:13:25 -06:00
Jack Grigg 97c27e3d5a Use complete addition in SinsemillaCommit 
This is necessary because the blinding factor r can be zero with greater
than negligible probability in an adversarial case, which with incomplete
addition would cause the circuit to compute a commitment that is not on
the curve.
 2021-09-28 13:13:25 -06:00
therealyingtong 8c8a12a8df Minor fixes. 
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-09-28 13:13:25 -06:00
therealyingtong fa560d3aee Replace is_identity() instruction with IsIdentity trait. 2021-09-28 13:13:25 -06:00
therealyingtong 4a13ab4f6b Docfixes. 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-28 13:13:25 -06:00
Daira Hopwood 6b6b515232 `hash_to_point` should return `Result<(Self::NonIdentityPoint, Vec<Self::RunningSum>), Error>` 
because any exceptional case is treated as an error, and therefore the identity cannot be returned.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-28 13:13:25 -06:00
therealyingtong 8ad3003e27 Remove Point::new() API and introduce is_identity() instruction. 
Also remove the q_point selector and gate from the circuit.
 2021-09-28 13:13:25 -06:00
therealyingtong ec27989b9b Clippy and formatting fixes. 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-28 13:13:25 -06:00
therealyingtong a5a6e78d42 src/circuit.rs: Use NonIdentityPoint for all witnessed points. 
The witnessed points are cm_old, g_d_old, pk_d_old, ak.

g_d_new and pk_d_new are currently also witnessed as affine points,
which diverges from the spec.

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-28 13:13:25 -06:00
therealyingtong cdcfcbc0c2 gadget::sinsemilla: Propagate changes to the Sinsemilla gadget. 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-28 13:13:25 -06:00
therealyingtong 258fe5796b ecc::chip: Propagate changes to sub-chips. 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-28 13:13:25 -06:00
therealyingtong df26a6c674 chip::witness_point.rs: Constraints for non-identity point. 
The point_non_id() method returns an error if the given point is
the identity.

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-28 13:13:25 -06:00
therealyingtong 88eb762cf2 ecc::chip.rs: Introduce NonIdentityEccPoint struct. 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-28 13:13:25 -06:00
therealyingtong f5ed26790a gadget::ecc: Introduce NonIdentityPoint associated type and gadget. 
The add_incomplete() and mul() APIs have been removed from the
Point gadget, since we cannot perform incomplete addition or
variable-base scalar multiplication on the identity.

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-28 13:13:25 -06:00
str4d 05f3226314
Merge pull request #206 from defuse/comment-fixes 
Correct a couple comments
 2021-09-29 08:13:08 +13:00
Sean Bowe f9aa765787 Add test against hardcoded pinned verification key 2021-09-28 12:54:13 -06:00
Taylor Hornby 63a1c9d08e Correct a couple comments 2021-09-27 20:52:16 -06:00
therealyingtong 1f2132a8c0 Use correct MERKLE_DEPTH_ORCHARD in proptests. 
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-09-16 21:37:59 +02:00
therealyingtong d47c157ae0 Replace arb_tree proptest with incrementalmerkletree impl. 2021-09-16 20:50:27 +02:00
therealyingtong 2c551db32b Use gen_const_array_with_default where possible. 2021-09-16 18:20:51 +02:00
therealyingtong 291400ec33 Rename MerkleCrhOrchardOutput -> MerkleHashOrchard. 2021-09-16 15:38:01 +02:00
therealyingtong e9dc2f747f Move hash_with_l() logic into MerkleCrhOrchardOutput::combine(). 
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-09-16 15:37:22 +02:00
therealyingtong 58de805a13 sinsemilla::merkle.rs: Use tree::MerklePath::root in tests. 2021-09-16 15:36:24 +02:00
therealyingtong f75f890a64 Update tree::MerklePath::root to be total. 2021-09-16 15:36:24 +02:00
Jack Grigg 414eef3ce5 memuse 0.2 2021-09-14 20:40:15 +01:00
Kris Nuttycombe 4488288ac0
Merge pull request #198 from zcash/merkle-path-test-vectors 
Add Merkle path test vectors
 2021-09-14 07:22:28 -06:00
str4d 3dd2a1872a
Merge pull request #169 from zcash/circuit-constraint-refinements 
Circuit constraint refinements to reduce proof size
 2021-09-14 02:05:41 +01:00
Jack Grigg 29a4bbcbc1 Add Merkle path test vectors 2021-09-14 00:15:39 +01:00
Daira Hopwood ee44d2ccf0
Apply suggestions from code review 2021-09-07 02:45:10 +01:00
Daira Hopwood 97e18a8190
Apply suggestions from code review 2021-09-07 00:56:22 +01:00
Daira Hopwood faddaf9e30 note_commit.rs: make two_pow_* definitions more consistent. 
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-07 00:52:37 +01:00
Jack Grigg 8c82ceecbf ff 0.11, group 0.11, pasta_curves 0.2 etc. 2021-09-06 20:39:43 +01:00
Jack Grigg 7fad21e7d6 Switch to `memuse` crate for measuring heap allocations 2021-09-05 01:33:27 +01:00
Daira Hopwood c24c67d5f0 cargo fmt 
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-09-01 14:11:08 +01:00
Kris Nuttycombe e4a54cdf61 Improve error handling in zip32 APIs. 2021-08-31 16:49:58 -06:00
therealyingtong c3e24794f0 zip32.rs: master and child key derivation for ExtendedSpendingKey 2021-08-31 15:49:32 -06:00
Kris Nuttycombe 77be355912 Apply suggestions from code review 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: ying tong <yingtong@z.cash>
 2021-08-23 11:29:07 -06:00
Kris Nuttycombe 0449edd5b8 Validate the sign of the y-coordinate for ak when deserializing. 2021-08-23 11:29:07 -06:00
Kris Nuttycombe 43abadfb55 Adds decryption for a specific index within a bundle. 2021-08-23 11:29:07 -06:00
Kris Nuttycombe c406461f64 Expose inner representation of NoteValue 2021-08-23 11:29:07 -06:00
Kris Nuttycombe 872f337811 Expose SpendingKey byte representation. 2021-08-23 11:29:07 -06:00
Kris Nuttycombe c803114bf6 Go ahead and clone IVKs to limit borrowing hassles. 2021-08-23 11:29:07 -06:00
Kris Nuttycombe d8bf892c72 Return key used to decrypt an output along with decrypted note contents. 2021-08-23 11:29:07 -06:00
Kris Nuttycombe 5d78ab3508 Add Eq and Ord implementations for Orchard keys. 2021-08-23 11:29:06 -06:00
Kris Nuttycombe 52f0f158ef Add serialization and parsing of full viewing keys. 2021-08-23 11:28:27 -06:00
Kris Nuttycombe 1fd00e6236 Add raw address serialization and parsing. 2021-08-23 11:28:27 -06:00
Kris Nuttycombe e33cd4ade4 Add trial decryption of actions to Bundle 2021-08-23 11:28:25 -06:00
Kris Nuttycombe 77cf4c9831 Implement IncomingViewingKey::to_bytes 2021-08-23 11:27:02 -06:00
str4d f2400baa01
Improve NoteCommit input value gate doc 
Brings it in line with the other gate docs.

Co-authored-by: ying tong <yingtong@z.cash>
 2021-08-19 14:35:56 +01:00
str4d bac22d9b19
clippy: Remove redundant clones 
Co-authored-by: ying tong <yingtong@z.cash>
 2021-08-19 14:34:15 +01:00
str4d ac900148ed
Fix typo in gate documentation 
Co-authored-by: ying tong <yingtong@z.cash>
 2021-08-19 14:33:52 +01:00
str4d b4a82211ce
Merge pull request #184 from zcash/poseidon-domain-spec 
poseidon::Domain: Remove Spec trait bound.
 2021-08-17 12:55:01 +01:00
str4d cb28e00ebd
Merge pull request #178 from zcash/batch-note-decryption 
Speed up batched note decryption
 2021-08-13 14:27:41 +01:00
Jack Grigg 79988a5317 Move the interpolation logic into `SharedSecret::batch_to_affine` 
This makes the method interface clearer, as the same pattern of shared
secrets is returned as was provided.
 2021-08-13 14:27:20 +01:00
therealyingtong 1f852544cf poseidon::Domain: Remove Spec trait bound. 
The methods in the Domain trait are not generic over Spec.
 2021-08-13 14:47:02 +08:00
str4d 4e33fe7aec Use correct symbol for incomplete addition 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-08-12 21:34:35 +01:00
str4d 459e68b71e
Fix clippy lint 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-08-12 21:32:14 +01:00
Jack Grigg 9f3c9a7e60 Use mixed addition for Sinsemilla bases 
Performance improvements:
- MerkleCRH:  ~5%
- Commit^ivk: ~1%
- NoteCommit: ~3%
 2021-08-12 15:45:00 +01:00
Jack Grigg 6197a0ef62 Use `group::Wnaf` to accelerate `sinsemilla::CommitDomain::commit` 
Performance improvements:
- Commit^ivk: ~31%
- NoteCommit: ~22%
 2021-08-12 15:45:00 +01:00
str4d 5f0c3b3585
Merge pull request #179 from zcash/sinsemilla-bases 
primitives::sinsemilla: Use hard-coded generators in sinsemilla_s.
 2021-08-12 15:18:38 +01:00
therealyingtong 92a7e20d30 Remove sinsemilla_s_generators() function. 
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-08-12 20:54:51 +08:00
Jack Grigg c79acc0e08 Fix length of output Vec for `SharedSecret::batch_to_affine` 
It was too long, and `group::Curve::batch_normalize` panics if its
inputs are not the same length (which would be the case if a batch
included an output with an invalid `ephemeral_key`).
 2021-08-12 13:40:56 +01:00
therealyingtong a9e96eb0a4 sinsemilla_s: Add documentation. 2021-08-12 16:15:24 +08:00
therealyingtong 995728caa6 primitives::sinsemilla: Use hard-coded generators in sinsemilla_s. 2021-08-12 15:45:14 +08:00
Jack Grigg 8e13986101 Implement `Domain::batch_epk` for note decryption 
Improves throughput of batched trial decryption by around 10%.
 2021-08-12 01:36:38 +01:00
Jack Grigg 8c15cc25be Benchmark batch trial decryption 2021-08-12 01:36:38 +01:00
Jack Grigg 0d306d18aa Expose and benchmark Poseidon 2021-08-10 13:44:04 +01:00
Jack Grigg 08b279b900 Expose and benchmark Sinsemilla primitive 2021-08-10 13:39:14 +01:00
therealyingtong e62cfaa398 ExtractedNoteCommitment::from_bytes: Document cmx canonicity. 2021-08-09 20:11:27 +08:00
Jack Grigg f4a8c082a9 Use w-NAF in `ka_orchard` 
Improves the base-line cost of trial decryption by over 40%.
 2021-08-06 13:43:19 +01:00
Jack Grigg 2283310236 Expose `orchard::note_encryption::{CompactAction, OrchardNoteEncryption}` 
This also removes the `orchard::OrchardDomain` re-export, which is now
available at `orchard::note_encryption::OrchardDomain`.
 2021-08-06 01:01:12 +01:00
Kris Nuttycombe d8091dd575 Update incrementalmerkletree version. 2021-08-05 07:51:19 -06:00
Daira Hopwood e4612f7f6c Update Poseidon instantiation from 58 to 56 partial rounds. fixes #166 
Test vectors are from https://github.com/zcash-hackworks/zcash-test-vectors/pull/45

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-08-04 13:04:13 +01:00
Jack Grigg 9af22a8cbc circuit: Add region layout diagrams for y_switch constraint 
Helps to see why we can't optimise it to remove the `prev` query.
 2021-07-29 20:57:33 +01:00
Jack Grigg 6aa85fcdfe circuit: Refactor NoteCommit input processing into multiple regions 
The new regions take up more cells overall, but across fewer columns,
and the gates now only query `cur` and `next` rows.
 2021-07-29 20:13:27 +01:00
Jack Grigg 2198675f9d circuit: Rotate `q_commit_ivk` selector up by one row 
This ensures the Commit^ivk gate only queries `cur` and `next` rows.
 2021-07-29 14:56:56 +01:00
Jack Grigg 0009070358 circuit: Rotate`q_mul_lsb` selector up by one row 
This ensures the "LSB check" gate only queries `cur` and `next` rows.
 2021-07-29 14:56:56 +01:00
Jack Grigg 16e9076080 Add names to some nameless constraints 2021-07-29 14:56:56 +01:00
str4d 8454f86d42
Merge pull request #140 from nuttycom/bundle_zip244_commitments 
Implement ZIP-244 txid and authorizing commitments.
 2021-07-29 14:45:24 +01:00
Kris Nuttycombe 40d80c4d6f
Apply suggestions from code review 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-29 07:16:14 -06:00
Jack Grigg 9117273c08 Fix bug in `Builder` initialization of `Circuit` struct 
`rcv` was being used correctly outside the circuit to derive `cv_net`
but then `Circuit` was just storing 0. The `round_trip` test passed
because it uses `rcv = 0` everywhere.
 2021-07-28 22:51:43 +01:00