It was too long, and `group::Curve::batch_normalize` panics if its
inputs are not the same length (which would be the case if a batch
included an output with an invalid `ephemeral_key`).
`rcv` was being used correctly outside the circuit to derive `cv_net`
but then `Circuit` was just storing 0. The `round_trip` test passed
because it uses `rcv = 0` everywhere.
The lookup running sum decomposition uses the same lookup table as
its short variant. These two lookup arguments have been merged.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
By rearranging the pieces in the gate, we remove a prev() query and
preserve proximity between pieces involved in the same constraint.
This commit also includes several minor fixes:
- use strict mode for decomposition of j in y-coordinate check;
- Name All Polynomial Constraints;
- remove point_repr() helper function;
- variable renaming and docfixes.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Instead of separately witnessing k_1 and equating it to z1_j, we
can directly make use of z1_j in the gate. This allows us to fit
the region into a 5 x 2 area, improving the layout.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Even though we only use the LSB of the y-coordinates as inputs to
the Sinsemilla hash, we still have to check that they are consistent
with the g_d and pk_d points that were passed in.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Change the region layout to only use 9 advice columns instead of 10.
Also rename variables to match the book.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Previously, these two helpers were returning different outputs.
They have now been standardised to return only the full running
sum.
Note the z_0 is the original element being decomposed by the
helper.
- Placing the Poseidon `state` columns after the `partial_sbox` column
instead of before it causes them to line up with vast stretch of free
space, enabling the pad-and-add region to be layed out there.
- Using the `Region::assign_advice_from_constant` API to initialise the
Poseidon state removes fixed-column contention between that region and
fixed-base scalar multiplication, enabling it to also be layed out
within the free space.
- If https://github.com/zcash/halo2/issues/334 were implemented then
this region would disappear.
- The overflow check in variable-base scalar mul is also moved into the
columns with free space.
Previously, the short_lookup_bitshift fixed column was a non-binary
selector that both provided a constant value and toggled a gate.
Now, the constant value is copied in from the global constants API,
and the toggle is handled by a q_lookup_bitshift selector.
Previously, l_plus_1 was a non-binary fixed column, used to
1. provide the value of l + 1; and
2. toggle the decomposition gate.
Now, the value is copied in from the global constants column, and
the toggle is handled by a binary q_decompose selector.
Previously, fixed_y_q was a non-binary selector that both loaded
the y_Q value and toggled the y_Q gate.
Now, the gate is toggled by a q_s4 simple selector, while the value
is loaded into a separate fixed column.
The Action circuit only used standard PLONK in one place. Since it
used non-binary selectors, it cannot be optimised by the halo2
selector optimisations. We now replace it with a custom gate which
uses a binary selector.
The Sinsemilla chip witnesses message pieces in individual regions, and
then copies them into the `hash_piece` region to initialize the running
sum. Previously these occured in the same column, but we can reduce the
utilized rows of the Action circuit by moving these into a less-used
column.
If https://github.com/zcash/halo2/issues/334 is implemented, this change
would be unnecessary, as the witnessed message piece regions would never
be assigned into the circuit.
We were configuring multiple instances of this across all of the advice
columns, in order to spread their assignments. However, we are actually
more constrained by columns than rows, and we have comparatively few
rows of range check logic required for the Action circuit.
We now use a single LookupRangeCheckConfig for the entire circuit. The
reduction in lookup arguments and fixed columns cuts the proof size in
half (now at 6048 bytes when using `floor_planner::V1`).
Co-authored-by: therealyingtong <yingtong@z.cash>
- Move Poseidon into the right-hand advice columns. The Action circuit
has 33 Sinsemilla invocations with 510-bit inputs (the 32 Merkle path
hashes, and Commit^ivk). Poseidon fits within the row count of one of
these invocations, so we can run it in parallel with these.
- Share fixed columns between ECC and Poseidon chips. Poseidon requires
four advice columns, while ECC incomplete addition requires six, so we
could choose to configure them in parallel. However, we only use a
single Poseidon invocation, and we have the rows to accomodate it
serially with fixed-base scalar mul. Sharing the ECC chip's 8 Lagrange
coefficient fixed columns instead reduces the proof size.
- We position Poseidon in the right-most 6 fixed columns, anticipating
a further optimisation to Sinsemilla that will occupy the left-most
2 fixed columns.
The Action Circuit configuration uses 10 advice columns. It contains:
- a single EccConfig (10 advice columns);
- two SinsemillaConfigs (5 advice columns each);
- two MerkleConfigs (5 advice columns each);
- a PoseidonConfig, (4 advice columns);
- a PLONKConfig for standard PLONK operations (3 advice columns);
and some infrastructure to handle public inputs (subject to change
at the time of commit).
The 5-column configs are placed side-by-side in the circuit to
optimize space usage.
Gate creation is delegated to the configure() function of each
respective Chip.
The Default Circuit sets all fields to None. This is used as a
placeholder in src/builder.rs.
The circuit in the Circuit::round_trip() test has been filled in.
This was previously creating an extra advice column. Instead, we
should pass in all required advice columns as inputs.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
- `halo2::plonk::{create_proof, verify_proof}` now take instance columns
as slices of values.
- `halo2::plonk::Permutation` has been replaced by a global permutation,
to which columns can be added with `ConstraintSystem::enable_equality`.
- The introduction of blinding rows means that various tests now require
larger circuit parameters.
The coordinate check for an element decomposed using a running sum
is enforced by mul_fixed::Config::running_sum_coords_gate().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Selectors previously used in the witness_scalar_* APIs, such as
q_scalar_fixed and q_scalar_fixed_short, are now removed. The
remaining selectors have been renamed for clarity.
The coordinates check for scalars decomposed using a running sum
has been moved into the mul_fixed.rs file, instead of being
duplicated in both mul_fixed::base_field_elem and mul_fixed::short.
The decompose_scalar_fixed() method is now only used in
mul_fixed::full_width, and has been moved there.
These are now provided as inputs to the witness_decompose() and
copy_decompose() methods. This allows us to reuse the same config
for different word/window lengths, avoiding a duplicate constraint
creation.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
In the Orchard protocol, only the NullifierK fixed base in used in
scalar multiplication with a base field element.
The mul_fixed_base_field_elem() API does not have to accept fixed
bases other than NullifierK; conversely, NullifierK does not have
to work with the full-width mul_fixed() API.
This decomposes a field element into K-bit windows using a
running sum. Each step of the running sum is range-constrained.
In strict mode, the final output of the running sum is constrained
to be zero.
This helper asserts K <= 3.
The mul_fixed regions use complete addition on the last window,
and incomplete addition on all other windows. However, the complete
addition does not depend on any offsets in the incomplete addition
region, and can be separated into a disjoint region. Since incomplete
addition uses only four advice columns, while complete addition uses
nine, separating the regions would allow the layouter to optimise
their placement.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
We can use the three-bit existing running sum decomposition to
constrain alpha_0 to be within 130 bits. This removes the need for
a 10-bit lookup decomposition of alpha_0.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Jack Grigg
Daira Hopwood
Kris Nuttycombe
therealyingtong
Kris Nuttycombe
Kris Nuttycombe