{"doc_urls":["index.html#halo2---cratesio","index.html#documentation","index.html#minimum-supported-rust-version","index.html#controlling-parallelism","index.html#license","index.html#contribution","concepts.html#concepts","concepts/proofs.html#proof-systems","concepts/arithmetization.html#plonkish-arithmetization","concepts/chips.html#chips","concepts/chips.html#composing-chips","concepts/gadgets.html#gadgets","user.html#user-documentation","user/dev-tools.html#developer-tools","user/dev-tools.html#mock-prover","user/dev-tools.html#circuit-visualizations","user/dev-tools.html#circuit-layout","user/dev-tools.html#circuit-structure","user/dev-tools.html#cost-estimator","user/simple-example.html#a-simple-example","user/simple-example.html#define-instructions","user/simple-example.html#define-a-chip-implementation","user/simple-example.html#configure-the-chip","user/simple-example.html#implement-chip-traits","user/simple-example.html#build-the-circuit","user/simple-example.html#testing-the-circuit","user/simple-example.html#full-example","user/lookup-tables.html#lookup-tables","user/gadgets.html#gadgets","user/tips-and-tricks.html#tips-and-tricks","user/tips-and-tricks.html#small-range-constraints","user/tips-and-tricks.html#small-set-interpolation","user/wasm-port.html#using-halo2-in-wasm","user/wasm-port.html#circuit-code-setup","user/wasm-port.html#prover","user/wasm-port.html#verifier","user/wasm-port.html#params","user/wasm-port.html#rust-and-wasm-environment-setup","user/wasm-port.html#webapp-setup","user/wasm-port.html#safari","user/wasm-port.html#debugging","user/wasm-port.html#credits","design.html#design","design.html#note-on-language","design/proving-system.html#proving-system","design/proving-system.html#example","design/proving-system.html#tldr","design/proving-system/lookup.html#lookup-argument","design/proving-system/lookup.html#note-on-language","design/proving-system/lookup.html#technique-description","design/proving-system/lookup.html#zero-knowledge-adjustment","design/proving-system/lookup.html#cost","design/proving-system/lookup.html#generalizations","design/proving-system/permutation.html#permutation-argument","design/proving-system/permutation.html#notation","design/proving-system/permutation.html#constructing-the-permutation","design/proving-system/permutation.html#goal","design/proving-system/permutation.html#algorithm","design/proving-system/permutation.html#broken-alternatives","design/proving-system/permutation.html#argument-specification","design/proving-system/permutation.html#zero-knowledge-adjustment","design/proving-system/permutation.html#spanning-a-large-number-of-columns","design/proving-system/circuit-commitments.html#circuit-commitments","design/proving-system/circuit-commitments.html#committing-to-the-circuit-assignments","design/proving-system/circuit-commitments.html#committing-to-the-lookup-permutations","design/proving-system/circuit-commitments.html#committing-to-the-equality-constraint-permutation","design/proving-system/circuit-commitments.html#committing-to-the-lookup-permutation-product-columns","design/proving-system/vanishing.html#vanishing-argument","design/proving-system/vanishing.html#committing-to-hx","design/proving-system/vanishing.html#evaluating-the-polynomials","design/proving-system/multipoint-opening.html#multipoint-opening-argument","design/proving-system/multipoint-opening.html#optimization-steps","design/proving-system/inner-product.html#inner-product-argument","design/proving-system/comparison.html#comparison-to-other-work","design/proving-system/comparison.html#bcms20-appendix-a2","design/protocol.html#protocol-description","design/protocol.html#preliminaries","design/protocol.html#cryptographic-groups","design/protocol.html#interactive-proofs","design/protocol.html#zero-knowledge-arguments-of-knowledge","design/protocol.html#protocol","design/protocol.html#zero-knowledge-and-completeness","design/protocol.html#witness-extended-emulation","design/protocol.html#description-of-function-h","design/implementation.html#implementation","design/implementation/proofs.html#halo-2-proofs","design/implementation/proofs.html#proofs-as-opaque-byte-streams","design/implementation/proofs.html#proof-encoding","design/implementation/fields.html#fields","design/implementation/fields.html#sarkar-square-root-algorithm-table-based-variant","design/implementation/fields.html#i--0-1","design/implementation/fields.html#i--2","design/implementation/fields.html#i--3","design/implementation/fields.html#final-result","design/implementation/selector-combining.html#selector-combining","design/implementation/selector-combining.html#identifying-selectors-that-can-be-combined","design/implementation/selector-combining.html#writing-circuits-to-take-best-advantage-of-selector-combining","design/gadgets.html#gadgets","design/gadgets/ecc.html#elliptic-curves","design/gadgets/ecc.html#eccchip","design/gadgets/ecc.html#chip-assumptions","design/gadgets/ecc.html#layout","design/gadgets/ecc/witnessing-points.html#witnessing-points","design/gadgets/ecc/witnessing-points.html#non-identity-points","design/gadgets/ecc/witnessing-points.html#points-including-the-identity","design/gadgets/ecc/addition.html#incomplete-addition","design/gadgets/ecc/addition.html#constraints","design/gadgets/ecc/addition.html#complete-addition","design/gadgets/ecc/addition.html#constraints-1","design/gadgets/ecc/addition.html#analysis-of-constraints","design/gadgets/ecc/fixed-base-scalar-mul.html#fixed-base-scalar-multiplication","design/gadgets/ecc/fixed-base-scalar-mul.html#decompose-scalar","design/gadgets/ecc/fixed-base-scalar-mul.html#full-width-scalar","design/gadgets/ecc/fixed-base-scalar-mul.html#base-field-element","design/gadgets/ecc/fixed-base-scalar-mul.html#short-signed-scalar","design/gadgets/ecc/fixed-base-scalar-mul.html#load-fixed-base","design/gadgets/ecc/fixed-base-scalar-mul.html#fixed-base-scalar-multiplication-1","design/gadgets/ecc/fixed-base-scalar-mul.html#signed-short-exponent","design/gadgets/ecc/fixed-base-scalar-mul.html#layout","design/gadgets/ecc/var-base-scalar-mul.html#variable-base-scalar-multiplication","design/gadgets/ecc/var-base-scalar-mul.html#witness-scalar","design/gadgets/ecc/var-base-scalar-mul.html#variable-base-scalar-multiplication-1","design/gadgets/ecc/var-base-scalar-mul.html#constraint-program-for-optimized-double-and-add","design/gadgets/ecc/var-base-scalar-mul.html#incomplete-addition","design/gadgets/ecc/var-base-scalar-mul.html#q11","design/gadgets/ecc/var-base-scalar-mul.html#q21","design/gadgets/ecc/var-base-scalar-mul.html#q31","design/gadgets/ecc/var-base-scalar-mul.html#complete-addition","design/gadgets/ecc/var-base-scalar-mul.html#layout","design/gadgets/ecc/var-base-scalar-mul.html#constraints","design/gadgets/ecc/var-base-scalar-mul.html#lsb","design/gadgets/ecc/var-base-scalar-mul.html#layout-1","design/gadgets/ecc/var-base-scalar-mul.html#constraints-1","design/gadgets/ecc/var-base-scalar-mul.html#overflow-check","design/gadgets/ecc/var-base-scalar-mul.html#optimized-check-for-ktqptq","design/gadgets/ecc/var-base-scalar-mul.html#overflow-check-constraints","design/gadgets/ecc/var-base-scalar-mul.html#overflow-check-general","design/gadgets/ecc/var-base-scalar-mul.html#overflow-check-constraints-general","design/gadgets/ecc/var-base-scalar-mul.html#cost","design/gadgets/sinsemilla.html#sinsemilla","design/gadgets/sinsemilla.html#overview","design/gadgets/sinsemilla.html#description","design/gadgets/sinsemilla.html#use-as-a-commitment-scheme","design/gadgets/sinsemilla.html#efficient-implementation","design/gadgets/sinsemilla.html#incomplete-addition","design/gadgets/sinsemilla.html#constraint-program","design/gadgets/sinsemilla.html#plonk--halo-2-constraints","design/gadgets/sinsemilla.html#message-decomposition","design/gadgets/sinsemilla.html#efficient-packing","design/gadgets/sinsemilla.html#selectors","design/gadgets/sinsemilla.html#generator-lookup-table","design/gadgets/sinsemilla.html#layout","design/gadgets/sinsemilla.html#optimized-sinsemilla-gate","design/gadgets/sinsemilla/merkle-crh.html#merklecrh","design/gadgets/sinsemilla/merkle-crh.html#message-decomposition","design/gadgets/sinsemilla/merkle-crh.html#bit-length-constraints","design/gadgets/sinsemilla/merkle-crh.html#a0a1","design/gadgets/sinsemilla/merkle-crh.html#b0b1b2","design/gadgets/sinsemilla/merkle-crh.html#constraints","design/gadgets/sinsemilla/merkle-crh.html#decomposition-constraints","design/gadgets/sinsemilla/merkle-crh.html#region-layout","design/gadgets/sinsemilla/merkle-crh.html#circuit-components","design/gadgets/decomposition.html#decomposition","design/gadgets/decomposition.html#strict-mode","design/gadgets/decomposition.html#lookup-decomposition","design/gadgets/decomposition.html#short-range-check","design/gadgets/decomposition.html#combined-lookup-expression","design/gadgets/decomposition.html#short-range-decomposition","design/gadgets/sha256.html#sha-256","design/gadgets/sha256.html#specification","design/gadgets/sha256.html#gadget-interface","design/gadgets/sha256.html#chip-instructions","design/gadgets/sha256/table16.html#16-bit-table-chip-for-sha-256","design/gadgets/sha256/table16.html#compression-round","design/gadgets/sha256/table16.html#modular-addition","design/gadgets/sha256/table16.html#maj-function","design/gadgets/sha256/table16.html#ch-function","design/gadgets/sha256/table16.html#Σ_0-function","design/gadgets/sha256/table16.html#Σ_1-function","design/gadgets/sha256/table16.html#block-decomposition","design/gadgets/sha256/table16.html#σ_0-function","design/gadgets/sha256/table16.html#σ_1-function","design/gadgets/sha256/table16.html#message-scheduling","design/gadgets/sha256/table16.html#overall-cost","design/gadgets/sha256/table16.html#tables","design/gadgets/sha256/table16.html#spread-table","design/gadgets/sha256/table16.html#gates","design/gadgets/sha256/table16.html#choice-gate","design/gadgets/sha256/table16.html#majority-gate","design/gadgets/sha256/table16.html#Σ_0-gate","design/gadgets/sha256/table16.html#Σ_1-gate","design/gadgets/sha256/table16.html#σ_0-gate","design/gadgets/sha256/table16.html#σ_1-gate","design/gadgets/sha256/table16.html#helper-gates","design/gadgets/sha256/table16.html#message-scheduling-region","design/gadgets/sha256/table16.html#compression-region","background.html#background-material","background/fields.html#fields","background/fields.html#groups","background/fields.html#the-multiplicative-group-of-a-finite-field","background/fields.html#montgomerys-trick","background/fields.html#multiplicative-subgroups","background/fields.html#square-roots","background/fields.html#roots-of-unity","background/fields.html#references","background/polynomials.html#polynomials","background/polynomials.html#fast-fourier-transform-fft","background/polynomials.html#motivation-fast-polynomial-multiplication","background/polynomials.html#the-radix-2-cooley-tukey-algorithm","background/polynomials.html#inverse-fft","background/polynomials.html#the-schwartz-zippel-lemma","background/polynomials.html#vanishing-polynomial","background/polynomials.html#lagrange-basis-functions","background/polynomials.html#lagrange-interpolation","background/polynomials.html#references","background/groups.html#cryptographic-groups","background/groups.html#pedersen-commitment","background/groups.html#vector-pedersen-commitment","background/groups.html#diffiehellman","background/groups.html#multiscalar-multiplication","background/groups.html#todo-pippengers-algorithm","background/curves.html#elliptic-curves","background/curves.html#curve-arithmetic","background/curves.html#point-doubling","background/curves.html#projective-coordinates","background/curves.html#point-addition","background/curves.html#curve-endomorphisms","background/curves.html#curve-point-compression","background/curves.html#serialization","background/curves.html#deserialization","background/curves.html#cycles-of-curves","background/curves.html#todo-pallas-vesta-curves","background/curves.html#hashing-to-curves","background/curves.html#todo-simplified-swu","background/curves.html#references","background/pc-ipa.html#polynomial-commitment-using-inner-product-argument","background/pc-ipa.html#setup","background/pc-ipa.html#commit","background/pc-ipa.html#open-prover-and-openverify-verifier","background/recursion.html#recursion"],"index":{"documentStore":{"docInfo":{"0":{"body":0,"breadcrumbs":3,"title":2},"1":{"body":0,"breadcrumbs":2,"title":1},"10":{"body":90,"breadcrumbs":4,"title":2},"100":{"body":28,"breadcrumbs":7,"title":2},"101":{"body":48,"breadcrumbs":6,"title":1},"102":{"body":17,"breadcrumbs":9,"title":2},"103":{"body":17,"breadcrumbs":10,"title":3},"104":{"body":21,"breadcrumbs":10,"title":3},"105":{"body":51,"breadcrumbs":10,"title":2},"106":{"body":1,"breadcrumbs":9,"title":1},"107":{"body":37,"breadcrumbs":10,"title":2},"108":{"body":3,"breadcrumbs":9,"title":1},"109":{"body":276,"breadcrumbs":10,"title":2},"11":{"body":120,"breadcrumbs":3,"title":1},"110":{"body":23,"breadcrumbs":13,"title":4},"111":{"body":8,"breadcrumbs":11,"title":2},"112":{"body":41,"breadcrumbs":12,"title":3},"113":{"body":177,"breadcrumbs":12,"title":3},"114":{"body":55,"breadcrumbs":12,"title":3},"115":{"body":164,"breadcrumbs":12,"title":3},"116":{"body":72,"breadcrumbs":13,"title":4},"117":{"body":24,"breadcrumbs":12,"title":3},"118":{"body":12,"breadcrumbs":10,"title":1},"119":{"body":13,"breadcrumbs":13,"title":4},"12":{"body":14,"breadcrumbs":4,"title":2},"120":{"body":40,"breadcrumbs":11,"title":2},"121":{"body":271,"breadcrumbs":13,"title":4},"122":{"body":73,"breadcrumbs":14,"title":5},"123":{"body":65,"breadcrumbs":11,"title":2},"124":{"body":15,"breadcrumbs":10,"title":1},"125":{"body":7,"breadcrumbs":10,"title":1},"126":{"body":15,"breadcrumbs":10,"title":1},"127":{"body":49,"breadcrumbs":11,"title":2},"128":{"body":0,"breadcrumbs":10,"title":1},"129":{"body":8,"breadcrumbs":10,"title":1},"13":{"body":9,"breadcrumbs":6,"title":2},"130":{"body":0,"breadcrumbs":10,"title":1},"131":{"body":0,"breadcrumbs":10,"title":1},"132":{"body":1,"breadcrumbs":10,"title":1},"133":{"body":100,"breadcrumbs":11,"title":2},"134":{"body":94,"breadcrumbs":12,"title":3},"135":{"body":55,"breadcrumbs":12,"title":3},"136":{"body":166,"breadcrumbs":12,"title":3},"137":{"body":38,"breadcrumbs":13,"title":4},"138":{"body":31,"breadcrumbs":10,"title":1},"139":{"body":0,"breadcrumbs":4,"title":1},"14":{"body":35,"breadcrumbs":6,"title":2},"140":{"body":123,"breadcrumbs":4,"title":1},"141":{"body":175,"breadcrumbs":4,"title":1},"142":{"body":39,"breadcrumbs":6,"title":3},"143":{"body":27,"breadcrumbs":5,"title":2},"144":{"body":23,"breadcrumbs":5,"title":2},"145":{"body":31,"breadcrumbs":5,"title":2},"146":{"body":0,"breadcrumbs":7,"title":4},"147":{"body":72,"breadcrumbs":5,"title":2},"148":{"body":113,"breadcrumbs":5,"title":2},"149":{"body":74,"breadcrumbs":4,"title":1},"15":{"body":26,"breadcrumbs":6,"title":2},"150":{"body":12,"breadcrumbs":6,"title":3},"151":{"body":8,"breadcrumbs":4,"title":1},"152":{"body":64,"breadcrumbs":6,"title":3},"153":{"body":0,"breadcrumbs":5,"title":1},"154":{"body":93,"breadcrumbs":6,"title":2},"155":{"body":10,"breadcrumbs":7,"title":3},"156":{"body":22,"breadcrumbs":5,"title":1},"157":{"body":33,"breadcrumbs":5,"title":1},"158":{"body":5,"breadcrumbs":5,"title":1},"159":{"body":55,"breadcrumbs":6,"title":2},"16":{"body":135,"breadcrumbs":6,"title":2},"160":{"body":1,"breadcrumbs":6,"title":2},"161":{"body":39,"breadcrumbs":6,"title":2},"162":{"body":32,"breadcrumbs":4,"title":1},"163":{"body":24,"breadcrumbs":5,"title":2},"164":{"body":38,"breadcrumbs":5,"title":2},"165":{"body":65,"breadcrumbs":6,"title":3},"166":{"body":25,"breadcrumbs":6,"title":3},"167":{"body":17,"breadcrumbs":6,"title":3},"168":{"body":0,"breadcrumbs":6,"title":2},"169":{"body":18,"breadcrumbs":5,"title":1},"17":{"body":63,"breadcrumbs":6,"title":2},"170":{"body":29,"breadcrumbs":6,"title":2},"171":{"body":171,"breadcrumbs":6,"title":2},"172":{"body":35,"breadcrumbs":14,"title":6},"173":{"body":40,"breadcrumbs":10,"title":2},"174":{"body":110,"breadcrumbs":10,"title":2},"175":{"body":92,"breadcrumbs":10,"title":2},"176":{"body":95,"breadcrumbs":10,"title":2},"177":{"body":115,"breadcrumbs":10,"title":2},"178":{"body":125,"breadcrumbs":10,"title":2},"179":{"body":41,"breadcrumbs":10,"title":2},"18":{"body":160,"breadcrumbs":6,"title":2},"180":{"body":17,"breadcrumbs":10,"title":2},"181":{"body":24,"breadcrumbs":10,"title":2},"182":{"body":146,"breadcrumbs":10,"title":2},"183":{"body":44,"breadcrumbs":10,"title":2},"184":{"body":19,"breadcrumbs":9,"title":1},"185":{"body":84,"breadcrumbs":10,"title":2},"186":{"body":0,"breadcrumbs":9,"title":1},"187":{"body":111,"breadcrumbs":10,"title":2},"188":{"body":69,"breadcrumbs":10,"title":2},"189":{"body":96,"breadcrumbs":10,"title":2},"19":{"body":21,"breadcrumbs":6,"title":2},"190":{"body":104,"breadcrumbs":10,"title":2},"191":{"body":228,"breadcrumbs":10,"title":2},"192":{"body":228,"breadcrumbs":10,"title":2},"193":{"body":217,"breadcrumbs":10,"title":2},"194":{"body":551,"breadcrumbs":11,"title":3},"195":{"body":1174,"breadcrumbs":10,"title":2},"196":{"body":21,"breadcrumbs":4,"title":2},"197":{"body":178,"breadcrumbs":4,"title":1},"198":{"body":252,"breadcrumbs":4,"title":1},"199":{"body":86,"breadcrumbs":7,"title":4},"2":{"body":14,"breadcrumbs":5,"title":4},"20":{"body":139,"breadcrumbs":6,"title":2},"200":{"body":65,"breadcrumbs":5,"title":2},"201":{"body":149,"breadcrumbs":5,"title":2},"202":{"body":277,"breadcrumbs":5,"title":2},"203":{"body":84,"breadcrumbs":5,"title":2},"204":{"body":11,"breadcrumbs":4,"title":1},"205":{"body":154,"breadcrumbs":4,"title":1},"206":{"body":42,"breadcrumbs":7,"title":4},"207":{"body":84,"breadcrumbs":7,"title":4},"208":{"body":85,"breadcrumbs":8,"title":5},"209":{"body":44,"breadcrumbs":5,"title":2},"21":{"body":62,"breadcrumbs":7,"title":3},"210":{"body":79,"breadcrumbs":6,"title":3},"211":{"body":60,"breadcrumbs":5,"title":2},"212":{"body":138,"breadcrumbs":6,"title":3},"213":{"body":12,"breadcrumbs":5,"title":2},"214":{"body":46,"breadcrumbs":4,"title":1},"215":{"body":43,"breadcrumbs":6,"title":2},"216":{"body":92,"breadcrumbs":6,"title":2},"217":{"body":32,"breadcrumbs":7,"title":3},"218":{"body":131,"breadcrumbs":5,"title":1},"219":{"body":0,"breadcrumbs":6,"title":2},"22":{"body":205,"breadcrumbs":6,"title":2},"220":{"body":2,"breadcrumbs":7,"title":3},"221":{"body":304,"breadcrumbs":6,"title":2},"222":{"body":0,"breadcrumbs":6,"title":2},"223":{"body":34,"breadcrumbs":6,"title":2},"224":{"body":159,"breadcrumbs":6,"title":2},"225":{"body":108,"breadcrumbs":6,"title":2},"226":{"body":64,"breadcrumbs":6,"title":2},"227":{"body":19,"breadcrumbs":7,"title":3},"228":{"body":116,"breadcrumbs":5,"title":1},"229":{"body":49,"breadcrumbs":5,"title":1},"23":{"body":183,"breadcrumbs":7,"title":3},"230":{"body":153,"breadcrumbs":6,"title":2},"231":{"body":2,"breadcrumbs":8,"title":4},"232":{"body":55,"breadcrumbs":6,"title":2},"233":{"body":2,"breadcrumbs":7,"title":3},"234":{"body":27,"breadcrumbs":5,"title":1},"235":{"body":30,"breadcrumbs":14,"title":6},"236":{"body":32,"breadcrumbs":9,"title":1},"237":{"body":25,"breadcrumbs":9,"title":1},"238":{"body":216,"breadcrumbs":12,"title":4},"239":{"body":177,"breadcrumbs":4,"title":1},"24":{"body":173,"breadcrumbs":6,"title":2},"25":{"body":103,"breadcrumbs":6,"title":2},"26":{"body":5,"breadcrumbs":6,"title":2},"27":{"body":52,"breadcrumbs":6,"title":2},"28":{"body":0,"breadcrumbs":4,"title":1},"29":{"body":10,"breadcrumbs":6,"title":2},"3":{"body":13,"breadcrumbs":3,"title":2},"30":{"body":95,"breadcrumbs":7,"title":3},"31":{"body":61,"breadcrumbs":7,"title":3},"32":{"body":68,"breadcrumbs":7,"title":3},"33":{"body":45,"breadcrumbs":7,"title":3},"34":{"body":103,"breadcrumbs":5,"title":1},"35":{"body":59,"breadcrumbs":5,"title":1},"36":{"body":96,"breadcrumbs":5,"title":1},"37":{"body":289,"breadcrumbs":8,"title":4},"38":{"body":121,"breadcrumbs":6,"title":2},"39":{"body":38,"breadcrumbs":5,"title":1},"4":{"body":16,"breadcrumbs":2,"title":1},"40":{"body":64,"breadcrumbs":5,"title":1},"41":{"body":18,"breadcrumbs":5,"title":1},"42":{"body":0,"breadcrumbs":2,"title":1},"43":{"body":64,"breadcrumbs":3,"title":2},"44":{"body":83,"breadcrumbs":5,"title":2},"45":{"body":22,"breadcrumbs":4,"title":1},"46":{"body":77,"breadcrumbs":4,"title":1},"47":{"body":13,"breadcrumbs":7,"title":2},"48":{"body":16,"breadcrumbs":7,"title":2},"49":{"body":239,"breadcrumbs":7,"title":2},"5":{"body":21,"breadcrumbs":2,"title":1},"50":{"body":156,"breadcrumbs":8,"title":3},"51":{"body":15,"breadcrumbs":6,"title":1},"52":{"body":148,"breadcrumbs":6,"title":1},"53":{"body":45,"breadcrumbs":7,"title":2},"54":{"body":64,"breadcrumbs":6,"title":1},"55":{"body":0,"breadcrumbs":7,"title":2},"56":{"body":37,"breadcrumbs":6,"title":1},"57":{"body":179,"breadcrumbs":6,"title":1},"58":{"body":40,"breadcrumbs":7,"title":2},"59":{"body":229,"breadcrumbs":7,"title":2},"6":{"body":21,"breadcrumbs":2,"title":1},"60":{"body":98,"breadcrumbs":8,"title":3},"61":{"body":107,"breadcrumbs":9,"title":4},"62":{"body":0,"breadcrumbs":7,"title":2},"63":{"body":110,"breadcrumbs":8,"title":3},"64":{"body":67,"breadcrumbs":8,"title":3},"65":{"body":77,"breadcrumbs":9,"title":4},"66":{"body":70,"breadcrumbs":10,"title":5},"67":{"body":149,"breadcrumbs":7,"title":2},"68":{"body":43,"breadcrumbs":7,"title":2},"69":{"body":69,"breadcrumbs":7,"title":2},"7":{"body":376,"breadcrumbs":5,"title":2},"70":{"body":66,"breadcrumbs":9,"title":3},"71":{"body":125,"breadcrumbs":8,"title":2},"72":{"body":31,"breadcrumbs":9,"title":3},"73":{"body":0,"breadcrumbs":7,"title":2},"74":{"body":209,"breadcrumbs":8,"title":3},"75":{"body":0,"breadcrumbs":5,"title":2},"76":{"body":22,"breadcrumbs":4,"title":1},"77":{"body":144,"breadcrumbs":5,"title":2},"78":{"body":48,"breadcrumbs":5,"title":2},"79":{"body":520,"breadcrumbs":7,"title":4},"8":{"body":252,"breadcrumbs":5,"title":2},"80":{"body":388,"breadcrumbs":4,"title":1},"81":{"body":511,"breadcrumbs":6,"title":3},"82":{"body":249,"breadcrumbs":6,"title":3},"83":{"body":793,"breadcrumbs":6,"title":3},"84":{"body":0,"breadcrumbs":3,"title":1},"85":{"body":0,"breadcrumbs":6,"title":3},"86":{"body":142,"breadcrumbs":7,"title":4},"87":{"body":196,"breadcrumbs":5,"title":2},"88":{"body":28,"breadcrumbs":4,"title":1},"89":{"body":55,"breadcrumbs":10,"title":7},"9":{"body":366,"breadcrumbs":3,"title":1},"90":{"body":8,"breadcrumbs":5,"title":2},"91":{"body":5,"breadcrumbs":4,"title":1},"92":{"body":5,"breadcrumbs":4,"title":1},"93":{"body":27,"breadcrumbs":5,"title":2},"94":{"body":150,"breadcrumbs":6,"title":2},"95":{"body":240,"breadcrumbs":7,"title":3},"96":{"body":71,"breadcrumbs":11,"title":7},"97":{"body":13,"breadcrumbs":3,"title":1},"98":{"body":0,"breadcrumbs":7,"title":2},"99":{"body":20,"breadcrumbs":6,"title":1}},"docs":{"0":{"body":"","breadcrumbs":"halo2 » halo2 Crates.io","id":"0","title":"halo2 Crates.io"},"1":{"body":"","breadcrumbs":"halo2 » Documentation","id":"1","title":"Documentation"},"10":{"body":"In order to combine functionality from several chips, we compose them in a tree. The top-level chip defines a set of fixed, advice, and instance columns, and then specifies how they should be distributed between lower-level chips. In the simplest case, each lower-level chips will use columns disjoint from the other chips. However, it is allowed to share a column between chips. It is important to optimize the number of advice columns in particular, because that affects proof size. The result (possibly after optimization) is a PLONKish configuration. Our circuit implementation will be parameterized on a chip, and can use any features of the supported lower-level chips via the top-level chip. Our hope is that less expert users will normally be able to find an existing chip that supports the operations they need, or only have to make minor modifications to an existing chip. Expert users will have full control to do the kind of circuit optimizations that ECC is famous for 🙂.","breadcrumbs":"Concepts » Chips » Composing chips","id":"10","title":"Composing chips"},"100":{"body":"A non-exhaustive list of assumptions made by EccChip: 0 is not an x-coordinate of a valid point on the curve. Holds for Pallas because 5 is not square in Fq. 0 is not a y-coordinate of a valid point on the curve. Holds for Pallas because −5 is not a cube in Fq.","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Chip assumptions","id":"100","title":"Chip assumptions"},"101":{"body":"The following table shows how columns are used by the gates for various chip sub-areas: W - witnessing points. AI - incomplete point addition. AC - complete point addition. MF - Fixed-base scalar multiplication. MVI - variable-base scalar multiplication, incomplete rounds. MVC - variable-base scalar multiplication, complete rounds. MVO - variable-base scalar multiplication, overflow check. Sub-areaWAIACMFMVIMVCa0xxpxpxpxpxpa1yypypypypypa2xqxrxqxrxqxrλ2loxqxra3yqyryqyryqyrxAhiyqyra4λwindowλ1hiλa5αuλ2hiαa6βzloβa7γxAloγa8δλ1loδa9zhizcomplete","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Layout","id":"101","title":"Layout"},"102":{"body":"We represent elliptic curve points in the circuit in their affine representation (x,y). The identity is represented as the pseudo-coordinate (0,0), which we assume is not a valid point on the curve.","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Witnessing points » Witnessing points","id":"102","title":"Witnessing points"},"103":{"body":"To constrain a coordinate pair (x,y) as representing a valid point on the curve, we directly check the curve equation. For Pallas and Vesta, this is: y2=x3+5 Degree4Constraintqpointnon-id⋅(y2−x3−5)=0","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Witnessing points » Non-identity points","id":"103","title":"Non-identity points"},"104":{"body":"To allow (x,y) to represent either a valid point on the curve, or the pseudo-coordinate (0,0), we define a separate gate that enforces the curve equation check unless both x and y are zero. Degree55Constraint(qpoint⋅x)⋅(y2−x3−5)=0(qpoint⋅y)⋅(y2−x3−5)=0","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Witnessing points » Points including the identity","id":"104","title":"Points including the identity"},"105":{"body":"We will use formulae for curve arithmetic using affine coordinates on short Weierstrass curves, derived from section 4.1 of Hüseyin Hışıl's thesis . Inputs: P=(xp,yp),Q=(xq,yq) Output: R=P⸭Q=(xr,yr) The formulae from Hışıl's thesis are: x3=(x1−x2y1−y2)2−x1−x2 y3=x1−x2y1−y2⋅(x1−x3)−y1. Rename (x1,y1) to (xq,yq), (x2,y2) to (xp,yp), and (x3,y3) to (xr,yr), giving xr=(xq−xpyq−yp)2−xq−xp yr=xq−xpyq−yp⋅(xq−xr)−yq which is equivalent to xr+xq+xp=(xp−xqyp−yq)2 yr+yq=xp−xqyp−yq⋅(xq−xr). Assuming xp=xq, we have and⟺⟺⟺⟺xr+xq+xp(xr+xq+xp)⋅(xp−xq)2(xr+xq+xp)⋅(xp−xq)2−(yp−yq)2yr+yq(yr+yq)⋅(xp−xq)(yr+yq)⋅(xp−xq)−(yp−yq)⋅(xq−xr)======(xp−xqyp−yq)2(yp−yq)20xp−xqyp−yq⋅(xq−xr)(yp−yq)⋅(xq−xr)0. So we get the constraints: (xr+xq+xp)⋅(xp−xq)2−(yp−yq)2=0 Note that this constraint is unsatisfiable for P⸭(−P) (when P=O), and so cannot be used with arbitrary inputs. (yr+yq)⋅(xp−xq)−(yp−yq)⋅(xq−xr)=0.","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Incomplete and complete addition » Incomplete addition","id":"105","title":"Incomplete addition"},"106":{"body":"Degree43Constraintqadd-incomplete⋅((xr+xq+xp)⋅(xp−xq)2−(yp−yq)2)=0qadd-incomplete⋅((yr+yq)⋅(xp−xq)−(yp−yq)⋅(xq−xr))=0","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Incomplete and complete addition » Constraints","id":"106","title":"Constraints"},"107":{"body":"OO(xp,yp)(x,y)(x,y)(xp,yp)++++++O(xq,yq)O(x,y)(x,−y)(xq,yq)=O=(xq,yq)=(xp,yp)=[2](x,y)=O=(xp,yp)⸭(xq,yq), if xp=xq. Suppose that we represent O as (0,0). (0 is not an x-coordinate of a valid point because we would need y2=x3+5, and 5 is not square in Fq. Also 0 is not a y-coordinate of a valid point because −5 is not a cube in Fq.) P+Q(xp,yp)+(xq,yq)λxryr=R=(xr,yr)=xq−xpyq−yp=λ2−xp−xq=λ(xp−xr)−yp For the doubling case, Hışıl's thesis tells us that λ has to instead be computed as 2y3x2. Define inv0(x)={0,1/x,if x=0otherwise. Witness α,β,γ,δ,λ where: α=β=γ=δ=λ=inv0(xq−xp)inv0(xp)inv0(xq){inv0(yq+yp),0,if xq=xpotherwise⎩⎨⎧xq−xpyq−yp,2yp3xp20,if xq=xpif xq=xp∧yp=0otherwise.","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Incomplete and complete addition » Complete addition","id":"107","title":"Complete addition"},"108":{"body":"Degree456666444444Constraintqadd⋅(xq−xp)⋅((xq−xp)⋅λ−(yq−yp))qadd⋅(1−(xq−xp)⋅α)⋅(2yp⋅λ−3xp2)qadd⋅xp⋅xq⋅(xq−xp)⋅(λ2−xp−xq−xr)qadd⋅xp⋅xq⋅(xq−xp)⋅(λ⋅(xp−xr)−yp−yr)qadd⋅xp⋅xq⋅(yq+yp)⋅(λ2−xp−xq−xr)qadd⋅xp⋅xq⋅(yq+yp)⋅(λ⋅(xp−xr)−yp−yr)qadd⋅(1−xp⋅β)⋅(xr−xq)qadd⋅(1−xp⋅β)⋅(yr−yq)qadd⋅(1−xq⋅γ)⋅(xr−xp)qadd⋅(1−xq⋅γ)⋅(yr−yp)qadd⋅(1−(xq−xp)⋅α−(yq+yp)⋅δ)⋅xrqadd⋅(1−(xq−xp)⋅α−(yq+yp)⋅δ)⋅yr============000000000000Meaningxq=xp⟹λ=xq−xpyq−yp{xq=xp∧yp=0⟹λ=2yp3xp2xq=xp∧yp=0⟹xp=0xp=0∧xq=0∧xq=xp⟹xr=λ2−xp−xqxp=0∧xq=0∧xq=xp⟹yr=λ⋅(xp−xr)−ypxp=0∧xq=0∧yq=−yp⟹xr=λ2−xp−xqxp=0∧xq=0∧yq=−yp⟹yr=λ⋅(xp−xr)−ypxp=0⟹xr=xqxp=0⟹yr=yqxq=0⟹xr=xpxq=0⟹yr=ypxq=xp∧yq=−yp⟹xr=0xq=xp∧yq=−yp⟹yr=0 Max degree: 6","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Incomplete and complete addition » Constraints","id":"108","title":"Constraints"},"109":{"body":"1.2.3. a) b) c) d)4. a) b)5. a) b)6. a) b)(xq−xp)⋅((xq−xp)⋅λ−(yq−yp))=0At least one of or xq−xp=0(xq−xp)⋅λ−(yq−yp)=0must be satisfied for the constraint to be satisfied.If xq−xp=0, then (xq−xp)⋅λ−(yq−yp)=0, andby rearranging both sides we get λ=(yq−yp)/(xq−xp).Therefore:xq=xp⟹λ=(yq−yp)/(xq−xp).(1−(xq−xp)⋅α)⋅(2yp⋅λ−3xp2)=0At least one of or (1−(xq−xp)⋅α)=0(2yp⋅λ−3xp2)=0must be satisfied for the constraint to be satisfied.If xq=xp, then 1−(xq−xp)⋅α=0 has no solution for α,so it must be that 2yp⋅λ−3xp2=0.If xq=xp and yp=0 then xp=0, and the constraint is satisfied.If xq=xp and yp=0 then by rearranging both sideswe get λ=3xp2/2yp.Therefore:(xq=xp)∧yp=0⟹λ=3xp2/2yp.xp⋅xq⋅(xq−xp)⋅(λ2−xp−xq−xr)=0xp⋅xq⋅(xq−xp)⋅(λ⋅(xp−xr)−yp−yr)=0xp⋅xq⋅(yq+yp)⋅(λ2−xp−xq−xr)=0xp⋅xq⋅(yq+yp)⋅(λ⋅(xp−xr)−yp−yr)=0At least one of or or or xp=0xp=0(xq−xp)=0(λ2−xp−xq−xr)=0must be satisfied for constraint (a) to be satisfied.If xp=0∧xq=0∧xq=xp,• Constraint (a) imposes that xr=λ2−xp−xq.• Constraint (b) imposes that yr=λ⋅(xp−xr)−yp.If xp=0∧xq=0∧yq=−yp,• Constraint (c) imposes that xr=λ2−xp−xq.• Constraint (d) imposes that yr=λ⋅(xp−xr)−yp.Therefore:⟹(xp=0)∧(xq=0)∧((xq=xp)∨(yq=−yp))(xr=λ2−xp−xq)∧(yr=λ⋅(xp−xr)−yp).(1−xp⋅β)⋅(xr−xq)=0(1−xp⋅β)⋅(yr−yq)=0At least one of 1−xp⋅βor xr−xq=0=0must be satisfied for constraint (a) to be satisfied.If xp=0 then 1−xp⋅β=0 has no solutions for β,and so it must be that xr−xq=0.Similarly, constraint (b) imposes that if xp=0then yr−yq=0.Therefore:xp=0⟹(xr,yr)=(xq,yq).(1−xq⋅γ)⋅(xr−xp)=0(1−xq⋅γ)⋅(yr−yp)=0At least one of 1−xq⋅γor xr−xp=0=0must be satisfied for constraint (a) to be satisfied.If xq=0 then 1−xq⋅γ=0 has no solutions for γ,and so it must be that xr−xp=0.Similarly, constraint (b) imposes that if xq=0then yr−yp=0.Therefore:xq=0⟹(xr,yr)=(xp,yp).(1−(xq−xp)⋅α−(yq+yp)⋅δ)⋅xr=0(1−(xq−xp)⋅α−(yq+yp)⋅δ)⋅yr=0At least one of or 1−(xq−xp)⋅α−(yq+yp)⋅δ=0xr=0must be satisfied for constraint (a) to be satisfied,and similarly replacing xr by yr.If xr=0 or yr=0, then it must be that 1−(xq−xp)⋅α−(yq+yp)⋅δ=0.However, if xq=xp∧yq=−yp, then there are no solutions for α and δ.Therefore: xq=xp∧yq=−yp⟹(xr,yr)=(0,0). Propositions: (1)(2)(3)(4)(5)(6)xq=xp⟹λ=(yq−yp)/(xq−xp)(xq=xp)∧yp=0⟹λ=3xp2/2yp(xp=0)∧(xq=0)∧((xq=xp)∨(yq=−yp))⟹(xr=λ2−xp−xq)∧(yr=λ⋅(xp−xr)−yp)xp=0⟹(xr,yr)=(xq,yq)xq=0⟹(xr,yr)=(xp,yp)xq=xp∧yq=−yp⟹(xr,yr)=(0,0) Cases: (xp,yp)+(xq,yq)=(xr,yr) Note that we rely on the fact that 0 is not a valid x-coordinate or y-coordinate of a point on the Pallas curve other than O. (0,0)+(0,0) Completeness: (1)(2)(3)(4)(5)(6)holds because xq=xpholds because yp=0holds because xp=0holds because (xr,yr)=(xq,yq)=(0,0)holds because (xr,yr)=(xp,yp)=(0,0)holds because (xr,yr)=(0,0). Soundness: (xr,yr)=(0,0) is the only solution to (6). (x,y)+(0,0) for (x,y)=(0,0) Completeness: (1)(2)(3)(4)(5)(6)holds because xq=xp, therefore λ=(yq−yp)/(xq−xp) is a solutionholds because xq=xp, therefore α=(xq−xp)−1 is a solutionholds because xq=0holds because xp=0, therefore β=xp−1 is a solutionholds because (xr,yr)=(xp,yp)holds because xq=xp, therefore α=(xq−xp)−1 and δ=0 is a solution. Soundness: (xr,yr)=(xp,yp) is the only solution to (5). (0,0)+(x,y) for (x,y)=(0,0) Completeness: (1)(2)(3)(4)(5)(6)holds because xq=xp, therefore λ=(yq−yp)/(xq−xp) is a solutionholds because xq=xp, therefore α=(xq−xp)−1 is a solutionholds because xp=0holds because xp=0 only when (xr,yr)=(xq,yq)holds because xq=0, therefore γ=xq−1 is a solutionholds because xq=xp, therefore α=(xq−xp)−1 and δ=0 is a solution. Soundness: (xr,yr)=(xq,yq) is the only solution to (4). (x,y)+(x,y) for (x,y)=(0,0) Completeness: (1)(2)(3)(4)(5)(6)holds because xq=xpholds because xq=xp∧yp=0, therefore λ=3xp2/2yp is a solutionholds because xr=λ2−xp−xq∧yr=λ⋅(xp−xr)−yp in this caseholds because xp=0, therefore β=xp−1 is a solutionholds because xp=0, therefore γ=xq−1 is a solutionholds because xq=xp and yq=−yp, therefore α=0 and δ=(yq+yp)−1 is a solution. Soundness: λ is computed correctly, and (xr,yr)=(λ2−xp−xq,λ⋅(xp−xr)−yp) is the only solution. (x,y)+(x,−y) for (x,y)=(0,0) Completeness: (1)(2)(3)(4)(5)(6)holds because xq=xpholds because xq=xp∧yp=0, therefore λ=3xp2/2yp is a solution(although λ is not used in this case)holds because xq=xp and yq=−ypholds because xp=0, therefore β=xp−1 is a solutionholds because xq=0, therefore γ=xq−1 is a solutionholds because (xr,yr)=(0,0) Soundness: (xr,yr)=(0,0) is the only solution to (6). (xp,yp)+(xq,yq) for (xp,yp)=(0,0) and (xq,yq)=(0,0) and xp=xq Completeness: (1)(2)(3)(4)(5)(6)holds because xq=xp, therefore λ=(yq−yp)/(xq−xp) is a solutionholds because xq=xp, therefore α=(xq−xp)−1 is a solutionholds because xr=λ2−xp−xq∧yr=λ⋅(xp−xr)−yp in this caseholds because xp=0, therefore β=xp−1 is a solutionholds because xq=0, therefore γ=xq−1 is a solutionholds because xq=xp, therefore α=(xq−xp)−1 and δ=0 is a solution. Soundness: λ is computed correctly, and (xr,yr)=(λ2−xp−xq,λ⋅(xp−xr)−yp) is the only solution.","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Incomplete and complete addition » Analysis of constraints","id":"109","title":"Analysis of constraints"},"11":{"body":"When implementing a circuit, we could use the features of the chips we've selected directly. Typically, though, we will use them via gadgets . This indirection is useful because, for reasons of efficiency and limitations imposed by PLONKish circuits, the chip interfaces will often be dependent on low-level implementation details. The gadget interface can provide a more convenient and stable API that abstracts away from extraneous detail. For example, consider a hash function such as SHA-256. The interface of a chip supporting SHA-256 might be dependent on internals of the hash function design such as the separation between message schedule and compression function. The corresponding gadget interface can provide a more convenient and familiar update/finalize API, and can also handle parts of the hash function that do not need chip support, such as padding. This is similar to how accelerated instructions for cryptographic primitives on CPUs are typically accessed via software libraries, rather than directly. Gadgets can also provide modular and reusable abstractions for circuit programming at a higher level, similar to their use in libraries such as libsnark and bellman . As well as abstracting functions , they can also abstract types , such as elliptic curve points or integers of specific sizes.","breadcrumbs":"Concepts » Gadgets » Gadgets","id":"11","title":"Gadgets"},"110":{"body":"There are 6 fixed bases in the Orchard protocol: KOrchard, used in deriving the nullifier; GOrchard, used in spend authorization; R base for NoteCommitOrchard; V and R bases for ValueCommitOrchard; and R base for Commitivk.","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Fixed-base scalar multiplication » Fixed-base scalar multiplication","id":"110","title":"Fixed-base scalar multiplication"},"111":{"body":"We support fixed-base scalar multiplication with three types of scalars:","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Fixed-base scalar multiplication » Decompose scalar","id":"111","title":"Decompose scalar"},"112":{"body":"A 255-bit scalar from Fq. We decompose a full-width scalar α into 85 3-bit windows: α=k0+k1⋅(23)1+⋯+k84⋅(23)84,ki∈[0..23). The scalar multiplication will be computed correctly for k0..84 representing any integer in the range [0,2255) - that is, the scalar is allowed to be non-canonical. We range-constrain each 3-bit word of the scalar decomposition using a polynomial range-check constraint: Degree9Constraintqmul_fixed_full⋅range_check(word,23)=0 where range_check(word,range)=word⋅(1−word)⋯(range−1−word).","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Fixed-base scalar multiplication » Full-width scalar","id":"112","title":"Full-width scalar"},"113":{"body":"We support using a base field element as the scalar in fixed-base multiplication. This occurs, for example, in the scalar multiplication for the nullifier computation of the Action circuit DeriveNullifiernk=ExtractP([(PRFnknfOrchard(ρ)+ψ)modqP]KOrchard+cm): here, the scalar [(PRFnknfOrchard(ρ)+ψ)modqP] is the result of a base field addition. Decompose the base field element α into three-bit windows, and range-constrain each window, using the short range decomposition gadget in strict mode, with W=85,K=3. If k0..84 is witnessed directly then no issue of canonicity arises. However, because the scalar is given as a base field element here, care must be taken to ensure a canonical representation, since 2255>p. That is, we must check that 0≤α
q. Thus, given a scalar α, we witness the boolean decomposition of k=α+tq. (We use big-endian bit order for convenient input into the variable-base scalar multiplication algorithm.) k=k254⋅2254+k253⋅2253+⋯+k0.","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Variable-base scalar multiplication » Witness scalar","id":"120","title":"Witness scalar"},"121":{"body":"We use an optimized double-and-add algorithm, copied from \"Faster variable-base scalar multiplication in zk-SNARK circuits\" with some variable name changes: Acc := [2] T\nfor i from n-1 down to 0 { P := k_{i+1} ? T : −T Acc := (Acc + P) + Acc\n}\nreturn (k_0 = 0) ? (Acc - T) : Acc It remains to check that the x-coordinates of each pair of points to be added are distinct. When adding points in a prime-order group, we can rely on Theorem 3 from Appendix C of the Halo paper , which says that if we have two such points with nonzero indices wrt a given odd-prime order base, where the indices taken in the range −(q−1)/2..(q−1)/2 are distinct disregarding sign, then they have different x-coordinates. This is helpful, because it is easier to reason about the indices of points occurring in the scalar multiplication algorithm than it is to reason about their x-coordinates directly. So, the required check is equivalent to saying that the following \"indexed version\" of the above algorithm never asserts: acc := 2\nfor i from n-1 down to 0 { p = k_{i+1} ? 1 : −1 assert acc ≠ ± p assert (acc + p) ≠ acc // X acc := (acc + p) + acc assert 0 < acc ≤ (q-1)/2\n}\nif k_0 = 0 { assert acc ≠ 1 acc := acc - 1\n} The maximum value of acc is: <--- n 1s ---> 1011111...111111\n= 1100000...000000 - 1 = 2n+1+2n−1 The assertion labelled X obviously cannot fail because p=0. It is possible to see that acc is monotonically increasing except in the last conditional. It reaches its largest value when k is maximal, i.e. 2n+1+2n−1. So to entirely avoid exceptional cases, we would need 2n+1+2n−1<(q−1)/2. But we can use n larger by c if the last c iterations use complete addition . The first i for which the algorithm using only incomplete addition fails is going to be 252, since 2252+1+2252−1>(q−1)/2. We need n=254 to make the wraparound technique above work. sage: q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001\nsage: 2^253 + 2^252 - 1 < (q-1)//2\nFalse\nsage: 2^252 + 2^251 - 1 < (q-1)//2\nTrue So the last three iterations of the loop (i=2..0) need to use complete addition , as does the conditional subtraction at the end. Writing this out using ⸭ for incomplete addition (as we do in the spec), we have: Acc := [2] T\nfor i from 253 down to 3 { P := k_{i+1} ? T : −T Acc := (Acc ⸭ P) ⸭ Acc\n}\nfor i from 2 down to 0 { P := k_{i+1} ? T : −T Acc := (Acc + P) + Acc // complete addition\n}\nreturn (k_0 = 0) ? (Acc + (-T)) : Acc // complete addition","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Variable-base scalar multiplication » Variable-base scalar multiplication","id":"121","title":"Variable-base scalar multiplication"},"122":{"body":"Define a running sum zj=∑i=jn(ki⋅2i−j), where n=254 and: zn+1=0,zn=kn,(most significant bit)z0=k. Initialize A254=[2]T.for i from 254 down to 4:bool_check(ki)=0zi=2zi+1+kixP,i=xTyP,i=(2ki−1)⋅yT(conditionally negate)λ1,i⋅(xA,i−xP,i)=yA,i−yP,ixR,i=λ1,i2−xA,i−xP,i(λ1,i+λ2,i)⋅(xA,i−xR,i)=2yA,iλ2,i2=xA,i−1+xR,i+xA,iλ2,i⋅(xA,i−xA,i−1)=yA,i+yA,i−1. The helper bool_check(x)=x⋅(1−x). After substitution of xP,i,yP,i,xR,i,yA,i, and yA,i−1, this becomes: Initialize A254=[2]T.for i from 254 down to 4:// let ki=zi−2zi+1// let yA,i=2(λ1,i+λ2,i)⋅(xA,i−(λ1,i2−xA,i−xT))bool_check(ki)=0λ1,i⋅(xA,i−xT)=yA,i−(2ki−1)⋅yTλ2,i2=xA,i−1+λ1,i2−xT{λ2,i⋅(xA,i−xA,i−1)=yA,i+yA,i−1,λ2,4⋅(xA,4−xA,3)=yA,4+yA,3witnessed,if i>4if i=4. Here, yA,3witnessed is assigned to a cell. This is unlike previous yA,i's, which were implicitly derived from λ1,i,λ2,i,xA,i,xT, but never actually assigned. The bits k3…1 are used in three further steps, using complete addition : for i from 3 down to 1:// let ki=zi−2zi+1bool_check(ki)=0(xA,i−1,yA,i−1)=((xA,i,yA,i)+(xT,yT))+(xA,i,yA,i) If the least significant bit k0=1, we set B=O, otherwise we set B=−T. Then we return A+B using complete addition. Let B={(0,0),(xT,−yT), if k0=1, otherwise. Output (xA,0,yA,0)+B. (Note that (0,0) represents O.)","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Variable-base scalar multiplication » Constraint program for optimized double-and-add","id":"122","title":"Constraint program for optimized double-and-add"},"123":{"body":"We need six advice columns to witness (xT,yT,λ1,λ2,xA,i,zi). However, since (xT,yT) are the same, we can perform two incomplete additions in a single row, reusing the same (xT,yT). We split the scalar bits used in incomplete addition into hi and lo halves and process them in parallel. This means that we effectively have two for loops: the first, covering the hi half for i from 254 down to 130, with a special case at i=130; and the second, covering the lo half for the remaining i from 129 down to 4, with a special case at i=4. xTxTxT⋮xTxTyTyTyT⋮yTyTzhiz255=0z254z253⋮z130xAhixA,254=2[T]xxA,253⋮xA,130xA,129λ1hiyA,254=2[T]yλ1,254λ1,253⋮λ1,130yA,129λ2hiλ2,254λ2,253⋮λ2,130q1hi100⋮0q2hi011⋮0q3hi000⋮1zloz130z129z128⋮z5z4xAloxA,129xA,128⋮xA,5xA,4xA,3λ1loyA,129λ1,129λ1,128⋮λ1,5λ1,4yA,3λ2loλ2,129λ2,128⋮λ2,5λ2,4q1lo100⋮00q2lo011⋮10q3lo000⋮01 For each hi and lo half, we have three sets of gates. Note that i is going from 255..=3; i is NOT indexing the rows.","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Variable-base scalar multiplication » Incomplete addition","id":"123","title":"Incomplete addition"},"124":{"body":"This gate is only used on the first row (before the for loop). We check that λ1,λ2 are initialized to values consistent with the initial yA. Degree4Constraintq1⋅(yA,nwitnessed−yA,n)=0 where yA,nyA,nwitnessed=2(λ1,n+λ2,n)⋅(xA,n−(λ1,n2−xA,n−xT)), is witnessed.","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Variable-base scalar multiplication » q1=1","id":"124","title":"q1=1"},"125":{"body":"This gate is used on all rows corresponding to the for loop except the last. Degree223433Constraintq2⋅(xT,cur−xT,next)=0q2⋅(yT,cur−yT,next)=0q2⋅bool_check(ki)=0, where ki=zi−2zi+1q2⋅(λ1,i⋅(xA,i−xT,i)−yA,i+(2ki−1)⋅yT,i)=0q2⋅(λ2,i2−xA,i−1−xR,i−xA,i)=0q2⋅(λ2,i⋅(xA,i−xA,i−1)−yA,i−yA,i−1)=0 where xR,iyA,iyA,i−1=λ1,i2−xA,i−xT,=2(λ1,i+λ2,i)⋅(xA,i−(λ1,i2−xA,i−xT)),=2(λ1,i−1+λ2,i−1)⋅(xA,i−1−(λ1,i−12−xA,i−1−xT)),","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Variable-base scalar multiplication » q2=1","id":"125","title":"q2=1"},"126":{"body":"This gate is used on the final iteration of the for loop, handling the special case where we check that the output yA has been witnessed correctly. Degree3433Constraintq3⋅bool_check(ki)=0, where ki=zi−2zi+1q3⋅(λ1,i⋅(xA,i−xT,i)−yA,i+(2ki−1)⋅yT,i)=0q3⋅(λ2,i2−xA,i−1−xR,i−xA,i)=0q3⋅(λ2,i⋅(xA,i−xA,i−1)−yA,i−yA,i−1witnessed)=0 where xR,iyA,iyA,i−1witnessed=λ1,i2−xA,i−xT,=2(λ1,i+λ2,i)⋅(xA,i−(λ1,i2−xA,i−xT)), is witnessed.","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Variable-base scalar multiplication » q3=1","id":"126","title":"q3=1"},"127":{"body":"We reuse the complete addition constraints to implement the final c rounds of double-and-add. This requires two rows per round because we need 9 advice columns for each complete addition. In the 10th advice column we stash the other cells that we need to correctly implement the double-and-add: The base y coordinate, so we can conditionally negate it as input to one of the complete additions. The running sum, which we constrain over two rows instead of sequentially.","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Variable-base scalar multiplication » Complete addition","id":"127","title":"Complete addition"},"128":{"body":"a0xTxAa1ypyAa2xAxqxra3yAyqyra4λ1λ2a5α1α2a6β1β2a7γ1γ2a8δ1δ2a9zi+1yTziqmul_decompose_var010","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Variable-base scalar multiplication » Layout","id":"128","title":"Layout"},"129":{"body":"In addition to the complete addition constraints, we define the following gate: DegreeConstraintqmul_decompose_var⋅bool_check(ki)=0qmul_decompose_var⋅ternary(ki,yT−yp,yT+yp)=0 where ki=zi−2zi+1.","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Variable-base scalar multiplication » Constraints","id":"129","title":"Constraints"},"13":{"body":"The halo2 crate includes several utilities to help you design and implement your circuits.","breadcrumbs":"User Documentation » Developer tools » Developer tools","id":"13","title":"Developer tools"},"130":{"body":"","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Variable-base scalar multiplication » LSB","id":"130","title":"LSB"},"131":{"body":"a0xpxTa1ypyTa2xAxra3yAyra4λa5αa6βa7γa8δa9z1z0qmul_lsb10","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Variable-base scalar multiplication » Layout","id":"131","title":"Layout"},"132":{"body":"DegreeConstraintqmul_lsb⋅bool_check(k0)=0qmul_lsb⋅ternary(k0,xp,xp−xT)=0qmul_lsb⋅ternary(k0,yp,yp+yT)=0 where k0=z0−2z1.","breadcrumbs":"Design » Gadgets » Elliptic curve cryptography » Variable-base scalar multiplication » Constraints","id":"132","title":"Constraints"},"133":{"body":"zi cannot overflow for any i≥1, because it is a weighted sum of bits only up to 2n−1=2253, which is smaller than p (and also q). However, z0=α+tq can overflow [0,p). Note: for full-width scalar mul, it may not be possible to represent z0 in the base field (e.g. when the base field is Pasta's Fp and p : Chipq. It is not true for a full-width scalar α≥p when p