pub trait EccInstructions<C: CurveAffine>: Chip<C::Base> + UtilitiesInstructions<C::Base> + Clone + Debug + Eq {
    type ScalarVar: Clone + Debug;
    type ScalarFixed: Clone + Debug;
    type ScalarFixedShort: Clone + Debug;
    type Point: From<Self::NonIdentityPoint> + Clone + Debug;
    type NonIdentityPoint: Clone + Debug;
    type X: Clone + Debug;
    type FixedPoints: FixedPoints<C>;

    fn constrain_equal(
        &self,
        layouter: &mut impl Layouter<C::Base>,
        a: &Self::Point,
        b: &Self::Point
    ) -> Result<(), Error>;
    fn witness_point(
        &self,
        layouter: &mut impl Layouter<C::Base>,
        value: Option<C>
    ) -> Result<Self::Point, Error>;
    fn witness_point_non_id(
        &self,
        layouter: &mut impl Layouter<C::Base>,
        value: Option<C>
    ) -> Result<Self::NonIdentityPoint, Error>;
    fn extract_p<Point: Into<Self::Point> + Clone>(point: &Point) -> Self::X;
    fn add_incomplete(
        &self,
        layouter: &mut impl Layouter<C::Base>,
        a: &Self::NonIdentityPoint,
        b: &Self::NonIdentityPoint
    ) -> Result<Self::NonIdentityPoint, Error>;
    fn add<A: Into<Self::Point> + Clone, B: Into<Self::Point> + Clone>(
        &self,
        layouter: &mut impl Layouter<C::Base>,
        a: &A,
        b: &B
    ) -> Result<Self::Point, Error>;
    fn mul(
        &self,
        layouter: &mut impl Layouter<C::Base>,
        scalar: &Self::Var,
        base: &Self::NonIdentityPoint
    ) -> Result<(Self::Point, Self::ScalarVar), Error>;
    fn mul_fixed(
        &self,
        layouter: &mut impl Layouter<C::Base>,
        scalar: Option<C::Scalar>,
        base: &<Self::FixedPoints as FixedPoints<C>>::FullScalar
    ) -> Result<(Self::Point, Self::ScalarFixed), Error>;
    fn mul_fixed_short(
        &self,
        layouter: &mut impl Layouter<C::Base>,
        magnitude_sign: (Self::Var, Self::Var),
        base: &<Self::FixedPoints as FixedPoints<C>>::ShortScalar
    ) -> Result<(Self::Point, Self::ScalarFixedShort), Error>;
    fn mul_fixed_base_field_elem(
        &self,
        layouter: &mut impl Layouter<C::Base>,
        base_field_elem: Self::Var,
        base: &<Self::FixedPoints as FixedPoints<C>>::Base
    ) -> Result<Self::Point, Error>;
}

The set of circuit instructions required to use the ECC gadgets.

Associated Types

type ScalarVar

Variable representing an element of the elliptic curve’s base field, that is used as a scalar in variable-base scalar mul.

It is not true in general that a scalar field element fits in a curve’s base field, and in particular it is untrue for the Pallas curve, whose scalar field Fq is larger than its base field Fp.

However, the only use of variable-base scalar mul in the Orchard protocol is in deriving diversified addresses [ivk] g_d, and ivk is guaranteed to be in the base field of the curve. (See non-normative notes in https://zips.z.cash/protocol/nu5.pdf#orchardkeycomponents.)

type ScalarFixed

Variable representing a full-width element of the elliptic curve’s scalar field, to be used for fixed-base scalar mul.

type ScalarFixedShort

Variable representing a signed short element of the elliptic curve’s scalar field, to be used for fixed-base scalar mul.

A ScalarFixedShort must be in the range [-(2^64 - 1), 2^64 - 1].

type Point

Variable representing an elliptic curve point.

type NonIdentityPoint

Variable representing a non-identity elliptic curve point.

type X

Variable representing the affine short Weierstrass x-coordinate of an elliptic curve point.

type FixedPoints

Enumeration of the set of fixed bases to be used in scalar mul.

TODO: When associated consts can be used as const generics, introduce Self::NUM_WINDOWS, Self::NUM_WINDOWS_BASE_FIELD, Self::NUM_WINDOWS_SHORT and use them to differentiate FixedPoints types.

Required methods

fn constrain_equal

Constrains point a to be equal in value to point b.

fn witness_point

Witnesses the given point as a private input to the circuit. This allows the point to be the identity, mapped to (0, 0) in affine coordinates.

fn witness_point_non_id

Witnesses the given point as a private input to the circuit. This returns an error if the point is the identity.

fn extract_p

Extracts the x-coordinate of a point.

fn add_incomplete

Performs incomplete point addition, returning a + b.

This returns an error in exceptional cases.

fn add

Performs complete point addition, returning a + b.

fn mul

Performs variable-base scalar multiplication, returning [scalar] base.

fn mul_fixed

Performs fixed-base scalar multiplication using a full-width scalar, returning [scalar] base.

fn mul_fixed_short

Performs fixed-base scalar multiplication using a short signed scalar, returning [magnitude * sign] base.

fn mul_fixed_base_field_elem

Performs fixed-base scalar multiplication using a base field element as the scalar. In the current implementation, this base field element must be output from another instruction.
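An added example, not code from this crate: a plain-Rust model (no circuit, no Layouter) of the behaviour described for witness_point, add_incomplete and add, on a constructed toy curve y^2 = x^3 + 5 over F_7 that has the same a = 0, b = 5 shape as Pallas. The names Pt, IDENTITY, m, inv, neg and on_curve are assumptions of this sketch; it shows why (0, 0) is free to encode the identity and which inputs the incomplete formula has to reject.

```rust
// Toy stand-in for Pallas (constructed): y^2 = x^3 + 5 over F_7, same a = 0, b = 5.
const P: i64 = 7;
type Pt = (i64, i64); // affine (x, y)
const IDENTITY: Pt = (0, 0); // the encoding described for witness_point

fn m(v: i64) -> i64 { v.rem_euclid(P) }

// Inverse via Fermat: a^(P-2) mod P, valid for prime P and a != 0.
fn inv(a: i64) -> i64 { (0..P - 2).fold(1, |acc, _| m(acc * a)) }

// (0, 0) fails this check because b = 5 != 0, so it cannot collide with a real point.
fn on_curve(p: Pt) -> bool { m(p.1 * p.1) == m(p.0 * p.0 * p.0 + 5) }

fn neg(p: Pt) -> Pt { (p.0, m(-p.1)) }

// Chord rule only: undefined for identity inputs, a == b, and a == -b.
fn add_incomplete(a: Pt, b: Pt) -> Result<Pt, &'static str> {
    if a == IDENTITY || b == IDENTITY {
        return Err("identity input");
    }
    if a.0 == b.0 {
        return Err("equal x-coordinates: a == b or a == -b");
    }
    let lambda = m((b.1 - a.1) * inv(m(b.0 - a.0)));
    let x3 = m(lambda * lambda - a.0 - b.0);
    Ok((x3, m(lambda * (a.0 - x3) - a.1)))
}

// Complete addition: each exceptional case gets its own branch.
fn add(a: Pt, b: Pt) -> Pt {
    if a == IDENTITY { return b; }
    if b == IDENTITY { return a; }
    if a.0 != b.0 { return add_incomplete(a, b).unwrap(); }
    if b == neg(a) { return IDENTITY; }
    let lambda = m(3 * a.0 * a.0 * inv(m(2 * a.1))); // tangent rule (doubling)
    let x3 = m(lambda * lambda - 2 * a.0);
    (x3, m(lambda * (a.0 - x3) - a.1))
}

fn main() {
    let (p, q) = ((3, 2), (5, 2)); // constructed sample points on the toy curve
    println!("(0, 0) on curve: {}", on_curve(IDENTITY));
    println!("incomplete p + q: {:?}", add_incomplete(p, q));
    println!("incomplete p + p: {:?}", add_incomplete(p, p));
    println!("complete p + p: {:?}, p + (-p): {:?}", add(p, p), add(p, neg(p)));
}
```

In a circuit the exceptional inputs are the ones a prover could otherwise use to leave the addition unconstrained, which is why the incomplete variant takes NonIdentityPoint operands and can fail.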

Implementors