2021-09-27 01:49:08 -07:00
|
|
|
use super::{add, CellValue, EccConfig, EccPoint, NonIdentityEccPoint, Var};
|
2021-07-07 22:14:53 -07:00
|
|
|
use crate::{circuit::gadget::utilities::copy, constants::T_Q};
|
2021-06-04 23:17:43 -07:00
|
|
|
use std::ops::{Deref, Range};
|
|
|
|
|
2021-06-13 06:06:34 -07:00
|
|
|
use bigint::U256;
|
|
|
|
use ff::PrimeField;
|
2021-06-04 23:17:43 -07:00
|
|
|
use halo2::{
|
|
|
|
arithmetic::FieldExt,
|
2021-06-13 06:06:34 -07:00
|
|
|
circuit::{Layouter, Region},
|
2021-07-20 01:22:08 -07:00
|
|
|
plonk::{ConstraintSystem, Error, Expression, Selector},
|
2021-06-04 23:17:43 -07:00
|
|
|
poly::Rotation,
|
|
|
|
};
|
|
|
|
|
|
|
|
use pasta_curves::pallas;
|
|
|
|
|
|
|
|
mod complete;
|
|
|
|
mod incomplete;
|
2021-06-13 06:06:34 -07:00
|
|
|
mod overflow;
|
2021-06-04 23:17:43 -07:00
|
|
|
|
2021-07-07 22:14:53 -07:00
|
|
|
/// Number of bits for which complete addition needs to be used in variable-base
|
|
|
|
/// scalar multiplication
|
|
|
|
const NUM_COMPLETE_BITS: usize = 3;
|
|
|
|
|
2021-06-04 23:17:43 -07:00
|
|
|
// Bits used in incomplete addition. k_{254} to k_{4} inclusive
|
|
|
|
const INCOMPLETE_LEN: usize = pallas::Scalar::NUM_BITS as usize - 1 - NUM_COMPLETE_BITS;
|
|
|
|
const INCOMPLETE_RANGE: Range<usize> = 0..INCOMPLETE_LEN;
|
|
|
|
|
|
|
|
// Bits k_{254} to k_{4} inclusive are used in incomplete addition.
|
|
|
|
// The `hi` half is k_{254} to k_{130} inclusive (length 125 bits).
|
2021-07-07 22:14:53 -07:00
|
|
|
// (It is a coincidence that k_{130} matches the boundary of the
|
|
|
|
// overflow check described in [the book](https://zcash.github.io/halo2/design/gadgets/ecc/var-base-scalar-mul.html#overflow-check).)
|
2021-06-04 23:17:43 -07:00
|
|
|
const INCOMPLETE_HI_RANGE: Range<usize> = 0..(INCOMPLETE_LEN / 2);
|
|
|
|
|
|
|
|
// Bits k_{254} to k_{4} inclusive are used in incomplete addition.
|
|
|
|
// The `lo` half is k_{129} to k_{4} inclusive (length 126 bits).
|
|
|
|
const INCOMPLETE_LO_RANGE: Range<usize> = (INCOMPLETE_LEN / 2)..INCOMPLETE_LEN;
|
|
|
|
|
|
|
|
// Bits k_{3} to k_{1} inclusive are used in complete addition.
|
|
|
|
// Bit k_{0} is handled separately.
|
|
|
|
const COMPLETE_RANGE: Range<usize> = INCOMPLETE_LEN..(INCOMPLETE_LEN + NUM_COMPLETE_BITS);
|
|
|
|
|
|
|
|
pub struct Config {
|
2021-06-18 11:11:47 -07:00
|
|
|
// Selector used to check switching logic on LSB
|
|
|
|
q_mul_lsb: Selector,
|
2021-06-04 23:17:43 -07:00
|
|
|
// Configuration used in complete addition
|
|
|
|
add_config: add::Config,
|
|
|
|
// Configuration used for `hi` bits of the scalar
|
2021-06-13 06:06:34 -07:00
|
|
|
hi_config: incomplete::HiConfig,
|
2021-06-04 23:17:43 -07:00
|
|
|
// Configuration used for `lo` bits of the scalar
|
2021-06-13 06:06:34 -07:00
|
|
|
lo_config: incomplete::LoConfig,
|
|
|
|
// Configuration used for complete addition part of double-and-add algorithm
|
|
|
|
complete_config: complete::Config,
|
|
|
|
// Configuration used to check for overflow
|
|
|
|
overflow_config: overflow::Config,
|
2021-06-04 23:17:43 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
impl From<&EccConfig> for Config {
|
|
|
|
fn from(ecc_config: &EccConfig) -> Self {
|
|
|
|
let config = Self {
|
2021-06-18 11:11:47 -07:00
|
|
|
q_mul_lsb: ecc_config.q_mul_lsb,
|
2021-06-04 23:17:43 -07:00
|
|
|
add_config: ecc_config.into(),
|
2021-06-13 06:06:34 -07:00
|
|
|
hi_config: ecc_config.into(),
|
|
|
|
lo_config: ecc_config.into(),
|
|
|
|
complete_config: ecc_config.into(),
|
|
|
|
overflow_config: ecc_config.into(),
|
2021-06-04 23:17:43 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
assert_eq!(
|
|
|
|
config.hi_config.x_p, config.lo_config.x_p,
|
|
|
|
"x_p is shared across hi and lo halves."
|
|
|
|
);
|
|
|
|
assert_eq!(
|
|
|
|
config.hi_config.y_p, config.lo_config.y_p,
|
|
|
|
"y_p is shared across hi and lo halves."
|
|
|
|
);
|
|
|
|
|
2021-07-14 03:30:43 -07:00
|
|
|
// For both hi_config and lo_config:
|
|
|
|
// z and lambda1 are assigned on the same row as the add_config output.
|
|
|
|
// Therefore, z and lambda1 must not overlap with add_config.x_qr, add_config.y_qr.
|
|
|
|
let add_config_outputs = config.add_config.output_columns();
|
|
|
|
for config in [&(*config.hi_config), &(*config.lo_config)].iter() {
|
|
|
|
assert!(
|
|
|
|
!add_config_outputs.contains(&config.z),
|
|
|
|
"incomplete config z cannot overlap with complete addition columns."
|
|
|
|
);
|
|
|
|
assert!(
|
|
|
|
!add_config_outputs.contains(&config.lambda1),
|
|
|
|
"incomplete config lambda1 cannot overlap with complete addition columns."
|
|
|
|
);
|
|
|
|
}
|
2021-06-04 23:17:43 -07:00
|
|
|
|
|
|
|
config
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
impl Config {
|
|
|
|
pub(super) fn create_gate(&self, meta: &mut ConstraintSystem<pallas::Base>) {
|
2021-06-18 11:11:47 -07:00
|
|
|
// If `lsb` is 0, (x, y) = (x_p, -y_p). If `lsb` is 1, (x, y) = (0,0).
|
|
|
|
meta.create_gate("LSB check", |meta| {
|
|
|
|
let q_mul_lsb = meta.query_selector(self.q_mul_lsb);
|
|
|
|
|
2021-07-29 06:54:36 -07:00
|
|
|
let z_1 = meta.query_advice(self.complete_config.z_complete, Rotation::cur());
|
|
|
|
let z_0 = meta.query_advice(self.complete_config.z_complete, Rotation::next());
|
|
|
|
let x_p = meta.query_advice(self.add_config.x_p, Rotation::cur());
|
|
|
|
let y_p = meta.query_advice(self.add_config.y_p, Rotation::cur());
|
|
|
|
let base_x = meta.query_advice(self.add_config.x_p, Rotation::next());
|
|
|
|
let base_y = meta.query_advice(self.add_config.y_p, Rotation::next());
|
2021-06-18 11:11:47 -07:00
|
|
|
|
|
|
|
// z_0 = 2 * z_1 + k_0
|
|
|
|
// => k_0 = z_0 - 2 * z_1
|
|
|
|
let lsb = z_0 - z_1 * pallas::Base::from_u64(2);
|
2021-07-02 09:29:50 -07:00
|
|
|
let one_minus_lsb = Expression::Constant(pallas::Base::one()) - lsb.clone();
|
2021-06-18 11:11:47 -07:00
|
|
|
|
2021-07-02 09:29:50 -07:00
|
|
|
let bool_check = lsb.clone() * one_minus_lsb.clone();
|
2021-06-18 11:11:47 -07:00
|
|
|
|
2021-07-02 09:29:50 -07:00
|
|
|
// `lsb` = 0 => (x_p, y_p) = (x, -y)
|
|
|
|
// `lsb` = 1 => (x_p, y_p) = (0,0)
|
|
|
|
let lsb_x = (lsb.clone() * x_p.clone()) + one_minus_lsb.clone() * (x_p - base_x);
|
|
|
|
let lsb_y = (lsb * y_p.clone()) + one_minus_lsb * (y_p + base_y);
|
2021-06-18 11:11:47 -07:00
|
|
|
|
2021-07-28 18:10:32 -07:00
|
|
|
std::array::IntoIter::new([
|
|
|
|
("bool_check", bool_check),
|
|
|
|
("lsb_x", lsb_x),
|
|
|
|
("lsb_y", lsb_y),
|
|
|
|
])
|
|
|
|
.map(move |(name, poly)| (name, q_mul_lsb.clone() * poly))
|
2021-06-18 11:11:47 -07:00
|
|
|
});
|
|
|
|
|
2021-06-13 06:06:34 -07:00
|
|
|
self.hi_config.create_gate(meta);
|
|
|
|
self.lo_config.create_gate(meta);
|
|
|
|
self.complete_config.create_gate(meta);
|
|
|
|
self.overflow_config.create_gate(meta);
|
2021-06-04 23:17:43 -07:00
|
|
|
}
|
|
|
|
|
2021-06-13 06:06:34 -07:00
|
|
|
pub(super) fn assign(
|
2021-06-04 23:17:43 -07:00
|
|
|
&self,
|
2021-06-13 06:06:34 -07:00
|
|
|
mut layouter: impl Layouter<pallas::Base>,
|
2021-07-09 22:19:42 -07:00
|
|
|
alpha: CellValue<pallas::Base>,
|
2021-09-27 01:49:08 -07:00
|
|
|
base: &NonIdentityEccPoint,
|
2021-07-09 22:19:42 -07:00
|
|
|
) -> Result<(EccPoint, CellValue<pallas::Base>), Error> {
|
2021-06-13 06:06:34 -07:00
|
|
|
let (result, zs): (EccPoint, Vec<Z<pallas::Base>>) = layouter.assign_region(
|
|
|
|
|| "variable-base scalar mul",
|
|
|
|
|mut region| {
|
|
|
|
let offset = 0;
|
2021-09-28 03:05:44 -07:00
|
|
|
|
|
|
|
// Case `base` into an `EccPoint` for later use.
|
|
|
|
let base_point: EccPoint = (*base).into();
|
|
|
|
|
2021-06-13 06:06:34 -07:00
|
|
|
// Decompose `k = alpha + t_q` bitwise (big-endian bit order).
|
|
|
|
let bits = decompose_for_scalar_mul(alpha.value());
|
|
|
|
|
|
|
|
// Define ranges for each part of the algorithm.
|
|
|
|
let bits_incomplete_hi = &bits[INCOMPLETE_HI_RANGE];
|
|
|
|
let bits_incomplete_lo = &bits[INCOMPLETE_LO_RANGE];
|
|
|
|
let lsb = bits[pallas::Scalar::NUM_BITS as usize - 1];
|
|
|
|
|
|
|
|
// Initialize the accumulator `acc = [2]base`
|
2021-09-28 03:05:44 -07:00
|
|
|
let acc =
|
|
|
|
self.add_config
|
|
|
|
.assign_region(&base_point, &base_point, offset, &mut region)?;
|
2021-06-13 06:06:34 -07:00
|
|
|
|
|
|
|
// Increase the offset by 1 after complete addition.
|
|
|
|
let offset = offset + 1;
|
|
|
|
|
|
|
|
// Initialize the running sum for scalar decomposition to zero
|
|
|
|
let z_init = {
|
2021-07-20 01:22:08 -07:00
|
|
|
let z_init_cell = region.assign_advice_from_constant(
|
|
|
|
|| "z_init = 0",
|
|
|
|
self.hi_config.z,
|
2021-06-19 04:08:46 -07:00
|
|
|
offset,
|
2021-07-20 01:22:08 -07:00
|
|
|
pallas::Base::zero(),
|
2021-06-13 06:06:34 -07:00
|
|
|
)?;
|
|
|
|
|
2021-07-20 01:22:08 -07:00
|
|
|
Z(CellValue::new(z_init_cell, Some(pallas::Base::zero())))
|
2021-06-13 06:06:34 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
// Double-and-add (incomplete addition) for the `hi` half of the scalar decomposition
|
|
|
|
let (x_a, y_a, zs_incomplete_hi) = self.hi_config.double_and_add(
|
|
|
|
&mut region,
|
|
|
|
offset,
|
2021-07-03 01:49:15 -07:00
|
|
|
base,
|
2021-06-13 06:06:34 -07:00
|
|
|
bits_incomplete_hi,
|
2021-07-02 01:41:18 -07:00
|
|
|
(X(acc.x), Y(acc.y), z_init),
|
2021-06-13 06:06:34 -07:00
|
|
|
)?;
|
|
|
|
|
|
|
|
// Double-and-add (incomplete addition) for the `lo` half of the scalar decomposition
|
2021-07-02 09:29:50 -07:00
|
|
|
let z = zs_incomplete_hi.last().expect("should not be empty");
|
2021-06-13 06:06:34 -07:00
|
|
|
let (x_a, y_a, zs_incomplete_lo) = self.lo_config.double_and_add(
|
|
|
|
&mut region,
|
|
|
|
offset,
|
2021-07-03 01:49:15 -07:00
|
|
|
base,
|
2021-06-13 06:06:34 -07:00
|
|
|
bits_incomplete_lo,
|
2021-07-02 09:29:50 -07:00
|
|
|
(x_a, y_a, *z),
|
2021-06-13 06:06:34 -07:00
|
|
|
)?;
|
|
|
|
|
|
|
|
// Move from incomplete addition to complete addition.
|
2021-07-03 01:49:15 -07:00
|
|
|
// Inside incomplete::double_and_add, the offset was increased once after initialization
|
2021-06-13 06:06:34 -07:00
|
|
|
// of the running sum.
|
|
|
|
// Then, the final assignment of double-and-add was made on row + offset + 1.
|
|
|
|
// Outside of incomplete addition, we must account for these offset increases by adding
|
|
|
|
// 2 to the incomplete addition length.
|
|
|
|
let offset = offset + INCOMPLETE_LO_RANGE.len() + 2;
|
|
|
|
|
|
|
|
// Complete addition
|
|
|
|
let (acc, zs_complete) = {
|
2021-07-02 09:29:50 -07:00
|
|
|
let z = zs_incomplete_lo.last().expect("should not be empty");
|
2021-06-13 06:06:34 -07:00
|
|
|
// Bits used in complete addition. k_{3} to k_{1} inclusive
|
|
|
|
// The LSB k_{0} is handled separately.
|
|
|
|
let bits_complete = &bits[COMPLETE_RANGE];
|
|
|
|
self.complete_config.assign_region(
|
|
|
|
&mut region,
|
|
|
|
offset,
|
|
|
|
bits_complete,
|
2021-09-28 03:05:44 -07:00
|
|
|
&base_point,
|
2021-06-13 06:06:34 -07:00
|
|
|
x_a,
|
|
|
|
y_a,
|
|
|
|
*z,
|
|
|
|
)?
|
|
|
|
};
|
|
|
|
|
|
|
|
// Each iteration of the complete addition uses two rows.
|
|
|
|
let offset = offset + COMPLETE_RANGE.len() * 2;
|
|
|
|
|
|
|
|
// Process the least significant bit
|
|
|
|
let z_1 = zs_complete.last().unwrap();
|
|
|
|
let (result, z_0) = self.process_lsb(&mut region, offset, base, acc, *z_1, lsb)?;
|
|
|
|
|
|
|
|
#[cfg(test)]
|
|
|
|
// Check that the correct multiple is obtained.
|
|
|
|
{
|
|
|
|
use group::Curve;
|
|
|
|
|
|
|
|
let base = base.point();
|
|
|
|
let alpha = alpha
|
|
|
|
.value()
|
|
|
|
.map(|alpha| pallas::Scalar::from_bytes(&alpha.to_bytes()).unwrap());
|
|
|
|
let real_mul = base.zip(alpha).map(|(base, alpha)| base * alpha);
|
|
|
|
let result = result.point();
|
|
|
|
|
|
|
|
if let (Some(real_mul), Some(result)) = (real_mul, result) {
|
|
|
|
assert_eq!(real_mul.to_affine(), result);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
let zs = {
|
2021-07-03 01:49:15 -07:00
|
|
|
let mut zs = std::iter::empty()
|
|
|
|
.chain(Some(z_init))
|
|
|
|
.chain(zs_incomplete_hi.into_iter())
|
|
|
|
.chain(zs_incomplete_lo.into_iter())
|
|
|
|
.chain(zs_complete.into_iter())
|
|
|
|
.chain(Some(z_0))
|
|
|
|
.collect::<Vec<_>>();
|
2021-06-13 06:06:34 -07:00
|
|
|
assert_eq!(zs.len(), pallas::Scalar::NUM_BITS as usize + 1);
|
|
|
|
|
|
|
|
// This reverses zs to give us [z_0, z_1, ..., z_{254}, z_{255}].
|
|
|
|
zs.reverse();
|
|
|
|
zs
|
|
|
|
};
|
|
|
|
|
|
|
|
Ok((result, zs))
|
|
|
|
},
|
2021-06-04 23:17:43 -07:00
|
|
|
)?;
|
|
|
|
|
2021-06-13 06:06:34 -07:00
|
|
|
self.overflow_config
|
|
|
|
.overflow_check(layouter.namespace(|| "overflow check"), alpha, &zs)?;
|
2021-06-04 23:17:43 -07:00
|
|
|
|
2021-07-09 22:19:42 -07:00
|
|
|
Ok((result, alpha))
|
2021-06-04 23:17:43 -07:00
|
|
|
}
|
|
|
|
|
2021-07-02 09:29:50 -07:00
|
|
|
/// Processes the final scalar bit `k_0`.
|
|
|
|
///
|
|
|
|
/// Assumptions for this sub-region:
|
|
|
|
/// - `acc_x` and `acc_y` are assigned in row `offset` by the previous complete
|
|
|
|
/// addition. They will be copied into themselves.
|
|
|
|
/// - `z_1 is assigned in row `offset` by the mul::complete region assignment. We only
|
|
|
|
/// use its value here.
|
|
|
|
///
|
|
|
|
/// `x_p` and `y_p` are assigned here, and then copied into themselves by the complete
|
|
|
|
/// addition subregion.
|
|
|
|
///
|
|
|
|
/// ```text
|
2021-07-29 06:54:36 -07:00
|
|
|
/// | x_p | y_p | acc_x | acc_y | complete addition | z_1 | q_mul_lsb = 1
|
|
|
|
/// |base_x|base_y| res_x | res_y | | | | | | z_0 |
|
2021-07-02 09:29:50 -07:00
|
|
|
/// ```
|
2021-06-04 23:17:43 -07:00
|
|
|
fn process_lsb(
|
|
|
|
&self,
|
|
|
|
region: &mut Region<'_, pallas::Base>,
|
|
|
|
offset: usize,
|
2021-09-27 01:49:08 -07:00
|
|
|
base: &NonIdentityEccPoint,
|
2021-06-04 23:17:43 -07:00
|
|
|
acc: EccPoint,
|
2021-06-13 06:06:34 -07:00
|
|
|
z_1: Z<pallas::Base>,
|
2021-06-04 23:17:43 -07:00
|
|
|
lsb: Option<bool>,
|
|
|
|
) -> Result<(EccPoint, Z<pallas::Base>), Error> {
|
2021-06-18 11:11:47 -07:00
|
|
|
// Enforce switching logic on LSB using a custom gate
|
2021-07-29 06:54:36 -07:00
|
|
|
self.q_mul_lsb.enable(region, offset)?;
|
2021-06-18 11:11:47 -07:00
|
|
|
|
2021-07-02 09:29:50 -07:00
|
|
|
// z_1 has been assigned at (z_complete, offset).
|
2021-06-13 06:06:34 -07:00
|
|
|
// Assign z_0 = 2⋅z_1 + k_0
|
|
|
|
let z_0 = {
|
|
|
|
let z_0_val = z_1.value().zip(lsb).map(|(z_1, lsb)| {
|
|
|
|
let lsb = pallas::Base::from_u64(lsb as u64);
|
|
|
|
z_1 * pallas::Base::from_u64(2) + lsb
|
2021-06-04 23:17:43 -07:00
|
|
|
});
|
2021-06-13 06:06:34 -07:00
|
|
|
let z_0_cell = region.assign_advice(
|
|
|
|
|| "z_0",
|
|
|
|
self.complete_config.z_complete,
|
2021-07-02 09:29:50 -07:00
|
|
|
offset + 1,
|
2021-06-13 06:06:34 -07:00
|
|
|
|| z_0_val.ok_or(Error::SynthesisError),
|
2021-06-04 23:17:43 -07:00
|
|
|
)?;
|
|
|
|
|
2021-06-13 06:06:34 -07:00
|
|
|
Z(CellValue::new(z_0_cell, z_0_val))
|
|
|
|
};
|
2021-06-04 23:17:43 -07:00
|
|
|
|
2021-07-02 09:29:50 -07:00
|
|
|
// Copy in `base_x`, `base_y` to use in the LSB gate
|
2021-06-18 11:11:47 -07:00
|
|
|
copy(
|
|
|
|
region,
|
2021-07-02 09:29:50 -07:00
|
|
|
|| "copy base_x",
|
2021-06-18 11:11:47 -07:00
|
|
|
self.add_config.x_p,
|
2021-07-02 09:29:50 -07:00
|
|
|
offset + 1,
|
2021-06-18 11:11:47 -07:00
|
|
|
&base.x(),
|
|
|
|
)?;
|
|
|
|
copy(
|
|
|
|
region,
|
2021-07-02 09:29:50 -07:00
|
|
|
|| "copy base_y",
|
2021-06-18 11:11:47 -07:00
|
|
|
self.add_config.y_p,
|
2021-07-02 09:29:50 -07:00
|
|
|
offset + 1,
|
2021-06-18 11:11:47 -07:00
|
|
|
&base.y(),
|
|
|
|
)?;
|
|
|
|
|
2021-06-04 23:17:43 -07:00
|
|
|
// If `lsb` is 0, return `Acc + (-P)`. If `lsb` is 1, simply return `Acc + 0`.
|
2021-06-18 11:11:47 -07:00
|
|
|
let x = if let Some(lsb) = lsb {
|
2021-06-04 23:17:43 -07:00
|
|
|
if !lsb {
|
|
|
|
base.x.value()
|
|
|
|
} else {
|
|
|
|
Some(pallas::Base::zero())
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
None
|
|
|
|
};
|
2021-06-18 11:11:47 -07:00
|
|
|
|
|
|
|
let y = if let Some(lsb) = lsb {
|
2021-06-04 23:17:43 -07:00
|
|
|
if !lsb {
|
|
|
|
base.y.value().map(|y_p| -y_p)
|
|
|
|
} else {
|
|
|
|
Some(pallas::Base::zero())
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
None
|
|
|
|
};
|
|
|
|
|
2021-06-18 11:11:47 -07:00
|
|
|
let x_cell = region.assign_advice(
|
|
|
|
|| "x",
|
2021-07-02 09:29:50 -07:00
|
|
|
self.add_config.x_p,
|
2021-06-13 06:06:34 -07:00
|
|
|
offset,
|
2021-06-18 11:11:47 -07:00
|
|
|
|| x.ok_or(Error::SynthesisError),
|
2021-06-04 23:17:43 -07:00
|
|
|
)?;
|
|
|
|
|
2021-06-18 11:11:47 -07:00
|
|
|
let y_cell = region.assign_advice(
|
|
|
|
|| "y",
|
2021-07-02 09:29:50 -07:00
|
|
|
self.add_config.y_p,
|
2021-06-13 06:06:34 -07:00
|
|
|
offset,
|
2021-06-18 11:11:47 -07:00
|
|
|
|| y.ok_or(Error::SynthesisError),
|
2021-06-04 23:17:43 -07:00
|
|
|
)?;
|
|
|
|
|
|
|
|
let p = EccPoint {
|
2021-06-18 11:11:47 -07:00
|
|
|
x: CellValue::<pallas::Base>::new(x_cell, x),
|
|
|
|
y: CellValue::<pallas::Base>::new(y_cell, y),
|
2021-06-04 23:17:43 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
// Return the result of the final complete addition as `[scalar]B`
|
2021-06-13 06:06:34 -07:00
|
|
|
let result = self.add_config.assign_region(&p, &acc, offset, region)?;
|
2021-06-04 23:17:43 -07:00
|
|
|
|
2021-06-13 06:06:34 -07:00
|
|
|
Ok((result, z_0))
|
2021-06-04 23:17:43 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#[derive(Clone, Debug)]
|
|
|
|
// `x`-coordinate of the accumulator.
|
|
|
|
struct X<F: FieldExt>(CellValue<F>);
|
|
|
|
impl<F: FieldExt> Deref for X<F> {
|
|
|
|
type Target = CellValue<F>;
|
|
|
|
|
|
|
|
fn deref(&self) -> &Self::Target {
|
|
|
|
&self.0
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#[derive(Copy, Clone, Debug)]
|
|
|
|
// `y`-coordinate of the accumulator.
|
2021-07-02 01:41:18 -07:00
|
|
|
struct Y<F: FieldExt>(CellValue<F>);
|
2021-06-04 23:17:43 -07:00
|
|
|
impl<F: FieldExt> Deref for Y<F> {
|
2021-07-02 01:41:18 -07:00
|
|
|
type Target = CellValue<F>;
|
2021-06-04 23:17:43 -07:00
|
|
|
|
|
|
|
fn deref(&self) -> &Self::Target {
|
|
|
|
&self.0
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#[derive(Copy, Clone, Debug)]
|
|
|
|
// Cumulative sum `z` used to decompose the scalar.
|
|
|
|
struct Z<F: FieldExt>(CellValue<F>);
|
|
|
|
impl<F: FieldExt> Deref for Z<F> {
|
|
|
|
type Target = CellValue<F>;
|
|
|
|
|
|
|
|
fn deref(&self) -> &Self::Target {
|
|
|
|
&self.0
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
fn decompose_for_scalar_mul(scalar: Option<pallas::Base>) -> Vec<Option<bool>> {
|
2021-06-13 06:06:34 -07:00
|
|
|
let bitstring = scalar.map(|scalar| {
|
2021-06-04 23:17:43 -07:00
|
|
|
// We use `k = scalar + t_q` in the double-and-add algorithm, where
|
|
|
|
// the scalar field `F_q = 2^254 + t_q`.
|
2021-06-13 06:06:34 -07:00
|
|
|
// Note that the addition `scalar + t_q` is not reduced.
|
|
|
|
//
|
|
|
|
let scalar = U256::from_little_endian(&scalar.to_bytes());
|
|
|
|
let t_q = U256::from_little_endian(&T_Q.to_le_bytes());
|
|
|
|
let k = scalar + t_q;
|
|
|
|
|
|
|
|
// Big-endian bit representation of `k`.
|
|
|
|
let bitstring: Vec<bool> = {
|
|
|
|
let mut le_bytes = [0u8; 32];
|
|
|
|
k.to_little_endian(&mut le_bytes);
|
|
|
|
le_bytes.iter().fold(Vec::new(), |mut bitstring, byte| {
|
|
|
|
let bits = (0..8)
|
|
|
|
.map(|shift| (byte >> shift) % 2 == 1)
|
|
|
|
.collect::<Vec<_>>();
|
|
|
|
bitstring.extend_from_slice(&bits);
|
|
|
|
bitstring
|
|
|
|
})
|
2021-06-04 23:17:43 -07:00
|
|
|
};
|
|
|
|
|
2021-06-13 06:06:34 -07:00
|
|
|
// Take the first 255 bits.
|
|
|
|
let mut bitstring = bitstring[0..pallas::Scalar::NUM_BITS as usize].to_vec();
|
|
|
|
bitstring.reverse();
|
|
|
|
bitstring
|
2021-06-04 23:17:43 -07:00
|
|
|
});
|
|
|
|
|
2021-06-13 06:06:34 -07:00
|
|
|
if let Some(bitstring) = bitstring {
|
|
|
|
bitstring.into_iter().map(Some).collect()
|
2021-06-04 23:17:43 -07:00
|
|
|
} else {
|
|
|
|
vec![None; pallas::Scalar::NUM_BITS as usize]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#[cfg(test)]
|
|
|
|
pub mod tests {
|
2021-07-08 00:17:52 -07:00
|
|
|
use group::Curve;
|
2021-07-09 22:19:42 -07:00
|
|
|
use halo2::{
|
|
|
|
circuit::{Chip, Layouter},
|
|
|
|
plonk::Error,
|
|
|
|
};
|
2021-06-04 23:17:43 -07:00
|
|
|
use pasta_curves::{arithmetic::FieldExt, pallas};
|
|
|
|
|
2021-07-09 22:19:42 -07:00
|
|
|
use crate::circuit::gadget::{
|
2021-09-28 09:39:41 -07:00
|
|
|
ecc::{
|
|
|
|
chip::{EccChip, EccPoint},
|
|
|
|
EccInstructions, NonIdentityPoint, Point,
|
|
|
|
},
|
2021-07-09 22:19:42 -07:00
|
|
|
utilities::UtilitiesInstructions,
|
|
|
|
};
|
2021-06-04 23:17:43 -07:00
|
|
|
|
2021-07-09 22:19:42 -07:00
|
|
|
pub fn test_mul(
|
2021-06-04 23:17:43 -07:00
|
|
|
chip: EccChip,
|
|
|
|
mut layouter: impl Layouter<pallas::Base>,
|
2021-09-27 01:49:08 -07:00
|
|
|
p: &NonIdentityPoint<pallas::Affine, EccChip>,
|
2021-07-08 00:17:52 -07:00
|
|
|
p_val: pallas::Affine,
|
2021-06-04 23:17:43 -07:00
|
|
|
) -> Result<(), Error> {
|
2021-07-09 22:19:42 -07:00
|
|
|
let column = chip.config().advices[0];
|
|
|
|
|
2021-09-27 03:14:01 -07:00
|
|
|
fn constrain_equal_non_id<
|
2021-09-28 09:39:41 -07:00
|
|
|
EccChip: EccInstructions<pallas::Affine, Point = EccPoint> + Clone + Eq + std::fmt::Debug,
|
2021-07-08 00:17:52 -07:00
|
|
|
>(
|
|
|
|
chip: EccChip,
|
|
|
|
mut layouter: impl Layouter<pallas::Base>,
|
|
|
|
base_val: pallas::Affine,
|
|
|
|
scalar_val: pallas::Base,
|
|
|
|
result: Point<pallas::Affine, EccChip>,
|
|
|
|
) -> Result<(), Error> {
|
2021-07-08 19:23:40 -07:00
|
|
|
// Move scalar from base field into scalar field (which always fits
|
|
|
|
// for Pallas).
|
2021-07-08 00:17:52 -07:00
|
|
|
let scalar = pallas::Scalar::from_bytes(&scalar_val.to_bytes()).unwrap();
|
2021-09-27 03:14:01 -07:00
|
|
|
let expected = NonIdentityPoint::new(
|
2021-07-08 00:17:52 -07:00
|
|
|
chip,
|
|
|
|
layouter.namespace(|| "expected point"),
|
|
|
|
Some((base_val * scalar).to_affine()),
|
|
|
|
)?;
|
|
|
|
result.constrain_equal(layouter.namespace(|| "constrain result"), &expected)
|
|
|
|
}
|
|
|
|
|
2021-06-13 06:06:34 -07:00
|
|
|
// [a]B
|
2021-07-08 00:17:52 -07:00
|
|
|
{
|
|
|
|
let scalar_val = pallas::Base::rand();
|
2021-07-09 22:19:42 -07:00
|
|
|
let (result, _) = {
|
|
|
|
let scalar = chip.load_private(
|
2021-07-08 00:17:52 -07:00
|
|
|
layouter.namespace(|| "random scalar"),
|
2021-07-09 22:19:42 -07:00
|
|
|
column,
|
2021-07-08 00:17:52 -07:00
|
|
|
Some(scalar_val),
|
|
|
|
)?;
|
|
|
|
p.mul(layouter.namespace(|| "random [a]B"), &scalar)?
|
|
|
|
};
|
2021-09-27 03:14:01 -07:00
|
|
|
constrain_equal_non_id(
|
2021-07-08 00:17:52 -07:00
|
|
|
chip.clone(),
|
|
|
|
layouter.namespace(|| "random [a]B"),
|
|
|
|
p_val,
|
|
|
|
scalar_val,
|
|
|
|
result,
|
|
|
|
)?;
|
|
|
|
}
|
2021-06-04 23:17:43 -07:00
|
|
|
|
|
|
|
// [0]B should return (0,0) since variable-base scalar multiplication
|
|
|
|
// uses complete addition for the final bits of the scalar.
|
2021-07-08 00:17:52 -07:00
|
|
|
{
|
|
|
|
let scalar_val = pallas::Base::zero();
|
2021-07-09 22:19:42 -07:00
|
|
|
let (result, _) = {
|
|
|
|
let scalar =
|
|
|
|
chip.load_private(layouter.namespace(|| "zero"), column, Some(scalar_val))?;
|
2021-07-08 00:17:52 -07:00
|
|
|
p.mul(layouter.namespace(|| "[0]B"), &scalar)?
|
|
|
|
};
|
2021-09-28 09:39:41 -07:00
|
|
|
assert!(result.inner().is_identity().unwrap());
|
2021-07-08 00:17:52 -07:00
|
|
|
}
|
2021-06-13 06:06:34 -07:00
|
|
|
|
|
|
|
// [-1]B (the largest possible base field element)
|
2021-07-08 00:17:52 -07:00
|
|
|
{
|
|
|
|
let scalar_val = -pallas::Base::one();
|
2021-07-09 22:19:42 -07:00
|
|
|
let (result, _) = {
|
2021-07-08 00:17:52 -07:00
|
|
|
let scalar =
|
2021-07-09 22:19:42 -07:00
|
|
|
chip.load_private(layouter.namespace(|| "-1"), column, Some(scalar_val))?;
|
2021-07-08 00:17:52 -07:00
|
|
|
p.mul(layouter.namespace(|| "[-1]B"), &scalar)?
|
|
|
|
};
|
2021-09-27 03:14:01 -07:00
|
|
|
constrain_equal_non_id(
|
2021-07-08 00:17:52 -07:00
|
|
|
chip,
|
|
|
|
layouter.namespace(|| "[-1]B"),
|
|
|
|
p_val,
|
|
|
|
scalar_val,
|
|
|
|
result,
|
|
|
|
)?;
|
|
|
|
}
|
2021-06-04 23:17:43 -07:00
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
}
|