From 2198675f9d2930c2b9b20e82e8289830d4e62378 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Thu, 29 Jul 2021 14:55:55 +0100 Subject: [PATCH] circuit: Rotate `q_commit_ivk` selector up by one row This ensures the Commit^ivk gate only queries `cur` and `next` rows. --- src/circuit/gadget/sinsemilla/commit_ivk.rs | 46 ++++++++++----------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/src/circuit/gadget/sinsemilla/commit_ivk.rs b/src/circuit/gadget/sinsemilla/commit_ivk.rs index 0f0fb74c..476691e9 100644 --- a/src/circuit/gadget/sinsemilla/commit_ivk.rs +++ b/src/circuit/gadget/sinsemilla/commit_ivk.rs @@ -59,8 +59,8 @@ impl CommitIvkConfig { | A_0 | A_1 | A_2 | A_3 | A_4 | A_5 | A_6 | A_7 | A_8 | q_commit_ivk | ----------------------------------------------------------------------------------------------------- - | ak | a | b | b_0 | b_1 | b_2 | z13_a | a_prime | z13_a_prime | 0 | - | nk | c | d | d_0 | d_1 | | z13_c | b2_c_prime| z14_b2_c_prime | 1 | + | ak | a | b | b_0 | b_1 | b_2 | z13_a | a_prime | z13_a_prime | 1 | + | nk | c | d | d_0 | d_1 | | z13_c | b2_c_prime| z14_b2_c_prime | 0 | */ meta.create_gate("CommitIvk canonicity check", |meta| { @@ -73,27 +73,27 @@ impl CommitIvkConfig { let two_pow_250 = pallas::Base::from_u128(1 << 125).square(); let two_pow_254 = two_pow_250 * two_pow_4; - let ak = meta.query_advice(config.advices[0], Rotation::prev()); - let nk = meta.query_advice(config.advices[0], Rotation::cur()); + let ak = meta.query_advice(config.advices[0], Rotation::cur()); + let nk = meta.query_advice(config.advices[0], Rotation::next()); // `a` is constrained by the Sinsemilla hash to be 250 bits. - let a = meta.query_advice(config.advices[1], Rotation::prev()); + let a = meta.query_advice(config.advices[1], Rotation::cur()); // `b` is constrained by the Sinsemilla hash to be 10 bits. - let b_whole = meta.query_advice(config.advices[2], Rotation::prev()); + let b_whole = meta.query_advice(config.advices[2], Rotation::cur()); // `c` is constrained by the Sinsemilla hash to be 240 bits. - let c = meta.query_advice(config.advices[1], Rotation::cur()); + let c = meta.query_advice(config.advices[1], Rotation::next()); // `d` is constrained by the Sinsemilla hash to be 10 bits. - let d_whole = meta.query_advice(config.advices[2], Rotation::cur()); + let d_whole = meta.query_advice(config.advices[2], Rotation::next()); // b = b_0||b_1||b_2` // = (bits 250..=253 of `ak`) || (bit 254 of `ak`) || (bits 0..=4 of `nk`) // // b_0 has been constrained outside this gate to be a four-bit value. - let b_0 = meta.query_advice(config.advices[3], Rotation::prev()); + let b_0 = meta.query_advice(config.advices[3], Rotation::cur()); // This gate constrains b_1 to be a one-bit value. - let b_1 = meta.query_advice(config.advices[4], Rotation::prev()); + let b_1 = meta.query_advice(config.advices[4], Rotation::cur()); // b_2 has been constrained outside this gate to be a five-bit value. - let b_2 = meta.query_advice(config.advices[5], Rotation::prev()); + let b_2 = meta.query_advice(config.advices[5], Rotation::cur()); // Check that b_whole is consistent with the witnessed subpieces. let b_decomposition_check = b_whole - (b_0.clone() + b_1.clone() * two_pow_4 + b_2.clone() * two_pow_5); @@ -101,9 +101,9 @@ impl CommitIvkConfig { // d = d_0||d_1` = (bits 245..=253 of `nk`) || (bit 254 of `nk`) // // d_0 has been constrained outside this gate to be a nine-bit value. - let d_0 = meta.query_advice(config.advices[3], Rotation::cur()); + let d_0 = meta.query_advice(config.advices[3], Rotation::next()); // This gate constrains d_1 to be a one-bit value. - let d_1 = meta.query_advice(config.advices[4], Rotation::cur()); + let d_1 = meta.query_advice(config.advices[4], Rotation::next()); // Check that d_whole is consistent with the witnessed subpieces. let d_decomposition_check = d_whole - (d_0.clone() + d_1.clone() * two_pow_9); @@ -137,14 +137,14 @@ impl CommitIvkConfig { // z13_a is the 13th running sum output by the 10-bit Sinsemilla decomposition of `a`. // b_1 = 1 => z13_a = 0 let z13_a_check = { - let z13_a = meta.query_advice(config.advices[6], Rotation::prev()); + let z13_a = meta.query_advice(config.advices[6], Rotation::cur()); b_1.clone() * z13_a }; // Check that a_prime = a + 2^130 - t_P. // This is checked regardless of the value of b_1. let a_prime_check = { - let a_prime = meta.query_advice(config.advices[7], Rotation::prev()); + let a_prime = meta.query_advice(config.advices[7], Rotation::cur()); let two_pow_130 = Expression::Constant(pallas::Base::from_u128(1 << 65).square()); let t_p = Expression::Constant(pallas::Base::from_u128(T_P)); @@ -154,7 +154,7 @@ impl CommitIvkConfig { // Check that the running sum output by the 130-bit little-endian decomposition of // `a_prime` is zero. let z13_a_prime = { - let z13_a_prime = meta.query_advice(config.advices[8], Rotation::prev()); + let z13_a_prime = meta.query_advice(config.advices[8], Rotation::cur()); b_1 * z13_a_prime }; @@ -174,7 +174,7 @@ impl CommitIvkConfig { // d_1 = 1 => z13_c = 0, where z13_c is the 13th running sum // output by the 10-bit Sinsemilla decomposition of `c`. let z13_c_check = { - let z13_c = meta.query_advice(config.advices[6], Rotation::cur()); + let z13_c = meta.query_advice(config.advices[6], Rotation::next()); d_1.clone() * z13_c }; @@ -185,14 +185,14 @@ impl CommitIvkConfig { let two_pow_140 = Expression::Constant(pallas::Base::from_u128(1 << 70).square()); let t_p = Expression::Constant(pallas::Base::from_u128(T_P)); - let b2_c_prime = meta.query_advice(config.advices[7], Rotation::cur()); + let b2_c_prime = meta.query_advice(config.advices[7], Rotation::next()); b_2 + c * two_pow_5 + two_pow_140 - t_p - b2_c_prime }; // Check that the running sum output by the 140-bit little- // endian decomposition of b2_c_prime is zero. let z14_b2_c_prime = { - let z14_b2_c_prime = meta.query_advice(config.advices[8], Rotation::cur()); + let z14_b2_c_prime = meta.query_advice(config.advices[8], Rotation::next()); d_1 * z14_b2_c_prime }; @@ -455,8 +455,8 @@ impl CommitIvkConfig { | A_0 | A_1 | A_2 | A_3 | A_4 | A_5 | A_6 | A_7 | A_8 | q_commit_ivk | ----------------------------------------------------------------------------------------------------- - | ak | a | b | b_0 | b_1 | b_2 | z13_a | a_prime | z13_a_prime | 0 | - | nk | c | d | d_0 | d_1 | | z13_c | b2_c_prime| z14_b2_c_prime | 1 | + | ak | a | b | b_0 | b_1 | b_2 | z13_a | a_prime | z13_a_prime | 1 | + | nk | c | d | d_0 | d_1 | | z13_c | b2_c_prime| z14_b2_c_prime | 0 | */ fn assign_gate( @@ -467,8 +467,8 @@ impl CommitIvkConfig { layouter.assign_region( || "Assign cells used in canonicity gate", |mut region| { - // Enable selector on offset 1 - self.q_commit_ivk.enable(&mut region, 1)?; + // Enable selector on offset 0 + self.q_commit_ivk.enable(&mut region, 0)?; // Offset 0 {