diff --git a/src/circuit/gadget/sinsemilla/merkle/chip.rs b/src/circuit/gadget/sinsemilla/merkle/chip.rs index 7712a0c5..612936e2 100644 --- a/src/circuit/gadget/sinsemilla/merkle/chip.rs +++ b/src/circuit/gadget/sinsemilla/merkle/chip.rs @@ -1,6 +1,6 @@ use halo2::{ circuit::{Chip, Layouter}, - plonk::{Advice, Column, ConstraintSystem, Error, Expression, Selector}, + plonk::{Advice, Column, ConstraintSystem, Error, Selector}, poly::Rotation, }; use pasta_curves::{arithmetic::FieldExt, pallas}; @@ -63,7 +63,7 @@ impl MerkleChip { // Check that pieces have been decomposed correctly for Sinsemilla hash. // // - // a = a_0||a_1 = l_star || (bits 0..=239 of left) + // a = a_0||a_1 = l || (bits 0..=239 of left) // b = b_0||b_1||b_2 // = (bits 240..=249 of left) || (bits 250..=254 of left) || (bits 0..=4 of right) // c = bits 5..=254 of right @@ -76,11 +76,11 @@ impl MerkleChip { | A_0 | A_1 | A_2 | A_3 | A_4 | q_decompose | ------------------------------------------------------- | a | b | c | left | right | 1 | - | z1_a | z1_b | b_1 | b_2 | l + 1 | | + | z1_a | z1_b | b_1 | b_2 | l | | */ meta.create_gate("Decomposition check", |meta| { let q_decompose = meta.query_selector(q_decompose); - let l_plus_1_whole = meta.query_advice(advices[4], Rotation::next()); + let l_whole = meta.query_advice(advices[4], Rotation::next()); let two_pow_5 = pallas::Base::from_u64(1 << 5); let two_pow_10 = two_pow_5.square(); 
@@ -94,16 +94,15 @@ impl MerkleChip { let left_node = meta.query_advice(advices[3], Rotation::cur()); let right_node = meta.query_advice(advices[4], Rotation::cur()); - // a = a_0||a_1 = l_star || (bits 0..=239 of left) - // Check that a_0 = l_star + // a = a_0||a_1 = l || (bits 0..=239 of left) + // Check that a_0 = l // // z_1 of SinsemillaHash(a) = a_1 let z1_a = meta.query_advice(advices[0], Rotation::next()); let a_1 = z1_a; // a_0 = a - (a_1 * 2^10) let a_0 = a_whole - a_1.clone() * pallas::Base::from_u64(1 << 10); - let l_star_check = - a_0 - (l_plus_1_whole.clone() - Expression::Constant(pallas::Base::one())); + let l_check = a_0 - l_whole; // b = b_0||b_1||b_2 // = (bits 240..=249 of left) || (bits 250..=254 of left) || (bits 0..=4 of right) @@ -137,7 +136,7 @@ impl MerkleChip { let right_check = b_2 + c_whole * two_pow_5 - right_node; array::IntoIter::new([ - ("l_star_check", l_star_check), + ("l_check", l_check), ("left_check", left_check), ("right_check", right_check), ("b1_b2_check", b1_b2_check), @@ -174,18 +173,18 @@ impl MerkleInstructions - // We need to hash `l_star || left || right`, where `l_star` is a 10-bit value. + // We need to hash `l || left || right`, where `l` is a 10-bit value. // We allow `left` and `right` to be non-canonical 255-bit encodings. // - // a = a_0||a_1 = l_star || (bits 0..=239 of left) + // a = a_0||a_1 = l || (bits 0..=239 of left) // b = b_0||b_1||b_2 // = (bits 240..=249 of left) || (bits 250..=254 of left) || (bits 0..=4 of right) // c = bits 5..=254 of right - // `a = a_0||a_1` = `l_star` || (bits 0..=239 of `left`) + // `a = a_0||a_1` = `l` || (bits 0..=239 of `left`) let a = { let a = { - // a_0 = l_star + // a_0 = l let a_0 = bitrange_subset(pallas::Base::from_u64(l as u64), 0..10); // a_1 = (bits 0..=239 of `left`) @@ -269,22 +268,21 @@ impl MerkleInstructions(l as u64); + let l = i2lebsp::<10>(l as u64); let left: Vec<_> = left .to_le_bits() .iter() @@ -359,7 +357,7 @@ impl MerkleInstructions
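Review bot: `let l_check = a_0 - l_whole;` changes what the second-row cell in `advices[4]` must hold — the witness must now be `l` itself, whereas the old gate expected `l + 1` and subtracted one in-circuit — and the hunk at `@@ -269,22 +268,21 @@` that writes that cell is not legible in this view, so confirm the assignment side was updated in the same commit or every `l_check` constraint will fail. Separately, this gate only binds the 10-bit prefix `a_0` to whatever value sits in that advice cell; unless that cell is pinned to the layer index elsewhere (for instance assigned from a constant or copy-constrained to a fixed column), the equality says nothing about the real layer, which is the soundness property this check exists for. I would record that dependency next to the query, e.g. `// l_whole must be bound to the layer index by the assignment code; this gate alone does not fix its value`. The `create_gate` closure and its enclosing function start before this hunk.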
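Review bot: The reworded comment in the hunk at `@@ -174,18 +173,18 @@` states that `l` is a 10-bit value, but the unchanged line `let a_0 = bitrange_subset(pallas::Base::from_u64(l as u64), 0..10);` directly below would silently drop any higher bits of a larger `l`, so the documented assumption is not enforced anywhere visible here. A precondition check before the decomposition, `debug_assert!(l < (1 << 10), "layer index must fit in 10 bits");`, makes the mismatch fail loudly on the prover side instead of producing an unsatisfiable witness. The enclosing function starts before and continues past this hunk.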