From 90474995a7fd91fb160e1950acf91c026244e7c6 Mon Sep 17 00:00:00 2001
From: therealyingtong
Date: Sat, 17 Jul 2021 00:44:56 +0800
Subject: [PATCH] Add mul_short::tests cases and address review comments.

Co-authored-by: Daira Hopwood
---
 src/circuit/gadget/ecc.rs | 3 +-
 .../gadget/ecc/chip/mul_fixed/short.rs | 80 +++++++++++++------
 .../gadget/utilities/decompose_running_sum.rs | 41 +++++-----
 3 files changed, 81 insertions(+), 43 deletions(-)

diff --git a/src/circuit/gadget/ecc.rs b/src/circuit/gadget/ecc.rs
index 3fb3a92f..46237feb 100644
--- a/src/circuit/gadget/ecc.rs
+++ b/src/circuit/gadget/ecc.rs
@@ -100,7 +100,8 @@ pub trait EccInstructions: Chip + UtilitiesInstructions
 base: &Self::FixedPoints,
 ) -> Result<(Self::Point, Self::ScalarFixed), Error>;
 
- /// Performs fixed-base scalar multiplication using a short signed scalar, returning `[scalar] base`.
+ /// Performs fixed-base scalar multiplication using a short signed scalar, returning
+ /// `[magnitude * sign] base`.
 fn mul_fixed_short(
 &self,
 layouter: &mut impl Layouter,
diff --git a/src/circuit/gadget/ecc/chip/mul_fixed/short.rs b/src/circuit/gadget/ecc/chip/mul_fixed/short.rs
index 9f182008..5ebebe01 100644
--- a/src/circuit/gadget/ecc/chip/mul_fixed/short.rs
+++ b/src/circuit/gadget/ecc/chip/mul_fixed/short.rs
@@ -163,7 +163,9 @@ impl Config {
 &self.super_config.perm,
 )?;
 
- // Copy last window to `u` column
+ // Copy last window to `u` column.
+ // (Although the last window is not a `u` value; we are copying it into the `u`
+ // column because there is an available cell there.)
 let z_21 = scalar.running_sum[20];
 copy(
 &mut region,
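Review bot: The new comment in the -163 hunk explains why the `u` cell is free but not why z_21 has to be copied at all; from the test in this same patch it looks like the copy is what the short-mul gate's `last_window_check` constraint reads, and the comment should say so to prevent a reader from treating the copy as incidental, e.g. `// z_21 (the last window) is copied out so the short-mul gate's last_window_check can constrain it; the \`u\` column is used only because that cell is free.` The literal index in `scalar.running_sum[20]` is also worth deriving from the window-count constant this patch uses elsewhere (`NUM_WINDOWS_SHORT`), if that is the intended relationship, so the `z_21` name and the index cannot silently drift apart. The enclosing function starts and ends outside the hunk.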
@@ -459,30 +461,60 @@ pub mod tests {
 
 // Magnitude larger than 64 bits should fail
 {
- let circuit = MyCircuit {
- magnitude: Some(pallas::Base::from_u128(1 << 64)),
- sign: Some(pallas::Base::one()),
- };
+ let circuits = [
+ // 2^64
+ MyCircuit {
+ magnitude: Some(pallas::Base::from_u128(1 << 64)),
+ sign: Some(pallas::Base::one()),
+ },
+ // -2^64
+ MyCircuit {
+ magnitude: Some(pallas::Base::from_u128(1 << 64)),
+ sign: Some(-pallas::Base::one()),
+ },
+ // 2^66
+ MyCircuit {
+ magnitude: Some(pallas::Base::from_u128(1 << 66)),
+ sign: Some(pallas::Base::one()),
+ },
+ // -2^66
+ MyCircuit {
+ magnitude: Some(pallas::Base::from_u128(1 << 66)),
+ sign: Some(-pallas::Base::one()),
+ },
+ // 2^254
+ MyCircuit {
+ magnitude: Some(pallas::Base::from_u128(1 << 127).square()),
+ sign: Some(pallas::Base::one()),
+ },
+ // -2^254
+ MyCircuit {
+ magnitude: Some(pallas::Base::from_u128(1 << 127).square()),
+ sign: Some(-pallas::Base::one()),
+ },
+ ];
 
- let prover = MockProver::::run(11, &circuit, vec![]).unwrap();
- assert_eq!(
- prover.verify(),
- Err(vec![
- VerifyFailure::Constraint {
- constraint: ((4, "final z = 0").into(), 0, "").into(),
- row: 24
- },
- VerifyFailure::Constraint {
- constraint: (
- (15, "Short fixed-base mul gate").into(),
- 0,
- "last_window_check"
- )
- .into(),
- row: 26
- }
- ])
- );
+ for circuit in circuits.iter() {
+ let prover = MockProver::::run(11, circuit, vec![]).unwrap();
+ assert_eq!(
+ prover.verify(),
+ Err(vec![
+ VerifyFailure::Constraint {
+ constraint: ((4, "final z = 0").into(), 0, "").into(),
+ row: 24
+ },
+ VerifyFailure::Constraint {
+ constraint: (
+ (15, "Short fixed-base mul gate").into(),
+ 0,
+ "last_window_check"
+ )
+ .into(),
+ row: 26
+ }
+ ])
+ );
+ }
 }
 
 // Sign that is not +/- 1 should fail
diff --git a/src/circuit/gadget/utilities/decompose_running_sum.rs b/src/circuit/gadget/utilities/decompose_running_sum.rs
index 717a3aa0..6aff4f11 100644
--- a/src/circuit/gadget/utilities/decompose_running_sum.rs
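Review bot: The loop in the -459 hunk pins all six out-of-range circuits to the same two failures (rows 24 and 26) but gives no indication of which element tripped when the assertion fails, so a regression in, say, the 2^254 case is indistinguishable from one in the 2^64 case; iterating with `for (i, circuit) in circuits.iter().enumerate() {` and adding `"circuit {}", i` as the trailing message argument of the `assert_eq!` makes the failing case immediately attributable. All the magnitudes here are exact powers of two; unless the boundary is already covered elsewhere in `tests`, a passing case at 2^64 - 1 with each sign would pin the accepted range from the other side as well. Minor style: `for circuit in &circuits` is the idiomatic form of `circuits.iter()`. The enclosing test function starts and ends outside the hunk.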
+++ b/src/circuit/gadget/utilities/decompose_running_sum.rs
@@ -308,6 +308,29 @@ mod tests {
 };
 let prover = MockProver::::run(8, &circuit, vec![]).unwrap();
 assert_eq!(prover.verify(), Ok(()));
+ }
+
+ // Random 64-bit word
+ {
+ let alpha = pallas::Base::from_u64(rand::random());
+
+ // Strict full decomposition should pass.
+ let circuit: MyCircuit<
+ pallas::Base,
+ L_VALUE,
+ FIXED_BASE_WINDOW_SIZE,
+ NUM_WINDOWS_SHORT,
+ > = MyCircuit {
+ alpha: Some(alpha),
+ strict: true,
+ };
+ let prover = MockProver::::run(8, &circuit, vec![]).unwrap();
+ assert_eq!(prover.verify(), Ok(()));
+ }
+
+ // 2^64
+ {
+ let alpha = pallas::Base::from_u128(1 << 64);
 
 // Strict partial decomposition should fail.
 let circuit: MyCircuit<
@@ -347,23 +370,5 @@ mod tests {
 let prover = MockProver::::run(8, &circuit, vec![]).unwrap();
 assert_eq!(prover.verify(), Ok(()));
 }
-
- // Random 64-bit word
- {
- let alpha = pallas::Base::from_u64(rand::random());
-
- // Strict full decomposition should pass.
- let circuit: MyCircuit<
- pallas::Base,
- L_VALUE,
- FIXED_BASE_WINDOW_SIZE,
- NUM_WINDOWS_SHORT,
- > = MyCircuit {
- alpha: Some(alpha),
- strict: true,
- };
- let prover = MockProver::::run(8, &circuit, vec![]).unwrap();
- assert_eq!(prover.verify(), Ok(()));
- }
 }
 }
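Review bot: The "Random 64-bit word" case moved in the -308 hunk draws `alpha` from `rand::random()` but never records the sampled value, so if `assert_eq!(prover.verify(), Ok(()))` in that block ever fails, the offending decomposition input cannot be recovered from the test output and the failure is not reproducible; passing the value as the assertion message, `assert_eq!(prover.verify(), Ok(()), "alpha = {:?}", alpha);`, fixes that (assuming the field type implements `Debug`, as the other assertions on `prover.verify()` already rely on). The -347 hunk is the removal half of the same move and needs nothing further. The enclosing test function starts before the -308 hunk and its closing braces are in the -347 hunk.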