zec
/
orchard
mirror of https://github.com/zcash/orchard.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

gadget::sinsemilla: Move Orchard-specific inputs into parent folder. 

The sinsemilla submodules note_commit and commit_ivk are tailored
for input lengths specific to Orchard. They have been moved out of
the gadget folder and into the parent circuit folder.
This commit is contained in:
therealyingtong 2021-08-18 12:55:23 +08:00
parent c61524ea29
commit 951dd0a108
7 changed files with 69 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/circuit.rs
View File

@ -46,12 +46,10 @@ use gadget::{
},
sinsemilla::{
chip::{SinsemillaChip, SinsemillaConfig, SinsemillaHashDomains},
commit_ivk::CommitIvkConfig,
merkle::{
chip::{MerkleChip, MerkleConfig},
MerklePath,
},
note_commit::NoteCommitConfig,
},
utilities::{copy, CellValue, UtilitiesInstructions, Var},
};
@ -60,7 +58,11 @@ use std::convert::TryInto;
use self::gadget::utilities::lookup_range_check::LookupRangeCheckConfig;
mod commit_ivk;
pub(crate) mod gadget;
mod note_commit;
use commit_ivk::CommitIvkConfig;
use note_commit::NoteCommitConfig;
/// Size of the Orchard circuit.
const K: u32 = 11;

19
src/circuit/gadget/sinsemilla/commit_ivk.rs → src/circuit/commit_ivk.rs
View File

@ -8,16 +8,15 @@ use pasta_curves::{arithmetic::FieldExt, pallas};
use crate::{
circuit::gadget::{
ecc::{chip::EccChip, X},
sinsemilla::{
chip::{SinsemillaChip, SinsemillaCommitDomains, SinsemillaConfig},
CommitDomain, Message, MessagePiece,
},
utilities::{bitrange_subset, bool_check, copy, CellValue, Var},
},
constants::T_P,
};
use super::{
chip::{SinsemillaChip, SinsemillaCommitDomains, SinsemillaConfig},
CommitDomain, Message, MessagePiece,
};
#[derive(Clone, Debug)]
pub struct CommitIvkConfig {
q_commit_ivk: Selector,
@ -263,13 +262,13 @@ impl CommitIvkConfig {
});
// Constrain b_0 to be 4 bits.
let b_0 = self.sinsemilla_config.lookup_config.witness_short_check(
let b_0 = self.sinsemilla_config.lookup_config().witness_short_check(
layouter.namespace(|| "b_0 is 4 bits"),
b_0,
4,
)?;
// Constrain b_2 to be 5 bits.
let b_2 = self.sinsemilla_config.lookup_config.witness_short_check(
let b_2 = self.sinsemilla_config.lookup_config().witness_short_check(
layouter.namespace(|| "b_2 is 5 bits"),
b_2,
5,
@ -307,7 +306,7 @@ impl CommitIvkConfig {
.map(|(d_0, d_1)| d_0 + d_1 * pallas::Base::from_u64(1 << 9));
// Constrain d_0 to be 9 bits.
let d_0 = self.sinsemilla_config.lookup_config.witness_short_check(
let d_0 = self.sinsemilla_config.lookup_config().witness_short_check(
layouter.namespace(|| "d_0 is 9 bits"),
d_0,
9,
@ -400,7 +399,7 @@ impl CommitIvkConfig {
let t_p = pallas::Base::from_u128(T_P);
a + two_pow_130 - t_p
});
let zs = self.sinsemilla_config.lookup_config.witness_check(
let zs = self.sinsemilla_config.lookup_config().witness_check(
layouter.namespace(|| "Decompose low 130 bits of (a + 2^130 - t_P)"),
a_prime,
13,
@ -437,7 +436,7 @@ impl CommitIvkConfig {
let t_p = pallas::Base::from_u128(T_P);
b_2 + c * two_pow_5 + two_pow_140 - t_p
});
let zs = self.sinsemilla_config.lookup_config.witness_check(
let zs = self.sinsemilla_config.lookup_config().witness_check(
layouter.namespace(|| "Decompose low 140 bits of (b_2 + c * 2^5 + 2^140 - t_P)"),
b2_c_prime,
14,

14
src/circuit/gadget/sinsemilla.rs
View File

@ -9,10 +9,8 @@ use pasta_curves::arithmetic::{CurveAffine, FieldExt};
use std::{convert::TryInto, fmt::Debug};
pub mod chip;
pub mod commit_ivk;
pub mod merkle;
mod message;
pub mod note_commit;
/// The set of circuit instructions required to use the [`Sinsemilla`](https://zcash.github.io/halo2/design/gadgets/sinsemilla.html) gadget.
/// This trait is bounded on two constant parameters: `K`, the number of bits
@ -107,7 +105,8 @@ impl<C: CurveAffine, SinsemillaChip, const K: usize, const MAX_WORDS: usize>
where
SinsemillaChip: SinsemillaInstructions<C, K, MAX_WORDS> + Clone + Debug + Eq,
{
fn from_bitstring(
/// Constructs a message from a bitstring.
pub fn from_bitstring(
chip: SinsemillaChip,
mut layouter: impl Layouter<C::Base>,
bitstring: Vec<Option<bool>>,
@ -140,7 +139,7 @@ where
/// Constructs a message from a vector of [`MessagePiece`]s.
///
/// [`MessagePiece`]: SinsemillaInstructions::MessagePiece
fn from_pieces(
pub fn from_pieces(
chip: SinsemillaChip,
pieces: Vec<MessagePiece<C, SinsemillaChip, K, MAX_WORDS>>,
) -> Self {
@ -169,7 +168,8 @@ impl<C: CurveAffine, SinsemillaChip, const K: usize, const MAX_WORDS: usize>
where
SinsemillaChip: SinsemillaInstructions<C, K, MAX_WORDS> + Clone + Debug + Eq,
{
fn inner(&self) -> SinsemillaChip::MessagePiece {
/// Returns the inner MessagePiece contained in this gadget.
pub fn inner(&self) -> SinsemillaChip::MessagePiece {
self.inner
}
}
@ -179,7 +179,7 @@ impl<C: CurveAffine, SinsemillaChip, const K: usize, const MAX_WORDS: usize>
where
SinsemillaChip: SinsemillaInstructions<C, K, MAX_WORDS> + Clone + Debug + Eq,
{
fn from_bitstring(
pub fn from_bitstring(
chip: SinsemillaChip,
layouter: impl Layouter<C::Base>,
bitstring: &[Option<bool>],
@ -214,7 +214,7 @@ where
Self::from_field_elem(chip, layouter, piece_value, num_words)
}
fn from_field_elem(
pub fn from_field_elem(
chip: SinsemillaChip,
layouter: impl Layouter<C::Base>,
field_elem: Option<C::Base>,

11
src/circuit/gadget/sinsemilla/chip.rs
View File

@ -63,16 +63,21 @@ pub struct SinsemillaConfig {
witness_pieces: Column<Advice>,
/// The lookup table where $(\mathsf{idx}, x_p, y_p)$ are loaded for the $2^K$
/// generators of the Sinsemilla hash.
pub(super) generator_table: GeneratorTableConfig,
generator_table: GeneratorTableConfig,
/// An advice column configured to perform lookup range checks.
pub(super) lookup_config: LookupRangeCheckConfig<pallas::Base, { sinsemilla::K }>,
lookup_config: LookupRangeCheckConfig<pallas::Base, { sinsemilla::K }>,
}
impl SinsemillaConfig {
/// Returns an array of all advice columns in this config, in arbitrary order.
pub(super) fn advices(&self) -> [Column<Advice>; 5] {
pub fn advices(&self) -> [Column<Advice>; 5] {
[self.x_a, self.x_p, self.bits, self.lambda_1, self.lambda_2]
}
/// Returns the lookup table config of this Sinsemilla config.
pub fn lookup_config(&self) -> &LookupRangeCheckConfig<pallas::Base, { sinsemilla::K }> {
&self.lookup_config
}
}
#[derive(Eq, PartialEq, Clone, Debug)]

9
src/circuit/gadget/sinsemilla/merkle.rs
View File

@ -4,11 +4,12 @@ use halo2::{
};
use pasta_curves::arithmetic::CurveAffine;
use super::{HashDomains, SinsemillaInstructions};
use crate::{
circuit::gadget::utilities::{
cond_swap::CondSwapInstructions, transpose_option_array, UtilitiesInstructions,
circuit::gadget::{
sinsemilla::{HashDomains, SinsemillaInstructions},
utilities::{
cond_swap::CondSwapInstructions, transpose_option_array, UtilitiesInstructions,
},
},
spec::i2lebsp,
};

36
src/circuit/gadget/sinsemilla/merkle/chip.rs
View File

@ -5,17 +5,19 @@ use halo2::{
};
use pasta_curves::{arithmetic::FieldExt, pallas};
use super::super::{
chip::{SinsemillaChip, SinsemillaConfig},
SinsemillaInstructions,
};
use super::MerkleInstructions;
use crate::{
circuit::gadget::utilities::{
bitrange_subset,
cond_swap::{CondSwapChip, CondSwapConfig, CondSwapInstructions},
copy, CellValue, UtilitiesInstructions, Var,
circuit::gadget::{
sinsemilla::{
chip::{SinsemillaChip, SinsemillaConfig},
SinsemillaInstructions,
},
utilities::{
bitrange_subset,
cond_swap::{CondSwapChip, CondSwapConfig, CondSwapInstructions},
copy, CellValue, UtilitiesInstructions, Var,
},
},
constants::{L_ORCHARD_BASE, MERKLE_DEPTH_ORCHARD},
primitives::sinsemilla,
@ -209,11 +211,10 @@ impl MerkleInstructions<pallas::Affine, MERKLE_DEPTH_ORCHARD, { sinsemilla::K },
.value()
.map(|value| bitrange_subset(value, 250..L_ORCHARD_BASE));
config.sinsemilla_config.lookup_config.witness_short_check(
layouter.namespace(|| "Constrain b_1 to 5 bits"),
b_1,
5,
)?
config
.sinsemilla_config
.lookup_config()
.witness_short_check(layouter.namespace(|| "Constrain b_1 to 5 bits"), b_1, 5)?
};
// b_2 = (bits 0..=4 of `right`)
@ -221,11 +222,10 @@ impl MerkleInstructions<pallas::Affine, MERKLE_DEPTH_ORCHARD, { sinsemilla::K },
let b_2 = {
let b_2 = right.value().map(|value| bitrange_subset(value, 0..5));
config.sinsemilla_config.lookup_config.witness_short_check(
layouter.namespace(|| "Constrain b_2 to 5 bits"),
b_2,
5,
)?
config
.sinsemilla_config
.lookup_config()
.witness_short_check(layouter.namespace(|| "Constrain b_2 to 5 bits"), b_2, 5)?
};
let b = {

37
src/circuit/gadget/sinsemilla/note_commit.rs → src/circuit/note_commit.rs
View File

@ -11,16 +11,15 @@ use crate::{
chip::{EccChip, NonIdentityEccPoint},
Point,
},
sinsemilla::{
chip::{SinsemillaChip, SinsemillaCommitDomains, SinsemillaConfig},
CommitDomain, Message, MessagePiece,
},
utilities::{bitrange_subset, bool_check, copy, CellValue, Var},
},
constants::T_P,
};
use super::{
chip::{SinsemillaChip, SinsemillaCommitDomains, SinsemillaConfig},
CommitDomain, Message, MessagePiece,
};
/*
<https://zips.z.cash/protocol/nu5.pdf#concretesinsemillacommit>
We need to hash g_d || pk_d || i2lebsp_{64}(v) || rho || psi,
@ -552,14 +551,14 @@ impl NoteCommitConfig {
let b_3 = pkd_x.map(|pkd_x| bitrange_subset(pkd_x, 0..4));
// Constrain b_0 to be 4 bits
let b_0 = self.sinsemilla_config.lookup_config.witness_short_check(
let b_0 = self.sinsemilla_config.lookup_config().witness_short_check(
layouter.namespace(|| "b_0 is 4 bits"),
b_0,
4,
)?;
// Constrain b_3 to be 4 bits
let b_3 = self.sinsemilla_config.lookup_config.witness_short_check(
let b_3 = self.sinsemilla_config.lookup_config().witness_short_check(
layouter.namespace(|| "b_3 is 4 bits"),
b_3,
4,
@ -597,7 +596,7 @@ impl NoteCommitConfig {
let d_3 = value_val.map(|value| bitrange_subset(value, 8..58));
// Constrain d_2 to be 8 bits
let d_2 = self.sinsemilla_config.lookup_config.witness_short_check(
let d_2 = self.sinsemilla_config.lookup_config().witness_short_check(
layouter.namespace(|| "d_2 is 8 bits"),
d_2,
8,
@ -628,14 +627,14 @@ impl NoteCommitConfig {
let e_1 = rho_val.map(|rho| bitrange_subset(rho, 0..4));
// Constrain e_0 to be 6 bits.
let e_0 = self.sinsemilla_config.lookup_config.witness_short_check(
let e_0 = self.sinsemilla_config.lookup_config().witness_short_check(
layouter.namespace(|| "e_0 is 6 bits"),
e_0,
6,
)?;
// Constrain e_1 to be 4 bits.
let e_1 = self.sinsemilla_config.lookup_config.witness_short_check(
let e_1 = self.sinsemilla_config.lookup_config().witness_short_check(
layouter.namespace(|| "e_1 is 4 bits"),
e_1,
4,
@ -664,7 +663,7 @@ impl NoteCommitConfig {
let g_2 = psi_val.map(|psi| bitrange_subset(psi, 9..249));
// Constrain g_1 to be 9 bits.
let g_1 = self.sinsemilla_config.lookup_config.witness_short_check(
let g_1 = self.sinsemilla_config.lookup_config().witness_short_check(
layouter.namespace(|| "g_1 is 9 bits"),
g_1,
9,
@ -690,7 +689,7 @@ impl NoteCommitConfig {
let h_1 = psi_val.map(|psi| bitrange_subset(psi, 254..255));
// Constrain h_0 to be 5 bits.
let h_0 = self.sinsemilla_config.lookup_config.witness_short_check(
let h_0 = self.sinsemilla_config.lookup_config().witness_short_check(
layouter.namespace(|| "h_0 is 5 bits"),
h_0,
5,
@ -835,7 +834,7 @@ impl NoteCommitConfig {
let t_p = pallas::Base::from_u128(T_P);
a + two_pow_130 - t_p
});
let zs = self.sinsemilla_config.lookup_config.witness_check(
let zs = self.sinsemilla_config.lookup_config().witness_check(
layouter.namespace(|| "Decompose low 130 bits of (a + 2^130 - t_P)"),
a_prime,
13,
@ -874,7 +873,7 @@ impl NoteCommitConfig {
b_3 + (two_pow_4 * c) + two_pow_140 - t_p
});
let zs = self.sinsemilla_config.lookup_config.witness_check(
let zs = self.sinsemilla_config.lookup_config().witness_check(
layouter.namespace(|| "Decompose low 140 bits of (b_3 + 2^4 c + 2^140 - t_P)"),
b3_c_prime,
14,
@ -914,7 +913,7 @@ impl NoteCommitConfig {
// Decompose the low 140 bits of e1_f_prime = e_1 + 2^4 f + 2^140 - t_P,
// and output the running sum at the end of it.
// If e1_f_prime < 2^140, the running sum will be 0.
let zs = self.sinsemilla_config.lookup_config.witness_check(
let zs = self.sinsemilla_config.lookup_config().witness_check(
layouter.namespace(|| "Decompose low 140 bits of (e_1 + 2^4 f + 2^140 - t_P)"),
e1_f_prime,
14,
@ -951,7 +950,7 @@ impl NoteCommitConfig {
g_1 + (two_pow_9 * g_2) + two_pow_130 - t_p
});
let zs = self.sinsemilla_config.lookup_config.witness_check(
let zs = self.sinsemilla_config.lookup_config().witness_check(
layouter.namespace(|| "Decompose low 130 bits of (g_1 + (2^9)g_2 + 2^130 - t_P)"),
g1_g2_prime,
13,
@ -984,14 +983,14 @@ impl NoteCommitConfig {
};
// Range-constrain k_0 to be 9 bits.
let k_0 = self.sinsemilla_config.lookup_config.witness_short_check(
let k_0 = self.sinsemilla_config.lookup_config().witness_short_check(
layouter.namespace(|| "Constrain k_0 to be 9 bits"),
k_0,
9,
)?;
// Range-constrain k_2 to be 4 bits.
let k_2 = self.sinsemilla_config.lookup_config.witness_short_check(
let k_2 = self.sinsemilla_config.lookup_config().witness_short_check(
layouter.namespace(|| "Constrain k_2 to be 4 bits"),
k_2,
4,
@ -1004,7 +1003,7 @@ impl NoteCommitConfig {
let two_pow_10 = pallas::Base::from_u64(1 << 10);
lsb + two * k_0 + two_pow_10 * k_1
});
let zs = self.sinsemilla_config.lookup_config.witness_check(
let zs = self.sinsemilla_config.lookup_config().witness_check(
layouter.namespace(|| "Decompose j = LSB + (2)k_0 + (2^10)k_1"),
j,
25,