32ea1cce27
constants::util::evaluate(): Replace fold() with reduce().
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-09 10:42:45 +08:00
8a9f8218e9
mul_fixed::base_field_elem: Remove double-enable of base_field_fixed_mul.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-09 10:23:40 +08:00
ae4e54dce8
gadget::utilities: Add test cases for bitrange_subset() helper.
2021-07-08 16:29:07 +08:00
5c38f53b58
mul::tests: Witness expected point and constrain result to be equal.
2021-07-08 15:17:52 +08:00
e2ea443fad
mul_fixed::*::tests: Witness expected point and constrain result to be equal.
2021-07-08 15:06:47 +08:00
22ec16f129
Minor refactors, cleanups, clippy fixes, docfixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-08 13:31:56 +08:00
96863c9f73
mul_fixed::*: Use a separate region for complete addition assignment.
...
The mul_fixed regions use complete addition on the last window,
and incomplete addition on all other windows. However, the complete
addition does not depend on any offsets in the incomplete addition
region, and can be separated into a disjoint region. Since incomplete
addition uses only four advice columns, while complete addition uses
nine, separating the regions would allow the layouter to optimise
their placement.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-08 12:04:43 +08:00
d0e34cd204
mul_fixed::base_field_elem: Eliminate alpha_0 lookup decomposition.
...
We can use the three-bit existing running sum decomposition to
constrain alpha_0 to be within 130 bits. This removes the need for
a 10-bit lookup decomposition of alpha_0.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-08 11:24:18 +08:00
f42d48b8a4
mul_fixed::base_field_elem: Fix two_pow_130 expression.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-08 08:49:46 +08:00
ae72501b70
mul_fixed::base_field_elem: Add constraint alpha_2 = 0 => alpha_1 = 0.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-07 23:12:31 +08:00
72e469ee10
mul_fixed::base_field_elem.rs: Check canonicity of base field element used in fixed-base scalar mul.
...
When using a base field element as the scalar in fixed-base mul,
we check the canonicity of its decomposition.
2021-07-07 23:12:31 +08:00
b69094036c
chip::mul_fixed.rs: Make q_mul_fixed a selector instead of fixed column.
2021-07-07 23:12:31 +08:00
23f2ed5abe
gadget::utilities.rs: Add bitrange_subset() helper.
2021-07-07 23:12:31 +08:00
2d343af068
Update mul_fixed_* APIs to take Layouter instead of Region.
...
These APIs are not called internally.
2021-07-07 23:10:59 +08:00
d550e156d9
mul_fixed_*::tests: Constrain zero outputs in mul_fixed tests.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
9fd4d7df27
Cleanups and clippy fixes.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-07 23:10:59 +08:00
2536555299
mul_fixed: Constrain interpolated window mul to be on curve.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
67caed52eb
mul::incomplete: Constrain final iteration correctly
...
The differences between the final iteration and prior iterations are:
- The final iteration does not constrain (x_T, y_T) to propagate down.
- The final iteration constrains an assigned y_A output instead of a
derived y_A from the next iteration's variables.
We also swap the init_y constraint to match the book.
Co-authored-by: therealyingtong <yingtong@z.cash>
2021-07-07 23:10:59 +08:00
33b66ab796
tests::print_ecc_chip(): Print ECC chip.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
3f961ab29a
mul::process_lsb(): Clean up assignments and boolean-constrain LSB.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
6ffd867e23
mul::complete.rs: Constrain negation of (x_p, y_p) in double-and-add.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
e75c176181
mul::incomplete.rs: Make offsets more intuitive
2021-07-07 23:10:59 +08:00
4d69dec00f
mul::incomplete.rs: Constrain first and last y_a values.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
b363492a35
ecc::chip.rs: Introduce circuit-wide "constants" fixed column
...
At certain points in the circuit, we need to constrain cells in
advice columns to equal a fixed constant. Instead of defining a
new fixed column for each constant, we pass around a single
shared by all chips, that is included in the permutation over all
advice columns.
This lets us load all needed constants into a single column and
directly constrain advice cells with an equality constraint.
2021-07-07 23:10:59 +08:00
69d6629ac6
chip::mul.rs: Enforce LSB if/else condition
...
On the LSB of the scalar, we assign a point (x,y) = (x_p, -y_p)
if LSB = 0, and (0,0) otherwise. This if/else condition must be
enforced.
Co-authored-by: Sean Bowe <ewillbefull@gmail.com>
2021-07-07 23:10:59 +08:00
e726fee19b
mul_fixed: Avoid computing fixed constants during proving
...
This decreases proving time in the Action circuit by 17%.
2021-07-07 23:10:59 +08:00
b15343f6f7
Add `OrchardFixedBasesFull::{generator, u}` methods
...
Using these in `OrchardFixedBases::{generator, u}` instead of the
`impl From<OrchardFixedBasesFull> for OrchardFixedBase` means we avoid
computing the Lagrange coefficients for the generator (which were then
immediately dropped).
This decreases proving time in the Action circuit by 53%.
2021-07-07 23:10:59 +08:00
09b4da197d
base_field_elem.rs: Support fixed-base mul using base field element.
...
In Orchard nullifier derivation, we multiply the fixed base
K^Orchard by a value encoded as a base field element. This commit
introduces an API that allows using a base field element as the
"scalar" in fixed-base scalar multiplication.
The API currently assumes that the base field element is output by
another instruction (i.e. there is no instruction to directly
witness it).
2021-07-07 23:10:59 +08:00
37074c64f5
mul_fixed::short: Check that last window is either 0 or 1.
...
The magnitude of the short signed scalar must be 64 bits. We decompose
the magnitude into 22 3-bit windows and check that each window is in
the 3-bit range.
However, since the first 21 windows have already accounted for 63 bits,
the last window is constrained to be a single bit.
2021-07-07 23:10:59 +08:00
747f71ca80
constants.rs: Add unit tests for T_P, T_Q constants.
2021-07-07 23:10:59 +08:00
5ae9890913
mul::overflow.rs: Overflow check in variable-base scalar mul
...
Simplify the canonicity check for variable-base scalar multiplication,
by range-checking the low 130 bits rather than the low 127 bits.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: ying tong <yingtong@z.cash>
2021-07-07 23:10:59 +08:00
a3ca27b756
ecc::tests: Add tests for variable- and fixed-base scalar mul.
2021-07-07 23:10:59 +08:00
ae25310385
chip::mul_fixed.rs: Implement fixed-base scalar mul instruction.
...
Fixed-base scalar mul makes use of the add_incomplete and add
instructions internally. The full-width and short signed share
some common logic, which is captured in chip::mul_fixed.rs.
The signed short variant introduces additional logic to handle
the scalar's sign. This is done in the submodule mul_fixed::short.
2021-07-07 23:10:59 +08:00
a263774abf
chip::witness_scalar_fixed.rs: Implement witness_scalar_fixed instruction.
...
A scalar used in fixed-base scalar mul needs to be decomposed into
windows to use with the fixed-base window table. Both full-width
and short signed scalars share some logic (captured in the function
decompose_scalar_fixed()).
A short signed scalar introduces additional logic: its magnitude is
decomposed, and its sign is separately witnessed. This is handled
in the submodule witness_scalar_fixed::short.
2021-07-07 23:10:59 +08:00
cc9dd20536
chip::mul.rs: Implement variable-base scalar mul instruction.
...
This uses the complete addition instruction internally. The module
is split up into mul::incomplete.rs and mul::complete.rs, where
mul::incomplete handles the incomplete additions used in the
starting rounds of the variable-base scalar mul algorithm, and
mul::complete handles the complete additions in the final rounds.
Incomplete additions are broken into "hi" and "lo" halves and
processed on the same rows across different columns. This is an
optimization to make full use of the advice columns in this
instruction.
2021-07-07 23:10:59 +08:00
64a2b02d42
ecc::chip.rs: Witness scalar for variable-base scalar mul
2021-07-07 23:10:59 +08:00
0f60a81485
ecc::chip.rs: Add EccScalarFixed, EccScalarFixedShort structs
2021-07-07 23:10:59 +08:00
64c5b25d1c
Rename OrchardIncrementalTreeDigest to MerkleCrhOrchardOutput
2021-07-01 12:09:24 -06:00
fd94759fab
Implements the updated, total definition of MerkleCRH^Orchard
...
See https://github.com/zcash/zips/pull/530
2021-07-01 12:09:24 -06:00
aa0c0ecbec
Implement ZIP-244 txid and authorizing commitments.
2021-07-01 10:10:24 -06:00
ab2622f59c
Make note encryption OrchardDomain type public.
2021-06-30 12:47:37 -06:00
234eed9cbb
Update src/note_encryption.rs
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-06-30 11:58:28 -06:00
1e95360a74
Add for_action method for constructing an OrchardDomain
2021-06-30 11:21:07 -06:00
74456acea1
primitives::sinsemilla.rs: Document panic in hash()
...
Document that hash() panics if a message is longer than K * C.
2021-06-30 20:01:05 +08:00
ba7e1892de
Minor fixes involving constants.
...
- document that find_zs_and_us is not meant to be used anywhere
- use F::zero() instead of F::default() in constants/util.rs
- use personalisations from constants in spec.rs
2021-06-30 20:00:36 +08:00
bb159a2ccf
Merge pull request #98 from zcash/merkle-chip
...
Merkle hash chip
2021-06-29 23:09:15 +01:00
7c38f149ac
rustfmt
2021-06-29 22:46:07 +01:00
cbded2b821
Optimize transpose_option_array
2021-06-29 22:43:50 +01:00
8dfcd7d49b
Remove unused lookup_config in MerkleConfig
2021-06-29 22:41:01 +01:00
9f1bd64fe9
Merge pull request #133 from zcash/patch-sinsemilla
...
Introduce `LookupRangeCheckConfig`s for each Sinsemilla advice column
2021-06-29 10:43:30 +01:00
3ecd0a122c
Merge pull request #132 from zcash/patch-lookup-range-check
...
Add short range check to `lookup_range_check` util
2021-06-29 10:38:14 +01:00
3806a9d6f0
Further cleanups and docfixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-29 12:08:31 +08:00
d68eb6583d
Docfixes, variable renames, cleanups
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-29 12:08:31 +08:00
32e564a963
Constrain b_1 + 2^5 b_2 = z1_b in decomposition gate.
2021-06-29 12:08:31 +08:00
db45c81ea6
sinsemilla::merkle.rs: Add test for MerkleChip.
2021-06-29 12:08:31 +08:00
f30de79fc6
sinsemilla::merkle.rs: Implement MerkleInstructions for MerkleChip.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-29 12:08:31 +08:00
569eb4baa6
sinsemilla::merkle.rs: Configure MerkleChip
...
MerkleChip::configure() takes a SinsemillaConfig as input.
2021-06-29 12:08:31 +08:00
6976e2baeb
sinsemilla::merkle.rs: Derive SinsemillaInstructions, CondSwapInstructions for MerkleChip
2021-06-29 12:08:31 +08:00
68878d88b1
sinsemilla::merkle.rs: Add MerkleChip
2021-06-29 12:08:31 +08:00
d090da0159
sinsemilla::merkle.rs: Add MerkleInstructions.
...
This has three const generic parameters: PATH_LENGTH, K, MAX_WORDS.
PATH_LENGTH is the length of the Merkle path being hashed. K and
MAX_WORDS parameterize the internal Sinsemilla instance used in
hashing the path.
2021-06-29 12:08:31 +08:00
1ac3541505
Add spec::i2lebsp and constants::MERKLE_DEPTH_ORCHARD
2021-06-29 12:07:49 +08:00
12cef17559
Cleanups and minor refactors.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-29 12:02:54 +08:00
209e6a1132
Docfixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: str4d <jack@electriccoin.co>
2021-06-29 09:51:02 +08:00
3badd42d15
nonempty 0.7
...
We can now correctly measure the heap-allocated memory used by a bundle.
2021-06-28 20:57:49 +01:00
1f861423c2
Merge pull request #122 from nuttycom/incremental_merkle_tree
...
Add Orchard incremental merkle tree digests.
2021-06-28 19:12:13 +01:00
9bf066ef8b
rustfmt
2021-06-28 18:48:58 +01:00
93ab753b8c
Apply string fixes from code review
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-28 18:47:02 +01:00
ffafb6308c
Fix clippy complaints.
2021-06-28 10:56:25 -06:00
0d078c8a90
Rustfmt
2021-06-28 10:01:13 -06:00
9b47bd0db4
sinsemilla::tests: Use separate constants columns for chips.
...
To be replaced by the public inputs API.
2021-06-25 15:07:27 +08:00
2ec30943b3
Configure each Sinsemilla advice column for use with a K-bit lookup.
...
Inputs to Sinsemilla often need to be decomposed and range-constrained.
2021-06-25 15:07:27 +08:00
bdcdb8ac13
Move witness_message() and witness_message_piece_bitstring() to gadget level
...
These instructions were not making any assignments; instead, they
were calling through to witness_message_piece_field().
This PR also renames the witness_message_piece_field() instruction
to witness_message_piece().
2021-06-25 15:07:27 +08:00
6fdee71667
Adjustments to APIs in sinsemilla::chip and sinsemilla::message.
2021-06-25 15:07:27 +08:00
c43c91b796
gadget::utilities: Adjustments to utilities gadgets and helpers.
2021-06-25 15:05:39 +08:00
3840f280d7
lookup_range_check.rs: Add short range check lookup.
...
Also introduce a "strict" mode for the full-length lookup, where
"true" requires the field element to be within num_words * K bits,
whereas "false" does not.
2021-06-25 15:05:39 +08:00
e37cec1e53
Apply suggestions from code review
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-06-24 12:39:28 -06:00
fc41db1ab5
Add UNCOMMITTED_ORCHARD constant.
2021-06-24 12:33:02 -06:00
90d0c254cf
Account for non-canonical base in serde deserialization.
2021-06-24 09:57:35 -06:00
78adc9c810
Anchor computation is partial.
2021-06-24 09:43:10 -06:00
f22907a4d7
Use constants for value commitment hash-to-curve.
...
Fixes #76
2021-06-23 18:04:17 -06:00
52394b8e8d
Add test for incremental Merkle tree root calculation.
...
Fix indexing in perfect subtree computation test for auth paths.
2021-06-23 15:57:33 -06:00
1b42ae707b
Make proptest bundle size configurable.
2021-06-23 15:57:33 -06:00
c876f74ab1
Fix level/layer confusion.
2021-06-23 15:57:33 -06:00
4888f0d16c
Rename Level -> Altitude
2021-06-23 15:57:33 -06:00
e3abbf9a42
Add serde support for OrchardIncrementalTreeDigest
2021-06-23 15:57:33 -06:00
7e79fd4b1c
Add necessary trait impls for OrchardIncrementalTreeDigest
...
Required to make the wrapper type usable for digests in
a serializable incremental merkle tree.
2021-06-23 15:57:33 -06:00
ce4697aca5
Add construction of OrchardIncrementalTreeDigest
2021-06-22 18:14:27 -06:00
4bb252eb0c
Add Orchard incremental merkle tree digests.
2021-06-22 18:14:27 -06:00
71756cffda
Merge pull request #128 from zcash/bundle-dynamic-usage
...
Add `Bundle<Authorized, _>::dynamic_usage` method
2021-06-22 17:46:15 +01:00
66340e2655
Merge pull request #67 from zcash/sinsemilla-chip-config
...
Sinsemilla chip with HashDomain
2021-06-22 16:20:35 +01:00
06f7d7fbe0
Add `Bundle<Authorized, _>::dynamic_usage` method
...
This will be used by `zcashd` as part of tracking the memory usage of
transactions.
2021-06-22 16:06:49 +01:00
81fb944997
Make this crate clippy clean for warnings on nightly.
...
One .clone() removal; all of the other changes are removing needless borrows that are immediately
dereferenced: https://rust-lang.github.io/rust-clippy/master/index.html#needless_borrow
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-21 18:04:00 +01:00
8af84479b3
Rename "Sinsemilla gate" constraint to "y check".
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-21 17:04:47 +01:00
62642fd804
Add `Bundle<Authorized, _>::verify_proof` API
2021-06-21 13:38:43 +01:00
bd08808566
SinsemillaChip::configure(): Merge "Initial y_q" gate with main gate
...
This allows the MockProver to see the fixed_y_q query as semantically
connected to q_sinsemilla1.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 20:56:56 +08:00
a01c2ee829
test: Print layout for Sinsemilla test circuit
2021-06-20 11:51:33 +01:00
5f5238f411
Doc comment fixes
2021-06-20 11:30:43 +01:00
002596f6cd
Docfixes and cleanups.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 12:11:01 +08:00
744f3d1653
SinsemillaChip::configure(): Combine and label gates.
...
The gates "Secant line" and "Sinsemilla gate" were using the same
selectors and could be combined.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 11:26:59 +08:00
eccd72fcd0
hash_piece(): Remove (correct) duplicate assignment of x_a.
...
hash_piece() is an internal API, which means its caller hash_message()
is working in the same region. We rely on the caller to have already
assigned each piece's initial x_a at the correct offset before making
the call to hash_piece().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 11:14:02 +08:00
9ce29d9d4d
hash_to_point(): Introduce final_piece boolean flag
...
This toggles the assignment of q_s2 on the last row of each piece.
We assign q_s2 = 2 on the last row of the final piece, and q_s2 = 0
on the last row of other pieces.
This allows us to process the final_piece in the main loop together
with the other pieces.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 11:00:14 +08:00
031bb0bc87
SinsemillaChip::configure(): Introduce closures for Y_A and x_r
...
These expressions are derived multiple times in the gates.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 10:43:24 +08:00
9072ed437d
generator_table.rs: Fix bug in y_p lookup expression.
...
Also, GeneratorTable::configure() was not being called in the main
SinsemillaChip::configure(), which meant the lookup argument had
not been activated. This has now been fixed.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 10:34:03 +08:00
2f6ca9e6de
generator_table.rs: Enforce z_n = 0 for the last message piece.
2021-06-19 22:39:19 +08:00
158ab865f8
gadget::sinsemilla.rs: Add Sinsemilla test.
2021-06-19 18:17:11 +08:00
eba2172f4f
chip::hash_to_point.rs: Implement hash_to_point instruction.
2021-06-19 18:17:10 +08:00
f122e481a7
sinsemilla::chip.rs: Configure Sinsemilla gates.
2021-06-19 18:17:09 +08:00
7cddc9b587
sinsemilla::chip.rs: Implement witness_message_* APIs.
...
witness_message() witnesses a full message given a bitstring.
The other two APIs, witness_message_piece_bitstring() and
witness_message_piece_field(), both witness a message piece, i.e.
part of a message that fits within a single base field element.
witness_message_piece_bitstring() takes in a bitstring, while
witness_message_piece_field() takes in a field element. In the
latter case, the number of words encoded must be specified.
2021-06-19 18:14:22 +08:00
74e617b46d
chip::generator_table.rs: Load Sinsemilla generator lookup table.
...
The 2^K table of generators used in the Sinsemilla hash. These
are loaded into a lookup table.
2021-06-19 18:14:22 +08:00
ebb7dae063
sinsemilla::chip.rs: Add Sinsemilla chip.
...
The chip that will implement SinsemillaInstructions.
2021-06-19 18:14:22 +08:00
e2859df4eb
sinsemilla::message.rs: Add message module.
...
This defines a Sinsemilla message in terms of pieces and subpieces.
This is useful when decomposing field elements and packing them
into K-bit messages.
2021-06-19 18:14:22 +08:00
af2ac762f4
gadget::sinsemilla.rs: Add Sinsemilla instructions.
...
SinsemillaInstructions has two const generic parameters: K, which
is the number of bits in each word of the hash, and MAX_WORDS,
which is the maximum number of words the hash can process.
For Orchard, K = 10, MAX_WORDS = 253.
2021-06-19 18:14:22 +08:00
83eddd8857
ecc::chip.rs: Add Point::from_coordinates_unchecked() API
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-19 18:14:22 +08:00
1c19bea842
Fix clippy lints.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-16 19:13:40 +01:00
5264d53498
impl Copy for Anchor
2021-06-15 15:42:06 +01:00
019ae7da8e
Anchor::{from_bytes, to_bytes}
2021-06-15 15:41:57 +01:00
e412a5a25b
Merge pull request #115 from zcash/anchor-type
...
Store anchors as pallas::Base instead of [u8; 32]
2021-06-15 14:18:48 +01:00
e90a5972f1
redpallas: Expose batch validation API
2021-06-14 21:41:12 +01:00
eec17a9174
Add a `Bundle::binding_validating_key` method
...
This derives the `bvk` for validating `Authorized::binding_signature`.
2021-06-14 21:40:28 +01:00
ee26116fcf
Merge pull request #114 from zcash/util-range-check
...
utilities::lookup_range_check: Add LookupRangeCheck helper
2021-06-14 10:56:52 -06:00
f5bf0c1ef3
lookup_range_check.rs: Docfixes and minor refactors.
2021-06-15 00:18:38 +08:00
60861b7245
sinsemilla::constants.rs: Add INV_TWO_POW_K = 1 / 2^K constant.
2021-06-15 00:18:38 +08:00
1182d8d5a7
Merge pull request #99 from zcash/note-encryption
...
Note encryption
2021-06-14 17:16:54 +01:00
4a52d771b1
Merge pull request #113 from zcash/constants-concrete-type
...
`constants::load.rs`: Use concrete `pallas::Affine` type for generators
2021-06-14 09:25:17 -06:00
c25526e216
lookup_range_check.rs: Delete wrong comment.
2021-06-14 19:55:51 +08:00
8a8df98a50
add_incomplete::tests: Constrain output of `P + Q` test.
...
Also minor docfixes and refactors.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-14 00:19:21 +08:00
70ec5755cf
lookup_range_check.rs: Add documentation and minor refactors.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 23:24:19 +08:00
b7b8126ccf
spec.rs: Add lebs2ip function bounded on const generic L.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 23:20:59 +08:00
7341996d2c
gadget::ecc.rs: Add EccInstructions::constrain_equal() instruction.
...
This allows us to constrain two points to be equal in value at the
gadget level.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 21:26:30 +08:00
b299a51b31
lookup_range_check.rs: Downgrade from Chip to Config.
...
We need to be able to toggle the lookup on and off on specific
offsets. These offsets are often assigned outside the logic of
the decomposition.
2021-06-13 09:40:50 +08:00
cdab5bf8c4
gadget::utilities.rs: Remove Chip bound on UtilitiesInstructions.
2021-06-13 09:40:20 +08:00
de78186503
Store anchors as pallas::Base instead of [u8; 32]
...
This matches what we store in `MerklePath`, and better enforces the
required type.
2021-06-12 21:35:37 +01:00
e83880841a
utilities::lookup_range_check: Add LookupRangeCheck chip
...
This decomposes a field element into K-bit words and constrains each
word's range by looking it up in a K-bit lookup table.
The field element is broken down using a running sum. All interstitial
values of the running sum are returned.
2021-06-12 22:46:31 +08:00
a11c2066ef
chip::add.rs: Use Expression::square() + other minor refactors
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-12 20:25:12 +08:00
e259bb3846
ecc::chip.rs: Use concrete pallas::Affine for Chip impl.
...
The EccInstructions trait is still generic over C: CurveAffine;
however, the EccChip implementation is specific to the pasta
curves.
2021-06-12 20:25:09 +08:00
aec7a7f850
ecc::chip.rs: Stub out scalar-mul-related structs and types.
...
These will be updated or restored in #111 .
2021-06-12 20:24:14 +08:00
e1779dab70
Docfixes and minor refactors.
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-06-12 12:41:27 +08:00
6dabb16edc
chip::add.rs: Use batch inversion for alpha, beta, gamma, delta
2021-06-12 12:41:27 +08:00
f655e38e3e
chip::add_incomplete.rs: Remove superfluous check.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-12 12:41:27 +08:00
aff56e6763
ecc::chip.rs: Make EccPoint.x, EccPoint.y private fields
...
Also add public getters x() and y().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-12 12:41:27 +08:00
433791fcb0
chip::witness_point.rs: Allow witnessing the identity.
2021-06-12 12:41:27 +08:00
36d7888c1c
ecc.rs: Add tests for complete and incomplete addition.
2021-06-12 12:41:27 +08:00
6491ea90dd
ecc::chip.rs: Bound EccConfig on <C: CurveAffine>.
2021-06-12 12:41:27 +08:00
e802e2917a
chip::add.rs: Implement complete addition instruction.
2021-06-12 12:41:27 +08:00
7dc11b95d2
chip::add_incomplete.rs: Implement add_incomplete() instruction
2021-06-12 12:41:27 +08:00
7eb86eb0c2
chip::witness_point.rs: Implement witness_point() instruction.
2021-06-12 12:41:27 +08:00
6627b2258f
ecc::chip.rs: Add ECC chip.
...
Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-12 12:41:27 +08:00
e15648cb67
gadget::ecc: Remove representations of fixed points in the circuit
...
Fixed points are represented by precomputed window tables. These
are not "initialized" in the circuit at any single point, but are
loaded into fixed columns at the offsets where the fixed points
are used.
Thus, we don't need FixedPoint and get_fixed() in the circuit.
Similarly, we can remove FixedPointShort and get_fixed_short().
2021-06-12 12:41:27 +08:00
ddb9500991
constants::load.rs: Use concrete pallas::Affine type for generators
...
The Orchard fixed bases are Pallas curve points and are not generic
over other curves.
2021-06-12 12:36:43 +08:00
769be6c080
Note encryption test vectors
2021-06-11 23:55:17 +01:00
37326df1ab
spec: Impl more traits for NonZero types
...
Also fixes their Default impls to use "1" as the default.
2021-06-11 23:55:17 +01:00
57f84c3eea
builder: Encrypt output notes
2021-06-11 23:55:17 +01:00
99665572a2
Orchard note encryption
2021-06-11 23:55:16 +01:00
11350339f5
Ensure that derived esk is non-zero
...
There's a (negligble) chance that we could generate (or be sent
adversarially) a RandomSeed which derives esk == 0. It's not hard to
detect and reject, in order to satisfy the type system.
2021-06-11 23:54:35 +01:00
8a7ff1b28a
Structs representing note encryption key material
2021-06-11 23:54:35 +01:00
0ead91a88c
Merge pull request #110 from zcash/tree-logic
...
Implement tree logic in Builder
2021-06-11 21:39:40 +01:00
bd30783a52
Make `hash_layer` comment a doc comment
...
This way, it renders with `cargo doc --document-private-items`
2021-06-11 20:46:30 +01:00
d8f2af8983
Simplify `gen_const_array` implementation
...
Also includes a performance improvement to `i2lebsp_k`.
2021-06-11 20:46:30 +01:00
8464df6e46
Merge pull request #108 from zcash/102-sign-with-rsk
...
builder: Store alpha and use it to derive rsk for signing spends
2021-06-11 14:42:16 +01:00
0e9726ae69
tree.rs: Use 2 as uncommitted leaf and check against test vectors.
2021-06-11 20:24:55 +08:00
380128ed49
tree::MerklePath: Add postion() and auth_path() getters.
2021-06-10 16:55:49 +08:00
b3daeb0861
tree::testing: Fix and test arb_tree().
2021-06-10 13:54:42 +08:00
2d0afe9357
constants.rs: Introduce L_ORCHARD_MERKLE constant
...
Also test that L_ORCHARD_BASE, L_ORCHARD_SCALAR, L_ORCHARD_MERKLE
are consistent with the Pallas curve.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-10 10:33:06 +08:00
e8e22886f4
tree.rs: MerklePath.root(): Fix missing bitmask in swap calculation
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-10 10:29:08 +08:00
18535894d6
constants::util.rs: Factor out gen_fixed_array() method.
2021-06-10 10:03:15 +08:00
7818291118
primitives::sinsemilla.rs: Optimize and test i2lebsp_k
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-09 23:50:59 +08:00
8f8eff23d8
Update proptests to generate Merkle paths
2021-06-08 22:38:11 +08:00
b33248bdb0
src::tree.rs: Implement MerklePath.root() method.
...
Co-authored-by: Kris Nuttycombe <kris@electriccoin.co>
2021-06-08 22:31:24 +08:00
94e730ad4c
Migrate to latest version of halo2
...
This brings in:
- Fixes and improvements to `MockProver`.
- Support for annotating constraints within gates.
- Removal of Selector rotations.
2021-06-07 19:49:25 +01:00
2be13bfa80
Merge pull request #89 from zcash/utils-chip
...
Chip for general utils
2021-06-07 19:40:56 +01:00
3ff307f946
docs: Clarify EnableFlagInstructions::enable_flag
2021-06-07 19:34:48 +01:00
54c8cfd1d0
Documentation improvements and minor refactors.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-08 00:28:32 +08:00
0f2dfc5508
Use UtilitiesInstructions::Var instead of internal associated type.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-08 00:20:09 +08:00
e0e082d265
test: Remove stray dbg!()
2021-06-05 22:39:57 +01:00
cbf7c3825f
builder: Store alpha and use it to derive rsk for signing spends
...
This was missed from zcash/orchard#49 , but could not have caused a
consensus failure or loss-of-funds because `alpha` _was_ being sampled
and used to derive `rk`, meaning that the signatures would fail to
validate.
2021-06-05 22:35:52 +01:00
cd1e72bbcd
Merge pull request #106 from zcash/refactor-constants
...
Refactor `constants` to add `constants::load`
2021-06-05 13:42:16 +01:00
243f862617
Fix clippy lints
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-05 13:18:14 +01:00
d3da71a4fd
Merge pull request #105 from zcash/constants-spend-auth-g
...
Add SpendAuthG fixed base
2021-06-05 12:09:51 +01:00
40599144bf
utilities::plonk: Remove assumption that fixed columns default to 1
2021-06-05 15:33:12 +08:00
6603e996ed
utilities::cond_swap: Directly witness swap bit
2021-06-05 15:32:43 +08:00
9f27049c84
Add constants::load.rs
...
This makes it easier to load constants into the ECC chip.
2021-06-05 13:18:24 +08:00
1d46a2d3e7
Add SpendAuthG fixed base.
...
Used in spend authority randomization where rk = ak + [alpha]SpendAuthG.
2021-06-05 13:16:56 +08:00
f31b9feba0
utilities::enable_flag: Directly witness flag
2021-06-05 09:42:23 +08:00
6f3ac2cdcc
Avoid discards in arbitrary nullifier generation.
2021-06-04 17:36:50 -06:00
bea8a9b7ff
Migrate to bitvec 0.22, ff 0.10, group 0.10, pasta_curves 0.1
2021-06-04 20:38:52 +01:00
fea88c814c
Add enable flag chip
2021-06-04 18:08:59 +08:00
4b0ea0be15
Add conditional swap chip
2021-06-04 18:08:59 +08:00
4f87815262
Add standard PLONK chip
2021-06-04 18:08:59 +08:00
4d8ae89aa9
Add Utilities chip
2021-06-04 18:08:59 +08:00
c5aa41e2e4
Merge pull request #86 from zcash/patch-fixed-mul
...
Update formula for fixed-base window tables.
2021-06-03 13:33:00 +01:00
505e003842
Merge pull request #28 from zcash/poseidon
...
Width-3 Poseidon chip
2021-06-03 12:38:16 +01:00
dc075e7971
Merge pull request #91 from zcash/key-component-test-vectors
...
Add test vectors for key components
2021-06-02 22:23:54 +01:00
fa9d8a992c
Update constants
2021-06-02 22:51:37 +08:00
0636a6f2ec
Update window table formula.
...
Previously, the window table M for fixed-base scalar multiplication
computed M[w][k] = [(k+1)*(2^3)^w]B for each window w, where k is a
3-bit chunk in the scalar decomposition in the range [0..8).
However, in the case k_0 = 7, k_1= 0, the window table entries would
evaluate to:
* M[0][k_0] = [(7+1)*(2^3)^0]B = [8]B,
* M[1][k_1] = [(0+1)*(2^3)^1]B = [8]B,
which means the first addition would require complete addition.
To avoid this, we alter the formula to M[w][k] = [(k+2)*(2^3)^w]B.
We make a corresponding change to the formula for the last window
W. Previously, we had:
M[W][k] = [k * (2^3)^W - \sum((2^3)^j)]B, for j in [0..W-1).
Now, we have:
M[W][k] = [k * (2^3)^W - \sum(2^(3j+1))]B, for j in [0..W-1).
2021-06-02 22:51:37 +08:00
91db490e20
test: Add Poseidon test vectors
2021-06-01 18:36:11 +01:00
5925852c7d
Add Poseidon test vector generated by the reference code.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-01 18:36:11 +01:00
f5a4cc3550
poseidon::Hash gadget
2021-06-01 18:36:11 +01:00
38dd7b791d
PoseidonDuplexInstructions
2021-06-01 18:36:11 +01:00
a69d76113f
test: Rename MyCircuit to PermuteCircuit
2021-06-01 18:36:11 +01:00
d1fe466812
Replace PoseidonInstructions::State with PoseidonInstructions::Word
2021-06-01 18:36:11 +01:00
01eb431f1f
Remove "final" round logic from poseidon::Pow5T3Chip
...
This was a bug in the Poseidon reference implementation, fixed in v1.1.
2021-06-01 18:36:11 +01:00
40a19b429c
Test that poseidon::Pow5T3Chip chip correctly implements Poseidon
2021-06-01 18:36:11 +01:00
f1b8abfccb
Arity-3 Poseidon chip
2021-06-01 18:36:11 +01:00
363e6944ec
Poseidon instructions
2021-06-01 17:54:37 +01:00
dfa3fbb19b
Migrate to latest revision of halo2
2021-06-01 17:37:44 +01:00
803fc2bea3
Merge pull request #93 from zcash/prf_expand-domains
...
Define explicit domains for PRF^expand
2021-06-01 14:31:04 +01:00
c4ffb7c617
Rework PRF^expand to use explicit domains
...
`prf_expand{_vec}` have been replaced by the `PrfExpand` enum, which
has `PrfExpand::{expand, with_ad, with_ad_slices}` methods for use
within each domain as necessary.
2021-05-28 13:12:25 +01:00
cea8a3ab69
Move prf_expand{_vec} into a submodule for clarity
2021-05-28 12:42:01 +01:00
7f47949b09
Take `self` directly in to_bytes methods where Self: Copy
2021-05-28 12:11:22 +01:00
cdfd2ab0f9
Remove clones from types that now impl Copy
2021-05-28 12:10:54 +01:00
5af73f7822
Add test vectors for key components
2021-05-28 11:57:21 +01:00
f82d00e40d
Merge pull request #77 from zcash/remove-rand-0.7
...
Remove rand 0.7 usage
2021-05-21 21:25:34 +01:00
97710e04d6
Merge pull request #80 from zcash/spec-updates
...
Update implementation to match protocol spec version 2021.2.0
2021-05-21 21:24:39 +01:00
2bbbc3ec94
Update comments
...
Co-authored-by: ying tong <yingtong@z.cash>
2021-05-21 21:24:08 +01:00
7109153e88
Merge pull request #43 from zcash/constants
...
Add Orchard constants
2021-05-18 20:44:59 +01:00
38f1c9e14f
Merge pull request #75 from zcash/ecc-gadget
...
Modify ECC gadget to work with chip refactor
2021-05-18 20:34:28 +01:00
ff504c1a3f
Address review comments.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 17:14:13 +08:00
2962115aef
Reintroduce point doubling API
2021-05-18 16:54:52 +08:00
af30f4b141
Add Eq to the EccChip trait
2021-05-18 16:12:06 +08:00
caa3791562
Documentation fixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 16:07:40 +08:00
edea9bde73
Document incomplete point addition error handling
2021-05-18 13:28:17 +08:00
c8076c2864
Add FixedPointsShort associated type
2021-05-18 13:28:17 +08:00
74c797165f
Add range check for short scalar
2021-05-18 13:28:16 +08:00
fb9da0b1b3
Address review comments.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-05-18 09:45:03 +08:00
800e540875
Make the `Bundle` type implement `Clone`
...
This is required for proptest generation that handles shrinking
correctly in librustzcash.
2021-05-13 15:35:44 -06:00
81d751d1b6
Add proptest for decompose_scalar_fixed()
2021-05-13 12:52:03 +08:00
077f809df7
Cleanups from code review
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-05-13 10:48:10 +08:00
4423b50788
Include ρ as an input to the derivation of ψ, esk, and rcm
...
This brings the implementation in line with spec version 2021.2.0 and
the Orchard book.
2021-05-11 18:51:57 +08:00
736de1156b
Ensure that Notes always have valid commitments
...
Implements the change from spec version 2021.1.23 to sample a new rseed
if a note is generated without a valid commitment.
2021-05-11 18:51:57 +08:00
d8cc596bbe
Create separate types for protocol-level and user-level ivk
...
Spec version 2021.1.24 added the diversifier key to the encoding of an
incoming viewing key (to make them more usable). As a result, we now
have two separate types:
- `KeyAgreementPrivateKey`: what was previously `IncomingViewingKey`,
corresponding to the `ivk` type in the protocol spec. It is now
crate-internal.
- `IncomingViewingKey`: the user-facing type that encompasses `dk` and
`ivk`.
2021-05-11 18:51:57 +08:00
76a39d29c1
Change diversify_hash and ka_orchard to use non-zero types
...
This matches the changes to KA^Orchard in spec version 2021.1.23.
2021-05-11 18:51:57 +08:00
9a828febd7
Change `commit_ivk` to return a non-zero Pallas base field element
...
The type system now enforces that `ivk != 0`.
2021-05-11 18:51:57 +08:00
012d14073d
Remove rand 0.7 usage
...
Upstream redjubjub (on which our reddsa dependency is based) has
migrated to rand 0.8.
2021-05-09 07:51:55 +12:00
db60fd2262
Add FixedPointShort associated type
2021-05-06 15:55:15 +08:00
6a64bc1c37
Expose Point.add_incomplete()
2021-05-06 12:54:21 +08:00
e82a76da2a
Remove unused OrchardFixedBases trait
2021-05-06 12:52:52 +08:00
c9f1060bb9
Minor correction to type signature (naming)
2021-05-05 17:44:15 -06:00
bf4532fd7d
Properly condition generators on flags.
2021-05-05 17:36:05 -06:00
71736433d0
Rename arb_nonnegative_note_value -> arb_note_value_bounded
2021-05-05 17:23:21 -06:00
3170096134
Publicly expose `MAX_NOTE_VALUE`
2021-05-05 17:19:42 -06:00
6373d3d422
Fix incorrect generation for bsk/bvk consistency test.
2021-05-05 17:12:31 -06:00
8f3f4a8479
Make note module public.
2021-05-05 14:05:17 -06:00
6c681d0539
Generate uniformly distributed nullifiers.
2021-05-05 13:39:41 -06:00
aa11eb1372
Derive the full range of ValueCommitment values.
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-05-05 12:02:50 -06:00
e72d74ccd6
Remove extraneous pub exports from the root.
2021-05-05 11:46:24 -06:00
7ea8900a58
Implement AsRef for Proof
2021-05-05 11:39:07 -06:00
a08d060725
Remove unneeded pub(crate)
2021-05-05 11:23:30 -06:00
226673938a
Pass flags to arbitrary action generators.
2021-05-05 11:21:45 -06:00
88b8265165
Generate both spend and output values for actions.
2021-05-05 11:14:38 -06:00
4f2b4d2935
Address review comments
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-05-05 20:23:29 +08:00
therealyingtong
Jack Grigg
Kris Nuttycombe
Kris Nuttycombe
Kris Nuttycombe
Daira Hopwood
ebfull
Jack Grigg