This was previously creating an extra advice column. Instead, we
should pass in all required advice columns as inputs.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
- `halo2::plonk::{create_proof, verify_proof}` now take instance columns
as slices of values.
- `halo2::plonk::Permutation` has been replaced by a global permutation,
to which columns can be added with `ConstraintSystem::enable_equality`.
- The introduction of blinding rows means that various tests now require
larger circuit parameters.
The coordinate check for an element decomposed using a running sum
is enforced by mul_fixed::Config::running_sum_coords_gate().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Selectors previously used in the witness_scalar_* APIs, such as
q_scalar_fixed and q_scalar_fixed_short, are now removed. The
remaining selectors have been renamed for clarity.
The coordinates check for scalars decomposed using a running sum
has been moved into the mul_fixed.rs file, instead of being
duplicated in both mul_fixed::base_field_elem and mul_fixed::short.
The decompose_scalar_fixed() method is now only used in
mul_fixed::full_width, and has been moved there.
These are now provided as inputs to the witness_decompose() and
copy_decompose() methods. This allows us to reuse the same config
for different word/window lengths, avoiding a duplicate constraint
creation.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
In the Orchard protocol, only the NullifierK fixed base in used in
scalar multiplication with a base field element.
The mul_fixed_base_field_elem() API does not have to accept fixed
bases other than NullifierK; conversely, NullifierK does not have
to work with the full-width mul_fixed() API.
This decomposes a field element into K-bit windows using a
running sum. Each step of the running sum is range-constrained.
In strict mode, the final output of the running sum is constrained
to be zero.
This helper asserts K <= 3.
The mul_fixed regions use complete addition on the last window,
and incomplete addition on all other windows. However, the complete
addition does not depend on any offsets in the incomplete addition
region, and can be separated into a disjoint region. Since incomplete
addition uses only four advice columns, while complete addition uses
nine, separating the regions would allow the layouter to optimise
their placement.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
We can use the three-bit existing running sum decomposition to
constrain alpha_0 to be within 130 bits. This removes the need for
a 10-bit lookup decomposition of alpha_0.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
The differences between the final iteration and prior iterations are:
- The final iteration does not constrain (x_T, y_T) to propagate down.
- The final iteration constrains an assigned y_A output instead of a
derived y_A from the next iteration's variables.
We also swap the init_y constraint to match the book.
Co-authored-by: therealyingtong <yingtong@z.cash>