Even though we only use the LSB of the y-coordinates as inputs to
the Sinsemilla hash, we still have to check that they are consistent
with the g_d and pk_d points that were passed in.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Constraint tables have been added along with the region layout. I also
fixed numerous bugs in the constraints (most of which appeared to be
copy-pasta bugs).
Change the region layout to only use 9 advice columns instead of 10.
Also rename variables to match the book.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Previously, these two helpers were returning different outputs.
They have now been standardised to return only the full running
sum.
Note the z_0 is the original element being decomposed by the
helper.
- Placing the Poseidon `state` columns after the `partial_sbox` column
instead of before it causes them to line up with vast stretch of free
space, enabling the pad-and-add region to be layed out there.
- Using the `Region::assign_advice_from_constant` API to initialise the
Poseidon state removes fixed-column contention between that region and
fixed-base scalar multiplication, enabling it to also be layed out
within the free space.
- If https://github.com/zcash/halo2/issues/334 were implemented then
this region would disappear.
- The overflow check in variable-base scalar mul is also moved into the
columns with free space.
Previously, the short_lookup_bitshift fixed column was a non-binary
selector that both provided a constant value and toggled a gate.
Now, the constant value is copied in from the global constants API,
and the toggle is handled by a q_lookup_bitshift selector.
Previously, l_plus_1 was a non-binary fixed column, used to
1. provide the value of l + 1; and
2. toggle the decomposition gate.
Now, the value is copied in from the global constants column, and
the toggle is handled by a binary q_decompose selector.
Previously, fixed_y_q was a non-binary selector that both loaded
the y_Q value and toggled the y_Q gate.
Now, the gate is toggled by a q_s4 simple selector, while the value
is loaded into a separate fixed column.
Loading fixed_y_q into an advice column introduces an additional
row. Instead, we load it into a fixed column.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
The Action circuit only used standard PLONK in one place. Since it
used non-binary selectors, it cannot be optimised by the halo2
selector optimisations. We now replace it with a custom gate which
uses a binary selector.
- Instead of defining a synthetic q_S3 based on a combination of
of q_S1, q_S2, we simply create another selector q_S3.
- Instead of using fixed_y_q as a nonbinary selector, replace it
with q_S4 and copy the fixed value into a row above.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
The Sinsemilla chip witnesses message pieces in individual regions, and
then copies them into the `hash_piece` region to initialize the running
sum. Previously these occured in the same column, but we can reduce the
utilized rows of the Action circuit by moving these into a less-used
column.
If https://github.com/zcash/halo2/issues/334 is implemented, this change
would be unnecessary, as the witnessed message piece regions would never
be assigned into the circuit.
We were configuring multiple instances of this across all of the advice
columns, in order to spread their assignments. However, we are actually
more constrained by columns than rows, and we have comparatively few
rows of range check logic required for the Action circuit.
We now use a single LookupRangeCheckConfig for the entire circuit. The
reduction in lookup arguments and fixed columns cuts the proof size in
half (now at 6048 bytes when using `floor_planner::V1`).
Co-authored-by: therealyingtong <yingtong@z.cash>
therealyingtong
Daira Hopwood
Jack Grigg
Kris Nuttycombe