ying tong
6c55e1a7e3
[book] Fix updates to Sinsemilla writeup.
2021-07-23 20:34:16 +08:00
therealyingtong
7866623a1b
[book] Undo selector optimisation in variable-base scalar mul
...
Previously, we were using a non-binary selector q_mul = {1, 2, 3}
to switch between three cases. Now, we replace this with three
binary selectors.
2021-07-22 22:39:17 +08:00
therealyingtong
c5cda9481d
[book] Undo selector optimisations in Sinsemilla
...
- Instead of defining a synthetic q_S3 based on a combination of
q_S1, q_S2, we simply create another selector q_S3.
- Instead of using fixed_y_q as a nonbinary selector, replace it
with q_S4 and copy the fixed value into a row above.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-22 22:19:01 +08:00
str4d
bd28b46163
Merge pull request #150 from zcash/bump-halo2-again
...
Migrate to latest `halo2` API
2021-07-19 13:56:59 +01:00
str4d
38f9e3076f
Update code comments after review
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: ying tong <yingtong@z.cash>
2021-07-19 13:56:18 +01:00
str4d
146156abb6
Merge pull request #118 from zcash/sinsemilla-chip-commit
...
Sinsemilla chip with Commit Domain
2021-07-19 13:27:08 +01:00
str4d
f44c4161af
Adjust documentation of `CommitDomains::r`
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-19 13:26:03 +01:00
therealyingtong
a17a9301d7
sinsemilla::tests: Witness and constrain expected result of commit.
2021-07-19 20:03:13 +08:00
therealyingtong
8ce0725043
gadget::sinsemilla.rs: Add SinsemillaCommit test.
2021-07-19 20:03:13 +08:00
therealyingtong
df4bf422f5
gadget::sinsemilla.rs: Add CommitDomain
...
SinsemillaInstructions gains several associated types specific to
SinsemillaCommit.
2021-07-19 20:03:12 +08:00
Jack Grigg
1dca72a1cc
Migrate to latest `halo2` test API
2021-07-19 12:58:05 +01:00
Jack Grigg
654f1b4613
Add selector to dummy circuit
...
We need to ensure that no gates are active on the blinding factor rows.
2021-07-19 12:53:38 +01:00
Jack Grigg
15f9d254d9
Migrate to latest `halo2` API
...
- `halo2::plonk::{create_proof, verify_proof}` now take instance columns
as slices of values.
- `halo2::plonk::Permutation` has been replaced by a global permutation,
to which columns can be added with `ConstraintSystem::enable_equality`.
- The introduction of blinding rows means that various tests now require
larger circuit parameters.
2021-07-19 12:53:38 +01:00
str4d
cf4c78f9a1
Merge pull request #145 from zcash/refactor-short-scalar
...
Refactor `mul_fixed_short` API to copy in (`magnitude`, `sign`)
2021-07-19 12:48:52 +01:00
therealyingtong
1b615a40ee
Fix documentation in decompose_running_sum.
2021-07-19 19:14:32 +08:00
therealyingtong
c444ddebf8
Documentation and variable naming cleanups.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-19 18:48:49 +08:00
therealyingtong
fe95122ef7
mul_fixed::base_field_elem: Remove duplicate coords check gate.
...
The coordinate check for an element decomposed using a running sum
is enforced by mul_fixed::Config::running_sum_coords_gate().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-19 18:08:22 +08:00
therealyingtong
91b8ea20e4
mul_fixed::short.rs: Fix magnitude bound in test.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-18 00:13:23 +08:00
therealyingtong
90b59baca5
mul_fixed: Remove unused selectors and duplicate gates.
...
Selectors previously used in the witness_scalar_* APIs, such as
q_scalar_fixed and q_scalar_fixed_short, are now removed. The
remaining selectors have been renamed for clarity.
The coordinates check for scalars decomposed using a running sum
has been moved into the mul_fixed.rs file, instead of being
duplicated in both mul_fixed::base_field_elem and mul_fixed::short.
The decompose_scalar_fixed() method is now only used in
mul_fixed::full_width, and has been moved there.
2021-07-18 00:10:15 +08:00
therealyingtong
179cd8e940
base_field_elem: Remove z_85_alpha = 0 check from canonicity gate.
...
The decompose_running_sum gadget in strict mode already enforces
this check.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-18 00:09:39 +08:00
therealyingtong
e846536b4e
decompose_running_sum: Remove NUM_WINDOWS, WORD_NUM_BITS const generics
...
These are now provided as inputs to the witness_decompose() and
copy_decompose() methods. This allows us to reuse the same config
for different word/window lengths, avoiding a duplicate constraint
creation.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-17 12:10:13 +08:00
therealyingtong
90474995a7
Add mul_short::tests cases and address review comments.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-17 00:44:56 +08:00
therealyingtong
32f3068886
ecc.rs: Add MulFixedBaseField type.
...
In the Orchard protocol, only the NullifierK fixed base is used in
scalar multiplication with a base field element.
The mul_fixed_base_field_elem() API does not have to accept fixed
bases other than NullifierK; conversely, NullifierK does not have
to work with the full-width mul_fixed() API.
2021-07-15 20:51:52 +08:00
therealyingtong
1681463856
mul_fixed::short::tests: Test negative mul_with_double case.
2021-07-15 20:51:43 +08:00
therealyingtong
e21b193a17
mul_fixed::short::tests: Test invalid magnitude and sign.
...
Check that a magnitude larger than 64 bits results in a constraint
failure.
Check that a sign other than +/- 1 results in a constraint failure.
2021-07-15 20:51:42 +08:00
therealyingtong
a8bd2d6abf
mul_fixed::short: Copy (magnitude, sign) instead of witnessing Scalar.
...
In the Orchard circuit, the short signed scalar is v_old - v_new,
which will be witnessed as two cells: a 64-bit magnitude, and a
sign that is +/- 1.
2021-07-15 20:46:51 +08:00
therealyingtong
426f954b1d
gadget::ecc.rs: Inline witness_scalar_* APIs.
...
Witness a scalar in the region where it is used for multiplication,
instead of witnessing it separately and then copying it in.
2021-07-15 20:46:46 +08:00
therealyingtong
32f28ed4b0
gadget::ecc.rs: Bound EccInstructions on UtilitiesInstructions.
2021-07-15 20:46:40 +08:00
therealyingtong
7b497c53a3
mul_fixed::base_field_elem: Use decompose_running_sum helper.
2021-07-15 20:46:22 +08:00
therealyingtong
ee062bae3d
gadget::utilities: Add decompose_running_sum helper.
...
This decomposes a field element into K-bit windows using a
running sum. Each step of the running sum is range-constrained.
In strict mode, the final output of the running sum is constrained
to be zero.
This helper asserts K <= 3.
2021-07-15 20:46:21 +08:00
str4d
f3c9b6cedc
Merge pull request #144 from zcash/bump-halo2
...
Migrate to latest `halo2::plonk::Circuit` API
2021-07-15 13:33:53 +01:00
Jack Grigg
ac70a6bfdf
test: Print Merkle path test circuit layout
...
Requires fixing an unnecessary unwrap in the test circuit's synthesis.
2021-07-15 11:25:22 +01:00
Jack Grigg
d47a7d2105
Migrate to latest halo2 Circuit APIs
...
- The `Circuit` trait now has a `FloorPlanner` associated type.
- `circuit_layout` has been replaced by `CircuitLayout`.
2021-07-15 11:22:25 +01:00
str4d
cc3e1ad0b4
Merge pull request #111 from zcash/ecc-mul
...
[ECC chip] Fixed- and variable-base scalar multiplication
2021-07-15 11:16:12 +01:00
therealyingtong
425ee6e038
Docfixes and minor refactors.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-15 12:27:12 +08:00
therealyingtong
b696163e31
mul.rs: Explain ordering of mul::incomplete advice columns.
2021-07-14 18:30:43 +08:00
Daira Hopwood
43ffa37740
[book] Nullifiers: the scalar is (...) mod p, not ... (mod p).
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-12 20:24:18 +01:00
Daira Hopwood
c76358769c
book/src/design/nullifiers.md: cosmetics (make the table fit).
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-12 20:20:00 +01:00
therealyingtong
0ade539441
utilities::tests::test_range_check(): Test range_check() helper.
...
Verify that this constraint fails when the witnessed value is out
of range.
2021-07-09 23:17:42 +08:00
ying tong
7b3a0c8a29
Merge pull request #54 from zcash/book-ecc-gadget
...
[book] Document ECC gadget in circuit
2021-07-09 22:18:16 +08:00
therealyingtong
6c41c72e66
utilities::range_check: Correct range_check expression
...
Previously, we were multiplying the expression by 0, which led it
to always evaluate to true.
2021-07-09 22:03:26 +08:00
therealyingtong
8a9f8218e9
mul_fixed::base_field_elem: Remove double-enable of base_field_fixed_mul.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-09 10:23:40 +08:00
therealyingtong
d9f134ac4b
[book] Details and formatting changes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-09 10:09:10 +08:00
str4d
74df35ce89
Merge pull request #136 from nuttycom/total_merkle_crh_orchard
...
Implements the updated, total definition of MerkleCRH^Orchard
2021-07-09 02:26:10 +01:00
ying tong
2febafbdfe
Apply suggestions from code review
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: str4d <jack@electriccoin.co>
2021-07-08 16:40:44 +08:00
therealyingtong
ae4e54dce8
gadget::utilities: Add test cases for bitrange_subset() helper.
2021-07-08 16:29:07 +08:00
therealyingtong
5c38f53b58
mul::tests: Witness expected point and constrain result to be equal.
2021-07-08 15:17:52 +08:00
therealyingtong
e2ea443fad
mul_fixed::*::tests: Witness expected point and constrain result to be equal.
2021-07-08 15:06:47 +08:00
therealyingtong
22ec16f129
Minor refactors, cleanups, clippy fixes, docfixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-08 13:31:56 +08:00
therealyingtong
96863c9f73
mul_fixed::*: Use a separate region for complete addition assignment.
...
The mul_fixed regions use complete addition on the last window,
and incomplete addition on all other windows. However, the complete
addition does not depend on any offsets in the incomplete addition
region, and can be separated into a disjoint region. Since incomplete
addition uses only four advice columns, while complete addition uses
nine, separating the regions would allow the layouter to optimise
their placement.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-08 12:04:43 +08:00