therealyingtong
3a75f875a4
poseidon::pow5t3.rs: Take partial_sbox advice column as input.
...
This was previously creating an extra advice column. Instead, we
should pass in all required advice columns as inputs.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-21 20:35:43 +08:00
therealyingtong
d16b83816b
Implement needed getters and conversions in other modules.
2021-07-21 20:35:43 +08:00
Kris Nuttycombe
8971b37af3
Use NOTE_COMMITMENT_PERSONALIZATION constant for CommitDomain initialization.
2021-07-19 20:39:39 -06:00
str4d
bd28b46163
Merge pull request #150 from zcash/bump-halo2-again
...
Migrate to latest `halo2` API
2021-07-19 13:56:59 +01:00
str4d
38f9e3076f
Update code comments after review
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: ying tong <yingtong@z.cash>
2021-07-19 13:56:18 +01:00
str4d
146156abb6
Merge pull request #118 from zcash/sinsemilla-chip-commit
...
Sinsemilla chip with Commit Domain
2021-07-19 13:27:08 +01:00
str4d
f44c4161af
Adjust documentation of `CommitDomains::r`
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-19 13:26:03 +01:00
therealyingtong
a17a9301d7
sinsemilla::tests: Witness and constrain expected result of commit.
2021-07-19 20:03:13 +08:00
therealyingtong
8ce0725043
gadget::sinsemilla.rs: Add SinsemillaCommit test.
2021-07-19 20:03:13 +08:00
therealyingtong
df4bf422f5
gadget::sinsemilla.rs: Add CommitDomain
...
SinsemillaInstructions gains several associated types specific to
SinsemillaCommit.
2021-07-19 20:03:12 +08:00
Jack Grigg
1dca72a1cc
Migrate to latest `halo2` test API
2021-07-19 12:58:05 +01:00
Jack Grigg
654f1b4613
Add selector to dummy circuit
...
We need to ensure that no gates are active on the blinding factor rows.
2021-07-19 12:53:38 +01:00
Jack Grigg
15f9d254d9
Migrate to latest `halo2` API
...
- `halo2::plonk::{create_proof, verify_proof}` now take instance columns
as slices of values.
- `halo2::plonk::Permutation` has been replaced by a global permutation,
to which columns can be added with `ConstraintSystem::enable_equality`.
- The introduction of blinding rows means that various tests now require
larger circuit parameters.
2021-07-19 12:53:38 +01:00
str4d
cf4c78f9a1
Merge pull request #145 from zcash/refactor-short-scalar
...
Refactor `mul_fixed_short` API to copy in (`magnitude`, `sign`)
2021-07-19 12:48:52 +01:00
therealyingtong
1b615a40ee
Fix documentation in decompose_running_sum.
2021-07-19 19:14:32 +08:00
ying tong
c23897ea8d
Apply suggestions from code review
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-07-19 19:01:06 +08:00
therealyingtong
c444ddebf8
Documentation and variable naming cleanups.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-19 18:48:49 +08:00
therealyingtong
fe95122ef7
mul_fixed::base_field_elem: Remove duplicate coords check gate.
...
The coordinate check for an element decomposed using a running sum
is enforced by mul_fixed::Config::running_sum_coords_gate().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-19 18:08:22 +08:00
therealyingtong
91b8ea20e4
mul_fixed::short.rs: Fix magnitude bound in test.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-18 00:13:23 +08:00
therealyingtong
90b59baca5
mul_fixed: Remove unused selectors and duplicate gates.
...
Selectors previously used in the witness_scalar_* APIs, such as
q_scalar_fixed and q_scalar_fixed_short, are now removed. The
remaining selectors have been renamed for clarity.
The coordinates check for scalars decomposed using a running sum
has been moved into the mul_fixed.rs file, instead of being
duplicated in both mul_fixed::base_field_elem and mul_fixed::short.
The decompose_scalar_fixed() method is now only used in
mul_fixed::full_width, and has been moved there.
2021-07-18 00:10:15 +08:00
therealyingtong
179cd8e940
base_field_elem: Remove z_85_alpha = 0 check from canonicity gate.
...
The decompose_running_sum gadget in strict mode already enforces
this check.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-18 00:09:39 +08:00
therealyingtong
e846536b4e
decompose_running_sum: Remove NUM_WINDOWS, WORD_NUM_BITS const generics
...
These are now provided as inputs to the witness_decompose() and
copy_decompose() methods. This allows us to reuse the same config
for different word/window lengths, avoiding a duplicate constraint
creation.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-17 12:10:13 +08:00
therealyingtong
90474995a7
Add mul_short::tests cases and address review comments.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-17 00:44:56 +08:00
therealyingtong
32f3068886
ecc.rs: Add MulFixedBaseField type.
...
In the Orchard protocol, only the NullifierK fixed base is used in
scalar multiplication with a base field element.
The mul_fixed_base_field_elem() API does not have to accept fixed
bases other than NullifierK; conversely, NullifierK does not have
to work with the full-width mul_fixed() API.
2021-07-15 20:51:52 +08:00
therealyingtong
1681463856
mul_fixed::short::tests: Test negative mul_with_double case.
2021-07-15 20:51:43 +08:00
therealyingtong
e21b193a17
mul_fixed::short::tests: Test invalid magnitude and sign.
...
Check that a magnitude larger than 64 bits results in a constraint
failure.
Check that a sign other than +/- 1 results in a constraint failure.
2021-07-15 20:51:42 +08:00
therealyingtong
a8bd2d6abf
mul_fixed::short: Copy (magnitude, sign) instead of witnessing Scalar.
...
In the Orchard circuit, the short signed scalar is v_old - v_new,
which will be witnessed as two cells: a 64-bit magnitude, and a
sign that is +/- 1.
2021-07-15 20:46:51 +08:00
therealyingtong
426f954b1d
gadget::ecc.rs: Inline witness_scalar_* APIs.
...
Witness a scalar in the region where it is used for multiplication,
instead of witnessing it separately and then copying it in.
2021-07-15 20:46:46 +08:00
therealyingtong
32f28ed4b0
gadget::ecc.rs: Bound EccInstructions on UtilitiesInstructions.
2021-07-15 20:46:40 +08:00
therealyingtong
7b497c53a3
mul_fixed::base_field_elem: Use decompose_running_sum helper.
2021-07-15 20:46:22 +08:00
therealyingtong
ee062bae3d
gadget::utilities: Add decompose_running_sum helper.
...
This decomposes a field element into K-bit windows using a
running sum. Each step of the running sum is range-constrained.
In strict mode, the final output of the running sum is constrained
to be zero.
This helper asserts K <= 3.
2021-07-15 20:46:21 +08:00
str4d
f3c9b6cedc
Merge pull request #144 from zcash/bump-halo2
...
Migrate to latest `halo2::plonk::Circuit` API
2021-07-15 13:33:53 +01:00
Jack Grigg
ac70a6bfdf
test: Print Merkle path test circuit layout
...
Requires fixing an unnecessary unwrap in the test circuit's synthesis.
2021-07-15 11:25:22 +01:00
Jack Grigg
d47a7d2105
Migrate to latest halo2 Circuit APIs
...
- The `Circuit` trait now has a `FloorPlanner` associated type.
- `circuit_layout` has been replaced by `CircuitLayout`.
2021-07-15 11:22:25 +01:00
str4d
cc3e1ad0b4
Merge pull request #111 from zcash/ecc-mul
...
[ECC chip] Fixed- and variable-base scalar multiplication
2021-07-15 11:16:12 +01:00
therealyingtong
425ee6e038
Docfixes and minor refactors.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-15 12:27:12 +08:00
therealyingtong
b696163e31
mul.rs: Explain ordering of mul::incomplete advice columns.
2021-07-14 18:30:43 +08:00
Daira Hopwood
43ffa37740
[book] Nullifiers: the scalar is (...) mod p, not ... (mod p).
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-12 20:24:18 +01:00
Daira Hopwood
c76358769c
book/src/design/nullifiers.md: cosmetics (make the table fit).
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-12 20:20:00 +01:00
therealyingtong
2dd23f47b8
[book] Update constraints for short signed fixed-base mul.
...
Previously, we witnessed the magnitude of a short signed scalar
directly as three-bit windows. Now, we decompose and range-constrain
it using a running sum.
2021-07-12 11:58:32 +08:00
therealyingtong
0ade539441
utilities::tests::test_range_check(): Test range_check() helper.
...
Verify that this constraint fails when the witnessed value is out
of range.
2021-07-09 23:17:42 +08:00
ying tong
7b3a0c8a29
Merge pull request #54 from zcash/book-ecc-gadget
...
[book] Document ECC gadget in circuit
2021-07-09 22:18:16 +08:00
therealyingtong
6c41c72e66
utilities::range_check: Correct range_check expression
...
Previously, we were multiplying the expression by 0, which led it
to always evaluate to true.
2021-07-09 22:03:26 +08:00
therealyingtong
32ea1cce27
constants::util::evaluate(): Replace fold() with reduce().
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-09 10:42:45 +08:00
therealyingtong
8a9f8218e9
mul_fixed::base_field_elem: Remove double-enable of base_field_fixed_mul.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-09 10:23:40 +08:00
therealyingtong
d9f134ac4b
[book] Details and formatting changes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-07-09 10:09:10 +08:00
str4d
74df35ce89
Merge pull request #136 from nuttycom/total_merkle_crh_orchard
...
Implements the updated, total definition of MerkleCRH^Orchard
2021-07-09 02:26:10 +01:00
ying tong
2febafbdfe
Apply suggestions from code review
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: str4d <jack@electriccoin.co>
2021-07-08 16:40:44 +08:00
therealyingtong
ae4e54dce8
gadget::utilities: Add test cases for bitrange_subset() helper.
2021-07-08 16:29:07 +08:00
therealyingtong
5c38f53b58
mul::tests: Witness expected point and constrain result to be equal.
2021-07-08 15:17:52 +08:00