Kris Nuttycombe
4c7ab377fb
Make the DiversifierKey type crate-private
2022-02-14 17:04:38 -07:00
Kris Nuttycombe
ae3cc78a56
Add decryption of the diversifier index for an address to the IVK.
...
Also correct a spelling error.
2022-02-14 17:04:38 -07:00
str4d
4ae32ef98a
Merge pull request #282 from zcash/clone-unauthorized-bundle
...
Add `Clone` impls to various structs
2022-02-12 03:23:11 +00:00
Jack Grigg
c4cd541e6c
Add `Clone` impls to various structs
...
This enables `InProgress<Unproven, Unauthorized>: Clone`, which allows
the bundle returned by `Builder::build` to be cloned. In pure-Rust
wallets this should not be necessary, but it is required for `zcashd`
due to FFI-crossing.
2022-02-12 02:04:52 +00:00
Kris Nuttycombe
b7f66b48e6
Merge pull request #280 from nuttycom/decrypt_diversifier
...
Add diversifier index decryption to DiversifierKey
2022-02-11 14:51:54 -07:00
Kris Nuttycombe
8c96640826
Add diversifier index decryption to DiversifierKey.
2022-02-11 14:09:07 -07:00
Jack Grigg
c1447d6af2
Fix broken main branch
...
This was a non-code merge conflict between zcash/halo2#217 and main,
that caused CI to break after the PR merged.
2022-02-08 15:19:56 +00:00
Jack Grigg
ce301a6aa3
Shuffle spends and recipients before pairing them into Actions
...
Callers cannot assume that any specific output corresponds to a specific
Orchard recipient, and must trial-decrypt all outputs to find the ones
belonging to them. This is consistent with higher-layer semantics like
having Unified Addresses as recipients (where the mapping from recipient
to a specific output would become much more complex).
Closes zcash/orchard#203 .
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2022-02-07 22:37:37 +00:00
str4d
40491385c6
Merge pull request #217 from zcash/update-halo2-gadgets
...
Delete gadgets and introduce halo2_gadgets dependency.
2022-02-03 21:23:42 +00:00
therealyingtong
91e22e4f92
Use internal keys test vectors.
2022-02-01 18:55:21 +08:00
therealyingtong
9cf4e10d4f
Remove InternalSpendingKey, introduce FullViewingKey::rivk_internal.
2022-02-01 18:55:21 +08:00
therealyingtong
99119f04fa
Derive internal full viewing key.
2022-02-01 18:55:21 +08:00
therealyingtong
2412e83400
Derive internal spending key.
2022-02-01 18:55:21 +08:00
therealyingtong
dc7c699a4a
spec: Add PrfExpand::OrchardRivkInternal variant.
2022-02-01 18:55:21 +08:00
therealyingtong
f74cb9e4d3
Delete gadgets and their primitives; add `halo2_gadgets` dependency.
2022-01-29 01:57:01 +08:00
Jack Grigg
f300cea2c8
Fix clippy lints
...
These became stable lints between 1.51 and 1.54.
2022-01-28 23:00:00 +08:00
Jack Grigg
2b333d642c
pasta_curves 0.3
...
The MSRV is now 1.54.0, because reddsa 0.2.0 included a fix to its
nightly CI that inadvertently bumped its MSRV.
The `halo2` crate is now the `halo2_proofs` crate, but we're avoiding
the cross-repo crate rename until after `halo2_gadgets` is extracted.
This also brings in the 20% prover performance improvement from
zcash/halo2#447 .
2022-01-28 22:59:59 +08:00
therealyingtong
a2868262b3
Minor cleanups and fixes.
2022-01-28 00:45:44 +08:00
therealyingtong
91bc1edf8f
constants::sinsemilla: Remove Q_ and S_PERSONALIZATION.
...
These are part of the sinsemilla gadget and are not Orchard-specific.
They will live in primitives::sinsemilla.
2022-01-27 21:14:15 +08:00
therealyingtong
28f2d7a84b
Provide compute_lagrange_coeffs() functionality in ECCChip.
...
This involves moving helper functions from src/constants to a new
module, ecc::chip::constants.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2022-01-27 21:14:15 +08:00
therealyingtong
85b481af35
sinsemilla::merkle: Remove MERKLE_DEPTH constant.
2022-01-27 08:14:41 +08:00
therealyingtong
31259d089c
ecc::chip::mul_fixed: Reintroduce build_constants() closure for constants.
2022-01-27 08:11:52 +08:00
therealyingtong
f0e9daf722
gadget::ecc: Clean up bounds four FixedPointBaseField, FixedPointShort.
2022-01-27 08:10:18 +08:00
therealyingtong
191b5df0cb
circuit.rs: Tidy up imports.
2022-01-27 08:09:29 +08:00
therealyingtong
a5cfd2cfc6
circuit::gadget: Remove Orchard-specific names from gadget consts.
...
- L_ORCHARD_BASE -> pallas::Base::NUM_BITS,
- L_ORCHARD_SCALAR -> pallas::Scalar::NUM_BITS,
- L_VALUE -> L_SCALAR_SHORT,
- MERKLE_DEPTH_ORCHARD -> MERKLE_DEPTH.
2022-01-19 00:47:01 +08:00
therealyingtong
1a3cbeb896
Refactor src/constants and primitives::sinsemilla::constants.
2022-01-19 00:46:12 +08:00
therealyingtong
d37db53e0b
Implement utility functions inside `gadgets` module.
...
Instead of importing utility functions from the `orchard` crate,
the `gadgets` module now implements its own:
- lebs2ip
- i2lebsp
- decompose_word
2022-01-19 00:45:18 +08:00
therealyingtong
06ad0b6925
ecc: Introduce FixedPoints trait with Full, Base, Short associated types.
2022-01-19 00:43:52 +08:00
therealyingtong
5f8716d66a
gadget::sinsemilla: Move Orchard-specific inputs into src/circuit.
...
The sinsemilla submodules note_commit and commit_ivk are tailored
for input lengths specific to Orchard. They have been moved out of
the gadget folder and into the circuit folder.
This also involves changing the visibility of some getter functions
to be usable outside gadget::sinsemilla.
2022-01-19 00:43:52 +08:00
Jack Grigg
a83a0b3fd0
Migrate tests from `FieldExt::rand` to `Field::random`
...
These were missed in zcash/orchard#254 .
2022-01-18 14:30:55 +00:00
therealyingtong
d4d167c216
Use MockProver::FailureLocation in gadget unit tests.
...
This was introduced in halo2#433.
2022-01-05 21:30:45 +08:00
therealyingtong
5b26c7d67a
Pass rng to create_proof API.
...
As of halo2#444, all APIs now take `R: RngCore` arguments instead of
internally depending on `rand::rngs::OsRng`.
2022-01-05 21:30:45 +08:00
therealyingtong
f28edd886c
Remove .into() from arguments to enable_equality().
...
As of halo2#416, this is handled internally by the function.
2022-01-05 21:30:45 +08:00
str4d
54cdc051fe
Merge pull request #237 from zcash/orchard-mainnet-circuit
...
Orchard proposed mainnet circuit
2021-12-20 17:49:57 +00:00
Jack Grigg
d11fbd4a56
Remove `ValueSum::from_raw`
...
There is no reason for crate users to be constructing `ValueSum`
directly. We no longer use it to represent `valueBalanceOrchard`,
instead requiring the user to specify their own type.
2021-12-20 16:08:44 +00:00
Jack Grigg
04af08d343
Fix documentation of `orchard::value` module
...
Closes zcash/orchard#142 .
2021-12-20 16:05:33 +00:00
Jack Grigg
d84764f2db
Remove outdated doc comment on `MerkleHashOrchard`
...
Closes zcash/orchard#245 .
2021-12-20 15:24:48 +00:00
Jack Grigg
0e1220acc9
Merge branch 'main' into orchard-mainnet-circuit
2021-12-20 15:20:33 +00:00
Jack Grigg
369b99ee3f
Add `doc_cfg` annotations
2021-12-17 22:08:58 +00:00
Jack Grigg
4b0b32275f
Migrate to latest `zcash_note_encryption` API
2021-12-17 05:31:24 +00:00
str4d
b13b9677cf
Merge pull request #254 from zcash/pasta_curves-prep
...
Remove various usages of `FieldExt` methods
2021-12-16 12:07:50 +00:00
Jack Grigg
ab930e8866
sinsemilla: Simplify assertions in `MessagePiece::from_bitstring`
...
Also fixes some incorrect code comments.
Closes zcash/orchard#263 .
2021-12-15 22:15:00 +00:00
Jack Grigg
1be54d9f0d
Use `<= PrimeField::CAPACITY` instead of `< PrimeField::NUM_BITS`
2021-12-15 15:42:05 +00:00
Jack Grigg
5dd7de3cc7
Remove all uses of `PrimeField::Repr` in generic code
...
`PrimeField::from_repr` explicitly leaves the endianness opaque. We
therefore can't use it in places we were using `FieldExt::from_bytes`
(which was specifically little-endian) generically, but the previous
commit replaced it everywhere. We now handle generic contexts on a
case-by-case basis:
- Where we needed to convert bitstrings into field elements, we now use
double-and-add on the field elements directly instead of on bytes.
This is less efficient, but visible correct (and a future change to
the `ff` crate APIs could enable the more efficient version).
- `INV_TWO_POW_K`, which is pre-computed for `pallas::Base`, was being
incorrectly used in a field-generic circuit. We now compute it live.
- `test_zs_and_us` was only used in tests, and hard-coded a field
element encoding length of 32 bytes. It now uses Pallas concretely.
2021-12-15 15:28:32 +00:00
Jack Grigg
044844c0a0
Reject the identity in `SpendValidatingKey::from_bytes`
...
`ak_P` is not allowed to be the identity in the Orchard protocol. We
were enforcing this by construction in most places, except for the
parsing of an Orchard full viewing key.
Closes zcash/orchard#261 .
2021-12-15 13:48:59 +00:00
Jack Grigg
8fe178e433
poseidon: Seal the sponge modes
...
A sponge can only have two modes: absorbing, and squeezing.
2021-12-15 13:08:08 +00:00
str4d
5948a4977a
poseidon: Update code comments
...
Also fixes some clippy lints (public docs linking to private items).
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-12-15 13:04:54 +00:00
str4d
a64e2d64a8
poseidon: Remove `M: SpongeMode` from `PhantomData`
...
`M` was at one point only used as a type marker, but now it stores per-mode state.
Co-authored-by: ying tong <yingtong@z.cash>
2021-12-15 13:01:53 +00:00
Jack Grigg
423006b905
poseidon: Remove redundant additions when squeezing sponge
...
In the previous commit, we fixed a bug where padding was being added to
the state when the sponge was in squeezing mode. But there's no need to
assign a circuit region in which we add constant zeroes to the state :)
2021-12-10 02:40:41 +00:00
Jack Grigg
ae72813f77
poseidon: Fix padding to follow sponge construction
...
Sponge constructions pad the entire input message and then split it into
rate-sized chunks. The previous implementation was using an incorrect
duplex-like hybrid where padding was applied to each chunked input. We
now use an enum to distinguish message and padding words being absorbed
into the sponge.
This also fixes two previous bugs:
- If a `ConstantLength` hash had a length greater than the permutation's
rate but not a multiple of it, no padding would be generated and the
circuit would fail to create proofs.
- If a sponge usage required more output than the permutation's rate,
the squeeze-side permutations would in some cases incorrectly apply
padding, when it should instead use the prior state as-is. We now add
zeroes instead.
This change doesn't alter the Orchard circuit, because it doesn't need
any padding cells, only takes a single field element as output, and
padding is still assigned in the same region as before.
2021-12-10 02:40:41 +00:00
Jack Grigg
fdeb2fb817
poseidon: Add circuit test case that fails
...
This exposes a bug in the way padding was being handled by the invalid
sponge-duplex hybrid construction.
2021-12-10 02:40:41 +00:00
Jack Grigg
bfc65d5985
poseidon: Remove `self` parameter from `Domain` trait methods
...
For almost all the sponge constructions defined in the Poseidon paper,
the domain can be defined completely statically. Variable-length hashing
requires knowledge of the message length, but that can be provided to
the fixed padding function in a subsequent commit, and in any case we
can't use variable-length inputs in a circuit.
2021-12-10 02:40:33 +00:00
Jack Grigg
9f654005c7
poseidon: Replace the `Duplex` struct with a `Sponge` struct
...
The `Sponge` struct's API correctly enforces the properties of a sponge:
it can absorb an arbitrary number of elements, and then squeeze an
arbitrary number of elements, but cannot absorb after it has squeezed.
Co-authored-by: ying tong <yingtong@z.cash>
2021-12-10 02:40:32 +00:00
Jack Grigg
b827298d42
poseidon: Rename `SpongeState` to `SpongeRate`
2021-12-09 17:19:05 +00:00
Jack Grigg
0378898289
Replace `FieldExt::{from, to}_bytes` with `PrimeField::{from, to}_repr`
2021-12-09 15:39:37 +00:00
Jack Grigg
6f0cab5ffd
Replace `FieldExt::from_u64` with `PrimeField: From<u64>`
2021-12-09 15:38:36 +00:00
Jack Grigg
a4135dde24
ecc::chip: Fix `print_ecc_chip`
...
The ECC test chip performs various checks that assume the chip will only
be synthesized with witnesses. This assumption is broken by the chip
printer test, so we fix the assumption here.
2021-12-09 00:49:01 +00:00
Jack Grigg
6b84d0955a
Fix "complex type" clippy lints
2021-12-08 04:11:57 +00:00
Jack Grigg
a44253acc7
ecc::chip: Define a `MagnitudeSign` type alias
...
This fixes some "complex type" clippy lints, and also will make it
easier to change it to a better-typed struct later.
2021-12-08 02:23:51 +00:00
Jack Grigg
bacdf67428
Remove the `CellValue` type
...
In order to make the changeover easier to review, we redefined
`CellValue<F>` to be `AssignedCell<F, F>`. Now we remove that type and
rename throughout the codebase.
2021-12-08 02:10:17 +00:00
Jack Grigg
65a89f099b
Replace `gadget::utilities::copy` with `AssignedCell::copy_advice`
...
Also replaces other copy-advice implementations that weren't using
`copy`.
2021-12-08 01:50:02 +00:00
Jack Grigg
3079800f42
Remove `Var::new` trait method
...
As the underlying `Region` methods now return `AssignedCell` instead of
`Cell`, we can simplify all the places where we then constructed a
`CellValue` struct.
2021-12-08 01:48:17 +00:00
Jack Grigg
9b41a06363
Migrate to halo2 version with `AssignedCell`
...
We change `CellValue` into a typedef of `AssignedCell` to simplify the
migration in this commit.
The migration from `CellValue` to `AssignedCell` requires several other
changes:
- `<CellValue as Var>::value()` returned `Option<F>`, whereas
`AssignedCell::<F, F>::value()` returns `Option<&F>`. This means we
need to dereference, use `Option::cloned`, or alter functions to take
`&F` arguments.
- `StateWord` in the Poseidon chip has been changed to a newtype around
`AssignedCell` (the chip was written before `CellValue` existed).
2021-12-08 01:45:00 +00:00
Jack Grigg
5cb838f1a2
circuit: Remove `Copy` impl from `poseidon::pow5::StateWord`
...
We will be making it a newtype around `halo2::circuit::AssignedCell`,
which does not impl `Copy`.
2021-12-08 01:44:09 +00:00
Jack Grigg
e99fc92e4b
circuit: Use `Field::is_zero_vartime`
2021-12-08 01:44:08 +00:00
Jack Grigg
50b4600a1a
circuit: Remove `Copy` impl from `CellValue`
...
We will be replacing it with `halo2::circuit::AssignedCell`, which does
not impl `Copy`.
2021-12-08 01:43:00 +00:00
str4d
55567f31ed
Merge pull request #248 from zcash/ecc-config-refactor
...
circuit: Refactor `EccConfig` away from `impl From<EccConfig>`.
2021-12-08 01:40:14 +00:00
str4d
a38e2ff728
Ensure lo and hi incomplete ranges line up
...
The previous code assumed that `pallas::Scalar::NUM_BITS` was odd, which is true, but might not remain so after a future generalisation refactor.
2021-12-08 01:00:18 +00:00
Jack Grigg
fe7796b884
circuit: Ensure that the real proof length matches calculated length
2021-12-06 19:44:44 +00:00
Jack Grigg
e2c300368b
circuit: Pin the proof size
...
This is to ensure that if any future circuit changes are made, their
effect on the proof size (if any) will be noticed.
2021-12-06 18:01:55 +00:00
str4d
42ad193b58
Merge pull request #247 from zcash/ternary-expr
...
circuit: Introduce ternary expression helper.
2021-12-06 17:32:35 +00:00
therealyingtong
a09173a331
ecc::chip: Remove chip-level permutation.
...
We have now refactored away from the impl From<EccConfig> pattern
so that each sub-config can equality-enable the columns they need.
2021-12-04 04:45:06 +00:00
therealyingtong
c00ee1707e
mul_fixed::base_field_elem: Refactor base_field_elem::Config.
...
This commit does not result in circuit changes.
2021-12-04 04:45:06 +00:00
therealyingtong
687e220c36
mul_fixed::short: Refactor short::Config.
...
This commit does not result in circuit changes.
2021-12-04 04:45:06 +00:00
therealyingtong
165c9b6941
mul_fixed::full_width: Refactor full_width::Config.
...
This commit does not result in circuit changes.
2021-12-04 04:45:06 +00:00
therealyingtong
f472a16b32
chip::mul_fixed: Move running_sum_config into mul_fixed::Config.
2021-12-04 04:45:06 +00:00
therealyingtong
1a7e832ed4
chip::mul_fixed: Refactor mul_fixed::Config.
...
This commit does not introduce circuit changes.
2021-12-04 04:45:06 +00:00
therealyingtong
a7dad1d611
chip::mul: Refactor mul::Config.
...
This commit does not introduce additional circuit changes.
2021-12-04 04:45:05 +00:00
therealyingtong
440cd14dbb
mul::overflow: Refactor overflow::Config.
...
This is only used in chip::mul::Config. In a subsequent commit,
this will be configured from mul::Config instead of from
ecc::chip::Config.
This commit does not result in circuit changes.
2021-12-04 04:44:41 +00:00
therealyingtong
931d61a863
mul::complete: Refactor complete::Config.
...
This is only used in chip::mul::Config. In a subsequent commit,
this will be configured from mul::Config instead of from
ecc::chip::Config.
This commit does not result in circuit changes.
2021-12-04 04:41:52 +00:00
therealyingtong
22f57005a9
mul::incomplete: Refactor incomplete::Config.
...
This is only used in chip::mul::Config. In a subsequent commit,
this will be configured from mul::Config instead of from
ecc::chip::Config.
This commit does not result in circuit changes.
2021-12-04 04:39:41 +00:00
Jack Grigg
0ede6b2301
mul::Config: Reorder gate definitions
...
We are about to extract the sub-configs from mul::Config and refactor
them. Doing so would have moved their gate definitions past the one gate
that isn't created in a sub-config. Reordering the definitions here will
make the subsequent refactor diffs simpler to review.
2021-12-04 04:38:08 +00:00
therealyingtong
2ec480ef6b
utilities::lookup_range_check: Derive Copy for LookupRangeCheckConfig.
2021-12-02 14:55:37 -05:00
therealyingtong
4fe6fb8bf2
chip::add: Refactor add::Config.
...
This is also used in mul and mul_fixed.
2021-12-02 14:55:36 -05:00
therealyingtong
13faedc7cc
chip::add_incomplete: Refactor add_incomplete::Config.
...
This is also used in mul_fixed.
2021-12-02 14:54:13 -05:00
therealyingtong
9d8fee29c7
chip::witness_point: Refactor witness_point::Config.
2021-12-02 14:51:33 -05:00
str4d
d8690b8985
Merge pull request #236 from zcash/bench-poseidon-2
...
Benchmark Poseidon gadget for rates {2, 8, 11}
2021-12-01 15:57:55 +00:00
ying tong
b02628d263
Apply suggestions from code review
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-12-01 09:31:53 -05:00
therealyingtong
76c8bb9711
utilities::cond_swap: Use ternary helper in cond_swap.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-11-30 20:36:13 -05:00
Jack Grigg
37f1bba998
Remove `PartialEq, PartialOrd` impls from `{Extended}SpendingKey`
2021-11-30 23:25:35 +00:00
Jack Grigg
674ceb54c8
`impl ConstantTimeEq for {Extended}SpendingKey`
2021-11-30 23:24:50 +00:00
therealyingtong
1a7a1255c8
mul::complete.rs: Use ternary helper in complete addition part of variable-base scalar mul.
2021-11-30 13:02:25 -05:00
therealyingtong
9513efd6f3
ecc::chip::mul.rs: Use ternary helper in variable-base scalar mul.
2021-11-30 12:52:15 -05:00
therealyingtong
ba75da27bb
gadget::utilities: Introduce ternary expression helper.
2021-11-30 10:39:01 -05:00
therealyingtong
421891f065
Benchmark proof creation and verification for RATE = 2, 8, 11.
2021-11-30 10:03:49 -05:00
therealyingtong
9b76556503
poseidon: Make gadget tests generic over WIDTH, RATE
2021-11-30 10:03:49 -05:00
therealyingtong
b63c868591
poseidon: Make Spec trait methods not take (&self) parameter.
2021-11-30 10:02:16 -05:00
therealyingtong
409bbf36a0
mul::complete: Replace k_minus_one with one_minus_k.
2021-11-29 21:45:49 -05:00
therealyingtong
303bdc3f65
Replace local bool_check expressions with utilities::bool_check().
2021-11-29 21:45:48 -05:00
therealyingtong
4fb434f88d
gadget::utilities: Use range_check in bool_check.
2021-11-29 20:50:31 -05:00
therealyingtong
36f1d18705
gadget::utilities: Use N - x in range_check.
2021-11-29 20:50:31 -05:00
str4d
68b790c7da
Merge pull request #239 from nuttycom/di_from_bytes
...
Add construction of DiversifierIndex directly from bytes.
2021-11-29 17:46:44 +00:00
Jack Grigg
99d03e0d25
Migrate to latest halo2 revision
2021-11-26 16:24:26 +00:00
Kris Nuttycombe
14c4b40dfc
Add construction of DiversifierIndex directly from bytes.
2021-11-24 18:09:25 -07:00
therealyingtong
9bb29018ac
poseidon::pow5: Undo circuit change.
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-11-23 15:38:55 -05:00
ying tong
79123629da
Docfixes and minor refactors.
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-11-23 15:29:56 -05:00
therealyingtong
fe1bc97ab4
Generalise Pow5T3 chip to be generic over WIDTH, RATE.
2021-11-19 00:50:04 -05:00
therealyingtong
0417e233c3
poseidon: Return CellValue from squeeze()
2021-11-19 00:04:27 -05:00
therealyingtong
de37248749
Allow passing CellValue as input word to Poseidon gadget.
...
Update circuit description.
2021-11-18 23:47:57 -05:00
ying tong
dfcea20569
Merge pull request #218 from zcash/zcash_note_encryption-batchdomain
...
Migrate to `zcash_note_encryption::BatchDomain`
2021-11-17 15:13:57 +01:00
str4d
465afd162e
Merge pull request #229 from zcash/228-fix-ivk-to_bytes
...
Fix `IncomingViewingKey::to_bytes`
2021-11-17 13:30:54 +00:00
Jack Grigg
8c018eff7e
Migrate to `zcash_note_encryption::BatchDomain`
2021-11-17 12:15:21 +00:00
Jack Grigg
235cd791b4
Fix `IncomingViewingKey::to_bytes`
...
`slice::copy_from_slice` panics if the source and destination slices are
not the same length.
Closes zcash/orchard#228 .
2021-11-17 12:12:20 +00:00
Deirdre Connolly
568e24cd5f
Derive Clone for circuit::Instance
2021-11-04 23:30:57 -04:00
Deirdre Connolly
7412dfe79a
Update src/circuit.rs
...
Co-authored-by: str4d <thestr4d@gmail.com>
2021-11-04 17:54:30 -04:00
Deirdre Connolly
e51e92e848
Add `orchard::circuit::Instance::from_parts()`
2021-11-03 23:24:54 -04:00
therealyingtong
c61524ea29
p128pow5t3::tests: Extract verify_constants_helper.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-10-12 11:58:27 +02:00
therealyingtong
2c97e56da7
Add hash() and permute() test vectors for Poseidon over Fq.
2021-10-12 11:58:27 +02:00
therealyingtong
f5775b6c6d
p128pow5t3.rs: Test against reference input for Fq field modulus.
2021-10-12 11:58:27 +02:00
therealyingtong
4eb4c57827
Impl Spec for P128Pow5T3 over Fq.
2021-10-12 11:58:27 +02:00
therealyingtong
764c445a81
Rename poseidon::nullifier -> poseidon::p128pow5t3.
2021-10-12 11:58:27 +02:00
therealyingtong
8e00f69d63
primitives::poseidon: Add constants for Fq field modulus.
2021-10-12 11:58:27 +02:00
str4d
2c8241f25b
Merge pull request #209 from zcash/circuit-bugfixes
...
Circuit bugfixes
2021-09-29 10:06:25 +13:00
Jack Grigg
631182fb77
Update selector columns in expected-failure tests
...
The addition of the non-identity selector caused the layouter to reorder
some of the selectors in the ECC gadget test circuit.
2021-09-28 21:49:06 +01:00
Daira Hopwood
d77cb82c8d
Apply suggestions from code review
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-09-28 21:09:39 +01:00
Jack Grigg
d0056d9050
Test that we can't witness the identity as a NonIdentityPoint
2021-09-28 21:00:29 +01:00
Sean Bowe
ebfd919abc
Update circuit description.
2021-09-28 20:31:32 +01:00
str4d
aec3b1d52d
Remove unnecessary clones in closure
2021-09-28 20:31:32 +01:00
therealyingtong
52f53f3425
Remove IsIdentity trait from public EccInstructions.
...
We only need is_identity() in tests and can implement it on the
concrete EccPoint type. This method is flagged off by #[cfg(test)].
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 20:31:32 +01:00
therealyingtong
c80ccba801
Witness cm_old using Point::new().
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 20:31:32 +01:00
therealyingtong
b0de6afd7c
Reintroduce Point::new() API and constraints.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 20:31:32 +01:00
Jack Grigg
751277cdb2
Remove `EccInstructions::NonIdentityPoint: TryFrom<Self::Point>` bound
...
After the previous commit, this is no longer used anywhere. Additionally
it was not enforcing the conversion in the circuit, which could lead to
circuit implementation mistakes.
2021-09-28 13:13:25 -06:00
Jack Grigg
97c27e3d5a
Use complete addition in SinsemillaCommit
...
This is necessary because the blinding factor r can be zero with greater
than negligible probability in an adversarial case, which with incomplete
addition would cause the circuit to compute a commitment that is not on
the curve.
2021-09-28 13:13:25 -06:00
therealyingtong
8c8a12a8df
Minor fixes.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-09-28 13:13:25 -06:00
therealyingtong
fa560d3aee
Replace is_identity() instruction with IsIdentity trait.
2021-09-28 13:13:25 -06:00
therealyingtong
4a13ab4f6b
Docfixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 13:13:25 -06:00
Daira Hopwood
6b6b515232
`hash_to_point` should return `Result<(Self::NonIdentityPoint, Vec<Self::RunningSum>), Error>`
...
because any exceptional case is treated as an error, and therefore the identity cannot be returned.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 13:13:25 -06:00
therealyingtong
8ad3003e27
Remove Point::new() API and introduce is_identity() instruction.
...
Also remove the q_point selector and gate from the circuit.
2021-09-28 13:13:25 -06:00
therealyingtong
ec27989b9b
Clippy and formatting fixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 13:13:25 -06:00
therealyingtong
a5a6e78d42
src/circuit.rs: Use NonIdentityPoint for all witnessed points.
...
The witnessed points are cm_old, g_d_old, pk_d_old, ak.
g_d_new and pk_d_new are currently also witnessed as affine points,
which diverges from the spec.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 13:13:25 -06:00
therealyingtong
cdcfcbc0c2
gadget::sinsemilla: Propagate changes to the Sinsemilla gadget.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 13:13:25 -06:00
therealyingtong
258fe5796b
ecc::chip: Propagate changes to sub-chips.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 13:13:25 -06:00
therealyingtong
df26a6c674
chip::witness_point.rs: Constraints for non-identity point.
...
The point_non_id() method returns an error if the given point is
the identity.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 13:13:25 -06:00
therealyingtong
88eb762cf2
ecc::chip.rs: Introduce NonIdentityEccPoint struct.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 13:13:25 -06:00
therealyingtong
f5ed26790a
gadget::ecc: Introduce NonIdentityPoint associated type and gadget.
...
The add_incomplete() and mul() APIs have been removed from the
Point gadget, since we cannot perform incomplete addition or
variable-base scalar multiplication on the identity.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-09-28 13:13:25 -06:00
str4d
05f3226314
Merge pull request #206 from defuse/comment-fixes
...
Correct a couple comments
2021-09-29 08:13:08 +13:00
Sean Bowe
f9aa765787
Add test against hardcoded pinned verification key
2021-09-28 12:54:13 -06:00
Taylor Hornby
63a1c9d08e
Correct a couple comments
2021-09-27 20:52:16 -06:00
therealyingtong
1f2132a8c0
Use correct MERKLE_DEPTH_ORCHARD in proptests.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-09-16 21:37:59 +02:00
therealyingtong
d47c157ae0
Replace arb_tree proptest with incrementalmerkletree impl.
2021-09-16 20:50:27 +02:00
therealyingtong
2c551db32b
Use gen_const_array_with_default where possible.
2021-09-16 18:20:51 +02:00
therealyingtong
291400ec33
Rename MerkleCrhOrchardOutput -> MerkleHashOrchard.
2021-09-16 15:38:01 +02:00
therealyingtong
e9dc2f747f
Move hash_with_l() logic into MerkleCrhOrchardOutput::combine().
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-09-16 15:37:22 +02:00
therealyingtong
58de805a13
sinsemilla::merkle.rs: Use tree::MerklePath::root in tests.
2021-09-16 15:36:24 +02:00
therealyingtong
f75f890a64
Update tree::MerklePath::root to be total.
2021-09-16 15:36:24 +02:00
Jack Grigg
414eef3ce5
memuse 0.2
2021-09-14 20:40:15 +01:00
Kris Nuttycombe
4488288ac0
Merge pull request #198 from zcash/merkle-path-test-vectors
...
Add Merkle path test vectors
2021-09-14 07:22:28 -06:00
str4d
3dd2a1872a
Merge pull request #169 from zcash/circuit-constraint-refinements
...
Circuit constraint refinements to reduce proof size
2021-09-14 02:05:41 +01:00
Jack Grigg
29a4bbcbc1
Add Merkle path test vectors
2021-09-14 00:15:39 +01:00
Daira Hopwood
ee44d2ccf0
Apply suggestions from code review
2021-09-07 02:45:10 +01:00
Daira Hopwood
97e18a8190
Apply suggestions from code review
2021-09-07 00:56:22 +01:00
Daira Hopwood
faddaf9e30
note_commit.rs: make two_pow_* definitions more consistent.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-07 00:52:37 +01:00
Jack Grigg
8c82ceecbf
ff 0.11, group 0.11, pasta_curves 0.2 etc.
2021-09-06 20:39:43 +01:00
Jack Grigg
7fad21e7d6
Switch to `memuse` crate for measuring heap allocations
2021-09-05 01:33:27 +01:00
Daira Hopwood
c24c67d5f0
cargo fmt
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-01 14:11:08 +01:00
Kris Nuttycombe
e4a54cdf61
Improve error handling in zip32 APIs.
2021-08-31 16:49:58 -06:00
therealyingtong
c3e24794f0
zip32.rs: master and child key derivation for ExtendedSpendingKey
2021-08-31 15:49:32 -06:00
Kris Nuttycombe
77be355912
Apply suggestions from code review
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: ying tong <yingtong@z.cash>
2021-08-23 11:29:07 -06:00
Kris Nuttycombe
0449edd5b8
Validate the sign of the y-coordinate for ak when deserializing.
2021-08-23 11:29:07 -06:00
Kris Nuttycombe
43abadfb55
Adds decryption for a specific index within a bundle.
2021-08-23 11:29:07 -06:00
Kris Nuttycombe
c406461f64
Expose inner representation of NoteValue
2021-08-23 11:29:07 -06:00
Kris Nuttycombe
872f337811
Expose SpendingKey byte representation.
2021-08-23 11:29:07 -06:00
Kris Nuttycombe
c803114bf6
Go ahead and clone IVKs to limit borrowing hassles.
2021-08-23 11:29:07 -06:00
Kris Nuttycombe
d8bf892c72
Return key used to decrypt an output along with decrypted note contents.
2021-08-23 11:29:07 -06:00
Kris Nuttycombe
5d78ab3508
Add Eq and Ord implementations for Orchard keys.
2021-08-23 11:29:06 -06:00
Kris Nuttycombe
52f0f158ef
Add serialization and parsing of full viewing keys.
2021-08-23 11:28:27 -06:00
Kris Nuttycombe
1fd00e6236
Add raw address serialization and parsing.
2021-08-23 11:28:27 -06:00
Kris Nuttycombe
e33cd4ade4
Add trial decryption of actions to Bundle
2021-08-23 11:28:25 -06:00
Kris Nuttycombe
77cf4c9831
Implement IncomingViewingKey::to_bytes
2021-08-23 11:27:02 -06:00
str4d
f2400baa01
Improve NoteCommit input value gate doc
...
Brings it in line with the other gate docs.
Co-authored-by: ying tong <yingtong@z.cash>
2021-08-19 14:35:56 +01:00
str4d
bac22d9b19
clippy: Remove redundant clones
...
Co-authored-by: ying tong <yingtong@z.cash>
2021-08-19 14:34:15 +01:00
str4d
ac900148ed
Fix typo in gate documentation
...
Co-authored-by: ying tong <yingtong@z.cash>
2021-08-19 14:33:52 +01:00
str4d
b4a82211ce
Merge pull request #184 from zcash/poseidon-domain-spec
...
poseidon::Domain: Remove Spec trait bound.
2021-08-17 12:55:01 +01:00
str4d
cb28e00ebd
Merge pull request #178 from zcash/batch-note-decryption
...
Speed up batched note decryption
2021-08-13 14:27:41 +01:00
Jack Grigg
79988a5317
Move the interpolation logic into `SharedSecret::batch_to_affine`
...
This makes the method interface clearer, as the same pattern of shared
secrets is returned as was provided.
2021-08-13 14:27:20 +01:00
therealyingtong
1f852544cf
poseidon::Domain: Remove Spec trait bound.
...
The methods in the Domain trait are not generic over Spec.
2021-08-13 14:47:02 +08:00
str4d
4e33fe7aec
Use correct symbol for incomplete addition
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-08-12 21:34:35 +01:00
str4d
459e68b71e
Fix clippy lint
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-08-12 21:32:14 +01:00
Jack Grigg
9f3c9a7e60
Use mixed addition for Sinsemilla bases
...
Performance improvements:
- MerkleCRH: ~5%
- Commit^ivk: ~1%
- NoteCommit: ~3%
2021-08-12 15:45:00 +01:00
Jack Grigg
6197a0ef62
Use `group::Wnaf` to accelerate `sinsemilla::CommitDomain::commit`
...
Performance improvements:
- Commit^ivk: ~31%
- NoteCommit: ~22%
2021-08-12 15:45:00 +01:00
str4d
5f0c3b3585
Merge pull request #179 from zcash/sinsemilla-bases
...
primitives::sinsemilla: Use hard-coded generators in sinsemilla_s.
2021-08-12 15:18:38 +01:00
therealyingtong
92a7e20d30
Remove sinsemilla_s_generators() function.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-08-12 20:54:51 +08:00
Jack Grigg
c79acc0e08
Fix length of output Vec for `SharedSecret::batch_to_affine`
...
It was too long, and `group::Curve::batch_normalize` panics if its
inputs are not the same length (which would be the case if a batch
included an output with an invalid `ephemeral_key`).
2021-08-12 13:40:56 +01:00
therealyingtong
a9e96eb0a4
sinsemilla_s: Add documentation.
2021-08-12 16:15:24 +08:00
therealyingtong
995728caa6
primitives::sinsemilla: Use hard-coded generators in sinsemilla_s.
2021-08-12 15:45:14 +08:00
Jack Grigg
8e13986101
Implement `Domain::batch_epk` for note decryption
...
Improves throughput of batched trial decryption by around 10%.
2021-08-12 01:36:38 +01:00
Jack Grigg
8c15cc25be
Benchmark batch trial decryption
2021-08-12 01:36:38 +01:00
Jack Grigg
0d306d18aa
Expose and benchmark Poseidon
2021-08-10 13:44:04 +01:00
Jack Grigg
08b279b900
Expose and benchmark Sinsemilla primitive
2021-08-10 13:39:14 +01:00
therealyingtong
e62cfaa398
ExtractedNoteCommitment::from_bytes: Document cmx canonicity.
2021-08-09 20:11:27 +08:00