therealyingtong
e75c176181
mul::incomplete.rs: Make offsets more intuitive
2021-07-07 23:10:59 +08:00
therealyingtong
4d69dec00f
mul::incomplete.rs: Constrain first and last y_a values.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-07-07 23:10:59 +08:00
therealyingtong
b363492a35
ecc::chip.rs: Introduce circuit-wide "constants" fixed column
...
At certain points in the circuit, we need to constrain cells in
advice columns to equal a fixed constant. Instead of defining a
new fixed column for each constant, we pass around a single
shared by all chips, that is included in the permutation over all
advice columns.
This lets us load all needed constants into a single column and
directly constrain advice cells with an equality constraint.
2021-07-07 23:10:59 +08:00
therealyingtong
69d6629ac6
chip::mul.rs: Enforce LSB if/else condition
...
On the LSB of the scalar, we assign a point (x,y) = (x_p, -y_p)
if LSB = 0, and (0,0) otherwise. This if/else condition must be
enforced.
Co-authored-by: Sean Bowe <ewillbefull@gmail.com>
2021-07-07 23:10:59 +08:00
Jack Grigg
e726fee19b
mul_fixed: Avoid computing fixed constants during proving
...
This decreases proving time in the Action circuit by 17%.
2021-07-07 23:10:59 +08:00
Jack Grigg
b15343f6f7
Add `OrchardFixedBasesFull::{generator, u}` methods
...
Using these in `OrchardFixedBases::{generator, u}` instead of the
`impl From<OrchardFixedBasesFull> for OrchardFixedBase` means we avoid
computing the Lagrange coefficients for the generator (which were then
immediately dropped).
This decreases proving time in the Action circuit by 53%.
2021-07-07 23:10:59 +08:00
therealyingtong
09b4da197d
base_field_elem.rs: Support fixed-base mul using base field element.
...
In Orchard nullifier derivation, we multiply the fixed base
K^Orchard by a value encoded as a base field element. This commit
introduces an API that allows using a base field element as the
"scalar" in fixed-base scalar multiplication.
The API currently assumes that the base field element is output by
another instruction (i.e. there is no instruction to directly
witness it).
2021-07-07 23:10:59 +08:00
therealyingtong
37074c64f5
mul_fixed::short: Check that last window is either 0 or 1.
...
The magnitude of the short signed scalar must be 64 bits. We decompose
the magnitude into 22 3-bit windows and check that each window is in
the 3-bit range.
However, since the first 21 windows have already accounted for 63 bits,
the last window is constrained to be a single bit.
2021-07-07 23:10:59 +08:00
therealyingtong
747f71ca80
constants.rs: Add unit tests for T_P, T_Q constants.
2021-07-07 23:10:59 +08:00
therealyingtong
5ae9890913
mul::overflow.rs: Overflow check in variable-base scalar mul
...
Simplify the canonicity check for variable-base scalar multiplication,
by range-checking the low 130 bits rather than the low 127 bits.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: ying tong <yingtong@z.cash>
2021-07-07 23:10:59 +08:00
therealyingtong
a3ca27b756
ecc::tests: Add tests for variable- and fixed-base scalar mul.
2021-07-07 23:10:59 +08:00
therealyingtong
ae25310385
chip::mul_fixed.rs: Implement fixed-base scalar mul instruction.
...
Fixed-base scalar mul makes use of the add_incomplete and add
instructions internally. The full-width and short signed share
some common logic, which is captured in chip::mul_fixed.rs.
The signed short variant introduces additional logic to handle
the scalar's sign. This is done in the submodule mul_fixed::short.
2021-07-07 23:10:59 +08:00
therealyingtong
a263774abf
chip::witness_scalar_fixed.rs: Implement witness_scalar_fixed instruction.
...
A scalar used in fixed-base scalar mul needs to be decomposed into
windows to use with the fixed-base window table. Both full-width
and short signed scalars share some logic (captured in the function
decompose_scalar_fixed()).
A short signed scalar introduces additional logic: its magnitude is
decomposed, and its sign is separately witnessed. This is handled
in the submodule witness_scalar_fixed::short.
2021-07-07 23:10:59 +08:00
therealyingtong
cc9dd20536
chip::mul.rs: Implement variable-base scalar mul instruction.
...
This uses the complete addition instruction internally. The module
is split up into mul::incomplete.rs and mul::complete.rs, where
mul::incomplete handles the incomplete additions used in the
starting rounds of the variable-base scalar mul algorithm, and
mul::complete handles the complete additions in the final rounds.
Incomplete additions are broken into "hi" and "lo" halves and
processed on the same rows across different columns. This is an
optimization to make full use of the advice columns in this
instruction.
2021-07-07 23:10:59 +08:00
therealyingtong
64a2b02d42
ecc::chip.rs: Witness scalar for variable-base scalar mul
2021-07-07 23:10:59 +08:00
therealyingtong
0f60a81485
ecc::chip.rs: Add EccScalarFixed, EccScalarFixedShort structs
2021-07-07 23:10:59 +08:00
Kris Nuttycombe
64c5b25d1c
Rename OrchardIncrementalTreeDigest to MerkleCrhOrchardOutput
2021-07-01 12:09:24 -06:00
Kris Nuttycombe
fd94759fab
Implements the updated, total definition of MerkleCRH^Orchard
...
See https://github.com/zcash/zips/pull/530
2021-07-01 12:09:24 -06:00
Kris Nuttycombe
aa0c0ecbec
Implement ZIP-244 txid and authorizing commitments.
2021-07-01 10:10:24 -06:00
Kris Nuttycombe
ab2622f59c
Make note encryption OrchardDomain type public.
2021-06-30 12:47:37 -06:00
Kris Nuttycombe
234eed9cbb
Update src/note_encryption.rs
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-06-30 11:58:28 -06:00
Kris Nuttycombe
1e95360a74
Add for_action method for constructing an OrchardDomain
2021-06-30 11:21:07 -06:00
therealyingtong
74456acea1
primitives::sinsemilla.rs: Document panic in hash()
...
Document that hash() panics if a message is longer than K * C.
2021-06-30 20:01:05 +08:00
therealyingtong
ba7e1892de
Minor fixes involving constants.
...
- document that find_zs_and_us is not meant to be used anywhere
- use F::zero() instead of F::default() in constants/util.rs
- use personalisations from constants in spec.rs
2021-06-30 20:00:36 +08:00
str4d
bb159a2ccf
Merge pull request #98 from zcash/merkle-chip
...
Merkle hash chip
2021-06-29 23:09:15 +01:00
Jack Grigg
7c38f149ac
rustfmt
2021-06-29 22:46:07 +01:00
str4d
cbded2b821
Optimize transpose_option_array
2021-06-29 22:43:50 +01:00
str4d
8dfcd7d49b
Remove unused lookup_config in MerkleConfig
2021-06-29 22:41:01 +01:00
str4d
9f1bd64fe9
Merge pull request #133 from zcash/patch-sinsemilla
...
Introduce `LookupRangeCheckConfig`s for each Sinsemilla advice column
2021-06-29 10:43:30 +01:00
str4d
3ecd0a122c
Merge pull request #132 from zcash/patch-lookup-range-check
...
Add short range check to `lookup_range_check` util
2021-06-29 10:38:14 +01:00
therealyingtong
3806a9d6f0
Further cleanups and docfixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-29 12:08:31 +08:00
therealyingtong
d68eb6583d
Docfixes, variable renames, cleanups
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-29 12:08:31 +08:00
therealyingtong
32e564a963
Constrain b_1 + 2^5 b_2 = z1_b in decomposition gate.
2021-06-29 12:08:31 +08:00
therealyingtong
db45c81ea6
sinsemilla::merkle.rs: Add test for MerkleChip.
2021-06-29 12:08:31 +08:00
therealyingtong
f30de79fc6
sinsemilla::merkle.rs: Implement MerkleInstructions for MerkleChip.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-29 12:08:31 +08:00
therealyingtong
569eb4baa6
sinsemilla::merkle.rs: Configure MerkleChip
...
MerkleChip::configure() takes a SinsemillaConfig as input.
2021-06-29 12:08:31 +08:00
therealyingtong
6976e2baeb
sinsemilla::merkle.rs: Derive SinsemillaInstructions, CondSwapInstructions for MerkleChip
2021-06-29 12:08:31 +08:00
therealyingtong
68878d88b1
sinsemilla::merkle.rs: Add MerkleChip
2021-06-29 12:08:31 +08:00
therealyingtong
d090da0159
sinsemilla::merkle.rs: Add MerkleInstructions.
...
This has three const generic parameters: PATH_LENGTH, K, MAX_WORDS.
PATH_LENGTH is the length of the Merkle path being hashed. K and
MAX_WORDS parameterize the internal Sinsemilla instance used in
hashing the path.
2021-06-29 12:08:31 +08:00
therealyingtong
1ac3541505
Add spec::i2lebsp and constants::MERKLE_DEPTH_ORCHARD
2021-06-29 12:07:49 +08:00
therealyingtong
12cef17559
Cleanups and minor refactors.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-29 12:02:54 +08:00
ying tong
209e6a1132
Docfixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: str4d <jack@electriccoin.co>
2021-06-29 09:51:02 +08:00
Jack Grigg
3badd42d15
nonempty 0.7
...
We can now correctly measure the heap-allocated memory used by a bundle.
2021-06-28 20:57:49 +01:00
str4d
1f861423c2
Merge pull request #122 from nuttycom/incremental_merkle_tree
...
Add Orchard incremental merkle tree digests.
2021-06-28 19:12:13 +01:00
Jack Grigg
9bf066ef8b
rustfmt
2021-06-28 18:48:58 +01:00
str4d
93ab753b8c
Apply string fixes from code review
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-28 18:47:02 +01:00
Kris Nuttycombe
ffafb6308c
Fix clippy complaints.
2021-06-28 10:56:25 -06:00
Kris Nuttycombe
0d078c8a90
Rustfmt
2021-06-28 10:01:13 -06:00
therealyingtong
9b47bd0db4
sinsemilla::tests: Use separate constants columns for chips.
...
To be replaced by the public inputs API.
2021-06-25 15:07:27 +08:00
therealyingtong
2ec30943b3
Configure each Sinsemilla advice column for use with a K-bit lookup.
...
Inputs to Sinsemilla often need to be decomposed and range-constrained.
2021-06-25 15:07:27 +08:00
therealyingtong
bdcdb8ac13
Move witness_message() and witness_message_piece_bitstring() to gadget level
...
These instructions were not making any assignments; instead, they
were calling through to witness_message_piece_field().
This PR also renames the witness_message_piece_field() instruction
to witness_message_piece().
2021-06-25 15:07:27 +08:00
therealyingtong
6fdee71667
Adjustments to APIs in sinsemilla::chip and sinsemilla::message.
2021-06-25 15:07:27 +08:00
therealyingtong
c43c91b796
gadget::utilities: Adjustments to utilities gadgets and helpers.
2021-06-25 15:05:39 +08:00
therealyingtong
3840f280d7
lookup_range_check.rs: Add short range check lookup.
...
Also introduce a "strict" mode for the full-length lookup, where
"true" requires the field element to be within num_words * K bits,
whereas "false" does not.
2021-06-25 15:05:39 +08:00
Kris Nuttycombe
e37cec1e53
Apply suggestions from code review
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-06-24 12:39:28 -06:00
Kris Nuttycombe
fc41db1ab5
Add UNCOMMITTED_ORCHARD constant.
2021-06-24 12:33:02 -06:00
Kris Nuttycombe
90d0c254cf
Account for non-canonical base in serde deserialization.
2021-06-24 09:57:35 -06:00
Kris Nuttycombe
78adc9c810
Anchor computation is partial.
2021-06-24 09:43:10 -06:00
Kris Nuttycombe
f22907a4d7
Use constants for value commitment hash-to-curve.
...
Fixes #76
2021-06-23 18:04:17 -06:00
Kris Nuttycombe
52394b8e8d
Add test for incremental Merkle tree root calculation.
...
Fix indexing in perfect subtree computation test for auth paths.
2021-06-23 15:57:33 -06:00
Kris Nuttycombe
1b42ae707b
Make proptest bundle size configurable.
2021-06-23 15:57:33 -06:00
Kris Nuttycombe
c876f74ab1
Fix level/layer confusion.
2021-06-23 15:57:33 -06:00
Kris Nuttycombe
4888f0d16c
Rename Level -> Altitude
2021-06-23 15:57:33 -06:00
Kris Nuttycombe
e3abbf9a42
Add serde support for OrchardIncrementalTreeDigest
2021-06-23 15:57:33 -06:00
Kris Nuttycombe
7e79fd4b1c
Add necessary trait impls for OrchardIncrementalTreeDigest
...
Required to make the wrapper type usable for digests in
a serializable incremental merkle tree.
2021-06-23 15:57:33 -06:00
Kris Nuttycombe
ce4697aca5
Add construction of OrchardIncrementalTreeDigest
2021-06-22 18:14:27 -06:00
Kris Nuttycombe
4bb252eb0c
Add Orchard incremental merkle tree digests.
2021-06-22 18:14:27 -06:00
str4d
71756cffda
Merge pull request #128 from zcash/bundle-dynamic-usage
...
Add `Bundle<Authorized, _>::dynamic_usage` method
2021-06-22 17:46:15 +01:00
str4d
66340e2655
Merge pull request #67 from zcash/sinsemilla-chip-config
...
Sinsemilla chip with HashDomain
2021-06-22 16:20:35 +01:00
Jack Grigg
06f7d7fbe0
Add `Bundle<Authorized, _>::dynamic_usage` method
...
This will be used by `zcashd` as part of tracking the memory usage of
transactions.
2021-06-22 16:06:49 +01:00
Daira Hopwood
81fb944997
Make this crate clippy clean for warnings on nightly.
...
One .clone() removal; all of the other changes are removing needless borrows that are immediately
dereferenced: https://rust-lang.github.io/rust-clippy/master/index.html#needless_borrow
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-21 18:04:00 +01:00
Daira Hopwood
8af84479b3
Rename "Sinsemilla gate" constraint to "y check".
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-21 17:04:47 +01:00
Jack Grigg
62642fd804
Add `Bundle<Authorized, _>::verify_proof` API
2021-06-21 13:38:43 +01:00
therealyingtong
bd08808566
SinsemillaChip::configure(): Merge "Initial y_q" gate with main gate
...
This allows the MockProver to see the fixed_y_q query as semantically
connected to q_sinsemilla1.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 20:56:56 +08:00
Jack Grigg
a01c2ee829
test: Print layout for Sinsemilla test circuit
2021-06-20 11:51:33 +01:00
str4d
5f5238f411
Doc comment fixes
2021-06-20 11:30:43 +01:00
therealyingtong
002596f6cd
Docfixes and cleanups.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 12:11:01 +08:00
therealyingtong
744f3d1653
SinsemillaChip::configure(): Combine and label gates.
...
The gates "Secant line" and "Sinsemilla gate" were using the same
selectors and could be combined.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 11:26:59 +08:00
therealyingtong
eccd72fcd0
hash_piece(): Remove (correct) duplicate assignment of x_a.
...
hash_piece() is an internal API, which means its caller hash_message()
is working in the same region. We rely on the caller to have already
assigned each piece's initial x_a at the correct offset before making
the call to hash_piece().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 11:14:02 +08:00
therealyingtong
9ce29d9d4d
hash_to_point(): Introduce final_piece boolean flag
...
This toggles the assignment of q_s2 on the last row of each piece.
We assign q_s2 = 2 on the last row of the final piece, and q_s2 = 0
on the last row of other pieces.
This allows us to process the final_piece in the main loop together
with the other pieces.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 11:00:14 +08:00
therealyingtong
031bb0bc87
SinsemillaChip::configure(): Introduce closures for Y_A and x_r
...
These expressions are derived multiple times in the gates.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 10:43:24 +08:00
therealyingtong
9072ed437d
generator_table.rs: Fix bug in y_p lookup expression.
...
Also, GeneratorTable::configure() was not being called in the main
SinsemillaChip::configure(), which meant the lookup argument had
not been activated. This has now been fixed.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 10:34:03 +08:00
therealyingtong
2f6ca9e6de
generator_table.rs: Enforce z_n = 0 for the last message piece.
2021-06-19 22:39:19 +08:00
therealyingtong
158ab865f8
gadget::sinsemilla.rs: Add Sinsemilla test.
2021-06-19 18:17:11 +08:00
therealyingtong
eba2172f4f
chip::hash_to_point.rs: Implement hash_to_point instruction.
2021-06-19 18:17:10 +08:00
therealyingtong
f122e481a7
sinsemilla::chip.rs: Configure Sinsemilla gates.
2021-06-19 18:17:09 +08:00
therealyingtong
7cddc9b587
sinsemilla::chip.rs: Implement witness_message_* APIs.
...
witness_message() witnesses a full message given a bitstring.
The other two APIs, witness_message_piece_bitstring() and
witness_message_piece_field(), both witness a message piece, i.e.
part of a message that fits within a single base field element.
witness_message_piece_bitstring() takes in a bitstring, while
witness_message_piece_field() takes in a field element. In the
latter case, the number of words encoded must be specified.
2021-06-19 18:14:22 +08:00
therealyingtong
74e617b46d
chip::generator_table.rs: Load Sinsemilla generator lookup table.
...
The 2^K table of generators used in the Sinsemilla hash. These
are loaded into a lookup table.
2021-06-19 18:14:22 +08:00
therealyingtong
ebb7dae063
sinsemilla::chip.rs: Add Sinsemilla chip.
...
The chip that will implement SinsemillaInstructions.
2021-06-19 18:14:22 +08:00
therealyingtong
e2859df4eb
sinsemilla::message.rs: Add message module.
...
This defines a Sinsemilla message in terms of pieces and subpieces.
This is useful when decomposing field elements and packing them
into K-bit messages.
2021-06-19 18:14:22 +08:00
therealyingtong
af2ac762f4
gadget::sinsemilla.rs: Add Sinsemilla instructions.
...
SinsemillaInstructions has two const generic parameters: K, which
is the number of bits in each word of the hash, and MAX_WORDS,
which is the maximum number of words the hash can process.
For Orchard, K = 10, MAX_WORDS = 253.
2021-06-19 18:14:22 +08:00
therealyingtong
83eddd8857
ecc::chip.rs: Add Point::from_coordinates_unchecked() API
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-19 18:14:22 +08:00
Daira Hopwood
1c19bea842
Fix clippy lints.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-16 19:13:40 +01:00
Jack Grigg
5264d53498
impl Copy for Anchor
2021-06-15 15:42:06 +01:00
Jack Grigg
019ae7da8e
Anchor::{from_bytes, to_bytes}
2021-06-15 15:41:57 +01:00
Daira Hopwood
e412a5a25b
Merge pull request #115 from zcash/anchor-type
...
Store anchors as pallas::Base instead of [u8; 32]
2021-06-15 14:18:48 +01:00
Jack Grigg
e90a5972f1
redpallas: Expose batch validation API
2021-06-14 21:41:12 +01:00
Jack Grigg
eec17a9174
Add a `Bundle::binding_validating_key` method
...
This derives the `bvk` for validating `Authorized::binding_signature`.
2021-06-14 21:40:28 +01:00
ebfull
ee26116fcf
Merge pull request #114 from zcash/util-range-check
...
utilities::lookup_range_check: Add LookupRangeCheck helper
2021-06-14 10:56:52 -06:00
therealyingtong
f5bf0c1ef3
lookup_range_check.rs: Docfixes and minor refactors.
2021-06-15 00:18:38 +08:00
therealyingtong
60861b7245
sinsemilla::constants.rs: Add INV_TWO_POW_K = 1 / 2^K constant.
2021-06-15 00:18:38 +08:00
str4d
1182d8d5a7
Merge pull request #99 from zcash/note-encryption
...
Note encryption
2021-06-14 17:16:54 +01:00
ebfull
4a52d771b1
Merge pull request #113 from zcash/constants-concrete-type
...
`constants::load.rs`: Use concrete `pallas::Affine` type for generators
2021-06-14 09:25:17 -06:00
therealyingtong
c25526e216
lookup_range_check.rs: Delete wrong comment.
2021-06-14 19:55:51 +08:00
therealyingtong
8a8df98a50
add_incomplete::tests: Constrain output of `P + Q` test.
...
Also minor docfixes and refactors.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-14 00:19:21 +08:00
therealyingtong
70ec5755cf
lookup_range_check.rs: Add documentation and minor refactors.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 23:24:19 +08:00
therealyingtong
b7b8126ccf
spec.rs: Add lebs2ip function bounded on const generic L.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 23:20:59 +08:00
therealyingtong
7341996d2c
gadget::ecc.rs: Add EccInstructions::constrain_equal() instruction.
...
This allows us to constrain two points to be equal in value at the
gadget level.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 21:26:30 +08:00
therealyingtong
b299a51b31
lookup_range_check.rs: Downgrade from Chip to Config.
...
We need to be able to toggle the lookup on and off on specific
offsets. These offsets are often assigned outside the logic of
the decomposition.
2021-06-13 09:40:50 +08:00
therealyingtong
cdab5bf8c4
gadget::utilities.rs: Remove Chip bound on UtilitiesInstructions.
2021-06-13 09:40:20 +08:00
Jack Grigg
de78186503
Store anchors as pallas::Base instead of [u8; 32]
...
This matches what we store in `MerklePath`, and better enforces the
required type.
2021-06-12 21:35:37 +01:00
therealyingtong
e83880841a
utilities::lookup_range_check: Add LookupRangeCheck chip
...
This decomposes a field element into K-bit words and constrains each
word's range by looking it up in a K-bit lookup table.
The field element is broken down using a running sum. All interstitial
values of the running sum are returned.
2021-06-12 22:46:31 +08:00
therealyingtong
a11c2066ef
chip::add.rs: Use Expression::square() + other minor refactors
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-12 20:25:12 +08:00
therealyingtong
e259bb3846
ecc::chip.rs: Use concrete pallas::Affine for Chip impl.
...
The EccInstructions trait is still generic over C: CurveAffine;
however, the EccChip implementation is specific to the pasta
curves.
2021-06-12 20:25:09 +08:00
therealyingtong
aec7a7f850
ecc::chip.rs: Stub out scalar-mul-related structs and types.
...
These will be updated or restored in #111.
2021-06-12 20:24:14 +08:00
ying tong
e1779dab70
Docfixes and minor refactors.
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-06-12 12:41:27 +08:00
therealyingtong
6dabb16edc
chip::add.rs: Use batch inversion for alpha, beta, gamma, delta
2021-06-12 12:41:27 +08:00
therealyingtong
f655e38e3e
chip::add_incomplete.rs: Remove superfluous check.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-12 12:41:27 +08:00
therealyingtong
aff56e6763
ecc::chip.rs: Make EccPoint.x, EccPoint.y private fields
...
Also add public getters x() and y().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-12 12:41:27 +08:00
therealyingtong
433791fcb0
chip::witness_point.rs: Allow witnessing the identity.
2021-06-12 12:41:27 +08:00
therealyingtong
36d7888c1c
ecc.rs: Add tests for complete and incomplete addition.
2021-06-12 12:41:27 +08:00
therealyingtong
6491ea90dd
ecc::chip.rs: Bound EccConfig on <C: CurveAffine>.
2021-06-12 12:41:27 +08:00
therealyingtong
e802e2917a
chip::add.rs: Implement complete addition instruction.
2021-06-12 12:41:27 +08:00
therealyingtong
7dc11b95d2
chip::add_incomplete.rs: Implement add_incomplete() instruction
2021-06-12 12:41:27 +08:00
therealyingtong
7eb86eb0c2
chip::witness_point.rs: Implement witness_point() instruction.
2021-06-12 12:41:27 +08:00
therealyingtong
6627b2258f
ecc::chip.rs: Add ECC chip.
...
Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-12 12:41:27 +08:00
therealyingtong
e15648cb67
gadget::ecc: Remove representations of fixed points in the circuit
...
Fixed points are represented by precomputed window tables. These
are not "initialized" in the circuit at any single point, but are
loaded into fixed columns at the offsets where the fixed points
are used.
Thus, we don't need FixedPoint and get_fixed() in the circuit.
Similarly, we can remove FixedPointShort and get_fixed_short().
2021-06-12 12:41:27 +08:00
therealyingtong
ddb9500991
constants::load.rs: Use concrete pallas::Affine type for generators
...
The Orchard fixed bases are Pallas curve points and are not generic
over other curves.
2021-06-12 12:36:43 +08:00
Jack Grigg
769be6c080
Note encryption test vectors
2021-06-11 23:55:17 +01:00
Jack Grigg
37326df1ab
spec: Impl more traits for NonZero types
...
Also fixes their Default impls to use "1" as the default.
2021-06-11 23:55:17 +01:00
Jack Grigg
57f84c3eea
builder: Encrypt output notes
2021-06-11 23:55:17 +01:00
Jack Grigg
99665572a2
Orchard note encryption
2021-06-11 23:55:16 +01:00
Jack Grigg
11350339f5
Ensure that derived esk is non-zero
...
There's a (negligible) chance that we could generate (or be sent
adversarially) a RandomSeed which derives esk == 0. It's not hard to
detect and reject, in order to satisfy the type system.
2021-06-11 23:54:35 +01:00
Jack Grigg
8a7ff1b28a
Structs representing note encryption key material
2021-06-11 23:54:35 +01:00
str4d
0ead91a88c
Merge pull request #110 from zcash/tree-logic
...
Implement tree logic in Builder
2021-06-11 21:39:40 +01:00
str4d
bd30783a52
Make `hash_layer` comment a doc comment
...
This way, it renders with `cargo doc --document-private-items`
2021-06-11 20:46:30 +01:00
str4d
d8f2af8983
Simplify `gen_const_array` implementation
...
Also includes a performance improvement to `i2lebsp_k`.
2021-06-11 20:46:30 +01:00
str4d
8464df6e46
Merge pull request #108 from zcash/102-sign-with-rsk
...
builder: Store alpha and use it to derive rsk for signing spends
2021-06-11 14:42:16 +01:00
therealyingtong
0e9726ae69
tree.rs: Use 2 as uncommitted leaf and check against test vectors.
2021-06-11 20:24:55 +08:00
therealyingtong
380128ed49
tree::MerklePath: Add position() and auth_path() getters.
2021-06-10 16:55:49 +08:00
therealyingtong
b3daeb0861
tree::testing: Fix and test arb_tree().
2021-06-10 13:54:42 +08:00
therealyingtong
2d0afe9357
constants.rs: Introduce L_ORCHARD_MERKLE constant
...
Also test that L_ORCHARD_BASE, L_ORCHARD_SCALAR, L_ORCHARD_MERKLE
are consistent with the Pallas curve.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-10 10:33:06 +08:00
therealyingtong
e8e22886f4
tree.rs: MerklePath.root(): Fix missing bitmask in swap calculation
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-10 10:29:08 +08:00
therealyingtong
18535894d6
constants::util.rs: Factor out gen_fixed_array() method.
2021-06-10 10:03:15 +08:00
therealyingtong
7818291118
primitives::sinsemilla.rs: Optimize and test i2lebsp_k
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-09 23:50:59 +08:00
therealyingtong
8f8eff23d8
Update proptests to generate Merkle paths
2021-06-08 22:38:11 +08:00
therealyingtong
b33248bdb0
src::tree.rs: Implement MerklePath.root() method.
...
Co-authored-by: Kris Nuttycombe <kris@electriccoin.co>
2021-06-08 22:31:24 +08:00
Jack Grigg
94e730ad4c
Migrate to latest version of halo2
...
This brings in:
- Fixes and improvements to `MockProver`.
- Support for annotating constraints within gates.
- Removal of Selector rotations.
2021-06-07 19:49:25 +01:00
str4d
2be13bfa80
Merge pull request #89 from zcash/utils-chip
...
Chip for general utils
2021-06-07 19:40:56 +01:00
str4d
3ff307f946
docs: Clarify EnableFlagInstructions::enable_flag
2021-06-07 19:34:48 +01:00
therealyingtong
54c8cfd1d0
Documentation improvements and minor refactors.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-08 00:28:32 +08:00
therealyingtong
0f2dfc5508
Use UtilitiesInstructions::Var instead of internal associated type.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-08 00:20:09 +08:00
Jack Grigg
e0e082d265
test: Remove stray dbg!()
2021-06-05 22:39:57 +01:00
Jack Grigg
cbf7c3825f
builder: Store alpha and use it to derive rsk for signing spends
...
This was missed from zcash/orchard#49, but could not have caused a
consensus failure or loss-of-funds because `alpha` _was_ being sampled
and used to derive `rk`, meaning that the signatures would fail to
validate.
2021-06-05 22:35:52 +01:00
str4d
cd1e72bbcd
Merge pull request #106 from zcash/refactor-constants
...
Refactor `constants` to add `constants::load`
2021-06-05 13:42:16 +01:00
str4d
243f862617
Fix clippy lints
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-05 13:18:14 +01:00
str4d
d3da71a4fd
Merge pull request #105 from zcash/constants-spend-auth-g
...
Add SpendAuthG fixed base
2021-06-05 12:09:51 +01:00
therealyingtong
40599144bf
utilities::plonk: Remove assumption that fixed columns default to 1
2021-06-05 15:33:12 +08:00
therealyingtong
6603e996ed
utilities::cond_swap: Directly witness swap bit
2021-06-05 15:32:43 +08:00
therealyingtong
9f27049c84
Add constants::load.rs
...
This makes it easier to load constants into the ECC chip.
2021-06-05 13:18:24 +08:00
therealyingtong
1d46a2d3e7
Add SpendAuthG fixed base.
...
Used in spend authority randomization where rk = ak + [alpha]SpendAuthG.
2021-06-05 13:16:56 +08:00
therealyingtong
f31b9feba0
utilities::enable_flag: Directly witness flag
2021-06-05 09:42:23 +08:00
Kris Nuttycombe
6f3ac2cdcc
Avoid discards in arbitrary nullifier generation.
2021-06-04 17:36:50 -06:00
Jack Grigg
bea8a9b7ff
Migrate to bitvec 0.22, ff 0.10, group 0.10, pasta_curves 0.1
2021-06-04 20:38:52 +01:00
therealyingtong
fea88c814c
Add enable flag chip
2021-06-04 18:08:59 +08:00
therealyingtong
4b0ea0be15
Add conditional swap chip
2021-06-04 18:08:59 +08:00
therealyingtong
4f87815262
Add standard PLONK chip
2021-06-04 18:08:59 +08:00
therealyingtong
4d8ae89aa9
Add Utilities chip
2021-06-04 18:08:59 +08:00
str4d
c5aa41e2e4
Merge pull request #86 from zcash/patch-fixed-mul
...
Update formula for fixed-base window tables.
2021-06-03 13:33:00 +01:00
str4d
505e003842
Merge pull request #28 from zcash/poseidon
...
Width-3 Poseidon chip
2021-06-03 12:38:16 +01:00
str4d
dc075e7971
Merge pull request #91 from zcash/key-component-test-vectors
...
Add test vectors for key components
2021-06-02 22:23:54 +01:00
therealyingtong
fa9d8a992c
Update constants
2021-06-02 22:51:37 +08:00
therealyingtong
0636a6f2ec
Update window table formula.
...
Previously, the window table M for fixed-base scalar multiplication
computed M[w][k] = [(k+1)*(2^3)^w]B for each window w, where k is a
3-bit chunk in the scalar decomposition in the range [0..8).
However, in the case k_0 = 7, k_1 = 0, the window table entries would
evaluate to:
* M[0][k_0] = [(7+1)*(2^3)^0]B = [8]B,
* M[1][k_1] = [(0+1)*(2^3)^1]B = [8]B,
which means the first addition would require complete addition.
To avoid this, we alter the formula to M[w][k] = [(k+2)*(2^3)^w]B.
We make a corresponding change to the formula for the last window
W. Previously, we had:
M[W][k] = [k * (2^3)^W - \sum((2^3)^j)]B, for j in [0..W-1).
Now, we have:
M[W][k] = [k * (2^3)^W - \sum(2^(3j+1))]B, for j in [0..W-1).
2021-06-02 22:51:37 +08:00
Jack Grigg
91db490e20
test: Add Poseidon test vectors
2021-06-01 18:36:11 +01:00
Daira Hopwood
5925852c7d
Add Poseidon test vector generated by the reference code.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-01 18:36:11 +01:00
Jack Grigg
f5a4cc3550
poseidon::Hash gadget
2021-06-01 18:36:11 +01:00
Jack Grigg
38dd7b791d
PoseidonDuplexInstructions
2021-06-01 18:36:11 +01:00
Jack Grigg
a69d76113f
test: Rename MyCircuit to PermuteCircuit
2021-06-01 18:36:11 +01:00
Jack Grigg
d1fe466812
Replace PoseidonInstructions::State with PoseidonInstructions::Word
2021-06-01 18:36:11 +01:00
Jack Grigg
01eb431f1f
Remove "final" round logic from poseidon::Pow5T3Chip
...
This was a bug in the Poseidon reference implementation, fixed in v1.1.
2021-06-01 18:36:11 +01:00
Jack Grigg
40a19b429c
Test that poseidon::Pow5T3Chip chip correctly implements Poseidon
2021-06-01 18:36:11 +01:00
Jack Grigg
f1b8abfccb
Arity-3 Poseidon chip
2021-06-01 18:36:11 +01:00
Jack Grigg
363e6944ec
Poseidon instructions
2021-06-01 17:54:37 +01:00
Jack Grigg
dfa3fbb19b
Migrate to latest revision of halo2
2021-06-01 17:37:44 +01:00
str4d
803fc2bea3
Merge pull request #93 from zcash/prf_expand-domains
...
Define explicit domains for PRF^expand
2021-06-01 14:31:04 +01:00
Jack Grigg
c4ffb7c617
Rework PRF^expand to use explicit domains
...
`prf_expand{_vec}` have been replaced by the `PrfExpand` enum, which
has `PrfExpand::{expand, with_ad, with_ad_slices}` methods for use
within each domain as necessary.
2021-05-28 13:12:25 +01:00
Jack Grigg
cea8a3ab69
Move prf_expand{_vec} into a submodule for clarity
2021-05-28 12:42:01 +01:00
Jack Grigg
7f47949b09
Take `self` directly in to_bytes methods where Self: Copy
2021-05-28 12:11:22 +01:00
Jack Grigg
cdfd2ab0f9
Remove clones from types that now impl Copy
2021-05-28 12:10:54 +01:00
Jack Grigg
5af73f7822
Add test vectors for key components
2021-05-28 11:57:21 +01:00
str4d
f82d00e40d
Merge pull request #77 from zcash/remove-rand-0.7
...
Remove rand 0.7 usage
2021-05-21 21:25:34 +01:00
str4d
97710e04d6
Merge pull request #80 from zcash/spec-updates
...
Update implementation to match protocol spec version 2021.2.0
2021-05-21 21:24:39 +01:00
str4d
2bbbc3ec94
Update comments
...
Co-authored-by: ying tong <yingtong@z.cash>
2021-05-21 21:24:08 +01:00
str4d
7109153e88
Merge pull request #43 from zcash/constants
...
Add Orchard constants
2021-05-18 20:44:59 +01:00
str4d
38f1c9e14f
Merge pull request #75 from zcash/ecc-gadget
...
Modify ECC gadget to work with chip refactor
2021-05-18 20:34:28 +01:00
therealyingtong
ff504c1a3f
Address review comments.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 17:14:13 +08:00
therealyingtong
2962115aef
Reintroduce point doubling API
2021-05-18 16:54:52 +08:00
therealyingtong
af30f4b141
Add Eq to the EccChip trait
2021-05-18 16:12:06 +08:00
therealyingtong
caa3791562
Documentation fixes.
...
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 16:07:40 +08:00
therealyingtong
edea9bde73
Document incomplete point addition error handling
2021-05-18 13:28:17 +08:00