therealyingtong
64a2b02d42
ecc::chip.rs: Witness scalar for variable-base scalar mul
2021-07-07 23:10:59 +08:00
therealyingtong
0f60a81485
ecc::chip.rs: Add EccScalarFixed, EccScalarFixedShort structs
2021-07-07 23:10:59 +08:00
str4d
bb159a2ccf
Merge pull request #98 from zcash/merkle-chip
Merkle hash chip
2021-06-29 23:09:15 +01:00
Jack Grigg
7c38f149ac
rustfmt
2021-06-29 22:46:07 +01:00
str4d
cbded2b821
Optimize transpose_option_array
2021-06-29 22:43:50 +01:00
str4d
8dfcd7d49b
Remove unused lookup_config in MerkleConfig
2021-06-29 22:41:01 +01:00
str4d
9f1bd64fe9
Merge pull request #133 from zcash/patch-sinsemilla
Introduce `LookupRangeCheckConfig`s for each Sinsemilla advice column
2021-06-29 10:43:30 +01:00
therealyingtong
3806a9d6f0
Further cleanups and docfixes.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-29 12:08:31 +08:00
therealyingtong
d68eb6583d
Docfixes, variable renames, cleanups
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-29 12:08:31 +08:00
therealyingtong
32e564a963
Constrain b_1 + 2^5 b_2 = z1_b in decomposition gate.
2021-06-29 12:08:31 +08:00
therealyingtong
db45c81ea6
sinsemilla::merkle.rs: Add test for MerkleChip.
2021-06-29 12:08:31 +08:00
therealyingtong
f30de79fc6
sinsemilla::merkle.rs: Implement MerkleInstructions for MerkleChip.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-29 12:08:31 +08:00
therealyingtong
569eb4baa6
sinsemilla::merkle.rs: Configure MerkleChip
MerkleChip::configure() takes a SinsemillaConfig as input.
2021-06-29 12:08:31 +08:00
therealyingtong
6976e2baeb
sinsemilla::merkle.rs: Derive SinsemillaInstructions, CondSwapInstructions for MerkleChip
2021-06-29 12:08:31 +08:00
therealyingtong
68878d88b1
sinsemilla::merkle.rs: Add MerkleChip
2021-06-29 12:08:31 +08:00
therealyingtong
d090da0159
sinsemilla::merkle.rs: Add MerkleInstructions.
This has three const generic parameters: PATH_LENGTH, K, MAX_WORDS.
PATH_LENGTH is the length of the Merkle path being hashed. K and
MAX_WORDS parameterize the internal Sinsemilla instance used in
hashing the path.
2021-06-29 12:08:31 +08:00
therealyingtong
12cef17559
Cleanups and minor refactors.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-29 12:02:54 +08:00
ying tong
209e6a1132
Docfixes.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: str4d <jack@electriccoin.co>
2021-06-29 09:51:02 +08:00
therealyingtong
9b47bd0db4
sinsemilla::tests: Use separate constants columns for chips.
To be replaced by the public inputs API.
2021-06-25 15:07:27 +08:00
therealyingtong
2ec30943b3
Configure each Sinsemilla advice column for use with a K-bit lookup.
Inputs to Sinsemilla often need to be decomposed and range-constrained.
2021-06-25 15:07:27 +08:00
therealyingtong
bdcdb8ac13
Move witness_message() and witness_message_piece_bitstring() to gadget level
These instructions were not making any assignments; instead, they
were calling through to witness_message_piece_field().
This PR also renames the witness_message_piece_field() instruction
to witness_message_piece().
2021-06-25 15:07:27 +08:00
therealyingtong
6fdee71667
Adjustments to APIs in sinsemilla::chip and sinsemilla::message.
2021-06-25 15:07:27 +08:00
therealyingtong
c43c91b796
gadget::utilities: Adjustments to utilities gadgets and helpers.
2021-06-25 15:05:39 +08:00
therealyingtong
3840f280d7
lookup_range_check.rs: Add short range check lookup.
Also introduce a "strict" mode for the full-length lookup, where
"true" requires the field element to be within num_words * K bits,
whereas "false" does not.
2021-06-25 15:05:39 +08:00
str4d
66340e2655
Merge pull request #67 from zcash/sinsemilla-chip-config
Sinsemilla chip with HashDomain
2021-06-22 16:20:35 +01:00
Daira Hopwood
81fb944997
Make this crate clippy clean for warnings on nightly.
One .clone() removal; all of the other changes are removing needless borrows that are immediately
dereferenced: https://rust-lang.github.io/rust-clippy/master/index.html#needless_borrow
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-21 18:04:00 +01:00
Daira Hopwood
8af84479b3
Rename "Sinsemilla gate" constraint to "y check".
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-21 17:04:47 +01:00
therealyingtong
bd08808566
SinsemillaChip::configure(): Merge "Initial y_q" gate with main gate
This allows the MockProver to see the fixed_y_q query as semantically
connected to q_sinsemilla1.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 20:56:56 +08:00
Jack Grigg
a01c2ee829
test: Print layout for Sinsemilla test circuit
2021-06-20 11:51:33 +01:00
str4d
5f5238f411
Doc comment fixes
2021-06-20 11:30:43 +01:00
therealyingtong
002596f6cd
Docfixes and cleanups.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 12:11:01 +08:00
therealyingtong
744f3d1653
SinsemillaChip::configure(): Combine and label gates.
The gates "Secant line" and "Sinsemilla gate" were using the same
selectors and could be combined.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 11:26:59 +08:00
therealyingtong
eccd72fcd0
hash_piece(): Remove (correct) duplicate assignment of x_a.
hash_piece() is an internal API, which means its caller hash_message()
is working in the same region. We rely on the caller to have already
assigned each piece's initial x_a at the correct offset before making
the call to hash_piece().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 11:14:02 +08:00
therealyingtong
9ce29d9d4d
hash_to_point(): Introduce final_piece boolean flag
This toggles the assignment of q_s2 on the last row of each piece.
We assign q_s2 = 2 on the last row of the final piece, and q_s2 = 0
on the last row of other pieces.
This allows us to process the final_piece in the main loop together
with the other pieces.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 11:00:14 +08:00
therealyingtong
031bb0bc87
SinsemillaChip::configure(): Introduce closures for Y_A and x_r
These expressions are derived multiple times in the gates.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 10:43:24 +08:00
therealyingtong
9072ed437d
generator_table.rs: Fix bug in y_p lookup expression.
Also, GeneratorTable::configure() was not being called in the main
SinsemillaChip::configure(), which meant the lookup argument had
not been activated. This has now been fixed.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-20 10:34:03 +08:00
therealyingtong
2f6ca9e6de
generator_table.rs: Enforce z_n = 0 for the last message piece.
2021-06-19 22:39:19 +08:00
therealyingtong
158ab865f8
gadget::sinsemilla.rs: Add Sinsemilla test.
2021-06-19 18:17:11 +08:00
therealyingtong
eba2172f4f
chip::hash_to_point.rs: Implement hash_to_point instruction.
2021-06-19 18:17:10 +08:00
therealyingtong
f122e481a7
sinsemilla::chip.rs: Configure Sinsemilla gates.
2021-06-19 18:17:09 +08:00
therealyingtong
7cddc9b587
sinsemilla::chip.rs: Implement witness_message_* APIs.
witness_message() witnesses a full message given a bitstring.
The other two APIs, witness_message_piece_bitstring() and
witness_message_piece_field(), both witness a message piece, i.e.
part of a message that fits within a single base field element.
witness_message_piece_bitstring() takes in a bitstring, while
witness_message_piece_field() takes in a field element. In the
latter case, the number of words encoded must be specified.
2021-06-19 18:14:22 +08:00
therealyingtong
74e617b46d
chip::generator_table.rs: Load Sinsemilla generator lookup table.
The 2^K table of generators used in the Sinsemilla hash. These
are loaded into a lookup table.
2021-06-19 18:14:22 +08:00
therealyingtong
ebb7dae063
sinsemilla::chip.rs: Add Sinsemilla chip.
The chip that will implement SinsemillaInstructions.
2021-06-19 18:14:22 +08:00
therealyingtong
e2859df4eb
sinsemilla::message.rs: Add message module.
This defines a Sinsemilla message in terms of pieces and subpieces.
This is useful when decomposing field elements and packing them
into K-bit messages.
2021-06-19 18:14:22 +08:00
therealyingtong
af2ac762f4
gadget::sinsemilla.rs: Add Sinsemilla instructions.
SinsemillaInstructions has two const generic parameters: K, which
is the number of bits in each word of the hash, and MAX_WORDS,
which is the maximum number of words the hash can process.
For Orchard, K = 10, MAX_WORDS = 253.
2021-06-19 18:14:22 +08:00
therealyingtong
83eddd8857
ecc::chip.rs: Add Point::from_coordinates_unchecked() API
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-19 18:14:22 +08:00
ebfull
ee26116fcf
Merge pull request #114 from zcash/util-range-check
utilities::lookup_range_check: Add LookupRangeCheck helper
2021-06-14 10:56:52 -06:00
therealyingtong
f5bf0c1ef3
lookup_range_check.rs: Docfixes and minor refactors.
2021-06-15 00:18:38 +08:00
therealyingtong
60861b7245
sinsemilla::constants.rs: Add INV_TWO_POW_K = 1 / 2^K constant.
2021-06-15 00:18:38 +08:00
therealyingtong
c25526e216
lookup_range_check.rs: Delete wrong comment.
2021-06-14 19:55:51 +08:00
therealyingtong
8a8df98a50
add_incomplete::tests: Constrain output of `P + Q` test.
Also minor docfixes and refactors.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-14 00:19:21 +08:00
therealyingtong
70ec5755cf
lookup_range_check.rs: Add documentation and minor refactors.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 23:24:19 +08:00
therealyingtong
7341996d2c
gadget::ecc.rs: Add EccInstructions::constrain_equal() instruction.
This allows us to constrain two points to be equal in value at the
gadget level.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-13 21:26:30 +08:00
therealyingtong
b299a51b31
lookup_range_check.rs: Downgrade from Chip to Config.
We need to be able to toggle the lookup on and off on specific
offsets. These offsets are often assigned outside the logic of
the decomposition.
2021-06-13 09:40:50 +08:00
therealyingtong
cdab5bf8c4
gadget::utilities.rs: Remove Chip bound on UtilitiesInstructions.
2021-06-13 09:40:20 +08:00
therealyingtong
e83880841a
utilities::lookup_range_check: Add LookupRangeCheck chip
This decomposes a field element into K-bit words and constrains each
word's range by looking it up in a K-bit lookup table.
The field element is broken down using a running sum. All interstitial
values of the running sum are returned.
2021-06-12 22:46:31 +08:00
therealyingtong
a11c2066ef
chip::add.rs: Use Expression::square() + other minor refactors
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-12 20:25:12 +08:00
therealyingtong
e259bb3846
ecc::chip.rs: Use concrete pallas::Affine for Chip impl.
The EccInstructions trait is still generic over C: CurveAffine;
however, the EccChip implementation is specific to the pasta
curves.
2021-06-12 20:25:09 +08:00
therealyingtong
aec7a7f850
ecc::chip.rs: Stub out scalar-mul-related structs and types.
These will be updated or restored in #111.
2021-06-12 20:24:14 +08:00
ying tong
e1779dab70
Docfixes and minor refactors.
Co-authored-by: str4d <jack@electriccoin.co>
2021-06-12 12:41:27 +08:00
therealyingtong
6dabb16edc
chip::add.rs: Use batch inversion for alpha, beta, gamma, delta
2021-06-12 12:41:27 +08:00
therealyingtong
f655e38e3e
chip::add_incomplete.rs: Remove superfluous check.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-12 12:41:27 +08:00
therealyingtong
aff56e6763
ecc::chip.rs: Make EccPoint.x, EccPoint.y private fields
Also add public getters x() and y().
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-06-12 12:41:27 +08:00
therealyingtong
433791fcb0
chip::witness_point.rs: Allow witnessing the identity.
2021-06-12 12:41:27 +08:00
therealyingtong
36d7888c1c
ecc.rs: Add tests for complete and incomplete addition.
2021-06-12 12:41:27 +08:00
therealyingtong
6491ea90dd
ecc::chip.rs: Bound EccConfig on <C: CurveAffine>.
2021-06-12 12:41:27 +08:00
therealyingtong
e802e2917a
chip::add.rs: Implement complete addition instruction.
2021-06-12 12:41:27 +08:00
therealyingtong
7dc11b95d2
chip::add_incomplete.rs: Implement add_incomplete() instruction
2021-06-12 12:41:27 +08:00
therealyingtong
7eb86eb0c2
chip::witness_point.rs: Implement witness_point() instruction.
2021-06-12 12:41:27 +08:00
therealyingtong
6627b2258f
ecc::chip.rs: Add ECC chip.
Implement witness_scalar_var() and extract_p() instructions inline.
2021-06-12 12:41:27 +08:00
therealyingtong
e15648cb67
gadget::ecc: Remove representations of fixed points in the circuit
Fixed points are represented by precomputed window tables. These
are not "initialized" in the circuit at any single point, but are
loaded into fixed columns at the offsets where the fixed points
are used.
Thus, we don't need FixedPoint and get_fixed() in the circuit.
Similarly, we can remove FixedPointShort and get_fixed_short().
2021-06-12 12:41:27 +08:00
Jack Grigg
94e730ad4c
Migrate to latest version of halo2
This brings in:
- Fixes and improvements to `MockProver`.
- Support for annotating constraints within gates.
- Removal of Selector rotations.
2021-06-07 19:49:25 +01:00
str4d
3ff307f946
docs: Clarify EnableFlagInstructions::enable_flag
2021-06-07 19:34:48 +01:00
therealyingtong
54c8cfd1d0
Documentation improvements and minor refactors.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-08 00:28:32 +08:00
therealyingtong
0f2dfc5508
Use UtilitiesInstructions::Var instead of internal associated type.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-06-08 00:20:09 +08:00
therealyingtong
40599144bf
utilities::plonk: Remove assumption that fixed columns default to 1
2021-06-05 15:33:12 +08:00
therealyingtong
6603e996ed
utilities::cond_swap: Directly witness swap bit
2021-06-05 15:32:43 +08:00
therealyingtong
f31b9feba0
utilities::enable_flag: Directly witness flag
2021-06-05 09:42:23 +08:00
therealyingtong
fea88c814c
Add enable flag chip
2021-06-04 18:08:59 +08:00
therealyingtong
4b0ea0be15
Add conditional swap chip
2021-06-04 18:08:59 +08:00
therealyingtong
4f87815262
Add standard PLONK chip
2021-06-04 18:08:59 +08:00
therealyingtong
4d8ae89aa9
Add Utilities chip
2021-06-04 18:08:59 +08:00
Jack Grigg
91db490e20
test: Add Poseidon test vectors
2021-06-01 18:36:11 +01:00
Jack Grigg
f5a4cc3550
poseidon::Hash gadget
2021-06-01 18:36:11 +01:00
Jack Grigg
38dd7b791d
PoseidonDuplexInstructions
2021-06-01 18:36:11 +01:00
Jack Grigg
a69d76113f
test: Rename MyCircuit to PermuteCircuit
2021-06-01 18:36:11 +01:00
Jack Grigg
d1fe466812
Replace PoseidonInstructions::State with PoseidonInstructions::Word
2021-06-01 18:36:11 +01:00
Jack Grigg
01eb431f1f
Remove "final" round logic from poseidon::Pow5T3Chip
This was a bug in the Poseidon reference implementation, fixed in v1.1.
2021-06-01 18:36:11 +01:00
Jack Grigg
40a19b429c
Test that poseidon::Pow5T3Chip chip correctly implements Poseidon
2021-06-01 18:36:11 +01:00
Jack Grigg
f1b8abfccb
Arity-3 Poseidon chip
2021-06-01 18:36:11 +01:00
Jack Grigg
363e6944ec
Poseidon instructions
2021-06-01 17:54:37 +01:00
therealyingtong
ff504c1a3f
Address review comments.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 17:14:13 +08:00
therealyingtong
2962115aef
Reintroduce point doubling API
2021-05-18 16:54:52 +08:00
therealyingtong
af30f4b141
Add Eq to the EccChip trait
2021-05-18 16:12:06 +08:00
therealyingtong
caa3791562
Documentation fixes.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 16:07:40 +08:00
therealyingtong
edea9bde73
Document incomplete point addition error handling
2021-05-18 13:28:17 +08:00
therealyingtong
c8076c2864
Add FixedPointsShort associated type
2021-05-18 13:28:17 +08:00
therealyingtong
74c797165f
Add range check for short scalar
2021-05-18 13:28:16 +08:00
therealyingtong
db60fd2262
Add FixedPointShort associated type
2021-05-06 15:55:15 +08:00
therealyingtong
6a64bc1c37
Expose Point.add_incomplete()
2021-05-06 12:54:21 +08:00
therealyingtong
4f2b4d2935
Address review comments
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-05-05 20:23:29 +08:00
therealyingtong
4bf6202c35
Modify ECC gadget to work with chip refactor
2021-05-04 12:11:28 +08:00
Jack Grigg
bbf2dc271e
Add ECC gadgets and instructions
Migrated from the halo2 crate; we may re-upstream them later (or move
gadgets into their own crate) once we've stabilised them.
2021-02-25 18:11:46 +00:00