From 9ef46ae4ee4f12115bcee2ff7233f9b5a76d686b Mon Sep 17 00:00:00 2001
From: Jack Grigg <jack@electriccoin.co>
Date: Tue, 27 Jul 2021 05:34:36 +0100
Subject: [PATCH 1/3] book: Fixes to NoteCommit page

Noticed during review.
---
 .../design/circuit/gadgets/sinsemilla/note-commit.md   | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/book/src/design/circuit/gadgets/sinsemilla/note-commit.md b/book/src/design/circuit/gadgets/sinsemilla/note-commit.md
index 0250c46f..69cb619d 100644
--- a/book/src/design/circuit/gadgets/sinsemilla/note-commit.md
+++ b/book/src/design/circuit/gadgets/sinsemilla/note-commit.md
@@ -200,7 +200,7 @@ y &= \textsf{LSB} \bconcat k_0 \bconcat k_1 \bconcat k_2 \bconcat k_3\\
 \end{align}
 $$
 
-where $\textsf{LSB}$ is $b_2$ for $\mathsf{y(g_d)}$, and $d_1$ for $\mathsf{y(pk_d)}$. Let $$j = \textsf{LSB} + 2 \cdot k_0 + 10 \cdot k_1.$$ We decompose $j$ to be $250$ bits using $25$ [ten-bit lookups](../decomposition.md#lookup-decomposition).
+where $\textsf{LSB}$ is $b_2$ for $\mathsf{y(g_d)}$, and $d_1$ for $\mathsf{y(pk_d)}$. Let $$j = \textsf{LSB} + 2 \cdot k_0 + 2^{10} \cdot k_1.$$ We decompose $j$ to be $250$ bits using $25$ [ten-bit lookups](../decomposition.md#lookup-decomposition).
 
 Recall that $b_2 = ỹ(g_d)$ and $d_1 = ỹ(pk_d)$ were pieces input to the Sinsemilla hash and have already been boolean-constrained. To constrain the remaining chunks, we use the following constraints:
 
@@ -220,8 +220,8 @@ $$
 \begin{array}{|c|l|}
 \hline
 \text{Degree} & \text{Constraint} \\\hline
-2 & q_{\NoteCommit,3} \cdot \left(j - (\textsf{LSB} + 2 \cdot k_0 + 10 \cdot k_1) \right) = 0 \\\hline
-2 & q_{\NoteCommit,3} \cdot \left(y - (j + 2^{250} \cdot k_2 + 2^{254} \cdot k_3) \right) = 0 \\\hline
+2 & q_{\NoteCommit,3} \cdot \left(j - (\textsf{LSB} + k_0 \cdot 2 + k_1 \cdot 2^{10}) \right) = 0 \\\hline
+2 & q_{\NoteCommit,3} \cdot \left(y - (j + k_2 \cdot 2^{250} + k_3 \cdot 2^{254}) \right) = 0 \\\hline
 \end{array}
 $$
 
@@ -431,7 +431,7 @@ $$
 3 & q_{\NoteCommit,2} \cdot h_1 \cdot h_0 = 0 \\\hline
 3 & q_{\NoteCommit,2} \cdot h_1 \cdot z_{g,13} = 0 \\\hline
 2 & q_{\NoteCommit,1} \cdot (g_1 + g_2 \cdot 2^9 + 2^{130} - t_\mathbb{P} - {g_1}{g_2}') = 0 \\\hline
-3 & q_{\NoteCommit,2} \cdot g_0 \cdot z_{{g_1}{g_2}',14} = 0 \\\hline
+3 & q_{\NoteCommit,2} \cdot g_0 \cdot z_{{g_1}{g_2}',13} = 0 \\\hline
 \end{array}
 $$
 
@@ -446,6 +446,6 @@ $$
 a'  & {b_3}c' & {e_1}f' & {g_1}{g_2}' &  a  &  b  & b_2 & b_3 &  c  &    d    & 0 & 0 \\\hline
 d_1 &   d_2   & z_{d,1} &      e      & e_0 & e_1 &  f  &  g  & g_1 &    h    & 1 & 0 \\\hline
 h_0 &   h_1   & x(g_d)  &   x(pk_d)   &  v  & b_0 & b_1 & d_0 & g_0 & z_{g,1} & 0 & 1 \\\hline
-z_{a',13} & z_{{b_3}c',14} & z_{{e_1}f',14} & z_{{g_1}{g_2}',14} & z_{a,13} & z_{c,13} & z_{f,13} & z_{g,13} & \psi & \rho & 0 & 0 \\\hline
+z_{a',13} & z_{{b_3}c',14} & z_{{e_1}f',14} & z_{{g_1}{g_2}',13} & z_{a,13} & z_{c,13} & z_{f,13} & z_{g,13} & \psi & \rho & 0 & 0 \\\hline
 \end{array}
 $$

From 920fe643997ac5887f4f1a6e5d9e0b8bc4b8af30 Mon Sep 17 00:00:00 2001
From: therealyingtong <yingtong@z.cash>
Date: Tue, 27 Jul 2021 12:53:41 +0800
Subject: [PATCH 2/3] [book] note-commit.md: Document substitution of k_1 with
 z1_j.

Co-authored-by: Jack Grigg <jack@electriccoin.co>
---
 book/src/design/circuit/gadgets/sinsemilla/note-commit.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/book/src/design/circuit/gadgets/sinsemilla/note-commit.md b/book/src/design/circuit/gadgets/sinsemilla/note-commit.md
index 69cb619d..98cade5c 100644
--- a/book/src/design/circuit/gadgets/sinsemilla/note-commit.md
+++ b/book/src/design/circuit/gadgets/sinsemilla/note-commit.md
@@ -200,7 +200,7 @@ y &= \textsf{LSB} \bconcat k_0 \bconcat k_1 \bconcat k_2 \bconcat k_3\\
 \end{align}
 $$
 
-where $\textsf{LSB}$ is $b_2$ for $\mathsf{y(g_d)}$, and $d_1$ for $\mathsf{y(pk_d)}$. Let $$j = \textsf{LSB} + 2 \cdot k_0 + 2^{10} \cdot k_1.$$ We decompose $j$ to be $250$ bits using $25$ [ten-bit lookups](../decomposition.md#lookup-decomposition).
+where $\textsf{LSB}$ is $b_2$ for $\mathsf{y(g_d)}$, and $d_1$ for $\mathsf{y(pk_d)}$. Let $$j = \textsf{LSB} + 2 \cdot k_0 + 2^{10} \cdot k_1.$$ We decompose $j$ to be $250$ bits using a strict $25-$word [ten-bit lookup](../decomposition.md#lookup-decomposition). The running sum outputs allow us to susbstitute $k_1 = z_{j, 1}.$
 
 Recall that $b_2 = ỹ(g_d)$ and $d_1 = ỹ(pk_d)$ were pieces input to the Sinsemilla hash and have already been boolean-constrained. To constrain the remaining chunks, we use the following constraints:
 
@@ -211,7 +211,6 @@ $$
   & \ShortLookupRangeCheck{k_0, 9} \\\hline
   & \ShortLookupRangeCheck{k_2, 4} \\\hline
 3 & q_{\NoteCommit,3} \cdot \BoolCheck{k_3} = 0 \\\hline
-  & k_1 := z_{j,1} \\\hline
 \end{array}
 $$
 

From ac5404a94317623ae713d6f0408d37247d46ea10 Mon Sep 17 00:00:00 2001
From: therealyingtong <yingtong@z.cash>
Date: Tue, 27 Jul 2021 13:56:10 +0800
Subject: [PATCH 3/3] [book] note-commit.md: Update NoteCommit gate region
 layout.

By rearranging the pieces in the gate, we remove a prev() query and
preserve proximity between pieces involved in the same constraint.
---
 .../design/circuit/gadgets/sinsemilla/note-commit.md   | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/book/src/design/circuit/gadgets/sinsemilla/note-commit.md b/book/src/design/circuit/gadgets/sinsemilla/note-commit.md
index 98cade5c..ce249957 100644
--- a/book/src/design/circuit/gadgets/sinsemilla/note-commit.md
+++ b/book/src/design/circuit/gadgets/sinsemilla/note-commit.md
@@ -441,10 +441,10 @@ arranged in a single region across 10 advice columns, requiring four rows.
 
 $$
 \begin{array}{|c|c|c|c|c|c|c|c|c|c|cc}
-    &         &         &             &   &     &     &     &   &     & q_{\NoteCommit,1} & q_{\NoteCommit,2} \\\hline
-a'  & {b_3}c' & {e_1}f' & {g_1}{g_2}' &  a  &  b  & b_2 & b_3 &  c  &    d    & 0 & 0 \\\hline
-d_1 &   d_2   & z_{d,1} &      e      & e_0 & e_1 &  f  &  g  & g_1 &    h    & 1 & 0 \\\hline
-h_0 &   h_1   & x(g_d)  &   x(pk_d)   &  v  & b_0 & b_1 & d_0 & g_0 & z_{g,1} & 0 & 1 \\\hline
-z_{a',13} & z_{{b_3}c',14} & z_{{e_1}f',14} & z_{{g_1}{g_2}',13} & z_{a,13} & z_{c,13} & z_{f,13} & z_{g,13} & \psi & \rho & 0 & 0 \\\hline
+          &                &                &        &          &                   &          &                &          &           & q_{\NoteCommit,1} & q_{\NoteCommit,2} \\\hline
+    b     &        d       &        e       &   g    &     h    &        d_1        &  x(pk_d) &      b_3       &     a'   &   b_2     &        0          &         0         \\\hline
+  {e_1}f' &  {g_1}{g_2}'   &        v       &  d_2   &  z_{d,1} &        e_0        &{b_3}{c}' &       c        &     a    &  x(g_d)   &        1          &         0         \\\hline
+   e_1    &        f       &       g_0      &  g_1   &  z_{g,1} &        h_0        &    h_1   &      d_0       &    b_0   &   b_1     &        0          &         1         \\\hline
+  \rho    &    z_{f,13}    & z_{{e_1}f',14} &  \psi  & z_{g,13} &z_{{g_1}{g_2}',13} & z_{c,13} & z_{{b_3}c',14} & z_{a,13} & z_{a',13} &        0          &         0         \\\hline
 \end{array}
 $$