Extract a `ValueCommit^Orchard` gadget from the circuit

2022-04-29 20:05:00 +00:00 · 2022-04-29 20:05:00 +00:00 · 3b922f8f48
parent dafb357dc0
commit 3b922f8f48
2 changed files with 53 additions and 23 deletions
--- a/src/circuit.rs
+++ b/src/circuit.rs
@ -24,7 +24,7 @@ use self::{
 use crate::{
    constants::{
        OrchardCommitDomains, OrchardFixedBases, OrchardFixedBasesFull, OrchardHashDomains,
-        ValueCommitV, MERKLE_DEPTH_ORCHARD,
+        MERKLE_DEPTH_ORCHARD,
    },
    keys::{
        CommitIvkRandomness, DiversifiedTransmissionKey, NullifierDerivingKey, SpendValidatingKey,
@ -42,7 +42,7 @@ use crate::{
 use halo2_gadgets::{
    ecc::{
        chip::{EccChip, EccConfig},
-        FixedPoint, FixedPointShort, NonIdentityPoint, Point,
+        FixedPoint, NonIdentityPoint, Point,
    },
    poseidon::{Pow5Chip as PoseidonChip, Pow5Config as PoseidonConfig},
    primitives::poseidon,
@ -436,25 +436,12 @@ impl plonk::Circuit<pallas::Base> for Circuit {
                (magnitude, sign)
            };

-            // commitment = [v_net] ValueCommitV
-            let (commitment, _) = {
-                let value_commit_v = ValueCommitV;
-                let value_commit_v = FixedPointShort::from_inner(ecc_chip.clone(), value_commit_v);
-                value_commit_v.mul(layouter.namespace(|| "[v_net] ValueCommitV"), v_net.clone())?
-            };
-
-            // blind = [rcv] ValueCommitR
-            let (blind, _rcv) = {
-                let rcv = self.rcv.as_ref().map(|rcv| rcv.inner());
-                let value_commit_r = OrchardFixedBasesFull::ValueCommitR;
-                let value_commit_r = FixedPoint::from_inner(ecc_chip.clone(), value_commit_r);
-
-                // [rcv] ValueCommitR
-                value_commit_r.mul(layouter.namespace(|| "[rcv] ValueCommitR"), rcv)?
-            };
-
-            // [v_net] ValueCommitV + [rcv] ValueCommitR
-            let cv_net = commitment.add(layouter.namespace(|| "cv_net"), &blind)?;
+            let cv_net = gadget::value_commit_orchard(
+                layouter.namespace(|| "cv_net = ValueCommit^Orchard_rcv(v_net)"),
+                ecc_chip.clone(),
+                v_net.clone(),
+                self.rcv.as_ref().map(|rcv| rcv.inner()),
+            )?;

            // Constrain cv_net to equal public input
            layouter.constrain_instance(cv_net.inner().x().cell(), config.primary, CV_NET_X)?;
--- a/src/circuit/gadget.rs
+++ b/src/circuit/gadget.rs
@ -2,9 +2,14 @@

 use pasta_curves::pallas;

-use crate::constants::{NullifierK, OrchardCommitDomains, OrchardFixedBases, OrchardHashDomains};
+use crate::constants::{
+    NullifierK, OrchardCommitDomains, OrchardFixedBases, OrchardFixedBasesFull, OrchardHashDomains,
+    ValueCommitV,
+};
 use halo2_gadgets::{
-    ecc::{chip::EccChip, EccInstructions, FixedPointBaseField, Point, X},
+    ecc::{
+        chip::EccChip, EccInstructions, FixedPoint, FixedPointBaseField, FixedPointShort, Point, X,
+    },
    poseidon::{Hash as PoseidonHash, PoseidonSpongeInstructions, Pow5Chip as PoseidonChip},
    primitives::poseidon::{self, ConstantLength},
    sinsemilla::{chip::SinsemillaChip, merkle::chip::MerkleChip},
@ -66,6 +71,44 @@ pub(in crate::circuit) trait AddInstruction<F: FieldExt>: Chip<F> {
    ) -> Result<AssignedCell<F, F>, plonk::Error>;
 }

+/// `ValueCommit^Orchard` from [Section 5.4.8.3 Homomorphic Pedersen commitments (Sapling and Orchard)].
+///
+/// [Section 5.4.8.3 Homomorphic Pedersen commitments (Sapling and Orchard)]: https://zips.z.cash/protocol/protocol.pdf#concretehomomorphiccommit
+pub(in crate::circuit) fn value_commit_orchard<
+    EccChip: EccInstructions<
+        pallas::Affine,
+        FixedPoints = OrchardFixedBases,
+        Var = AssignedCell<pallas::Base, pallas::Base>,
+    >,
+>(
+    mut layouter: impl Layouter<pallas::Base>,
+    ecc_chip: EccChip,
+    v: (
+        AssignedCell<pallas::Base, pallas::Base>,
+        AssignedCell<pallas::Base, pallas::Base>,
+    ),
+    rcv: Option<pallas::Scalar>,
+) -> Result<Point<pallas::Affine, EccChip>, plonk::Error> {
+    // commitment = [v] ValueCommitV
+    let (commitment, _) = {
+        let value_commit_v = ValueCommitV;
+        let value_commit_v = FixedPointShort::from_inner(ecc_chip.clone(), value_commit_v);
+        value_commit_v.mul(layouter.namespace(|| "[v] ValueCommitV"), v)?
+    };
+
+    // blind = [rcv] ValueCommitR
+    let (blind, _rcv) = {
+        let value_commit_r = OrchardFixedBasesFull::ValueCommitR;
+        let value_commit_r = FixedPoint::from_inner(ecc_chip, value_commit_r);
+
+        // [rcv] ValueCommitR
+        value_commit_r.mul(layouter.namespace(|| "[rcv] ValueCommitR"), rcv)?
+    };
+
+    // [v] ValueCommitV + [rcv] ValueCommitR
+    commitment.add(layouter.namespace(|| "cv"), &blind)
+}
+
 /// `DeriveNullifier` from [Section 4.16: Note Commitments and Nullifiers].
 ///
 /// [Section 4.16: Note Commitments and Nullifiers]: https://zips.z.cash/protocol/protocol.pdf#commitmentsandnullifiers