In the Orchard protocol, only the NullifierK fixed base in used in
scalar multiplication with a base field element.
The mul_fixed_base_field_elem() API does not have to accept fixed
bases other than NullifierK; conversely, NullifierK does not have
to work with the full-width mul_fixed() API.
This decomposes a field element into K-bit windows using a
running sum. Each step of the running sum is range-constrained.
In strict mode, the final output of the running sum is constrained
to be zero.
This helper asserts K <= 3.
Using these in `OrchardFixedBases::{generator, u}` instead of the
`impl From<OrchardFixedBasesFull> for OrchardFixedBase` means we avoid
computing the Lagrange coefficients for the generator (which were then
immediately dropped).
This decreases proving time in the Action circuit by 53%.
- document that find_zs_and_us is not meant to be used anywhere
- use F::zero() instead of F::default() in constants/util.rs
- use personalisations from constants in spec.rs
Previously, the window table M for fixed-base scalar multiplication
computed M[w][k] = [(k+1)*(2^3)^w]B for each window w, where k is a
3-bit chunk in the scalar decomposition in the range [0..8).
However, in the case k_0 = 7, k_1= 0, the window table entries would
evaluate to:
* M[0][k_0] = [(7+1)*(2^3)^0]B = [8]B,
* M[1][k_1] = [(0+1)*(2^3)^1]B = [8]B,
which means the first addition would require complete addition.
To avoid this, we alter the formula to M[w][k] = [(k+2)*(2^3)^w]B.
We make a corresponding change to the formula for the last window
W. Previously, we had:
M[W][k] = [k * (2^3)^W - \sum((2^3)^j)]B, for j in [0..W-1).
Now, we have:
M[W][k] = [k * (2^3)^W - \sum(2^(3j+1))]B, for j in [0..W-1).
Kris Nuttycombe
therealyingtong
Jack Grigg