zec
/
orchard
mirror of https://github.com/zcash/orchard.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
682 Commits 5 Branches 12 Tags 25 MiB
Commit Graph

682 Commits

Author SHA1 Message Date
str4d 078b71a960
Merge pull request #165 from daira/bump-halo2 
Update to assign_table API.
 2021-07-27 21:29:27 +01:00
Jack Grigg 6185d8e295 Bump halo2 revision to include `Layouter::assign_table` 2021-07-27 20:54:48 +01:00
Daira Hopwood 145da9c510 Update to assign_table API. 
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-27 18:32:32 +01:00
str4d a273307661
Merge pull request #164 from daira/book-decomposition 
[book] decomposition.md: avoid introducing `m` when we already have `range`
 2021-07-27 17:10:50 +01:00
Daira Hopwood b2e25b5ac3 [book] decomposition.md: avoid introducing `m` when we already have `range`. 
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-27 17:06:36 +01:00
ying tong ee878ddc57
Merge pull request #162 from zcash/book-merge-lookups 
[book] Merge lookup arguments for normal and short variants
 2021-07-27 23:34:28 +08:00
ying tong d8743b8870
Merge pull request #161 from zcash/merge-lookups 
Merge lookup arguments in `lookup_range_check` helper.
 2021-07-27 23:34:15 +08:00
ying tong 0bb4a7fd71
[book] decomposition.md: Formatting and phrasing fixes. 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: str4d <jack@electriccoin.co>
 2021-07-27 23:29:11 +08:00
ying tong 1c2ab16a15
Merge pull request #163 from zcash/book-notecommit-fixes 
book: Fixes to NoteCommit page
 2021-07-27 23:10:29 +08:00
therealyingtong d3a7e9ed39 lookup_range_check: Merge running sum and short lookup arguments. 
The lookup running sum decomposition uses the same lookup table as
its short variant. These two lookup arguments have been merged.

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-27 09:50:17 +01:00
str4d bb90f2eb7d
Merge pull request #101 from zcash/action-circuit 
Action circuit
 2021-07-27 09:49:23 +01:00
str4d 620e227854
Fix y-coordinate recovery in NoteCommit tests 2021-07-27 09:27:33 +01:00
therealyingtong 3f506a0129 circuit.rs: Minor cleanups and column optimisations. 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-27 15:41:26 +08:00
therealyingtong 664125f44f commit_ivk::tests: Check value of output ivk against expected ivk. 2021-07-27 15:33:13 +08:00
therealyingtong fa135fe62e note_commit::tests: Constrain output of NoteCommit to expected point. 2021-07-27 15:23:00 +08:00
therealyingtong ac5404a943 [book] note-commit.md: Update NoteCommit gate region layout. 
By rearranging the pieces in the gate, we remove a prev() query and
preserve proximity between pieces involved in the same constraint.
 2021-07-27 13:56:10 +08:00
therealyingtong 7aa3174880 sinsemilla::note_commit: Improve NoteCommit gate layout. 
By rearranging the pieces in the gate, we remove a prev() query and
preserve proximity between pieces involved in the same constraint.

This commit also includes several minor fixes:
- use strict mode for decomposition of j in y-coordinate check;
- Name All Polynomial Constraints;
- remove point_repr() helper function;
- variable renaming and docfixes.

Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-27 13:51:35 +08:00
therealyingtong 920fe64399 [book] note-commit.md: Document substitution of k_1 with z1_j. 
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-27 12:53:41 +08:00
therealyingtong e4a960d7f1 sinsemilla::note_commit: Simplify y canonicity check region layout 
Instead of separately witnessing k_1 and equating it to z1_j, we
can directly make use of z1_j in the gate. This allows us to fit
the region into a 5 x 2 area, improving the layout.

Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-27 12:49:42 +08:00
Jack Grigg 9ef46ae4ee book: Fixes to NoteCommit page 
Noticed during review.
 2021-07-27 05:34:36 +01:00
therealyingtong 65ff84da0a [book] decomposition.md: Merge lookup arguments for normal and short variants. 2021-07-27 11:56:18 +08:00
Daira Hopwood 29fe6e14fc
Merge pull request #148 from daira/daira-book-addition 
[book] Fixes to the completeness arguments for cases of complete addition, and a fix to the last step of variable-base scalar multiplication
 2021-07-27 02:10:49 +01:00
Daira Hopwood a6badba32f [book] src/design/circuit/gadgets/ecc/var-base-scalar-mul.md: we always do addition (possibly of the zero point) at the end of variable-base scalar mul. 
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-27 02:01:21 +01:00
Daira Hopwood 7895a2a082 [book] src/design/circuit/gadgets/ecc/var-base-scalar-mul.md: more formatting. 
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-27 02:01:05 +01:00
Daira Hopwood 3dfefe0e85 [book] src/design/circuit/gadgets/ecc/addition.md: correctness and clarity. 
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-27 01:51:37 +01:00
Daira Hopwood 3ed388e6bb [book] src/design/circuit/gadgets/ecc/addition.md: formatting. 
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-27 01:51:28 +01:00
ying tong 4229ba1dec
Merge pull request #134 from zcash/book-sinsemilla-inputs 
[book] Document decomposition and canonicity checks for Sinsemilla inputs
 2021-07-27 03:29:13 +08:00
therealyingtong b3ccd3f0dd Use halo2 selector optimizations. 2021-07-27 03:14:34 +08:00
therealyingtong 65ccf80560 sinsemilla::note_commit: Check canonicity of y(g_d), y(pk_d). 
Even though we only use the LSB of the y-coordinates as inputs to
the Sinsemilla hash, we still have to check that they are consistent
with the g_d and pk_d points that were passed in.

Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-27 03:13:54 +08:00
therealyingtong f1ccc58d9a [book] note-commit.md: y-coordinate canonicity constraints. 
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-27 01:56:17 +08:00
ying tong 3833d665de
[book] Clarify upper bounds in canonicity shift constraints. 2021-07-26 12:05:25 +08:00
ying tong 14b8d9b048
[book] note-commit.md: 2^140 -> 2^130 in psi check. 
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-26 11:12:42 +08:00
ying tong 453681f309
[book] commit-ivk.md: Update region layout to use 9 advice columns. 
Co-authored-by: str4d <jack@electriccoin.co>
 2021-07-26 11:09:47 +08:00
therealyingtong 57f23d9f17 sinsemilla::commit_ivk: Fix two_pow_5 constraint bug. 
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-26 10:05:15 +08:00
Jack Grigg 0375c64801 [book] Update NoteCommit page to match Commit^ivk style 
Constraint tables have been added along with the region layout. I also
fixed numerous bugs in the constraints (most of which appeared to be
copy-pasta bugs).
 2021-07-26 02:05:35 +01:00
Jack Grigg 5aa05713e7 [book] Use \CommitIvk macro in page heading 
We can't use KaTeX  on the SUMMARY page that generates the sidebar, so
that continues to use a CamelCase approximation.
 2021-07-26 02:05:35 +01:00
Jack Grigg f376a61bb8 [book] Add macros, constraint tables, and region layout to Commit^ivk 
I also merged in content from a page I wrote independently while
reviewing the Action circuit PR, and made various cleanups to the
Markdown source.
 2021-07-26 02:05:35 +01:00
Daira Hopwood 4a5a4cc437 [book] merkle-crh.md: formatting. 
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-26 02:05:35 +01:00
Daira Hopwood ed20d539b2 [book] merkle-crh.md: corrections. 
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
 2021-07-26 02:05:35 +01:00
Daira Hopwood 47a29f10aa [book] Document NoteCommit message decomposition & canonicity checks 2021-07-26 02:05:35 +01:00
Daira Hopwood 2846593937 [book] Document CommitIvk message decomposition & canonicity checks 2021-07-26 02:05:35 +01:00
Daira Hopwood 9708e296c8 [book] Document Merkle chip layout and message decomposition. 2021-07-26 02:05:35 +01:00
therealyingtong 5b63550f50 sinsemilla::note_commit: Check that g1_g2_prime < 2^130 instead of 2^140. 
Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-25 21:56:55 +08:00
ying tong 9a44a14863
Merge pull request #160 from zcash/book-recombine-sinsemilla-selectors 
[book] Recombine Sinsemilla q_S1, q_S2, q_S3 selectors.
 2021-07-25 21:16:12 +08:00
therealyingtong d9351df544 sinsemilla::commit_ivk: Use 9 advice columns instead of 10 
Change the region layout to only use 9 advice columns instead of 10.
Also rename variables to match the book.

Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-25 21:10:13 +08:00
therealyingtong 5999d4be6d sinsemilla::commit_ivk.rs: Change z14_c -> z13_c 
This matches the constraint specified in the book.

Co-authored-by: Jack Grigg <jack@electriccoin.co>
 2021-07-25 21:10:13 +08:00
therealyingtong 4d1cd2651a Return full running sum [z_0, ..., z_W] from lookup_range_check and decompose_running_sum. 
Previously, these two helpers were returning different outputs.
They have now been standardised to return only the full running
sum.

Note the z_0 is the original element being decomposed by the
helper.
 2021-07-25 21:10:13 +08:00
Jack Grigg 092cc389bb More small circuit optimisations 
- Placing the Poseidon `state` columns after the `partial_sbox` column
  instead of before it causes them to line up with vast stretch of free
  space, enabling the pad-and-add region to be layed out there.

- Using the `Region::assign_advice_from_constant` API to initialise the
  Poseidon state removes fixed-column contention between that region and
  fixed-base scalar multiplication, enabling it to also be layed out
  within the free space.
  - If https://github.com/zcash/halo2/issues/334 were implemented then
    this region would disappear.

- The overflow check in variable-base scalar mul is also moved into the
  columns with free space.
 2021-07-25 21:10:13 +08:00
therealyingtong 7af1ae5b52 note_commit: Decompose q_canon into two binary selectors. 
Previously, q_canon was a non-binary fixed column that was set to
either {1, 2}. It has been decomposed into two binary selectors.
 2021-07-25 21:10:13 +08:00
therealyingtong 76c73531c8 lookup_range_check: Replace short_lookup_bitshift with selector. 
Previously, the short_lookup_bitshift fixed column was a non-binary
selector that both provided a constant value and toggled a gate.

Now, the constant value is copied in from the global constants API,
and the toggle is handled by a q_lookup_bitshift selector.
 2021-07-25 21:10:13 +08:00