From 067eca51135c06922a71200e83caac1d2c843b7f Mon Sep 17 00:00:00 2001 From: Dmitry Demin Date: Sat, 24 Feb 2024 20:17:38 +0100 Subject: [PATCH] Make missed fixes for the previous commit and provide a draft generalization to generate both vanilla and zsa circuit --- Cargo.lock | 21 ------ Cargo.toml | 1 - halo2_gadgets/src/sinsemilla.rs | 4 ++ halo2_gadgets/src/sinsemilla/chip.rs | 13 +++- .../src/sinsemilla/chip/hash_to_point.rs | 64 ++++++++++++++++++- .../src/utilities/lookup_range_check.rs | 2 +- halo2_proofs/src/dev/cost.rs | 3 - 7 files changed, 77 insertions(+), 31 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 7b48b4f4a0..2f8bc71dfb 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -864,27 +864,6 @@ dependencies = [ "uint", ] -[[package]] -name = "halo2_gadgets_zsa" -version = "0.3.0" -dependencies = [ - "arrayvec", - "bitvec", - "criterion", - "ff", - "group", - "halo2_proofs", - "inferno", - "lazy_static", - "pasta_curves", - "plotters", - "pprof", - "proptest", - "rand", - "subtle", - "uint", -] - [[package]] name = "halo2_legacy_pdqsort" version = "0.1.0" diff --git a/Cargo.toml b/Cargo.toml index dbb7735770..b7878ae843 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -2,6 +2,5 @@ members = [ "halo2", "halo2_gadgets", - "halo2_gadgets_zsa", "halo2_proofs", ] diff --git a/halo2_gadgets/src/sinsemilla.rs b/halo2_gadgets/src/sinsemilla.rs index e57c0a2129..7bae069dd8 100644 --- a/halo2_gadgets/src/sinsemilla.rs +++ b/halo2_gadgets/src/sinsemilla.rs @@ -515,8 +515,12 @@ where Error, > { assert_eq!(self.M.sinsemilla_chip, message.chip); + + // FIXME: it's not a breaking change because `blinding_factor` simply wraps `R.mul` + // and `hash` simply wraps `M.hash_to_point` - are those wrapper really needed? let blind = self.blinding_factor(layouter.namespace(|| "[r] R"), r)?; let (p, zs) = self.hash(layouter.namespace(|| "M"), message)?; + let commitment = p.add(layouter.namespace(|| "M + [r] R"), &blind)?; Ok((commitment, zs)) } 
diff --git a/halo2_gadgets/src/sinsemilla/chip.rs b/halo2_gadgets/src/sinsemilla/chip.rs index 222886a867..022941dd82 100644 --- a/halo2_gadgets/src/sinsemilla/chip.rs +++ b/halo2_gadgets/src/sinsemilla/chip.rs @@ -59,6 +59,8 @@ where pub(super) generator_table: GeneratorTableConfig, /// An advice column configured to perform lookup range checks. lookup_config: LookupRangeCheckConfig, + /// FIXME: add a proper comment + is_zsa_variant: bool, _marker: PhantomData<(Hash, Commit, F)>, } @@ -181,6 +183,8 @@ where table_range_check_tag: lookup.3, }, lookup_config: range_check, + // FIXME: consider passing is_zsa_enabled to `configure` function explicitly + is_zsa_variant: lookup.3.is_some(), _marker: PhantomData, }; @@ -204,9 +208,12 @@ where // https://p.z.cash/halo2-0.1:sinsemilla-constraints?partial meta.create_gate("Initial y_Q", |meta| { let q_s4 = meta.query_selector(config.q_sinsemilla4); - let y_q = meta.query_fixed(config.fixed_y_q); - // FIXME: restore zsa version: - //let y_q = meta.query_advice(config.double_and_add.x_p, Rotation::prev()); + + let y_q = if config.is_zsa_variant { + meta.query_advice(config.double_and_add.x_p, Rotation::prev()) + } else { + meta.query_fixed(config.fixed_y_q) + }; // Y_A = (lambda_1 + lambda_2) * (x_a - x_r) let Y_A_cur = Y_A(meta, Rotation::cur()); diff --git a/halo2_gadgets/src/sinsemilla/chip/hash_to_point.rs b/halo2_gadgets/src/sinsemilla/chip/hash_to_point.rs index 165615efaa..c9c4bdb470 100644 --- a/halo2_gadgets/src/sinsemilla/chip/hash_to_point.rs +++ b/halo2_gadgets/src/sinsemilla/chip/hash_to_point.rs @@ -41,7 +41,11 @@ where ), Error, > { - let (offset, x_a, y_a) = self.public_initialization(region, Q)?; + let (offset, x_a, y_a) = if self.config.is_zsa_variant { + self.public_initialization_zsa(region, Q)? + } else { + self.public_initialization(region, Q)? + }; let (x_a, y_a, zs_sum) = self.hash_all_pieces(region, offset, message, x_a, y_a)?; 
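Review bot: The new `is_zsa_variant` field ships with a placeholder rustdoc (`/// FIXME: add a proper comment`) even though, per the third hunk of this file, it decides which column the "Initial y_Q" gate queries. A comment such as `/// Selects the ZSA layout: the "Initial y_Q" gate reads y_Q from advice double_and_add.x_p on the previous row instead of fixed_y_q.` would document that. In the second hunk the value is inferred from `lookup.3.is_some()`, so the generated gate follows the presence of the range-check tag column rather than an explicit choice by the caller. Passing the flag into `configure`, as the FIXME there already suggests, would keep a change in lookup setup from silently changing the constraints. Both the struct and `configure` start outside these hunks.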
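Review bot: In the ZSA branch of the "Initial y_Q" gate, `y_q` now comes from `meta.query_advice(config.double_and_add.x_p, Rotation::prev())`, a witness cell, so this gate by itself no longer ties the starting point to the domain's fixed Q. That binding presumably comes from a constant or equality constraint placed by `public_initialization_zsa`, whose body is not part of this patch. It is worth confirming and recording next to the branch, e.g. `// ZSA: y_Q sits in advice x_p on the previous row and must be pinned by a constant constraint during initialization`. The dispatch added in hash_to_point.rs branches on the same flag, which keeps gate and assignment in step. The gate closure continues past the end of the hunk.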
@@ -116,6 +120,19 @@ where let (x_a, y_a, zs_sum) = self.hash_all_pieces(region, offset, message, x_a, y_a)?; + // FIXME: try to avoid duplication with a very similar code block in `hash_message` method + // - it's basically the same code except the following lines: + // + // hash_message_with_private_init: + // ... + // .zip(Q.point()) + // .assert_if_known(|((field_elems, (x_a, y_a)), Q)| { + // ... + // + // hash_message: + // ... + // .assert_if_known(|(field_elems, (x_a, y_a))| { + // ... #[cfg(test)] #[allow(non_snake_case)] // Check equivalence to result from primitives::sinsemilla::hash_to_point @@ -165,6 +182,49 @@ where )) } + #[allow(non_snake_case)] + fn public_initialization( + &self, + region: &mut Region<'_, pallas::Base>, + Q: pallas::Affine, + ) -> Result<(usize, X, Y), Error> { + let config = self.config().clone(); + let offset = 0; + + // Get the `x`- and `y`-coordinates of the starting `Q` base. + let x_q = *Q.coordinates().unwrap().x(); + let y_q = *Q.coordinates().unwrap().y(); + + // Constrain the initial x_a, lambda_1, lambda_2, x_p using the q_sinsemilla4 + // selector. + let y_a: Y = { + // Enable `q_sinsemilla4` on the first row. + config.q_sinsemilla4.enable(region, offset)?; + region.assign_fixed( + || "fixed y_q", + config.fixed_y_q, + offset, + || Value::known(y_q), + )?; + + Value::known(y_q.into()).into() + }; + + // Constrain the initial x_q to equal the x-coordinate of the domain's `Q`. + let x_a: X = { + let x_a = region.assign_advice_from_constant( + || "fixed x_q", + config.double_and_add.x_a, + offset, + x_q.into(), + )?; + + x_a.into() + }; + + Ok((offset, x_a, y_a)) + } + #[allow(non_snake_case)] /// Assign the coordinates of the initial public point `Q` /// @@ -172,7 +232,7 @@ where /// -------------------------------------- /// | 0 | | y_Q | | /// | 1 | x_Q | | 1 | - fn public_initialization( + fn public_initialization_zsa( &self, region: &mut Region<'_, pallas::Base>, Q: pallas::Affine, 
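Review bot: The re-added `public_initialization` has no doc comment, because the existing one with the row layout stays attached to the function renamed to `public_initialization_zsa` in the next hunk, and it calls `Q.coordinates().unwrap()` twice. I would add a doc comment saying that this vanilla variant enables `q_sinsemilla4` at offset 0, assigns y_Q to the fixed column `fixed_y_q` and assigns x_Q from a constant in `double_and_add.x_a` on the same row. The coordinates can be read once with the invariant stated, presumably that Q is never the identity: `let q = Q.coordinates().expect("Q is a fixed non-identity domain point");` followed by `let (x_q, y_q) = (*q.x(), *q.y());`. `let config = self.config().clone();` could likely borrow instead of cloning, assuming nothing below needs ownership.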
diff --git a/halo2_gadgets/src/utilities/lookup_range_check.rs b/halo2_gadgets/src/utilities/lookup_range_check.rs index e03e39dce9..04e94e30df 100644 --- a/halo2_gadgets/src/utilities/lookup_range_check.rs +++ b/halo2_gadgets/src/utilities/lookup_range_check.rs @@ -49,7 +49,7 @@ impl RangeConstrained> { .map(|inner| Self { inner, num_bits, - _phantom: PhantomData::default(), + _phantom: PhantomData, }) } } diff --git a/halo2_proofs/src/dev/cost.rs b/halo2_proofs/src/dev/cost.rs index 1fe8043ce0..0c3c7efaf1 100644 --- a/halo2_proofs/src/dev/cost.rs +++ b/halo2_proofs/src/dev/cost.rs @@ -270,9 +270,6 @@ impl> CircuitCost= cs.minimum_rows());