[ECC chip] Fixed- and variable-base scalar multiplication

src/circuit/gadget/ecc/chip/add.rs

@@ -70,6 +70,10 @@ impl Config {
         .collect()
     }
 
+    pub(crate) fn output_columns(&self) -> HashSet<Column<Advice>> {
+        core::array::IntoIter::new([self.x_qr, self.y_qr]).collect()
+    }
+
     pub(crate) fn create_gate(&self, meta: &mut ConstraintSystem<pallas::Base>) {
         meta.create_gate("complete addition gates", |meta| {
             let q_add = meta.query_selector(self.q_add);

src/circuit/gadget/ecc/chip/mul.rs

@@ -80,15 +80,20 @@ impl From<&EccConfig> for Config {
             "y_p is shared across hi and lo halves."
         );
 
-        let add_config_advices = config.add_config.advice_columns();
-        assert!(
-            !add_config_advices.contains(&config.hi_config.z),
-            "hi_config z cannot overlap with complete addition columns."
-        );
-        assert!(
-            !add_config_advices.contains(&config.complete_config.z_complete),
-            "complete_config z cannot overlap with complete addition columns."
-        );
+        // For both hi_config and lo_config:
+        // z and lambda1 are assigned on the same row as the add_config output.
+        // Therefore, z and lambda1 must not overlap with add_config.x_qr, add_config.y_qr.
+        let add_config_outputs = config.add_config.output_columns();
+        for config in [&(*config.hi_config), &(*config.lo_config)].iter() {
+            assert!(
+                !add_config_outputs.contains(&config.z),
+                "incomplete config z cannot overlap with complete addition columns."
+            );
+            assert!(
+                !add_config_outputs.contains(&config.lambda1),
+                "incomplete config lambda1 cannot overlap with complete addition columns."
+            );
+        }
 
         config
     }
@@ -464,7 +469,8 @@ pub mod tests {
             scalar_val: pallas::Base,
             result: Point<pallas::Affine, EccChip>,
         ) -> Result<(), Error> {
-            // Case scalar from base field into scalar field
+            // Move scalar from base field into scalar field (which always fits
+            // for Pallas).
             let scalar = pallas::Scalar::from_bytes(&scalar_val.to_bytes()).unwrap();
             let expected = Point::new(
                 chip,

src/circuit/gadget/ecc/chip/mul_fixed/base_field_elem.rs

@@ -1,4 +1,5 @@
 use super::super::{EccBaseFieldElemFixed, EccConfig, EccPoint, OrchardFixedBasesFull};
+use super::H_BASE;
 
 use crate::{
     circuit::gadget::utilities::{
@@ -167,7 +168,7 @@ impl Config {
                     z_44_alpha.clone() - z_84_alpha * two_pow_120
                 };
                 // a_43 = z_43 - (2^3)z_44
-                let a_43 = z_43_alpha - z_44_alpha * pallas::Base::from_u64(1 << 3);
+                let a_43 = z_43_alpha - z_44_alpha * *H_BASE;
 
                 std::iter::empty()
                     .chain(Some(("MSB = 1 => alpha_1 = 0", alpha_2.clone() * alpha_1)))
@@ -456,10 +457,6 @@ impl Config {
             &self.super_config.perm,
         )?;
 
-        for idx in 0..words.len() {
-            self.base_field_fixed_mul.enable(region, offset + idx)?;
-        }
-
         let offset = offset + 1;
 
         let eight_inv = pallas::Base::TWO_INV.square() * pallas::Base::TWO_INV;
@@ -581,7 +578,7 @@ pub mod tests {
             scalar_val: pallas::Base,
             result: Point<pallas::Affine, EccChip>,
         ) -> Result<(), Error> {
-            // Case scalar from base field into scalar field
+            // Move scalar from base field into scalar field (which always fits for Pallas).
             let scalar = pallas::Scalar::from_bytes(&scalar_val.to_bytes()).unwrap();
             let expected = Point::new(
                 chip,

src/circuit/gadget/utilities.rs

@@ -123,19 +123,101 @@ pub fn bitrange_subset<F: FieldExt + PrimeFieldBits>(field_elem: F, bitrange: Ra
 /// Check that an expression is in the small range [0..range),
 /// i.e. 0 ≤ word < range.
 pub fn range_check<F: FieldExt>(word: Expression<F>, range: usize) -> Expression<F> {
-    (0..range)
-        .map(|i| Expression::Constant(F::from_u64(i as u64)))
-        .reduce(|acc, i| acc * (word.clone() - i))
-        .expect("range > 0")
+    (1..range).fold(word.clone(), |acc, i| {
+        acc * (word.clone() - Expression::Constant(F::from_u64(i as u64)))
+    })
 }
 
 #[cfg(test)]
 mod tests {
     use super::*;
     use bigint::U256;
     use ff::PrimeField;
+    use halo2::{
+        circuit::{layouter::SingleChipLayouter, Layouter},
+        dev::{MockProver, VerifyFailure},
+        plonk::{Assignment, Circuit, ConstraintSystem, Error, Selector},
+        poly::Rotation,
+    };
     use pasta_curves::pallas;
 
+    #[test]
+    fn test_range_check() {
+        struct MyCircuit<const RANGE: usize>(u8);
+
+        impl<const RANGE: usize> UtilitiesInstructions<pallas::Base> for MyCircuit<RANGE> {
+            type Var = CellValue<pallas::Base>;
+        }
+
+        #[derive(Clone)]
+        struct Config {
+            selector: Selector,
+            advice: Column<Advice>,
+        }
+
+        impl<const RANGE: usize> Circuit<pallas::Base> for MyCircuit<RANGE> {
+            type Config = Config;
+
+            fn configure(meta: &mut ConstraintSystem<pallas::Base>) -> Self::Config {
+                let selector = meta.selector();
+                let advice = meta.advice_column();
+
+                meta.create_gate("range check", |meta| {
+                    let selector = meta.query_selector(selector);
+                    let advice = meta.query_advice(advice, Rotation::cur());
+
+                    vec![selector * range_check(advice, RANGE)]
+                });
+
+                Config { selector, advice }
+            }
+
+            fn synthesize(
+                &self,
+                cs: &mut impl Assignment<pallas::Base>,
+                config: Self::Config,
+            ) -> Result<(), Error> {
+                let mut layouter = SingleChipLayouter::new(cs)?;
+
+                layouter.assign_region(
+                    || "range constrain",
+                    |mut region| {
+                        config.selector.enable(&mut region, 0)?;
+                        region.assign_advice(
+                            || format!("witness {}", self.0),
+                            config.advice,
+                            0,
+                            || Ok(pallas::Base::from_u64(self.0.into())),
+                        )?;
+
+                        Ok(())
+                    },
+                )
+            }
+        }
+
+        for i in 0..8 {
+            let circuit: MyCircuit<8> = MyCircuit(i);
+            let prover = MockProver::<pallas::Base>::run(1, &circuit, vec![]).unwrap();
+            assert_eq!(prover.verify(), Ok(()));
+        }
+
+        {
+            let circuit: MyCircuit<8> = MyCircuit(8);
+            let prover = MockProver::<pallas::Base>::run(1, &circuit, vec![]).unwrap();
+            assert_eq!(
+                prover.verify(),
+                Err(vec![VerifyFailure::Constraint {
+                    gate_index: 0,
+                    gate_name: "range check",
+                    constraint_index: 0,
+                    constraint_name: "",
+                    row: 0
+                }])
+            );
+        }
+    }
+
     #[test]
     fn test_bitrange_subset() {
         // Subset full range.