Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ECC chip] Fixed- and variable-base scalar multiplication #111

Merged
merged 40 commits into from
Jul 15, 2021
Merged

[ECC chip] Fixed- and variable-base scalar multiplication #111

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
40 commits
Select commit Hold shift + click to select a range
0f60a81
ecc::chip.rs: Add EccScalarFixed, EccScalarFixedShort structs
therealyingtong Jun 12, 2021
64a2b02
ecc::chip.rs: Witness scalar for variable-base scalar mul
therealyingtong Jun 12, 2021
cc9dd20
chip::mul.rs: Implement variable-base scalar mul instruction.
therealyingtong Jun 5, 2021
a263774
chip::witness_scalar_fixed.rs: Implement witness_scalar_fixed instruc…
therealyingtong Jun 5, 2021
ae25310
chip::mul_fixed.rs: Implement fixed-base scalar mul instruction.
therealyingtong Jun 5, 2021
a3ca27b
ecc::tests: Add tests for variable- and fixed-base scalar mul.
therealyingtong Jun 14, 2021
5ae9890
mul::overflow.rs: Overflow check in variable-base scalar mul
therealyingtong Jun 13, 2021
747f71c
constants.rs: Add unit tests for T_P, T_Q constants.
therealyingtong Jun 15, 2021
37074c6
mul_fixed::short: Check that last window is either 0 or 1.
therealyingtong Jun 18, 2021
09b4da1
base_field_elem.rs: Support fixed-base mul using base field element.
therealyingtong Jun 18, 2021
b15343f
Add `OrchardFixedBasesFull::{generator, u}` methods
str4d Jun 16, 2021
e726fee
mul_fixed: Avoid computing fixed constants during proving
str4d Jun 16, 2021
69d6629
chip::mul.rs: Enforce LSB if/else condition
therealyingtong Jun 18, 2021
b363492
ecc::chip.rs: Introduce circuit-wide "constants" fixed column
therealyingtong Jun 19, 2021
4d69dec
mul::incomplete.rs: Constrain first and last y_a values.
therealyingtong Jul 2, 2021
e75c176
mul::incomplete.rs: Make offsets more intuitive
therealyingtong Jul 2, 2021
6ffd867
mul::complete.rs: Constrain negation of (x_p, y_p) in double-and-add.
therealyingtong Jul 2, 2021
3f961ab
mul::process_lsb(): Clean up assignments and boolean-constrain LSB.
therealyingtong Jul 2, 2021
33b66ab
tests::print_ecc_chip(): Print ECC chip.
therealyingtong Jul 2, 2021
67caed5
mul::incomplete: Constrain final iteration correctly
str4d Jul 2, 2021
2536555
mul_fixed: Constrain interpolated window mul to be on curve.
therealyingtong Jul 3, 2021
9fd4d7d
Cleanups and clippy fixes.
therealyingtong Jul 3, 2021
d550e15
mul_fixed_*::tests: Constrain zero outputs in mul_fixed tests.
therealyingtong Jul 3, 2021
2d343af
Update mul_fixed_* APIs to take Layouter instead of Region.
therealyingtong Jul 7, 2021
23f2ed5
gadget::utilities.rs: Add bitrange_subset() helper.
therealyingtong Jul 7, 2021
b690940
chip::mul_fixed.rs: Make q_mul_fixed a selector instead of fixed column.
therealyingtong Jul 7, 2021
72e469e
mul_fixed::base_field_elem.rs: Check canonicity of base field element…
therealyingtong Jul 7, 2021
ae72501
mul_fixed::base_field_elem: Add constraint alpha_2 = 0 => alpha_1 = 0.
therealyingtong Jul 7, 2021
f42d48b
mul_fixed::base_field_elem: Fix two_pow_130 expression.
therealyingtong Jul 8, 2021
d0e34cd
mul_fixed::base_field_elem: Eliminate alpha_0 lookup decomposition.
therealyingtong Jul 8, 2021
96863c9
mul_fixed::*: Use a separate region for complete addition assignment.
therealyingtong Jul 8, 2021
22ec16f
Minor refactors, cleanups, clippy fixes, docfixes.
therealyingtong Jul 8, 2021
e2ea443
mul_fixed::*::tests: Witness expected point and constrain result to b…
therealyingtong Jul 8, 2021
5c38f53
mul::tests: Witness expected point and constrain result to be equal.
therealyingtong Jul 8, 2021
ae4e54d
gadget::utilities: Add test cases for bitrange_subset() helper.
therealyingtong Jul 8, 2021
8a9f821
mul_fixed::base_field_elem: Remove double-enable of base_field_fixed_…
therealyingtong Jul 9, 2021
6c41c72
utilities::range_check: Correct range_check expression
therealyingtong Jul 9, 2021
0ade539
utilities::tests::test_range_check(): Test range_check() helper.
therealyingtong Jul 9, 2021
b696163
mul.rs: Explain ordering of mul::incomplete advice columns.
therealyingtong Jul 14, 2021
425ee6e
Docfixes and minor refactors.
therealyingtong Jul 15, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions src/circuit/gadget/ecc/chip/mul_fixed.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -424,7 +424,7 @@ impl<const NUM_WINDOWS: usize> Config<NUM_WINDOWS> {
)?;
}

// offset_acc = \sum_{j = 0}^{NUM_WINDOWS - 2} 2^{FIXED_BASE_WINDOW_SIZE * j+1}
// offset_acc = \sum_{j = 0}^{NUM_WINDOWS - 2} 2^{FIXED_BASE_WINDOW_SIZE*j + 1}
let offset_acc = (0..(NUM_WINDOWS - 1)).fold(pallas::Scalar::zero(), |acc, w| {
acc + (*TWO_SCALAR).pow(&[
constants::FIXED_BASE_WINDOW_SIZE as u64 * w as u64 + 1,
Expand All @@ -434,7 +434,7 @@ impl<const NUM_WINDOWS: usize> Config<NUM_WINDOWS> {
])
});

// `scalar = [k * 8^84 - offset_acc]`, where `offset_acc = \sum_{j = 0}^{83} 2^{FIXED_BASE_WINDOW_SIZE * j + 1}`.
// `scalar = [k * 8^84 - offset_acc]`, where `offset_acc = \sum_{j = 0}^{83} 2^{FIXED_BASE_WINDOW_SIZE*j + 1}`.
let scalar = scalar.windows_field()[scalar.windows_field().len() - 1]
.map(|k| k * (*H_SCALAR).pow(&[(NUM_WINDOWS - 1) as u64, 0, 0, 0]) - offset_acc);

Expand Down Expand Up @@ -531,14 +531,14 @@ impl ScalarFixed {
}

// The scalar decomposition is guaranteed to be in three-bit windows,
// so we also cast the least significant byte in their serialisation
// so we also cast the least significant 4 bytes in their serialisation
// into usize for convenient indexing into `u`-values
fn windows_usize(&self) -> Vec<Option<usize>> {
self.windows_field()
.iter()
.map(|window| {
if let Some(window) = window {
let window = window.to_bytes()[0] as usize;
let window = window.get_lower_32() as usize;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@daira left a comment inside the get_lower_32() impls:

// TODO: don't reduce, just hash the Montgomery form. (Requires rebuilding perfect hash table.)

We'll need to take care over there to ensure we don't alter this API, now that we are relying on it outside the perfect hash table.

assert!(window < constants::H);
Some(window)
} else {
Expand Down
3 changes: 2 additions & 1 deletion src/circuit/gadget/utilities.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,8 @@ pub fn transpose_option_array<T: Copy + std::fmt::Debug, const LEN: usize>(
ret
}

/// Subsets a field element to a specified bitrange (little-endian)
/// Takes a specified subsequence of the little-endian bit representation of a field element.
/// The bits are numbered from 0 for the LSB.
pub fn bitrange_subset<F: FieldExt + PrimeFieldBits>(field_elem: F, bitrange: Range<usize>) -> F {
assert!(bitrange.end <= F::NUM_BITS as usize);

Expand Down