Endoscaling instructions and chip. #529
Conversation
therealyingtong
force-pushed
the
endoscale
branch
from
ed5ab6e
to
54d723a
Compare
therealyingtong
changed the base branch from
refactor-decompose-gadget
to
endoscale-prep
halo2/src/lib.rs
Outdated
| @@ -5,3 +5,5 @@ | |||
| #![deny(missing_debug_implementations)] | |||
| #![deny(missing_docs)] | |||
| #![deny(unsafe_code)] | |||
|
|
|||
| pub mod recursion; | |||
There was a problem hiding this comment.
We probably don't need this module any more (since halo2 is now entirely the recursive crate, and the non-recursive parts were moved to halo2_proofs).
There was a problem hiding this comment.
I thought that we re-exported all the halo2_proofs stuff from halo2 (at least, that was the original plan)? In which case a recursion module is still needed to separate the recursion-specific APIs and let users switch a halo2_proofs import to a halo2 one easily.
| @@ -271,7 +271,7 @@ impl<F: FieldExt + PrimeFieldBits, const K: usize> LookupRangeCheckConfig<F, K> | |||
| pub fn copy_short_check( | |||
| &self, | |||
| mut layouter: impl Layouter<F>, | |||
| element: AssignedCell<F, F>, | |||
| element: &AssignedCell<F, F>, | |||
There was a problem hiding this comment.
Needs documentation in the changelog.
halo2/src/recursion/endoscale.rs
Outdated
| fn endoscale_fixed_base<L: Layouter<C::Base>, const NUM_BITS: usize, const NUM_WINDOWS: usize>( | ||
| &self, | ||
| layouter: L, | ||
| base: C, |
There was a problem hiding this comment.
Currently, there is no way to constrain in the circuit that multiple invocations of endoscale_fixed_base use the same fixed base (it can happen incidentally, but only if the caller passes the same value through to be constant-assigned; a mistake here couldn't be caught in an automated way). Is this intentional (i.e. are the bases supposed to be unconnected)? If not, then a separate associated type, and a corresponding "assign this type from a constant" would be good (and probably what we actually want is just #334).
therealyingtong
force-pushed
the
endoscale-prep
branch
2 times, most recently
from
1caf222
to
920d3d0
Compare
therealyingtong
force-pushed
the
endoscale-prep
branch
from
920d3d0
to
82051ba
Compare
therealyingtong
force-pushed
the
endoscale
branch
from
54d723a
to
1097cb9
Compare
therealyingtong
force-pushed
the
endoscale-prep
branch
from
82051ba
to
779e09c
Compare
therealyingtong
force-pushed
the
endoscale
branch
from
1097cb9
to
698248c
Compare
therealyingtong
force-pushed
the
endoscale
branch
2 times, most recently
from
867eb36
to
6474826
Compare
therealyingtong
force-pushed
the
endoscale-prep
branch
from
779e09c
to
943b495
Compare
therealyingtong
force-pushed
the
endoscale
branch
from
6474826
to
a1ffacf
Compare
therealyingtong
force-pushed
the
endoscale-prep
branch
from
943b495
to
499464c
Compare
therealyingtong
force-pushed
the
endoscale
branch
2 times, most recently
from
20baed5
to
4b9b2da
Compare
| let y_check = { | ||
| let endo_y = double_and_add.y_p(meta, Rotation::cur()); | ||
| let p_y = meta.query_advice(base.1, Rotation::cur()); | ||
| // If the first bit is set, check that endo_y = P_y | ||
| let b0_set = b_0.clone() * (endo_y.clone() - p_y.clone()); | ||
|
|
||
| // If the first bit is not set, check that endo_y = -P_y | ||
| let not_b0 = Expression::Constant(C::Base::one()) - b_0; | ||
| let b0_not_set = not_b0 * (endo_y + p_y); | ||
|
|
||
| b0_set + b0_not_set | ||
| }; | ||
| let x_check = { | ||
| let endo_x = meta.query_advice(double_and_add.x_p, Rotation::cur()); | ||
| let p_x = meta.query_advice(base.0, Rotation::cur()); | ||
| // If the second bit is set, check that endo_x = ζ * P_x | ||
| let zeta = Expression::Constant(C::Base::ZETA); | ||
| let b1_set = b_1.clone() * (endo_x.clone() - zeta * p_x.clone()); | ||
|
|
||
| // If the second bit is not set, check that endo_x = P_x | ||
| let not_b1 = Expression::Constant(C::Base::one()) - b_1; | ||
| let b1_not_set = not_b1 * (endo_x - p_x); | ||
|
|
||
| b1_set + b1_not_set | ||
| }; |
There was a problem hiding this comment.
Use ternary gate.
therealyingtong
force-pushed
the
endoscale-prep
branch
from
499464c
to
e6036de
Compare
therealyingtong
force-pushed
the
endoscale
branch
from
34bfc60
to
f1f824a
Compare
therealyingtong
force-pushed
the
endoscale-prep
branch
from
e6036de
to
789eeef
Compare
therealyingtong
force-pushed
the
endoscale
branch
from
f1f824a
to
6a2ba5e
Compare
therealyingtong
force-pushed
the
endoscale-prep
branch
from
789eeef
to
4d7c2b7
Compare
therealyingtong
force-pushed
the
endoscale
branch
from
6a2ba5e
to
fb7fde9
Compare
therealyingtong
force-pushed
the
endoscale
branch
from
fb7fde9
to
75250e7
Compare
[book] Add description of endoscaling and public input handling. Co-authored-by: Ying Tong Lai <yingtong@electriccoin.co> Signed-off-by: Daira Hopwood <daira@jacaranda.org>
therealyingtong
force-pushed
the
endoscale
branch
from
75250e7
to
1af488a
Compare
| @@ -22,6 +22,7 @@ | |||
| #![deny(unsafe_code)] | |||
|
|
|||
| pub mod ecc; | |||
| pub mod endoscale; | |||
There was a problem hiding this comment.
| pub mod endoscale; | |
| #[cfg(feature = "unstable-endoscale-gadget")] | |
| pub mod endoscale; |
| - [SHA-256](design/gadgets/sha256.md) | ||
| - [16-bit table chip](design/gadgets/sha256/table16.md) | ||
| - [Endoscaling](design/gadgets/endoscaling.md) |
There was a problem hiding this comment.
| - [SHA-256](design/gadgets/sha256.md) | |
| - [16-bit table chip](design/gadgets/sha256/table16.md) | |
| - [Endoscaling](design/gadgets/endoscaling.md) | |
| - Unstable | |
| - [SHA-256](design/gadgets/sha256.md) | |
| - [16-bit table chip](design/gadgets/sha256/table16.md) | |
| - [Endoscaling](design/gadgets/endoscaling.md) |
I think this would make them sub-sections of an "Unstable" section in the summary, while keeping their URLs stable.
| @@ -0,0 +1,368 @@ | |||
| # Endoscaling | |||
There was a problem hiding this comment.
| # Endoscaling | |
| # Endoscaling | |
| > Status: Nightly | |
| > Feature flag: `unstable-endoscale-gadget` |
| /// # Panics | ||
| /// | ||
| /// Panics if the bitstring is longer than `F::NUM_BITS`. | ||
| pub fn le_bits_to_field_elem<F: PrimeFieldBits>(bits: &[bool]) -> F { |
There was a problem hiding this comment.
Does this need to be pub? How is it used outside halo2_gadgets?
| @@ -32,7 +32,7 @@ use halo2_proofs::{ | |||
| use std::marker::PhantomData; | |||
|
|
|||
| /// The running sum $[z_0, ..., z_W]$. If created in strict mode, $z_W = 0$. | |||
| #[derive(Debug)] | |||
| #[derive(Clone, Debug)] | |||
There was a problem hiding this comment.
Technically should be listed as an addition in the changelog.
| @@ -136,6 +136,16 @@ impl<F: Field> AssignedCell<Assigned<F>, F> { | |||
| } | |||
| } | |||
|
|
|||
| impl<F: Field> From<AssignedCell<F, F>> for AssignedCell<Assigned<F>, F> { | |||
There was a problem hiding this comment.
Document as an addition in the changelog.
| @@ -160,6 +160,11 @@ impl<C: CurveAffine> Params<C> { | |||
| self.g.clone() | |||
| } | |||
|
|
|||
| /// The `g_lagrange` bases | |||
| pub fn g_lagrange(&self) -> Vec<C> { | |||
There was a problem hiding this comment.
Document as an addition in the changelog. It would also be useful to document how or why this is useful. If it is only useful for endoscaling:
| pub fn g_lagrange(&self) -> Vec<C> { | |
| #[cfg(feature = "unstable-endoscale-gadget")] | |
| pub fn g_lagrange(&self) -> Vec<C> { |
Closes #583. Closes #248. Based on https://github.com/zcash/halo2/tree/endoscale-prep, which includes the PRs:
double_and_addhelper #592)decompose_running_sumhelper ([halo2_gadgets] Minor refactors todecompose_running_sumhelper #594)doubleAPI inEccInstructions([halo2_gadgets] Minor refactors and introduction ofdoubleAPI inEccInstructions#596)