diff --git a/halo2_gadgets/src/sinsemilla/chip/hash_to_point.rs b/halo2_gadgets/src/sinsemilla/chip/hash_to_point.rs index fc4567974..74a3d113a 100644 --- a/halo2_gadgets/src/sinsemilla/chip/hash_to_point.rs +++ b/halo2_gadgets/src/sinsemilla/chip/hash_to_point.rs @@ -58,6 +58,80 @@ where self.check_hash_result(EccPointQ::PublicPoint(Q), message, x_a, y_a, zs_sum) } + #[allow(unused_variables)] + #[allow(non_snake_case)] + #[allow(clippy::type_complexity)] + fn check_hash_result( + &self, + Q: EccPointQ, + message: &>::Message, + x_a: X, + y_a: AssignedCell, pallas::Base>, + zs_sum: Vec>>, + ) -> Result< + ( + NonIdentityEccPoint, + Vec>>, + ), + Error, + > { + #[cfg(test)] + // Check equivalence to result from primitives::sinsemilla::hash_to_point + { + use crate::sinsemilla::primitives::{K, S_PERSONALIZATION}; + + use group::{prime::PrimeCurveAffine, Curve}; + use pasta_curves::arithmetic::CurveExt; + + let field_elems: Value> = message + .iter() + .map(|piece| piece.field_elem().map(|elem| (elem, piece.num_words()))) + .collect(); + + let value_Q = match Q { + EccPointQ::PublicPoint(p) => Value::known(p), + EccPointQ::PrivatePoint(p) => p.point(), + }; + + field_elems + .zip(x_a.value().zip(y_a.value())) + .zip(value_Q) + .assert_if_known(|((field_elems, (x_a, y_a)), value_Q)| { + // Get message as a bitstring. + let bitstring: Vec = field_elems + .iter() + .flat_map(|(elem, num_words)| { + elem.to_le_bits().into_iter().take(K * num_words) + }) + .collect(); + + let hasher_S = pallas::Point::hash_to_curve(S_PERSONALIZATION); + let S = |chunk: &[bool]| hasher_S(&lebs2ip_k(chunk).to_le_bytes()); + + // We can use complete addition here because it differs from + // incomplete addition with negligible probability. + let expected_point = bitstring + .chunks(K) + .fold(value_Q.to_curve(), |acc, chunk| (acc + S(chunk)) + acc); + let actual_point = + pallas::Affine::from_xy(x_a.evaluate(), y_a.evaluate()).unwrap(); + expected_point.to_affine() == actual_point + }); + } + + x_a.value() + .zip(y_a.value()) + .error_if_known_and(|(x_a, y_a)| x_a.is_zero_vartime() || y_a.is_zero_vartime())?; + Ok(( + NonIdentityEccPoint::from_coordinates_unchecked(x_a.0, y_a), + zs_sum, + )) + } + #[allow(non_snake_case)] /// Assign the coordinates of the initial public point `Q`, /// y_Q to a fixed column @@ -179,80 +253,6 @@ where Ok((x_a, y_a, zs_sum)) } - #[allow(unused_variables)] - #[allow(non_snake_case)] - #[allow(clippy::type_complexity)] - fn check_hash_result( - &self, - Q: EccPointQ, - message: &>::Message, - x_a: X, - y_a: AssignedCell, pallas::Base>, - zs_sum: Vec>>, - ) -> Result< - ( - NonIdentityEccPoint, - Vec>>, - ), - Error, - > { - #[cfg(test)] - // Check equivalence to result from primitives::sinsemilla::hash_to_point - { - use crate::sinsemilla::primitives::{K, S_PERSONALIZATION}; - - use group::{prime::PrimeCurveAffine, Curve}; - use pasta_curves::arithmetic::CurveExt; - - let field_elems: Value> = message - .iter() - .map(|piece| piece.field_elem().map(|elem| (elem, piece.num_words()))) - .collect(); - - let value_Q = match Q { - EccPointQ::PublicPoint(p) => Value::known(p), - EccPointQ::PrivatePoint(p) => p.point(), - }; - - field_elems - .zip(x_a.value().zip(y_a.value())) - .zip(value_Q) - .assert_if_known(|((field_elems, (x_a, y_a)), value_Q)| { - // Get message as a bitstring. - let bitstring: Vec = field_elems - .iter() - .flat_map(|(elem, num_words)| { - elem.to_le_bits().into_iter().take(K * num_words) - }) - .collect(); - - let hasher_S = pallas::Point::hash_to_curve(S_PERSONALIZATION); - let S = |chunk: &[bool]| hasher_S(&lebs2ip_k(chunk).to_le_bytes()); - - // We can use complete addition here because it differs from - // incomplete addition with negligible probability. - let expected_point = bitstring - .chunks(K) - .fold(value_Q.to_curve(), |acc, chunk| (acc + S(chunk)) + acc); - let actual_point = - pallas::Affine::from_xy(x_a.evaluate(), y_a.evaluate()).unwrap(); - expected_point.to_affine() == actual_point - }); - } - - x_a.value() - .zip(y_a.value()) - .error_if_known_and(|(x_a, y_a)| x_a.is_zero_vartime() || y_a.is_zero_vartime())?; - Ok(( - NonIdentityEccPoint::from_coordinates_unchecked(x_a.0, y_a), - zs_sum, - )) - } - #[allow(clippy::type_complexity)] /// Hashes a message piece containing `piece.length` number of `K`-bit words. ///