Merge branch 'improve-backward-compatability-with-zsa' into backward-…

…compatibility-based-on-previous-pr

.github/workflows/ci.yml

@@ -127,34 +127,33 @@ jobs:
       - name: Test halo2 book
         run: mdbook test -L target/debug/deps book/
 
-  codecov:
-    name: Code coverage
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-      # Use stable for this to ensure that cargo-tarpaulin can be built.
-      - id: prepare
-        uses: ./.github/actions/prepare
-        with:
-          toolchain: stable
-          nightly-features: true
-      - name: Install cargo-tarpaulin
-        uses: actions-rs/cargo@v1
-        with:
-          command: install
-          args: cargo-tarpaulin
-      - name: Generate coverage report
-        uses: actions-rs/cargo@v1
-        with:
-          command: tarpaulin
-          # Extend the timeout to 3600 to ensure the code coverage test pass
-          args: >
-            ${{ steps.prepare.outputs.feature-flags }}
-            --timeout 3600
-            --out Xml
-      - name: Upload coverage to Codecov
-        uses: codecov/[email protected]
+#   codecov:
+#     name: Code coverage
+#     runs-on: ubuntu-latest
+#
+#     steps:
+#       - uses: actions/checkout@v3
+#       # Use stable for this to ensure that cargo-tarpaulin can be built.
+#       - id: prepare
+#         uses: ./.github/actions/prepare
+#         with:
+#           toolchain: stable
+#           nightly-features: true
+#       - name: Install cargo-tarpaulin
+#         uses: actions-rs/cargo@v1
+#         with:
+#           command: install
+#           args: cargo-tarpaulin
+#       - name: Generate coverage report
+#         uses: actions-rs/cargo@v1
+#         with:
+#           command: tarpaulin
+#           args: >
+#             ${{ steps.prepare.outputs.feature-flags }}
+#             --timeout 600
+#             --out Xml
+#       - name: Upload coverage to Codecov
+#         uses: codecov/[email protected]
 
   doc-links:
     name: Intra-doc links

halo2_gadgets/src/ecc.rs

@@ -4,7 +4,7 @@ use std::fmt::Debug;
 
 use halo2_proofs::{
     arithmetic::CurveAffine,
-    circuit::{Chip, Layouter, Value},
+    circuit::{AssignedCell, Chip, Layouter, Value},
     plonk::Error,
 };
 
@@ -60,6 +60,15 @@ pub trait EccInstructions<C: CurveAffine>:
         value: Value<C>,
     ) -> Result<Self::Point, Error>;
 
+    /// Witnesses the given constant point as a private input to the circuit.
+    /// This allows the point to be the identity, mapped to (0, 0) in
+    /// affine coordinates.
+    fn witness_point_from_constant(
+        &self,
+        layouter: &mut impl Layouter<C::Base>,
+        value: C,
+    ) -> Result<Self::Point, Error>;
+
     /// Witnesses the given point as a private input to the circuit.
     /// This returns an error if the point is the identity.
     fn witness_point_non_id(
@@ -111,6 +120,15 @@ pub trait EccInstructions<C: CurveAffine>:
         b: &B,
     ) -> Result<Self::Point, Error>;
 
+    /// Performs variable-base sign-scalar multiplication, returning `[sign] point`
+    /// `sign` must be in {-1, 1}.
+    fn mul_sign(
+        &self,
+        layouter: &mut impl Layouter<C::Base>,
+        sign: &AssignedCell<C::Base, C::Base>,
+        point: &Self::Point,
+    ) -> Result<Self::Point, Error>;
+
     /// Performs variable-base scalar multiplication, returning `[scalar] base`.
     fn mul(
         &self,
@@ -390,6 +408,17 @@ impl<C: CurveAffine, EccChip: EccInstructions<C> + Clone + Debug + Eq> Point<C,
         point.map(|inner| Point { chip, inner })
     }
 
+    /// Witnesses the given constant point as a private input to the circuit.
+    /// This allows the point to be the identity, mapped to (0, 0) in affine coordinates.
+    pub fn new_from_constant(
+        chip: EccChip,
+        mut layouter: impl Layouter<C::Base>,
+        value: C,
+    ) -> Result<Self, Error> {
+        let point = chip.witness_point_from_constant(&mut layouter, value);
+        point.map(|inner| Point { chip, inner })
+    }
+
     /// Constrains this point to be equal in value to another point.
     pub fn constrain_equal<Other: Into<Point<C, EccChip>> + Clone>(
         &self,
@@ -432,6 +461,21 @@ impl<C: CurveAffine, EccChip: EccInstructions<C> + Clone + Debug + Eq> Point<C,
                 inner,
             })
     }
+
+    /// Returns `[sign] self`.
+    /// `sign` must be in {-1, 1}.
+    pub fn mul_sign(
+        &self,
+        mut layouter: impl Layouter<C::Base>,
+        sign: &AssignedCell<C::Base, C::Base>,
+    ) -> Result<Point<C, EccChip>, Error> {
+        self.chip
+            .mul_sign(&mut layouter, sign, &self.inner)
+            .map(|point| Point {
+                chip: self.chip.clone(),
+                inner: point,
+            })
+    }
 }
 
 /// The affine short Weierstrass x-coordinate of a point on a specific elliptic curve.
@@ -579,6 +623,7 @@ impl<C: CurveAffine, EccChip: EccInstructions<C>> FixedPointShort<C, EccChip> {
 pub(crate) mod tests {
     use ff::PrimeField;
     use group::{prime::PrimeCurveAffine, Curve, Group};
+    use std::marker::PhantomData;
 
     use halo2_proofs::{
         circuit::{Layouter, SimpleFloorPlanner, Value},
@@ -597,7 +642,9 @@ pub(crate) mod tests {
     };
     use crate::{
         tests::test_utils::test_against_stored_circuit,
-        utilities::lookup_range_check::{LookupRangeCheck, PallasLookupRangeCheckConfig},
+        utilities::lookup_range_check::{
+            PallasLookupRangeCheck, PallasLookupRangeCheck45BConfig, PallasLookupRangeCheckConfig,
+        },
     };
 
     #[derive(Debug, Eq, PartialEq, Clone)]
@@ -726,17 +773,21 @@ pub(crate) mod tests {
         type Base = BaseField;
     }
 
-    struct MyCircuit {
+    struct MyCircuit<Lookup: PallasLookupRangeCheck> {
         test_errors: bool,
+        _lookup_marker: PhantomData<Lookup>,
     }
 
     #[allow(non_snake_case)]
-    impl Circuit<pallas::Base> for MyCircuit {
-        type Config = EccConfig<TestFixedBases, PallasLookupRangeCheckConfig>;
+    impl<Lookup: PallasLookupRangeCheck> Circuit<pallas::Base> for MyCircuit<Lookup> {
+        type Config = EccConfig<TestFixedBases, Lookup>;
         type FloorPlanner = SimpleFloorPlanner;
 
         fn without_witnesses(&self) -> Self {
-            MyCircuit { test_errors: false }
+            MyCircuit {
+                test_errors: false,
+                _lookup_marker: PhantomData,
+            }
         }
 
         fn configure(meta: &mut ConstraintSystem<pallas::Base>) -> Self::Config {
@@ -767,9 +818,8 @@ pub(crate) mod tests {
             let constants = meta.fixed_column();
             meta.enable_constant(constants);
 
-            let range_check =
-                PallasLookupRangeCheckConfig::configure(meta, advices[9], lookup_table);
-            EccChip::<TestFixedBases, PallasLookupRangeCheckConfig>::configure(
+            let range_check = Lookup::configure(meta, advices[9], lookup_table);
+            EccChip::<TestFixedBases, Lookup>::configure(
                 meta,
                 advices,
                 lagrange_coeffs,
@@ -874,6 +924,14 @@ pub(crate) mod tests {
                 )?;
             }
 
+            // Test variable-base sign-scalar multiplication
+            {
+                super::chip::mul_fixed::short::tests::test_mul_sign(
+                    chip.clone(),
+                    layouter.namespace(|| "variable-base sign-scalar mul"),
+                )?;
+            }
+
             // Test full-width fixed-base scalar multiplication
             {
                 super::chip::mul_fixed::full_width::tests::test_mul_fixed(
@@ -904,15 +962,21 @@ pub(crate) mod tests {
 
     #[test]
     fn ecc_chip() {
-        let k = 13;
-        let circuit = MyCircuit { test_errors: true };
+        let k = 11;
+        let circuit: MyCircuit<PallasLookupRangeCheckConfig> = MyCircuit {
+            test_errors: true,
+            _lookup_marker: PhantomData,
+        };
         let prover = MockProver::run(k, &circuit, vec![]).unwrap();
         assert_eq!(prover.verify(), Ok(()))
     }
 
     #[test]
-    fn test_ecc_chip_against_stored_circuit() {
-        let circuit = MyCircuit { test_errors: false };
+    fn test_against_stored_ecc_chip() {
+        let circuit: MyCircuit<PallasLookupRangeCheckConfig> = MyCircuit {
+            test_errors: false,
+            _lookup_marker: PhantomData,
+        };
         test_against_stored_circuit(circuit, "ecc_chip", 3872);
     }
 
@@ -925,7 +989,50 @@ pub(crate) mod tests {
         root.fill(&WHITE).unwrap();
         let root = root.titled("Ecc Chip Layout", ("sans-serif", 60)).unwrap();
 
-        let circuit = MyCircuit { test_errors: false };
+        let circuit: MyCircuit<PallasLookupRangeCheckConfig> = MyCircuit {
+            test_errors: false,
+            _lookup_marker: PhantomData,
+        };
+        halo2_proofs::dev::CircuitLayout::default()
+            .render(13, &circuit, &root)
+            .unwrap();
+    }
+
+    #[test]
+    fn ecc_chip_4_5_b() {
+        let k = 11;
+        let circuit: MyCircuit<PallasLookupRangeCheck45BConfig> = MyCircuit {
+            test_errors: true,
+            _lookup_marker: PhantomData,
+        };
+        let prover = MockProver::run(k, &circuit, vec![]).unwrap();
+
+        assert_eq!(prover.verify(), Ok(()))
+    }
+
+    #[test]
+    fn test_against_stored_ecc_chip_4_5_b() {
+        let circuit: MyCircuit<PallasLookupRangeCheck45BConfig> = MyCircuit {
+            test_errors: false,
+            _lookup_marker: PhantomData,
+        };
+        test_against_stored_circuit(circuit, "ecc_chip_4_5_b", 3968);
+    }
+
+    #[cfg(feature = "test-dev-graph")]
+    #[test]
+    fn print_ecc_chip_4_5_b() {
+        use plotters::prelude::*;
+
+        let root =
+            BitMapBackend::new("ecc-chip-4-5-b-layout.png", (1024, 7680)).into_drawing_area();
+        root.fill(&WHITE).unwrap();
+        let root = root.titled("Ecc Chip Layout", ("sans-serif", 60)).unwrap();
+
+        let circuit: MyCircuit<PallasLookupRangeCheck45BConfig> = MyCircuit {
+            test_errors: false,
+            _lookup_marker: PhantomData,
+        };
         halo2_proofs::dev::CircuitLayout::default()
             .render(13, &circuit, &root)
             .unwrap();

halo2_gadgets/src/ecc/chip.rs

@@ -465,6 +465,21 @@ where
         )
     }
 
+    /// Witnesses the given constant point as a private input to the circuit.
+    /// This allows the point to be the identity, mapped to (0, 0) in
+    /// affine coordinates.
+    fn witness_point_from_constant(
+        &self,
+        layouter: &mut impl Layouter<pallas::Base>,
+        value: pallas::Affine,
+    ) -> Result<Self::Point, Error> {
+        let config = self.config().witness_point;
+        layouter.assign_region(
+            || "witness point (constant)",
+            |mut region| config.constant_point(value, 0, &mut region),
+        )
+    }
+
     fn witness_point_non_id(
         &self,
         layouter: &mut impl Layouter<pallas::Base>,
@@ -544,6 +559,24 @@ where
         )
     }
 
+    /// Performs variable-base sign-scalar multiplication, returning `[sign] point`
+    /// `sign` must be in {-1, 1}.
+    fn mul_sign(
+        &self,
+        layouter: &mut impl Layouter<pallas::Base>,
+        sign: &AssignedCell<pallas::Base, pallas::Base>,
+        point: &Self::Point,
+    ) -> Result<Self::Point, Error> {
+        // Multiply point by sign, using the same gate as mul_fixed::short.
+        // This also constrains sign to be in {-1, 1}.
+        let config_short = self.config().mul_fixed_short.clone();
+        config_short.assign_scalar_sign(
+            layouter.namespace(|| "variable-base sign-scalar mul"),
+            sign,
+            point,
+        )
+    }
+
     fn mul(
         &self,
         layouter: &mut impl Layouter<pallas::Base>,

halo2_gadgets/src/ecc/chip/mul_fixed/base_field_elem.rs

@@ -391,14 +391,13 @@ pub mod tests {
     use pasta_curves::pallas;
     use rand::rngs::OsRng;
 
-    use crate::utilities::lookup_range_check::PallasLookupRangeCheck;
     use crate::{
         ecc::{
             chip::{EccChip, FixedPoint, H},
             tests::{BaseField, TestFixedBases},
             FixedPointBaseField, NonIdentityPoint, Point,
         },
-        utilities::UtilitiesInstructions,
+        utilities::{lookup_range_check::PallasLookupRangeCheck, UtilitiesInstructions},
     };
 
     pub(crate) fn test_mul_fixed_base_field<Lookup: PallasLookupRangeCheck>(