Circuit: Update value_commit_orchard to take into account asset

Cargo.toml

@@ -29,8 +29,8 @@ blake2b_simd = "1"
 ff = "0.12"
 fpe = "0.5"
 group = { version = "0.12.1", features = ["wnaf-memuse"] }
-halo2_gadgets = "0.2"
-halo2_proofs = "0.2"
+halo2_gadgets = { git = "https://github.com/QED-it/halo2", branch = "zsa1" }
+halo2_proofs = { git = "https://github.com/QED-it/halo2", branch = "zsa1" }
 hex = "0.4"
 lazy_static = "1"
 memuse = { version = "0.2.1", features = ["nonempty"] }
@@ -52,7 +52,7 @@ plotters = { version = "0.3.0", optional = true }
 
 [dev-dependencies]
 criterion = "0.3"
-halo2_gadgets = { version = "0.2", features = ["test-dependencies"] }
+halo2_gadgets = { git = "https://github.com/QED-it/halo2", branch = "zsa1" , features = ["test-dependencies"] }
 hex = "0.4"
 proptest = "1.0.0"
 zcash_note_encryption = { version = "0.2", features = ["pre-zip-212"] }

src/circuit.rs

@@ -46,7 +46,7 @@ use crate::{
 use halo2_gadgets::{
     ecc::{
         chip::{EccChip, EccConfig},
-        FixedPoint, NonIdentityPoint, Point, ScalarFixed, ScalarFixedShort, ScalarVar,
+        FixedPoint, NonIdentityPoint, Point, ScalarFixed, ScalarVar,
     },
     poseidon::{primitives as poseidon, Pow5Chip as PoseidonChip, Pow5Config as PoseidonConfig},
     sinsemilla::{
@@ -62,6 +62,7 @@ use halo2_gadgets::{
 mod commit_ivk;
 pub mod gadget;
 mod note_commit;
+mod value_commit_orchard;
 
 /// Size of the Orchard circuit.
 const K: u32 = 11;
@@ -109,7 +110,6 @@ pub struct Circuit {
     pub(crate) psi_old: Value<pallas::Base>,
     pub(crate) rcm_old: Value<NoteCommitTrapdoor>,
     pub(crate) cm_old: Value<NoteCommitment>,
-    pub(crate) asset_old: Value<AssetBase>,
     pub(crate) alpha: Value<pallas::Scalar>,
     pub(crate) ak: Value<SpendValidatingKey>,
     pub(crate) nk: Value<NullifierDerivingKey>,
@@ -119,8 +119,8 @@ pub struct Circuit {
     pub(crate) v_new: Value<NoteValue>,
     pub(crate) psi_new: Value<pallas::Base>,
     pub(crate) rcm_new: Value<NoteCommitTrapdoor>,
-    pub(crate) asset_new: Value<AssetBase>,
     pub(crate) rcv: Value<ValueCommitTrapdoor>,
+    pub(crate) asset: Value<AssetBase>,
     pub(crate) split_flag: Value<bool>,
 }
 
@@ -175,7 +175,6 @@ impl Circuit {
             psi_old: Value::known(psi_old),
             rcm_old: Value::known(rcm_old),
             cm_old: Value::known(spend.note.commitment()),
-            asset_old: Value::known(spend.note.asset()),
             alpha: Value::known(alpha),
             ak: Value::known(spend.fvk.clone().into()),
             nk: Value::known(*spend.fvk.nk()),
@@ -185,8 +184,8 @@ impl Circuit {
             v_new: Value::known(output_note.value()),
             psi_new: Value::known(psi_new),
             rcm_new: Value::known(rcm_new),
-            asset_new: Value::known(output_note.asset()),
             rcv: Value::known(rcv),
+            asset: Value::known(spend.note.asset()),
             split_flag: Value::known(spend.split_flag),
         }
     }
@@ -475,23 +474,6 @@ impl plonk::Circuit<pallas::Base> for Circuit {
             (psi_old, rho_old, cm_old, g_d_old, ak_P, nk, v_old, v_new)
         };
 
-        // Verify that asset_old and asset_new are equals
-        {
-            let asset_old = NonIdentityPoint::new(
-                ecc_chip.clone(),
-                layouter.namespace(|| "witness asset_old"),
-                self.asset_old
-                    .map(|asset_old| asset_old.cv_base().to_affine()),
-            )?;
-            let asset_new = NonIdentityPoint::new(
-                ecc_chip.clone(),
-                layouter.namespace(|| "asset equality"),
-                self.asset_new
-                    .map(|asset_new| asset_new.cv_base().to_affine()),
-            )?;
-            asset_old.constrain_equal(layouter.namespace(|| "asset equality"), &asset_new)?;
-        }
-
         // Merkle path validity check (https://p.z.cash/ZKS:action-merkle-path-validity?partial).
         let root = {
             let path = self
@@ -549,22 +531,25 @@ impl plonk::Circuit<pallas::Base> for Circuit {
                 (magnitude, sign)
             };
 
-            let v_net = ScalarFixedShort::new(
-                ecc_chip.clone(),
-                layouter.namespace(|| "v_net"),
-                v_net_magnitude_sign.clone(),
-            )?;
             let rcv = ScalarFixed::new(
                 ecc_chip.clone(),
                 layouter.namespace(|| "rcv"),
                 self.rcv.as_ref().map(|rcv| rcv.inner()),
             )?;
 
+            let asset = NonIdentityPoint::new(
+                ecc_chip.clone(),
+                layouter.namespace(|| "witness asset"),
+                self.asset.map(|asset| asset.cv_base().to_affine()),
+            )?;
+
             let cv_net = gadget::value_commit_orchard(
-                layouter.namespace(|| "cv_net = ValueCommit^Orchard_rcv(v_net)"),
+                layouter.namespace(|| "cv_net = ValueCommit^Orchard_rcv(v_net_magnitude_sign)"),
+                config.sinsemilla_chip_1(),
                 ecc_chip.clone(),
-                v_net,
+                v_net_magnitude_sign.clone(),
                 rcv,
+                asset,
             )?;
 
             // Constrain cv_net to equal public input
@@ -1033,7 +1018,6 @@ mod tests {
     use rand::{rngs::OsRng, RngCore};
 
     use super::{Circuit, Instance, Proof, ProvingKey, VerifyingKey, K};
-    use crate::keys::{IssuanceAuthorizingKey, IssuanceValidatingKey, SpendingKey};
     use crate::note::AssetBase;
     use crate::{
         keys::SpendValidatingKey,
@@ -1074,7 +1058,6 @@ mod tests {
                 psi_old: Value::known(spent_note.rseed().psi(&spent_note.rho())),
                 rcm_old: Value::known(spent_note.rseed().rcm(&spent_note.rho())),
                 cm_old: Value::known(spent_note.commitment()),
-                asset_old: Value::known(spent_note.asset()),
                 alpha: Value::known(alpha),
                 ak: Value::known(ak),
                 nk: Value::known(nk),
@@ -1084,8 +1067,8 @@ mod tests {
                 v_new: Value::known(output_note.value()),
                 psi_new: Value::known(output_note.rseed().psi(&output_note.rho())),
                 rcm_new: Value::known(output_note.rseed().rcm(&output_note.rho())),
-                asset_new: Value::known(output_note.asset()),
                 rcv: Value::known(rcv),
+                asset: Value::known(spent_note.asset()),
                 split_flag: Value::known(false),
             },
             Instance {
@@ -1128,8 +1111,8 @@ mod tests {
                     K as usize,
                     &circuits[0],
                 );
-            assert_eq!(usize::from(circuit_cost.proof_size(1)), 4992);
-            assert_eq!(usize::from(circuit_cost.proof_size(2)), 7264);
+            assert_eq!(usize::from(circuit_cost.proof_size(1)), 5024);
+            assert_eq!(usize::from(circuit_cost.proof_size(2)), 7296);
             usize::from(circuit_cost.proof_size(instances.len()))
         };
 
@@ -1156,74 +1139,6 @@ mod tests {
         assert_eq!(proof.0.len(), expected_proof_size);
     }
 
-    #[test]
-    fn test_not_equal_asset_ids() {
-        use halo2_proofs::dev::{
-            metadata::Column, metadata::Region, FailureLocation, VerifyFailure,
-        };
-        use halo2_proofs::plonk::Any::Advice;
-
-        let mut rng = OsRng;
-
-        let (mut circuit, instance) = generate_circuit_instance(&mut rng);
-
-        // We would like to test that if the asset of the spent note (called asset_old) and the
-        // asset of the output note (called asset_new) are not equal, the proof is not verified.
-        // To do that, we attribute a random value to asset_new.
-        let random_asset_id = {
-            let sk = SpendingKey::random(&mut rng);
-            let isk = IssuanceAuthorizingKey::from(&sk);
-            let ik = IssuanceValidatingKey::from(&isk);
-            let asset_descr = "zsa_asset";
-            AssetBase::derive(&ik, asset_descr)
-        };
-        circuit.asset_new = Value::known(random_asset_id);
-
-        assert_eq!(
-            MockProver::run(
-                K,
-                &circuit,
-                instance
-                    .to_halo2_instance()
-                    .iter()
-                    .map(|p| p.to_vec())
-                    .collect()
-            )
-            .unwrap()
-            .verify(),
-            Err(vec![
-                VerifyFailure::Permutation {
-                    column: Column::from((Advice, 0)),
-                    location: FailureLocation::InRegion {
-                        region: Region::from((9, "witness non-identity point".to_string())),
-                        offset: 0
-                    }
-                },
-                VerifyFailure::Permutation {
-                    column: Column::from((Advice, 0)),
-                    location: FailureLocation::InRegion {
-                        region: Region::from((10, "witness non-identity point".to_string())),
-                        offset: 0
-                    }
-                },
-                VerifyFailure::Permutation {
-                    column: Column::from((Advice, 1)),
-                    location: FailureLocation::InRegion {
-                        region: Region::from((9, "witness non-identity point".to_string())),
-                        offset: 0
-                    }
-                },
-                VerifyFailure::Permutation {
-                    column: Column::from((Advice, 1)),
-                    location: FailureLocation::InRegion {
-                        region: Region::from((10, "witness non-identity point".to_string())),
-                        offset: 0
-                    }
-                }
-            ])
-        );
-    }
-
     #[test]
     fn serialized_proof_test_case() {
         use std::io::{Read, Write};
@@ -1305,7 +1220,7 @@ mod tests {
             let test_case_bytes = include_bytes!("circuit_proof_test_case.bin");
             read_test_case(&test_case_bytes[..]).expect("proof must be valid")
         };
-        assert_eq!(proof.0.len(), 4992);
+        assert_eq!(proof.0.len(), 5024);
 
         assert!(proof.verify(&vk, &[instance]).is_ok());
     }
@@ -1331,7 +1246,6 @@ mod tests {
             psi_old: Value::unknown(),
             rcm_old: Value::unknown(),
             cm_old: Value::unknown(),
-            asset_old: Value::unknown(),
             alpha: Value::unknown(),
             ak: Value::unknown(),
             nk: Value::unknown(),
@@ -1341,8 +1255,8 @@ mod tests {
             v_new: Value::unknown(),
             psi_new: Value::unknown(),
             rcm_new: Value::unknown(),
-            asset_new: Value::unknown(),
             rcv: Value::unknown(),
+            asset: Value::unknown(),
             split_flag: Value::unknown(),
         };
         halo2_proofs::dev::CircuitLayout::default()

src/circuit/gadget.rs

@@ -4,15 +4,9 @@ use ff::Field;
 use pasta_curves::pallas;
 
 use super::{commit_ivk::CommitIvkChip, note_commit::NoteCommitChip};
-use crate::constants::{
-    NullifierK, OrchardCommitDomains, OrchardFixedBases, OrchardFixedBasesFull, OrchardHashDomains,
-    ValueCommitV,
-};
+use crate::constants::{NullifierK, OrchardCommitDomains, OrchardFixedBases, OrchardHashDomains};
 use halo2_gadgets::{
-    ecc::{
-        chip::EccChip, EccInstructions, FixedPoint, FixedPointBaseField, FixedPointShort, Point,
-        ScalarFixed, ScalarFixedShort, X,
-    },
+    ecc::{chip::EccChip, EccInstructions, FixedPointBaseField, Point, X},
     poseidon::{
         primitives::{self as poseidon, ConstantLength},
         Hash as PoseidonHash, PoseidonSpongeInstructions, Pow5Chip as PoseidonChip,
@@ -107,41 +101,6 @@ where
     )
 }
 
-/// `ValueCommit^Orchard` from [Section 5.4.8.3 Homomorphic Pedersen commitments (Sapling and Orchard)].
-///
-/// [Section 5.4.8.3 Homomorphic Pedersen commitments (Sapling and Orchard)]: https://zips.z.cash/protocol/protocol.pdf#concretehomomorphiccommit
-pub(in crate::circuit) fn value_commit_orchard<
-    EccChip: EccInstructions<
-        pallas::Affine,
-        FixedPoints = OrchardFixedBases,
-        Var = AssignedCell<pallas::Base, pallas::Base>,
-    >,
->(
-    mut layouter: impl Layouter<pallas::Base>,
-    ecc_chip: EccChip,
-    v: ScalarFixedShort<pallas::Affine, EccChip>,
-    rcv: ScalarFixed<pallas::Affine, EccChip>,
-) -> Result<Point<pallas::Affine, EccChip>, plonk::Error> {
-    // commitment = [v] ValueCommitV
-    let (commitment, _) = {
-        let value_commit_v = ValueCommitV;
-        let value_commit_v = FixedPointShort::from_inner(ecc_chip.clone(), value_commit_v);
-        value_commit_v.mul(layouter.namespace(|| "[v] ValueCommitV"), v)?
-    };
-
-    // blind = [rcv] ValueCommitR
-    let (blind, _rcv) = {
-        let value_commit_r = OrchardFixedBasesFull::ValueCommitR;
-        let value_commit_r = FixedPoint::from_inner(ecc_chip, value_commit_r);
-
-        // [rcv] ValueCommitR
-        value_commit_r.mul(layouter.namespace(|| "[rcv] ValueCommitR"), rcv)?
-    };
-
-    // [v] ValueCommitV + [rcv] ValueCommitR
-    commitment.add(layouter.namespace(|| "cv"), &blind)
-}
-
 /// `DeriveNullifier` from [Section 4.16: Note Commitments and Nullifiers].
 ///
 /// [Section 4.16: Note Commitments and Nullifiers]: https://zips.z.cash/protocol/protocol.pdf#commitmentsandnullifiers
@@ -202,3 +161,4 @@ pub(in crate::circuit) fn derive_nullifier<
 
 pub(in crate::circuit) use crate::circuit::commit_ivk::gadgets::commit_ivk;
 pub(in crate::circuit) use crate::circuit::note_commit::gadgets::note_commit;
+pub(in crate::circuit) use crate::circuit::value_commit_orchard::gadgets::value_commit_orchard;