Halo2 ecc snark verifier 0220 -- Sync from main

Cargo.toml

@@ -25,6 +25,8 @@ poseidon = { git = "https://github.com/scroll-tech/poseidon.git", branch = "halo
 halo2curves = { git = "https://github.com/scroll-tech/halo2curves.git", branch = "halo2-ecc-snark-verifier-0220" }
 
 [features]
+# Use an implementation using fewer rows (8) per permutation.
+short = []
 # printout the layout of circuits for demo and some unittests
 # print_layout = ["halo2_proofs/dev-graph"]
 

src/hash.rs

@@ -7,6 +7,33 @@ use halo2_proofs::circuit::AssignedCell;
 use halo2_proofs::ff::{FromUniformBytes, PrimeField};
 use halo2_proofs::halo2curves::bn256::Fr;
 
+mod chip_long {
+    use super::{SpongeChip, SpongeConfig};
+    use crate::poseidon::Pow5Chip;
+    /// The configuration of the Poseidon hash chip.
+    pub type PoseidonHashConfig<F> = SpongeConfig<F, Pow5Chip<F, 3, 2>>;
+    /// The Poseidon hash chip.
+    pub type PoseidonHashChip<'d, F, const STEP: usize> =
+        SpongeChip<'d, F, STEP, Pow5Chip<F, 3, 2>>;
+}
+
+mod chip_short {
+    use super::{SpongeChip, SpongeConfig};
+    use crate::poseidon::SeptidonChip;
+    /// The configuration of the Poseidon hash chip.
+    pub type PoseidonHashConfig<F> = SpongeConfig<F, SeptidonChip>;
+    /// The Poseidon hash chip.
+    pub type PoseidonHashChip<'d, F, const STEP: usize> = SpongeChip<'d, F, STEP, SeptidonChip>;
+}
+
+// By default, use a chip with double rounds over 38 rows.
+#[cfg(not(feature = "short"))]
+pub use chip_long::*;
+
+// If feature `short` is enabled, use the chip with septuple rounds on 8 rows.
+#[cfg(feature = "short")]
+pub use chip_short::*;
+
 /// indicate an field can be hashed in merkle tree (2 Fields to 1 Field)
 pub trait Hashable: FromUniformBytes<64> + Ord {
     /// the spec type used in circuit for this hashable field
@@ -60,25 +87,24 @@ impl MessageHashable for Fr {
 use crate::poseidon::{PermuteChip, PoseidonInstructions};
 use halo2_proofs::{
     circuit::{Chip, Layouter, Region, Value},
-    plonk::{Advice, Column, ConstraintSystem, Error, Expression, Fixed, Selector, TableColumn},
+    plonk::{Advice, Column, ConstraintSystem, Error, Expression, Selector, TableColumn},
     poly::Rotation,
 };
 
 /// The config for poseidon hash circuit
 #[derive(Clone, Debug)]
-pub struct PoseidonHashConfig<Fp: PrimeField, PC: PermuteChip<Fp>> {
+pub struct SpongeConfig<Fp: PrimeField, PC: PermuteChip<Fp>> {
     permute_config: PC::Config,
     hash_table: [Column<Advice>; 5],
     hash_table_aux: [Column<Advice>; 6],
     control_aux: Column<Advice>,
     s_sponge_continue: Column<Advice>,
-    constants: [Column<Fixed>; 1],
     control_step_range: TableColumn,
     s_table: Selector,
     s_custom: Selector,
 }
 
-impl<Fp: Hashable, PC: PermuteChip<Fp>> PoseidonHashConfig<Fp, PC> {
+impl<Fp: Hashable, PC: PermuteChip<Fp>> SpongeConfig<Fp, PC> {
     /// obtain the commitment index of hash table
     pub fn commitment_index(&self) -> [usize; 5] {
         self.hash_table.map(|col| col.index())
@@ -95,8 +121,6 @@ impl<Fp: Hashable, PC: PermuteChip<Fp>> PoseidonHashConfig<Fp, PC> {
         hash_table: [Column<Advice>; 5],
         step: usize,
     ) -> Self {
-        // TODO: remove this "constants".
-        let constants = [0; 1].map(|_| meta.fixed_column());
         let s_table = meta.selector();
         let s_custom = meta.selector();
 
@@ -238,7 +262,6 @@ impl<Fp: Hashable, PC: PermuteChip<Fp>> PoseidonHashConfig<Fp, PC> {
             hash_table,
             hash_table_aux,
             control_aux,
-            constants,
             control_step_range,
             s_table,
             s_custom,
@@ -324,12 +347,12 @@ impl<Fp: Hashable> PoseidonHashTable<Fp> {
 
 /// Represent the chip for Poseidon hash table
 #[derive(Debug)]
-pub struct PoseidonHashChip<'d, Fp: PrimeField, const STEP: usize, PC: PermuteChip<Fp>> {
+pub struct SpongeChip<'d, Fp: PrimeField, const STEP: usize, PC: PermuteChip<Fp>> {
     calcs: usize,
     nil_msg_hash: Option<Fp>,
     mpt_only: bool,
     data: &'d PoseidonHashTable<Fp>,
-    config: PoseidonHashConfig<Fp, PC>,
+    config: SpongeConfig<Fp, PC>,
 }
 
 type PermutedState<Word> = Vec<[Word; 3]>;
@@ -339,11 +362,11 @@ impl<
         Fp: Hashable,
         const STEP: usize,
         PC: PermuteChip<Fp> + PoseidonInstructions<Fp, Fp::SpecType, 3, 2>,
-    > PoseidonHashChip<'d, Fp, STEP, PC>
+    > SpongeChip<'d, Fp, STEP, PC>
 {
     ///construct the chip
     pub fn construct(
-        config: PoseidonHashConfig<Fp, PC>,
+        config: SpongeConfig<Fp, PC>,
         data: &'d PoseidonHashTable<Fp>,
         calcs: usize,
         mpt_only: bool,
@@ -635,9 +658,9 @@ impl<
 }
 
 impl<Fp: PrimeField, const STEP: usize, PC: PermuteChip<Fp>> Chip<Fp>
-    for PoseidonHashChip<'_, Fp, STEP, PC>
+    for SpongeChip<'_, Fp, STEP, PC>
 {
-    type Config = PoseidonHashConfig<Fp, PC>;
+    type Config = SpongeConfig<Fp, PC>;
     type Loaded = PoseidonHashTable<Fp>;
 
     fn config(&self) -> &Self::Config {
@@ -652,8 +675,7 @@ impl<Fp: PrimeField, const STEP: usize, PC: PermuteChip<Fp>> Chip<Fp>
 mod tests {
     use std::marker::PhantomData;
 
-    use crate::poseidon::Pow5Chip;
-    use crate::septidon::SeptidonChip;
+    use crate::poseidon::{Pow5Chip, SeptidonChip};
 
     use super::*;
     use halo2_proofs::ff::Field;
@@ -726,7 +748,7 @@ mod tests {
     impl<PC: PermuteChip<Fr> + PoseidonInstructions<Fr, <Fr as Hashable>::SpecType, 3, 2>>
         Circuit<Fr> for TestCircuit<PC>
     {
-        type Config = (PoseidonHashConfig<Fr, PC>, usize);
+        type Config = (SpongeConfig<Fr, PC>, usize);
         type FloorPlanner = SimpleFloorPlanner;
 
         fn without_witnesses(&self) -> Self {
@@ -735,18 +757,15 @@ mod tests {
 
         fn configure(meta: &mut ConstraintSystem<Fr>) -> Self::Config {
             let hash_tbl = [0; 5].map(|_| meta.advice_column());
-            (
-                PoseidonHashConfig::configure_sub(meta, hash_tbl, TEST_STEP),
-                4,
-            )
+            (SpongeConfig::configure_sub(meta, hash_tbl, TEST_STEP), 4)
         }
 
         fn synthesize(
             &self,
             (config, max_rows): Self::Config,
             mut layouter: impl Layouter<Fr>,
         ) -> Result<(), Error> {
-            let chip = PoseidonHashChip::<Fr, TEST_STEP, PC>::construct(
+            let chip = SpongeChip::<Fr, TEST_STEP, PC>::construct(
                 config,
                 &self.table,
                 max_rows,

src/lib.rs

@@ -8,7 +8,6 @@
 
 pub mod hash;
 pub mod poseidon;
-pub mod septidon;
 
 pub use halo2_proofs::halo2curves::bn256::Fr as Bn256Fr;
 pub use hash::Hashable;

src/poseidon.rs

@@ -13,6 +13,9 @@ use halo2_proofs::{
 mod pow5;
 pub use pow5::{Pow5Chip, Pow5Config, StateWord, Var};
 
+mod septidon;
+pub use septidon::SeptidonChip;
+
 pub mod primitives;
 use primitives::{Absorbing, ConstantLength, Domain, Spec, SpongeMode, Squeezing, State};
 use std::fmt::Debug as DebugT;

src/poseidon/primitives.rs

@@ -25,10 +25,10 @@ pub(crate) mod pasta;
 //pub(crate) mod test_vectors;
 
 mod p128pow5t3;
-pub(crate) mod p128pow5t3_compact;
+mod p128pow5t3_compact;
 
 pub use p128pow5t3::P128Pow5T3;
-pub use p128pow5t3_compact::P128Pow5T3CompactSpec as P128Pow5T3Compact;
+pub use p128pow5t3_compact::P128Pow5T3Compact;
 
 use grain::SboxType;
 

src/poseidon/primitives/bn256/mod.rs

@@ -27,9 +27,7 @@ mod tests {
 
     use halo2_proofs::ff::{Field, FromUniformBytes};
 
-    use crate::poseidon::primitives::p128pow5t3::P128Pow5T3;
-    use crate::poseidon::primitives::p128pow5t3_compact::P128Pow5T3CompactSpec;
-    use crate::poseidon::primitives::{permute, Spec};
+    use crate::poseidon::primitives::{permute, P128Pow5T3, P128Pow5T3Compact, Spec};
 
     use super::*;
 
@@ -154,8 +152,8 @@ mod tests {
         let output_compact = {
             let mut state = input.clone();
 
-            let (rc, mds, _inv) = P128Pow5T3CompactSpec::<Fp>::constants();
-            permute::<Fp, P128Pow5T3CompactSpec<Fp>, 3, 2>(&mut state, &mds, &rc[..]);
+            let (rc, mds, _inv) = P128Pow5T3Compact::<Fp>::constants();
+            permute::<Fp, P128Pow5T3Compact<Fp>, 3, 2>(&mut state, &mds, &rc[..]);
 
             // This is the compact form with 1 constant per partial round.
             for i in 4..4 + 57 {

src/poseidon/primitives/p128pow5t3_compact.rs

@@ -1,19 +1,19 @@
 use halo2_proofs::ff::{FromUniformBytes, PrimeField};
 use std::marker::PhantomData;
 
-pub use super::p128pow5t3::P128Pow5T3Constants;
+use super::p128pow5t3::P128Pow5T3Constants;
 use super::{Mds, Spec};
 
 /// Poseidon-128 using the $x^5$ S-box, with a width of 3 field elements, and the
 /// standard number of rounds for 128-bit security "with margin".
 ///
 #[derive(Debug)]
-pub struct P128Pow5T3CompactSpec<Fp> {
+pub struct P128Pow5T3Compact<Fp> {
     _marker: PhantomData<Fp>,
 }
 
 impl<Fp: P128Pow5T3Constants + FromUniformBytes<64> + Ord> Spec<Fp, 3, 2>
-    for P128Pow5T3CompactSpec<Fp>
+    for P128Pow5T3Compact<Fp>
 {
     fn full_rounds() -> usize {
         8

src/septidon/control.rs → src/poseidon/septidon/control.rs

@@ -1,5 +1,5 @@
+use super::params::GATE_DEGREE_5;
 use super::util::query;
-use crate::septidon::params::GATE_DEGREE_5;
 use halo2_proofs::circuit::{Region, Value};
 use halo2_proofs::halo2curves::bn256::Fr as F;
 use halo2_proofs::plonk::{Column, ConstraintSystem, Error, Expression, Fixed, VirtualCells};

src/septidon/full_round.rs → src/poseidon/septidon/full_round.rs

@@ -1,9 +1,7 @@
 use super::loop_chip::LoopBody;
 use super::params::mds;
 use super::state::{Cell, FullState, SBox};
-use super::util::matmul;
-use super::util::query;
-use crate::septidon::util::{join_values, split_values};
+use super::util::{join_values, matmul, query, split_values};
 use halo2_proofs::circuit::{Region, Value};
 use halo2_proofs::halo2curves::bn256::Fr as F;
 use halo2_proofs::plonk::{ConstraintSystem, Error, Expression, VirtualCells};

src/septidon/instruction.rs → src/poseidon/septidon/instruction.rs

@@ -1,8 +1,8 @@
-use super::{params::F, util::map_array, SeptidonChip};
-use crate::poseidon::{
+use super::super::{
     primitives::{Spec, State},
     PermuteChip, PoseidonInstructions, StateWord, Var,
 };
+use super::{params::F, util::map_array, SeptidonChip};
 use halo2_proofs::{
     circuit::{Chip, Layouter},
     plonk::{ConstraintSystem, Error},

src/septidon/params.rs → src/poseidon/septidon/params.rs

@@ -1,6 +1,4 @@
-use crate::poseidon::primitives::p128pow5t3_compact::{P128Pow5T3CompactSpec, P128Pow5T3Constants};
-use crate::poseidon::primitives::Mds as MdsT;
-use crate::poseidon::primitives::Spec;
+use super::super::primitives::{Mds as MdsT, P128Pow5T3Compact, Spec};
 use lazy_static::lazy_static;
 
 /// This implementation can be limited to gate degree 5. However, this mode will not work with
@@ -30,20 +28,14 @@ pub mod sbox {
 pub type Mds = MdsT<F, 3>;
 
 lazy_static! {
-    static ref MDS: Mds = F::mds();
+    // Cache the round constants and the MDS matrix (and unused inverse MDS matrix).
+    static ref CONSTANTS: (Vec<[F; 3]>, Mds, Mds) = P128Pow5T3Compact::<F>::constants();
 }
 
-pub fn mds() -> &'static Mds {
-    &MDS
-}
-
-lazy_static! {
-    static ref ROUND_CONSTANTS: Vec<[F; 3]> = {
-        let (rc, _, _) = P128Pow5T3CompactSpec::<F>::constants();
-        rc
-    };
+pub fn round_constant(index: usize) -> [F; 3] {
+    CONSTANTS.0[index]
 }
 
-pub fn round_constant(index: usize) -> [F; 3] {
-    ROUND_CONSTANTS[index]
+pub fn mds() -> &'static Mds {
+    &CONSTANTS.1
 }

src/septidon/septidon_chip.rs → src/poseidon/septidon/septidon_chip.rs

@@ -5,18 +5,18 @@ use halo2_proofs::plonk::{ConstraintSystem, Error};
 use super::control::ControlChip;
 use super::full_round::FullRoundChip;
 use super::loop_chip::LoopChip;
+use super::params::round_constant;
 use super::septuple_round::SeptupleRoundChip;
 use super::state::Cell;
 use super::transition_round::TransitionRoundChip;
 use super::util::map_array;
-use crate::septidon::params::round_constant;
 
 /// The configuration of the permutation chip.
 ///
 /// ```
 /// use halo2_proofs::halo2curves::bn256::Fr as F;
 /// use halo2_proofs::plonk::ConstraintSystem;
-/// use poseidon_circuit::septidon::SeptidonChip;
+/// use poseidon_circuit::poseidon::SeptidonChip;
 ///
 /// let mut cs = ConstraintSystem::<F>::default();
 /// let config = SeptidonChip::configure(&mut cs);

src/septidon/septuple_round.rs → src/poseidon/septidon/septuple_round.rs

@@ -1,8 +1,7 @@
 use super::loop_chip::LoopBody;
+use super::params::mds;
 use super::state::{Cell, SBox};
-use super::util::query;
-use crate::septidon::params::mds;
-use crate::septidon::util::{join_values, matmul, split_values};
+use super::util::{join_values, matmul, query, split_values};
 use halo2_proofs::circuit::{Region, Value};
 use halo2_proofs::halo2curves::bn256::Fr as F;
 use halo2_proofs::plonk::{ConstraintSystem, Constraints, Error, Expression, VirtualCells};

src/septidon/state.rs → src/poseidon/septidon/state.rs

@@ -1,4 +1,4 @@
-use crate::septidon::params;
+use super::params;
 use halo2_proofs::circuit::{Region, Value};
 use halo2_proofs::halo2curves::bn256::Fr as F;
 use halo2_proofs::plonk::{

src/septidon/tests.rs → src/poseidon/septidon/tests.rs

@@ -3,8 +3,7 @@ use halo2_proofs::dev::MockProver;
 use halo2_proofs::halo2curves::bn256::Fr as F;
 use halo2_proofs::plonk::{Circuit, ConstraintSystem, Error};
 
-use super::SeptidonChip;
-use crate::septidon::util::join_values;
+use super::{util::join_values, SeptidonChip};
 
 #[test]
 fn septidon_permutation() {

src/septidon/transition_round.rs → src/poseidon/septidon/transition_round.rs

@@ -1,7 +1,7 @@
+use super::params;
+use super::params::{mds, round_constant};
 use super::state::Cell;
-use crate::septidon::params;
-use crate::septidon::params::{mds, round_constant};
-use crate::septidon::util::{join_values, matmul, split_values};
+use super::util::{join_values, matmul, split_values};
 use halo2_proofs::circuit::{Region, Value};
 use halo2_proofs::halo2curves::bn256::Fr as F;
 use halo2_proofs::plonk::{Advice, Column, ConstraintSystem, Constraints, Error, Expression};

tests/hash_proving.rs

@@ -27,7 +27,7 @@ struct TestCircuit(PoseidonHashTable<Fp>, usize);
 
 // test circuit derived from table data
 impl Circuit<Fp> for TestCircuit {
-    type Config = PoseidonHashConfig<Fp, Pow5Chip<Fp, 3, 2>>;
+    type Config = SpongeConfig<Fp, Pow5Chip<Fp, 3, 2>>;
     type FloorPlanner = SimpleFloorPlanner;
 
     fn without_witnesses(&self) -> Self {
@@ -36,15 +36,15 @@ impl Circuit<Fp> for TestCircuit {
 
     fn configure(meta: &mut ConstraintSystem<Fp>) -> Self::Config {
         let hash_tbl = [0; 5].map(|_| meta.advice_column());
-        PoseidonHashConfig::configure_sub(meta, hash_tbl, DEFAULT_STEP)
+        SpongeConfig::configure_sub(meta, hash_tbl, DEFAULT_STEP)
     }
 
     fn synthesize(
         &self,
         config: Self::Config,
         mut layouter: impl Layouter<Fp>,
     ) -> Result<(), Error> {
-        let chip = PoseidonHashChip::<Fp, DEFAULT_STEP, Pow5Chip<Fp, 3, 2>>::construct(
+        let chip = SpongeChip::<Fp, DEFAULT_STEP, Pow5Chip<Fp, 3, 2>>::construct(
             config,
             &self.0,
             self.1,