Make missed fixes for the previous commit and provide a draft general…

…ization to generate both vanilla and zsa circuit

Cargo.toml

@@ -2,6 +2,5 @@
 members = [
     "halo2",
     "halo2_gadgets",
-    "halo2_gadgets_zsa",
     "halo2_proofs",
 ]

halo2_gadgets/src/sinsemilla.rs

@@ -515,8 +515,12 @@ where
         Error,
     > {
         assert_eq!(self.M.sinsemilla_chip, message.chip);
+
+        // FIXME: it's not a breaking change because `blinding_factor` simply wraps `R.mul`
+        // and `hash` simply wraps `M.hash_to_point` - are those wrapper really needed?
         let blind = self.blinding_factor(layouter.namespace(|| "[r] R"), r)?;
         let (p, zs) = self.hash(layouter.namespace(|| "M"), message)?;
+
         let commitment = p.add(layouter.namespace(|| "M + [r] R"), &blind)?;
         Ok((commitment, zs))
     }

halo2_gadgets/src/sinsemilla/chip.rs

@@ -59,6 +59,8 @@ where
     pub(super) generator_table: GeneratorTableConfig,
     /// An advice column configured to perform lookup range checks.
     lookup_config: LookupRangeCheckConfig<pallas::Base, { sinsemilla::K }>,
+    /// FIXME: add a proper comment
+    is_zsa_variant: bool,
     _marker: PhantomData<(Hash, Commit, F)>,
 }
 
@@ -181,6 +183,8 @@ where
                 table_range_check_tag: lookup.3,
             },
             lookup_config: range_check,
+            // FIXME: consider passing is_zsa_enabled to `configure` function explicitly
+            is_zsa_variant: lookup.3.is_some(),
             _marker: PhantomData,
         };
 
@@ -204,9 +208,12 @@ where
         // https://p.z.cash/halo2-0.1:sinsemilla-constraints?partial
         meta.create_gate("Initial y_Q", |meta| {
             let q_s4 = meta.query_selector(config.q_sinsemilla4);
-            let y_q = meta.query_fixed(config.fixed_y_q);
-            // FIXME: restore zsa version:
-            //let y_q = meta.query_advice(config.double_and_add.x_p, Rotation::prev());
+
+            let y_q = if config.is_zsa_variant {
+                meta.query_advice(config.double_and_add.x_p, Rotation::prev())
+            } else {
+                meta.query_fixed(config.fixed_y_q)
+            };
 
             // Y_A = (lambda_1 + lambda_2) * (x_a - x_r)
             let Y_A_cur = Y_A(meta, Rotation::cur());

halo2_gadgets/src/sinsemilla/chip/hash_to_point.rs

@@ -41,7 +41,11 @@ where
         ),
         Error,
     > {
-        let (offset, x_a, y_a) = self.public_initialization(region, Q)?;
+        let (offset, x_a, y_a) = if self.config.is_zsa_variant {
+            self.public_initialization_zsa(region, Q)?
+        } else {
+            self.public_initialization(region, Q)?
+        };
 
         let (x_a, y_a, zs_sum) = self.hash_all_pieces(region, offset, message, x_a, y_a)?;
 
@@ -116,6 +120,19 @@ where
 
         let (x_a, y_a, zs_sum) = self.hash_all_pieces(region, offset, message, x_a, y_a)?;
 
+        // FIXME: try to avoid duplication with a very similar code block in `hash_message` method
+        // - it's basically the same code except the following lines:
+        //
+        // hash_message_with_private_init:
+        // ...
+        // .zip(Q.point())
+        // .assert_if_known(|((field_elems, (x_a, y_a)), Q)| {
+        // ...
+        //
+        // hash_message:
+        // ...
+        // .assert_if_known(|(field_elems, (x_a, y_a))| {
+        // ...
         #[cfg(test)]
         #[allow(non_snake_case)]
         // Check equivalence to result from primitives::sinsemilla::hash_to_point
@@ -165,14 +182,57 @@ where
         ))
     }
 
+    #[allow(non_snake_case)]
+    fn public_initialization(
+        &self,
+        region: &mut Region<'_, pallas::Base>,
+        Q: pallas::Affine,
+    ) -> Result<(usize, X<pallas::Base>, Y<pallas::Base>), Error> {
+        let config = self.config().clone();
+        let offset = 0;
+
+        // Get the `x`- and `y`-coordinates of the starting `Q` base.
+        let x_q = *Q.coordinates().unwrap().x();
+        let y_q = *Q.coordinates().unwrap().y();
+
+        // Constrain the initial x_a, lambda_1, lambda_2, x_p using the q_sinsemilla4
+        // selector.
+        let y_a: Y<pallas::Base> = {
+            // Enable `q_sinsemilla4` on the first row.
+            config.q_sinsemilla4.enable(region, offset)?;
+            region.assign_fixed(
+                || "fixed y_q",
+                config.fixed_y_q,
+                offset,
+                || Value::known(y_q),
+            )?;
+
+            Value::known(y_q.into()).into()
+        };
+
+        // Constrain the initial x_q to equal the x-coordinate of the domain's `Q`.
+        let x_a: X<pallas::Base> = {
+            let x_a = region.assign_advice_from_constant(
+                || "fixed x_q",
+                config.double_and_add.x_a,
+                offset,
+                x_q.into(),
+            )?;
+
+            x_a.into()
+        };
+
+        Ok((offset, x_a, y_a))
+    }
+
     #[allow(non_snake_case)]
     /// Assign the coordinates of the initial public point `Q`
     ///
     /// | offset | x_A | x_P | q_sinsemilla4 |
     /// --------------------------------------
     /// |   0    |     | y_Q |               |
     /// |   1    | x_Q |     |       1       |
-    fn public_initialization(
+    fn public_initialization_zsa(
         &self,
         region: &mut Region<'_, pallas::Base>,
         Q: pallas::Affine,

halo2_gadgets/src/utilities/lookup_range_check.rs

@@ -49,7 +49,7 @@ impl<F: PrimeFieldBits> RangeConstrained<F, AssignedCell<F, F>> {
             .map(|inner| Self {
                 inner,
                 num_bits,
-                _phantom: PhantomData::default(),
+                _phantom: PhantomData,
             })
     }
 }

halo2_proofs/src/dev/cost.rs

@@ -270,9 +270,6 @@ impl<G: PrimeGroup, ConcreteCircuit: Circuit<G::Scalar>> CircuitCost<G, Concrete
             cs.constants.clone(),
         )
         .unwrap();
-        println!("circuit: {:#?}", cs);
-        //println!("cs: {:#?}", cs);
-        //println!("layout: {:#?}", layout);
         let (cs, _) = cs.compress_selectors(layout.selectors);
 
         assert!((1 << k) >= cs.minimum_rows());