@@ -18,17 +18,18 @@ namespace bb {
1818 * | point_transition | round | slices | skew | scalar_sum |
1919 * | ---------------- | ----- | --------------- | ------ | ------------------------------- |
2020 * | 0 | 0 | s0,s1,s2,s3 | 0 | 0 |
21- * | 0 | 1 | s4,s5,s6,s7 | 0 | \sum_{i=0}^4 16^i * s_{31 - i} |
22- * | 0 | 2 | s8,s9,s10,s11 | 0 | \sum_{i=0}^8 16^i * s_{31 - i} |
23- * | 0 | 3 | s12,s13,s14,s14 | 0 | \sum_{i=0}^12 16^i * s_{31 - i} |
24- * | 0 | 4 | s16,s17,s18,s19 | 0 | \sum_{i=0}^16 16^i * s_{31 - i} |
25- * | 0 | 5 | s20,s21,s22,s23 | 0 | \sum_{i=0}^20 16^i * s_{31 - i} |
26- * | 0 | 6 | s24,s25,s26,s27 | 0 | \sum_{i=0}^24 16^i * s_{31 - i} |
27- * | 1 | 7 | s28,s29,s30,s31 | s_skew | \sum_{i=0}^28 16^i * s_{31 - i} |
21+ * | 0 | 1 | s4,s5,s6,s7 | 0 | \sum_{i=0}^4 16^i * s_{3 - i} |
22+ * | 0 | 2 | s8,s9,s10,s11 | 0 | \sum_{i=0}^8 16^i * s_{7 - i} |
23+ * | 0 | 3 | s12,s13,s14,s14 | 0 | \sum_{i=0}^12 16^i * s_{11 - i} |
24+ * | 0 | 4 | s16,s17,s18,s19 | 0 | \sum_{i=0}^16 16^i * s_{15 - i} |
25+ * | 0 | 5 | s20,s21,s22,s23 | 0 | \sum_{i=0}^20 16^i * s_{19 - i} |
26+ * | 0 | 6 | s24,s25,s26,s27 | 0 | \sum_{i=0}^24 16^i * s_{23 - i} |
27+ * | 1 | 7 | s28,s29,s30,s31 | s_skew | \sum_{i=0}^28 16^i * s_{27 - i} |
2828 *
29- * The value of the input scalar is equal to the following:
29+ * The value of the input scalar is equal to the following: RAJU: check this, seems obviously right but need to make
30+ * sure set_relation is compatible etc.
3031 *
31- * scalar = 2^16 * scalar_sum + 2^12 * s31 + 2^8 * s30 + 2^4 * s29 + s28 - s_skew
32+ * scalar = 2^16 * scalar_sum + 2^12 * s28 + 2^8 * s29 + 2^4 * s30 + s31 - s_skew
3233 * We use a set equality check in `ecc_set_relation.hpp` to validate the above value maps to the correct input
3334 * scalar for a given value of `pc`.
3435 *
@@ -49,7 +50,7 @@ void ECCVMWnafRelationImpl<FF>::accumulate(ContainerOverSubrelations& accumulato
4950 using View = typename Accumulator::View;
5051
5152 auto scalar_sum = View (in.precompute_scalar_sum );
52- auto scalar_sum_new = View (in.precompute_scalar_sum_shift );
53+ auto scalar_sum_shift = View (in.precompute_scalar_sum_shift );
5354 auto q_transition = View (in.precompute_point_transition );
5455 auto round = View (in.precompute_round );
5556 auto round_shift = View (in.precompute_round_shift );
@@ -71,6 +72,9 @@ void ECCVMWnafRelationImpl<FF>::accumulate(ContainerOverSubrelations& accumulato
7172 acc += ((s - 1 ).sqr () - 1 ) * ((s - 2 ).sqr () - 1 ) * scaling_factor;
7273 };
7374
75+ // given two 2-bit numbers `s0, `s1`, convert to a wNAF digit (in {-15, -13, ..., 13, 15}) via the formula:
76+ // `2(4s0 + s1) - 15`. (Here, `4s0 + s1` represents the 4-bit number corresponding to the concatenation of `s0` and
77+ // `s1`.)
7478 const auto convert_to_wnaf = [](const View& s0, const View& s1) {
7579 auto t = s0 + s0;
7680 t += t;
@@ -80,7 +84,9 @@ void ECCVMWnafRelationImpl<FF>::accumulate(ContainerOverSubrelations& accumulato
8084 };
8185
8286 const auto scaled_transition = q_transition * scaling_factor;
83- const auto scaled_transition_is_zero = -scaled_transition + scaling_factor;
87+ const auto scaled_transition_is_zero =
88+ -scaled_transition + scaling_factor; // `scaling_factor * (1 - q_transition)`, i.e., is the scaling_factor if we
89+ // are _not_ at a transition, else 0.
8490 /* *
8591 * @brief Constrain each of our scalar slice chunks (s1, ..., s8) to be 2 bits.
8692 * Doing range checks this way vs permutation-based range check removes need to create sorted list + grand product
@@ -127,7 +133,9 @@ void ECCVMWnafRelationImpl<FF>::accumulate(ContainerOverSubrelations& accumulato
127133 * i.e. when q_transition = 0
128134 * TODO(@zac-williamson) Optimize WNAF use (#2224)
129135 */
130- auto row_slice = w0;
136+ auto row_slice = w0; // row_slice will eventually contain the truncated scalar corresponding to the current row,
137+ // which is 2^12 * w_0 + 2^8 * w_1 + 2^4 * w_2 + w_3. (If one just looks at the wNAF digits in
138+ // this row, this is the resulting odd number. Note that it is not necessarily positive.)
131139 row_slice += row_slice;
132140 row_slice += row_slice;
133141 row_slice += row_slice;
@@ -144,7 +152,7 @@ void ECCVMWnafRelationImpl<FF>::accumulate(ContainerOverSubrelations& accumulato
144152 row_slice += row_slice;
145153 row_slice += w3;
146154 auto sum_delta = scalar_sum * FF (1ULL << 16 ) + row_slice;
147- const auto check_sum = scalar_sum_new - sum_delta;
155+ const auto check_sum = scalar_sum_shift - sum_delta;
148156 std::get<8 >(accumulator) += precompute_select * check_sum * scaled_transition_is_zero;
149157
150158 /* *
@@ -159,7 +167,7 @@ void ECCVMWnafRelationImpl<FF>::accumulate(ContainerOverSubrelations& accumulato
159167 * Let us analyze...
160168 * 1. When `q_transition = 1`, we use a set membership check to map the tuple of (pc, scalar_sum) into a set.
161169 * We compare this set with an equivalent set generated from the transcript columns. The sets must match.
162- * 2. Only case where, at row `i`, a Prover can set `round` to value > 7 is if `q_transition = 0` for all j > i.
170+ * 2. The only case where, at row `i`, a Prover can set `round` to value > 7 is if `q_transition = 0` for all j > i.
163171 * `precompute_pc` decrements by 1 when `q_transition` = 1
164172 * We can infer from 1, 2, that if `round > 7`, the resulting wnafs will map into a set at a value of `pc` that is
165173 * greater than all valid msm pc values (assuming the set equivalence check on the scalar sums is satisfied).
@@ -173,17 +181,19 @@ void ECCVMWnafRelationImpl<FF>::accumulate(ContainerOverSubrelations& accumulato
173181 // => q_transition * (round - 7 - round_shift + round + 1) + (round_shift - round - 1)
174182 // => q_transition * (2 * round - round_shift - 6) + (round_shift - round - 1)
175183 const auto round_check = round_shift - round - 1 ;
176- std::get<9 >(accumulator) += precompute_select * scaled_transition * ((round - round_check - 7 ) + round_check);
177- std::get<10 >(accumulator) += precompute_select * scaled_transition * round_shift;
184+ std::get<9 >(accumulator) +=
185+ precompute_select * (scaled_transition * (round - round_check - 7 ) + scaling_factor * round_check);
186+ std::get<10 >(accumulator) +=
187+ precompute_select * scaled_transition * round_shift; // at a transition, next round == 0
178188
179189 /* *
180- * @brief Scalar transition checks.
190+ * @brief Scalar transition/PC checks.
181191 * 1: if q_transition = 1, scalar_sum_new = 0
182192 * 2: if q_transition = 0, pc at next row = pc at current row
183193 * 3: if q_transition = 1, pc at next row = pc at current row - 1 (decrements by 1)
184194 * (we combine 2 and 3 into a single relation)
185195 */
186- std::get<11 >(accumulator) += precompute_select * scalar_sum_new * scaled_transition ;
196+ std::get<11 >(accumulator) += precompute_select * scaled_transition * scalar_sum_shift ;
187197 // (2, 3 combined): q_transition * (pc - pc_shift - 1) + (-q_transition + 1) * (pc_shift - pc)
188198 // => q_transition * (-2 * (pc_shift - pc) - 1) + (pc_shift - pc)
189199 const auto pc_delta = pc_shift - pc;
@@ -200,7 +210,7 @@ void ECCVMWnafRelationImpl<FF>::accumulate(ContainerOverSubrelations& accumulato
200210 * 2: in ecc_msm_relation. Final MSM round uses skew to conditionally subtract a point from the accumulator
201211 */
202212 std::get<13 >(accumulator) += precompute_select * (precompute_skew * (precompute_skew - 7 )) * scaling_factor;
203-
213+ // set round slices, pc, and round all to zero when `precompute_select == 0`.
204214 const auto precompute_select_zero = (-precompute_select + 1 ) * scaling_factor;
205215 std::get<14 >(accumulator) += precompute_select_zero * (w0 + 15 );
206216 std::get<15 >(accumulator) += precompute_select_zero * (w1 + 15 );
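Review bot: The rewritten subrelation 9 (new lines 184–185) has no comment saying what it enforces in each case, although it is the one line in this section whose constraint actually changes. The old expression `(round - round_check - 7) + round_check` reduced to `round - 7` under `scaled_transition`, so the subrelation vanished whenever `q_transition = 0`. A comment such as `// q_transition == 0: round_shift == round + 1; q_transition == 1: round == 7` would make this explicit, and a negative test rejecting a row with `q_transition = 0` and `round_shift != round + 1` would pin the fix; no such test is visible in this section. Separately, the header comment still carries the unresolved note `RAJU: check this ...` beside the scalar reconstruction formula, and the brief at new line 191 still says `scalar_sum_new` after the rename to `scalar_sum_shift`; both should be settled before that comment is relied on as the specification for the set-equality check. The body of `accumulate` continues outside the visible hunks.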