Files
dusk_plonk
commitment_scheme
kzg10
errors.rskey.rsmod.rssrs.rs
mod.rs
constraint_system
ecc
gates.rsmod.rs
arithmetic.rsboolean.rscomposer.rscs_errors.rslogic.rsmod.rsrange.rsvariable.rs
fft
domain.rsevaluations.rsfft_errors.rsmod.rspolynomial.rs
permutation
constants.rsmod.rspermutation.rs
proof_system
widget
arithmetic
mod.rsproverkey.rsverifierkey.rs
ecc
mod.rsproverkey.rsverifierkey.rs
logic
mod.rsproverkey.rsverifierkey.rs
permutation
mod.rsproverkey.rsverifierkey.rs
range
mod.rsproverkey.rsverifierkey.rs
mod.rs
linearisation_poly.rsmod.rspreprocess.rsproof.rsproof_system_errors.rsprover.rsquotient_poly.rsverifier.rs
bit_iterator.rslib.rsprelude.rstranscript.rsutil.rs
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

mod proverkey;
mod verifierkey;

pub use proverkey::ProverKey;
pub use verifierkey::VerifierKey;

// Note: The ECC gadget does not check that the initial point is on the curve for two reasons:
// - We constrain the accumulator to start from the identity point, which the verifier knows is on the curve
// - We are adding multiples of the generator to the accumulator which the verifier also knows is on the curve and is prime order
// - We do allow arbitrary Scalar multiplication, and possibly XXX: may add constraints to ensure the generator is correct (prime order)

// Bits are accumulated in base2. So we use d(Xw) - 2d(X) to extract the base2 bit

use dusk_bls12_381::Scalar;
fn extract_bit(curr_acc: &Scalar, next_acc: &Scalar) -> Scalar {
    // Next - 2 * current
    next_acc - (curr_acc + curr_acc)
}

// Ensures that the bit is either +1, -1 or 0
fn check_bit_consistency(bit: Scalar) -> Scalar {
    let one = Scalar::one();
    bit * (bit - one) * (bit + one)
}