From 4ad3988e432d25fbfc44998f9dad1b17f23383f2 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Tue, 24 Sep 2019 10:54:15 +0100 Subject: [PATCH] Crate docs --- bellman/src/domain.rs | 21 +-- bellman/src/gadgets.rs | 2 + bellman/src/gadgets/blake2s.rs | 4 + bellman/src/gadgets/boolean.rs | 2 + bellman/src/gadgets/lookup.rs | 2 + bellman/src/gadgets/multipack.rs | 2 + bellman/src/gadgets/num.rs | 2 + bellman/src/gadgets/sha256.rs | 5 + bellman/src/gadgets/test/mod.rs | 2 + bellman/src/gadgets/uint32.rs | 3 + bellman/src/groth16/mod.rs | 4 + bellman/src/lib.rs | 134 ++++++++++++++++++ bellman/src/multicore.rs | 11 +- ff/src/lib.rs | 2 + pairing/src/bls12_381/mod.rs | 3 + pairing/src/lib.rs | 2 + zcash_client_backend/src/constants/mainnet.rs | 2 + zcash_client_backend/src/constants/testnet.rs | 2 + zcash_primitives/src/block.rs | 2 + zcash_primitives/src/block/equihash.rs | 4 + zcash_primitives/src/constants.rs | 2 + zcash_primitives/src/group_hash.rs | 4 + zcash_primitives/src/jubjub/mod.rs | 6 + zcash_primitives/src/keys.rs | 4 +- zcash_primitives/src/lib.rs | 5 + zcash_primitives/src/pedersen_hash.rs | 2 + zcash_primitives/src/primitives.rs | 2 + zcash_primitives/src/redjubjub.rs | 6 +- .../src/transaction/components.rs | 2 + zcash_primitives/src/transaction/mod.rs | 2 + zcash_primitives/src/zip32.rs | 4 + zcash_proofs/src/circuit.rs | 2 + zcash_proofs/src/circuit/ecc.rs | 2 + zcash_proofs/src/circuit/pedersen_hash.rs | 2 + zcash_proofs/src/circuit/sapling.rs | 2 + zcash_proofs/src/circuit/sprout/mod.rs | 12 ++ zcash_proofs/src/lib.rs | 5 + zcash_proofs/src/sapling/mod.rs | 2 + 38 files changed, 259 insertions(+), 18 deletions(-) diff --git a/bellman/src/domain.rs b/bellman/src/domain.rs index c636855..ddba4f4 100644 --- a/bellman/src/domain.rs +++ b/bellman/src/domain.rs @@ -1,14 +1,15 @@ -//! This module contains an `EvaluationDomain` abstraction for -//! performing various kinds of polynomial arithmetic on top of -//! the scalar field. +//! This module contains an [`EvaluationDomain`] abstraction for performing +//! various kinds of polynomial arithmetic on top of the scalar field. //! -//! In pairing-based SNARKs like Groth16, we need to calculate -//! a quotient polynomial over a target polynomial with roots -//! at distinct points associated with each constraint of the -//! constraint system. In order to be efficient, we choose these -//! roots to be the powers of a 2^n root of unity in the field. -//! This allows us to perform polynomial operations in O(n) -//! by performing an O(n log n) FFT over such a domain. +//! In pairing-based SNARKs like [Groth16], we need to calculate a quotient +//! polynomial over a target polynomial with roots at distinct points associated +//! with each constraint of the constraint system. In order to be efficient, we +//! choose these roots to be the powers of a 2n root of unity in the +//! field. This allows us to perform polynomial operations in O(n) by performing +//! an O(n log n) FFT over such a domain. +//! +//! [`EvaluationDomain`]: crate::domain::EvaluationDomain +//! [Groth16]: https://eprint.iacr.org/2016/260 use ff::{Field, PrimeField, ScalarEngine}; use group::CurveProjective; diff --git a/bellman/src/gadgets.rs b/bellman/src/gadgets.rs index cf366df..b0ce734 100644 --- a/bellman/src/gadgets.rs +++ b/bellman/src/gadgets.rs @@ -1,3 +1,5 @@ +//! Self-contained sub-circuit implementations for various primitives. + pub mod test; pub mod blake2s; diff --git a/bellman/src/gadgets/blake2s.rs b/bellman/src/gadgets/blake2s.rs index 96e554b..e98fd55 100644 --- a/bellman/src/gadgets/blake2s.rs +++ b/bellman/src/gadgets/blake2s.rs @@ -1,3 +1,7 @@ +//! The [BLAKE2s] hash function with personalization support. +//! +//! [BLAKE2s]: https://tools.ietf.org/html/rfc7693 + use super::{boolean::Boolean, multieq::MultiEq, uint32::UInt32}; use crate::{ConstraintSystem, SynthesisError}; use ff::ScalarEngine; diff --git a/bellman/src/gadgets/boolean.rs b/bellman/src/gadgets/boolean.rs index bbc0d30..e08974d 100644 --- a/bellman/src/gadgets/boolean.rs +++ b/bellman/src/gadgets/boolean.rs @@ -1,3 +1,5 @@ +//! Gadgets for allocating bits in the circuit and performing boolean logic. + use ff::{BitIterator, Field, PrimeField, ScalarEngine}; use crate::{ConstraintSystem, LinearCombination, SynthesisError, Variable}; diff --git a/bellman/src/gadgets/lookup.rs b/bellman/src/gadgets/lookup.rs index 8124b22..b83844d 100644 --- a/bellman/src/gadgets/lookup.rs +++ b/bellman/src/gadgets/lookup.rs @@ -1,3 +1,5 @@ +//! Window table lookup gadgets. + use ff::{Field, ScalarEngine}; use super::boolean::Boolean; diff --git a/bellman/src/gadgets/multipack.rs b/bellman/src/gadgets/multipack.rs index 1fa1967..c0dc50e 100644 --- a/bellman/src/gadgets/multipack.rs +++ b/bellman/src/gadgets/multipack.rs @@ -1,3 +1,5 @@ +//! Helpers for packing vectors of bits into scalar field elements. + use super::boolean::Boolean; use super::num::Num; use super::Assignment; diff --git a/bellman/src/gadgets/num.rs b/bellman/src/gadgets/num.rs index b7caf6d..8be5448 100644 --- a/bellman/src/gadgets/num.rs +++ b/bellman/src/gadgets/num.rs @@ -1,3 +1,5 @@ +//! Gadgets representing numbers in the scalar field of the underlying curve. + use ff::{BitIterator, Field, PrimeField, PrimeFieldRepr, ScalarEngine}; use crate::{ConstraintSystem, LinearCombination, SynthesisError, Variable}; diff --git a/bellman/src/gadgets/sha256.rs b/bellman/src/gadgets/sha256.rs index a875513..0c8efea 100644 --- a/bellman/src/gadgets/sha256.rs +++ b/bellman/src/gadgets/sha256.rs @@ -1,3 +1,8 @@ +//! Circuits for the [SHA-256] hash function and its internal compression +//! function. +//! +//! [SHA-256]: https://tools.ietf.org/html/rfc6234 + use super::boolean::Boolean; use super::multieq::MultiEq; use super::uint32::UInt32; diff --git a/bellman/src/gadgets/test/mod.rs b/bellman/src/gadgets/test/mod.rs index fedfe94..47392f1 100644 --- a/bellman/src/gadgets/test/mod.rs +++ b/bellman/src/gadgets/test/mod.rs @@ -1,3 +1,5 @@ +//! Helpers for testing circuit implementations. + use ff::{Field, PrimeField, PrimeFieldRepr, ScalarEngine}; use crate::{ConstraintSystem, Index, LinearCombination, SynthesisError, Variable}; diff --git a/bellman/src/gadgets/uint32.rs b/bellman/src/gadgets/uint32.rs index cf8e390..a10be6c 100644 --- a/bellman/src/gadgets/uint32.rs +++ b/bellman/src/gadgets/uint32.rs @@ -1,3 +1,6 @@ +//! Circuit representation of a [`u32`], with helpers for the [`sha256`] +//! gadgets. + use ff::{Field, PrimeField, ScalarEngine}; use crate::{ConstraintSystem, LinearCombination, SynthesisError}; diff --git a/bellman/src/groth16/mod.rs b/bellman/src/groth16/mod.rs index 44c6f22..1ff152d 100644 --- a/bellman/src/groth16/mod.rs +++ b/bellman/src/groth16/mod.rs @@ -1,3 +1,7 @@ +//! The [Groth16] proving system. +//! +//! [Groth16]: https://eprint.iacr.org/2016/260 + use group::{CurveAffine, EncodedPoint}; use pairing::{Engine, PairingCurveAffine}; diff --git a/bellman/src/lib.rs b/bellman/src/lib.rs index 5152b0f..a3b577b 100644 --- a/bellman/src/lib.rs +++ b/bellman/src/lib.rs @@ -1,3 +1,137 @@ +//! `bellman` is a crate for building zk-SNARK circuits. It provides circuit +//! traits and and primitive structures, as well as basic gadget implementations +//! such as booleans and number abstractions. +//! +//! # Example circuit +//! +//! Say we want to write a circuit that proves we know the preimage to some hash +//! computed using SHA-256d (calling SHA-256 twice). The preimage must have a +//! fixed length known in advance (because the circuit parameters will depend on +//! it), but can otherwise have any value. We take the following strategy: +//! +//! - Witness each bit of the preimage. +//! - Compute `hash = SHA-256d(preimage)` inside the circuit. +//! - Expose `hash` as a public input using multiscalar packing. +//! +//! ``` +//! use bellman::{ +//! gadgets::{ +//! boolean::{AllocatedBit, Boolean}, +//! multipack, +//! sha256::sha256, +//! }, +//! groth16, Circuit, ConstraintSystem, SynthesisError, +//! }; +//! use pairing::{bls12_381::Bls12, Engine}; +//! use rand::rngs::OsRng; +//! use sha2::{Digest, Sha256}; +//! +//! /// Our own SHA-256d gadget. Input and output are in little-endian bit order. +//! fn sha256d>( +//! mut cs: CS, +//! data: &[Boolean], +//! ) -> Result, SynthesisError> { +//! // Flip endianness of each input byte +//! let input: Vec<_> = data +//! .chunks(8) +//! .map(|c| c.iter().rev()) +//! .flatten() +//! .cloned() +//! .collect(); +//! +//! let mid = sha256(cs.namespace(|| "SHA-256(input)"), &input)?; +//! let res = sha256(cs.namespace(|| "SHA-256(mid)"), &mid)?; +//! +//! // Flip endianness of each output byte +//! Ok(res +//! .chunks(8) +//! .map(|c| c.iter().rev()) +//! .flatten() +//! .cloned() +//! .collect()) +//! } +//! +//! struct MyCircuit { +//! /// The input to SHA-256d we are proving that we know. Set to `None` when we +//! /// are verifying a proof (and do not have the witness data). +//! preimage: Option<[u8; 80]>, +//! } +//! +//! impl Circuit for MyCircuit { +//! fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { +//! // Compute the values for the bits of the preimage. If we are verifying a proof, +//! // we still need to create the same constraints, so we return an equivalent-size +//! // Vec of None (indicating that the value of each bit is unknown). +//! let bit_values = if let Some(preimage) = self.preimage { +//! preimage +//! .into_iter() +//! .map(|byte| (0..8).map(move |i| (byte >> i) & 1u8 == 1u8)) +//! .flatten() +//! .map(|b| Some(b)) +//! .collect() +//! } else { +//! vec![None; 80 * 8] +//! }; +//! assert_eq!(bit_values.len(), 80 * 8); +//! +//! // Witness the bits of the preimage. +//! let preimage_bits = bit_values +//! .into_iter() +//! .enumerate() +//! // Allocate each bit. +//! .map(|(i, b)| { +//! AllocatedBit::alloc(cs.namespace(|| format!("preimage bit {}", i)), b) +//! }) +//! // Convert the AllocatedBits into Booleans (required for the sha256 gadget). +//! .map(|b| b.map(Boolean::from)) +//! .collect::, _>>()?; +//! +//! // Compute hash = SHA-256d(preimage). +//! let hash = sha256d(cs.namespace(|| "SHA-256d(preimage)"), &preimage_bits)?; +//! +//! // Expose the vector of 32 boolean variables as compact public inputs. +//! multipack::pack_into_inputs(cs.namespace(|| "pack hash"), &hash) +//! } +//! } +//! +//! // Create parameters for our circuit. In a production deployment these would +//! // be generated securely using a multiparty computation. +//! let params = { +//! let c = MyCircuit { preimage: None }; +//! groth16::generate_random_parameters::(c, &mut OsRng).unwrap() +//! }; +//! +//! // Prepare the verification key (for proof verification). +//! let pvk = groth16::prepare_verifying_key(¶ms.vk); +//! +//! // Pick a preimage and compute its hash. +//! let preimage = [42; 80]; +//! let hash = Sha256::digest(&Sha256::digest(&preimage)); +//! +//! // Create an instance of our circuit (with the preimage as a witness). +//! let c = MyCircuit { +//! preimage: Some(preimage), +//! }; +//! +//! // Create a Groth16 proof with our parameters. +//! let proof = groth16::create_random_proof(c, ¶ms, &mut OsRng).unwrap(); +//! +//! // Pack the hash as inputs for proof verification. +//! let hash_bits = multipack::bytes_to_bits_le(&hash); +//! let inputs = multipack::compute_multipacking::(&hash_bits); +//! +//! // Check the proof! +//! assert!(groth16::verify_proof(&pvk, &proof, &inputs).unwrap()); +//! ``` +//! +//! # Roadmap +//! +//! `bellman` is being refactored into a generic proving library. Currently it +//! is pairing-specific, and different types of proving systems need to be +//! implemented as sub-modules. After the refactor, `bellman` will be generic +//! using the [`ff`] and [`group`] crates, while specific proving systems will +//! be separate crates that pull in the dependencies they require. + // Catch documentation errors caused by code changes. #![deny(intra_doc_link_resolution_failure)] diff --git a/bellman/src/multicore.rs b/bellman/src/multicore.rs index ff97e06..ba69b5f 100644 --- a/bellman/src/multicore.rs +++ b/bellman/src/multicore.rs @@ -1,8 +1,9 @@ -//! This is an interface for dealing with the kinds of -//! parallel computations involved in bellman. It's -//! currently just a thin wrapper around CpuPool and -//! crossbeam but may be extended in the future to -//! allow for various parallelism strategies. +//! An interface for dealing with the kinds of parallel computations involved in +//! `bellman`. It's currently just a thin wrapper around [`CpuPool`] and +//! [`crossbeam`] but may be extended in the future to allow for various +//! parallelism strategies. +//! +//! [`CpuPool`]: futures_cpupool::CpuPool #[cfg(feature = "multicore")] mod implementation { diff --git a/ff/src/lib.rs b/ff/src/lib.rs index 456cbc1..6be25da 100644 --- a/ff/src/lib.rs +++ b/ff/src/lib.rs @@ -1,3 +1,5 @@ +//! This crate provides traits for working with finite fields. + // Catch documentation errors caused by code changes. #![deny(intra_doc_link_resolution_failure)] #![allow(unused_imports)] diff --git a/pairing/src/bls12_381/mod.rs b/pairing/src/bls12_381/mod.rs index 8fc6bbd..e6e88dd 100644 --- a/pairing/src/bls12_381/mod.rs +++ b/pairing/src/bls12_381/mod.rs @@ -1,3 +1,6 @@ +//! An implementation of the BLS12-381 pairing-friendly elliptic curve +//! construction. + mod ec; mod fq; mod fq12; diff --git a/pairing/src/lib.rs b/pairing/src/lib.rs index 9f20a88..89e5873 100644 --- a/pairing/src/lib.rs +++ b/pairing/src/lib.rs @@ -1,3 +1,5 @@ +//! A library for working with pairing-friendly curves. + // `clippy` is a code linting tool for improving code quality by catching // common mistakes or strange code patterns. If the `cargo-clippy` feature // is provided, all compiler warnings are prohibited. diff --git a/zcash_client_backend/src/constants/mainnet.rs b/zcash_client_backend/src/constants/mainnet.rs index 24dbbe7..f3f020d 100644 --- a/zcash_client_backend/src/constants/mainnet.rs +++ b/zcash_client_backend/src/constants/mainnet.rs @@ -1,3 +1,5 @@ +//! Constants for the Zcash main network. + /// The mainnet coin type for ZEC, as defined by [SLIP 44]. /// /// [SLIP 44]: https://github.com/satoshilabs/slips/blob/master/slip-0044.md diff --git a/zcash_client_backend/src/constants/testnet.rs b/zcash_client_backend/src/constants/testnet.rs index a83706e..5379d5a 100644 --- a/zcash_client_backend/src/constants/testnet.rs +++ b/zcash_client_backend/src/constants/testnet.rs @@ -1,3 +1,5 @@ +//! Constants for the Zcash test network. + /// The testnet coin type for ZEC, as defined by [SLIP 44]. /// /// [SLIP 44]: https://github.com/satoshilabs/slips/blob/master/slip-0044.md diff --git a/zcash_primitives/src/block.rs b/zcash_primitives/src/block.rs index 28a7441..ecb0e5b 100644 --- a/zcash_primitives/src/block.rs +++ b/zcash_primitives/src/block.rs @@ -1,3 +1,5 @@ +//! Structs and methods for handling Zcash block headers. + use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt}; use hex; use std::fmt; diff --git a/zcash_primitives/src/block/equihash.rs b/zcash_primitives/src/block/equihash.rs index 2a3bb66..5d40465 100644 --- a/zcash_primitives/src/block/equihash.rs +++ b/zcash_primitives/src/block/equihash.rs @@ -1,3 +1,7 @@ +//! Verification functions for the [Equihash] proof-of-work algorithm. +//! +//! [Equihash]: https://zips.z.cash/protocol/protocol.pdf#equihash + use blake2b_simd::{Hash as Blake2bHash, Params as Blake2bParams, State as Blake2bState}; use byteorder::{BigEndian, LittleEndian, ReadBytesExt, WriteBytesExt}; use log::error; diff --git a/zcash_primitives/src/constants.rs b/zcash_primitives/src/constants.rs index 39d55f3..37d337d 100644 --- a/zcash_primitives/src/constants.rs +++ b/zcash_primitives/src/constants.rs @@ -1,3 +1,5 @@ +//! Various constants used by the Zcash primitives. + /// First 64 bytes of the BLAKE2s input during group hash. /// This is chosen to be some random string that we couldn't have anticipated when we designed /// the algorithm, for rigidity purposes. diff --git a/zcash_primitives/src/group_hash.rs b/zcash_primitives/src/group_hash.rs index 8549c5e..6aac847 100644 --- a/zcash_primitives/src/group_hash.rs +++ b/zcash_primitives/src/group_hash.rs @@ -1,3 +1,7 @@ +//! Implementation of [group hashing into Jubjub][grouphash]. +//! +//! [grouphash]: https://zips.z.cash/protocol/protocol.pdf#concretegrouphashjubjub + use crate::jubjub::{edwards, JubjubEngine, PrimeOrder}; use ff::PrimeField; diff --git a/zcash_primitives/src/jubjub/mod.rs b/zcash_primitives/src/jubjub/mod.rs index 40938f3..4998a0b 100644 --- a/zcash_primitives/src/jubjub/mod.rs +++ b/zcash_primitives/src/jubjub/mod.rs @@ -1,3 +1,6 @@ +//! The [Jubjub] curve for efficient elliptic curve operations in circuits built +//! over [BLS12-381]. +//! //! Jubjub is a twisted Edwards curve defined over the BLS12-381 scalar //! field, Fr. It takes the form `-x^2 + y^2 = 1 + dx^2y^2` with //! `d = -(10240/10241)`. It is birationally equivalent to a Montgomery @@ -16,6 +19,9 @@ //! It is a complete twisted Edwards curve, so the equivalence with //! the Montgomery curve forms a group isomorphism, allowing points //! to be freely converted between the two forms. +//! +//! [Jubjub]: https://zips.z.cash/protocol/protocol.pdf#jubjub +//! [BLS12-381]: pairing::bls12_381 use ff::{Field, PrimeField, SqrtField}; use pairing::Engine; diff --git a/zcash_primitives/src/keys.rs b/zcash_primitives/src/keys.rs index 8c8a4b1..76914ba 100644 --- a/zcash_primitives/src/keys.rs +++ b/zcash_primitives/src/keys.rs @@ -1,6 +1,8 @@ //! Sapling key components. //! -//! Implements section 4.2.2 of the Zcash Protocol Specification. +//! Implements [section 4.2.2] of the Zcash Protocol Specification. +//! +//! [section 4.2.2]: https://zips.z.cash/protocol/protocol.pdf#saplingkeycomponents use crate::{ jubjub::{edwards, FixedGenerators, JubjubEngine, JubjubParams, ToUniform, Unknown}, diff --git a/zcash_primitives/src/lib.rs b/zcash_primitives/src/lib.rs index e8c2a51..713ca2b 100644 --- a/zcash_primitives/src/lib.rs +++ b/zcash_primitives/src/lib.rs @@ -1,3 +1,8 @@ +//! *General Zcash primitives.* +//! +//! `zcash_primitives` is a library that provides the core structs and functions necessary +//! for working with Zcash. + // Catch documentation errors caused by code changes. #![deny(intra_doc_link_resolution_failure)] diff --git a/zcash_primitives/src/pedersen_hash.rs b/zcash_primitives/src/pedersen_hash.rs index 835e9c7..690e977 100644 --- a/zcash_primitives/src/pedersen_hash.rs +++ b/zcash_primitives/src/pedersen_hash.rs @@ -1,3 +1,5 @@ +//! Implementation of the Pedersen hash function used in Sapling. + use crate::jubjub::*; use ff::{Field, PrimeField, PrimeFieldRepr}; diff --git a/zcash_primitives/src/primitives.rs b/zcash_primitives/src/primitives.rs index a336673..af4fa3a 100644 --- a/zcash_primitives/src/primitives.rs +++ b/zcash_primitives/src/primitives.rs @@ -1,3 +1,5 @@ +//! Structs for core Zcash primitives. + use ff::{Field, PrimeField, PrimeFieldRepr}; use crate::constants; diff --git a/zcash_primitives/src/redjubjub.rs b/zcash_primitives/src/redjubjub.rs index 6721b5e..187ebd3 100644 --- a/zcash_primitives/src/redjubjub.rs +++ b/zcash_primitives/src/redjubjub.rs @@ -1,5 +1,7 @@ -//! Implementation of RedJubjub, a specialization of RedDSA to the Jubjub curve. -//! See section 5.4.6 of the Sapling protocol specification. +//! Implementation of [RedJubjub], a specialization of RedDSA to the Jubjub +//! curve. +//! +//! [RedJubjub]: https://zips.z.cash/protocol/protocol.pdf#concretereddsa use crate::jubjub::{edwards::Point, FixedGenerators, JubjubEngine, JubjubParams, Unknown}; use ff::{Field, PrimeField, PrimeFieldRepr}; diff --git a/zcash_primitives/src/transaction/components.rs b/zcash_primitives/src/transaction/components.rs index c0410c4..270bac5 100644 --- a/zcash_primitives/src/transaction/components.rs +++ b/zcash_primitives/src/transaction/components.rs @@ -1,3 +1,5 @@ +//! Structs representing the components within Zcash transactions. + use crate::jubjub::{edwards, Unknown}; use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt}; use ff::{PrimeField, PrimeFieldRepr}; diff --git a/zcash_primitives/src/transaction/mod.rs b/zcash_primitives/src/transaction/mod.rs index 10e935b..4c203c5 100644 --- a/zcash_primitives/src/transaction/mod.rs +++ b/zcash_primitives/src/transaction/mod.rs @@ -1,3 +1,5 @@ +//! Structs and methods for handling Zcash transactions. + use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt}; use hex; use sha2::{Digest, Sha256}; diff --git a/zcash_primitives/src/zip32.rs b/zcash_primitives/src/zip32.rs index 6cbc462..f346625 100644 --- a/zcash_primitives/src/zip32.rs +++ b/zcash_primitives/src/zip32.rs @@ -1,3 +1,7 @@ +//! Implementation of [ZIP 32] for hierarchical deterministic key management. +//! +//! [ZIP 32]: https://zips.z.cash/zip-0032 + use aes::Aes256; use blake2b_simd::Params as Blake2bParams; use byteorder::{ByteOrder, LittleEndian, ReadBytesExt, WriteBytesExt}; diff --git a/zcash_proofs/src/circuit.rs b/zcash_proofs/src/circuit.rs index ac7e74c..6d26fa4 100644 --- a/zcash_proofs/src/circuit.rs +++ b/zcash_proofs/src/circuit.rs @@ -1,3 +1,5 @@ +//! Implementations of the Zcash circuits and Zcash-specific gadgets. + pub mod ecc; pub mod pedersen_hash; diff --git a/zcash_proofs/src/circuit/ecc.rs b/zcash_proofs/src/circuit/ecc.rs index fa4913a..e65d0ed 100644 --- a/zcash_proofs/src/circuit/ecc.rs +++ b/zcash_proofs/src/circuit/ecc.rs @@ -1,3 +1,5 @@ +//! Gadgets implementing Jubjub elliptic curve operations. + use ff::Field; use pairing::Engine; diff --git a/zcash_proofs/src/circuit/pedersen_hash.rs b/zcash_proofs/src/circuit/pedersen_hash.rs index 409f30e..15cc0c9 100644 --- a/zcash_proofs/src/circuit/pedersen_hash.rs +++ b/zcash_proofs/src/circuit/pedersen_hash.rs @@ -1,3 +1,5 @@ +//! Gadget for Zcash's Pedersen hash. + use super::ecc::{EdwardsPoint, MontgomeryPoint}; use bellman::gadgets::boolean::Boolean; use bellman::gadgets::lookup::*; diff --git a/zcash_proofs/src/circuit/sapling.rs b/zcash_proofs/src/circuit/sapling.rs index 08e55e6..aa4b7c8 100644 --- a/zcash_proofs/src/circuit/sapling.rs +++ b/zcash_proofs/src/circuit/sapling.rs @@ -1,3 +1,5 @@ +//! The Sapling circuits. + use ff::{Field, PrimeField, PrimeFieldRepr}; use bellman::{Circuit, ConstraintSystem, SynthesisError}; diff --git a/zcash_proofs/src/circuit/sprout/mod.rs b/zcash_proofs/src/circuit/sprout/mod.rs index 959ec78..1877047 100644 --- a/zcash_proofs/src/circuit/sprout/mod.rs +++ b/zcash_proofs/src/circuit/sprout/mod.rs @@ -1,3 +1,15 @@ +//! The "hybrid Sprout" circuit. +//! +//! "Hybrid Sprout" refers to the implementation of the [Sprout statement] in +//! `bellman` for [`groth16`], instead of the [original implementation][oldimpl] +//! using [`libsnark`] for [BCTV14]. +//! +//! [Sprout statement]: https://zips.z.cash/protocol/protocol.pdf#joinsplitstatement +//! [`groth16`]: bellman::groth16 +//! [oldimpl]: https://github.com/zcash/zcash/tree/v2.0.7/src/zcash/circuit +//! [`libsnark`]: https://github.com/scipr-lab/libsnark +//! [BCTV14]: https://eprint.iacr.org/2013/879 + use bellman::gadgets::boolean::{AllocatedBit, Boolean}; use bellman::gadgets::multipack::pack_into_inputs; use bellman::{Circuit, ConstraintSystem, LinearCombination, SynthesisError}; diff --git a/zcash_proofs/src/lib.rs b/zcash_proofs/src/lib.rs index a323cc3..0a1f9f2 100644 --- a/zcash_proofs/src/lib.rs +++ b/zcash_proofs/src/lib.rs @@ -1,3 +1,8 @@ +//! *Zcash circuits and proofs.* +//! +//! `zcash_proofs` contains the zk-SNARK circuits used by Zcash, and the APIs for creating +//! and verifying proofs. + // Catch documentation errors caused by code changes. #![deny(intra_doc_link_resolution_failure)] diff --git a/zcash_proofs/src/sapling/mod.rs b/zcash_proofs/src/sapling/mod.rs index 9aa62f1..60ffd9b 100644 --- a/zcash_proofs/src/sapling/mod.rs +++ b/zcash_proofs/src/sapling/mod.rs @@ -1,3 +1,5 @@ +//! Helpers for creating Sapling proofs. + use pairing::bls12_381::Bls12; use zcash_primitives::jubjub::{ edwards, fs::FsRepr, FixedGenerators, JubjubBls12, JubjubParams, Unknown,