Merge pull request privacy-scaling-explorations#167 from input-output…

…-hk/dev-fix/book-rename-ecc-to-chip

[book] Rename `ecc` to `ecc-chip`

book/src/IDENTIFIERS.json

@@ -2,23 +2,23 @@
     "decompose-combined-lookup": "design/gadgets/decomposition.html#combined-lookup-expression",
     "decompose-short-lookup": "design/gadgets/decomposition.html#short-range-check",
     "decompose-short-range": "design/gadgets/decomposition.html#short-range-decomposition",
-    "ecc-complete-addition": "design/gadgets/ecc/addition.html#complete-addition-constraints",
-    "ecc-incomplete-addition": "design/gadgets/ecc/addition.html#incomplete-addition-constraints",
-    "ecc-fixed-mul-base-canonicity": "design/gadgets/ecc/fixed-base-scalar-mul.html#base-field-element",
-    "ecc-fixed-mul-coordinates": "design/gadgets/ecc/fixed-base-scalar-mul.html#constrain-coordinates",
-    "ecc-fixed-mul-full-word": "design/gadgets/ecc/fixed-base-scalar-mul.html#full-width-scalar",
-    "ecc-fixed-mul-load-base": "design/gadgets/ecc/fixed-base-scalar-mul.html#load-fixed-base",
-    "ecc-fixed-mul-short-msb": "design/gadgets/ecc/fixed-base-scalar-mul.html#constrain-short-signed-msb",
-    "ecc-fixed-mul-short-conditional-neg": "design/gadgets/ecc/fixed-base-scalar-mul.html#constrain-short-signed-conditional-neg",
-    "ecc-var-mul-complete-gate": "design/gadgets/ecc/var-base-scalar-mul.html#complete-gate",
-    "ecc-var-mul-incomplete-first-row": "design/gadgets/ecc/var-base-scalar-mul.html#incomplete-first-row-gate",
-    "ecc-var-mul-incomplete-last-row": "design/gadgets/ecc/var-base-scalar-mul.html#incomplete-last-row-gate",
-    "ecc-var-mul-incomplete-main-loop": "design/gadgets/ecc/var-base-scalar-mul.html#incomplete-main-loop-gate",
-    "ecc-var-mul-lsb-gate": "design/gadgets/ecc/var-base-scalar-mul.html#lsb-gate",
-    "ecc-var-mul-overflow": "design/gadgets/ecc/var-base-scalar-mul.html#overflow-check-constraints",
-    "ecc-var-mul-witness-scalar": "design/gadgets/ecc/var-base-scalar-mul.html#witness-scalar",
-    "ecc-witness-point": "design/gadgets/ecc/witnessing-points.html#points-including-the-identity",
-    "ecc-witness-non-identity-point": "design/gadgets/ecc/witnessing-points.html#non-identity-points",
+    "ecc-complete-addition": "design/gadgets/ecc-chip/addition.html#complete-addition-constraints",
+    "ecc-incomplete-addition": "design/gadgets/ecc-chip/addition.html#incomplete-addition-constraints",
+    "ecc-fixed-mul-base-canonicity": "design/gadgets/ecc-chip/fixed-base-scalar-mul.html#base-field-element",
+    "ecc-fixed-mul-coordinates": "design/gadgets/ecc-chip/fixed-base-scalar-mul.html#constrain-coordinates",
+    "ecc-fixed-mul-full-word": "design/gadgets/ecc-chip/fixed-base-scalar-mul.html#full-width-scalar",
+    "ecc-fixed-mul-load-base": "design/gadgets/ecc-chip/fixed-base-scalar-mul.html#load-fixed-base",
+    "ecc-fixed-mul-short-msb": "design/gadgets/ecc-chip/fixed-base-scalar-mul.html#constrain-short-signed-msb",
+    "ecc-fixed-mul-short-conditional-neg": "design/gadgets/ecc-chip/fixed-base-scalar-mul.html#constrain-short-signed-conditional-neg",
+    "ecc-var-mul-complete-gate": "design/gadgets/ecc-chip/var-base-scalar-mul.html#complete-gate",
+    "ecc-var-mul-incomplete-first-row": "design/gadgets/ecc-chip/var-base-scalar-mul.html#incomplete-first-row-gate",
+    "ecc-var-mul-incomplete-last-row": "design/gadgets/ecc-chip/var-base-scalar-mul.html#incomplete-last-row-gate",
+    "ecc-var-mul-incomplete-main-loop": "design/gadgets/ecc-chip/var-base-scalar-mul.html#incomplete-main-loop-gate",
+    "ecc-var-mul-lsb-gate": "design/gadgets/ecc-chip/var-base-scalar-mul.html#lsb-gate",
+    "ecc-var-mul-overflow": "design/gadgets/ecc-chip/var-base-scalar-mul.html#overflow-check-constraints",
+    "ecc-var-mul-witness-scalar": "design/gadgets/ecc-chip/var-base-scalar-mul.html#witness-scalar",
+    "ecc-witness-point": "design/gadgets/ecc-chip/witnessing-points.html#points-including-the-identity",
+    "ecc-witness-non-identity-point": "design/gadgets/ecc-chip/witnessing-points.html#non-identity-points",
     "sinsemilla-constraints": "design/gadgets/sinsemilla.html#optimized-sinsemilla-gate",
     "sinsemilla-merkle-crh-bit-lengths": "design/gadgets/sinsemilla/merkle-crh.html#bit-length-constraints",
     "sinsemilla-merkle-crh-decomposition": "design/gadgets/sinsemilla/merkle-crh.html#decomposition-constraints"

book/src/SUMMARY.md

@@ -27,12 +27,12 @@
     - [Fields](design/implementation/fields.md)
     - [Selector combining](design/implementation/selector-combining.md)
   - [Gadgets](design/gadgets.md)
-    - [Elliptic curve cryptography](design/gadgets/ecc.md)
-      - [Witnessing points](design/gadgets/ecc/witnessing-points.md)
-      - [Point Doubling](design/gadgets/ecc/doubling.md)
-      - [Incomplete and complete addition](design/gadgets/ecc/addition.md)
-      - [Fixed-base scalar multiplication](design/gadgets/ecc/fixed-base-scalar-mul.md)
-      - [Variable-base scalar multiplication](design/gadgets/ecc/var-base-scalar-mul.md)
+    - [Elliptic curve cryptography (ECC) Chip](design/gadgets/ecc-chip.md)
+      - [Witnessing points](design/gadgets/ecc-chip/witnessing-points.md)
+      - [Point Doubling](design/gadgets/ecc-chip/doubling.md)
+      - [Incomplete and complete addition](design/gadgets/ecc-chip/addition.md)
+      - [Fixed-base scalar multiplication](design/gadgets/ecc-chip/fixed-base-scalar-mul.md)
+      - [Variable-base scalar multiplication](design/gadgets/ecc-chip/var-base-scalar-mul.md)
     - [Sinsemilla](design/gadgets/sinsemilla.md)
       - [MerkleCRH](design/gadgets/sinsemilla/merkle-crh.md)
     - [Decomposition](design/gadgets/decomposition.md)

book/src/design/gadgets/double-and-add.md

@@ -1,7 +1,7 @@
 # Double-and-add
 
 The double-and-add gadget is a low-level primitive that combines a point doubling and an addition into a single operation, in a way that's more constraint efficient than doing them separately.
-This efficiency is gained by not needing to constrain or witness an  intermediate point, and by using [*incomplete* addition](/design/gadgets/ecc/addition.html#incomplete-addition) ($⸭$) to avoid branching and have uniform formulas. Concretely, given points $Acc$ and $P$, the gadget logically computes
+This efficiency is gained by not needing to constrain or witness an  intermediate point, and by using [*incomplete* addition](/design/gadgets/ecc-chip/addition.html#incomplete-addition) ($⸭$) to avoid branching and have uniform formulas. Concretely, given points $Acc$ and $P$, the gadget logically computes
 
 $$
 Acc := [2]Acc + P

book/src/design/gadgets/ecc/witnessing-points.md → book/src/design/gadgets/ecc-chip/witnessing-points.md

@@ -2,7 +2,7 @@
 
 We represent elliptic curve points in the circuit in their affine representation $(x, y)$.
 The identity is represented as the pseudo-coordinate $(0, 0)$, which we
-[assume](../ecc.md#chip-assumptions) is not a valid point on the curve.
+[assume](../ecc-chip.md#chip-assumptions) is not a valid point on the curve.
 
 ## Non-identity points
 

book/src/design/gadgets/endoscaling.md

@@ -36,7 +36,7 @@ Let $E$ be our elliptic curve, and assume that $\phi$ is a cubic group automorph
 $$\phi([s]B) = [s]\phi(B) = [s]([z]B) = [z]([s]B),$$
 i.e. $\phi(P) = [z]P$ for all $P$. But then $B = \phi^3(B) = [z^3]B$ implies $z^3 = 1 \bmod q$. And so $\zeta_q \triangleq z$ is what we're after.
 
-So, it remains to show that $\phi((x, y)) \triangleq (\zeta_p \cdot x, y)$ is a cubic group automorphism of $E$. It's clear that $\phi$ defined this way is a cubic <em>set</em> automorphism of $E$, since $\zeta_p^3 = 1$ and our curve equation is of the form $E = \{(x,y): y^2 = x^3 + b\}$. Hence it remains to show that $\phi(P + Q) = \phi(P) + \phi(Q)$. To see this, just check the equations for [adding distinct points](/design/gadgets/ecc/addition.html#incomplete-addition) and [adding a point to itself](/design/gadgets/ecc/addition.html#complete-addition) and note that
+So, it remains to show that $\phi((x, y)) \triangleq (\zeta_p \cdot x, y)$ is a cubic group automorphism of $E$. It's clear that $\phi$ defined this way is a cubic <em>set</em> automorphism of $E$, since $\zeta_p^3 = 1$ and our curve equation is of the form $E = \{(x,y): y^2 = x^3 + b\}$. Hence it remains to show that $\phi(P + Q) = \phi(P) + \phi(Q)$. To see this, just check the equations for [adding distinct points](/design/gadgets/ecc-chip/addition.html#incomplete-addition) and [adding a point to itself](/design/gadgets/ecc-chip/addition.html#complete-addition) and note that
 $$x_r((\zeta_p \cdot x_p, y_p), (\zeta_p \cdot x_q, y_q)) = \zeta_p \cdot x_r((x_p, y_p), (x_q, y_q))$$
 and
 $$y_r((\zeta_p \cdot x_p, y_p), (\zeta_p \cdot x_q, y_q)) = y_r((x_p, y_p), (x_q, y_q))$$

halo2_gadgets/scripts/full_width_variable_base_scalar_mul.sage

@@ -15,11 +15,11 @@ and saves them as a reference for related future development.
 For more motivation and details, see the up-to-date description of
 variable-base scalar multiplication algorithm in the local book:
 
-http://localhost:3000/design/gadgets/ecc/var-base-scalar-mul.html
+http://localhost:3000/design/gadgets/ecc-chip/var-base-scalar-mul.html
 
 This script is particularly concerned with this section:
 
-http://localhost:3000/design/gadgets/ecc/var-base-scalar-mul.html#weird-loop.
+http://localhost:3000/design/gadgets/ecc-chip/var-base-scalar-mul.html#weird-loop.
 """
 
 def expect_assert(f):
@@ -137,7 +137,7 @@ def weird_loop(k, n, q, p):
     were computed correctly.
 
     More details at
-    http://localhost:3000/design/gadgets/ecc/var-base-scalar-mul.html#weird-loop.
+    http://localhost:3000/design/gadgets/ecc-chip/var-base-scalar-mul.html#weird-loop.
     """
     acc = 2
     for i in reversed(range(0, n)):

halo2_gadgets/src/ecc/chip/mul.rs

@@ -3,7 +3,7 @@
 //!
 //! The algorithms implemented by this module are described in the
 //! Halo 2 book:
-//! http://localhost:3000/design/gadgets/ecc/var-base-scalar-mul.html
+//! http://localhost:3000/design/gadgets/ecc-chip/var-base-scalar-mul.html
 use super::{add, double, EccPoint, EccScalarVarFullWidth, NonIdentityEccPoint};
 use crate::utilities::{
     self, bool_check,
@@ -219,7 +219,7 @@ where
         // = h + t`. See layout description in `process_lsb()`.
         //
         // If `lsb` is 0, `(x, y) = (x_p, -y_p)`. If `lsb` is 1, `(x, y) = (0,0)`.
-        // http://localhost:3000/design/gadgets/ecc/var-base-scalar-mul.html#layout-1
+        // http://localhost:3000/design/gadgets/ecc-chip/var-base-scalar-mul.html#layout-1
         meta.create_gate("LSB check", |meta| {
             let q_mul_lsb = meta.query_selector(self.q_mul_lsb);
 
@@ -315,13 +315,13 @@ where
     /// - the base-field modulus is at least `2^n`.
     ///
     /// These preconditions are explained below, and in the Halo 2 book here:
-    /// http://localhost:3000/design/gadgets/ecc/var-base-scalar-mul.html#decomp-soundness
+    /// http://localhost:3000/design/gadgets/ecc-chip/var-base-scalar-mul.html#decomp-soundness
     ///
     /// # Details
     ///
     /// This functions implements the `daa_loop` scalar
     /// multiplication algorithm described in the Halo 2 book here:
-    /// http://localhost:3000/design/gadgets/ecc/var-base-scalar-mul.html#why-decomp
+    /// http://localhost:3000/design/gadgets/ecc-chip/var-base-scalar-mul.html#why-decomp
     ///
     /// Internally we use a big-endian bit decomposition
     ///
@@ -554,7 +554,7 @@ where
     ///
     /// For more in-depth discussion of these preconditions and their
     /// justification, see the Halo 2 book:
-    /// http://localhost:3000/design/gadgets/ecc/var-base-scalar-mul.html#decomp-soundness
+    /// http://localhost:3000/design/gadgets/ecc-chip/var-base-scalar-mul.html#decomp-soundness
     ///
     /// # Pseudocode
     ///

halo2_gadgets/src/utilities/high_low_decomp.rs

@@ -37,7 +37,7 @@
 //! Decomposition is provided by [`Config::decompose_field_elem`].
 //!
 //! See the decomposition chapter of the
-//! [Halo 2 book](http://localhost:3000/design/gadgets/ecc/decomposition.html#hl-decomp)
+//! [Halo 2 book](http://localhost:3000/design/gadgets/ecc-chip/decomposition.html#hl-decomp)
 //! for more details.
 use crate::{
     sinsemilla::primitives as sinsemilla,