From 8918160e5de44e01a1f596552284651419b16e05 Mon Sep 17 00:00:00 2001
From: therealyingtong <yingtong@z.cash>
Date: Fri, 26 Feb 2021 16:21:43 +0800
Subject: [PATCH] Add Sinsemilla gadget

---
 src/circuit/gadget.rs            |  1 +
 src/circuit/gadget/sinsemilla.rs | 36 ++++++++++++++++++++++++++++++++
 src/primitives/sinsemilla.rs     | 10 ++++++---
 3 files changed, 44 insertions(+), 3 deletions(-)
 create mode 100644 src/circuit/gadget/sinsemilla.rs

diff --git a/src/circuit/gadget.rs b/src/circuit/gadget.rs
index 9e152918f..6760313fc 100644
--- a/src/circuit/gadget.rs
+++ b/src/circuit/gadget.rs
@@ -1 +1,2 @@
 pub(crate) mod ecc;
+pub(crate) mod sinsemilla;
diff --git a/src/circuit/gadget/sinsemilla.rs b/src/circuit/gadget/sinsemilla.rs
new file mode 100644
index 000000000..58507778b
--- /dev/null
+++ b/src/circuit/gadget/sinsemilla.rs
@@ -0,0 +1,36 @@
+//! Gadget and chips for the Sinsemilla hash function.
+use halo2::{
+    arithmetic::CurveAffine,
+    circuit::{Chip, Layouter},
+    plonk::Error,
+};
+
+/// The set of circuit instructions required to use the [`Sinsemilla`](https://zcash.github.io/halo2/design/gadgets/sinsemilla.html) gadget.
+pub trait SinsemillaInstructions<C: CurveAffine>: Chip<Field = C::Base> {
+    type Message: Iterator<Item = bool> + ExactSizeIterator;
+
+    fn extract(point: &C::Curve) -> C::Base;
+
+    #[allow(non_snake_case)]
+    fn Q(domain_prefix: &str) -> C::Curve;
+
+    fn hash_to_point(
+        layouter: &mut impl Layouter<Self>,
+        domain_prefix: &str,
+        message: Self::Message,
+    ) -> Result<C::Curve, Error>;
+
+    fn hash(
+        layouter: &mut impl Layouter<Self>,
+        domain_prefix: &str,
+        message: Self::Message,
+    ) -> Result<C::Base, Error>;
+
+    fn commit(domain_prefix: &str, msg: Self::Message, r: &C::Scalar) -> Result<C::Curve, Error>;
+
+    fn short_commit(
+        domain_prefix: &str,
+        msg: Self::Message,
+        r: &C::Scalar,
+    ) -> Result<C::Base, Error>;
+}
diff --git a/src/primitives/sinsemilla.rs b/src/primitives/sinsemilla.rs
index 7899952dc..2e4b36a0a 100644
--- a/src/primitives/sinsemilla.rs
+++ b/src/primitives/sinsemilla.rs
@@ -8,10 +8,14 @@ use halo2::{
     pasta::pallas,
 };
 
-const GROUP_HASH_Q: &str = "z.cash:SinsemillaQ";
-const GROUP_HASH_S: &str = "z.cash:SinsemillaS";
+/// Domain prefix used in SWU hash-to-curve to generate Q.
+pub const GROUP_HASH_Q: &str = "z.cash:SinsemillaQ";
 
-const K: usize = 10;
+/// Domain prefix used in SWU hash-to-curve to generate S_i's.
+pub const GROUP_HASH_S: &str = "z.cash:SinsemillaS";
+
+/// There are 2^K S_i generators in the Sinsemilla lookup.
+pub const K: usize = 10;
 const C: usize = 253;
 
 fn lebs2ip_32(bits: &[bool]) -> u32 {