mirror of https://github.com/zcash/halo2.git
Apply suggestions from code review
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: str4d <jack@electriccoin.co>
parent 96d60b3f13
commit 33b4192c0d
|
@ -5,13 +5,13 @@ Inputs: $P = (x_P, y_P), Q = (x_Q, y_Q)$
|
|||
Output: $A = P + Q = (x_A, y_A)$
|
||||
|
||||
Formulae:
|
||||
- $\lambda \cdot (x_p - x_{q}) = y_p - y_{q}$
|
||||
- $x_{a} = \lambda^2 - x_{q} - x_p$
|
||||
- $y_{a} = \lambda(x_{q} - x_{a}) - y_{q}$
|
||||
- $\lambda \cdot (x_p - x_q) = y_p - y_q$
|
||||
- $x_a = \lambda^2 - x_q - x_p$
|
||||
- $y_a = \lambda(x_q - x_a) - y_q$
|
||||
|
||||
Substituting for $\lambda$, we get the constraints:
|
||||
- $(x_{a} + x_{q} + x_p) \cdot (x_p - x_q)^2 - (y_p - y_{q})^2 = 0$
|
||||
- $(y_{a} + y_{q})(x_p - x_{q}) - (y_p - y_{q})(x_{q} - x_{a}) = 0$
|
||||
- $(x_a + x_q + x_p) \cdot (x_p - x_q)^2 - (y_p - y_q)^2 = 0$
|
||||
- $(y_a + y_q)(x_p - x_q) - (y_p - y_q)(x_q - x_a) = 0$
|
||||
|
||||
## Complete addition
|
||||
|
||||
|
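Review bot: The two substituted constraints at the end of this hunk are satisfied by every $(x_a, y_a)$ when $x_p = x_q$ and $y_p = y_q$, because each term carries a factor of $(x_p - x_q)$ or $(y_p - y_q)$. Nothing in these lines states that the inputs must have distinct $x$-coordinates, so I would add the requirement $x_p \neq x_q$ next to the formulae and say where the caller is expected to enforce it. Smaller point: the Inputs and Output lines use uppercase subscripts ($x_P$, $x_A$) while the formulae use lowercase ($x_p$, $x_a$); since this change already normalises the subscripts, pick one form for both.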
@ -34,8 +34,8 @@ $$
|
|||
\begin{aligned}
|
||||
P + Q &= R\\
|
||||
(x_p, y_p) + (x_q, y_q) &= (x_r, y_r) \\
|
||||
\lambda &= \frac{y_q - y_p}{x_q - x_p} \\
|
||||
x_r &= \lambda^2 - x_p - x_q \\
|
||||
\lambda &= \frac{y_p - y_q}{x_p - x_q} \\
|
||||
x_r &= \lambda^2 - x_q - x_p \\
|
||||
y_r &= \lambda(x_p - x_r) - y_p
|
||||
\end{aligned}
|
||||
$$
|
||||
|
|
|
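Review bot: The $y_r$ line at the end of the aligned block is left in terms of $P$, as $\lambda(x_p - x_r) - y_p$, while the incomplete-addition formula touched in this same commit is written in terms of $Q$, as $y_a = \lambda(x_q - x_a) - y_q$. The two forms are equal whenever $\lambda (x_p - x_q) = y_p - y_q$, so this is not a correctness issue, but since $\lambda$ and $x_r$ are being reordered here to match the other section, $y_r$ should follow the same convention or the text should note that either point can be used.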
@ -14,8 +14,8 @@ $$\alpha = k_0 + k_1 \cdot (2^3)^1 + \cdots + k_{84} \cdot (2^3)^{84}, k_i \in [
|
|||
## Load fixed base
|
||||
Then, we precompute multiples of the fixed base $B$ for each window. This takes the form of a window table: $M[0..85)[0..8)$ such that:
|
||||
|
||||
- for the first 84 rows $M[0..83][0..7]$: $$M[w][k] = [(k+1) \cdot (2^3)^w]B$$
|
||||
- in the last row $M[84][0..7]$: $$M[w][k] = [k \cdot (2^3)^w - \sum\limits_{j=0}^{83} (2^3)^j]B$$
|
||||
- for the first 84 rows $M[0..84)[0..8)$: $$M[w][k] = [(k+1) \cdot (2^3)^w]B$$
|
||||
- in the last row $M[84][0..8)$: $$M[w][k] = [k \cdot (2^3)^w - \sum\limits_{j=0}^{83} (2^3)^j]B$$
|
||||
|
||||
The additional $(k + 1)$ term lets us avoid adding the point at infinity in the case $k = 0$. We offset these accumulated terms by subtracting them in the final window, i.e. we subtract $\sum\limits_{j=0}^{83} (2^3)^j$.
|
||||
|
||||
|
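Review bot: The last-row bullet still writes $M[w][k]$ and $(2^3)^w$ with a free $w$, although the row is fixed at $w = 84$. Suggest $M[84][k] = [k \cdot (2^3)^{84} - \sum_{j=0}^{83} (2^3)^j]B$ so the formula can be read without the bullet's prose. The explanatory paragraph that follows could also say explicitly that the last row uses $k$ rather than $k + 1$, since it only describes the $(k + 1)$ offset and its correction.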
@ -23,7 +23,7 @@ For each window of fixed-base multiples $M[w] = (M[w][0], \cdots, M[w][7]), w \i
|
|||
- Define a Lagrange interpolation polynomial $\mathcal{L}_x(k)$ that maps $k \in [0..7]$ to the $x$-coordinate of the multiple $M[w][k]$, i.e.
|
||||
$$
|
||||
\mathcal{L}_x(k) = \begin{cases}
|
||||
([(k + 1) \cdot 8^w] B)_x &\text{for } w \in [0..83]; \\
|
||||
([(k + 1) \cdot 8^w] B)_x &\text{for } w \in [0..84); \\
|
||||
([k \cdot (8)^w - \sum\limits_{j=0}^{83} (8)^j] B)_x &\text{for } w = 84; \text{ and}
|
||||
\end{cases}
|
||||
$$
|
||||
|
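Review bot: Interval notation is now mixed inside this one definition: the changed case uses the half-open $w \in [0..84)$, but the bullet introducing $\mathcal{L}_x(k)$ still says $k \in [0..7]$ and the hunk header context still lists $M[w][0], \cdots, M[w][7]$. Switch the $k$ range to $[0..8)$ here as well, as was done for the window table and the scalar-multiplication steps. The second case also ends in "; \text{ and}" with no case after it, which reads as a leftover and should be dropped.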
@ -40,7 +40,7 @@ We load these precomputed values into fixed columns whenever we do fixed-base sc
|
|||
## Fixed-base scalar multiplication
|
||||
Given a decomposed scalar $\alpha$ and a fixed base $B$, we compute $[\alpha]B$ as such:
|
||||
|
||||
1. For each $k_w, w \in [0..84], k_w \in [0..7]$ in the scalar decomposition, witness the $x$- and $y$-coordinates $(x_w,y_w) = M[w][k_w].$
|
||||
1. For each $k_w, w \in [0..85), k_w \in [0..8)$ in the scalar decomposition, witness the $x$- and $y$-coordinates $(x_w,y_w) = M[w][k_w].$
|
||||
2. Check that $(x_w, y_w)$ is on the curve: $y_w^2 = x_w^3 + b$.
|
||||
3. Witness $u_w$ such that $y_w + z_w = u_w^2$.
|
||||
4. Use [incomplete addition](./incomplete-add.md) to sum the $M[w][k_w]$'s, resulting in $[\alpha]B$.
|
||||
|
|
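Review bot: Step 4 sums the $M[w][k_w]$ with incomplete addition, and the incomplete-addition constraints give no information about the result when both operands share an $x$-coordinate. The steps here check that each witnessed point is on the curve but do not say why the running sum and the next window's multiple can never collide. Please add a sentence to step 4, or a link to the argument, explaining why the exceptional case cannot occur for any decomposition $k_w \in [0..8)$.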