book: Adjustments to point addition and compression sections

str4d 2021-05-27 18:43:24 +01:00 committed by GitHub
parent d7b88addd9
commit 36cd8633e2
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 4 deletions


@ -154,8 +154,8 @@ when adding two distinct points.
### Point addition ### Point addition
We now add two points with distinct $x$-coordinates, $P = (x_0, y_0)$ and $Q = (x_1, y_1),$ We now add two points with distinct $x$-coordinates, $P = (x_0, y_0)$ and $Q = (x_1, y_1),$
where $x_0 \neq x_1$, to obtain $R = P + Q = (x_2, y_2).$ The line $\overline{PQ}$ has slope where $x_0 \neq x_1,$ to obtain $R = P + Q = (x_2, y_2).$ The line $\overline{PQ}$ has slope
$\lambda = (y_1 - y_0)/(x_1 - x_0) \implies y - y_0 = \lambda \cdot (x - x_0).$ $$\lambda = frac{y_1 - y_0}{x_1 - x_0} \implies y - y_0 = \lambda \cdot (x - x_0).$$
Using the expression for $\overline{PQ}$, we compute $y$-coordinate $-y_2$ of $-R$ as: Using the expression for $\overline{PQ}$, we compute $y$-coordinate $-y_2$ of $-R$ as:
$$-y_2 - y_0 = \lambda \cdot (x_2 - x_0) \implies \boxed{y_2 = (x_0 - x_2) - y_0}.$$ $$-y_2 - y_0 = \lambda \cdot (x_2 - x_0) \implies \boxed{y_2 = (x_0 - x_2) - y_0}.$$
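Review bot: On the new display-math line for the slope, `frac` is missing its backslash (`\lambda = frac{y_1 - y_0}{x_1 - x_0}`), so it will render as literal text instead of a fraction; it should be `\frac{y_1 - y_0}{x_1 - x_0}`. While this paragraph is being touched, the boxed result in the context line below drops the slope: from $-y_2 - y_0 = \lambda \cdot (x_2 - x_0)$ it should read $y_2 = \lambda \cdot (x_0 - x_2) - y_0$.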
@ -215,19 +215,25 @@ elements can be expressed in $255$ bits. This conveniently leaves one unused bit
32-byte representation. We pack the $y$-coordinate `sign` bit into the highest bit in 32-byte representation. We pack the $y$-coordinate `sign` bit into the highest bit in
the representation of the $x$-coordinate: the representation of the $x$-coordinate:
``` ```text
<----------------------------------- x ---------------------------------> <----------------------------------- x --------------------------------->
Enc(P) = [_ _ _ _ _ _ _ _] [_ _ _ _ _ _ _ _] ... [_ _ _ _ _ _ _ _] [_ _ _ _ _ _ _ sign] Enc(P) = [_ _ _ _ _ _ _ _] [_ _ _ _ _ _ _ _] ... [_ _ _ _ _ _ _ _] [_ _ _ _ _ _ _ sign]
^ <-------------------------------------> ^ ^ <-------------------------------------> ^
LSB 30 bytes MSB LSB 30 bytes MSB
``` ```
The "point at infinity" $\mathcal{O}$ that serves as the group identity, does not have an
affine $(x, y)$ representation. However, it turns out that there are no points on either
the Pallas or Vesta curve with $x = 0$ or $y = 0$. We therefore use the "fake" affine
coordinates $(0, 0)$ to encode $\mathcal{O}$, which results in the all-zeroes 32-byte
array.
### Deserialization ### Deserialization
When deserializing a compressed curve point, we first read the most significant bit as When deserializing a compressed curve point, we first read the most significant bit as
`ysign`, the sign of the $y$-coordinate. Then, we set this bit to zero to recover the `ysign`, the sign of the $y$-coordinate. Then, we set this bit to zero to recover the
original $x$-coordinate. original $x$-coordinate.
If $x = 0, y = 0,$ we return the additive identity $(0, 0, 0)$. Otherwise, we proceed If $x = 0, y = 0,$ we return the "point at infinity" $\mathcal{O}$. Otherwise, we proceed
to compute $y = \sqrt{x^3 + b}.$ Here, we read the least significant bit of $y$ as `sign`. to compute $y = \sqrt{x^3 + b}.$ Here, we read the least significant bit of $y$ as `sign`.
If `sign == ysign`, we already have the correct sign and simply return the curve point If `sign == ysign`, we already have the correct sign and simply return the curve point
$(x, y)$. Otherwise, we negate $y$ and return $(x, -y)$. $(x, y)$. Otherwise, we negate $y$ and return $(x, -y)$.
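Review bot: In the Deserialization paragraph, the reworded identity check is still conditioned on `x = 0, y = 0`, but at that step only $x$ and `ysign` have been read; $y$ is not computed until the following sentence. Suggest stating the condition on the encoding instead, for example "If $x = 0$ and `ysign` is 0 (the all-zeroes array), we return $\mathcal{O}$". The text should also say what a decoder does with $x = 0$ and `ysign` set, and with an $x$ for which $x^3 + b$ has no square root, since both cases are currently left unspecified. Minor: in the added paragraph, the comma after "group identity" separates the subject from its verb and can be dropped.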