From 58e3da88c274fa0261d61d550dfec224e74311b4 Mon Sep 17 00:00:00 2001 From: therealyingtong Date: Sun, 23 May 2021 10:26:55 +0800 Subject: [PATCH] Document point doubling constraints --- book/src/design/circuit/gadgets/ecc.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/book/src/design/circuit/gadgets/ecc.md b/book/src/design/circuit/gadgets/ecc.md index e1748d47..f7ee5165 100644 --- a/book/src/design/circuit/gadgets/ecc.md +++ b/book/src/design/circuit/gadgets/ecc.md @@ -1,5 +1,18 @@ # Elliptic Curve Cryptography +## Point doubling +- Input: $P = (x_p, y_p)$ +- Output: $[2]P = (x_r, y_r)$ + +Formulae: +$\lambda = \frac{3 x_p^2}{2 \cdot y_p}$ +$x_r = \lambda^2 - 2 \cdot x_p$ +$y_r = \lambda(x_p - x_r) - y_p$ + +Substituting for $\lambda$, we get the constraints: +- $4 \cdot y_p^2(x_r + 2 \cdot x_p) - 9 x_p^4 = 0$ +- $2 \cdot y_p(y_r + y_p) - 3 x_p^2(x_p - x_r) = 0$ + ## Incomplete addition - Inputs: $P = (x_p, y_p), Q = (x_q, y_q)$ - Output: $R = P \;βΈ­\; Q = (x_r, y_r)$
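Review bot: The new "Point doubling" section divides by $2 \cdot y_p$ in the formula for $\lambda$ and then clears that denominator to obtain the two constraints, but it never states the precondition $y_p \neq 0$. With the denominator cleared, the case $x_p = y_p = 0$ satisfies both constraints for every $(x_r, y_r)$: the first reduces to $-9 x_p^4 = 0$ and the second to $0 = 0$, so the output is unconstrained for that input. Please add a line under the Input/Output bullets stating which inputs the gadget assumes (for example "Assumes $y_p \neq 0$") and where that assumption is enforced, so a reader does not take the constraints as sound on all inputs. A smaller formatting point in the same hunk: the three formulae after "Formulae:" sit on consecutive lines with no bullets or blank lines between them, so Markdown will join them into one paragraph. Making them list items, as the constraints below them are, would keep them on separate lines.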