mirror of https://github.com/zcash/halo2.git
Address further review comments.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: str4d <jack@electriccoin.co>
This commit is contained in:
parent
33b4192c0d
commit
b4c3805e22
@ -1,17 +1,19 @@
# Elliptic Curve Cryptography
## Incomplete addition
Inputs: $P = (x_P, y_P), Q = (x_Q, y_Q)$
Output: $A = P + Q = (x_A, y_A)$
- Inputs: $P = (x_p, y_p), Q = (x_q, y_q)$
- Output: $R = P + Q = (x_r, y_r)$
Formulae:
- $\lambda \cdot (x_p - x_q) = y_p - y_q$
- $x_a = \lambda^2 - x_q - x_p$
- $y_a = \lambda(x_q - x_a) - y_q$
- $x_r = \lambda^2 - x_q - x_p$
- $y_r = \lambda(x_q - x_r) - y_q$
Substituting for $\lambda$, we get the constraints:
- $(x_a + x_q + x_p) \cdot (x_p - x_q)^2 - (y_p - y_q)^2 = 0$
- $(y_a + y_q)(x_p - x_q) - (y_p - y_q)(x_q - x_a) = 0$
- $(x_r + x_q + x_p) \cdot (x_p - x_q)^2 - (y_p - y_q)^2 = 0$
- Note that this constraint is unsatisfiable for $P + (-P)$, and so cannot be used with arbitrary inputs.
- $(y_r + y_q)(x_p - x_q) - (y_p - y_q)(x_q - x_r) = 0$
## Complete addition
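Review bot: the new sub-bullet on the first constraint only covers the unsatisfiable case $P + (-P)$; the other failure of these formulae, $P = Q$, is the more dangerous one for a circuit and deserves a sentence too. When $x_p = x_q$ and $y_p = y_q$, both $(x_r + x_q + x_p) \cdot (x_p - x_q)^2 - (y_p - y_q)^2 = 0$ and $(y_r + y_q)(x_p - x_q) - (y_p - y_q)(x_q - x_r) = 0$ reduce to $0 = 0$, so any $(x_r, y_r)$ satisfies them and nothing constrains the output. Suggest wording the note as: the gadget is only sound when $x_p \neq x_q$ is enforced separately (by the caller or an additional constraint), which covers both the $P = Q$ and the $P + (-P)$ cases, rather than only saying it "cannot be used with arbitrary inputs".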
@ -36,7 +38,7 @@ P + Q &= R\\
(x_p, y_p) + (x_q, y_q) &= (x_r, y_r) \\
\lambda &= \frac{y_p - y_q}{x_p - x_q} \\
x_r &= \lambda^2 - x_q - x_p \\
y_r &= \lambda(x_p - x_r) - y_p
y_r &= \lambda(x_q - x_r) - y_q
\end{aligned}
$$
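Review bot: no logic issue here; with $\lambda = \frac{y_p - y_q}{x_p - x_q}$ as given two lines above, $\lambda(x_p - x_r) - y_p$ and $\lambda(x_q - x_r) - y_q$ are equal, so switching to `y_r &= \lambda(x_q - x_r) - y_q` is purely a consistency change that makes this block match the $y_r$ formula in the incomplete-addition section. Since a reader comparing the two forms may wonder why the $Q$-based one was chosen, a short remark that it is the same form the constraint table below encodes would avoid the question.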
@ -73,4 +75,4 @@ A \cdot \left(2y_p \cdot \lambda - 3{x_p}^2\right) &=& 0 & A \wedge y_p \neq 0 &
\end{array}
$
Max degree: 4
Max degree: $4$
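Review bot: the `Max degree: $4$` change is fine, but the closing delimiter just above it, a lone `$` after `\end{array}`, should be checked against the delimiter that opened this block. Every other display block in this file closes with `$$` (see `\end{aligned}` followed by `$$` in the complete-addition section); if this array was opened with `$$`, the single `$` here leaves the math delimiters unbalanced and the constraint table will not render correctly.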
@ -19,8 +19,8 @@ Then, we precompute multiples of the fixed base $B$ for each window. This takes
The additional $(k + 1)$ term lets us avoid adding the point at infinity in the case $k = 0$. We offset these accumulated terms by subtracting them in the final window, i.e. we subtract $\sum\limits_{j=0}^{83} (2^3)^j$.
For each window of fixed-base multiples $M[w] = (M[w][0], \cdots, M[w][7]), w \in [0..84]$:
- Define a Lagrange interpolation polynomial $\mathcal{L}_x(k)$ that maps $k \in [0..7]$ to the $x$-coordinate of the multiple $M[w][k]$, i.e.
For each window of fixed-base multiples $M[w] = (M[w][0], \cdots, M[w][7]), w \in [0..84)$:
- Define a Lagrange interpolation polynomial $\mathcal{L}_x(k)$ that maps $k \in [0..8)$ to the $x$-coordinate of the multiple $M[w][k]$, i.e.
$$
\mathcal{L}_x(k) = \begin{cases}
([(k + 1) \cdot 8^w] B)_x &\text{for } w \in [0..84); \\
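Review bot: off-by-one in the `For each window of fixed-base multiples ... w \in [0..84)` line. The old text had `w \in [0..84]`, an inclusive range of 85 windows, and the same line converts `k \in [0..7]` to the half-open `k \in [0..8)` without losing a value; the later hunk converts the same window range to `w \in [0..85)`. With `[0..84)` this sentence now covers only 84 windows, even though the `\begin{cases}` block that follows has a `w \in [0..84)` case and so presumably a separate case for the final window $w = 84$, the one in which the offset $\sum\limits_{j=0}^{83} (2^3)^j$ is subtracted. Suggest `w \in [0..85)` here so the "for each window" range includes that final window and agrees with the rest of the section.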
@ -32,7 +32,7 @@ For each window of fixed-base multiples $M[w] = (M[w][0], \cdots, M[w][7]), w \i
Repeating this for all $85$ windows, we end up with:
- an $85 \times 8$ table $\mathcal{L}_x$ storing $8$ coefficients interpolating the $x-$coordinate for each window. Each $x$-coordinate interpolation polynomial will be of the form
$$\mathcal{L}_x[w](k) = c_0 + c_1 \cdot k + c_2 \cdot k^2 + \cdots + c_7 \cdot k^7,$$
where $k \in [0..7], w \in [0..84]$ and $c_k$'s are the coefficients for each power of $k$; and
where $k \in [0..8), w \in [0..85)$ and $c_k$'s are the coefficients for each power of $k$; and
- a length-$85$ array $Z$ of $z_w$'s.
We load these precomputed values into fixed columns whenever we do fixed-base scalar multiplication in the circuit.
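Review bot: the `k \in [0..8), w \in [0..85)` conversion is correct and consistent with "all $85$ windows" and the $85 \times 8$ table, but it does not agree with the `w \in [0..84)` introduced in the previous hunk for the same set of windows; the two ranges should be the same. Separately, the context line `interpolating the $x-$coordinate` puts the hyphen inside math mode, where it renders as a minus sign; the earlier bullet writes `the $x$-coordinate of the multiple`, so this should read `$x$-coordinate` as well.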