mirror of https://github.com/zcash/halo2.git
Address further review comments.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: str4d <jack@electriccoin.co>
parent 33b4192c0d
commit b4c3805e22
@ -1,17 +1,19 @@
|
||||||
# Elliptic Curve Cryptography
|
# Elliptic Curve Cryptography
|
||||||
|
|
||||||
## Incomplete addition
|
## Incomplete addition
|
||||||
Inputs: $P = (x_P, y_P), Q = (x_Q, y_Q)$
|
- Inputs: $P = (x_p, y_p), Q = (x_q, y_q)$
|
||||||
Output: $A = P + Q = (x_A, y_A)$
|
- Output: $R = P + Q = (x_r, y_r)$
|
||||||
|
|
||||||
Formulae:
|
Formulae:
|
||||||
- $\lambda \cdot (x_p - x_q) = y_p - y_q$
|
- $\lambda \cdot (x_p - x_q) = y_p - y_q$
|
||||||
- $x_a = \lambda^2 - x_q - x_p$
|
- $x_r = \lambda^2 - x_q - x_p$
|
||||||
- $y_a = \lambda(x_q - x_a) - y_q$
|
- $y_r = \lambda(x_q - x_r) - y_q$
|
||||||
|
|
||||||
Substituting for $\lambda$, we get the constraints:
|
Substituting for $\lambda$, we get the constraints:
|
||||||
- $(x_a + x_q + x_p) \cdot (x_p - x_q)^2 - (y_p - y_q)^2 = 0$
|
- $(x_r + x_q + x_p) \cdot (x_p - x_q)^2 - (y_p - y_q)^2 = 0$
|
||||||
- $(y_a + y_q)(x_p - x_q) - (y_p - y_q)(x_q - x_a) = 0$
|
- Note that this constraint is unsatisfiable for $P + (-P)$, and so cannot be used with arbitrary inputs.
|
||||||
|
- $(y_r + y_q)(x_p - x_q) - (y_p - y_q)(x_q - x_r) = 0$
|
||||||
|
|
||||||
|
|
||||||
## Complete addition
|
## Complete addition
|
||||||
|
|
||||||
|
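Review bot: the new note "this constraint is unsatisfiable for $P + (-P)$" covers only half of the $x_p = x_q$ problem, and its position between the two constraints leaves "this constraint" ambiguous. For $P = Q$ (so $x_p = x_q$ and $y_p = y_q$) both substituted constraints reduce to $0 = 0$ for every choice of $(x_r, y_r)$, so the gate is not unsatisfiable there but vacuous, which is the soundness-relevant case: a prover could assign any output. Suggest placing the note after the second constraint and widening it, e.g. "Note that these constraints are unsatisfiable for $P + (-P)$ and are satisfied by any $(x_r, y_r)$ for $P + P$, so they cannot be used with arbitrary inputs; the circuit must separately enforce $x_p \neq x_q$."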
@ -36,7 +38,7 @@ P + Q &= R\\
|
||||||
(x_p, y_p) + (x_q, y_q) &= (x_r, y_r) \\
|
(x_p, y_p) + (x_q, y_q) &= (x_r, y_r) \\
|
||||||
\lambda &= \frac{y_p - y_q}{x_p - x_q} \\
|
\lambda &= \frac{y_p - y_q}{x_p - x_q} \\
|
||||||
x_r &= \lambda^2 - x_q - x_p \\
|
x_r &= \lambda^2 - x_q - x_p \\
|
||||||
y_r &= \lambda(x_p - x_r) - y_p
|
y_r &= \lambda(x_q - x_r) - y_q
|
||||||
\end{aligned}
|
\end{aligned}
|
||||||
$$
|
$$
|
||||||
|
|
||||||
|
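Review bot: the new form $y_r = \lambda(x_q - x_r) - y_q$ matches the incomplete-addition formula earlier in the same file, and it is equivalent to the old $\lambda(x_p - x_r) - y_p$ exactly when $\lambda \cdot (x_p - x_q) = y_p - y_q$ holds, so the meaning is unchanged. Since this block sits under "Complete addition", it would help to state next to the $\lambda = \frac{y_p - y_q}{x_p - x_q}$ line that this $\lambda$ is only the $x_p \neq x_q$ case, with the doubling $\lambda$ given by the later $2y_p \cdot \lambda - 3{x_p}^2 = 0$ condition, so a reader does not take the chord formula as covering all inputs.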
@ -73,4 +75,4 @@ A \cdot \left(2y_p \cdot \lambda - 3{x_p}^2\right) &=& 0 & A \wedge y_p \neq 0 &
|
||||||
\end{array}
|
\end{array}
|
||||||
$
|
$
|
||||||
|
|
||||||
Max degree: 4
|
Max degree: $4$
|
||||||
|
|
|
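Review bot: `Max degree: 4` to `Max degree: $4$` is fine as a style change; while here, the display block above closes with a bare `$` after `\end{array}`, whereas the earlier `aligned` block closes with `$$`. Check that the opening delimiter of this block matches its close, since a `$`/`$$` mismatch renders the array inline or not at all depending on the Markdown math renderer.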
@ -19,8 +19,8 @@ Then, we precompute multiples of the fixed base $B$ for each window. This takes
|
||||||
|
|
||||||
The additional $(k + 1)$ term lets us avoid adding the point at infinity in the case $k = 0$. We offset these accumulated terms by subtracting them in the final window, i.e. we subtract $\sum\limits_{j=0}^{83} (2^3)^j$.
|
The additional $(k + 1)$ term lets us avoid adding the point at infinity in the case $k = 0$. We offset these accumulated terms by subtracting them in the final window, i.e. we subtract $\sum\limits_{j=0}^{83} (2^3)^j$.
|
||||||
|
|
||||||
For each window of fixed-base multiples $M[w] = (M[w][0], \cdots, M[w][7]), w \in [0..84]$:
|
For each window of fixed-base multiples $M[w] = (M[w][0], \cdots, M[w][7]), w \in [0..84)$:
|
||||||
- Define a Lagrange interpolation polynomial $\mathcal{L}_x(k)$ that maps $k \in [0..7]$ to the $x$-coordinate of the multiple $M[w][k]$, i.e.
|
- Define a Lagrange interpolation polynomial $\mathcal{L}_x(k)$ that maps $k \in [0..8)$ to the $x$-coordinate of the multiple $M[w][k]$, i.e.
|
||||||
$$
|
$$
|
||||||
\mathcal{L}_x(k) = \begin{cases}
|
\mathcal{L}_x(k) = \begin{cases}
|
||||||
([(k + 1) \cdot 8^w] B)_x &\text{for } w \in [0..84); \\
|
([(k + 1) \cdot 8^w] B)_x &\text{for } w \in [0..84); \\
|
||||||
|
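Review bot: the change from $w \in [0..84]$ to $w \in [0..84)$ on the "For each window" line loses the last window: the half-open range $[0..84)$ has $84$ elements, but the following hunk says "Repeating this for all $85$ windows" and writes $w \in [0..85)$ for the table. The `\begin{cases}` that follows already singles out $w \in [0..84)$ for the first case, with the final window $w = 84$ handled separately (it is where the $\sum_{j=0}^{83} (2^3)^j$ offset is subtracted), so the enclosing line should read $w \in [0..85)$. The $k \in [0..7]$ to $k \in [0..8)$ change is correct for the $8 = 2^3$ multiples per window.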
@ -32,7 +32,7 @@ For each window of fixed-base multiples $M[w] = (M[w][0], \cdots, M[w][7]), w \i
|
||||||
Repeating this for all $85$ windows, we end up with:
|
Repeating this for all $85$ windows, we end up with:
|
||||||
- an $85 \times 8$ table $\mathcal{L}_x$ storing $8$ coefficients interpolating the $x-$coordinate for each window. Each $x$-coordinate interpolation polynomial will be of the form
|
- an $85 \times 8$ table $\mathcal{L}_x$ storing $8$ coefficients interpolating the $x-$coordinate for each window. Each $x$-coordinate interpolation polynomial will be of the form
|
||||||
$$\mathcal{L}_x[w](k) = c_0 + c_1 \cdot k + c_2 \cdot k^2 + \cdots + c_7 \cdot k^7,$$
|
$$\mathcal{L}_x[w](k) = c_0 + c_1 \cdot k + c_2 \cdot k^2 + \cdots + c_7 \cdot k^7,$$
|
||||||
where $k \in [0..7], w \in [0..84]$ and $c_k$'s are the coefficients for each power of $k$; and
|
where $k \in [0..8), w \in [0..85)$ and $c_k$'s are the coefficients for each power of $k$; and
|
||||||
- a length-$85$ array $Z$ of $z_w$'s.
|
- a length-$85$ array $Z$ of $z_w$'s.
|
||||||
|
|
||||||
We load these precomputed values into fixed columns whenever we do fixed-base scalar multiplication in the circuit.
|
We load these precomputed values into fixed columns whenever we do fixed-base scalar multiplication in the circuit.
|
||||||
|
|
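Review bot: the interval changes to $k \in [0..8), w \in [0..85)$ are consistent with the $85 \times 8$ table and with the $8$ coefficients $c_0, \ldots, c_7$. One nit in the unchanged context line: `$x-$coordinate` puts the hyphen inside math mode, where it renders as a minus sign; the same line already writes `$x$-coordinate` correctly later on, so the first occurrence should match.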