Specifications of deployed elliptic curves fall into one of two
categories:
- They specify both compressed and uncompressed encodings, allowing
implementations to use either depending on performance vs data size
considerations.
- They specify a single point encoding format using point compression.
I am unaware of any elliptic curve specification that explicitly forbids
compressed encodings.
To support both categories of elliptic curves, we provide the
CurveAffine::Compressed associated type which all curves must define,
and then curves that additionally specify an uncompressed encoding may
implement the UncompressedEncoding trait and its Uncompressed associated
type.
pairing::PairingCurveAffine continues to require that its groups provide
uncompressed encodings, because this is relied upon by bellman::groth16.
We can revisit this restriction when that module is refactored as a
separate crate.
This enables MultiMillerLoop to be conditionally implemented, for
example in libraries where Engine::pairing supports no-std, but
MultiMillerLoop requires an allocator.
These associated types were completly unused. The only place we need
information about the base field of an elliptic curve is inside Jubjub
when operating over its coordinates to implement EC math inside the
circuit, and we can handle that either concretely, or with a future
trait specifically for that use-case.
Instead of imposing the requirement that bellman users explicitly
specify an engine for every proving system, we allow the Rust type
system to figure it out for us. An engine is specifically useful in
places where we require defined relationships between several types;
ff::ScalarEngine only has one type, and thus any usage of it can be
trivially replaced by an explicit Scalar type. This is also more
readable :)
Replaced by explicit APIs on the CurveAffine trait.
GroupDecodingError has been moved into pairing::bls12_381::ec, as it is
no longer used by the group traits.
Replaces the mutating CurveProjective::batch_normalization API, and
removes the need for CurveProjective::is_normalized.
The new temporary implementation in pairing::bls12_381::ec is adapted
from bls12_381::g1.
The GroupOps trait represents the group operation (addition), and the
combination of the group operation with group inversion (subtraction).
Group inversion (negation) is constrained directly on the Group trait.
Group represents a cryptographic group with a large prime-order subgroup
and a small cofactor. PrimeGroup further constrains the group to have a
cofactor of one.
Define the spend_hash, output_hash, sprout_hash circuit hashes as constants in the load_parameters function, so we don't have to take them as function arguments.
Now that PrimeField::ReprEndianness exists, users can obtain a
known-endianness representation from the output of PrimeField::char
(which is a PrimeField::Repr, and should return a representation with
the same endianness as PrimeField::into_repr).
Jack Grigg
Aditya Kulkarni
str4d
ying tong