diff --git a/book/src/design/circuit/gadgets/ecc.md b/book/src/design/circuit/gadgets/ecc.md index 5c4b7e48..ae3cbedd 100644 --- a/book/src/design/circuit/gadgets/ecc.md +++ b/book/src/design/circuit/gadgets/ecc.md @@ -5,13 +5,13 @@ Inputs: $P = (x_P, y_P), Q = (x_Q, y_Q)$ Output: $A = P + Q = (x_A, y_A)$ Formulae: -- $\lambda \cdot (x_p - x_{q}) = y_p - y_{q}$ -- $x_{a} = \lambda^2 - x_{q} - x_p$ -- $y_{a} = \lambda(x_{q} - x_{a}) - y_{q}$ +- $\lambda \cdot (x_p - x_q) = y_p - y_q$ +- $x_a = \lambda^2 - x_q - x_p$ +- $y_a = \lambda(x_q - x_a) - y_q$ Substituting for $\lambda$, we get the constraints: -- $(x_{a} + x_{q} + x_p) \cdot (x_p - x_q)^2 - (y_p - y_{q})^2 = 0$ -- $(y_{a} + y_{q})(x_p - x_{q}) - (y_p - y_{q})(x_{q} - x_{a}) = 0$ +- $(x_a + x_q + x_p) \cdot (x_p - x_q)^2 - (y_p - y_q)^2 = 0$ +- $(y_a + y_q)(x_p - x_q) - (y_p - y_q)(x_q - x_a) = 0$ ## Complete addition @@ -34,8 +34,8 @@ $$ \begin{aligned} P + Q &= R\\ (x_p, y_p) + (x_q, y_q) &= (x_r, y_r) \\ - \lambda &= \frac{y_q - y_p}{x_q - x_p} \\ - x_r &= \lambda^2 - x_p - x_q \\ + \lambda &= \frac{y_p - y_q}{x_p - x_q} \\ + x_r &= \lambda^2 - x_q - x_p \\ y_r &= \lambda(x_p - x_r) - y_p \end{aligned} $$ diff --git a/book/src/design/circuit/gadgets/ecc/fixed-base-scalar-mul.md b/book/src/design/circuit/gadgets/ecc/fixed-base-scalar-mul.md index 37de167c..e02b7983 100644 --- a/book/src/design/circuit/gadgets/ecc/fixed-base-scalar-mul.md +++ b/book/src/design/circuit/gadgets/ecc/fixed-base-scalar-mul.md 
@@ -14,8 +14,8 @@ $$\alpha = k_0 + k_1 \cdot (2^3)^1 + \cdots + k_{84} \cdot (2^3)^{84}, k_i \in [ ## Load fixed base Then, we precompute multiples of the fixed base $B$ for each window. This takes the form of a window table: $M[0..85)[0..8)$ such that: -- for the first 84 rows $M[0..83][0..7]$: $$M[w][k] = [(k+1) \cdot (2^3)^w]B$$ -- in the last row $M[84][0..7]$: $$M[w][k] = [k \cdot (2^3)^w - \sum\limits_{j=0}^{83} (2^3)^j]B$$ +- for the first 84 rows $M[0..84)[0..8)$: $$M[w][k] = [(k+1) \cdot (2^3)^w]B$$ +- in the last row $M[84][0..8)$: $$M[w][k] = [k \cdot (2^3)^w - \sum\limits_{j=0}^{83} (2^3)^j]B$$ The additional $(k + 1)$ term lets us avoid adding the point at infinity in the case $k = 0$. We offset these accumulated terms by subtracting them in the final window, i.e. we subtract $\sum\limits_{j=0}^{83} (2^3)^j$. @@ -23,7 +23,7 @@ For each window of fixed-base multiples $M[w] = (M[w][0], \cdots, M[w][7]), w \i - Define a Lagrange interpolation polynomial $\mathcal{L}_x(k)$ that maps $k \in [0..7]$ to the $x$-coordinate of the multiple $M[w][k]$, i.e. $$ \mathcal{L}_x(k) = \begin{cases} - ([(k + 1) \cdot 8^w] B)_x &\text{for } w \in [0..83]; \\ + ([(k + 1) \cdot 8^w] B)_x &\text{for } w \in [0..84); \\ ([k \cdot (8)^w - \sum\limits_{j=0}^{83} (8)^j] B)_x &\text{for } w = 84; \text{ and} \end{cases} $$ 
@@ -40,7 +40,7 @@ We load these precomputed values into fixed columns whenever we do fixed-base sc ## Fixed-base scalar multiplication Given a decomposed scalar $\alpha$ and a fixed base $B$, we compute $[\alpha]B$ as such: -1. For each $k_w, w \in [0..84], k_w \in [0..7]$ in the scalar decomposition, witness the $x$- and $y$-coordinates $(x_w,y_w) = M[w][k_w].$ +1. For each $k_w, w \in [0..85), k_w \in [0..8)$ in the scalar decomposition, witness the $x$- and $y$-coordinates $(x_w,y_w) = M[w][k_w].$ 2. Check that $(x_w, y_w)$ is on the curve: $y_w^2 = x_w^3 + b$. 3. Witness $u_w$ such that $y_w + z_w = u_w^2$. 4. Use [incomplete addition](./incomplete-add.md) to sum the $M[w][k_w]$'s, resulting in $[\alpha]B$.
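Review bot: In the incomplete-addition hunk of ecc.md (@@ -5,13), the subscript cleanup leaves a case mismatch between the unchanged context and the formulae: the inputs are written $P = (x_P, y_P), Q = (x_Q, y_Q)$ and the output $A = (x_A, y_A)$, while every formula and constraint below uses $x_p$, $y_q$, $x_a$. Since this change is already normalising subscripts, consider lowercasing the Inputs/Output line (or uppercasing the formulae) so the same coordinate is not written two ways in one section. The constraint rewrite itself is a pure renaming ($x_{q}$ to $x_q$ and so on) and checks out against the three $\lambda$ formulae above it.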
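Review bot: In the complete-addition hunk of ecc.md (@@ -34,8), the new $\lambda = \frac{y_p - y_q}{x_p - x_q}$ is equal to the old $\frac{y_q - y_p}{x_q - x_p}$ (numerator and denominator are both negated), so this is a notational alignment with the incomplete-addition formula $\lambda \cdot (x_p - x_q) = y_p - y_q$ rather than a correction; saying so in the commit message would stop readers hunting for a bug fix. If the aim is consistency between the two sections, the unchanged line $y_r = \lambda(x_p - x_r) - y_p$ still anchors on $P$ while the incomplete-addition section's $y_a = \lambda(x_q - x_a) - y_q$ anchors on $Q$; both are valid, but one ordering across the file would be easier to compare, as would one name for the output point ($A$ in one section, $R$ in the other).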
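Review bot: In the window-table hunk of fixed-base-scalar-mul.md (@@ -14,8), the switch to half-open ranges is correct ($M[0..84)$ is exactly the first 84 rows, leaving row 84 as the last row of $M[0..85)$), but the same lines keep the inclusive sum bound $\sum_{j=0}^{83}$ right beside $[0..84)$. That is mathematically consistent, yet a reader who has just been shown half-open notation may take 83 for an off-by-one; a short remark that the sum runs over the 84 windows $0$ to $83$ inclusive (or writing it as a sum over $j \in [0..84)$) would remove the ambiguity. The $(2^3)^w$ spelling here versus $8^w$ and $(8)^w$ in the Lagrange hunk of the same file is also worth unifying while this file is being touched.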
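Review bot: In the Lagrange-interpolation hunk (@@ -23,7), the case label was updated to $w \in [0..84)$ but the unchanged context line above it still reads $k \in [0..7]$, and the hunk header shows $M[w] = (M[w][0], \cdots, M[w][7])$; that leaves closed and half-open notation mixed inside the one paragraph this change is meant to make consistent. Suggest changing $k \in [0..7]$ to $k \in [0..8)$ in the same commit. Separately, the two cases write the window factor as $8^w$ and $(8)^w$ respectively and the sum term as $(8)^j$; dropping the redundant parentheses would make the two cases read alike.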
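Review bot: In the scalar-multiplication hunk (@@ -40,7), the updated step 1 ranges $w \in [0..85), k_w \in [0..8)$ match the table definition, so that line is fine. Step 3, kept as context, uses $z_w$ in $y_w + z_w = u_w^2$ without defining it anywhere in the visible hunk; if $z_w$ is defined earlier in the file, a back-reference at this step would save readers a search, and if it is not, it needs a definition before step 3. Step 2's curve check $y_w^2 = x_w^3 + b$ likewise assumes the curve constant $b$ has been named earlier in the document.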