#!/usr/bin/env sage # Let's say we want to interpolate between h curve points (x, y) over a # curve y^2 = x^3 + b in a PLONK circuit, for small h. # The obvious way to do it involves 2h fixed columns: # use \sum\limits_{j=0}^{h-1} x_j . l_j to interpolate x, and similarly for y. # # We want to use only h+1 columns. Here's how: # - Interpolate x as above. # - Witness y and check y^2 = x^3 + b. # - Witness u such that u^2 = y+z. # # where z is some field element that "makes the signs come out right". # The purpose of this script is to find z. load('hashtocurve.sage') if sys.version_info[0] == 2: from string import maketrans else: maketrans = str.maketrans def hash_to_pallas(domain_prefix, msg): (P, _, _) = hash_to_pallas_jacobian(msg, domain_prefix + "-pallas_XMD:BLAKE2b_SSWU_RO_") return P def I2LEOSP_32(j): return pack("