mirror of https://github.com/zcash/zips.git
Give a definition for complete twisted Edwards elliptic curves.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
2379ba88d7
commit
f4f4682d57
|
@ -627,6 +627,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\JubjubCurve}{\mathsf{Jubjub}}
|
\newcommand{\JubjubCurve}{\mathsf{Jubjub}}
|
||||||
\newcommand{\jubjubCurve}{\term{Jubjub curve}}
|
\newcommand{\jubjubCurve}{\term{Jubjub curve}}
|
||||||
\newcommand{\Jubjub}{\titleterm{Jubjub}}
|
\newcommand{\Jubjub}{\titleterm{Jubjub}}
|
||||||
|
\newcommand{\completeTwistedEdwardsEllipticCurve}{\term{complete twisted Edwards elliptic curve}}
|
||||||
|
\newcommand{\completeTwistedEdwardsEllipticCurves}{\term{complete twisted Edwards elliptic curves}}
|
||||||
|
\newcommand{\MontgomeryEllipticCurve}{\term{Montgomery elliptic curve}}
|
||||||
|
\newcommand{\MontgomeryEllipticCurves}{\term{Montgomery elliptic curves}}
|
||||||
\newcommand{\uniformRandomString}{\term{Uniform Random String}}
|
\newcommand{\uniformRandomString}{\term{Uniform Random String}}
|
||||||
\newcommand{\uniformRandomStrings}{\term{Uniform Random Strings}}
|
\newcommand{\uniformRandomStrings}{\term{Uniform Random Strings}}
|
||||||
\newcommand{\BNRepresentedPairing}{\titleterm{BN-254}}
|
\newcommand{\BNRepresentedPairing}{\titleterm{BN-254}}
|
||||||
|
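Review bot: `\newcommand{\MontgomeryEllipticCurves}` (the plural) is defined in this hunk but not used by any line in the diff; the ecbackground hunk uses only the singular `\MontgomeryEllipticCurve`, and its unchanged context lines still say "the Montgomery curve" in plain text. Either drop the plural macro until a sentence needs it, or use it where the text refers to Montgomery curves generally, so the preamble does not accumulate unused term macros.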
@ -2311,8 +2315,8 @@ and rational constants $\FoundersFraction$, $\PoWMaxAdjustDown$, and
|
||||||
$\PoWMaxAdjustUp$ will also be defined in that section.
|
$\PoWMaxAdjustUp$ will also be defined in that section.
|
||||||
|
|
||||||
\notsprout{
|
\notsprout{
|
||||||
We use the abbreviation ``ctEdwards'' to refer to complete twisted Edwards elliptic
|
We use the abbreviation ``ctEdwards'' to refer to \completeTwistedEdwardsEllipticCurves and
|
||||||
curves and coordinates (see \crossref{jubjub}).
|
coordinates (see \crossref{jubjub}).
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
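Review bot: the rewritten sentence "We use the abbreviation ``ctEdwards'' to refer to \completeTwistedEdwardsEllipticCurves and coordinates (see \crossref{jubjub})." is repeated almost verbatim by the new paragraph in the jubjub hunk ("We use the abbreviation ``ctEdwards'' to refer to \completeTwistedEdwardsEllipticCurves and coordinates."). Introducing the abbreviation once is enough; keep this notation-section sentence, which already points at \crossref{jubjub}, and have the jubjub section rely on it rather than restating it.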
@ -7386,6 +7390,13 @@ curve.
|
||||||
\zkSNARKCircuits, called ``Jubjub'' \cite{Carroll1876}.
|
\zkSNARKCircuits, called ``Jubjub'' \cite{Carroll1876}.
|
||||||
The \representedGroup $\JubjubCurve$ of points on this curve is defined in this section.
|
The \representedGroup $\JubjubCurve$ of points on this curve is defined in this section.
|
||||||
|
|
||||||
|
A \completeTwistedEdwardsEllipticCurve, as defined in \cite[section 4.3.4]{BL2017}, is
|
||||||
|
an elliptic curve $E$ over a non-binary field $\GF{q}$, parameterized by distinct
|
||||||
|
$a, d \typecolon \GF{q} \setminus \setof{0}$ such that $a$ is square and $d$ is nonsquare,
|
||||||
|
with equation $E : a \smult u^2 + \varv^2 = 1 + d \smult u^2 \smult \varv^2$.
|
||||||
|
We use the abbreviation ``ctEdwards'' to refer to \completeTwistedEdwardsEllipticCurves and
|
||||||
|
coordinates.
|
||||||
|
|
||||||
Let $\ParamJ{q} := \ParamS{r}$, as defined in \crossref{blspairing}.
|
Let $\ParamJ{q} := \ParamS{r}$, as defined in \crossref{blspairing}.
|
||||||
|
|
||||||
Let $\ParamJ{r} := 6554484396890773809930967563523245729705921265872317281365359162392183254199$.
|
Let $\ParamJ{r} := 6554484396890773809930967563523245729705921265872317281365359162392183254199$.
|
||||||
|
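Review bot: the new definition requires $a$ square and $d$ nonsquare in $\GF{q}$ for the curve to be complete, but the Jubjub parameter listing that follows (`\ParamJ{a} := -1`, `\ParamJ{d} := -10240/10241 \pmod{\ParamJ{q}}`) never states that these values satisfy that condition, so a reader cannot see from the text why $\CurveJ$ is in fact a ctEdwards curve. Add a sentence after the definition of $\ParamJ{d}$ stating that $\ParamJ{a}$ is a square and $\ParamJ{d}$ is a nonsquare in $\GF{\ParamJ{q}}$ (with a note on how this was checked), since completeness is what the later "ctEdwards curve" wording relies on. The definition also says "$a, d \typecolon \GF{q} \setminus \setof{0}$", which is consistent with the distinctness requirement, but the citation `\cite[section 4.3.4]{BL2017}` should be double-checked against the cited paper's section numbering before merging.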
@ -7398,9 +7409,8 @@ Let $\ParamJ{a} := -1$.
|
||||||
|
|
||||||
Let $\ParamJ{d} := -10240/10241 \pmod{\ParamJ{q}}$.
|
Let $\ParamJ{d} := -10240/10241 \pmod{\ParamJ{q}}$.
|
||||||
|
|
||||||
Let $\GroupJ$ be the group of points $(u, \varv)$ on a complete twisted Edwards (``ctEdwards'')
|
Let $\GroupJ$ be the group of points $(u, \varv)$ on a ctEdwards curve $\CurveJ$ over $\GF{\ParamJ{q}}$
|
||||||
elliptic curve $\CurveJ$ over $\GF{\ParamJ{q}}$ with equation
|
with equation $\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$.
|
||||||
$\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$.
|
|
||||||
The zero point with coordinates $(0, 1)$ is denoted $\ZeroJ$.
|
The zero point with coordinates $(0, 1)$ is denoted $\ZeroJ$.
|
||||||
$\GroupJ$ has order $\ParamJ{h} \smult \ParamJ{r}$.
|
$\GroupJ$ has order $\ParamJ{h} \smult \ParamJ{r}$.
|
||||||
|
|
||||||
|
@ -9988,6 +9998,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
||||||
2019-06-18
|
2019-06-18
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
\item Give a definition for \completeTwistedEdwardsEllipticCurves in \crossref{jubjub}.
|
||||||
\item Ensure that this document builds correctly and without missing
|
\item Ensure that this document builds correctly and without missing
|
||||||
characters on recent versions of \TeX Live.
|
characters on recent versions of \TeX Live.
|
||||||
\item Update the \texttt{Makefile} to use Ghostscript for PDF optimization.
|
\item Update the \texttt{Makefile} to use Ghostscript for PDF optimization.
|
||||||
|
@ -11203,9 +11214,9 @@ in \crossref{notation}.
|
||||||
|
|
||||||
\subsection{Elliptic curve background} \label{ecbackground}
|
\subsection{Elliptic curve background} \label{ecbackground}
|
||||||
|
|
||||||
The \Sapling circuits make use of a complete twisted Edwards (``ctEdwards'') curve,
|
The \Sapling circuits make use of a \completeTwistedEdwardsEllipticCurve (``ctEdwards curve'')
|
||||||
$\JubjubCurve$, and also a Montgomery curve $\MontCurve$ that is birationally equivalent
|
$\JubjubCurve$, defined in \crossref{jubjub}, and also a \MontgomeryEllipticCurve $\MontCurve$
|
||||||
to $\JubjubCurve$. Following the notation in \cite{BL2017} we use
|
that is birationally equivalent to $\JubjubCurve$. Following the notation in \cite{BL2017} we use
|
||||||
$(u, \varv)$ for affine coordinates on the ctEdwards curve, and $(x, y)$ for
|
$(u, \varv)$ for affine coordinates on the ctEdwards curve, and $(x, y)$ for
|
||||||
affine coordinates on the Montgomery curve.
|
affine coordinates on the Montgomery curve.
|
||||||
|
|
||||||
|
|
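Review bot: the parenthetical "(``ctEdwards curve'')" in the rewritten first sentence introduces the abbreviation a third time (it is already introduced in the notation section and in the jubjub section), while the same sentence now adds "defined in \crossref{jubjub}" pointing at the place the abbreviation is defined. Drop the parenthetical and keep the cross-reference; the following unchanged lines can then use "ctEdwards curve" as they already do.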