This repository has been archived by the owner on Dec 18, 2023. It is now read-only.

Twisted Edwards parameters for BLS12-377 #76

Merged
merged 9 commits into from
Oct 19, 2021


zhenfeizhang
Contributor

Description

This PR implements twisted Edwards parameters for the bls12-377 curve.

A bit more on why we need TE form for bls12-377.

In the case of recursive snarks, it is desirable to reuse the same code base
for both

  1. inner circuit proofs (i.e., statements over ed_on_bls_12_377 base field)
    and
  2. outer circuit proofs (i.e., statements over bls_12_377 base field).

That implies both curves need to use the same form, so that the same code
for group operations may be reused for both curves. ed_on_bls_12_377
implements the twisted Edwards form. This PR implements the twisted Edwards form for
bls12-377 G1.

closes: #XXXX


Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.

  • Targeted PR against correct branch (master)
  • Linked to Github issue with discussion and accepted design OR have an explanation in the PR that describes this work.
  • Wrote unit tests
  • Updated relevant documentation in the code
  • Added a relevant changelog entry to the Pending section in CHANGELOG.md
  • Re-reviewed Files changed in the Github PR explorer

@weikengchen
Member

I think I only have one question: do you have the script that generates the parameters? We sort of need to declare that it is generated deterministically from some simple seed.

@zhenfeizhang
Contributor Author

zhenfeizhang commented Sep 28, 2021

Conversions between sw <> Montgomery <> TE1 follow the standard conversion from https://en.wikipedia.org/wiki/Montgomery_curve. TE2 is a normalization of TE1 to have a = -1. There is no random entropy generated during the process. The parameters are obtained via a deterministic algorithm from the following script. The generator in this PR is the TE2 generator obtained from the sw generator from arkworks' code.

```sage
# modulus
p=0x1ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001
Fp=Zmod(p)

#####################################################
# Weierstrass curve: y² = x³ + A * x + B
#####################################################
# curve y^2 = x^3 + 1
WA=Fp(0)
WB=Fp(1)

#####################################################
# Montgomery curve: By² = x³ + A * x² + x
#####################################################
# root for x^3 + 1 = 0
alpha = -1
# s = 1 / (sqrt(3alpha^2 + a))
s = 1/(Fp(3).sqrt())

# MA = 3 * alpha * s
MA=Fp(228097355113300204138531148905234651262148041026195375645000724271212049151994375092458297304264351187709081232384)
# MB = s
MB=Fp(10189023633222963290707194929886294091415157242906428298294512798502806398782149227503530278436336312243746741931)

# #####################################################
# # Twisted Edwards curve 1: a * x² + y² = 1 + d * x² * y²
# #####################################################
# a = (MA+2)/MB
TE1a=Fp(61134141799337779744243169579317764548490943457438569789767076791016838392692895365021181670618017873462480451583)
# d = (MA-2)/MB
TE1d=Fp(197530284213631314266409564115575768987902569297476090750117185875703629955647927409947706468955342250977841006588)

# #####################################################
# # Twisted Edwards curve 2: a * x² + y² = 1 + d * x² * y²
# #####################################################
# a = -1
TE2a=Fp(-1)
# d = -TE1d/TE1a
TE2d=Fp(122268283598675559488486339158635529096981886914877139579534153582033676785385790730042363341236035746924960903179)


################################################################################
################################################################################
################################################################################
################################################################################

#####################################################
# Weierstrass curve generator
#####################################################
# obtained from arkworks code
Wx = Fp(81937999373150964239938255573465948239988671502647976594219695644855304257327692006745978603320413799295628339695)
Wy = Fp(241266749859715473739788878240585681733927191168601896383759122102112907357779751001206799952863815012735208165030)

assert(Wy^2 - Wx^3 - WA * Wx - WB == 0)

#####################################################
# Montgomery curve generator
#####################################################
# x = s * (x - alpha)
Mx = Fp(251803586774461569862800610331871502335378228972505599912537082323947581271784390797244487924068052270360793200630)
# y = s * y
My = Fp(77739247071951651095607889637653357561348174979132042929587539214321586851215673796661346812932566642719051699820)

assert(MB * My^2 == Mx^3+ MA * Mx^2 + Mx)

# #####################################################
# # Twisted Edwards curve 1 generator
# #####################################################
# x = Mx/My
TE1x = Fp(82241236807150726090333472814441006963902378430536027612759193445733851062772474760677400112551677454953925168208)
# y = (Mx - 1)/(Mx+1)
TE1y = Fp(6177051365529633638563236407038680211609544222665285371549726196884440490905471891908272386851767077598415378235)

assert( TE1a * TE1x^2 + TE1y^2 == 1 + TE1d * TE1x^2 * TE1y^2 )


# #####################################################
# # Twisted Edwards curve 2 generator
# #####################################################
beta = (-TE1a).sqrt()
# x = TE1x * sqrt(-TE1a)
TE2x = Fp(71222569531709137229370268896323705690285216175189308202338047559628438110820800641278662592954630774340654489393)
# y = TE1y
TE2y = Fp(6177051365529633638563236407038680211609544222665285371549726196884440490905471891908272386851767077598415378235)

assert( TE2a * TE2x^2 + TE2y^2 == 1 + TE2d * TE2x^2 * TE2y^2 )
```
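
The script above hard-codes each value and asserts only the curve equations, so the derivation formulas in its comments are not themselves checked. The following is an added example, not code from the PR or from arkworks: it copies the posted constants and tests every documented step in cross-multiplied form, so no square root or sign choice is involved. The function names and the `te2d` override are assumptions made for illustration.

```python
# Added check, not part of the PR. Every constant is copied from the Sage script in the thread.
P = 0x1ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001
MA = 228097355113300204138531148905234651262148041026195375645000724271212049151994375092458297304264351187709081232384
MB = 10189023633222963290707194929886294091415157242906428298294512798502806398782149227503530278436336312243746741931
TE1A = 61134141799337779744243169579317764548490943457438569789767076791016838392692895365021181670618017873462480451583
TE1D = 197530284213631314266409564115575768987902569297476090750117185875703629955647927409947706468955342250977841006588
TE2D = 122268283598675559488486339158635529096981886914877139579534153582033676785385790730042363341236035746924960903179
WX = 81937999373150964239938255573465948239988671502647976594219695644855304257327692006745978603320413799295628339695
WY = 241266749859715473739788878240585681733927191168601896383759122102112907357779751001206799952863815012735208165030
MX = 251803586774461569862800610331871502335378228972505599912537082323947581271784390797244487924068052270360793200630
MY = 77739247071951651095607889637653357561348174979132042929587539214321586851215673796661346812932566642719051699820
TE1X = 82241236807150726090333472814441006963902378430536027612759193445733851062772474760677400112551677454953925168208
TE1Y = 6177051365529633638563236407038680211609544222665285371549726196884440490905471891908272386851767077598415378235
TE2X = 71222569531709137229370268896323705690285216175189308202338047559628438110820800641278662592954630774340654489393
TE2Y = 6177051365529633638563236407038680211609544222665285371549726196884440490905471891908272386851767077598415378235

def check_derivation(te2d=TE2D):
    """Map each documented derivation step to whether the constants satisfy it."""
    s, alpha = MB, P - 1  # MB = s; alpha = -1 is the root of x^3 + 1
    eq = lambda lhs, rhs: (lhs - rhs) % P == 0  # equality in Fp
    return {
        "s^2 = 1/3": eq(3 * s * s, 1),
        "MA = 3*alpha*s": eq(MA, 3 * alpha * s),
        "TE1a = (MA+2)/MB": eq(TE1A * MB, MA + 2),
        "TE1d = (MA-2)/MB": eq(TE1D * MB, MA - 2),
        "TE2d = -TE1d/TE1a": eq(te2d * TE1A, -TE1D),
        "Mx = s*(Wx-alpha)": eq(MX, s * (WX - alpha)),
        "My = s*Wy": eq(MY, s * WY),
        "TE1x = Mx/My": eq(TE1X * MY, MX),
        "TE1y = (Mx-1)/(Mx+1)": eq(TE1Y * (MX + 1), MX - 1),
        "TE2x^2 = -TE1a*TE1x^2": eq(TE2X**2, -TE1A * TE1X**2),
        "TE2y = TE1y": TE2Y == TE1Y,
        "W generator on curve": eq(WY**2, WX**3 + 1),
        "M generator on curve": eq(MB * MY**2, MX**3 + MA * MX**2 + MX),
        "TE1 generator on curve": eq(TE1A * TE1X**2 + TE1Y**2, 1 + TE1D * TE1X**2 * TE1Y**2),
        "TE2 generator on curve": eq(-TE2X**2 + TE2Y**2, 1 + te2d * TE2X**2 * TE2Y**2),
    }

def failed_checks(te2d=TE2D):
    """Names of the steps that do not hold; an empty list means all verified."""
    return [name for name, ok in check_derivation(te2d).items() if not ok]

if __name__ == "__main__":
    print(failed_checks() or "all derivation steps verified")
```

Passing a different `te2d` shows which steps catch a substituted coefficient: both the derivation check and the TE2 curve equation fail.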

@Pratyush
Member

btw, since the motivation is circuit code, do you also want to add gadgets here?

@Pratyush Pratyush added the T-feature Type: new features label Oct 18, 2021
@zhenfeizhang zhenfeizhang mentioned this pull request Oct 19, 2021
@Pratyush Pratyush added breaking-change Breaking change and removed breaking-change Breaking change labels Oct 19, 2021
@Pratyush
Member

Ok sounds good! Last thing: do you mind adding some documentation for the Edwards and Montgomery parameters? You can also include the sage script in a ```sage ... ``` block.

@zhenfeizhang
Contributor Author

> Ok sounds good! Last thing: do you mind adding some documentation for the Edwards and Montgomery parameters? You can also include the sage script in a sage ... block.

Done!

@Pratyush Pratyush changed the title twisted Edwards parameters for bls12-377 Twisted Edwards parameters for BLS12-377 Oct 19, 2021
@Pratyush Pratyush merged commit 5fe1862 into arkworks-rs:master Oct 19, 2021