diff --git a/src/curve/curve_adds.rs b/src/curve/curve_adds.rs
index 66e66bd0..f25d3847 100644
--- a/src/curve/curve_adds.rs
+++ b/src/curve/curve_adds.rs
@@ -41,6 +41,7 @@ impl Add> for ProjectivePoint {
 }
 }
 
+ // From https://www.hyperelliptic.org/EFD/g1p/data/shortw/projective/addition/add-1998-cmo-2
 let z1z2 = z1 * z2;
 let u = y2z1 - y1z2;
 let uu = u.square();
@@ -92,6 +93,7 @@ impl Add> for ProjectivePoint {
 }
 }
 
+ // From https://www.hyperelliptic.org/EFD/g1p/data/shortw/projective/addition/madd-1998-cmo
 let u = y2z1 - y1;
 let uu = u.square();
 let v = x2z1 - x1;
@@ -138,6 +140,7 @@ impl Add> for AffinePoint {
 }
 }
 
+ // From https://www.hyperelliptic.org/EFD/g1p/data/shortw/projective/addition/mmadd-1998-cmo
 let u = y2 - y1;
 let uu = u.square();
 let v = x2 - x1;
diff --git a/src/curve/curve_types.rs b/src/curve/curve_types.rs
index 3c16651e..f2bb24b5 100644
--- a/src/curve/curve_types.rs
+++ b/src/curve/curve_types.rs
@@ -197,6 +197,7 @@ impl ProjectivePoint {
 result
 }
 
+ // From https://www.hyperelliptic.org/EFD/g1p/data/shortw/projective/doubling/dbl-2007-bl
 pub fn double(&self) -> Self {
 let Self { x, y, z } = *self;
 if z == C::BaseField::ZERO {
diff --git a/src/curve/secp256k1.rs b/src/curve/secp256k1.rs
index 7102b5c9..47c6ebb2 100644
--- a/src/curve/secp256k1.rs
+++ b/src/curve/secp256k1.rs
@@ -22,6 +22,7 @@ impl Curve for Secp256K1 {
 };
 }
 
+// 55066263022277343669578718895168534326250603453777594175500187360389116729240
 const SECP256K1_GENERATOR_X: Secp256K1Base = Secp256K1Base([
 0x59F2815B16F81798,
 0x029BFCDB2DCE28D9,
@@ -29,7 +30,7 @@ const SECP256K1_GENERATOR_X: Secp256K1Base = Secp256K1Base([
 0x79BE667EF9DCBBAC,
 ]);
 
-/// 241266749859715473739788878240585681733927191168601896383759122102112907357779751001206799952863815012735208165030
+/// 32670510020758816978083085130507043184471273380659243275938904335757337482424
 const SECP256K1_GENERATOR_Y: Secp256K1Base = Secp256K1Base([
 0x9C47D08FFB10D4B8,
 0xFD17B448A6855419,
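Review bot: In the curve_types.rs hunk the added `// From https://www.hyperelliptic.org/EFD/g1p/data/shortw/projective/doubling/dbl-2007-bl` line sits directly above `pub fn double`, where a `///` doc comment would attach the formula reference to the item in rustdoc instead of leaving a floating line comment; the three curve_adds.rs references are inside function bodies, so `//` is right there. The same applies in the first secp256k1.rs hunk, where the new `// 55066…` above `SECP256K1_GENERATOR_X` is a plain comment while the corrected value above `SECP256K1_GENERATOR_Y` in the following hunk uses `///`. A bare integer also gives a reader nothing to check against, so I would say what it is: `/// x-coordinate of the secp256k1 generator in decimal; the limbs below appear to be least-significant first (0x59F2815B16F81798 is the low word).` Both constants' middle limbs are outside the hunks, so I could only check the visible end limbs against the decimal values.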
diff --git a/src/field/secp256k1_base.rs b/src/field/secp256k1_base.rs
index a09edc30..acb1df4e 100644
--- a/src/field/secp256k1_base.rs
+++ b/src/field/secp256k1_base.rs
@@ -88,7 +88,7 @@ impl Field for Secp256K1Base {
 // Sage: `g = GF(p).multiplicative_generator()`
 const MULTIPLICATIVE_GROUP_GENERATOR: Self = Self([5, 0, 0, 0]);
 
- // Sage: `g_2 = power_mod(g, (p - 1) // 2), p)`
+ // Sage: `g_2 = g^((p - 1) / 2)`
 const POWER_OF_TWO_GENERATOR: Self = Self::NEG_ONE;
 
 const BITS: usize = 256;
diff --git a/src/gadgets/curve.rs b/src/gadgets/curve.rs
index 3c205e2f..5a458a56 100644
--- a/src/gadgets/curve.rs
+++ b/src/gadgets/curve.rs
@@ -1,10 +1,11 @@
 use crate::curve::curve_types::{AffinePoint, Curve};
 use crate::field::extension_field::Extendable;
-use crate::field::field_types::{Field, RichField};
+use crate::field::field_types::RichField;
 use crate::gadgets::nonnative::NonNativeTarget;
 use crate::plonk::circuit_builder::CircuitBuilder;
 
-/// A Target representing an affine point on the curve `C`.
+/// A Target representing an affine point on the curve `C`. We use incomplete arithmetic for efficiency,
+/// so we assume these points are not zero.
 #[derive(Clone, Debug)]
 pub struct AffinePointTarget {
 pub x: NonNativeTarget,
diff --git a/src/gadgets/nonnative.rs b/src/gadgets/nonnative.rs
index 7cae727d..90735a61 100644
--- a/src/gadgets/nonnative.rs
+++ b/src/gadgets/nonnative.rs
@@ -1,6 +1,6 @@
 use std::marker::PhantomData;
 
-use num::{BigUint, One};
+use num::{BigUint, One, Zero};
 
 use crate::field::field_types::RichField;
 use crate::field::{extension_field::Extendable, field_types::Field};
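Review bot: The new doc on `AffinePointTarget` in the gadgets/curve.rs hunk states only part of the precondition that incomplete arithmetic imposes: besides excluding the point at infinity, the chord-based affine addition formula is undefined whenever both operands share an x-coordinate, i.e. when a point is added to itself or to its negation. If the addition gadget does not constrain the two x-coordinates to differ (it is outside this hunk, so I cannot tell), that case is a soundness precondition on callers rather than a checked invariant, and the doc is the place to say so. I would extend the comment with `/// Callers must also never add a point to itself or to its negation; the gadgets do not check these cases.`, adjusted to whatever the gadget actually enforces.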
@@ -79,12 +79,10 @@ impl, const D: usize> CircuitBuilder {
 }
 
 pub fn neg_nonnative(&mut self, x: &NonNativeTarget) -> NonNativeTarget {
- // TODO: zero - x would be more efficient but doesn't seem to work?
- let neg_one = FF::order() - BigUint::one();
- let neg_one_target = self.constant_biguint(&neg_one);
- let neg_one_ff = self.biguint_to_nonnative(&neg_one_target);
+ let zero_target = self.constant_biguint(&BigUint::zero());
+ let zero_ff = self.biguint_to_nonnative(&zero_target);
 
- self.mul_nonnative(&neg_one_ff, x)
+ self.sub_nonnative(&zero_ff, x)
 }
 
 pub fn inv_nonnative(&mut self, x: &NonNativeTarget) -> NonNativeTarget {
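Review bot: `neg_nonnative` now depends entirely on `sub_nonnative` wrapping `0 - x` back into the field, yet the removed TODO said exactly this path "doesn't seem to work" and no test is visible in this diff that exercises the new form. A test asserting that `neg_nonnative(x)` added back to `x` yields zero, for a nonzero `x` and for `x = 0`, would pin the behavior; the second case catches a result equal to the field order rather than a canonical zero. The function also has no doc comment; `/// Returns the additive inverse of `x` in the non-native field, computed as `0 - x`.` would do. The zero constant is rebuilt through `constant_biguint` and `biguint_to_nonnative` on every call, so if negation is frequent a cached zero would trim gates, though that is an optimization rather than a defect. The enclosing `impl` block starts before the hunk.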