| 1 | +Relation between the elliptic curves and signature schemes. |
| 2 | + |
| 3 | +In order to comply with the Cardano main-net, Curve BLS12-381 is used as the parent curve in this library. |
| 4 | +Therefore, the rest of the primitives are selected considering this case. |
| 5 | +In-circuit elliptic curve operations are implemented with Jubjub curve. |
| 6 | +Jubjub is the embedded curve of BLS12-381. |
| 7 | +We used a SNARK-friendly signature scheme, Schnorr over Jubjub. |
| 8 | + |
| 9 | +In this section, we explain the relation between BLS12-381, Jubjub, Schnorr, and EdDSA. |
| 10 | + |
| 11 | +See the documentation of the related topics: |
| 12 | +- [BLS12-381][crate::docs::ecc#curve-setting] |
| 13 | +- [JubJub][crate::docs::ecc#jubjub] |
| 14 | +- [EdDSA][crate::docs::ecc#edwards-curve-digital-signature-algorithm-eddsa] |
| 15 | +- [Schnorr][crate::docs::schnorr] |
| 16 | + |
| 17 | +## Relation between BLS12-381 and Jubjub |
| 18 | +BLS12-381 is preferred for pairing operations. |
| 19 | +We define two curves: |
| 20 | +- Curve 1: Defined over the field $\mathbb{F}_p$. The curve equation is given below: |
| 21 | +$$E(\mathbb{F}_p): y^2 = x^3 + 4$$ |
| 22 | + |
| 23 | +- Curve 2: Defined over the field $\mathbb{F}_{p^2}$. The curve equation is given below: |
| 24 | + |
| 25 | +$$E'(\mathbb{F}_{p^2}): y^2 = x^3 + 4 (1 + i)$$ |
| 26 | + |
| 27 | +The prime $p$ is represented in hexadecimal as following: |
| 28 | +```ignore |
| 29 | + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab |
| 30 | +``` |
| 31 | + |
| 32 | +Pairings are usually denoted as $e(P, Q)$ where |
| 33 | +* $e: G_1 \times G_2 \rightarrow G_T$ |
| 34 | +* $P \in G_1 \sub E(\mathbb{F}_p)$ |
| 35 | +* $Q \in G_2 \sub E'(\mathbb{F}_{p^2})$ |
| 36 | +* $G_T \sub \mathbb{F}_{p^{12}}$ |
| 37 | + |
| 38 | +As described in [here][crate::docs::ecc#pairing], the following identity holds: |
| 39 | +$$e(\[a\]P, \[b\]Q) = e(P, \[b\]Q)^a = e(P, Q)^{ab} = e(P, \[a\]Q)b = e(\[b\]P, \[a\]Q).$$ |
| 40 | + |
| 41 | +Note that, in the above identity, we showed some scalar multiplications, i.e., $\[a\]P$. |
| 42 | +The value $a$ is an element of $\mathbb{F}_s$, |
| 43 | +where $s$ is the size of the subgroup of the curve. |
| 44 | +$\mathbb{F}_s$ is a finite field defined over the prime $s$, which is represented in hexadecimal as follows: |
| 45 | +```ignore |
| 46 | +0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001 |
| 47 | +``` |
| 48 | +(_For sake of simplicity, we won't explain the details of the mentioned subgroup._) |
| 49 | + |
| 50 | +> As a conclusion, we say that the base field of BLS12-381 is $\mathbb{F}_p$ and the scalar field of the curve is $\mathbb{F}_s$. |
| 51 | +
|
| 52 | +Our second primitive is the Jubjub curve. |
| 53 | +Jubjub is an elliptic curve of the [twisted Edward's form][crate::docs::ecc#twisted-edwards-curve]. |
| 54 | + |
| 55 | +Let $d = -(10240/10241)$, the Jubjub curve is defined as follows: |
| 56 | +$$E_{d}: -u^2 + v^2 = 1 + du^2v^2.$$ |
| 57 | +We use Jubjub for in-circuit elliptic curve operations since it provides efficient EC operations within the proof. |
| 58 | +We define the Jubjub curve over the field $\mathbb{F}_q$ where $q$ is represented in hexadecimal as follows: |
| 59 | +```ignore |
| 60 | +q = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001 |
| 61 | +``` |
| 62 | +In addition, it has a subgroup of order $r$ and cofactor $8$. |
| 63 | +```ignore |
| 64 | +r = 0x0e7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7 |
| 65 | +``` |
| 66 | +As mentioned before, we set the Jubjub curve as the embedded curve of BLS12-381. |
| 67 | +Meaning that, Jubjub curve is defined over a prime which is also the prime that defines the scalar field of BLS12-381. |
| 68 | + |
| 69 | +> As a conclusion, we say that the base field of Jubjub is $\mathbb{F}_q$ and the scalar field of the curve is $\mathbb{F}_r$. |
| 70 | +
|
| 71 | +--- |
| 72 | + |
| 73 | +**Note that, the scalar field of BLS12-381 $\mathbb{F}_s$ equals to the base field of Jubjub $\mathbb{F}_q$.** |
| 74 | +**It means that if I have a result on the base field of the JubJub curve, it is also an element of the scalar field of the BLS curve.** |
| 75 | + |
| 76 | +--- |
| 77 | + |
| 78 | +## Relation between Schnorr signature and EdDSA |
| 79 | +EdDSA is a variant of the Schnorr signature scheme designed specifically for Edward's curve. |
| 80 | +See the [$sign$][crate::docs::schnorr#sign] algorithm of Schnorr and the [sign][crate::docs::ecc#sign] algorithm of EdDSA. |
| 81 | +Note that, the only difference between two algorithms is the first step. |
| 82 | +* In Schnorr signature, we have: |
| 83 | + * Choose a random scalar: $r \leftarrow Z_p$, |
| 84 | + * Compute the nonce: $R = r \cdot G$. |
| 85 | +* In EdDSA, we have: |
| 86 | + * Get the hash of private key and the message: $r = H(H_{b, \ldots, 2b-1}(x) || m)$. |
| 87 | + * Compute the point $R = r \cdot B$. |
| 88 | + |
| 89 | +This means that the randomness used in the first step of the Schnorr signer is generated using a hash function by the EdDSA signer, rather than sampling the value at random. |
| 90 | + |
| 91 | +* We use the probabilistic Schnorr signature scheme in our setting. We can make this deterministic using EdDSA instead. |
| 92 | + |
| 93 | +## Relation between BLS12-381, Jubjub, and Schnorr |
| 94 | +To implement the Schnorr signature, we use elliptic curve scalar multiplications. |
| 95 | +_(See [$Schnorr signature$][crate::docs::schnorr]) and [scalar multiplication][crate::docs::ecc#basic-ecc-toolbox].)_ |
| 96 | +* In this library, the scalar multiplication is implemented as follows: |
| 97 | + * Let $a$ be scalar and an element of the scalar field of Jubjub curve. |
| 98 | + * $a \in \mathbb{F}_r$ |
| 99 | + * Let $P$ be an extended point on Jubjub curve. Meaning that, the coordinates of the point are elements of the base field of the Jubjub curve, $\mathbb{F}_q$. |
| 100 | + * $Q = a \cdot P$ is the result of the scalar multiplication and is an extended point on Jubjub curve. |
| 101 | + * Convert $Q$ to an affine point. The coordinates of an affine point are elements of the base field of the Jubjub curve, $\mathbb{F}_q$. |
| 102 | + |
| 103 | +> As a conclusion, we can say that the coordinates of both affine and extended points in the above scheme are also elements of the scalar field of BLS12-381 curve. |
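Review bot: the pairing identity on line 39 drops an exponent, `e(P, \[a\]Q)b` should read `e(P, \[a\]Q)^b` so that it matches the neighbouring terms `e(P, \[b\]Q)^a` and `e(P, Q)^{ab}`. Two further points before this merges. First, the Schnorr sign step on line 83 samples `r \leftarrow Z_p`, but `p` is already the BLS12-381 base-field prime on this page (line 27); the nonce must be drawn from the order of the Jubjub prime-order subgroup, `Z_r` in the notation of line 64, and since line 91 keeps the probabilistic variant the text should state that a reused or biased `r` reveals the signing key (with the usual `s = r + c \cdot x`, two signatures sharing `r` give `s_1 - s_2 = (c_1 - c_2) \cdot x`), which is exactly why EdDSA derives `r` from the key and the message on line 86. Second, line 62 states the cofactor is 8, but the scalar-multiplication description on lines 96-101 says nothing about whether public keys and the nonce point `R` are checked to lie in the order-`r` subgroup; either document that check or say that the library clears the cofactor, otherwise a received point with a small-subgroup component is silently accepted. Minor: "Edward's form" on lines 53 and 79 should be "twisted Edwards form"; on line 95 `$Schnorr signature$` is prose set in math mode and the line has one more closing parenthesis than opening; and `\sub` on lines 34-36 is a KaTeX alias that other renderers may reject, `\subset` is the portable spelling.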