adding SW parameters for Bandersnatch curve (#67)

Co-authored-by: Pratyush Mishra <pratyushmishra@berkeley.edu>
2026-01-08 23:11:29 +01:00 · 2021-10-20 13:12:15 -04:00
parent 5fe1862c9a
commit 461e4190b1
9 changed files with 199 additions and 54 deletions
--- a/ed_on_bls12_381/src/constraints/curves.rs
+++ b/ed_on_bls12_381/src/constraints/curves.rs
@@ -1,12 +1,17 @@
 use crate::*;
-use ark_r1cs_std::groups::curves::twisted_edwards::AffineVar;
+use ark_r1cs_std::groups::curves::{short_weierstrass::ProjectiveVar, twisted_edwards::AffineVar};

 use crate::constraints::FqVar;

 /// A variable that is the R1CS equivalent of `crate::EdwardsAffine`.
-pub type EdwardsVar = AffineVar<EdwardsParameters, FqVar>;
+pub type EdwardsVar = AffineVar<JubjubParameters, FqVar>;
+
+/// A variable that is the R1CS equivalent of `crate::SWProjective`
+pub type SWVar = ProjectiveVar<JubjubParameters, FqVar>;

 #[test]
 fn test() {
    ark_curve_constraint_tests::curves::te_test::<_, EdwardsVar>().unwrap();
+    ark_curve_constraint_tests::curves::sw_test::<_, SWVar>().unwrap();
+    ark_curve_constraint_tests::curves::group_test::<_, Fq, EdwardsVar>().unwrap();
 }
--- a/ed_on_bls12_381/src/curves/mod.rs
+++ b/ed_on_bls12_381/src/curves/mod.rs
@@ -1,15 +1,21 @@
 use crate::{Fq, Fr};
 use ark_ec::{
    models::{ModelParameters, MontgomeryModelParameters, TEModelParameters},
+    short_weierstrass_jacobian::{
+        GroupAffine as SWGroupAffine, GroupProjective as SWGroupProjective,
+    },
    twisted_edwards_extended::{GroupAffine, GroupProjective},
+    SWModelParameters,
 };
 use ark_ff::field_new;

 #[cfg(test)]
 mod tests;

-pub type EdwardsAffine = GroupAffine<EdwardsParameters>;
-pub type EdwardsProjective = GroupProjective<EdwardsParameters>;
+pub type EdwardsAffine = GroupAffine<JubjubParameters>;
+pub type EdwardsProjective = GroupProjective<JubjubParameters>;
+pub type SWAffine = SWGroupAffine<JubjubParameters>;
+pub type SWProjective = SWGroupProjective<JubjubParameters>;

 /// `JubJub` is a twisted Edwards curve. These curves have equations of the
 /// form: ax² + y² = 1 - dx²y².
@@ -32,15 +38,29 @@ pub type EdwardsProjective = GroupProjective<EdwardsParameters>;
 /// ```
 /// These parameters and the sage script obtained from:
 /// <https://github.com/zcash/zcash/issues/2230#issuecomment-317182190>
+///
+///
+/// `jubjub` also has a short Weierstrass curve form, following the
+/// form: y² = x³ + A * x + B
+/// where
+///
+/// A = 52296097456646850916096512823759002727550416093741407922227928430486925478210
+/// B = 48351165704696163914533707656614864561753505123260775585269522553028192119009
+///
+/// We can use the script available
+/// [here](https://github.com/zhenfeizhang/bandersnatch/blob/main/bandersnatch/script/jubjub.sage)
+/// to convert between the different representations.
 #[derive(Clone, Default, PartialEq, Eq)]
-pub struct EdwardsParameters;
+pub struct JubjubParameters;
+pub type EdwardsParameters = JubjubParameters;
+pub type SWParameters = JubjubParameters;

-impl ModelParameters for EdwardsParameters {
+impl ModelParameters for JubjubParameters {
    type BaseField = Fq;
    type ScalarField = Fr;
 }

-impl TEModelParameters for EdwardsParameters {
+impl TEModelParameters for JubjubParameters {
    /// COEFF_A = -1
    #[rustfmt::skip]
    const COEFF_A: Fq = field_new!(Fq, "-1");
@@ -60,7 +80,7 @@ impl TEModelParameters for EdwardsParameters {
    /// AFFINE_GENERATOR_COEFFS = (GENERATOR_X, GENERATOR_Y)
    const AFFINE_GENERATOR_COEFFS: (Self::BaseField, Self::BaseField) = (GENERATOR_X, GENERATOR_Y);

-    type MontgomeryModelParameters = EdwardsParameters;
+    type MontgomeryModelParameters = JubjubParameters;

    /// Multiplication by `a` is simply negation here.
    #[inline(always)]
@@ -69,7 +89,7 @@ impl TEModelParameters for EdwardsParameters {
    }
 }

-impl MontgomeryModelParameters for EdwardsParameters {
+impl MontgomeryModelParameters for JubjubParameters {
    /// COEFF_A = 40962
    #[rustfmt::skip]
    const COEFF_A: Fq = field_new!(Fq, "40962");
@@ -77,10 +97,39 @@ impl MontgomeryModelParameters for EdwardsParameters {
    #[rustfmt::skip]
    const COEFF_B: Fq = field_new!(Fq, "-40964");

-    type TEModelParameters = EdwardsParameters;
+    type TEModelParameters = JubjubParameters;
 }

 #[rustfmt::skip]
 const GENERATOR_X: Fq = field_new!(Fq, "8076246640662884909881801758704306714034609987455869804520522091855516602923");
 #[rustfmt::skip]
 const GENERATOR_Y: Fq = field_new!(Fq, "13262374693698910701929044844600465831413122818447359594527400194675274060458");
+
+impl SWModelParameters for JubjubParameters {
+    /// COEFF_A = 52296097456646850916096512823759002727550416093741407922227928430486925478210
+    #[rustfmt::skip]
+    const COEFF_A: Self::BaseField = field_new!(Fq, "52296097456646850916096512823759002727550416093741407922227928430486925478210");
+
+    /// COEFF_B = 48351165704696163914533707656614864561753505123260775585269522553028192119009
+    #[rustfmt::skip]
+    const COEFF_B: Self::BaseField = field_new!(Fq, "48351165704696163914533707656614864561753505123260775585269522553028192119009");
+
+    /// COFACTOR = 8
+    const COFACTOR: &'static [u64] = &[8];
+
+    /// COFACTOR^(-1) mod r =
+    /// 819310549611346726241370945440405716213240158234039660170669895299022906775
+    #[rustfmt::skip]
+    const COFACTOR_INV: Fr = field_new!(Fr, "819310549611346726241370945440405716213240158234039660170669895299022906775");
+
+    /// generators
+    const AFFINE_GENERATOR_COEFFS: (Self::BaseField, Self::BaseField) =
+        (SW_GENERATOR_X, SW_GENERATOR_Y);
+}
+
+/// x coordinate for SW curve generator
+#[rustfmt::skip]
+const SW_GENERATOR_X: Fq = field_new!(Fq, "33835869156188682335217394949746694649676633840125476177319971163079011318731");
+/// y coordinate for SW curve generator
+#[rustfmt::skip]
+const SW_GENERATOR_Y: Fq = field_new!(Fq, "43777270878440091394432848052353307184915192688165709016756678962558652055320");
--- a/ed_on_bls12_381/src/curves/tests.rs
+++ b/ed_on_bls12_381/src/curves/tests.rs
@@ -1,8 +1,6 @@
 use ark_ec::{AffineCurve, ProjectiveCurve};
 use ark_ff::{bytes::FromBytes, Zero};
-use ark_std::rand::Rng;
-use ark_std::str::FromStr;
-use ark_std::test_rng;
+use ark_std::{rand::Rng, str::FromStr, test_rng};

 use crate::*;

@@ -12,7 +10,9 @@ use ark_algebra_test_templates::{curves::*, groups::*};
 fn test_projective_curve() {
    curve_tests::<EdwardsProjective>();

-    edwards_tests::<EdwardsParameters>();
+    edwards_tests::<JubjubParameters>();
+    montgomery_conversion_test::<JubjubParameters>();
+    sw_tests::<JubjubParameters>();
 }

 #[test]
@@ -20,8 +20,13 @@ fn test_projective_group() {
    let mut rng = test_rng();
    let a = rng.gen();
    let b = rng.gen();
+
+    let c = rng.gen();
+    let d = rng.gen();
+
    for _i in 0..100 {
        group_test::<EdwardsProjective>(a, b);
+        group_test::<SWProjective>(c, d);
    }
 }

@@ -37,9 +42,15 @@ fn test_affine_group() {

 #[test]
 fn test_generator() {
+    // edward curve
    let generator = EdwardsAffine::prime_subgroup_generator();
    assert!(generator.is_on_curve());
    assert!(generator.is_in_correct_subgroup_assuming_on_curve());
+
+    // weierstrass curve
+    let generator = SWAffine::prime_subgroup_generator();
+    assert!(generator.is_on_curve());
+    assert!(generator.is_in_correct_subgroup_assuming_on_curve());
 }

 #[test]
@@ -103,5 +114,5 @@ fn test_bytes() {

 #[test]
 fn test_montgomery_conversion() {
-    montgomery_conversion_test::<EdwardsParameters>();
+    montgomery_conversion_test::<JubjubParameters>();
 }
--- a/ed_on_bls12_381/src/fields/tests.rs
+++ b/ed_on_bls12_381/src/fields/tests.rs
@@ -9,8 +9,7 @@ use ark_std::test_rng;

 use ark_algebra_test_templates::fields::*;

-use ark_std::rand::Rng;
-use ark_std::str::FromStr;
+use ark_std::{rand::Rng, str::FromStr};

 #[test]
 fn test_fr() {
--- a/ed_on_bls12_381/src/lib.rs
+++ b/ed_on_bls12_381/src/lib.rs
@@ -8,14 +8,16 @@
 )]
 #![forbid(unsafe_code)]

-//! This library implements a twisted Edwards curve whose base field is the scalar field of the
-//! curve BLS12-381. This allows defining cryptographic primitives that use elliptic curves over
-//! the scalar field of the latter curve. This curve was generated by Sean Bowe, and is also known
-//! as [Jubjub](https://github.com/zkcrypto/jubjub).
+//! This library implements a twisted Edwards curve whose base field is the
+//! scalar field of the curve BLS12-381. This allows defining cryptographic
+//! primitives that use elliptic curves over the scalar field of the latter
+//! curve. This curve was generated by Sean Bowe, and is also known as [Jubjub](https://github.com/zkcrypto/jubjub).
 //!
 //! Curve information:
-//! * Base field: q = 52435875175126190479447740508185965837690552500527637822603658699938581184513
-//! * Scalar field: r = 6554484396890773809930967563523245729705921265872317281365359162392183254199
+//! * Base field: q =
+//!   52435875175126190479447740508185965837690552500527637822603658699938581184513
+//! * Scalar field: r =
+//!   6554484396890773809930967563523245729705921265872317281365359162392183254199
 //! * Valuation(q - 1, 2) = 32
 //! * Valuation(r - 1, 2) = 1
 //! * Curve equation: ax^2 + y^2 =1 + dx^2y^2, where