arnaucube
/
circomlib
mirror of https://github.com/arnaucube/circomlib.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19 Commits
7 Branches
7 Tags
12 MiB
Tree: 09f36d1e4d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '09f36d1e4d'
${ noResults }
circomlib/circuits/montgomery.circom

123 lines
2.3 KiB
Raw Normal View History

Pedersen2 and BitPoints MulFix and MulAny
6 years ago
  2. /*
  3. Source: https://en.wikipedia.org/wiki/Montgomery_curve
  5. 1 + y 1 + y
  6. [u, v] = [ ------- , ---------- ]
  7. 1 - y (1 - y)x
  9. */
  11. template Edwards2Montgomery() {
  12. signal input in[2];
  13. signal output out[2];
  15. out[0] <-- (1 + in[1]) / (1 - in[1]);
  16. out[1] <-- out[0] / in[0];
  19. out[0] * (1-in[1]) === (1 + in[1]);
  20. out[1] * in[0] === out[0];
  21. }
  23. /*
  25. u u - 1
  26. [x, y] = [ ---, ------- ]
  27. v u + 1
  29. */
  30. template Montgomery2Edwards() {
  31. signal input in[2];
  32. signal output out[2];
  34. out[0] <-- in[0] / in[1];
  35. out[1] <-- (in[0] - 1) / (in[0] + 1);
  37. out[0] * in[1] === in[0];
  38. out[1] * (in[0] + 1) === in[0] - 1;
  39. }
  42. /*
  43. x2 - x1
  44. lamda = ---------
  45. y2 - y1
  47. x3 + A + x1 + x2
  48. x3 = B * lamda^2 - A - x1 -x2 => lamda^2 = ------------------
  49. B
  51. y3 = (2*x1 + x2 + A)*lamda - B*lamda^3 - y1 =>
  54. => y3 = lamda * ( 2*x1 + x2 + A - x3 - A - x1 - x2) - y1 =>
  56. => y3 = lamda * ( x1 - x3 ) - y1
  58. ----------
  60. y2 - y1
  61. lamda = ---------
  62. x2 - x1
  64. x3 = B * lamda^2 - A - x1 -x2
  66. y3 = lamda * ( x1 - x3 ) - y1
  68. */
  70. template MontgomeryAdd() {
  71. signal input in1[2];
  72. signal input in2[2];
  73. signal output out[2];
  75. var a = 168700;
  76. var d = 168696;
  78. var A = (2 * (a + d)) / (a - d);
  79. var B = 4 / (a - d);
  81. signal lamda;
  83. lamda <-- (in2[1] - in1[1]) / (in2[0] - in1[0]);
  84. lamda * (in2[0] - in1[0]) === (in2[1] - in1[1]);
  86. out[0] <== B*lamda*lamda - A - in1[0] -in2[0];
  87. out[1] <== lamda * (in1[0] - out[0]) - in1[1];
  88. }
  90. /*
  92. x1_2 = x1*x1
  94. 3*x1_2 + 2*A*x1 + 1
  95. lamda = ---------------------
  96. 2*B*y1
  98. x3 = B * lamda^2 - A - x1 -x1
  100. y3 = lamda * ( x1 - x3 ) - y1
  102. */
  103. template MontgomeryDouble() {
  104. signal input in[2];
  105. signal output out[2];
  107. var a = 168700;
  108. var d = 168696;
  110. var A = (2 * (a + d)) / (a - d);
  111. var B = 4 / (a - d);
  113. signal lamda;
  114. signal x1_2;
  116. x1_2 <== in[0] * in[0];
  118. lamda <-- (3*x1_2 + 2*A*in[0] + 1 ) / (2*B*in[1]);
  119. lamda * (2*B*in[1]) === (3*x1_2 + 2*A*in[0] + 1 );
  121. out[0] <== B*lamda*lamda - A - 2*in[0];
  122. out[1] <== lamda * (in[0] - out[0]) - in[1];
  123. }