SW <-> TE map for Bandersnatch #804
Conversation
…/arkworks-algebra into skalman--sw-te-map-for-bandersnatch
drskalman
requested review from
z-tech,
Pratyush and
weikengchen
and removed request for
a team
| @@ -4,6 +4,7 @@ | |||
|
|
|||
| - [\#772](https://github.com/arkworks-rs/algebra/pull/772) (`ark-ff`) Implementation of `mul` method for `BigInteger`. | |||
| - [\#794](https://github.com/arkworks-rs/algebra/pull/794) (`ark-ff`) Fix `wasm` compilation. | |||
| - [\#XXX](https://github.com/arkworks-rs/algebra/pull/XXX) (`ark-curves`) Implement TE <-> SW map for Bandersnatch. | |||
There was a problem hiding this comment.
| - [\#XXX](https://github.com/arkworks-rs/algebra/pull/XXX) (`ark-curves`) Implement TE <-> SW map for Bandersnatch. | |
| - [\#804](https://github.com/arkworks-rs/algebra/pull/XXX) (`ark-curves`) Implement TE <-> SW map for Bandersnatch. |
(since the PR is from an organization, I cannot edit directly)
|
Ok, I need to say that we generally want to have uniformity in the curve repository, so if we want to add, likely we will structure a trait and facilitates it from there. I.e., implementing it for all the curves if possible. What do you think? It would be preferred, of course, if the implementation can be done for general curves. But I want to ask a question about the motivation: so, if I remember correctly, the incomplete addition formula for SW should have similar performance with the one in twisted Edwards curve, nope? |
|
I'd think one or more flavors of this map should typically exist whenever the both the TE and SW forms exist, although some exceptions exist. Among other reasons, serialization should be in Edwards, even if the circuts use SW, if only because the serialized form is one byte shorter, but often because advanced compression techniques are only researched for TE. In particular, Bandersnatch should be serialized as ganderwagon, which reuqires passing through TE. I suppose decaf377 would similarlly be the preferable serialization for BLS12-377. As a rule, you'll have worse interfaces if you rush into trait design than if you let the requirement emerge organically, with the hash-to-curve shit show being one example. We do not know if multiple isogenies were alredy deployed for bandersnatch, bls12-377, or ed25519. |
|
I agree with @weikengchen here. |
|
It's quite general if you do roughly: You can even still do I'm warning against assuming that particular impl exists, aka ignoring the associated types. I'm especially warning against doing this: I'm also saying there is no real reason to block providing the mapping upon selecting the trait, but if the general trait exists then whatever. |
| MontFp!("41180284393978236561320365279764246793818536543197771097409483252169927600582"); | ||
|
|
||
| impl BandersnatchConfig { | ||
| /// Map an point in TE form to its corresponding point on SW curve |
There was a problem hiding this comment.
| /// Map an point in TE form to its corresponding point on SW curve | |
| /// Map a point in TE form to its corresponding point on SW curve |
| let v = v_w_num * v_denom_inv; | ||
| let w = v_w_num * w_denom_inv; | ||
|
|
||
| //now we are mappyng the montgamory point to SW. |
There was a problem hiding this comment.
| //now we are mappyng the montgamory point to SW. | |
| //now we are mapping the montgomery point to SW. |
| debug_assert!( | ||
| point_on_sw_curve.is_on_curve(), | ||
| "TE point mapped off the SW curve" | ||
| ); |
There was a problem hiding this comment.
I'd probably play it safe here and use SWAffine::new here and remove the debug asserts. That way you'd run both checks. Then consider adding a te_to_sw_unchecked() if/when there's proof that it's too slow to run the checks.
| } | ||
|
|
||
| pub fn map_sw_to_te(point: SWAffine) -> Option<EdwardsAffine> { | ||
| //first we are mappyng the sw point to montgamory point |
There was a problem hiding this comment.
| //first we are mappyng the sw point to montgamory point | |
| //first we are mappng the sw point to its montgomery point |
| let point_on_te_curve = EdwardsAffine::new_unchecked(v, w); | ||
| debug_assert!( | ||
| point_on_te_curve.is_on_curve(), | ||
| "TE point mapped off the SW curve" | ||
| ); |
There was a problem hiding this comment.
Same comment as above: consider using EdwartdsAffine::new instead and ditch the debug assert.
| impl BandersnatchConfig { | ||
| /// Map an point in TE form to its corresponding point on SW curve | ||
| pub fn map_te_to_sw(point: EdwardsAffine) -> Option<SWAffine> { | ||
| //First we map the point from the TE to Montgamory |
There was a problem hiding this comment.
| //First we map the point from the TE to Montgamory | |
| if point.is_zero() { | |
| return SWAffine::identity() | |
| } | |
| //First we map the point from the TE to Montgamory |
| } | ||
|
|
||
| pub fn map_sw_to_te(point: SWAffine) -> Option<EdwardsAffine> { | ||
| //first we are mappyng the sw point to montgamory point |
There was a problem hiding this comment.
| //first we are mappyng the sw point to montgamory point | |
| if point.is_zero() { | |
| return EdwardsAffine::zero() | |
| } | |
| // First we are mappyng the sw point to montgamory point |
|
Hi, I'm working on the SW <-> TE map for BN254 and came across this PR. Nice work! One question: is it possible to apply the same technique "Short Weierstrass <-> Montgomery <-> Twisted Edwards" for BN254 curve? Thank you. Update: Since BN254 is a prime order curve, there is no TE model for it. Thanks for the clarification from Pratyush. |
Description
Implement the birational map between the Short Weierstrass and Twisted Edwards forms of the Bandersnatch curve.
It is important because it is significantly cheaper to verifiy SNARK using the incomplete addition formula of SW form while Elligator hash-to-curve is significantly cheaper than WB or SWU hash-to-curve.
Specifically for Bandersnatch serializing in TE form saves a byte from 33 to 32 which is more machine friendly.
Pendingsection inCHANGELOG.mdFiles changedin the GitHub PR explorer