diff --git a/circuits/bitify.circom b/circuits/bitify.circom
index 2050e13..470e0c8 100644
--- a/circuits/bitify.circom
+++ b/circuits/bitify.circom
@@ -21,6 +21,7 @@ include "comparators.circom";
 include "aliascheck.circom";
+/* This doesn't check aliasing, so for n > 253 there are multiple bit strings for each number */
 template Num2Bits(n) {
     signal input in;
     signal output out[n];
@@ -76,6 +77,7 @@ template Bits2Num_strict() {
     b2n.out ==> out;
 }
+/* n must not exceed 253 */
 template Num2BitsNeg(n) {
     signal input in;
     signal output out[n];
diff --git a/circuits/escalarmulfix.circom b/circuits/escalarmulfix.circom
index 8e3e031..5ea8e09 100644
--- a/circuits/escalarmulfix.circom
+++ b/circuits/escalarmulfix.circom
@@ -44,6 +44,7 @@ include "babyjub.circom";
     A good way to see it is that the accumulator input of the adder >= 2^247*B and the other input is the output of the windows that it's going to be <= 2^246*B
  */
+ /* base must not be the neutral element nor points of small order */
 template WindowMulFix() {
     signal input in[3];
     signal input base[2];
@@ -133,11 +134,12 @@ template WindowMulFix() {
 /*
     This component does a multiplication of a escalar times a fix base
+    nWindows must not exceed 82
     Signals:
         e: The scalar in bits
         base: the base point in edwards format
         out: The result
-        dbl: Point in Edwards to be linked to the next segment.
+        dbl: Point in Montgomery to be linked to the next segment.
  */
 template SegmentMulFix(nWindows) {
@@ -236,7 +238,7 @@ template EscalarMulFix(n, BASE) {
     signal output out[2];   // Point (Twisted format)
     var nsegments = (n-1)\246 +1;       // 249 probably would work. But I'm not sure and for security I keep 246
-    var nlastsegment = n - (nsegments-1)*249;
+    var nlastsegment = n - (nsegments-1)*246;
     component segments[nsegments];
@@ -250,13 +252,13 @@ template EscalarMulFix(n, BASE) {
     for (s=0; s
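Review bot: The comment added above Num2Bits only documents the n > 253 aliasing limit; nothing enforces it, so an instantiation such as Num2Bits(254) yields a circuit in which more than one bit string satisfies the constraints for the same input, which is exactly the soundness gap the note describes. The file already includes aliascheck.circom and carries strict variants (Bits2Num_strict is visible in the next hunk), so the comment should direct readers there: `/* This doesn't check aliasing, so for n > 253 there are multiple bit strings for each number. Use Num2Bits_strict when n >= 254 */`. If the compiler in use supports a compile-time assert on template parameters, `assert(n <= 253);` as the first line of the template body turns the comment into a check, and the same applies to the `/* n must not exceed 253 */` comment added before Num2BitsNeg in the next hunk.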
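Review bot: The new precondition on WindowMulFix concerns `base`, which is a signal input, so the template cannot check it and the comment should say whose job it is; as this diff shows, EscalarMulFix receives the base as the compile-time template parameter BASE, so the check belongs there, or the comment must state that callers are responsible. A sentence such as `/* base must not be the neutral element nor a point of small order; WindowMulFix does not verify this, the caller must guarantee it */` makes the obligation explicit. Also, the added line has a leading space before `/*`, unlike the `/*` that opens the SegmentMulFix comment in the next hunk, so it should be moved to column 0. WindowMulFix's body continues outside the hunk.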
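Review bot: The bound `nWindows must not exceed 82` is stated without its reason, and the number is coupled to the 246-bit segment size that EscalarMulFix hard-codes two hunks later in `(n-1)\246 +1`; WindowMulFix takes `in[3]`, so 82 windows is 246 bits, and a future change to either constant would silently break the other. State the derivation in the comment: `nWindows must not exceed 82 (3 bits per window, so one segment covers at most 246 bits; EscalarMulFix relies on this)`. If a compile-time assert is available, `assert(nWindows <= 82);` at the top of the template body enforces it rather than documenting it. SegmentMulFix's body starts after the hunk ends.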
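Review bot: With nlastsegment now computed from 246, the segment width appears as a literal in two adjacent lines plus the `// 249 probably would work` comment, which is how the 249/246 mismatch this commit fixes crept in; hoist it into one variable so the two expressions cannot diverge again: `var segmentBits = 246;`, `var nsegments = (n-1)\segmentBits + 1;`, `var nlastsegment = n - (nsegments-1)*segmentBits;`. The "for security I keep 246" remark is the justification that matters (246 is the 82-window, 3-bits-per-window bound documented on SegmentMulFix in the hunk above) and should stay next to that single definition. EscalarMulFix continues past the end of this hunk.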