escalarmulfix uses segments of 246 and adds comments on limits

2019-11-23 22:00:11 +02:00 · 2019-11-23 22:00:11 +02:00 · 8445381431
commit 8445381431
parent 42e96c2e1f
4 changed files with 10 additions and 4 deletions
--- a/circuits/bitify.circom
+++ b/circuits/bitify.circom
@ -21,6 +21,7 @@ include "comparators.circom";
 include "aliascheck.circom";


+/* This doesn't check aliasing, so for n > 253 there are multiple bit strings for each number */
 template Num2Bits(n) {
    signal input in;
    signal output out[n];
@ -76,6 +77,7 @@ template Bits2Num_strict() {
    b2n.out ==> out;
 }

+/* n must not exceed 253 */  
 template Num2BitsNeg(n) {
    signal input in;
    signal output out[n];
--- a/circuits/escalarmulfix.circom
+++ b/circuits/escalarmulfix.circom
@ -44,6 +44,7 @@ include "babyjub.circom";
    A good way to see it is that the accumulator input of the adder >= 2^247*B and the other input
    is the output of the windows that it's going to be <= 2^246*B
 */
+ /* base must not be the neutral element nor points of small order */
 template WindowMulFix() {
    signal input in[3];
    signal input base[2];
@ -133,11 +134,12 @@ template WindowMulFix() {

 /*
    This component does a multiplication of a escalar times a fix base
+    nWindows must not exceed 82
    Signals:
        e: The scalar in bits
        base: the base point in edwards format
        out:  The result
-        dbl: Point in Edwards to be linked to the next segment.
+        dbl: Point in Montgomery to be linked to the next segment.
 */

 template SegmentMulFix(nWindows) {
@ -236,7 +238,7 @@ template EscalarMulFix(n, BASE) {
    signal output out[2];           // Point (Twisted format)

    var nsegments = (n-1)\246 +1;       // 249 probably would work. But I'm not sure and for security I keep 246
-    var nlastsegment = n - (nsegments-1)*249;
+    var nlastsegment = n - (nsegments-1)*246;

    component segments[nsegments];

@ -250,13 +252,13 @@ template EscalarMulFix(n, BASE) {

    for (s=0; s<nsegments; s++) {

-        nseg = (s < nsegments-1) ? 249 : nlastsegment;
+        nseg = (s < nsegments-1) ? 246 : nlastsegment;
        nWindows = ((nseg - 1)\3)+1;

        segments[s] = SegmentMulFix(nWindows);

        for (i=0; i<nseg; i++) {
-            segments[s].e[i] <== e[s*249+i];
+            segments[s].e[i] <== e[s*246+i];
        }

        for (i = nseg; i<nWindows*3; i++) {
--- a/circuits/montgomery.circom
+++ b/circuits/montgomery.circom
@ -85,6 +85,7 @@ template Montgomery2Edwards() {

 */

+/* in1 must be != in2 */
 template MontgomeryAdd() {
    signal input in1[2];
    signal input in2[2];
--- a/circuits/pedersen.circom
+++ b/circuits/pedersen.circom
@ -108,6 +108,7 @@ template Window4() {
 }


+/* nWindows must not exceed 50 */
 template Segment(nWindows) {
    signal input in[nWindows*4];
    signal input base[2];