halo2 中文手册 (The halo2 Book · 简体中文版)

译自 halo2 book:https://zcash.github.io/halo2/design/gadgets/ecc/addition.html

我们将使用短 Weierstrass 曲线上仿射坐标(affine coordinates)的曲线算术公式, 推导自 Hüseyin Hışıl 博士论文 的第 4.1 节。

不完全加法(Incomplete addition)

• 输入:$P=(x_p,y_p),Q=(x_q,y_q)$
• 输出:$R=P⸭Q=(x_r,y_r)$

Hışıl 论文中的公式为:

• $x_3={\left(\frac{y_1-y_2}{x_1-x_2}\right)}^2-x_1-x_2$
• $y_3=\frac{y_1-y_2}{x_1-x_2}\cdot (x_1-x_3)-y_1.$

把 $(x_1,y_1)$ 重命名为 $(x_q,y_q)$,把 $(x_2,y_2)$ 重命名为 $(x_p,y_p)$,把 $(x_3,y_3)$ 重命名为 $(x_r,y_r)$,得到

• $x_r={\left(\frac{y_q-y_p}{x_q-x_p}\right)}^2-x_q-x_p$
• $y_r=\frac{y_q-y_p}{x_q-x_p}\cdot (x_q-x_r)-y_q$

这等价于

• $x_r+x_q+x_p={\left(\frac{y_p-y_q}{x_p-x_q}\right)}^2$
• $y_r+y_q=\frac{y_p-y_q}{x_p-x_q}\cdot (x_q-x_r).$

假设 $x_p\ne x_q$,我们有

$\begin{array}{lrrll}& & x_r+x_q+x_p& =& {\left(\frac{y_p-y_q}{x_p-x_q}\right)}^2\\ & ⟺& (x_r+x_q+x_p)\cdot (x_p-x_q{)}^2& =& (y_p-y_q{)}^2\\ & ⟺& (x_r+x_q+x_p)\cdot (x_p-x_q{)}^2-(y_p-y_q{)}^2& =& 0\\ \text{and}& & & & \\ & & y_r+y_q& =& \frac{y_p-y_q}{x_p-x_q}\cdot (x_q-x_r)\\ & ⟺& (y_r+y_q)\cdot (x_p-x_q)& =& (y_p-y_q)\cdot (x_q-x_r)\\ & ⟺& (y_r+y_q)\cdot (x_p-x_q)-(y_p-y_q)\cdot (x_q-x_r)& =& 0.\end{array}$

于是我们得到约束:

• $(x_r+x_q+x_p)\cdot (x_p-x_q{)}^2-(y_p-y_q{)}^2=0$
  • 注意此约束对于 $P⸭(-P)$(当 $P\ne \mathcal{O}$ 时)是不可满足的, 因此不能用于任意输入。
• $(y_r+y_q)\cdot (x_p-x_q)-(y_p-y_q)\cdot (x_q-x_r)=0.$

约束(Constraints)

$$\begin{array}{cl}\text{Degree}& \text{Constraint}\\ 4& q_{\text{add-incomplete}}\cdot \left((x_r+x_q+x_p)\cdot (x_p-x_q{)}^2-(y_p-y_q{)}^2\right)=0\\ 3& q_{\text{add-incomplete}}\cdot \left((y_r+y_q)\cdot (x_p-x_q)-(y_p-y_q)\cdot (x_q-x_r)\right)=0\end{array}$$

完全加法(Complete addition)

$\begin{array}{rcll}\mathcal{O}& +& \mathcal{O}& =\mathcal{O}\\ \mathcal{O}& +& (x_q,y_q)& =(x_q,y_q)\\ (x_p,y_p)& +& \mathcal{O}& =(x_p,y_p)\\ (x,y)& +& (x,y)& =[2](x,y)\\ (x,y)& +& (x,-y)& =\mathcal{O}\\ (x_p,y_p)& +& (x_q,y_q)& =(x_p,y_p)⸭(x_q,y_q),\text{ if }{x}_p\ne x_q.\end{array}$

假设我们把 $\mathcal{O}$ 表示为 $(0,0)$。($0$ 不是有效点的 $x$ 坐标,因为那将需要 $y^2=x^3+5$,而 $5$ 在 ${\mathbb{F}}_q$ 中不是平方数。同样 $0$ 也不是有效点的 $y$ 坐标,因为 $-5$ 在 ${\mathbb{F}}_q$ 中不是立方数。)

$$\begin{array}{rl}P+Q& =R\\ (x_p,y_p)+(x_q,y_q)& =(x_r,y_r)\\ \lambda & =\frac{y_q-y_p}{x_q-x_p}\\ x_r& ={\lambda }^2-x_p-x_q\\ y_r& =\lambda (x_p-x_r)-y_p\end{array}$$

对于倍点(doubling)情形,Hışıl 的论文告诉我们 $\lambda$ 必须改为计算为 $\frac{3x^2}{2y}$。

定义 $inv0(x)=\{\begin{array}{ll}0,& \text{if }x=0\\ 1/x,& \text{otherwise.}\end{array}$

见证(Witness)$\alpha ,\beta ,\gamma ,\delta ,\lambda$,其中:

$\begin{array}{rl}\alpha =& inv0(x_q-x_p)\\ \beta =& inv0(x_p)\\ \gamma =& inv0(x_q)\\ \delta =& \{\begin{array}{ll}inv0(y_q+y_p),& \text{if }{x}_q=x_p\\ 0,& \text{otherwise}\end{array}\\ \lambda =& \{\begin{array}{ll}\frac{y_q-y_p}{x_q-x_p},& \text{if }{x}_q\ne x_p\\ \frac{3{x_p}^2}{2y_p}& \text{if }{x}_q=x_p\wedge y_p\ne 0\\ 0,& \text{otherwise.}\end{array}\end{array}$

约束(Constraints)

$$\begin{array}{clcll}\text{Degree}& \text{Constraint}& & & \text{Meaning}\\ 4& q_{add}\cdot (x_q-x_p)\cdot ((x_q-x_p)\cdot \lambda -(y_q-y_p))& =& 0& x_q\ne x_p⟹\lambda =\frac{y_q-y_p}{x_q-x_p}\\ & & & & \\ 5& q_{add}\cdot (1-(x_q-x_p)\cdot \alpha )\cdot \left(2y_p\cdot \lambda -3{x_p}^2\right)& =& 0& \{\begin{array}{l}{x}_q=x_p\wedge y_p\ne 0⟹\lambda =\frac{3{x_p}^2}{2y_p}\\ x_q=x_p\wedge y_p=0⟹x_p=0\end{array}\\ 6& q_{add}\cdot x_p\cdot x_q\cdot (x_q-x_p)\cdot ({\lambda }^2-x_p-x_q-x_r)& =& 0& x_p\ne 0\wedge x_q\ne 0\wedge x_q\ne x_p⟹x_r={\lambda }^2-x_p-x_q\\ 6& q_{add}\cdot x_p\cdot x_q\cdot (x_q-x_p)\cdot (\lambda \cdot (x_p-x_r)-y_p-y_r)& =& 0& x_p\ne 0\wedge x_q\ne 0\wedge x_q\ne x_p⟹y_r=\lambda \cdot (x_p-x_r)-y_p\\ 6& q_{add}\cdot x_p\cdot x_q\cdot (y_q+y_p)\cdot ({\lambda }^2-x_p-x_q-x_r)& =& 0& x_p\ne 0\wedge x_q\ne 0\wedge y_q\ne -y_p⟹x_r={\lambda }^2-x_p-x_q\\ 6& q_{add}\cdot x_p\cdot x_q\cdot (y_q+y_p)\cdot (\lambda \cdot (x_p-x_r)-y_p-y_r)& =& 0& x_p\ne 0\wedge x_q\ne 0\wedge y_q\ne -y_p⟹y_r=\lambda \cdot (x_p-x_r)-y_p\\ 4& q_{add}\cdot (1-x_p\cdot \beta )\cdot (x_r-x_q)& =& 0& x_p=0⟹x_r=x_q\\ 4& q_{add}\cdot (1-x_p\cdot \beta )\cdot (y_r-y_q)& =& 0& x_p=0⟹y_r=y_q\\ 4& q_{add}\cdot (1-x_q\cdot \gamma )\cdot (x_r-x_p)& =& 0& x_q=0⟹x_r=x_p\\ 4& q_{add}\cdot (1-x_q\cdot \gamma )\cdot (y_r-y_p)& =& 0& x_q=0⟹y_r=y_p\\ 4& q_{add}\cdot (1-(x_q-x_p)\cdot \alpha -(y_q+y_p)\cdot \delta )\cdot x_r& =& 0& x_q=x_p\wedge y_q=-y_p⟹x_r=0\\ 4& q_{add}\cdot (1-(x_q-x_p)\cdot \alpha -(y_q+y_p)\cdot \delta )\cdot y_r& =& 0& x_q=x_p\wedge y_q=-y_p⟹y_r=0\end{array}$$

最大次数(Max degree):6

约束分析(Analysis of constraints)

$$\begin{array}{rl}1.& (x_q-x_p)\cdot ((x_q-x_p)\cdot \lambda -(y_q-y_p))=0\\ & \\ & \begin{array}{rl}\text{At least one of }& x_q-x_p=0\\ \text{or }& (x_q-x_p)\cdot \lambda -(y_q-y_p)=0\end{array}\\ & \text{must be satisfied for the constraint to be satisfied.}\\ & \\ & \text{If }{x}_q-x_p\ne 0,\text{ then }(x_q-x_p)\cdot \lambda -(y_q-y_p)=0,\text{ and}\\ & \text{by rearranging both sides we get }\lambda =(y_q-y_p)/(x_q-x_p).\\ & \\ & \text{Therefore:}\\ & x_q\ne x_p⟹\lambda =(y_q-y_p)/(x_q-x_p).\\ & \\ 2.& (1-(x_q-x_p)\cdot \alpha )\cdot (2y_p\cdot \lambda -3x_p^2)=0\\ & \\ & \begin{array}{rl}\text{At least one of }& (1-(x_q-x_p)\cdot \alpha )=0\\ \text{or }& (2y_p\cdot \lambda -3x_p^2)=0\end{array}\\ & \text{must be satisfied for the constraint to be satisfied.}\\ & \\ & \text{If }{x}_q=x_p,\text{ then }1-(x_q-x_p)\cdot \alpha =0\text{ has no solution for }\alpha ,\\ & \text{so it must be that }2y_p\cdot \lambda -3x_p^2=0.\\ & \\ & \text{If }{x}_q=x_p\text{ and }{y}_p=0\text{ then }{x}_p=0,\text{ and the constraint is satisfied.}\\ & \\ & \text{If }{x}_q=x_p\text{ and }{y}_p\ne 0\text{ then by rearranging both sides}\\ & \text{we get }\lambda =3x_p^2/2y_p.\\ & \\ & \text{Therefore:}\\ & (x_q=x_p)\wedge y_p\ne 0⟹\lambda =3x_p^2/2y_p.\\ & \\ 3.\text{ a)}& x_p\cdot x_q\cdot (x_q-x_p)\cdot ({\lambda }^2-x_p-x_q-x_r)=0\\ \text{ b)}& x_p\cdot x_q\cdot (x_q-x_p)\cdot (\lambda \cdot (x_p-x_r)-y_p-y_r)=0\\ \text{ c)}& x_p\cdot x_q\cdot (y_q+y_p)\cdot ({\lambda }^2-x_p-x_q-x_r)=0\\ \text{ d)}& x_p\cdot x_q\cdot (y_q+y_p)\cdot (\lambda \cdot (x_p-x_r)-y_p-y_r)=0\\ & \\ & \begin{array}{rl}\text{At least one of }& x_p=0\\ \text{or }& x_p=0\\ \text{or }& (x_q-x_p)=0\\ \text{or }& ({\lambda }^2-x_p-x_q-x_r)=0\end{array}\\ & \text{must be satisfied for constraint (a) to be satisfied.}\\ & \\ & \text{If }{x}_p\ne 0\wedge x_q\ne 0\wedge x_q\ne x_p,\\ & \text{• Constraint (a) imposes that }{x}_r={\lambda }^2-x_p-x_q.\\ & \text{• Constraint (b) imposes that }{y}_r=\lambda \cdot (x_p-x_r)-y_p.\\ & \\ & \text{If }{x}_p\ne 0\wedge x_q\ne 0\wedge y_q\ne -y_p,\\ & \text{• Constraint (c) imposes that }{x}_r={\lambda }^2-x_p-x_q.\\ & \text{• Constraint (d) imposes that }{y}_r=\lambda \cdot (x_p-x_r)-y_p.\\ & \\ & \text{Therefore:}\\ & \begin{array}{rl}& (x_p\ne 0)\wedge (x_q\ne 0)\wedge ((x_q\ne x_p)\vee (y_q\ne -y_p))\\ ⟹& (x_r={\lambda }^2-x_p-x_q)\wedge (y_r=\lambda \cdot (x_p-x_r)-y_p).\end{array}\\ & \\ 4.\text{ a)}& (1-x_p\cdot \beta )\cdot (x_r-x_q)=0\\ \text{ b)}& (1-x_p\cdot \beta )\cdot (y_r-y_q)=0\\ & \\ & \begin{array}{rl}\text{At least one of }1-x_p\cdot \beta & =0\\ \text{or }{x}_r-x_q& =0\end{array}\\ & \text{must be satisfied for constraint (a) to be satisfied.}\\ & \\ & \text{If }{x}_p=0\text{ then }1-x_p\cdot \beta =0\text{ has no solutions for }\beta ,\\ & \text{and so it must be that }{x}_r-x_q=0.\\ & \\ & \text{Similarly, constraint (b) imposes that if }{x}_p=0\\ & \text{then }{y}_r-y_q=0.\\ & \\ & \text{Therefore:}\\ & x_p=0⟹(x_r,y_r)=(x_q,y_q).\\ & \\ 5.\text{ a)}& (1-x_q\cdot \gamma )\cdot (x_r-x_p)=0\\ \text{ b)}& (1-x_q\cdot \gamma )\cdot (y_r-y_p)=0\\ & \\ & \begin{array}{rl}\text{At least one of }1-x_q\cdot \gamma & =0\\ \text{or }{x}_r-x_p& =0\end{array}\\ & \text{must be satisfied for constraint (a) to be satisfied.}\\ & \\ & \text{If }{x}_q=0\text{ then }1-x_q\cdot \gamma =0\text{ has no solutions for }\gamma ,\\ & \text{and so it must be that }{x}_r-x_p=0.\\ & \\ & \text{Similarly, constraint (b) imposes that if }{x}_q=0\\ & \text{then }{y}_r-y_p=0.\\ & \\ & \text{Therefore:}\\ & x_q=0⟹(x_r,y_r)=(x_p,y_p).\\ & \\ 6.\text{ a)}& (1-(x_q-x_p)\cdot \alpha -(y_q+y_p)\cdot \delta )\cdot x_r=0\\ \text{ b)}& (1-(x_q-x_p)\cdot \alpha -(y_q+y_p)\cdot \delta )\cdot y_r=0\\ & \\ & \begin{array}{rl}\text{At least one of }& 1-(x_q-x_p)\cdot \alpha -(y_q+y_p)\cdot \delta =0\\ \text{or }& x_r=0\end{array}\\ & \text{must be satisfied for constraint (a) to be satisfied,}\\ & \text{and similarly replacing }{x}_r\text{ by }{y}_r.\\ & \\ & \text{If }{x}_r\ne 0\text{ or }{y}_r\ne 0,\text{ then it must be that }1-(x_q-x_p)\cdot \alpha -(y_q+y_p)\cdot \delta =0.\\ & \\ & \text{However, if }{x}_q=x_p\wedge y_q=-y_p,\text{ then there are no solutions for }\alpha \text{ and }\delta .\\ & \\ & \text{Therefore: }\\ & x_q=x_p\wedge y_q=-y_p⟹(x_r,y_r)=(0,0).\end{array}$$

命题(Propositions):

$\begin{array}{cl}(1)& x_q\ne x_p⟹\lambda =(y_q-y_p)/(x_q-x_p)\\ (2)& (x_q=x_p)\wedge y_p\ne 0⟹\lambda =3x_p^2/2y_p\\ (3)& (x_p\ne 0)\wedge (x_q\ne 0)\wedge ((x_q\ne x_p)\vee (y_q\ne -y_p))\\ & ⟹(x_r={\lambda }^2-x_p-x_q)\wedge (y_r=\lambda \cdot (x_p-x_r)-y_p)\\ (4)& x_p=0⟹(x_r,y_r)=(x_q,y_q)\\ (5)& x_q=0⟹(x_r,y_r)=(x_p,y_p)\\ (6)& x_q=x_p\wedge y_q=-y_p⟹(x_r,y_r)=(0,0)\end{array}$

情形(Cases):

$(x_p,y_p)+(x_q,y_q)=(x_r,y_r)$

注意我们依赖于这样一个事实:$0$ 不是 Pallas 曲线上除 $\mathcal{O}$ 之外任何点的有效 $x$ 坐标或 $y$ 坐标。

• $(0,0)+(0,0)$

  • 完备性(Completeness):

    $\begin{array}{cl}(1)& \text{holds because }{x}_q=x_p\\ (2)& \text{holds because }{y}_p=0\\ (3)& \text{holds because }{x}_p=0\\ (4)& \text{holds because }(x_r,y_r)=(x_q,y_q)=(0,0)\\ (5)& \text{holds because }(x_r,y_r)=(x_p,y_p)=(0,0)\\ (6)& \text{holds because }(x_r,y_r)=(0,0).\end{array}$

  • 可靠性(Soundness):$(x_r,y_r)=(0,0)$ 是 $(6)$ 的唯一解。

• $(x,y)+(0,0)$,其中 $(x,y)\ne (0,0)$

  • 完备性(Completeness):

    $\begin{array}{cl}(1)& \text{holds because }{x}_q\ne x_p,\text{ therefore }\lambda =(y_q-y_p)/(x_q-x_p)\text{ is a solution}\\ (2)& \text{holds because }{x}_q\ne x_p,\text{ therefore }\alpha =(x_q-x_p{)}^{-1}\text{ is a solution}\\ (3)& \text{holds because }{x}_q=0\\ (4)& \text{holds because }{x}_p\ne 0,\text{ therefore }\beta =x_p^{-1}\text{ is a solution}\\ (5)& \text{holds because }(x_r,y_r)=(x_p,y_p)\\ (6)& \text{holds because }{x}_q\ne x_p,\text{ therefore }\alpha =(x_q-x_p{)}^{-1}\text{ and }\delta =0\text{ is a solution.}\end{array}$

  • 可靠性(Soundness):$(x_r,y_r)=(x_p,y_p)$ 是 $(5)$ 的唯一解。

• $(0,0)+(x,y)$,其中 $(x,y)\ne (0,0)$

  • 完备性(Completeness):

    $\begin{array}{cl}(1)& \text{holds because }{x}_q\ne x_p,\text{ therefore }\lambda =(y_q-y_p)/(x_q-x_p)\text{ is a solution}\\ (2)& \text{holds because }{x}_q\ne x_p,\text{ therefore }\alpha =(x_q-x_p{)}^{-1}\text{ is a solution}\\ (3)& \text{holds because }{x}_p=0\\ (4)& \text{holds because }{x}_p=0\text{ only when }(x_r,y_r)=(x_q,y_q)\\ (5)& \text{holds because }{x}_q\ne 0,\text{ therefore }\gamma =x_q^{-1}\text{ is a solution}\\ (6)& \text{holds because }{x}_q\ne x_p,\text{ therefore }\alpha =(x_q-x_p{)}^{-1}\text{ and }\delta =0\text{ is a solution.}\end{array}$

  • 可靠性(Soundness):$(x_r,y_r)=(x_q,y_q)$ 是 $(4)$ 的唯一解。

• $(x,y)+(x,y)$,其中 $(x,y)\ne (0,0)$

  • 完备性(Completeness):

    $\begin{array}{cl}(1)& \text{holds because }{x}_q=x_p\\ (2)& \text{holds because }{x}_q=x_p\wedge y_p\ne 0,\text{ therefore }\lambda =3x_p^2/2y_p\text{ is a solution}\\ (3)& \text{holds because }{x}_r={\lambda }^2-x_p-x_q\wedge y_r=\lambda \cdot (x_p-x_r)-y_p\text{ in this case}\\ (4)& \text{holds because }{x}_p\ne 0,\text{ therefore }\beta =x_p^{-1}\text{ is a solution}\\ (5)& \text{holds because }{x}_p\ne 0,\text{ therefore }\gamma =x_q^{-1}\text{ is a solution}\\ (6)& \text{holds because }{x}_q=x_p\text{ and }{y}_q\ne -y_p,\text{ therefore }\alpha =0\text{ and }\delta =(y_q+y_p{)}^{-1}\text{ is a solution.}\end{array}$

  • 可靠性(Soundness):$\lambda$ 被正确计算,且 $(x_r,y_r)=({\lambda }^2-x_p-x_q,\lambda \cdot (x_p-x_r)-y_p)$ 是唯一解。

• $(x,y)+(x,-y)$,其中 $(x,y)\ne (0,0)$

  • 完备性(Completeness):

    $\begin{array}{cl}(1)& \text{holds because }{x}_q=x_p\\ (2)& \text{holds because }{x}_q=x_p\wedge y_p\ne 0,\text{ therefore }\lambda =3x_p^2/2y_p\text{ is a solution}\\ & \text{(although }\lambda \text{ is not used in this case)}\\ (3)& \text{holds because }{x}_q=x_p\text{ and }{y}_q=-y_p\\ (4)& \text{holds because }{x}_p\ne 0,\text{ therefore }\beta =x_p^{-1}\text{ is a solution}\\ (5)& \text{holds because }{x}_q\ne 0,\text{ therefore }\gamma =x_q^{-1}\text{ is a solution}\\ (6)& \text{holds because }(x_r,y_r)=(0,0)\end{array}$

  • 可靠性(Soundness):$(x_r,y_r)=(0,0)$ 是 $(6)$ 的唯一解。

• $(x_p,y_p)+(x_q,y_q)$,其中 $(x_p,y_p)\ne (0,0)$ 且 $(x_q,y_q)\ne (0,0)$ 且 $x_p\ne x_q$

  • 完备性(Completeness):

    $\begin{array}{cl}(1)& \text{holds because }{x}_q\ne x_p,\text{ therefore }\lambda =(y_q-y_p)/(x_q-x_p)\text{ is a solution}\\ (2)& \text{holds because }{x}_q\ne x_p,\text{ therefore }\alpha =(x_q-x_p{)}^{-1}\text{ is a solution}\\ (3)& \text{holds because }{x}_r={\lambda }^2-x_p-x_q\wedge y_r=\lambda \cdot (x_p-x_r)-y_p\text{ in this case}\\ (4)& \text{holds because }{x}_p\ne 0,\text{ therefore }\beta =x_p^{-1}\text{ is a solution}\\ (5)& \text{holds because }{x}_q\ne 0,\text{ therefore }\gamma =x_q^{-1}\text{ is a solution}\\ (6)& \text{holds because }{x}_q\ne x_p,\text{ therefore }\alpha =(x_q-x_p{)}^{-1}\text{ and }\delta =0\text{ is a solution.}\end{array}$

  • 可靠性(Soundness):$\lambda$ 被正确计算,且 $(x_r,y_r)=({\lambda }^2-x_p-x_q,\lambda \cdot (x_p-x_r)-y_p)$ 是唯一解。