
Comments (2)

akosba commented on July 17, 2024

Hi @hasinitg,

Could you please advise what is the recommended way to do this in jsnark? Is it fine to first compute the scalar multiplication a.P and then negate the resulting point? Or, should I first negate the scalar, and then perform scalar multiplication? I followed the first approach, by introducing a 'negateAffinePoint' function as below, because I am not sure how to do it using the latter approach in jsnark. I would appreciate a lot your insight on this.

For the second method, negating the scalar using the same way in your first method won't work as expected, i.e., if you use .mul(-1), it won't work correctly for the second case.
In the second case, you have to subtract the scalar from the order of the curve (or the order of the subgroup, but in this type of curves, I recall that the scalar or the secret keys in general are selected to be higher than the subgroup order, so the order of the curve should work). You will find these constants documented in the ECDHKeyExchange gadget. You have to be sure though before doing the subtraction that a is smaller.

In terms of efficiency, the first method seems to be a better candidate, because if you already have the bits of a, you can reuse them directly. However, if you use the second, you will have to subtract and then extract the bits, which will add ~250 constraints.

By the way, as a suggestion, there are also other SNARK-friendly curves that were proposed by others after the one I had in jsnark, e.g., https://z.cash/technology/jubjub/. You could also look into those, as they will be more optimized and possibly implemented for other functionalities other than key exchange.

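The two methods compared in the reply above, as an added example in Python (not code from jsnark or from either commenter). It uses a constructed toy curve rather than the jsnark curve, assumes that `.mul(-1)` negates modulo the field prime, and all function names are hypothetical.

```python
# Constructed toy curve y^2 = x^3 + 2x + 3 over F_97; NOT the curve used in jsnark.
P_FIELD, A, B = 97, 2, 3
INF = None            # point at infinity
BASE = (3, 6)         # constructed base point on the toy curve

def add(p1, p2):
    """Affine point addition."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_FIELD, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def mul(k, pt):
    """Double-and-add scalar multiplication for k >= 0."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def negate_affine_point(pt):
    """Method 1: negate the result point, -(x, y) = (x, -y mod p)."""
    return INF if pt is INF else (pt[0], -pt[1] % P_FIELD)

def curve_order():
    """Brute-force point count (including infinity); fine for a toy field."""
    rhs = lambda x: (x**3 + A * x + B) % P_FIELD
    return 1 + sum(y * y % P_FIELD == rhs(x)
                   for x in range(P_FIELD) for y in range(P_FIELD))

def mul_negated_scalar(a, pt, order):
    """Method 2: (order - a) * P; requires a < order, as the reply notes."""
    if not 0 <= a < order:
        raise ValueError("scalar must be smaller than the order")
    return mul(order - a, pt)

def mul_field_negated_scalar(a, pt):
    """Pitfall: negating a modulo the field prime instead of the order."""
    return mul(-a % P_FIELD, pt)
```

Methods 1 and 2 agree for every scalar below the curve order, while the field-negated scalar lands on a different point because the field prime is not a multiple of the point's order.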

hasinitg commented on July 17, 2024

Hi @akosba

Thank you very much for your reply. I appreciate it a lot (I am sorry about the delay in reply, as I was going through a transition period).
Thank you for clarifying the pros and cons of the two approaches for obtaining the negation of a scalar multiplication. I also implemented approach 1, as approach 2 involves more constraints, as you have pointed out as well.

Thank you for pointing out jubjub. I would prefer to continue using jsnark, as I have been using it for implementation of the other circuits as well.

Thank you.
