Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[std] Implement Bowe-Hopwood Pedersen hash in Montgomery form #158

Closed
yelhousni opened this issue Oct 28, 2021 · 1 comment
Closed

[std] Implement Bowe-Hopwood Pedersen hash in Montgomery form #158

yelhousni opened this issue Oct 28, 2021 · 1 comment
Labels
good first issue Good for newcomers new feature

Comments

@yelhousni
Copy link
Contributor

A double-and-add scalar multiplication by N costs on average log(N) doublings and log(N/2) additions. For twisted Edwards curves (used in gnark for edDSA circuits), it costs 7 rank-1 constraints (Groth16) to describe an addition in affine coordinates and 6 for a doubling. These twisted Edwards curves can be converted to Montgomery form where it costs 4 R1C for an addition and 5 for a doubling. To convert a point from twisted Edwards to Montgomery it costs 2 R1C and the inverse map costs 2 R1C. Note that the formulae in Montgomery are incomplete. However, this form can be used only for implementing Bowe-Hopwood Pedersen hash which can be done using only additions.

N.B.: same logic might be applied to sparse R1CS count (PlonK).
@yelhousni yelhousni added good first issue Good for newcomers not soon labels Oct 28, 2021
@yelhousni
Copy link
Contributor Author

Outdated. We chose to go with poseidon2 #1300.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue Good for newcomers new feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gbotrel @yelhousni