From 30476d96d0e8d96b4a436b92d648229ca71a58f2 Mon Sep 17 00:00:00 2001 From: crStiv Date: Mon, 25 Aug 2025 09:04:56 +0200 Subject: [PATCH 1/2] Update curves.md --- book/src/background/curves.md | 40 +++++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/book/src/background/curves.md b/book/src/background/curves.md index 2600127dd..bc823ddbe 100644 --- a/book/src/background/curves.md +++ b/book/src/background/curves.md @@ -271,7 +271,22 @@ over $E_q/\mathbb{F}_q,$ forming a 2-cycle with the first: ![](https://i.imgur.com/bNMyMRu.png) -### TODO: Pallas-Vesta curves +### Pallas-Vesta curves + +The Pallas and Vesta curves form a 2-cycle of elliptic curves designed specifically for Halo 2. They are defined over finite fields with highly 2-adic structure, meaning they have large multiplicative subgroups of order $2^S$ where $S = 32$. + +**Pallas curve ($E_p/\mathbb{F}_p$):** +- Base field: $\mathbb{F}_p$ where $p = 2^{254} + t_p$ and $t_p = 45560315531419706090280762371685220353$ +- Scalar field: $\mathbb{F}_q$ where $q = 2^{254} + t_q$ and $t_q = 45560315531506369815346746415080538113$ +- Curve equation: $y^2 = x^3 + 5$ + +**Vesta curve ($E_q/\mathbb{F}_q$):** +- Base field: $\mathbb{F}_q$ (same as Pallas scalar field) +- Scalar field: $\mathbb{F}_p$ (same as Pallas base field) +- Curve equation: $y^2 = x^3 + 5$ + +This 2-cycle structure enables efficient recursive proof composition, where proofs generated on one curve can be efficiently verified on the other curve. The highly 2-adic structure ($p-1 = T \cdot 2^{32}$ with $T$ odd) provides efficient FFT operations and enables a wide variety of circuit sizes. + Reference: https://github.com/zcash/pasta ## Hashing to curves 
@@ -290,7 +305,28 @@ framework used in the Internet Draft makes use of several functions: [cfrg-hash-to-curve]: https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/?include_text=1 -### TODO: Simplified SWU +### Simplified SWU + +The Simplified SWU (Shallue-van de Woestijne-Ulas) method is an efficient hash-to-curve algorithm that maps field elements to curve points. It is particularly well-suited for curves of the form $y^2 = x^3 + b$ where $b \neq 0$. + +For a field element $u \in \mathbb{F}_p$, the Simplified SWU algorithm works as follows: + +1. **Precomputation**: Compute $Z = -b/A$ where $A$ is a non-square in $\mathbb{F}_p$ +2. **Mapping**: For input $u$, compute: + - $t_1 = -Z \cdot (1 + u^2)$ + - $t_2 = -Z \cdot (1 - u^2)$ + - $x_1 = t_1^3 + b$ + - $x_2 = t_2^3 + b$ + - $x_3 = Z \cdot (t_1^2 \cdot t_2^2)$ + +3. **Selection**: Choose the first $x_i$ that is a square in $\mathbb{F}_p$ +4. **Square root**: Compute $y = \sqrt{x_i^3 + b}$ +5. **Sign adjustment**: If $u \cdot y$ is negative, negate $y$ + +The result is the curve point $(x_i, y)$. + +This method is constant-time, deterministic, and provides a uniform distribution over the curve points. It is used in Halo 2 for various cryptographic operations including parameter generation and commitment schemes. + Reference: https://eprint.iacr.org/2019/403.pdf ## References From 4e293c85305f2e34de0db2d32207ef682fb661ea Mon Sep 17 00:00:00 2001 From: Daira-Emma Hopwood Date: Sun, 28 Dec 2025 05:43:33 -0800 Subject: [PATCH 2/2] Apply suggestions from review by @daira --- book/src/background/curves.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/book/src/background/curves.md b/book/src/background/curves.md index bc823ddbe..d90ed675b 100644 --- a/book/src/background/curves.md +++ b/book/src/background/curves.md 
@@ -273,7 +273,7 @@ over $E_q/\mathbb{F}_q,$ forming a 2-cycle with the first: ### Pallas-Vesta curves -The Pallas and Vesta curves form a 2-cycle of elliptic curves designed specifically for Halo 2. They are defined over finite fields with highly 2-adic structure, meaning they have large multiplicative subgroups of order $2^S$ where $S = 32$. +The Pallas and Vesta curves form a 2-cycle of elliptic curves designed to allow efficient recursion in discrete-log-based proof systems such as Halo 2. They are defined over finite fields with highly 2-adic structure, meaning they have large multiplicative subgroups of order $2^S$, where in this case $S = 32$. **Pallas curve ($E_p/\mathbb{F}_p$):** - Base field: $\mathbb{F}_p$ where $p = 2^{254} + t_p$ and $t_p = 45560315531419706090280762371685220353$ @@ -309,7 +309,7 @@ framework used in the Internet Draft makes use of several functions: The Simplified SWU (Shallue-van de Woestijne-Ulas) method is an efficient hash-to-curve algorithm that maps field elements to curve points. It is particularly well-suited for curves of the form $y^2 = x^3 + b$ where $b \neq 0$. -For a field element $u \in \mathbb{F}_p$, the Simplified SWU algorithm works as follows: +For a field element $u \in \mathbb{F}_p$, the core of the Simplified SWU algorithm works as follows: 1. **Precomputation**: Compute $Z = -b/A$ where $A$ is a non-square in $\mathbb{F}_p$ 2. **Mapping**: For input $u$, compute: 
@@ -325,6 +325,8 @@ For a field element $u \in \mathbb{F}_p$, the Simplified SWU algorithm works as The result is the curve point $(x_i, y)$. +In practice for curves with $j$-invariant $0$ such as Pallas and Vesta, this algorithm cannot be used as-is. Instead we map $u$ to an isogenous curve with a non-zero $j$-invariant ("iso-Pallas" or "iso-Vesta"), and then apply the isogeny to give a point on the target curve. Also, the full hash-to-curve operation involves pre-hashing the input with domain separation, and adding the results of two such mappings to the target curve (or equivalently, adding them on the isogenous curve and then applying the isogeny). For full details see the [Sage reference implementation](https://github.com/zcash/pasta/blob/master/hashtocurve.sage). + This method is constant-time, deterministic, and provides a uniform distribution over the curve points. It is used in Halo 2 for various cryptographic operations including parameter generation and commitment schemes. Reference: https://eprint.iacr.org/2019/403.pdf
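Review bot: in the first hunk of PATCH 1/2 (the new `### Pallas-Vesta curves` section), the 2-adicity remark is stated for one field only: "The highly 2-adic structure ($p-1 = T \cdot 2^{32}$ with $T$ odd)". Both fields have this property, and since a circuit over Pallas is arithmetised in its scalar field $\mathbb{F}_q$, the FFT domain that matters for Pallas proofs lives in $\mathbb{F}_q$, not $\mathbb{F}_p$. Suggest "$p - 1$ and $q - 1$ are both of the form $T \cdot 2^{32}$ with $T$ odd", and in the opening sentence say that $\mathbb{F}_p^\times$ and $\mathbb{F}_q^\times$ each contain a subgroup of order $2^{32}$ rather than "finite fields ... have large multiplicative subgroups of order $2^S$" (the subgroup sits in the multiplicative group, not in the field). The constants themselves match the values published in the linked zcash/pasta repository, and the cross-over of base and scalar fields is correctly stated for both curves.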
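Review bot: in the second hunk of PATCH 1/2 (the new `### Simplified SWU` section), the algorithm as written is not the simplified SWU map from the cited paper (or from the CFRG draft this page already references), and the suitability claim is inverted. Simplified SWU requires $y^2 = x^3 + Ax + B$ with both $A \neq 0$ and $B \neq 0$; curves of the form $y^2 = x^3 + b$ have $j$-invariant $0$ and are exactly the case it cannot handle directly, so "particularly well-suited for curves of the form $y^2 = x^3 + b$" should become "requires $A, B \neq 0$; $j$-invariant-$0$ curves such as Pallas and Vesta need an isogenous curve first". In the step list: $Z$ is a fixed non-square chosen by the draft's criteria, not "$-b/A$"; there are two candidates, $x_1 = (-B/A)\,(1 + 1/(Z^2 u^4 + Z u^2))$ (with the exceptional case $x_1 = B/(ZA)$ when the denominator is $0$) and $x_2 = Z u^2 x_1$, not three; the test is whether $g(x_i) = x_i^3 + A x_i + B$ is a square, not whether $x_i$ is; and $y = \sqrt{g(x_i)}$. The line "$x_3 = Z \cdot (t_1^2 \cdot t_2^2)$" looks like a fragment of the original three-candidate SWU map, so the list mixes two constructions. "If $u \cdot y$ is negative" has no meaning in a prime field; the draft uses $\mathrm{sgn0}$ (parity of the canonical representative): set $y \leftarrow -y$ when $\mathrm{sgn0}(u) \neq \mathrm{sgn0}(y)$. Finally, "constant-time, deterministic, and provides a uniform distribution over the curve points" overstates: a single map_to_curve is not uniform (it reaches only part of the curve, some points twice), and it is the draft's hash_to_curve, which hashes to two field elements, maps each and adds the results, that gives output indistinguishable from uniform; constant time is a property of the implementation, not of the method. "used in Halo 2 for various cryptographic operations" is vague; name the concrete use (deriving the commitment generators) or drop the sentence.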
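Review bot: in the second hunk of PATCH 2/2, changing the lead sentence to "the core of the Simplified SWU algorithm works as follows" does not resolve the review problem, because the step list it introduces (shown as context in this hunk) still gives $Z = -b/A$, three candidates, a squareness test on $x_i$ rather than on $x_i^3 + Ax_i + B$, and a "$u \cdot y$ is negative" sign rule, none of which is the simplified SWU map of the referenced paper. The sentence two lines above, "It is particularly well-suited for curves of the form $y^2 = x^3 + b$", is also left as unchanged context and directly contradicts the paragraph the next hunk adds ("for curves with $j$-invariant $0$ ... this algorithm cannot be used as-is"). Suggest fixing both in this same commit: state that the map requires $A, B \neq 0$, and replace the step list with the two-candidate formulas and the $\mathrm{sgn0}$ rule.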
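Review bot: in the third hunk of PATCH 2/2, the added paragraph is correct on both points (the isogeny detour for $j$-invariant $0$, and the equivalence of adding on the isogenous curve then applying the isogeny, since the isogeny is a group homomorphism), but the unchanged sentence that follows it as context, "This method is constant-time, deterministic, and provides a uniform distribution over the curve points", now contradicts it: adding two mapped points is needed precisely because one mapping is not uniform. Suggest rewriting that sentence to "The map is deterministic and can be implemented in constant time; the full hash-to-curve construction (two mappings, added) produces points indistinguishable from uniform", or folding it into the new paragraph. It would also help to say in the new paragraph that iso-Pallas and iso-Vesta are chosen to have $A \neq 0$ and $B \neq 0$, which is the property the simplified SWU map needs.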