5. Elliptic curves over finite fields
The generator is very important for an elliptic curve over a finite field, because every operation on the curve is defined relative to the generator.
Choosing a suitable generator, so that the prime field is large enough and the order is high enough (enough points are traversed), greatly strengthens the security of the curve.
In most situations, an Elliptic Curve E is the graph of an equation of the form \(y^2 = x^3 + Ax + B\), where A and B are constants. This is called the Weierstrass equation for an elliptic curve.
TODO: elliptic_curves_group_law.pdf
Common elliptic curves
BLS12-381: p = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
BLS12-381
BLS12-381 (2017), a 255-bit curve (the EIP-4844 KZG commitment curve). Developed by Sean Bowe for Zcash, and will be used by Ethereum.
Many protocols are putting it to use for digital signatures and zero-knowledge proofs: Zcash, Ethereum 2.0, Skale, Algorand, Dfinity, Chia, and more.
BLS12-381 is a pairing-friendly elliptic curve. Pairing-based cryptography has been developed over the last couple of decades, enabling useful new applications such as short digital signatures that are efficiently aggregatable, identity-based cryptography, single-round multi-party key exchange, and efficient polynomial commitment schemes such as KZG commitments.
The basic equation of the BLS12-381 curve is \(y^2 = x^3 + 4\)
TODO - [ ] Why is there both a field order and a subgroup order?
Field modulus:
0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
field order = 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787
Subgroup size / order of the BLS12-381 elliptic curve:
group order = hex(52435875175126190479447740508185965837690552500527637822603658699938581184513)
The order of this curve ends (in hex) in a long run of 0s followed by a 1: order - 1 is the order of the multiplicative group, and from it one can generate a multiplicative subgroup containing a root of unity of high order.
PRIMITIVE_ROOT = 5
Note: on choosing an order that is a power of 2, ref: Order of elements in cyclic group - TheoremDep
Ethereum EIP-4844 introduces KZG commitments to produce compressed proofs for shard (blob) transactions: EIP-4844: Shard Blob Transactions
BLS12-381 For The Rest Of Us - HackMD
BLS Curves (BLS12-381) and BLS Signatures
alt_bn128
ALT_BN128 (2015), also known as BN254, a 254-bit curve (used in Ethereum ZKPs). Developed by SCIPR-lab.
Pairing-friendly.
Order of bn128:
hex(21888242871839275222246405745257275088548364400416034343698204186575808495617)
Generator 5.
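As an added example (not part of the original notes), the Python below checks the point made in the BLS12-381 section above and in this bn128 section: it counts the trailing zero bits of r - 1 for both quoted subgroup orders and derives a primitive 2^k-th root of unity from PRIMITIVE_ROOT = 5, the generator value the notes quote. The function names and the KZG evaluation-domain helper are my own.

```python
# Added example: why the scalar-field orders r of BLS12-381 and bn128 end in a
# long run of zero bits, and how that gives high-order roots of unity for
# FFT-style polynomial commitment (KZG) work. Values are the ones quoted in
# the notes; r - 1 is the order of the multiplicative group F_r^*.
BLS12_381_R = 52435875175126190479447740508185965837690552500527637822603658699938581184513
BN128_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
PRIMITIVE_ROOT = 5  # generator value quoted in the notes for both fields


def two_adicity(n: int) -> int:
    """Largest k such that 2**k divides n (number of trailing zero bits)."""
    return (n & -n).bit_length() - 1


def is_quadratic_nonresidue(g: int, r: int) -> bool:
    """Euler's criterion: g is a non-square mod prime r iff g^((r-1)/2) == -1.
    A non-square is the necessary condition for g^((r-1)/2^s) to have exact
    order 2^s, where s is the 2-adicity of r - 1 (a generator is always one)."""
    return pow(g, (r - 1) // 2, r) == r - 1


def root_of_unity(r: int, g: int, k: int) -> int:
    """w = g^((r-1)/2^k) mod r, a 2^k-th root of unity in F_r (needs 2^k | r-1)."""
    s = two_adicity(r - 1)
    if k > s:
        raise ValueError(f"2^{k} does not divide r-1 (2-adicity is {s})")
    return pow(g, (r - 1) >> k, r)


def is_primitive_root_of_unity(w: int, k: int, r: int) -> bool:
    """w has exact order 2^k: w^(2^k) == 1 but w^(2^(k-1)) != 1."""
    return pow(w, 1 << k, r) == 1 and pow(w, 1 << (k - 1), r) != 1


def evaluation_domain(r: int, g: int, k: int) -> list:
    """The 2^k distinct powers of w: the domain a KZG/FFT implementation
    evaluates polynomials on (hypothetical helper, not a library API)."""
    w = root_of_unity(r, g, k)
    dom, cur = [], 1
    for _ in range(1 << k):
        dom.append(cur)
        cur = cur * w % r
    return dom


if __name__ == "__main__":
    for name, r in (("BLS12-381", BLS12_381_R), ("bn128", BN128_R)):
        s = two_adicity(r - 1)
        w = root_of_unity(r, PRIMITIVE_ROOT, s)
        print(name, "2-adicity of r-1:", s,
              "primitive 2^s-th root:", is_primitive_root_of_unity(w, s, r))
```

The trailing 0x00000001 of the BLS12-381 order and 0xf0000001 of the bn128 order are exactly these 32 and 28 zero bits, which is what allows radix-2 FFT domains of size 2^32 and 2^28.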
the secp256k1 curve
Secp256k1 is the name of the elliptic curve used by Bitcoin to implement its public-key cryptography (the ECDSA algorithm). All points on this curve are valid Bitcoin public keys.
Formula:
For secp256k1, a = 0 and b = 7, which yields the equation \(y^2 = x^3 + 7\)
Jacobi curve
In mathematics, the Jacobi curve is a representation of an elliptic curve different from the usual one defined by the Weierstrass equation. It is sometimes used in cryptography instead of the Weierstrass form because it can provide a defence against simple and differential power analysis (SPA/DPA) style attacks.
Jacobian Coordinates are used to represent elliptic curve points on prime curves. They give a speed benefit over Affine Coordinates when the cost for field inversions is significantly higher than field multiplications.
Note: the same point may have different Jacobian coordinates; use == to test for equality.