You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The C++ implementation is parameterised, the Python and Solidity implementations aren't.
Related to #103 (to match the number of constraints as the zcash/bellman implementation)
They have scaled the parameters so the Bellman implementation of Jubjub can be used without modifying the constraints, this means the security proof from ZCash with their specific constraints can be more directly translated / be applicable.
//! scaling = 1911982854305225074381251344103329931637610209014896889891168275855466657090
//! a' = 21888242871839275222246405745257275088548364400416034343698204186575808495616 == -1 = a*scale^2 mod P
//! d' = 12181644023421730124874158521699555681764249180949974110617291017600649128846 == -(168696/168700) = d*scale^2
For the Python and Solidity implementations this requires the addition of the Scale parameter.
Additionally, need to update the ejubjub.sage file to demonstrate that we can transform from the existing curve parameters to the modified ones.
Additionally need to verify that the jubjub tests defined by zcash are implemented:
(1 / d) is nonsquare
-d is nonsquare
(1 / -d) is nonsquare
Check that A^2 - 4 is nonsquare
Check that A - 2 is nonsquare
Additionally, there is a test to verify that the number of windows per generator in the Pedersen hash does not allow for collisions:
As implemented by Matter Inc. which changes the curve parameters to be able to use the unmodified sapling-crypto repository: https://github.com/matterinc/sapling-crypto
The C++ implementation is parameterised, the Python and Solidity implementations aren't.
Related to #103 (to match the number of constraints as the zcash/bellman implementation)
They have scaled the parameters so the Bellman implementation of Jubjub can be used without modifying the constraints, this means the security proof from ZCash with their specific constraints can be more directly translated / be applicable.
For the Python and Solidity implementations this requires the addition of the
Scaleparameter.Additionally, need to update the
ejubjub.sagefile to demonstrate that we can transform from the existing curve parameters to the modified ones.Additionally need to verify that the jubjub tests defined by zcash are implemented:
(1 / d) is nonsquare-d is nonsquare(1 / -d) is nonsquareCheck that A^2 - 4 is nonsquareCheck that A - 2 is nonsquareAdditionally, there is a test to verify that the number of windows per generator in the Pedersen hash does not allow for collisions:
The text was updated successfully, but these errors were encountered: