-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
about serialization of bn254 curve point #109
Comments
related discussion on arkworks arkworks-rs/algebra#708 |
Thank you for the reply! In fact, the serialization(compressed version) of bn254 in both projects are very similar except the bit sign. The zcash serialization of bls12-381 sets a good standard here. https://www.ietf.org/archive/id/draft-irtf-cfrg-pairing-friendly-curves-11.html#name-zcash-serialization-format- But for bn254, it can be harder, as there're already many different impls used on production. |
I've stopped myself from ranting against BE. Just letting you know I hate this... It should've all been LE. On the rest, I agree, we can solve this on this way or another. I think we can flip the bit order in the compressed form such that the two ecosystems match together. For the rest, we can define an Any idea how could we formalize this a bit more? We'll be happy to jump into a call, clarify this and update it! |
Unifying the formatting makes sense for the community. Add @huyuncong , maybe he knows someone from arkworks who can take a look. |
Maybe we can try summoning @Pratyush and he can orient us. Also curious to know his thoughts. |
When implementing curve serialization, I have seen 3 different cases:
BigInts/Fields are always serialized in BE, it's also natural when hex debugging. See I2OSP and OS2IP from RSA spec: https://www.rfc-editor.org/rfc/rfc8017.html#section-4 Additionally, if needed, Fp2 and Fp12 serializations might need standardization as well. For Fp2, Zcash serializes extension field first, i.e. the i element then the base field. For Fp12, the serialization should be canonical instead of being tied to a specific towering Fp2 -> Fp6 -> Fp12 vs Fp2 -> Fp4 -> Fp12. See discussion in supranational/blst#101 (comment) |
There is an extra case, the curves that have no extra bits for flags, like I found a couple more issues. halo2curves/src/derive/curve.rs Line 109 in bdb27cc
But it is the 6th in the uncompressed form: halo2curves/src/derive/curve.rs Line 235 in bdb27cc
The way of determining the sign seems not to be agreed upon either. In fact, we are not getting the sign but the parity of the y-coordinate. |
Note that "sign" is a convention that splits a cyclic group in 2 halves. When standardizing hash-to-curve, the "sign" was changed to mean x mod 2:
|
and should notice that sign of bn254 curve in halo2curves and arkworks have different meaning in arkworks: the negative sign always means the bigger one, see the code: while in halo2curves: That means one canno distinguish current y is the smaller one or the bigger one based on the sign in halo2curves impl. |
Recently I'm working on a project which involved both halo2curves and arkworks.rs.
I found that the serialization of bn254 curve point like G1 are different in these two projects.
when serializing, halo2curves add the negative sign as the 6th bit of last bytes, and point of infinity as the 7th bit. see
halo2curves/src/derive/curve.rs
Line 138 in a3f15e4
while arkworks.rs does the opposite(6th for point of infinity, 7th for negative sign). see https://github.com/arkworks-rs/algebra/blob/860a986360a1deb19a4d06b991a1a700d34b1298/ec/src/models/short_weierstrass/serialization_flags.rs#L7
I had dealt the subtle difference in my project.
However, I wonder if there exists a common standard for (de)serialization Field and Curve Point?
If there isn't, I wonder how could we change the situation, and unify the serialization in many other zk projects and make proof parsing more portable?
The text was updated successfully, but these errors were encountered: