
Use `Unknown`/`PrimeOrder` marker types inside circuit

Open ebfull opened this issue 7 years ago • 2 comments

These are used outside the circuit a lot, but it seems they would be very handy inside the circuit. Then, you could have a "compress" method defined only for prime order points, never using get_x when the mapping isn't actually injective.

ebfull, Mar 10 '18 00:03

Remember that the correctness of the Montgomery-curve addition depends on a subtle (but proven) argument about the indices of the inputs, so there would be a loophole in this typing if the premises of that argument didn't hold. I guess it could still rule out some classes of mistake.

daira, Mar 18 '18 09:03

I really don't like the fact that PrimeOrder doesn't mean that the point is of prime order; it only means that it's in the prime-order subgroup. I think it should be renamed to PrimeSubgroup. I will open a ticket.

daira, Feb 04 '19 20:02