Implementation of the Jubjub elliptic curve group

Overview

jubjub Crates.io

This is a pure Rust implementation of the Jubjub elliptic curve group and its associated fields.

  • This implementation has not been reviewed or audited. Use at your own risk.
  • This implementation targets Rust 1.47 or later.
  • All operations are constant time unless explicitly noted.
  • This implementation does not require the Rust standard library.

Documentation

Curve Description

Jubjub is the twisted Edwards curve -u^2 + v^2 = 1 + d.u^2.v^2 of rational points over GF(q) with a subgroup of prime order r and cofactor 8.

q = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
r = 0x0e7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7
d = -(10240/10241)

The choice of GF(q) is made to be the scalar field of the BLS12-381 elliptic curve construction.

Jubjub is birationally equivalent to a Montgomery curve y^2 = x^3 + Ax^2 + x over the same field with A = 40962. This value of A is the smallest integer such that (A - 2) / 4 is a small integer, A^2 - 4 is nonsquare in GF(q), and the Montgomery curve and its quadratic twist have small cofactors 8 and 4, respectively. This is identical to the relationship between Curve25519 and ed25519.

Please see ./doc/evidence/ for supporting evidence that Jubjub meets the SafeCurves criteria. The tool in ./doc/derive/ will derive the curve parameters via the above criteria to demonstrate rigidity.

Acknowledgements

Jubjub was designed by Sean Bowe. Daira Hopwood is responsible for its name and specification. The security evidence in ./doc/evidence/ is the product of Daira Hopwood and based on SafeCurves by Daniel J. Bernstein and Tanja Lange. Peter Newell and Daira Hopwood are responsible for the Jubjub bird image.

Please see Cargo.toml for a list of primary authors of this codebase.

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Comments
  • Why is the Jubjub base field exposed?

    Why is the Jubjub base field exposed?

    Is there a use-case for exposing the base field of Jubjub? From the perspective of a user of the elliptic curve library, the base field of the curve is an implementation detail. From looking through the API it seemed like the only place that it's used in the public API is in functions like from_raw_unchecked for unsafely constructing points, but it's not clear why someone would need to do that.

    opened by hdevalence 9
  • Expose Fr::MODULUS

    Expose Fr::MODULUS

    As jubjub::MODULUS:

    use jubjub::{Fr, MODULUS};
    
    let modulus: Fr = MODULUS;
    // do something with it
    

    IMO the current docs ("Constant representing the modulus r = 0x...") are okay, and it doesn't need a rename or anything.

    I found this useful, not sure if others will.

    opened by znewman01 6
  • Fix ZIP 216 bug

    Fix ZIP 216 bug

    See ZIP 216 for more details.

    A new API jubjub::AffinePoint::from_bytes_pre_zip216_compatibility has been added for consensus compatibility. We will use this API in Zcash code until NU5 activates.

    opened by str4d 5
  • Fq inverse (addition chain for fq)

    Fq inverse (addition chain for fq)

    This PR is to add an addition chain for performing faster inversion over Fq. According to the benchmark it takes about half the time that the naive way does.

    This is using the baseline addition presented by @ValarDragon in https://github.com/zkcrypto/jubjub/issues/1

    I wrote a simple program in Java to convert the output in to rust code. I can share that tool if it useful or when we do teh same for Fr.

    opened by Eirik0 5
  • Constant time everything

    Constant time everything

    This changes virtually everything to be constant time, by introducing a new Maybe abstraction that can later be upstream'd to subtle. This borrows from #18's constant time Tonelli-Shanks, adapted to match the current implementation that is more efficient and more closely based on the paper.

    TODO: tests for Maybe::and_then and Maybe::map

    opened by ebfull 2
  • Point arithmetic (addition/doubling)

    Point arithmetic (addition/doubling)

    This is all of the point arithmetic we could possibly need; though we have to consider what is and isn't necessary downstream, and expose a simpler interface. ~This is mostly based on what curve25519-dalek does.~ I've modified my proposed API based on Mike Hamburg's paper.

    • [ ] AffinePoint represents a (u, v) coordinate in memory.
      • [ ] ::identity() -> Self (forward from Default::default())
      • [ ] ::compress(&self) -> [u8; 32]
      • [ ] ::decompress_vartime([u8; 32]) -> Self
      • [ ] ::get_u(&self) -> Fq
      • [ ] ::get_v(&self) -> Fq
      • [ ] ::to_affine_niels(&self) -> AffineNielsPoint
      • [ ] ::double(&self) -> ExtendedPoint
      • [ ] (private) ::is_on_curve_var(&self) -> bool
    • [ ] ExtendedPoint represents a (U, V, T1, T2, Z) coordinate in memory. (u:Z, v:Z with T1*T2 = uv/Z)
      • [ ] ::to_affine(&self) -> AffinePoint
      • [ ] ::double(&self) -> CompletedPoint
    • [ ] AffineNielsPoint represents an affine point in Niels coordinates (v+u, v-u, uv2d)
    • [ ] ProjectiveNielsPoint represents a projective point in Niels coordinates (V+U, V-U, Z, 2dUV)

    Traits

    • [ ] impl Add<&ExtendedNielsPoint> for &ExtendedPoint
    • [ ] impl Add<&AffineNielsPoint> for &ExtendedPoint
    • [ ] impl Sub<&ExtendedNielsPoint> for &AffinePoint
    • [ ] impl Sub<&AffineNielsPoint> for &AffinePoint
    • [ ] impl Neg for &AffineNielsPoint
    • [ ] impl Neg for &ProjectiveNielsPoint
    • [ ] impl Neg for &AffinePoint
    • [ ] impl Neg for &ExtendedPoint
    opened by ebfull 1
  • Fq square assign

    Fq square assign

    This PR is to incorporate the squaring algorithm from https://github.com/zcash/librustzcash/blob/master/pairing/src/bls12_381/fr.rs#L467

    I've also added some benchmarks and refactored some of the helper functions to return pairs rather than update one value by reference.

    opened by Eirik0 1
  • Optimize square root implementation for Fq

    Optimize square root implementation for Fq

    Suggested by @str4d:

    The Sarkar algorithm used in the Pasta implementation is applicable to Fq since it is highly 2-adic. (Fr is not, but optimizing Fq square roots is more important for Jubjub curve point decompression, and therefore for Sapling trial decryption; see https://github.com/zcash/librustzcash/pull/423#issuecomment-894377882 ).

    opened by daira 0
  • Will be good to add a tag on each release ?

    Will be good to add a tag on each release ?

    In crates.io jubjub version is at 0.7.0 (https://crates.io/crates/jubjub) but here in github is 0.3.0 which is a bit confusing. Will it worth to tag 0.7.0 here now ?

    opened by oxarbitrage 0
  • Recalculate w-NAF recommendations

    Recalculate w-NAF recommendations

    The implementation of WnafGroup::recommended_wnaf_for_num_scalars copies the empirical recommendations from the old pairing::bls12_381 implementation of G1. We should recalculate them for this implementation.

    https://github.com/zcash/librustzcash/pull/245#discussion_r471616548

    opened by str4d 0
  • Serde support

    Serde support

    We'd like to have Serde support for use implementing FROST for redjubjub (tracking issue: https://github.com/ZcashFoundation/redjubjub/issues/21). I'd be happy to implement this (probably feature-gated behind a serde feature?) if it would fit with the library.

    opened by hdevalence 0
  • Request for Addition Chains

    Request for Addition Chains

    Jubjub needs you!

    ... to make efficient addition chains.

    • 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfefffffffeffffffff (for inversion in Fq)
    • 0x39f6d3a994cebea4199cec0404d0ec02a9ded2017fff2dff7fffffff80000000 (for Legendre symbol in Fq)
    • 0x39f6d3a994cebea4199cec0404d0ec02a9ded2017fff2dff80000000 (for sqrt in Fq)
    • 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff (also for sqrt in Fq)

    • 0x0e7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb5 (for inversion in Fr)
    opened by ebfull 6
Owner
Zero-knowledge Cryptography in Rust
Zero-knowledge Cryptography in Rust
Elliptic-curves - Collection of pure Rust elliptic curve implementations (e.g. P-256, P-384, secp256k1)

RustCrypto: Elliptic Curves General purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic cu

Rust Crypto 386 Dec 27, 2022
Implementation of the BLS12-381 pairing-friendly elliptic curve group

bls12_381 This crate provides an implementation of the BLS12-381 pairing-friendly elliptic curve construction. This implementation has not been review

Zero-knowledge Cryptography in Rust 183 Dec 27, 2022
Rust implementation of {t,n}-threshold ECDSA (elliptic curve digital signature algorithm).

Multi-party ECDSA This project is a Rust implementation of {t,n}-threshold ECDSA (elliptic curve digital signature algorithm). Threshold ECDSA include

[ZenGo X] 706 Jan 5, 2023
X25519 elliptic curve Diffie-Hellman key exchange in pure-Rust, using curve25519-dalek.

x25519-dalek A pure-Rust implementation of x25519 elliptic curve Diffie-Hellman key exchange, with curve operations provided by curve25519-dalek. This

dalek cryptography 252 Dec 26, 2022
Multi Party Key Management System (KMS) for Secp256k1 Elliptic curve based digital signatures.

Key Management System (KMS) for curve Secp256k1 Multi Party Key Management System (KMS) for Secp256k1 Elliptic curve based digital signatures. Introdu

[ZenGo X] 61 Dec 28, 2022
Elliptic curve cryptography on Soroban.

Elliptic Curve Cryptography on Soroban Contract examples and reusable primitives. Groth 16 verifier. This crate provides a SorobanGroth16Verifier obje

Xycloo Labs 5 Feb 10, 2023
Private key finder based on the (Bitcoin) secp256k1 elliptic curve.

keyripper keyripper is a powerful tool developed in Rust to assist in the recovery of Bitcoin private keys by leveraging the Baby-Step Giant-Step (BSG

Denzy 12 Sep 27, 2024
This is the repository for the group project assignment in the course "Project in Introduction to Computer Science" (DD1396), by the Inda21plusplus group.

Project-Delta This is the repository for the group project assignment in the course "Project in Introduction to Computer Science" (DD1396), by the Ind

null 9 May 24, 2022
Bulletproofs and Bulletproofs+ Rust implementation for Aggregated Range Proofs over multiple elliptic curves

Bulletproofs This library implements Bulletproofs+ and Bulletproofs aggregated range proofs with multi-exponent verification. The library supports mul

[ZenGo X] 62 Dec 13, 2022
Rust implementation of multi-party Schnorr signatures over elliptic curves.

Multi Party Schnorr Signatures This library contains several Rust implementations of multi-signature Schnorr schemes. Generally speaking, these scheme

[ZenGo X] 148 Dec 15, 2022
Implementation of the Grumpkin curve in Rust.

Grumpkin curve implementation in Rust This repository implements the Grumpkin curve for use in Rust, by building off of the code provided by ZCash and

Jules 3 Dec 26, 2022
L2 validity rollup combined with blind signatures over elliptic curves inside zkSNARK, to provide offchain anonymous voting with onchain binding execution on Ethereum

blind-ovote Blind-OVOTE is a L2 voting solution which combines the validity rollup ideas with blind signatures over elliptic curves inside zkSNARK, to

Aragon ZK Research 3 Nov 18, 2022
A pure-Rust implementation of group operations on Ristretto and Curve25519

curve25519-dalek A pure-Rust implementation of group operations on Ristretto and Curve25519. curve25519-dalek is a library providing group operations

dalek cryptography 611 Dec 25, 2022
A Rust implementation of the Message Layer Security group messaging protocol

Molasses An extremely early implementation of the Message Layer Security group messaging protocol. This repo is based on draft 4 of the MLS protocol s

Trail of Bits 109 Dec 13, 2022
A Rust implementation of the Message Layer Security group messaging protocol

Molasses An extremely early implementation of the Message Layer Security group messaging protocol. This repo is based on draft 4 of the MLS protocol s

Trail of Bits 109 Dec 13, 2022
An NTP implementation in Rust, supported by Internet Security Research Group's Prossimo project.

NTPD-rs NTPD-rs is an implementation of NTP completely written in Rust, with a focus on exposing a minimal attack surface. The project is currently in

Prossimo (ISRG) 302 Jan 4, 2023
Yet Another Kalman Filter Implementation. As well as Lie Theory (Lie group and algebra) on SE(3). [no_std] is supported by default.

yakf - Yet Another Kalman Filter Yet Another Kalman Filter Implementation, as well as, Lie Theory (Lie group, algebra, vector) on SO(3), SE(3), SO(2),

null 7 Dec 1, 2022
A Trojan implementation from SSPanel-Uim group

TrojanX A Trojan-based proxy implementation. Attention Early Version This is an early version. Security, features, and potential bugs may be insuffici

SSPanel-Uim 56 Apr 26, 2023
Fast Hilbert space-filling curve transformation using a LUT

Fast Hilbert Fast Hilbert 2D curve computation using an efficient Lookup Table (LUT). Convert from discrete 2D space to 1D hilbert space and reverse V

Armin Becher 20 Nov 3, 2022
A Curve-like AMM for Secret Network

A Curve-like AMM for Secret Network. Supports a varibale number of tokens with the same underlying value.

Enigma 16 Dec 11, 2022