Is there anything wrong in `s` vector in section 3.1 of Halo paper?

ebfull / halo

Other

115 stars 17 forks source link

Is there anything wrong in `s` vector in section 3.1 of Halo paper? #23

Closed 3for closed 4 years ago

3for commented 5 years ago

I think the s vector should be shown as below:

ebfull commented 5 years ago

It's possible this is backwards, but...

u_j is the challenge for the jth round starting with u_k and going down to u_1. This means that the first elements of the s vector (corresponding to the lower side of the beginning rounds) will be multiplied by the inverses. If I'm right, our paper at least must be updated to clarify this ordering. (I am trying to replicate the ordering described here.)

3for commented 5 years ago

@ebfull The curve for EC0 and EC1 (y^2=x^3+5 and y^2=x^3+7, both with different finite field p from secp224k1 and secp256k1.) It seemed that EC0 and EC1 are new pairing-friendly curves? Is there a corresponding paper for them?

ebfull commented 5 years ago

We're actually changing to a different curve cycle in an update to our paper, but these are not intended to be pairing-friendly cycles. We're avoiding pairings entirely.

3for commented 5 years ago

Wow, expecting the update so much.

daira commented 4 years ago

The ordering in the paper is consistent with https://doc-internal.dalek.rs/bulletproofs/inner_product_proof/index.html , so this can be closed.