Try   HackMD

Barrett Reduction

Barrett reduction allows us to quickly calculate the quotient

q and reminder
r of
a(modn), i.e.
a=qn+r,0r<n.

GLV

One of the use case is in GLV decomposition. For simplicity, we consider all the integers below are less than

2256. We want to decompose
k=k1+k2λ with both
k1,k2 are small. Here is the correspondence
ka,k1r,k2q,λn

When

λ is
128 bit, we can use Barrett reduction to derive
k1,k2 with
k1<2128,k2<2128.

In the glv paper, it considers more general case where

λ might not be
128 bit and hence use lattice based algorithm to derive small
k1,k2 (which might not less than
2128)

Barrett Reduction Algorithm

In practice, We use

β=2128 (or
2c in general) for efficient calculation. For BLS12-381 curve, n=lambda=0xAC45A4010001A40200000000FFFFFFFF is exaclty
128 bit, hence satisfy algorithm's assumption.

Algorithm 1
Assume

0a<β2,
β/2<n<β.
I=β2/nq=aIβ2r=aqnwhile r>=n:r=rn;q=q+1(at most 1 times)
Proof
It's easy to see
r(modn)=a(modn). We just need to prove
0r<2n (value of
r before while loop).
qaIβ2aβ2nβ2r0I>β2/n1In>β2nq>aIβ21β2q>aIβ2β2qn>aInβ2n>aβ2anβ2n>β2(a2n)aqn<2n

We prove a general algorithm.
Algorithm 2
Assume

0a<β2,
β/2<n<β.
I=β2/na=a1γ+a2,a1=a/γ,a2=a(modγ)q=a1γIβ2,k=a0Iβ2r=aqnwhile r>=n:r=rn;q=q+1(at most 2+k times)
Proof
(In general, algorithm holds as long as
a0Iβ2k for some integer
k).
Define
q0=aIβ2=a1γIβ2+a0Iβ2, we have
qq0a1γIβ2+k=q+k
By Algorithm 1, we have
aqna(q0k)n=aq0n+kn<(2+k)n

Example 1 If we choose

γ=β, we have
a0I/β2<β2β/β2=2, we derive the algorithm in section 2.4.1 in Modern Computer Arithmetic (reference), where
r<4n.

Example 2 If we choose

γ=β/2, we have
a0I/β2<γ2β/β21. Thus
r<(2+k)n=3n.

Reference

Faster Point Multiplication on Elliptic Curves
with Efficient Endomorphisms
Modern Computer Arithmetic

tags: public
Last changed by 
Chao
0
1
1889

Read more

Lookup argument for folding

Example Assume in lookup arguments, we have two columns $(A,S)$, and try to lookup $A_i\in S$. Firstly, we cannot directly fold two such instances, e.g. with random factor $r=1$: $$A_1=[1,1,2,3], S_1=[1,2,3,4,5]\ A_2=[1,1,1,2], S_2=[1,2,3,4,5]\ A_1+A_2=[2,2,3,5], S_1+S_2=[2,4,6,8,10]$$ Obviously $(A_1+A_2, S_1+S_2)$ will not work. And since the lookup is arbitrary, we probably will not have any explicit formula to make the folding of $(A,S)$ work. Attempt 1 Assume we want to calcualte a function $F: X\rightarrow Y$. Instead of writing circuit for $F$, we do lookup argument that $(x,F(x))\in S$. Here $S={(x,F(x))|x\in X}$.

Mar 20, 2023
Montgomery modular multiplication

Original version Suppose $a,b\in \mathbb{Z}_N$, modular multiplication $[ab]$ requires first multiply them in the range $[0,N^2-2N+1]$, and then use Euclidean division theorem to get $ab=qN+r,q=\lfloor ab/N\rfloor$, such that $[ab]=r$. The division is quite expensive. Montgomery form is to choose a different divisor $R&gt;N$ with $\gcd{(R, N)}=1$. For example, by choose $R=2^n$, the division is just shift by $n$ bits. Thus, we just want to make sure the numerator is divisible by $R$. Montgomery form of $a$ is defined as $\bar{a}=[aR]$, i.e. residual class of $aR$. We have: $$\gcd{(R,N)}=1\implies \exists R^{-1}:RR^{-1}\equiv 1\implies\exists N&apos;&lt;R:RR^{-1}=N&apos;N+1$$ i.e. $N&apos;$ is negative mod inverse of $N$ w.r.t $R$. And we have multiplication by $R$ is ring isomorphism. And: $$T=[aR][bR]\equiv abR\cdot R\equiv [abR]\cdot R$$ Notice $T&lt;N\cdot N&lt; R*N$. For any $0\leq T &lt; RN$, define reduction form of $T$ as: $$t=redc(T):=TR^{-1}\pmod N$$ i.e. $\overline{ab}=redc(\bar{a}\bar{b})$. We use the following algorithm to do the reduction:

Feb 10, 2023
Plonk By Hand

Reference plonk by hand (part1) plonk by hand (part2) plonk by hand (part3) Codes All the codes below are python with SageMath.

Feb 2, 2023
MACI v1.0: top-up voice credits

Introduction In previous design, when an user signup, she will get an initial voice credit balance. This info is stored in corresponding stateLeaf. For multiple polls, an user can spend credits upto this initial balance. e.g. If an user has initial 100 credits. Then she can spend a total of 100 credits for each poll. If she wants to spend more than initial balance, she has to signup again. The purpose of top-up feature is to allow users to add more credits without signup again. Design One approach is to modify the voiceCreditBalance on the stateLeaf each time when user deposit new credits. This is the current approach we are going to take. Proposal Notice that an user cannot just arbitrarily send a topup command to add credits. Instead, we add an ERC20 contract to store voting credits. Then the user can use the topup function in poll.sol to deposit tokens into the contract address. In the current design, we don&apos;t allow users to withdraw their tokens. The reason is that withdraw feature can allow malicious one to bribe others offline to transfer their keys. Without withdraw function, the malicious cannot distinguish whether key transferred is valid or not. Since now the poll.sol contract address will hold all the funds deposit from users for the current pollID. At the end of poll, the coordinator (or anyone) can transfer funds in poll.sol into hardcoded address which is used for public goods.

Jan 19, 2023
Read more from Chao
Published on HackMD