# Twisted Edwards and Zcash lemma 5.4.7

*notes where I was confused, I am no longer confused*

We begin with a motivating walkthrough of Twisted Edwards curves, and the proof of [Lemma 5.4.7](https://zips.z.cash/protocol/protocol.pdf#concreteextractorjubjub). *Italics mine*.

First, recall the [Twisted Edwards](https://eprint.iacr.org/2008/013.pdf)[^3] form for elliptic curves. If the Weierstrass curve equation is:

$$y^2=x^3+ax+b$$

Then the Twisted Edwards form is:

$$au^2+v^2 = 1 + du^2v^2$$

The $a$ parameter is the "twist" of the Edwards curve; if $a=1$, the curve is "untwisted". Where[^4]:

$$u = \frac{1+y}{1-y} \quad v=\frac{x}{1-y}$$

**Lemma 5.4.7**. Let $P=(u,v) \in \mathbb J^{(r)}.$ Then $(u,-v) \not \in \mathbb J^{(r)}$ (subgroup of Jubjub of order $r$).

- *what?! If $-P\ne (u,-v)$, then what does it equal? $-P$ must lie within $\mathbb G=\mathbb J^{(r)}$ for $\mathbb G$ to be a group.*

Further, with the Twisted Edwards curve equation presented above, if $(u,v)$ satisfies the equation, then $(\pm u, \pm v)$ will all satisfy the equation, as every coordinate is squared.

**Proof** If $P$ is the point at infinity then $(u,v)=(0,1)$, but $-P=(0,-1)$, which does not lie in the subgroup.

- $a(0^2)+(-1)^2=1+d(0^2)(-1)^2=1$ definitely satisfies the point equation. Is this some peculiar Twisted Edwards convention, to represent the point at infinity as $(0,1)$, but to say that $-O=-(0,1)=(0,1)=O$?

All other points $P$ have odd order.

- *because $P$ lies in some subgroup of order $r$, presumably chosen to be an odd prime*.

Further, $v\ne 0$, since if $v=0$:

$$au^2+0^2=1+d\cdot 0 \implies au^2=1\implies u=\pm \sqrt {1/a}$$

which implies that $[2]P=(0,-1)$, and then $[2]([2]P)=(0,1)=O$, which gives $P$ even order, a contradiction.

- *I thought we just said $(0,-1)$ doesn't lie on the curve by convention?*
- *How did we get to $[2]P=(0,-1)$?*

Now, anticipating contradiction, let $P=(u,v), Q=(u,-v)$ be points on the subgroup. By the doubling formula, we have that $[2]Q=-[2]P$.
But also, $[2](-P)=-[2]P$. Therefore either:

- $Q=-P\implies Q.v = (-P).v$, a contradiction,
  - *I'm not certain I believe that's a contradiction*
- Or doubling is not injective on the subgroup, which contradicts the subgroup's having odd order.

## footnotes

[^4]: Don't check this by hand. The algebra won't work out nicely, or at least mine didn't. I'm not sure why, but I believe the answer has something to do with algebraic geometers mumbling curses, and at this point I'm not interested enough to dig deeper. But if you, dear reader, know what that's about, do reach out, I'd love to know.
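
Lemma 5.4.7 and the intermediate claims of its proof, checked by brute force on a toy curve. This is an added example, not part of the original notes or the Zcash specification; the parameters $p=13$, $a=-1$, $d=6$, $r=5$ and all function names are assumptions chosen here for illustration (this is not Jubjub).

```python
# Toy twisted Edwards curve a*u^2 + v^2 = 1 + d*u^2*v^2 over F_13.
# Constructed parameters, NOT Jubjub: a = -1 is a square and d = 6 a non-square
# mod 13, so the addition law below is complete (denominators never vanish).
P_MOD, A, D = 13, -1 % 13, 6
O = (0, 1)              # neutral element
T = (0, P_MOD - 1)      # (0, -1), the point of order 2

def inv(x):
    return pow(x % P_MOD, -1, P_MOD)

def on_curve(pt):
    u, v = pt
    return (A*u*u + v*v - 1 - D*u*u*v*v) % P_MOD == 0

def add(p, q):
    (u1, v1), (u2, v2) = p, q
    t = D * u1 * u2 * v1 * v2
    return ((u1*v2 + v1*u2) * inv(1 + t) % P_MOD,
            (v1*v2 - A*u1*u2) * inv(1 - t) % P_MOD)

def neg(p):             # group inverse on a twisted Edwards curve: (-u, v)
    return (-p[0] % P_MOD, p[1])

def flip_v(p):          # the map from the lemma: (u, v) -> (u, -v)
    return (p[0], -p[1] % P_MOD)

def mul(k, p):          # naive scalar multiplication, fine for a toy group
    acc = O
    for _ in range(k):
        acc = add(acc, p)
    return acc

def curve_points():
    return [(u, v) for u in range(P_MOD) for v in range(P_MOD)
            if on_curve((u, v))]

def subgroup(r):        # all points killed by r; for prime r, the order-r subgroup
    return {p for p in curve_points() if mul(r, p) == O}

def check_lemma(r):
    G = subgroup(r)
    return all(flip_v(p) not in G                  # Lemma 5.4.7
               and neg(p) in G                     # the inverse stays inside
               and flip_v(p) == add(neg(p), T)     # (u, -v) = -P + (0, -1)
               for p in G)

if __name__ == "__main__":
    print(len(curve_points()), sorted(subgroup(5)), check_lemma(5))
```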