Certainly one curve is less complex than two, and Ethereum already uses the bls12-381 curve, so why introduce another curve? Good question, I'm glad you have the mental fortitude to challenge me so early in the article.
TLDR: It allows us to create efficient zero knowledge proofs in a snark.
Proof of execution
A proof of execution is an protocol that allows you to prove that some function
Embedded curves
Although the verification of such proof is usually quick no matter the size of
The astute reader may notice that I used the term bandersnatch in the last sentence, but the title says banderwagon. To explain the difference, lets build an analogy with a simpler example.
Uint32
vs NonZeroUint32
A uint32
is a data type that is able to store a number between
Now consider the data type NonZeroUint32
. It is a uint32
but it disallows the value zero. The way it does this is not important, it could be that upon creation, the number is checked to not be zero.
A NonZeroUint32
is able to store a number between NonZeroUint32
is a safety invariant over a uint32
as its safe to use it if you need the number to never be zero.
Bandersnatch vs Banderwagon
Similarly, one can view banderwagon as a safety invariant over bandersnatch. There are points in the bandersnatch group that are disallowed in the banderwagon group. The way it does this, is what we will build up to in the following documents.
Why do we want to avoid certain points with banderwagon?
There are two types of points that one generally wants to avoid:
Note: Banderwagon does not avoid points of low order, instead they are merged or quotiented out into points of prime of order.
Credit
The technique used to transform bandersnatch into banderwagon existed in the literature for almost a decade and was adapted to bandersnatch by Gottfried Herold.