The decaf377 group
Penumbra, like many other zero-knowledge protocols, requires a cryptographic group that can be used inside of an arithmetic circuit. This is accomplished by defining an “embedded” elliptic curve whose base field is the scalar field of the proving curve used by the proof system.
The Zexe paper, which defined BLS12-377, also defined (called in Figure 16 of the paper) a cofactor-4 Edwards curve defined over the BLS12-377 scalar field for exactly this purpose. However, non-prime-order groups are a leaky abstraction, forcing all downstream constructions to pay attention to correct handling of the cofactor. Although it is usually possible to do so safely, it requires additional care, and the optimal technique for handling the cofactor is different inside and outside of a circuit.
Instead, applying the Decaf construction to this curve gives decaf377, a
clean abstraction that provides a prime-order group complete with hash-to-group
functionality and whose encoding and decoding functions integrate validation.
Although it imposes a modest additional cost in the circuit context, as
discussed in Costs and Alternatives, the
construction works the same way inside and outside of a circuit and imposes no
costs for lightweight, software-only applications, making it a good choice for
general-purpose applications.
Curve Parameters
The cofactor-4 Edwards curve defined over the BLS12-377 scalar field has the following parameters:
- Base field: Integers mod prime
- Elliptic curve equation: with and
- Curve order: where
We use a conventional generator basepoint selected to have a convenient hex encoding:
0x0800000000000000000000000000000000000000000000000000000000000000
In affine coordinates this generator point has coordinates:
Implementation
An implementation of decaf377 can be found here.