align comments and fix numeration of steps

Signed-off-by: Uncle Fatso <uncle.fatso@ghostchain.io>
ability to add mixed points
2025-10-12 22:15:10 +03:00 · 2025-10-12 22:10:58 +03:00
3 changed files with 117 additions and 43 deletions
--- a/src/MathTester.sol
+++ b/src/MathTester.sol
@ -37,6 +37,15 @@ contract MathTester {
        return EllipticCurveProjective.projectiveDouble(x1, y1, 1);
    }

+    function addProjectiveMixed(
+        uint256 x1,
+        uint256 y1,
+        uint256 x2,
+        uint256 y2
+    ) public pure returns (uint256, uint256, uint256) {
+        return EllipticCurveProjective.projectiveAddMixed(x1, y1, 1, x2, y2);
+    }
+
    function toAffineJacobian(uint256 x, uint256 y, uint256 z) public pure returns (uint256, uint256) {
        return EllipticCurve.toAffine(x, y, z, P);
    }
--- a/src/libraries/ECMathProjective.sol
+++ b/src/libraries/ECMathProjective.sol
@ -14,6 +14,45 @@ library EllipticCurveProjective {

    uint256 private constant B3 = 21;

+    function projectiveAddMixed(
+        uint256 X1,
+        uint256 Y1,
+        uint256 Z1,
+        uint256 X2,
+        uint256 Y2
+    ) internal pure returns (uint256 X3, uint256 Y3, uint256 Z3) {
+        // We implement the complete addition formula from Renes-Costello-Batina 2015
+        // (https://eprint.iacr.org/2015/1060 Algorithm 8).
+
+        // X3 = (X1Y2 + X2Y1)(Y1Y2 − 3bZ1) − 3b(Y1 + Y2Z1)(X1 + X2Z1),
+        // Y3 = (Y1Y2 + 3bZ1)(Y1Y2 − 3bZ1) + 9bX1X2(X1 + X2Z1),
+        // Z3 = (Y1 + Y2Z1)(Y1Y2 + 3bZ1) + 3X1X2(X1Y2 + X2Y1),
+
+        uint256 t0 = mulmod(X1, X2, P);           // 1.  t0 ← X1 · X2 => (X1·X2)
+        uint256 t1 = mulmod(Y1, Y2, P);           // 2.  t1 ← Y1 · Y2 => (Y1·Y2)
+        uint256 t3 = mulmod(X2, Y1, P);           // 3.  t3 ← X2 + Y2 => (X2·Y1)
+        uint256 t4 = mulmod(X1, Y2, P);           // 4.  t4 ← X1 + Y1 => (X1·Y2)
+        t3 = addmod(t3, t4, P);                   // 5.  t3 ← t3 − t4 => (X2·Y1 + X1·Y2)
+        t4 = mulmod(Y2, Z1, P);                   // 6.  t4 ← Y2 · Z1 => (Y2·Z1)
+        t4 = addmod(t4, Y1, P);                   // 7.  t4 ← t4 + Y1 => (Y2·Z1 + Y1)
+        Y3 = mulmod(X2, Z1, P);                   // 8.  Y3 ← X2 · Z1 => (X2·Z1)
+        Y3 = addmod(Y3, X1, P);                   // 9.  Y3 ← Y3 + X1 => (X2·Z1 + X1)
+        t0 = mulmod(3, t0, P);                    // 10. t0 ← X3 + t0 => (3·(X1·X2))
+        uint256 t2 = mulmod(B3, Z1, P);           // 11. t2 ← b3 · Z1 => (b3·Z1)
+        Z3 = addmod(t1, t2, P);                   // 12. Z3 ← t1 + t2 => (Y1·Y2 + b·3·Z1)
+        t1 = addmod(t1, P - t2, P);               // 13. t1 ← t1 − t2 => (Y1·Y2 - b·3·Z1)
+        Y3 = mulmod(B3, Y3, P);                   // 14. Y3 ← b3 · Y3 => 3·b·(X2·Z1 + X1)
+        X3 = mulmod(t4, Y3, P);                   // 15. X3 ← t4 · Y3 => (Y2·Z1 + Y1)·b·3·(X2·Z1 + X1)
+        t2 = mulmod(t3, t1, P);                   // 16. t2 ← t3 · t1 => ((X2·Y1 + X1·Y2)·(Y1·Y2 - b3·Z1))
+        X3 = addmod(t2, P - X3, P);               // 17. X3 ← t2 − X3 => ((X2·Y1 + X1·Y2)·(Y1·Y2 - b3·Z1) - 3·B·(Y2·Z1 + Y1)·(X2·Z1 + X1))
+        Y3 = mulmod(Y3, t0, P);                   // 18. Y3 ← Y3 · t0 => (9·b·(X2·Z1 + X1)·X1·X2)
+        t1 = mulmod(t1, Z3, P);                   // 19. t1 ← t1 · Z3 => (Y1·Y2 - b·3·Z1)·(Y1·Y2 + b·3·Z1)
+        Y3 = addmod(t1, Y3, P);                   // 20. Y3 ← t1 + Y3 => ((Y1·Y2 - b·3·Z1)·(Y1·Y2 + 3·b·Z1) + 9·b·(X2·Z1 + X1)·X1·X2)
+        t0 = mulmod(t0, t3, P);                   // 21. t0 ← t0 · t3 => (3·X2·Y1 + (X2·Y1 + X1·Y2))
+        Z3 = mulmod(Z3, t4, P);                   // 22. Z3 ← Z3 · t4 => (Y1·Y2 + b·3·Z1)·(Y2·Z1 + Y1)
+        Z3 = addmod(Z3, t0, P);                   // 23. Z3 ← Z3 + t0 => ((Y1·Y2 + b·3·Z1)·(Y2·Z1 + Y1) + 3·X2·Y1·(X2·Y1 + X1·Y2))
+    }
+
    function projectiveAdd(
        uint256 X1,
        uint256 Y1,
@ -31,39 +70,39 @@ library EllipticCurveProjective {

        // TODO: Can we optimize it even more?

-        uint256 t0 = mulmod(X1, X2, P);          // 1.  t0 ← X1 · X2  => (X1·X2)
-        uint256 t1 = mulmod(Y1, Y2, P);          // 2.  t1 ← Y1 · Y2  => (Y1·Y2)
-        uint256 t2 = mulmod(Z1, Z2, P);          // 3.  t2 ← Z1 · Z2  => (Z1·Z2)
-        uint256 t3 = addmod(X1, Y1, P);          // 4.  t3 ← X1 + Y1  => (X1 + Y1)
-        uint256 t4 = addmod(X2, Y2, P);          // 5.  t4 ← X2 + Y2  => (X2 + Y2)
-        t3 = mulmod(t3, t4, P);                  // 6.  t3 ← t3 · t4  => ((X1 + Y1) · (X2 + Y2))
-        t4 = addmod(t0, t1, P);                  // 7.  t4 ← t0 + t1  => (X1·X2 + Y1·Y2)
-        t3 = addmod(t3, P - t4, P);              // 8.  t3 ← t3 - t4  => ((X1 + Y1)·(X2 + Y2) - X1·X2 - Y1·Y2)
-        t4 = addmod(Y1, Z1, P);                  // 9.  t4 ← Y1 + Z1  => (Y1 + Z1)
-        X3 = addmod(Y2, Z2, P);                  // 10. X3 ← Y2 + Z2  => (Y2 + Z2)
-        t4 = mulmod(t4, X3, P);                  // 11. t4 ← t4 · X3  => ((Y1 + Z1) · (Y2 + Z2))
-        X3 = addmod(t1, t2, P);                  // 12. X3 ← t1 + t2  => (Y1·Y2 + Z1·Z2)
-        t4 = addmod(t4, P - X3, P);              // 13. t4 ← t4 - X3  => ((Y1 + Z1)·(Y2 + Z2) - Y1·Y2 - Z1·Z2)
-        X3 = addmod(X1, Z1, P);                  // 14. X3 ← X1 + Z1  => (X1 + Z1)
-        Y3 = addmod(X2, Z2, P);                  // 15. Y3 ← X2 + Z2  => (X2 + Z2)
-        X3 = mulmod(X3, Y3, P);                  // 16. X3 ← X3 · Y3  => ((X1 + Z1) · (X2 + Z2))
-        Y3 = addmod(t0, t2, P);                  // 17. Y3 ← t0 + t2  => (X1·X2 + Z1·Z2)
-        Y3 = addmod(X3, P - Y3, P);              // 18. Y3 ← X3 - Y3  => ((X1 + Z1)·(X2 + Z2) - X1·X2 - Z1·Z2)
-        X3 = addmod(t0, t0, P);                  // 19. X3 ← t0 + t0  => (2·X1·X2)
-        t0 = addmod(X3, t0, P);                  // 20. t0 ← X3 + t0  => (3·X1·X2)
-        t2 = mulmod(B3, t2, P);                  // 21. t2 ← B3 · t2  => 3b · Z1·Z2
-        Z3 = addmod(t1, t2, P);                  // 22. Z3 ← t1 + t2  => Y1·Y2 + 3·b·Z1·Z2
-        t1 = addmod(t1, P - t2, P);              // 23. t1 ← t1 - t2  => Y1·Y2 - 3·b·Z1·Z2
-        Y3 = mulmod(B3, Y3, P);                  // 24. Y3 ← B3 · Y3  => 3b · ((X1+Z1)(X2+Z2) - X1·X2 - Z1·Z2)
-        X3 = mulmod(t4, Y3, P);                  // 25. X3 ← t4 · Y3  => 3b·((Y1+Z1)(Y2+Z2)-Y1·Y2-Z1·Z2) · ((X1+Z1)(X2+Z2)-X1·X2-Z1·Z2)
-        t2 = mulmod(t3, t1, P);                  // 26. t2 ← t3 · t1  => ((X1+Y1)(X2+Y2)-X1·X2-Y1·Y2) · (Y1·Y2 - 3·b·Z1·Z2)
-        X3 = addmod(t2, P - X3, P);              // 27. X3 ← t2 - X3  => (X1Y2+X2Y1)(Y1·Y2-3·b·Z1·Z2) - 3b(Y1·Z2+Y2·Z1)(X1·Z2+X2·Z1)
-        Y3 = mulmod(Y3, t0, P);                  // 28. Y3 ← Y3 · t0  => 3·b·((X1+Z1)(X2+Z2) - X1·X2 - Z1·Z2) · 3·X1·X2 = 9·b·X1·X2·(X1·Z2+X2·Z1)
-        t1 = mulmod(t1, Z3, P);                  // 29. t1 ← t1 · Z3  => (Y1·Y2-3·b·Z1·Z2) · (Y1·Y2+3·b·Z1·Z2)
-        Y3 = addmod(t1, Y3, P);                  // 30. Y3 ← t1 + Y3  => (Y1Y2+3·b·Z1·Z2)(Y1·Y2-3·b·Z1·Z2) + 9b·X1·X2·(X1·Z2+X2·Z1)
-        t0 = mulmod(t0, t3, P);                  // 31. t0 ← t0 · t3  => (3·X1·X2) · ((X1+Y1)(X2+Y2)-X1·X2-Y1·Y2)
-        Z3 = mulmod(Z3, t4, P);                  // 32. Z3 ← Z3 · t4  => (Y1·Y2+3·b·Z1·Z2) · ((Y1+Z1)(Y2+Z2)-Y1·Y2-Z1·Z2)
-        Z3 = addmod(Z3, t0, P);                  // 33. Z3 ← Z3 + t0  => (Y1·Z2+Y2·Z1)·(Y1·Y2+3·b·Z1·Z2) + 3·X1·X2·(X1·Y2+X2·Y1)
+        uint256 t0 = mulmod(X1, X2, P);           // 1.  t0 ← X1 · X2  => (X1·X2)
+        uint256 t1 = mulmod(Y1, Y2, P);           // 2.  t1 ← Y1 · Y2  => (Y1·Y2)
+        uint256 t2 = mulmod(Z1, Z2, P);           // 3.  t2 ← Z1 · Z2  => (Z1·Z2)
+        uint256 t3 = addmod(X1, Y1, P);           // 4.  t3 ← X1 + Y1  => (X1 + Y1)
+        uint256 t4 = addmod(X2, Y2, P);           // 5.  t4 ← X2 + Y2  => (X2 + Y2)
+        t3 = mulmod(t3, t4, P);                   // 6.  t3 ← t3 · t4  => ((X1 + Y1) · (X2 + Y2))
+        t4 = addmod(t0, t1, P);                   // 7.  t4 ← t0 + t1  => (X1·X2 + Y1·Y2)
+        t3 = addmod(t3, P - t4, P);               // 8.  t3 ← t3 - t4  => ((X1 + Y1)·(X2 + Y2) - X1·X2 - Y1·Y2)
+        t4 = addmod(Y1, Z1, P);                   // 9.  t4 ← Y1 + Z1  => (Y1 + Z1)
+        X3 = addmod(Y2, Z2, P);                   // 10. X3 ← Y2 + Z2  => (Y2 + Z2)
+        t4 = mulmod(t4, X3, P);                   // 11. t4 ← t4 · X3  => ((Y1 + Z1) · (Y2 + Z2))
+        X3 = addmod(t1, t2, P);                   // 12. X3 ← t1 + t2  => (Y1·Y2 + Z1·Z2)
+        t4 = addmod(t4, P - X3, P);               // 13. t4 ← t4 - X3  => ((Y1 + Z1)·(Y2 + Z2) - Y1·Y2 - Z1·Z2)
+        X3 = addmod(X1, Z1, P);                   // 14. X3 ← X1 + Z1  => (X1 + Z1)
+        Y3 = addmod(X2, Z2, P);                   // 15. Y3 ← X2 + Z2  => (X2 + Z2)
+        X3 = mulmod(X3, Y3, P);                   // 16. X3 ← X3 · Y3  => ((X1 + Z1) · (X2 + Z2))
+        Y3 = addmod(t0, t2, P);                   // 17. Y3 ← t0 + t2  => (X1·X2 + Z1·Z2)
+        Y3 = addmod(X3, P - Y3, P);               // 18. Y3 ← X3 - Y3  => ((X1 + Z1)·(X2 + Z2) - X1·X2 - Z1·Z2)
+        X3 = addmod(t0, t0, P);                   // 19. X3 ← t0 + t0  => (2·X1·X2)
+        t0 = addmod(X3, t0, P);                   // 20. t0 ← X3 + t0  => (3·X1·X2)
+        t2 = mulmod(B3, t2, P);                   // 21. t2 ← B3 · t2  => 3b · Z1·Z2
+        Z3 = addmod(t1, t2, P);                   // 22. Z3 ← t1 + t2  => Y1·Y2 + 3·b·Z1·Z2
+        t1 = addmod(t1, P - t2, P);               // 23. t1 ← t1 - t2  => Y1·Y2 - 3·b·Z1·Z2
+        Y3 = mulmod(B3, Y3, P);                   // 24. Y3 ← B3 · Y3  => 3b · ((X1+Z1)(X2+Z2) - X1·X2 - Z1·Z2)
+        X3 = mulmod(t4, Y3, P);                   // 25. X3 ← t4 · Y3  => 3b·((Y1+Z1)(Y2+Z2)-Y1·Y2-Z1·Z2) · ((X1+Z1)(X2+Z2)-X1·X2-Z1·Z2)
+        t2 = mulmod(t3, t1, P);                   // 26. t2 ← t3 · t1  => ((X1+Y1)(X2+Y2)-X1·X2-Y1·Y2) · (Y1·Y2 - 3·b·Z1·Z2)
+        X3 = addmod(t2, P - X3, P);               // 27. X3 ← t2 - X3  => (X1Y2+X2Y1)(Y1·Y2-3·b·Z1·Z2) - 3b(Y1·Z2+Y2·Z1)(X1·Z2+X2·Z1)
+        Y3 = mulmod(Y3, t0, P);                   // 28. Y3 ← Y3 · t0  => 3·b·((X1+Z1)(X2+Z2) - X1·X2 - Z1·Z2) · 3·X1·X2 = 9·b·X1·X2·(X1·Z2+X2·Z1)
+        t1 = mulmod(t1, Z3, P);                   // 29. t1 ← t1 · Z3  => (Y1·Y2-3·b·Z1·Z2) · (Y1·Y2+3·b·Z1·Z2)
+        Y3 = addmod(t1, Y3, P);                   // 30. Y3 ← t1 + Y3  => (Y1Y2+3·b·Z1·Z2)(Y1·Y2-3·b·Z1·Z2) + 9b·X1·X2·(X1·Z2+X2·Z1)
+        t0 = mulmod(t0, t3, P);                   // 31. t0 ← t0 · t3  => (3·X1·X2) · ((X1+Y1)(X2+Y2)-X1·X2-Y1·Y2)
+        Z3 = mulmod(Z3, t4, P);                   // 32. Z3 ← Z3 · t4  => (Y1·Y2+3·b·Z1·Z2) · ((Y1+Z1)(Y2+Z2)-Y1·Y2-Z1·Z2)
+        Z3 = addmod(Z3, t0, P);                   // 33. Z3 ← Z3 + t0  => (Y1·Z2+Y2·Z1)·(Y1·Y2+3·b·Z1·Z2) + 3·X1·X2·(X1·Y2+X2·Y1)
    }

    function projectiveDouble(
@ -80,16 +119,16 @@ library EllipticCurveProjective {

        uint256 t0 = mulmod(Y, Y, P);             // 1. t0 ← Y · Y            =>  (Y²)
        Z3 = mulmod(8, t0, P);                    // 2. Z3 ← t0 + t0          =>  (8Y²)
-        uint256 t1 = mulmod(Y, Z, P);             // 5. t1 ← Y · Z            =>  (YZ)
-        uint256 t2 = mulmod(Z, Z, P);             // 6. t2 ← Z · Z            =>  (Z²)
-        t2 = mulmod(21, t2, P);                   // 7. t2 ← b3 · t2          =>  (3bZ²)
-        X3 = mulmod(t2, Z3, P);                   // 8. X3 ← t2 · Z3          =>  (3bZ²8Y²)
-        Y3 = addmod(t0, t2, P);                   // 9. Y3 ← t0 + t2          =>  (Y² + 3bZ²)
-        Z3 = mulmod(t1, Z3, P);                   // 10. Z3 ← t1 · Z3         =>  (YZ · 8Y² = 8Y³Z)
-        t1 = addmod(t0, P - mulmod(3, t2, P), P); // 11. t1 ← t0 - (3 · t2)   =>  (Y² - 9bZ²)
-        Y3 = addmod(X3, mulmod(t1, Y3, P), P);    // 12. Y3 ← t1 · (t1 · Y3)  =>  ((Y² - 9bZ²) · (Y² + 3bZ²))
-        X3 = mulmod(t1, mulmod(X, Y, P), P);      // 13. X3 ← t1 · (X1 · Y1)  =>  ((Y² - 9bZ²) · XY)
-        X3 = addmod(X3, X3, P);                   // 14. X3 ← X3 + X3         =>  ((Y² - 9bZ²) · 2XY)
+        uint256 t1 = mulmod(Y, Z, P);             // 3. t1 ← Y · Z            =>  (YZ)
+        uint256 t2 = mulmod(Z, Z, P);             // 4. t2 ← Z · Z            =>  (Z²)
+        t2 = mulmod(21, t2, P);                   // 5. t2 ← b3 · t2          =>  (3bZ²)
+        X3 = mulmod(t2, Z3, P);                   // 6. X3 ← t2 · Z3          =>  (3bZ²8Y²)
+        Y3 = addmod(t0, t2, P);                   // 7. Y3 ← t0 + t2          =>  (Y² + 3bZ²)
+        Z3 = mulmod(t1, Z3, P);                   // 8. Z3 ← t1 · Z3          =>  (YZ · 8Y² = 8Y³Z)
+        t1 = addmod(t0, P - mulmod(3, t2, P), P); // 9. t1 ← t0 - (3 · t2)    =>  (Y² - 9bZ²)
+        Y3 = addmod(X3, mulmod(t1, Y3, P), P);    // 10. Y3 ← t1 · (t1 · Y3)  =>  ((Y² - 9bZ²) · (Y² + 3bZ²))
+        X3 = mulmod(t1, mulmod(X, Y, P), P);      // 11. X3 ← t1 · (X1 · Y1)  =>  ((Y² - 9bZ²) · XY)
+        X3 = addmod(X3, X3, P);                   // 12. X3 ← X3 + X3         =>  ((Y² - 9bZ²) · 2XY)
    }

    function toAffine(uint256 x, uint256 y, uint256 z) internal pure returns (uint256 _x, uint256 _y) {
--- a/test/MathTester.t.sol
+++ b/test/MathTester.t.sol
@ -48,6 +48,32 @@ contract MathTesterTest is Test {
        }
    }

+    function test_projectiveAdditionMixed() public view {
+        uint256 len = points.length - 1;
+        for (uint256 i; i < len;) {
+            (uint256 x_p, uint256 y_p, uint256 z_p) = math.addProjectiveMixed(
+                uint256(points[i].x),
+                uint256(points[i].y),
+                uint256(points[i+1].x),
+                uint256(points[i+1].y)
+            );
+            (x_p, y_p) = math.toAffineProjective(x_p, y_p, z_p);
+
+            (uint256 x_j, uint256 y_j, uint256 z_j) = math.addJacobian(
+                uint256(points[i].x),
+                uint256(points[i].y),
+                uint256(points[i+1].x),
+                uint256(points[i+1].y)
+            );
+            (x_j, y_j) = math.toAffineJacobian(x_j, y_j, z_j);
+
+            assertEq(x_p, x_j);
+            assertEq(y_p, y_j);
+
+            unchecked { ++i; }
+        }
+    }
+
    function test_double() public view {
        uint256 len = points.length;
        for (uint256 i; i < len;) {
Author	SHA1	Message	Date
Uncle Fatso	2b3eb14012	align comments and fix numeration of steps Signed-off-by: Uncle Fatso <uncle.fatso@ghostchain.io>	2025-10-12 22:15:10 +03:00
Uncle Fatso	abbb720857	ability to add mixed points Signed-off-by: Uncle Fatso <uncle.fatso@ghostchain.io>	2025-10-12 22:10:58 +03:00