The Pasta Curves for Halo 2 and Beyond
Source: https://electriccoin.co/blog/the-pasta-curves-for-halo-2-and-beyond/
One of the most enjoyable things we do at ECC is working on cutting-edge cryptography. In our continued effort to ensure that Zcash benefits as much as possible from groundbreaking crypto innovations, part of what we do is to design our own cryptographic constructs to improve performance and security. For the Halo 2 project, we have designed a new cycle of elliptic curves, Pallas and Vesta, which we collectively refer to as the Pasta curves.
Using the same elliptic curves as other projects is helpful in numerous ways. As an example, the pairing-friendly curve BLS12-381 that we designed for Sapling is now a de facto standard in the cryptocurrency world, being deployed in fundamental components of protocols such as Ethereum 2. This has allowed us to benefit from other projects’ research and development in BLS12-381, and it has increased the opportunities for cross-platform interoperability.
Since we originally presented the Tweedle cycle of curves in the Halo paper, we’ve had time to learn more about which engineering and cryptographic properties are useful (particularly the low-degree isogeny and 2-adicity tweaks described below). We invite projects that plan to deploy protocols using ideas from Halo to employ the same curve cycle, so that we can collectively benefit from shared analysis and engineering effort.
Sorry, the translation from here on really needs too strong a mathematics background, so I'm giving up, haha, and leaving the English.
Curve Parameters
Pallas: y^2 = x^3 + 5 over GF(0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001)
Vesta: y^2 = x^3 + 5 over GF(0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001)
Like the Tweedle curves, the Pasta curves form a cycle with one another: the order of each curve is exactly the base field of the other. This property is critical to the efficiency of recursive proof systems. They are designed to be highly 2-adic, meaning that a large power-of-two multiplicative subgroup exists in each field. This is important for the performance of polynomial arithmetic over their scalar fields and is essential for protocols similar to PLONK.
Several other criteria are meant to ensure that the curves perform well and have nice symmetries:
Unlike with the Tweedle curves, both Pallas and Vesta have low-degree isogenies (both of degree 3) from curves with a nonzero j-invariant. This is useful when hashing to the curve using the “simplified SWU” algorithm, and perhaps for other not-yet-known purposes.
They have the same 2-adicity, 32, unlike the Tweedle curves that had 2-adicity of 33 and 34. This simplifies implementations and may assist in square root performance (used for point decompression and internally to Halo 2) due to a new algorithm recently discovered; 32 is more convenient for this algorithm.
They are both constructed over 255-bit prime fields. This gives 126-bit security against Pollard rho attacks, and allows the compressed representation of points to be an even 32 bytes.
Both moduli have sparse bit representations in order to improve the performance of Montgomery reduction and other common operations.
They both support an endomorphism that can be used to improve performance of scalar multiplication, similar to that available for secp256k1. This is even more useful after the recent expiry of related patents.
They have the same curve equation, y^2 = x^3 + 5. For curves using this cycle construction it is also the case that an x-coordinate of zero is not valid, which allows a convenient representation of all zeroes for the point at infinity.
Both fields do not have 5-order, 7-order, etc. multiplicative subgroups, so that exponentiation by these small primes is a permutation — a crucial requirement for algebraic hash functions such as Rescue and Poseidon.
These curves can be reproducibly obtained using a curve search utility we’ve published. The tool uses various techniques to quickly search the large space of elliptic curves for a pair that satisfies our performance and security goals. For the Tweedle curves we also ensured that the quadratic twist security for both curves was high; this criterion has been dropped for the Pasta curves because it was only defence-in-depth (for curve formulae that we do not recommend using) and was too strict of a requirement that precluded other more important design considerations.
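The properties claimed above (the cycle, 2-adicity 32, 255-bit fields, no order-5 or order-7 subgroups, an invalid x = 0, and the secp256k1-style endomorphism) can all be checked from nothing but the two moduli. The script below is an added example written for this page; it is not code from the ECC post or from the pasta_curves library. It assumes only the curve equation y^2 = x^3 + 5 and the point (-1, 2), which lies on both curves because (-1)^3 + 5 = 4 = 2^2. Plain affine arithmetic with Python big integers is deliberately used so every step is visible; it is far too slow for real use.

```python
"""Added example (not from the ECC post or the pasta_curves library): checks the
post's claims about the Pasta cycle directly from the two field moduli.
Assumed inputs: y^2 = x^3 + 5 and the point (-1, 2) on both curves."""

P = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001  # Pallas base field (Vesta scalar field)
Q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001  # Vesta base field (Pallas scalar field)
B = 5        # constant term in y^2 = x^3 + B
INF = None   # point at infinity

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases; a sanity check, not a proof."""
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def on_curve(pt, p):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - x * x * x - B) % p == 0

def add(p1, p2, p):
    """Affine group law on y^2 = x^3 + B over GF(p); a = 0 so doubling has no a-term."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                      # P + (-P)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p      # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p       # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, pt, p):
    """Left-to-right double-and-add scalar multiplication."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc, p)
        if bit == "1":
            acc = add(acc, pt, p)
    return acc

def two_adicity(n):
    """Largest s such that 2^s divides n."""
    return (n & -n).bit_length() - 1

def primitive_cube_root_of_unity(p):
    """Requires p = 1 (mod 3); g^((p-1)/3) for the first g that is not a cube."""
    assert (p - 1) % 3 == 0
    for g in range(2, 1000):
        z = pow(g, (p - 1) // 3, p)
        if z != 1:
            return z
    raise ValueError("no non-cube found")

def field_properties(p):
    """Facts about GF(p) the post relies on. Note 3 | p-1 is required for the
    endomorphism, so x^3 is NOT a permutation, while x^5 and x^7 are."""
    return {
        "prime": is_probable_prime(p),
        "bits": p.bit_length(),
        "two_adicity": two_adicity(p - 1),
        "small_subgroups": [r for r in (3, 5, 7) if (p - 1) % r == 0],
        # Euler's criterion: x = 0 is on the curve iff B is a square mod p
        "x_zero_on_curve": pow(B, (p - 1) // 2, p) == 1,
    }

def power_map_inverse(p, r):
    """Exponent d with (x^r)^d == x for every x in GF(p); exists iff gcd(r, p-1) == 1.
    This is what makes x^5 usable as an invertible S-box in Poseidon and Rescue."""
    return pow(r, -1, p - 1)

def cycle_holds():
    """#Pallas(GF(P)) == Q and #Vesta(GF(Q)) == P. With Q prime and G != INF,
    Q*G == INF forces ord(G) == Q; by Hasse's bound the curve order is then Q."""
    g_pallas, g_vesta = (P - 1, 2), (Q - 1, 2)          # (-1, 2) reduced mod each field
    return (on_curve(g_pallas, P) and on_curve(g_vesta, Q)
            and mul(Q, g_pallas, P) is INF and mul(P, g_vesta, Q) is INF)

def endomorphism_holds():
    """On Pallas, (x, y) -> (zeta*x, y) with zeta^3 == 1 in GF(P) equals scalar
    multiplication by a cube root of unity in GF(Q) (lambda or lambda^2)."""
    zeta, lam = primitive_cube_root_of_unity(P), primitive_cube_root_of_unity(Q)
    g = (P - 1, 2)
    image = (zeta * g[0] % P, g[1])
    return on_curve(image, P) and image in (mul(lam, g, P), mul(lam * lam % Q, g, P))

if __name__ == "__main__":
    for name, p in (("Pallas base field", P), ("Vesta base field", Q)):
        print(name, field_properties(p))
    print("cycle:", cycle_holds(), " endomorphism is a scalar:", endomorphism_holds())
```

Running it prints identical property dictionaries for both fields (255 bits, 2-adicity 32, only the order-3 subgroup present, x = 0 not on the curve) and `True` for both the cycle and the endomorphism checks. The cycle test relies on the curve orders being prime: a single non-identity point annihilated by Q already pins the group order to Q, which is the whole reason a prime-order cycle is so convenient for recursion.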
Naming
Pasta is a portmanteau of Pallas and Vesta — two minor planets in the solar system: 2 Pallas and 4 Vesta. Like the curves, the minor planets are close in size; Pallas is the smaller minor planet and also the curve over the smaller base field. Pallas and Vesta were two of the earliest minor planets to be discovered, both by the German astronomer Heinrich Olbers. They are visible with binoculars when in favourable positions [2 Pallas, 4 Vesta].
An unpublished 1805 work of Carl Friedrich Gauss connects 2 Pallas to the Halo proof system: Gauss developed a method of computing discrete Fourier transforms, which are used in Halo, partly to track the orbit of this minor planet. His method was very similar to the one published in 1965 by James Cooley and John Tukey, who are generally credited for the invention of the modern generic FFT algorithm.
In Greek mythology, Pallas (or Pallas Athena) is a goddess associated with wisdom, handicraft, and warfare, while Vesta is a goddess of the hearth, home, and family. In the original Temple of Vesta in Rome stood the Palladium, a statue of Pallas Athena. The sacred fire of Vesta and the Palladium were both held to be symbols of the safety and prosperity of Rome — just as we aim for these curves to provide a foundation for the future security of the Zcash protocol.
Pallas Athena and Vesta have another connection to Halo: they are the names of Artificial Intelligences in the universe of the Halo video games.