Updated the OpenVM book and example code for twisted Edwards curves

Author: Avaneesh-axiom

book/src/custom-extensions/ecc.md

@@ -15,12 +15,20 @@ The OpenVM Elliptic Curve Cryptography Extension provides support for elliptic c
 - `WeierstrassPoint` trait:
   It represents an affine point on a Weierstrass elliptic curve and it extends `Group`.
 
-  - `Coordinate` type is the type of the coordinates of the point, and it implements `IntMod`.
-  - `x()`, `y()` are used to get the affine coordinates
+  - `Coordinate` type is the type of the coordinates of the point, and it implements `Field`.
+  - `x()`, `y()` are used to get the affine coordinates.
   - `from_xy` is a constructor for the point, which checks if the point is either identity or on the affine curve.
   - The point supports elliptic curve operations through intrinsic functions `add_ne_nonidentity` and `double_nonidentity`.
   - `decompress`: Sometimes an elliptic curve point is compressed and represented by its `x` coordinate and the odd/even parity of the `y` coordinate. `decompress` is used to decompress the point back to `(x, y)`.
 
+- `TwistedEdwardsPoint` trait:
+  It represents an affine point on a twisted Edwards elliptic curve and it extends `Group`.
+
+  - `Coordinate` type is the type of the coordinates of the point, and it implements `Field`.
+  - `x()`, `y()` are used to get the affine coordinates.
+  - `from_xy` is a constructor for the point, which checks if the point is on the affine curve.
+  - The point supports elliptic curve addition through the `add_impl` method.
+
 - `msm`: for multi-scalar multiplication.
 
 - `ecdsa`: for doing ECDSA signature verification and public key recovery from signature.
@@ -29,37 +37,45 @@ The OpenVM Elliptic Curve Cryptography Extension provides support for elliptic c
 
 For elliptic curve cryptography, the `openvm-ecc-guest` crate provides macros similar to those in [`openvm-algebra-guest`](./algebra.md):
 
-1. **Declare**: Use `sw_declare!` to define elliptic curves over the previously declared moduli. For example:
+1. **Declare**: Use `sw_declare!` or `te_declare!` to define weierstrass or twisted edwards elliptic curves, respectively,over the previously declared moduli. For example:
 
 ```rust
 sw_declare! {
     Bls12_381G1Affine { mod_type = Bls12_381Fp, b = BLS12_381_B },
     P256Affine { mod_type = P256Coord, a = P256_A, b = P256_B },
 }
+te_declare! {
+    Edwards25519 { mod_type = Edwards25519Coord, a = CURVE_A, d = CURVE_D },
+}
 ```
+This creates `Bls12_381G1Affine` and `P256Affine` structs which implement the `Group` and `WeierstrassPoint` traits, and the `Edwards25519` struct which implements the `Group` and `TwistedEdwardsPoint` traits. The underlying memory layout of the structs uses the memory layout of the `Bls12_381Fp`, `P256Coord`, and `Edwards25519Coord` structs, respectively.
 
-Each declared curve must specify the `mod_type` (implementing `IntMod`) and a constant `b` for the Weierstrass curve equation \\(y^2 = x^3 + ax + b\\). `a` is optional and defaults to 0 for short Weierstrass curves.
-This creates `Bls12_381G1Affine` and `P256Affine` structs which implement the `Group` and `WeierstrassPoint` traits. The underlying memory layout of the structs uses the memory layout of the `Bls12_381Fp` and `P256Coord` structs, respectively.
+Each declared curve must specify the `mod_type` (implementing `Field`) and a constant `b` for the Weierstrass curve equation \\(y^2 = x^3 + ax + b\\) or `a` and `d` for the twisted Edwards curve equation \\(ax^2 + y^2 = 1 + dx^2y^2\\). For short Weierstrass curves, `a` is optional and defaults to 0.
 
 2. **Init**: Called once, it enumerates these curves and allows the compiler to produce optimized instructions:
 
 ```rust
 sw_init! {
     Bls12_381G1Affine, P256Affine,
 }
+te_init! {
+    Edwards25519,
+}
 ```
 
 3. **Setup**: Similar to the moduli and complex extensions, runtime setup instructions ensure that the correct curve parameters are being used, guaranteeing secure operation.
 
 **Summary**:
 
-- `sw_declare!`: Declares elliptic curve structures.
-- `sw_init!`: Initializes them once, linking them to the underlying moduli.
-- `setup_sw_<i>()`/`setup_all_curves()`: Secures runtime correctness.
+- `sw_declare!`: Declares short Weierstrass elliptic curve structures.
+- `te_declare!`: Declares twisted Edwards elliptic curve structures.
+- `sw_init!`: Initializes the short Weierstrass elliptic curves once, linking them to the underlying moduli.
+- `te_init!`: Initializes the twisted Edwards elliptic curves once, linking it to the underlying moduli.
+- `setup_sw_<i>()`/`setup_all_sw_curves()`/`setup_te_<i>()`/`setup_all_te_curves()`: Secures runtime correctness.
 
-To use elliptic curve operations on a struct defined with `sw_declare!`, it is expected that the struct for the curve's coordinate field was defined using `moduli_declare!`. In particular, the coordinate field needs to be initialized and set up as described in the [algebra extension](./algebra.md) chapter.
+To use elliptic curve operations on a struct defined with `sw_declare!` or `te_declare!`, it is expected that the struct for the curve's coordinate field was defined using `moduli_declare!`. In particular, the coordinate field needs to be initialized and set up as described in the [algebra extension](./algebra.md) chapter.
 
-For the basic operations provided by the `WeierstrassPoint` trait, the scalar field is not needed. For the ECDSA functions in the `ecdsa` module, the scalar field must also be declared, initialized, and set up.
+For the basic operations provided by the `WeierstrassPoint` or `TwistedEdwardsPoint` traits, the scalar field is not needed. For the ECDSA functions in the `ecdsa` module, the scalar field must also be declared, initialized, and set up.
 
 ## Example program
 
@@ -98,8 +114,22 @@ supported_modulus = ["1157920892373161954235709850086879078532699846656405640394
 [[app_vm_config.ecc.supported_curves]]
 modulus = "115792089237316195423570985008687907853269984665640564039457584007908834671663"
 scalar = "115792089237316195423570985008687907852837564279074904382605163141518161494337"
+
+[app_vm_config.ecc.supported_curves.coeffs]
+type = "SwCurve"
 a = "0"
 b = "7"
+
+[[app_vm_config.ecc.supported_curves]]
+modulus = "57896044618658097711785492504343953926634992332820282019728792003956564819949"
+scalar = "7237005577332262213973186563042994240857116359379907606001950938285454250989"
+
+[app_vm_config.ecc.supported_curves.coeffs]
+type = "TeCurve"
+a = "57896044618658097711785492504343953926634992332820282019728792003956564819948"
+d = "37095705934669439343138083508754565189542113879843219016388785533085940283555"
 ```
 
 The `supported_modulus` parameter is a list of moduli that the guest program will use. The `ecc.supported_curves` parameter is a list of supported curves that the guest program will use. They must be provided in decimal format in the `.toml` file. For multiple curves create multiple `[[app_vm_config.ecc.supported_curves]]` sections.
+
+The `type` field must be `SwCurve` for short Weierstrass curves and `TeCurve` for twisted Edwards curves.

examples/ecc/Cargo.toml

@@ -12,6 +12,7 @@ openvm-platform = { path = "../../crates/toolchain/platform" }
 openvm-algebra-guest = { path = "../../extensions/algebra/guest" }
 openvm-ecc-guest = { path = "../../extensions/ecc/guest", features = ["k256"] }
 hex-literal = { version = "0.4.1", default-features = false }
+serde = { version = "1.0", default-features = false, features = [ "derive" ] }
 
 [features]
 default = []

examples/ecc/openvm.toml

@@ -7,4 +7,17 @@ supported_modulus = ["1157920892373161954235709850086879078532699846656405640394
 [[app_vm_config.ecc.supported_curves]]
 modulus = "115792089237316195423570985008687907853269984665640564039457584007908834671663"
 scalar = "115792089237316195423570985008687907852837564279074904382605163141518161494337"
-coeffs = { SwCurve = { a = "0", b = "7" } }
+
+[app_vm_config.ecc.supported_curves.coeffs]
+type = "SwCurve"
+a = "0"
+b = "7"
+
+[[app_vm_config.ecc.supported_curves]]
+modulus = "57896044618658097711785492504343953926634992332820282019728792003956564819949"
+scalar = "7237005577332262213973186563042994240857116359379907606001950938285454250989"
+
+[app_vm_config.ecc.supported_curves.coeffs]
+type = "TeCurve"
+a = "57896044618658097711785492504343953926634992332820282019728792003956564819948"
+d = "37095705934669439343138083508754565189542113879843219016388785533085940283555"

examples/ecc/src/main.rs

@@ -3,17 +3,64 @@
 
 // ANCHOR: imports
 use hex_literal::hex;
-use openvm_algebra_guest::IntMod;
+use openvm_algebra_guest::{Field, IntMod};
 use openvm_ecc_guest::{
+    edwards::TwistedEdwardsPoint,
     k256::{Secp256k1Coord, Secp256k1Point},
     weierstrass::WeierstrassPoint,
+    Group,
 };
 // ANCHOR_END: imports
+openvm_algebra_guest::moduli_setup::moduli_declare! {
+    // The Secp256k1 modulus and scalar field modulus are already declared in the k256 module
+    Edwards25519Coord { modulus = "57896044618658097711785492504343953926634992332820282019728792003956564819949" },
+}
 
 // ANCHOR: init
 openvm_algebra_guest::moduli_setup::moduli_init! {
     "0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F",
-    "0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141"
+    "0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141",
+    "57896044618658097711785492504343953926634992332820282019728792003956564819949",
+}
+
+// have to implement Field for Edwards25519Coord because moduli_declare! only implements IntMod
+impl Field for Edwards25519Coord {
+    const ZERO: Self = <Self as IntMod>::ZERO;
+    const ONE: Self = <Self as IntMod>::ONE;
+
+    type SelfRef<'a> = &'a Self;
+
+    fn double_assign(&mut self) {
+        IntMod::double_assign(self);
+    }
+
+    fn square_assign(&mut self) {
+        IntMod::square_assign(self);
+    }
+}
+
+// a = 57896044618658097711785492504343953926634992332820282019728792003956564819948
+// d = 37095705934669439343138083508754565189542113879843219016388785533085940283555
+// encoded in little endian, 32 limbs of 8 bits each
+const CURVE_A: Edwards25519Coord = Edwards25519Coord::from_const_bytes([
+    236, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+    255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 127,
+]);
+const CURVE_D: Edwards25519Coord = Edwards25519Coord::from_const_bytes([
+    163, 120, 89, 19, 202, 77, 235, 117, 171, 216, 65, 65, 77, 10, 112, 0, 152, 232, 121, 119, 121,
+    64, 199, 140, 115, 254, 111, 43, 238, 108, 3, 82,
+]);
+
+openvm_ecc_guest::te_setup::te_declare! {
+    Edwards25519Point {
+        mod_type = Edwards25519Coord,
+        a = CURVE_A,
+        d = CURVE_D
+    }
+}
+
+openvm_ecc_guest::te_setup::te_init! {
+    Edwards25519Point,
 }
 
 openvm_ecc_guest::sw_setup::sw_init! {
@@ -26,7 +73,9 @@ openvm::entry!(main);
 
 pub fn main() {
     setup_all_moduli();
-    setup_all_curves();
+    setup_all_sw_curves();
+    setup_all_te_curves();
+
     let x1 = Secp256k1Coord::from_u32(1);
     let y1 = Secp256k1Coord::from_le_bytes(&hex!(
         "EEA7767E580D75BC6FDD7F58D2A84C2614FB22586068DB63B346C6E60AF21842"
@@ -40,5 +89,21 @@ pub fn main() {
     let p2 = Secp256k1Point::from_xy_nonidentity(x2, y2).unwrap();
 
     let _p3 = &p1 + &p2;
+
+    let x1 = Edwards25519Coord::from_le_bytes(&hex!(
+        "216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A"
+    ));
+    let y1 = Edwards25519Coord::from_le_bytes(&hex!(
+        "6666666666666666666666666666666666666666666666666666666666666658"
+    ));
+    let p1 = Edwards25519Point::from_xy(x1, y1).unwrap();
+
+    let x2 = Edwards25519Coord::from_u32(2);
+    let y2 = Edwards25519Coord::from_le_bytes(&hex!(
+        "1A43BF127BDDC4D71FF910403C11DDB5BA2BCDD2815393924657EF111E712631"
+    ));
+    let p2 = Edwards25519Point::from_xy(x2, y2).unwrap();
+
+    let _p3 = &p1 + &p2;
 }
 // ANCHOR_END: main