From eb2843d1024306e33a4e43227c4a2a003d875b21 Mon Sep 17 00:00:00 2001
From: Yoichi Hirai
Date: Thu, 13 Apr 2017 13:39:35 +0200
Subject: [PATCH 1/4] EIP101: some basic mathematical descriptions
---
 Paper.tex | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/Paper.tex b/Paper.tex
index 37c1b196..5622dc5a 100644
--- a/Paper.tex
+++ b/Paper.tex
@@ -1388,6 +1388,48 @@ \section{Precompiled Contracts}\label{app:precompiled}
 \mathbf{o} &=& I_\mathbf{d}
 \end{eqnarray}
 
+\subsection{zkSNARK Related Precompiled Contracts}
+
+We choose two numbers, both of which are prime.
+\begin{eqnarray}
+p &\equiv& 21888242871839275222246405745257275088696311157297823662689037894645226208583 \\
+q &\equiv& 21888242871839275222246405745257275088548364400416034343698204186575808495617
+\end{eqnarray}
+Since $p$ is a prime number, $\{0, 1, \ldots, p - 1\}$ forms a field with addition and multiplication modulo $p$. We call this field $F_p$.
+
+We define a set~$C_1$ with
+\begin{equation}
+C_1\equiv\{(X,Y)\in F_p\times F_p\mid Y^2=X^3+3\}\cup\{(0,0)\}
+\end{equation}
+We define a binary operation $+$ on $C_1$ with
+\begin{eqnarray}\label{eq:ec-addition}
+(X_1, Y_1) + (X_2, Y_2)&\equiv&\begin{cases}
+(X,Y)&\text{if}\ X_1\neq X_2\\
+(0,0)&\text{otherwise}
+\end{cases}\\
+X&\equiv&\lambda^2-X_1-X_2\\
+Y&\equiv&\lambda(X_1-X)-Y_1\\
+\lambda&\equiv&\frac{Y_2-Y_1}{X_2-X_1}
+\end{eqnarray}
+
+$(C_1,+)$ is known to form a group. We define the scalar multiplication $\cdot$ with
+\begin{equation}\label{eq:ec-scalar-multiplication}
+n\cdot P\equiv(0,0)+\underbrace{P+\cdots+P}_{n}
+\end{equation}
+for a natural number $n$ and a point $P$ in $C_1$.
+
+We define $P_1$ to be a point $(1,2)$ on $C_1$. Let $G_1$ be the subgroup of $(C_1,+)$ generated by $P_1$. $G_1$ is known to be a cyclic group of order $q$. For a point $P$ in $G_1$, we define $\log_{P_1}(P)$ to be the smallest natural number $n$ satisfying $n\cdot P_1=P$. $\log_{P_1}(P)$ is at most $q-1$.
+
+Let $F_{p^2}$ be a field $F_p[i]/(i+1)$. We define a set $C_2$ with
+\begin{equation}
+C_2\equiv\{(X,Y)\in F_{p^2}\times F_{p^2}\mid Y^2=X^3+3\}\cup\{(0,0)\}
+\end{equation}
+We define a binary operation $+$ and a scalar multiplication $\cdot$ with the same equations (\ref{eq:ec-addition}) and (\ref{eq:ec-scalar-multiplication}). $(C_2,+)$ is also known to be a group. 
We define $P_2$ in $C_2$ with +\begin{eqnarray} +P_2&\equiv& +(11559732032986387107991004021392285783925812861821192530917403151452391805634 \times i\\\nonumber &&+ 10857046999023057135944570762232829481370756359578518086990519993285655852781,\\\nonumber && 4082367875863433681332203403145435568316851327593401208105741076214120093531 \times i\\\nonumber &&+ 8495653923123431417604973247489272438418190587263600148770280649306958101930) +\end{eqnarray} +We define $G_2$ to be the subgroup of $(C_2,+)$ generated by $P_2$. $G_2$ is known to be a cyclic group of order $q$. For a point $P$ in $G_2$, we define $\log_{P_2}(P)$ be the smallest natural number $n$ satisfying $n\cdot P_2=P$. With this definition, $\log_{P_2}(P)$ is at most $q-1$. \section{Signing Transactions}\label{app:signing} From 75e6d3a9d924c57b4130a8f9b97afee4fd391009 Mon Sep 17 00:00:00 2001 From: Yoichi Hirai Date: Thu, 13 Apr 2017 15:20:26 +0200 Subject: [PATCH 2/4] EIP212: pairing checking precompiled contract As described in https://github.com/ethereum/EIPs/pull/212 --- Paper.tex | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/Paper.tex b/Paper.tex index 5622dc5a..27c16557 100644 --- a/Paper.tex +++ b/Paper.tex @@ -1431,6 +1431,62 @@ \subsection{zkSNARK Related Precompiled Contracts} \end{eqnarray} We define $G_2$ to be the subgroup of $(C_2,+)$ generated by $P_2$. $G_2$ is known to be a cyclic group of order $q$. For a point $P$ in $G_2$, we define $\log_{P_2}(P)$ be the smallest natural number $n$ satisfying $n\cdot P_2=P$. With this definition, $\log_{P_2}(P)$ is at most $q-1$. +A 32 byte number $\mathbf{x}\in\mathbf{P}_{256}$ might and might not represent an element of $F_p$. +\begin{equation} +\delta_p(\mathbf x)\equiv\begin{cases} +\mathbf x&\text{if}\ \mathbf x Date: Thu, 13 Apr 2017 15:46:06 +0200 Subject: [PATCH 3/4] EIP 213 Define addition precompiled contract on G_1 --- Paper.tex | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
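Review bot: The addition law labelled `eq:ec-addition` in the first patch is not a group operation as written: its only non-trivial case is `X_1\neq X_2`, so `P+P` evaluates to `(0,0)` and `(0,0)+P` generally goes through the chord formula instead of returning `P`. Because `eq:ec-scalar-multiplication` starts its sum at `(0,0)`, every scalar multiple inherits the error, and so do `G_1`, `G_2` and the logarithms defined on them. The cases should treat `(0,0)` as the identity, send a point plus its negation to `(0,0)`, and use the tangent slope for doubling, as in the excerpt below. Two further points in the same hunk: `F_p[i]/(i+1)` is just `F_p` again and is presumably meant to be `F_p[i]/(i^2+1)`, and `C_2` reuses `Y^2=X^3+3`, whereas the twist used for these contracts is, as far as I know, `Y^2=X^3+3(i+9)^{-1}`, so the listed `P_2` may not lie in the set as defined.

```latex
% … unchanged: \begin{eqnarray}\label{eq:ec-addition} …
(X_1, Y_1) + (X_2, Y_2)&\equiv&\begin{cases}
(X_2,Y_2)&\text{if}\ (X_1,Y_1)=(0,0)\\
(X_1,Y_1)&\text{if}\ (X_2,Y_2)=(0,0)\\
(0,0)&\text{if}\ X_1=X_2\wedge Y_1+Y_2=0\\
(X,Y)&\text{otherwise}
\end{cases}\\
% … unchanged: definitions of X and Y …
\lambda&\equiv&\begin{cases}
\frac{Y_2-Y_1}{X_2-X_1}&\text{if}\ X_1\neq X_2\\
\frac{3X_1^2}{2Y_1}&\text{otherwise}
\end{cases}
```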
diff --git a/Paper.tex b/Paper.tex
index 27c16557..126f3ab5 100644
--- a/Paper.tex
+++ b/Paper.tex
@@ -1487,6 +1487,20 @@ \subsection{zkSNARK Related Precompiled Contracts}
 b_k&\equiv&\delta_2(I_{\mathbf d}[(|I_{\mathbf d}|-128)..(|I_{\mathbf d}|-1)])
 \end{eqnarray}
 
+We define a precompiled contract for addition on $G_1$.
+\begin{eqnarray}
+\Xi_{\mathtt{BN\_ADD}}&\equiv&\Xi_{\mathtt{BN\_PRE}}\quad\text{except:}\\
+\Xi_{\mathtt{BN\_ADD}}(\boldsymbol\sigma,g,I)&=&(\varnothing,0,A^0,())\quad\text{if}\ x=\varnothing\vee y=\varnothing\\
+g_r&=&?\\
+\mathbf o&\equiv&\delta_1^{-1}(x+y)\quad\text{where $+$ is the group operation in $G_1$}\\
+x&\equiv&\delta_1(\bar I_{\mathbf d}[0..63])\\
+y&\equiv&\delta_1(\bar I_{\mathbf d}[64..127])\\
+\label{eq:complemented_input}\bar I_{\mathbf d}[x]&\equiv&\begin{cases}
+I_{\mathbf d}[x]&\text{if}\ x < |I_{\mathbf d}|\\
+0&\text{otherwise}
+\end{cases}
+\end{eqnarray}
+
 \section{Signing Transactions}\label{app:signing}
 
 The method of signing transactions is similar to the `Electrum style signatures'; it utilises the SECP-256k1 curve as described by \cite{gura2004comparing}.
From 3feaf1e281e0935f18607fb8c688a5fcfc3c5881 Mon Sep 17 00:00:00 2001
From: Yoichi Hirai
Date: Thu, 13 Apr 2017 15:53:01 +0200
Subject: [PATCH 4/4] EIP 213 Defining the precompiled contract for scalar multiplication on G_1
---
 Paper.tex | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/Paper.tex b/Paper.tex
index 126f3ab5..6c70da88 100644
--- a/Paper.tex
+++ b/Paper.tex
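Review bot: The gas requirement of `\Xi_{\mathtt{BN\_ADD}}` is left as the placeholder `g_r&=&?`, and the same placeholder appears in `\Xi_{\mathtt{BN\_MUL}}` in patch 4/4. A precompiled contract with no defined cost cannot be implemented consistently across clients, and an under-priced curve operation is a denial-of-service risk, so the concrete figure from the EIP should be filled in before this is merged. Separately, `\bar I_{\mathbf d}[x]` uses `x` as a byte index although `x` is also the first operand point a few lines earlier in the same `eqnarray`; a distinct index letter, e.g. `\bar I_{\mathbf d}[j]` with `j < |I_{\mathbf d}|`, avoids the clash.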
@@ -1501,6 +1501,16 @@ \subsection{zkSNARK Related Precompiled Contracts}
 \end{cases}
 \end{eqnarray}
 
+We define a precompiled contract for scalar multiplication on $G_1$, where $\bar I_{\mathbf d}$ is defined in (\ref{eq:complemented_input}).
+\begin{eqnarray}
+\Xi_{\mathtt{BN\_MUL}}&\equiv&\Xi_{\mathtt{PRE}}\quad\text{except:}\\
+\Xi_{\mathtt{BN\_MUL}}(\boldsymbol\sigma,g,I)&=&(\varnothing,0,A^0,())\quad\text{if}\ x=\varnothing\\
+g_r&=&?\\
+\mathbf o&\equiv&\delta_1^{-1}(n\cdot x)\quad\text{where $\cdot$ is the scalar multiplication in $G_1$}\\
+n&\equiv&\bar I_{\mathbf d}[0..31]\\
+x&\equiv&\delta_1(\bar I_{\mathbf d}[32..95])
+\end{eqnarray}
+
 \section{Signing Transactions}\label{app:signing}
 
 The method of signing transactions is similar to the `Electrum style signatures'; it utilises the SECP-256k1 curve as described by \cite{gura2004comparing}.
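Review bot: `\Xi_{\mathtt{BN\_MUL}}` is defined as `\Xi_{\mathtt{PRE}}` with exceptions, while `\Xi_{\mathtt{BN\_ADD}}` in patch 3/4 builds on `\Xi_{\mathtt{BN\_PRE}}`; one of the two names is probably a typo, and the line should likely read `\Xi_{\mathtt{BN\_MUL}}&\equiv&\Xi_{\mathtt{BN\_PRE}}\quad\text{except:}\\`. Neither base function's definition is visible in this part of the page, so confirm which one actually exists. In addition, `n&\equiv&\bar I_{\mathbf d}[0..31]` assigns a 32-byte sequence to a quantity that `n\cdot x` uses as a natural number; stating the byte order explicitly (big-endian, if it follows the EIP) would remove any doubt about the scalar's value.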