Ok, thank you for your analysis. And I agree... listening to you describe what would be required doesn't sound promising. If I had to, I'd be able to translate rust to C#, but when it brings in arbitrary other libraries/crates, it's hard to estimate just how much would have to be ported over.
My impression is that jubjub was specially created for zk-snarks, FWIW. And I don't know if it matters, but I don't plan on implementing zk-snark circuits anytime soon. It's just that I need this curve to derive shielded addresses I guess, which at this point is my only goal. The offer is still open if anyone would be interested in doing this for hire (at least to discuss possible compensation to see if we're compatible). Alternatively, if anyone knows a good book to get me started on learning what I'd need to know to get started on implementing something like this, I'd appreciate the recommendation. I just bought Handbook of Applied Cryptography (Discrete Mathematics and Its Applications) 1, Menezes, Alfred J., Katz, Jonathan, van Oorschot, Paul C., Vanstone, Scott A. <https://www.amazon.com/gp/product/B00UVADN9E/ref=ppx_yo_dt_b_d_asin_title_o00?ie=UTF8&psc=1> in hopes it would help, but I guess it was published over 20 years ago and has precious little to say about elliptic curves. :( -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre On Tue, May 23, 2023 at 3:39 AM Peter Dettman < peter.dett...@bouncycastle.org> wrote: > Ignoring learning phase, someone might follow the Ed448 example in our > code and take a week or two to produce a twisted edwards curve > implementation over a new field implementation (BLS12-381 scalar field in > this case). > > However Jubjub (https://z.cash/technology/jubjub/) appears to be intended > for evaluation inside a zk-SNARK circuit (either as the main point of it, > or at least in addition to the "standard" one), which is a horse of a > different color. There's a prototype ( > https://github.com/Electric-Coin-Company/jubjub-prototype) which is just > 1200 lines of rust, but it depends on another crate dealing with pairing > friendly curves (like the BLS one here) that I did not investigate. > > It's doubtful to me that this is an ECC-beginner-friendly project. > > Regards, > Pete Dettman > > On 23/05/2023 10:31 am, Andrew Arnott wrote: > > Thanks. Do you (or anyone else on this list) have a rough estimate of how > much effort goes into implementing a new curve (e.g. JubJub) using Bouncy > Castle (whether in the library or as an external extension)? I'm still > trying to learn elliptic curve cryptography, and I'm trying to figure out > if it's on the scale of a day, a week, or a month, if I only knew what I > was doing. > > I wonder if anyone here would consider a donation or freelance payment in > exchange for coding up JubJub for me. > > ------------------------------ >> *From:* Peter Dettman <peter.dett...@bouncycastle.org> >> *Sent:* Monday, May 22, 2023 4:56 AM >> *To:* andrewarn...@gmail.com <andrewarn...@gmail.com>; >> dev-crypto-csharp@bouncycastle.org <dev-crypto-csharp@bouncycastle.org> >> *Subject:* Re: [dev-crypto-csharp] How to implement the JubJub curve? >> >> Hi Andrew, >> We do not currently have any JubJub implementation in C# or Java. >> The class you mention is unknown to us, so is presumably a third-party >> addition in some fork. >> >> Regards, >> Pete Dettman >> >> On 22/05/2023 10:26 am, Andrew Arnott wrote: >> >> I'm implementing a portion of the Zcash protocol in C# and am looking for >> a way to instantiate an elliptic curve for JubJub as described in the >> Zcash protocol spec <https://zips.z.cash/protocol/protocol.pdf#jubjub>. >> Apparently JubJub is "a complete twisted Edwards elliptic curve". >> I even found (from Bing Chat) a reference to this class: >> >> org.bouncycastle.math.ec.custom.ed.TwistedEdwardsCurve >> >> But it was for the Java version of Bouncy Castle, and I couldn't found >> its source anyway. >> Is there such an implementation in C#? I wouldn't mind porting it from >> Java if someone can direct me to the source. >> >> Thanks. >> -- >> Andrew Arnott >> "I [may] not agree with what you have to say, but I'll defend to the >> death your right to say it." - S. G. Tallentyre >> >> >> >
