ed_on_bn254 isn't compatible with ERC-2494 babyjub

[TheFrozenFire]

I've been porting my circom/snarkjs circuits to arkworks, and found that the implementation of ed_on_bn254 isn't compatible with the curve as described in ERC-2494, in the iden3 js-crypto library, and in the circomlib circuits.

Particularly, the TECurveConfig specifies an a coefficient of 1, calculates the d coefficient in some manner I'm not familiar with, and specifies an affine generator which is different from the spec. The MontCurveConfig is similarly different in specifying the b coefficient as 1.

By "fixing" the coefficients, and using the base 8 point, I get the same outputs as js-crypto and circomlib produce.

Is there some logic underlying the difference in arkworks' implementation of babyjub?

[kwantam]

It appears that ed_on_bn254 implements a related curve, not Baby Jubjub.

Specifically, it implements the Edwards curve that is isomorphic to Baby Jubjub rather than Baby Jubjub itself. (This curve is isomorphic because Baby Jubjub's A = 168700 is square mod the order of the base field.)

It's possible to use this implementation and convert points to the correct format: for a point (X, Y) on the Edwards curve implemented here, the point (X / sqrt(A), Y) is on the Twisted Edwards curve Baby Jubjub.

(Note that the generator point doesn't match either, so you'll also have to deal with that if you want to use this impl.)

See page 3 of this paper for more info: https://eprint.iacr.org/2008/013.pdf

To the authors of the library: it would be great if you'd actually implement the right curve! :)