Algebraic Primitives & Notation

Algebraic Primitives

Unless otherwise specified, all values are assumed to be elements of the Scalar field of BN254 as defined in EIP-197. We will refer to this field as the "BN254 Scalar field" or $\mathbb{F}_p$ for short. We will use $p$ to refer to the order of the BN254 scalar field.

For all elliptic curve cryptography, including our addressing and signature schemes, we use the Baby Jubjub curve, the curve whose base field is $\mathbb{F_p}$ as defined in EIP-2494. All operations are performed in Baby Jubjub's prime-order subgroup, which we will refer to as "Baby Jubjub", or $\mathbb{G}$ (blackboard "G" as opposed to regular "G") for short.

We will use $r$ to refer to the order of Baby Jubjub's scalar field (again, the prime-order subgroup, not the curve group), and we will refer that scalar field as "Baby Jubjub Scalar field", or $\mathbb{F}_r$ for short.

We will use additive notation. More specifically, we use:

• "$+$" to denote curve addition or field addition depending on whether we are adding curve elements or field elements

• "$\cdot$" or juxtaposition to denote field multiplication

• "$\times$" to denote scalar multiplication, in order to clearly distinguish it from field multiplication

Additionally, for byte arrays, we will use "slice" notation to specify "sub-arrays" - $\text{bytes}[K:N]$ means "from the $K$th byte up to, but not including the $N$th byte".

Furthermore, we will use all-capital letters for curve elements and all-lowercase lettrs for field elements.

Hashing

We use the Poseidon hash function defined over the $\mathbb{F}_p$, the BN254 scalar field, instantiated using the parameters set in circomlib's implementation. We will denote this function $H$.