# Elliptic curves

The cryptographic protocols used for confidential transfers in the Findora network rely on an implementation of elliptic curve operations. The curve used by Findora is Curve25519. Some of the protocols use the Ristretto group on Curve25519, which is a special subset of the points on the curve. Optimizations for implementing curve arithmetic in the Ristretto group are omitted from this specification. The main implemented functions that will be referenced in this specification are:

*ec_add*([curve_point]*G*, [curve_point]*H*): This implements curve point addition on Curve25519. It takes a curve point*G*and a curve point*H*and outputs the curve point*G*+*H*. Note that curve point addition has very different properties from integer addition.

*ec_scalar_multiply*([int]*r*, [curve_point]*G*): This implements curve point scalar multiplication. It gives an identical result to taking*r*identical copies of the curve point*G*and adding them together using curve point addition.

For the anonymous credential operations, Findora uses a separate elliptic curve which additionally supports a pairing operation. The pairing is a bilinear map between curve points. Findora uses the curve BLS12-381 which provides an optimal tradeoff between efficiency and security. The pairing operation is specified below:

*ec_pairing*([curve_point]*A*, [curve_point]*B*): This implements the pairing operation. The pairing is a bilinear map that takes in two curve points*A*and*B*and outputs an integer field element denoted by*T*=*e*(*A*,*B*). The pairing has the property that if*A*=*a***G*and*B*=*b***H*then*e*(*A*,*B*) = (ab)*e(G,H) for arbitrary curve points*G*,*H*and scalars*a*and*b*.