kayabanerve[m]: what would happen if you just use ed25519 for both curves in a curve tree (just add a constraint that the child point coordinate is congruent with the parent scalar, instead of equal)?

That's not how it works, at all, because it needs to curve operations over the embedded curve. That means we'd do a single proof over an Ed25519 tower, not Ed25518.

We'd have to do the congruency in ZK, which is expensive. Naively, it's non-native field arithmetic, which requires rebuilding the field over bits.

Several times larger circuits.

Despite my tone, sorry for being harsh, it'd be worthwhile if you have an efficient congruence in ZK.

I see

can you do x*scalar == coordinate with a range proof on x?

I may sketch out the exact requirements later. It's def worth further consideration to know the exact bound.

AFAIK, it breaks the curve formula. That's the issue

Reducing TowField to TowScalar will break the xy relationship. You'd need to calculate a new y.

If that allows proving a point's negative, it may require a new range proof/in-membership composition proof?

not sure I follow, isn't curve trees already using compressed points?

Then it's branch hash congruent must be unblinded to in circuit.

That requires applying the congruence on the blinded point, and still knowing the blind between the congruences.

You wouldn't maintain knowledge of dlog through the congruence though.

And if you unblind first, then it's non-native field arith. Very expensive.

UkoeHB: We still check y validity. We then drop y.

The issue with this is it drops the y entirely. Not dropping a y we know to be valid.

So you need a congruence that's an isomorphism, preserving knowledge of the dlog between C(P) and C(B) given the dlog of P - B, and a way to not allow proving negatives.

The first is the issue. I'm not saying that's impossible. It's past me. The fact you then need a efficient ZK proof of it though?

And AFAIK this isomorphism requires the tower have an identical order to the embedded curve. I believe that would make it impossible

(Truly not my field though)

I wouldn't be surprised if it's possible to construct. I'd be surprised if it's secure. At all.

it would be nice to know exactly how insecure, if you only lose 3 bits it might be worth at least looking at

I'm pretty sure DLog over fields with equivalent order is trivially broken.

It was a random insight I heard when I saw it asked why do scalars have a distinct field. While technically, distinct fields are here, you're asking for an isomorphism from a curve with order m to a curve with order n. I wouldn't be surprised if that implies a solution to the discrete log problem, or requires the orders to be equal. For the orders to be equal, the scalar and field element fields have to be the same.

Obviously, not my field of expertise. I'd point to tevador or sarang, then to people affiliated with unis to clarify.

As for non native field arith, that's a bit decomposition of every item. Very very expensive.