
Fix: Bandersnatch GLV scalar multiplication #1271

Open · wants to merge 8 commits into master

Conversation

yelhousni (Contributor) commented Sep 6, 2024

Description

Fixes #268

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

How has this been tested?

TestCurve for Bandersnatch passes when using scalarMulGLV.

How has this been benchmarked?

Bandersnatch in R1CS:
  • 2-bit windowed double-and-add: 3,314
  • GLV: 2,735

Bandersnatch in SCS:
  • 2-bit windowed double-and-add: 5,991
  • GLV: 6,077

So the GLV saves 579 r1cs but adds 86 scs, which is because of the non-native scalar decomposition check. In this PR we use GLV only if endomorphism + R1CS.

Checklist:

  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • I did not modify files generated from templates
  • golangci-lint does not output errors locally
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

@yelhousni yelhousni marked this pull request as draft September 6, 2024 00:07
@yelhousni yelhousni marked this pull request as ready for review September 6, 2024 15:00
@yelhousni yelhousni self-assigned this Sep 6, 2024
@yelhousni yelhousni added the bug Something isn't working label Sep 6, 2024
@yelhousni yelhousni added this to the v0.9.0 milestone Sep 6, 2024
gbotrel (Collaborator) left a comment

A remark, that probably applies to other neighbor packages:

I checked the call graph to see how it is tested, and it seems we just test with testData --> with random scalars.

Should we add some edge case tests? (i.e. scalar at 0, p-1, 1, ...)

yelhousni (Contributor, Author)

> A remark, that probably applies to other neighbor packages:
>
> I checked the call graph to see how it is tested, and it seems we just test with testData --> with random scalars.
>
> Should we add some edge case tests? (i.e. scalar at 0, p-1, 1, ...)

Yes indeed we should test edge cases. We already do so for emulated and native SW packages. Here it should be easier because formulas are complete.
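The two points raised in this thread, the non-native scalar decomposition check from the PR description and the edge-case scalars 0, 1 and r-1 from the review, as an added example that is not part of this PR or of gnark's code. It builds the GLV lattice basis with the extended Euclidean algorithm, decomposes a scalar k into short halves with k1 + k2·λ ≡ k (mod r), and applies the relation a circuit would have to enforce on hinted halves. All parameters are constructed: r = 2^61-1 with λ a cube root of unity mod r stands in for Bandersnatch's subgroup order and endomorphism eigenvalue, and the group is modelled as Z_r (a "point" is a residue, ψ is multiplication by λ) so that the scalar algebra can be exercised without curve arithmetic; every function name is this example's own.

```go
package main

import "math/big"

// Constructed toy parameters (not Bandersnatch's real order or eigenvalue):
// r = 2^61-1 is prime and lambda is a primitive cube root of unity mod r,
// standing in for the eigenvalue of an endomorphism psi with psi(P) = lambda*P.
var (
	toyR      = new(big.Int).SetUint64(1<<61 - 1)
	toyLambda = cubeRootOfUnity(toyR)
)

// cubeRootOfUnity returns lambda != 1 with lambda^3 = 1 (mod r); needs 3 | r-1.
func cubeRootOfUnity(r *big.Int) *big.Int {
	exp := new(big.Int).Div(new(big.Int).Sub(r, big.NewInt(1)), big.NewInt(3))
	for g := int64(2); ; g++ {
		if l := new(big.Int).Exp(big.NewInt(g), exp, r); l.Cmp(big.NewInt(1)) != 0 {
			return l
		}
	}
}

// Vec is a vector of the lattice L = {(a, b) : a + b*lambda = 0 (mod r)}.
type Vec struct{ X, Y *big.Int }

func infNorm(v Vec) *big.Int {
	ax, ay := new(big.Int).Abs(v.X), new(big.Int).Abs(v.Y)
	if ax.Cmp(ay) < 0 {
		return ay
	}
	return ax
}

// latticeBasis is the GLV construction: extended Euclid on (r, lambda) gives
// rem[i] = s[i]*r + t[i]*lambda, so (rem[i], -t[i]) lies in L; v1 comes from
// the first remainder below sqrt(r) and v2 is the shorter of its neighbours.
func latticeBasis(r, lambda *big.Int) (v1, v2 Vec) {
	rem := []*big.Int{new(big.Int).Set(r), new(big.Int).Set(lambda)}
	t := []*big.Int{big.NewInt(0), big.NewInt(1)}
	for rem[len(rem)-1].Sign() != 0 {
		i := len(rem) - 1
		q := new(big.Int).Quo(rem[i-1], rem[i])
		rem = append(rem, new(big.Int).Sub(rem[i-1], new(big.Int).Mul(q, rem[i])))
		t = append(t, new(big.Int).Sub(t[i-1], new(big.Int).Mul(q, t[i])))
	}
	m, sqrtR := 0, new(big.Int).Sqrt(r)
	for rem[m+1].Cmp(sqrtR) >= 0 { // m = largest index with rem[m] >= sqrt(r)
		m++
	}
	v1 = Vec{rem[m+1], new(big.Int).Neg(t[m+1])}
	v2 = Vec{rem[m], new(big.Int).Neg(t[m])}
	if b := (Vec{rem[m+2], new(big.Int).Neg(t[m+2])}); infNorm(b).Cmp(infNorm(v2)) < 0 {
		v2 = b
	}
	return v1, v2
}

// roundDiv returns the integer nearest to n/d (ties away from zero).
func roundDiv(n, d *big.Int) *big.Int {
	q, rem := new(big.Int).QuoRem(n, d, new(big.Int)) // truncates toward zero
	if twice := new(big.Int).Abs(rem); twice.Lsh(twice, 1).Cmp(new(big.Int).Abs(d)) >= 0 {
		if (n.Sign() < 0) != (d.Sign() < 0) {
			q.Sub(q, big.NewInt(1))
		} else {
			q.Add(q, big.NewInt(1))
		}
	}
	return q
}

// decompose returns short (k1, k2) with k1 + k2*lambda = k (mod r): solve
// (k, 0) = b1*v1 + b2*v2 over Q, round the coefficients (Babai) and keep the
// remainder vector, whose entries are at most (|v1| + |v2|)/2 in absolute value.
func decompose(k, r, lambda *big.Int) (k1, k2 *big.Int) {
	v1, v2 := latticeBasis(r, lambda)
	det := new(big.Int).Sub(new(big.Int).Mul(v1.X, v2.Y), new(big.Int).Mul(v2.X, v1.Y)) // +-r
	c1 := roundDiv(new(big.Int).Mul(k, v2.Y), det)
	c2 := roundDiv(new(big.Int).Neg(new(big.Int).Mul(k, v1.Y)), det)
	k1 = new(big.Int).Sub(k, new(big.Int).Mul(c1, v1.X))
	k1.Sub(k1, new(big.Int).Mul(c2, v2.X))
	k2 = new(big.Int).Neg(new(big.Int).Mul(c1, v1.Y))
	k2.Sub(k2, new(big.Int).Mul(c2, v2.Y))
	return k1, k2
}

// checkDecomposition is what a circuit must enforce on hinted (k1, k2): the
// congruence (non-native when r is not the circuit's field) plus a bit bound.
func checkDecomposition(k, k1, k2, r, lambda *big.Int, maxBits int) bool {
	lhs := new(big.Int).Add(new(big.Int).Mul(lambda, k2), k1)
	return new(big.Int).Mod(lhs.Sub(lhs, k), r).Sign() == 0 && k1.BitLen() <= maxBits && k2.BitLen() <= maxBits
}

// glvMulModel models the group as Z_r written additively (a "point" is a residue,
// psi is multiplication by lambda) and computes k*P as k1*P + k2*psi(P).
func glvMulModel(k, p, r, lambda *big.Int) *big.Int {
	k1, k2 := decompose(k, r, lambda)
	acc := new(big.Int).Mul(k1, p)
	acc.Add(acc, new(big.Int).Mul(new(big.Int).Mul(k2, lambda), p))
	return acc.Mod(acc, r)
}
```

The halves are kept as signed integers here; on a curve a negative half is handled by negating the base point. The bit-length bound is part of the check for a reason: the in-circuit double-and-add processes a fixed number of bits per half, so a hinted (k1, k2) that satisfies the congruence but does not fit in that many bits must be rejected rather than silently truncated.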

ivokub (Collaborator) left a comment

Looks perfect! I only added some comments about what my local linter mentioned (unused arguments in methods).

Review comments on std/algebra/native/twistededwards/point.go (outdated, resolved)
@yelhousni yelhousni requested a review from ivokub October 15, 2024 18:16
ivokub (Collaborator) left a comment

Looks good again. Maybe we should add a comment to the Curve interface that the methods ScalarMul, Add etc. do not check that point is on the curve.

For the future, it would be nice to also implement this - #1159. There was actually a discussion related to it just recently - #1292

@ivokub ivokub removed this from the v0.9.0 milestone Oct 22, 2024
Labels: bug (Something isn't working)

Successfully merging this pull request may close these issues: Hinted scalar decomposition in a gadget

3 participants