Endo

algebra/src/curves/bls12_377/g1.rs

@@ -4,7 +4,7 @@ use crate::{
     curves::models::{ModelParameters, SWModelParameters},
     fields::{
         bls12_377::*,
-        Field, FpParameters,
+        Field,
     },
 };
 
@@ -56,10 +56,6 @@ impl SWModelParameters for Bls12_377G1Parameters {
     fn mul_by_a(_: &Self::BaseField) -> Self::BaseField {
         Self::BaseField::zero()
     }
-
-    const ENDO_COEFF: Self::BaseField = FQ_ONE;   
-
-    const ENDO_SCALAR: Self::ScalarField = field_new!(Fr, FrParameters::R);    
 }
 
 /// G1_GENERATOR_X =

algebra/src/curves/bls12_377/g2.rs

@@ -5,7 +5,7 @@ use crate::{
     curves::models::{ModelParameters, SWModelParameters},
     fields::{
         bls12_377::*,
-        Field, FpParameters,
+        Field,
     },
 };
 
@@ -80,10 +80,6 @@ impl SWModelParameters for Bls12_377G2Parameters {
     fn mul_by_a(_: &Self::BaseField) -> Self::BaseField {
         Self::BaseField::zero()
     }
-
-    const ENDO_COEFF: Self::BaseField = FQ2_ONE;   
-
-    const ENDO_SCALAR: Self::ScalarField = field_new!(Fr, FrParameters::R);
 }
 
 pub const G2_GENERATOR_X: Fq2 = field_new!(Fq2, G2_GENERATOR_X_C0, G2_GENERATOR_X_C1);

algebra/src/curves/bls12_381/g1.rs

@@ -8,7 +8,7 @@ use crate::{
     },
     fields::{
         bls12_381::*,
-        Field, FpParameters
+        Field,
     },
 };
 
@@ -63,10 +63,6 @@ impl SWModelParameters for Bls12_381G1Parameters {
     fn mul_by_a(_: &Self::BaseField) -> Self::BaseField {
         Self::BaseField::zero()
     }
-
-    const ENDO_COEFF: Self::BaseField = FQ_ONE;   
-
-    const ENDO_SCALAR: Self::ScalarField = field_new!(Fr, FrParameters::R);    
 }
 
 /// G1_GENERATOR_X =

algebra/src/curves/bls12_381/g2.rs

@@ -8,7 +8,7 @@ use crate::{
     },
     fields::{
         bls12_381::*,
-        Field, FpParameters,
+        Field,
     },
 };
 
@@ -72,10 +72,6 @@ impl SWModelParameters for Bls12_381G2Parameters {
     fn mul_by_a(_: &Self::BaseField) -> Self::BaseField {
         Self::BaseField::zero()
     }
-
-    const ENDO_COEFF: Self::BaseField = FQ2_ONE;   
-
-    const ENDO_SCALAR: Self::ScalarField = field_new!(Fr, FrParameters::R);    
 }
 
 pub const G2_GENERATOR_X: Fq2 = field_new!(Fq2, G2_GENERATOR_X_C0, G2_GENERATOR_X_C1);

algebra/src/curves/bn_382/g.rs

@@ -4,8 +4,9 @@ use crate::{
         models::short_weierstrass_jacobian::{GroupAffine, GroupProjective},
         ModelParameters, SWModelParameters,
     },
-    Field, field_new, FpParameters,
-    fields::bn_382::*
+    field_new,
+    fields::bn_382::*,
+    Field,
 };
 
 #[derive(Copy, Clone, Default, PartialEq, Eq)]
@@ -60,10 +61,6 @@ impl SWModelParameters for Bn382GParameters {
     fn mul_by_a(_: &Self::BaseField) -> Self::BaseField {
         Self::BaseField::zero()
     }
-
-    const ENDO_COEFF: Self::BaseField = field_new!(Fr, FrParameters::R);
-
-    const ENDO_SCALAR: Self::ScalarField = FQ_ONE;
 }
 
 /// G_GENERATOR_X =

algebra/src/curves/bn_382/g1.rs

@@ -3,10 +3,7 @@ use crate::{
     curves::models::{ModelParameters, SWModelParameters},
     field_new,
     fields::bn_382::*,
-    curves::{
-        models::{ModelParameters, SWModelParameters},
-    },
-    Field, field_new, FpParameters,
+    Field,
 };
 
 #[derive(Copy, Clone, Default, PartialEq, Eq)]
@@ -58,10 +55,6 @@ impl SWModelParameters for Bn382G1Parameters {
     fn mul_by_a(_: &Self::BaseField) -> Self::BaseField {
         Self::BaseField::zero()
     }
-
-    const ENDO_COEFF: Self::BaseField = FQ_ONE;   
-
-    const ENDO_SCALAR: Self::ScalarField = field_new!(Fr, FrParameters::R);
 }
 
 /// G1_GENERATOR_X =

algebra/src/curves/bn_382/g2.rs

@@ -1,8 +1,9 @@
 use crate::{
     biginteger::BigInteger384 as BigInteger,
     curves::models::{ModelParameters, SWModelParameters},
-    Field, field_new, FpParameters,
-    fields::bn_382::*
+    field_new,
+    fields::bn_382::*,
+    Field,
 };
 
 #[derive(Copy, Clone, Default, PartialEq, Eq)]
@@ -75,10 +76,6 @@ impl SWModelParameters for Bn382G2Parameters {
     fn mul_by_a(_: &Self::BaseField) -> Self::BaseField {
         Self::BaseField::zero()
     }
-
-    const ENDO_COEFF: Self::BaseField = FQ2_ONE;
-
-    const ENDO_SCALAR: Self::ScalarField = field_new!(Fr, FrParameters::R);
 }
 
 pub const G2_GENERATOR_X: Fq2 = field_new!(Fq2, G2_GENERATOR_X_C0, G2_GENERATOR_X_C1);

algebra/src/curves/check_curve_parameters.sage

@@ -1,11 +1,20 @@
 # The following Sage script check the consistency of the following curves parameters:
 #
+<<<<<<< HEAD
 #   1) P=(GENERATOR_X,GENERATOR_Y)      must belongs to the curve of equation E: y^2 = x^3 + Ax + B   
 #   2) P                                must have order equal to the MODULUS of the scalar field
 #   3) COFACTOR                         must be equal to Order(E)/Order(P)
 #   4) COFACTOR_INV                     must be the inverse of COFACTOR in the scalar Field
 #   5) ENDO_COEFF                       must be a cube root in the base field.
-#   6) ENDO_SCALAR                      must be a cube root in the scalar field and satisfy ENDO_SCALAR * (X, Y) == (ENDO_COEFF * X, Y)                                 
+#   6) ENDO_SCALAR                      must be a cube root in the scalar field and satisfy ENDO_SCALAR * (X, Y) == (ENDO_COEFF * X, Y)        
+#   7) The intersection of the plane lattice spanned by {(1, ENDO_SCALAR), (0, SCALAR_FIELD_MODULUS)} with the square [-A,A]^2 must be empty,
+#       where A = 2^65 + 2^64 + 1.                         
+=======
+#   1) P=(GENERATOR_X,GENERATOR_Y)  must belongs to the curve of equation E: y^2 = x^3 + Ax + B   
+#   2) P                                must have order equal to the MODULUS of the scalar field
+#   3) COFACTOR                         must be equal to Order(E)/Order(P)
+#   4) COFACTOR_INV                     must be the inverse of COFACTOR in the scalar Field
+>>>>>>> development
 # Open Sage Shell in the corresponding folder and run the command 
 #       "sage check_curve_paramaters sage [file_path_curve] [file_path_basefield] [file_path_scalarfield]".
 
@@ -67,10 +76,17 @@ scalar_field_name = re.findall(pattern, readfile)[0]
 fn = "(?:" + base_field_name + "|" + scalar_field_name + ")" #fn = field name = "(:?Fr|Fq)". Useful declaration for the pattern
 
 #### Reading the big integers list and extracting names and values
+<<<<<<< HEAD
 pattern = "const\s+(\w+)[:\w\s]*=\s*field_new!\([\s\w,]*\(\s*\[" + "([0-9a-fA-Fxu\s,]+)\s*" + "\]\s*\)"
 big_int_ls = re.findall(pattern,readfile)    #####list of couples of the form ('[VARIABLE_NAME]',"[u64],..,[u64]")
 
 big_int_names = [b[0] for b in big_int_ls]
+=======
+pattern = "const\s+(\w+):\s*" + fn + "\s*=\s*field_new!\(\s*" + fn + "\s*,\s*BigInteger\d*\s*\(\s*\[" + "([0-9a-fA-Fxu\s,]+)\s*" + "\]\s*\)"
+big_int_ls = re.findall(pattern,readfile)    #####list of couples of the form ('[VARIABLE_NAME]',"[u64],..,[u64]")
+
+big_int_names = [b[0] for b in big_int_ls] 
+>>>>>>> development
 big_int_values = [BigInteger_to_number(b[1]) for b in big_int_ls]
 
 BigIntegerLen = BigInteger_len(big_int_ls[0][1])
@@ -165,6 +181,7 @@ else:
 if Fr(COFACTOR) * Fr(COFACTOR_INV) == Fr(SCALAR_FIELD_R):
     print("Correct. COFACTOR_INV is the inverse of COFACTOR in the the scalar field.")
 else:
+<<<<<<< HEAD
     print("WARNING! COFACTOR_INV IS NOT THE INVERSE OF COFACTOR IN THE SCALAR FIELD!")
 ####### Checking the correctness of ENDO_COEFF and ENDO_FACTOR ############
 endo_mul_is_used = False
@@ -195,29 +212,33 @@ if endo_mul_is_used:
 ## The Halo paper (https://eprint.iacr.org/2019/1021.pdf) proves the injectivity of the endo_mul map.
 ## The injectivity of the map (a,b) |-> a\zeta + b for a,b in [0,A] (essential for using add_unsafe)
 ## is equivalent the lattice condition below.
-## In the Halo paper is explained that the condition that a*zeta + b != a'*zeta + b' for a,a',b,b' in [0,A] is equivalent
-## to the condition that min({distance(zeta*a,zeta*a'): a,a' in [0,A]}) > A. This can be plainly restated as
-## a*zeta notin [-A,A] mod r if a in [-A,A] mod r.
-## This can be restated as a lattice condition: suppose in fact that
-##      a * zeta = b mod r  for a,b in [-A,A].
+## a*zeta + b = a'*zeta_r + b' mod r   for a,a',b,b' in [0,A] 
+## is equivalent to the fact that there are non-zero solutions to 
+##      a * zeta_r = b mod r      for a,b in [-A,A].
 ## Then it would exists c such that
-##      b = a * zeta + c * r.
-## Then
-##      (a, b) = (a, c) * (1  zeta)
+##      b = a * zeta_r + c * r.
+## Any such solution correspond to a point of the lattice spanned by (1, zeta_r) and (0, r).
+##      (a, b) = (a, c) * (1  zeta_r)
 ##                        (0    r )
-## would be vector of length <= sqrt(2)*A in a lattice of  determinant r (Gaussian expectation for the shortest vector ~sqrt(r)).
-## If we show that the shortest vector in the lattice spanned by (1, zeta) and (0, r) is longer than sqrt(2)*A, then we
-## have a sufficient (but not necessary) condition.
-## We could have indeed also a necessary condition: if there were a Sage functions listing all the vector shorter than sqrt(2)*A
-## one can look at them: if none of them has both coordinates in the range [-A,A] then the parameters can be accepted
-## even if the shortest vector has length in the range (A, sqrt(2)A].
-## Anyway, due to our choice of parameters, A ~ 2^65, while sqrt(r) ~ 2^128.
-## In general it is A = 2**(l/2 + 1) + 2**(l/2), where l is the length of the input string (in endo_mul we use l = 128)
+## The injectivity is equivalent to the fact that the intersection between this lattice and [-A, A]^2
+## is trivial. To verify this we first compute a LLL reduced basis {v,w} and
+## then check if at least one of v, w, v + w, v - w is belongs to such a square.
+## If not, there can't be other lattice points in the square.
 if endo_mul_is_used:
     A = 2**65 + 2**64 
-    from sage.modules.free_module_integer import IntegerLattice
-    L = IntegerLattice([[1,int(zeta_r)],[0,SCALAR_FIELD_MODULUS]])
-    if L.shortest_vector().norm().n() <= (sqrt(2)*A).n():
-        print("WARNING! WE CAN'T USE add_unsafe FOR endo_mul")
+    L = Matrix([[1,Integer(zeta_r)],[0,SCALAR_FIELD_MODULUS]])
+    Lred = L.LLL()
+    set = [Lred.row(0), Lred.row(1), Lred.row(0) - Lred.row(1), Lred.row(0) + Lred.row(1)]
+    add_unsafe = True
+    for v in set:
+        if abs(v[0]) <= A and abs(v[1]) <= A:
+            add_unsafe = False
+    if add_unsafe:
+        print("We can use add_unsafe for endo_mul.")
+    else:
+        print("WARNING! WE CAN'T USE add_unsafe FOR endo_mul!")
 else:
-    print("endo_mul is not used for this curve.")
+    print("endo_mul is not used for this curve.")
+=======
+    print("WARNING! COFACTOR_INV IS NOT THE INVERSE OF COFACTOR IN THE SCALAR FIELD!")
+>>>>>>> development

algebra/src/curves/mnt4753/g1.rs

@@ -1,13 +1,8 @@
 use crate::field_new;
 use crate::{
     biginteger::BigInteger768,
-    curves::{
-        models::{ModelParameters, SWModelParameters},
-    },
-    fields::{
-        mnt4753::*,
-        FpParameters,
-    }
+    curves::models::{ModelParameters, SWModelParameters},
+    fields::mnt4753::{Fq, Fr},
 };
 
 #[derive(Copy, Clone, Default, PartialEq, Eq)]
@@ -83,10 +78,6 @@ impl SWModelParameters for MNT4G1Parameters {
     /// AFFINE_GENERATOR_COEFFS = (G1_GENERATOR_X, G1_GENERATOR_Y)
     const AFFINE_GENERATOR_COEFFS: (Self::BaseField, Self::BaseField) =
         (G1_GENERATOR_X, G1_GENERATOR_Y);
-
-    const ENDO_COEFF: Self::BaseField = FQ_ONE;   
-
-    const ENDO_SCALAR: Self::ScalarField = field_new!(Fr, FrParameters::R);    
 }
 
 // generator of prime order r

algebra/src/curves/mnt4753/g2.rs

@@ -3,13 +3,8 @@ use crate::curves::models::mnt4::MNT4Parameters;
 use crate::field_new;
 use crate::{
     biginteger::BigInteger768,
-    curves::{
-        models::{ModelParameters, SWModelParameters},
-    },
-    fields::{
-        mnt4753::*,
-        FpParameters,
-    },
+    curves::models::{ModelParameters, SWModelParameters},
+    fields::mnt4753::{Fq, Fq2, Fr},
 };
 
 #[derive(Copy, Clone, Default, PartialEq, Eq)]
@@ -128,14 +123,6 @@ impl SWModelParameters for MNT4G2Parameters {
     fn mul_by_a(elt: &Fq2) -> Fq2 {
         field_new!(Fq2, MUL_BY_A_C0 * &elt.c0, MUL_BY_A_C1 * &elt.c1,)
     }
-
-    const ENDO_COEFF: Self::BaseField = field_new!(
-        Fq2,
-        FQ_ONE,
-        FQ_ZERO
-    );
-
-    const ENDO_SCALAR: Self::ScalarField = field_new!(Fr, FrParameters::R);    
 }
 
 const G2_GENERATOR_X: Fq2 = field_new!(Fq2, G2_GENERATOR_X_C0, G2_GENERATOR_X_C1);

algebra/src/curves/mnt6/g1.rs

@@ -7,10 +7,7 @@ use crate::{
         short_weierstrass_projective::{GroupAffine, GroupProjective},
         AffineCurve,
     },
-    fields::{
-        mnt6::*,
-        FpParameters,
-    },
+    fields::mnt6::*,
 };
 use crate::{field_new, FromBytes};
 use serde::{Deserialize, Serialize};
@@ -72,11 +69,6 @@ impl SWModelParameters for MNT6G1Parameters {
     /// AFFINE_GENERATOR_COEFFS = (G1_GENERATOR_X, G1_GENERATOR_Y)
     const AFFINE_GENERATOR_COEFFS: (Self::BaseField, Self::BaseField) =
         (G1_GENERATOR_X, G1_GENERATOR_Y);
-
-
-    const ENDO_COEFF: Self::BaseField = FQ_ONE;   
-
-    const ENDO_SCALAR: Self::ScalarField = field_new!(Fr, FrParameters::R);    
 }
 
 /// G1_GENERATOR_X =

algebra/src/curves/mnt6/g2.rs

@@ -7,10 +7,7 @@ use crate::{
         short_weierstrass_projective::{GroupAffine, GroupProjective},
         AffineCurve,
     },
-    fields::{
-        mnt6::*,
-        FpParameters,
-    },
+    fields::mnt6::*,
 };
 use crate::{field_new, FromBytes};
 use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
@@ -115,15 +112,6 @@ impl SWModelParameters for MNT6G2Parameters {
             MUL_BY_A_C2 * &elt.c0,
         )
     }
-
-    const ENDO_COEFF: Self::BaseField = field_new!(
-        Fq3,
-        FQ_ONE,
-        FQ_ZERO,
-        FQ_ZERO,
-    );
-
-    const ENDO_SCALAR: Self::ScalarField = field_new!(Fr, FrParameters::R);    
 }
 
 const G2_GENERATOR_X: Fq3 =

algebra/src/curves/mnt6753/g1.rs

@@ -1,13 +1,8 @@
 use crate::field_new;
 use crate::{
     biginteger::BigInteger768,
-    curves::{
-        models::{ModelParameters, SWModelParameters},
-    },
-    fields::{
-        mnt6753::*,
-        FpParameters,
-    },
+    curves::models::{ModelParameters, SWModelParameters},
+    fields::mnt6753::{Fq, Fr},
 };
 
 #[derive(Copy, Clone, Default, PartialEq, Eq)]
@@ -83,10 +78,6 @@ impl SWModelParameters for MNT6G1Parameters {
 
     const AFFINE_GENERATOR_COEFFS: (Self::BaseField, Self::BaseField) =
         (G1_GENERATOR_X, G1_GENERATOR_Y);
-
-    const ENDO_COEFF: Self::BaseField = FQ_ONE;   
-
-    const ENDO_SCALAR: Self::ScalarField = field_new!(Fr, FrParameters::R);    
 }
 
 //generator of prime order r