Added cofactors to non-edwardian curve interfaces (#50)

* Added cofactors to non-edwardian curve interfaces

* Added mnt sage script

* Added more sage and fixed mnt4 g2 cofactor

libff/algebra/curves/alt_bn128/README.md

@@ -0,0 +1,10 @@
+# Implementation of altbn128
+
+## Run the sage script to generate the curve parameters
+
+1. Make sure that you have [SageMath](https://www.sagemath.org/) installed
+
+2. Run:
+```bash
+sage alt_bn128.sage
+```

libff/algebra/curves/alt_bn128/alt_bn128.sage

@@ -0,0 +1,66 @@
+#!/usr/bin/env sage -python
+
+from sage.all import *
+import sys
+sys.path.append("../")
+import params_generator
+
+# Prime order of the subgroup we work in
+def r(x):
+    return 36*(x**4) + 36*(x**3) + 18*(x**2) + 6*x + 1
+
+# Prime used to generate the base finite field
+def q(x):
+    return 36*(x**4) + 36*(x**3) + 24*(x**2) + 6*x + 1
+
+# Compute G2 cofactor
+# See: Proposition 1, Section 3.3: https://eprint.iacr.org/2015/247.pdf
+def g2_h(x):
+    return 36*x^4+ 36*x^3+ 30*x^2+ 6*x + 1
+
+# Computes the order of G1, the safe subgroup of E/Fq
+def g1_order(curve_order):
+    decomposition = factor(curve_order)
+    # Factor returns the prime decomposition and orders prime
+    # factors from smaller to biggest
+    biggest_factor = decomposition[-1]
+    assert(biggest_factor[1] == 1)
+    return biggest_factor[0]
+
+def main():
+    print("Generating parameters for alt_bn128")
+    # Curve parameter
+    param = 0x44e992b44a6909f1
+
+    prime_r = r(param)
+    assert(prime_r == 21888242871839275222246405745257275088548364400416034343698204186575808495617)
+
+    prime_q = q(param)
+    assert(prime_q == 21888242871839275222246405745257275088696311157297823662689037894645226208583)
+    if (mod(prime_q, 6) != 1):
+        raise BaseException("Unexpected: q should be = 1 (mod 6). See: https://eprint.iacr.org/2007/390.pdf")
+
+    # Scalar field
+    print('prime_r = {}'.format(prime_r))
+    #params_generator.generate_libff_Fp_model_params(prime_r)
+    Fr = GF(prime_r)
+
+    # Base field
+    print('prime_q = {}'.format(prime_q))
+    #params_generator.generate_libff_Fp_model_params(prime_q)
+    Fq = GF(prime_q)
+
+    # E/Fq
+    curve = EllipticCurve(Fq, [0, 3])
+    curve_order = curve.order()
+
+    # Cofactors
+    h1 = curve_order // g1_order(curve_order)
+    # G1 cofactor should be 1
+    assert(h1 == 1)
+    print('h1 = {}'.format(h1))
+    h2 = g2_h(param)
+    print('h2 = {}'.format(h2))
+
+if __name__ == '__main__':
+    main()

libff/algebra/curves/alt_bn128/alt_bn128_g1.cpp

@@ -19,6 +19,7 @@ std::vector<size_t> alt_bn128_G1::fixed_base_exp_window_table;
 alt_bn128_G1 alt_bn128_G1::G1_zero = {};
 alt_bn128_G1 alt_bn128_G1::G1_one = {};
 bool alt_bn128_G1::initialized = false;
+bigint<alt_bn128_G1::h_limbs> alt_bn128_G1::h;
 
 alt_bn128_G1::alt_bn128_G1()
 {
@@ -319,6 +320,12 @@ alt_bn128_G1 alt_bn128_G1::dbl() const
     return alt_bn128_G1(X3, Y3, Z3);
 }
 
+alt_bn128_G1 alt_bn128_G1::mul_by_cofactor() const
+{
+    // Cofactor = 1
+    return *this;
+}
+
 bool alt_bn128_G1::is_well_formed() const
 {
     if (this->is_zero())

libff/algebra/curves/alt_bn128/alt_bn128_g1.hpp

@@ -33,6 +33,11 @@ class alt_bn128_G1 {
     typedef alt_bn128_Fq base_field;
     typedef alt_bn128_Fr scalar_field;
 
+    // Cofactor
+    static const mp_size_t h_bitcount = 1;
+    static const mp_size_t h_limbs = (h_bitcount+GMP_NUMB_BITS-1)/GMP_NUMB_BITS;
+    static bigint<h_limbs> h;
+
     alt_bn128_Fq X, Y, Z;
 
     // using Jacobian coordinates
@@ -58,6 +63,7 @@ class alt_bn128_G1 {
     alt_bn128_G1 add(const alt_bn128_G1 &other) const;
     alt_bn128_G1 mixed_add(const alt_bn128_G1 &other) const;
     alt_bn128_G1 dbl() const;
+    alt_bn128_G1 mul_by_cofactor() const;
 
     bool is_well_formed() const;
 

libff/algebra/curves/alt_bn128/alt_bn128_g2.cpp

@@ -19,6 +19,7 @@ std::vector<size_t> alt_bn128_G2::fixed_base_exp_window_table;
 alt_bn128_G2 alt_bn128_G2::G2_zero = {};
 alt_bn128_G2 alt_bn128_G2::G2_one = {};
 bool alt_bn128_G2::initialized = false;
+bigint<alt_bn128_G2::h_limbs> alt_bn128_G2::h;
 
 alt_bn128_G2::alt_bn128_G2()
 {
@@ -336,6 +337,11 @@ alt_bn128_G2 alt_bn128_G2::mul_by_q() const
                       (this->Z).Frobenius_map(1));
 }
 
+alt_bn128_G2 alt_bn128_G2::mul_by_cofactor() const
+{
+    return alt_bn128_G2::h * (*this);
+}
+
 bool alt_bn128_G2::is_well_formed() const
 {
     if (this->is_zero())

libff/algebra/curves/alt_bn128/alt_bn128_g2.hpp

@@ -34,6 +34,11 @@ class alt_bn128_G2 {
     typedef alt_bn128_Fq2 twist_field;
     typedef alt_bn128_Fr scalar_field;
 
+    // Cofactor
+    static const mp_size_t h_bitcount = 256;
+    static const mp_size_t h_limbs = (h_bitcount+GMP_NUMB_BITS-1)/GMP_NUMB_BITS;
+    static bigint<h_limbs> h;
+
     alt_bn128_Fq2 X, Y, Z;
 
     // using Jacobian coordinates
@@ -62,6 +67,7 @@ class alt_bn128_G2 {
     alt_bn128_G2 mixed_add(const alt_bn128_G2 &other) const;
     alt_bn128_G2 dbl() const;
     alt_bn128_G2 mul_by_q() const;
+    alt_bn128_G2 mul_by_cofactor() const;
 
     bool is_well_formed() const;
 

libff/algebra/curves/alt_bn128/alt_bn128_init.cpp

@@ -150,6 +150,9 @@ void init_alt_bn128_params()
                                     alt_bn128_Fq::one());
     alt_bn128_G1::initialized = true;
 
+    // Cofactor
+    alt_bn128_G1::h = bigint<alt_bn128_G1::h_limbs>("1");
+
     alt_bn128_G1::wnaf_window_table.resize(0);
     alt_bn128_G1::wnaf_window_table.push_back(11);
     alt_bn128_G1::wnaf_window_table.push_back(24);
@@ -215,6 +218,14 @@ void init_alt_bn128_params()
                                     alt_bn128_Fq2::one());
     alt_bn128_G2::initialized = true;
 
+    // Cofactor
+    // [Sage excerpt]
+    // See: https://eprint.iacr.org/2015/247.pdf
+    // u = 4965661367192848881
+    // h2 = (36 * u^4) + (36 * u^3) + (30 * u^2) + 6*u + 1; h2
+    // # 21888242871839275222246405745257275088844257914179612981679871602714643921549
+    alt_bn128_G2::h = bigint<alt_bn128_G2::h_limbs>("21888242871839275222246405745257275088844257914179612981679871602714643921549");
+
     alt_bn128_G2::wnaf_window_table.resize(0);
     alt_bn128_G2::wnaf_window_table.push_back(5);
     alt_bn128_G2::wnaf_window_table.push_back(15);

libff/algebra/curves/bn128/bn128_g1.cpp

@@ -20,6 +20,7 @@ std::vector<size_t> bn128_G1::fixed_base_exp_window_table;
 bn128_G1 bn128_G1::G1_zero = {};
 bn128_G1 bn128_G1::G1_one = {};
 bool bn128_G1::initialized = false;
+bigint<bn128_G1::h_limbs> bn128_G1::h;
 
 bn::Fp bn128_G1::sqrt(const bn::Fp &el)
 {
@@ -337,6 +338,12 @@ bn128_G1 bn128_G1::dbl() const
     return result;
 }
 
+bn128_G1 bn128_G1::mul_by_cofactor() const
+{
+    // Cofactor = 1
+    return (*this);
+}
+
 bn128_G1 bn128_G1::zero()
 {
     return G1_zero;

libff/algebra/curves/bn128/bn128_g1.hpp

@@ -37,6 +37,11 @@ class bn128_G1 {
     typedef bn128_Fq base_field;
     typedef bn128_Fr scalar_field;
 
+    // Cofactor
+    static const mp_size_t h_bitcount = 1;
+    static const mp_size_t h_limbs = (h_bitcount+GMP_NUMB_BITS-1)/GMP_NUMB_BITS;
+    static bigint<h_limbs> h;
+
     bn::Fp X, Y, Z;
     void fill_coord(bn::Fp coord[3]) const { coord[0] = this->X; coord[1] = this->Y; coord[2] = this->Z; return; };
 
@@ -62,6 +67,7 @@ class bn128_G1 {
     bn128_G1 add(const bn128_G1 &other) const;
     bn128_G1 mixed_add(const bn128_G1 &other) const;
     bn128_G1 dbl() const;
+    bn128_G1 mul_by_cofactor() const;
 
     bool is_well_formed() const;
 

libff/algebra/curves/bn128/bn128_g2.cpp

@@ -20,6 +20,7 @@ std::vector<size_t> bn128_G2::fixed_base_exp_window_table;
 bn128_G2 bn128_G2::G2_zero = {};
 bn128_G2 bn128_G2::G2_one = {};
 bool bn128_G2::initialized = false;
+bigint<bn128_G2::h_limbs> bn128_G2::h;
 
 bn::Fp2 bn128_G2::sqrt(const bn::Fp2 &el)
 {
@@ -337,6 +338,11 @@ bn128_G2 bn128_G2::dbl() const
     return result;
 }
 
+bn128_G2 bn128_G2::mul_by_cofactor() const
+{
+    return bn128_G2::h * (*this);
+}
+
 bool bn128_G2::is_well_formed() const
 {
     if (this->is_zero())

libff/algebra/curves/bn128/bn128_g2.hpp

@@ -38,6 +38,11 @@ class bn128_G2 {
     typedef bn128_Fq base_field;
     typedef bn128_Fr scalar_field;
 
+    // Cofactor
+    static const mp_size_t h_bitcount = 256;
+    static const mp_size_t h_limbs = (h_bitcount+GMP_NUMB_BITS-1)/GMP_NUMB_BITS;
+    static bigint<h_limbs> h;
+
     bn::Fp2 X, Y, Z;
     void fill_coord(bn::Fp2 coord[3]) const { coord[0] = this->X; coord[1] = this->Y; coord[2] = this->Z; };
 
@@ -63,6 +68,7 @@ class bn128_G2 {
     bn128_G2 add(const bn128_G2 &other) const;
     bn128_G2 mixed_add(const bn128_G2 &other) const;
     bn128_G2 dbl() const;
+    bn128_G2 mul_by_cofactor() const;
 
     bool is_well_formed() const;
 

libff/algebra/curves/bn128/bn128_init.cpp

@@ -108,6 +108,9 @@ void init_bn128_params()
 
     bn128_G1::initialized = true;
 
+    // Cofactor
+    bn128_G1::h = bigint<bn128_G1::h_limbs>("1");
+
     bn128_G1::wnaf_window_table.resize(0);
     bn128_G1::wnaf_window_table.push_back(10);
     bn128_G1::wnaf_window_table.push_back(24);
@@ -173,6 +176,9 @@ void init_bn128_params()
 
     bn128_G2::initialized = true;
 
+    // Cofactor
+    bn128_G2::h = bigint<bn128_G2::h_limbs>("21888242871839275222246405745257275088844257914179612981679871602714643921549");
+
     bn128_G2::wnaf_window_table.resize(0);
     bn128_G2::wnaf_window_table.push_back(7);
     bn128_G2::wnaf_window_table.push_back(18);

libff/algebra/curves/mnt/README.md

@@ -0,0 +1,10 @@
+# Implementation of the MNT4/6 cycle
+
+## Run the sage script to generate the curve parameters
+
+1. Make sure that you have [SageMath](https://www.sagemath.org/) installed
+
+2. Run:
+```bash
+sage mnt.sage
+```