Instead of having the Group crate hold a Subgroup associated type (and
thus needing to define the subgroup of a prime-order group as itself),
we specify two separate sets of traits for prime-order groups and ones
with a cofactor.
Protocol implementors can either restrict their implementations to only
work with PrimeGroup, or can explicitly choose to support CofactorGroup
and then explicitly handle the subgroup edge cases with e.g.
CofactorGroup::mul_by_cofactor (which would be a no-op for PrimeGroup).
Protocol implementors can also choose to specialise to elliptic curves
if they want to leverage an affine representation and mixed addition in
their protocol for efficiency, or they can ignore those traits and stick
with the simpler group-focused traits.
Now that PrimeField::ReprEndianness exists, users can obtain a
known-endianness representation from the output of PrimeField::char
(which is a PrimeField::Repr, and should return a representation with
the same endianness as PrimeField::into_repr).
ff_derive still implements Ord and PartialOrd for the fields it
implements, because pairing::bls12_381 internally assumes that those are
implemented. Once we delete that implementation, we will remove the Ord
and PartialOrd implementations from ff_derive.
This enables generic code to reliably operate on the bits of an encoded
field element, by converting them to and from a known (little)
endianness.
The BitAnd and Shr bounds on PrimeField are now removed, as users can
perform these operations themselves as needed.
The sqrt() function is now part of the Field trait. ff_derive returns an
error on fields for which it does not support generating a square root
function.
Note that Fq6 and Fq12 in pairing::bls12_381 leave the function
unimplemented. They will be dropped once the migration to the bls12_381
crate is complete. The equivalent structs in that crate are not exposed.
The trait is implemented by default for u8 and u64, allowing pow_vartime
to be used with both the byte encoding and limb representation of field
elements.
Uses the addchain crate to obtain an addition chain for the exponent,
and then generates the corresponding constant-time square-and-multiply
algorithm.
Building ff with the std feature flag was previously broken because it
required importing byteorder functionality behind the byteorder/std
feature flag. We don't use byteorder inside ff in no_std mode, so we can
just make it optional.
WARNING: THIS IS NOT ACTUALLY CONSTANT TIME YET!
The jubjub and bls12_381 crates will replace our constant-time usages,
but we NEED to fix ff_derive because other users will expect it to
implement the Field trait correctly.
The ff_derive, pairing, zcash_primitives::jubjub, and bellman dummy_engine
changes are minimally implemented on top of the existing *_assign()
functions.
Jack Grigg
Sean Bowe
NikVolf
Eirik Ogilvie-Wigley