Commit Graph

87 Commits

Author SHA1 Message Date
Daira Hopwood 3523aee87f hashtocurve.sage: fix a bug due to inadvertently relying on values calculated by debug code.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-02 02:22:01 +00:00
Daira Hopwood fd7283a979 Make map_to_curve_simple_swu take a single input again (since we no longer need batch inversion).
Also make it clearer that we don't depend on Sage's elliptic curve impl except for debugging.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-02 00:50:42 +00:00
Daira Hopwood c0f2b2d8b6 Correct a comment.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-02 00:20:36 +00:00
Daira Hopwood 4a3a34feea Improve comments and cost accounting.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-01 19:44:32 +00:00
Daira Hopwood 50d3e83467 Implement the optimization from [WB2019, section 4.2] that removes the remaining inversion.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-01 03:37:41 +00:00
Daira Hopwood 391e67f250 hashtocurve.sage: correct a comment.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-31 15:26:20 +00:00
Daira Hopwood 112983e667 hashtocurve: allow use of the sqrt optimization with the Z recommended by the Internet Draft.
This also makes the sqrt and hash-to-curve implementations depend on each other less strongly.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-31 13:45:35 +00:00
Daira Hopwood ef3405dd20 Add an optimization from [WB2019, section 4.2] that saves a square root for each map_to_curve.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-31 03:35:50 +00:00
Daira Hopwood 71afc68f7d hashtocurve.sage: add Jacobian coordinate implementation that avoids two of the three inversions.
Do not base production code on this yet!

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-30 16:09:25 +00:00
Daira Hopwood 7df33f4ce4 hashtocurve.sage: more realistic use of Montgomery's trick.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-29 17:58:50 +00:00
Daira Hopwood 96fd2c794e [WIP] Add a prototype implementation of hash-to-curve. This intends to implement the Internet Draft but has not been checked.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-29 17:58:50 +00:00
Daira Hopwood 7afb4e0d75 Add variant of the table-based square root that uses 16-entry tables.
This could in principle be made truly constant-time.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-29 12:50:16 +00:00
Daira Hopwood be58b5e128 Addition chains for 7^-1 (mod p-1, q-1).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-12 22:44:56 +00:00
Daira Hopwood ad02b756cd Addition chains for 5^-1 (mod p-1, q-1).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-12 16:46:32 +00:00
Daira Hopwood 56945c09e0 Import sys explicitly rather than relying on sage to do it.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-30 13:28:25 +00:00
Daira Hopwood bf740d64b8 Add some nice assertions and tests to make it clearer what is going on.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-30 13:17:18 +00:00
Daira Hopwood 7bf9015957 Assert that there are no collisions in invtab.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-30 12:00:50 +00:00
Daira Hopwood 79738d2cb7 Improve the perfect hash function.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-30 10:43:17 +00:00
Daira Hopwood bda5810e46 Python 2 compatibility.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-30 10:42:55 +00:00
Daira Hopwood a8b6b48b91 Include the cost of checking the result in the squaring cost.
(The algorithm will return a nonsense result for non-squares if we don't do this check.)

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 20:47:58 +00:00
Daira Hopwood 25dd9f0ed9 squareroottab.sage: remove unused instance variables.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 20:45:12 +00:00
Daira Hopwood 223b60825c Save one squaring.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 20:38:58 +00:00
Daira Hopwood d45dd14238 Make squareroot.sage more similar to squareroottab.sage to facilitate comparison.
(This is actually a slight pessimisation, but we're not going to use the non-table-based variant.)

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 20:35:36 +00:00
Daira Hopwood e7f9d2cef6 squareroot.sage: turn off VERBOSE and EXPENSIVE.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 20:04:14 +00:00
Daira Hopwood b26d051c59 Slightly optimize addition chain for Fq.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 20:03:25 +00:00
Daira Hopwood 5bfaa90bf7 squareroottab.sage: inlining and shift microoptimizations.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 19:29:32 +00:00
Daira Hopwood 49878117db squareroottab.sage: inline eval, and remove an unused part of gtab[3].
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 19:03:43 +00:00
Daira Hopwood debab754cb squareroottab.sage: remove redundant code.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 18:45:04 +00:00
Daira Hopwood 4f47706877 Add table-based variant of square root.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 18:43:07 +00:00
Daira Hopwood fbd6f3b1bb squareroot.sage: improve debugging.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 18:42:33 +00:00
Daira Hopwood 6d9e412d8d squareroot.sage: do expensive assertions only if DEBUG is set.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-28 15:34:45 +00:00
Daira Hopwood 1d2c5d0826 squareroot.sage: optimize precomputation.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-28 15:33:54 +00:00
Daira Hopwood 77524ce1a6 Prototype implementation of square roots on the Pasta fields (addition chains and Sarkar's algorithm).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-28 14:37:56 +00:00
Daira Hopwood 15a23b3b3b README: cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-27 09:35:53 +00:00
Daira Hopwood 8f82a22d2c Remove requirement for sortedcontainers.
(This is less efficient, but it doesn't matter in practice, and people were having trouble
installing it in the same Python as used by sage.)

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-27 09:35:20 +00:00
Daira Hopwood 62e25b428a README: update for checksumsets etc.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-23 01:24:03 +00:00
Daira Hopwood e3c1e1cd53 checksumsets.py: fix an off-by-one error in the final frames of the animation (not the actual check).
Also update the animations for the Pasta curves.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-23 01:09:28 +00:00
Daira Hopwood d74fbbcd01 Python 3 portability.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-23 01:09:28 +00:00
Daira Hopwood cb6ef790f9 Update parameters for Pallas/Vesta.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-23 01:09:28 +00:00
Daira Hopwood 1cd1766100 Pallas/Vesta README.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-23 01:09:28 +00:00
Daira Hopwood a35294b64f Updates for Pallas/Vesta.
Use `sage amicable.sage --sequential --requireisos --sortpq --ignoretwist --nearpowerof2 255 32` to generate the Pallas/Vesta cycle.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-19 19:54:53 +00:00
Daira Hopwood 491beffc2c injectivitylemma.py: output information that I used in a slide in my ZK Study Club presentation.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-19 19:52:22 +00:00
Daira Hopwood a7071be29a Delete injectivitylemma6.py (using both nontrivial roots of unity cannot work because roots of unity sum to 0).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-19 19:50:02 +00:00
Daira Hopwood 9e56d94ddd amicable.py: fix low Hamming weight strategy.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-09-27 21:18:47 +01:00
Daira Hopwood 4609be5090 verify.sage: make executable.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-09-26 21:43:46 +01:00
Daira Hopwood 87335537b3 amicable.sage: various updates
* support --isogenies and --ignoretwist options
* more comprehensive usage string
* if at least 6 threads are available, don't use 2 of them
* test multiple gcd primes.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-09-26 21:43:31 +01:00
Daira Hopwood 6c0f7ab40a amicable.sage: make executable.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-09-26 21:37:50 +01:00
Daira Hopwood 3dd5b562e1 amicable.sage: the 2-adicity of p could be less than specified when using stretch
(doesn't affect Tweedle curves).

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-09-26 21:32:27 +01:00
Daira Hopwood c6a6a04280 checksumsets.py: the fields of State can be just int, not Optional[int].
(The Optional was left over from a previous iteration of the code.)

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-24 12:56:05 +01:00
Daira Hopwood f761cc0833 Add animations.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-06-23 16:28:05 +01:00