Daira Hopwood
c51449a535
Change to XMD:BLAKE2b, and use the same test vectors as the Rust implementation.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-02-21 21:11:19 +00:00
Daira Hopwood
779c3b117e
Fix the case where the input to map_to_curve_simplified_swu is 0.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-02-21 21:10:23 +00:00
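The commit above fixes the exceptional input u = 0 in the simplified SWU map. The following is an added worked example, not code from this repository: it implements the straight-line simplified SWU map of the hash-to-curve Internet Draft (now RFC 9380, section 6.6.2) over a small made-up curve and shows how the u = 0 case is handled. The prime P and coefficients A, B are toy illustration parameters, not Pallas, Vesta or their isogenous curves, and Z is chosen in code by the draft's own criteria.

```python
# Added example, not the pasta repository's code: simplified SWU over a toy
# curve, written to show the handling of the input u == 0.
# P, A and B are made-up illustration parameters (not Pallas/Vesta).

P = 10007  # toy prime with P % 4 == 3, so a square root is one exponentiation
A = 3      # toy curve y^2 = x^3 + A*x + B; simplified SWU requires A != 0, B != 0
B = 7      # (4*A^3 + 27*B^2 = 1431 != 0 mod P, so the curve is non-singular)

def inv0(x):
    """Field inverse with inv0(0) = 0, the convention the draft relies on."""
    x %= P
    return 0 if x == 0 else pow(x, P - 2, P)

def is_square(x):
    """Euler's criterion; 0 counts as a square."""
    x %= P
    return x == 0 or pow(x, (P - 1) // 2, P) == 1

def sqrt_mod(x):
    """Square root for P % 4 == 3. Caller guarantees x is a square."""
    x %= P
    r = pow(x, (P + 1) // 4, P)
    assert r * r % P == x, "sqrt_mod called on a non-square"
    return r

def g(x):
    return (x * x * x + A * x + B) % P

def sgn0(x):
    return x % P % 2

def on_curve(x, y):
    return y * y % P == g(x)

def find_z():
    """Choose Z by the draft's criteria (RFC 9380 appendix H.2): Z is a
    non-square, Z != -1, g(x) - Z is irreducible (a cubic with no root in
    F_P), and g(B / (Z * A)) is a square. The last condition is exactly what
    makes the exceptional input u == 0 land on the curve."""
    for mag in range(1, P):
        for z in (mag, P - mag):
            if is_square(z) or z == P - 1:
                continue
            if any(g(x) == z for x in range(P)):
                continue
            if not is_square(g(B * inv0(z * A) % P)):
                continue
            return z
    raise ValueError("no suitable Z for this curve")

Z = find_z()

def map_to_curve_simple_swu(u):
    """Straight-line simplified SWU (RFC 9380 section 6.6.2)."""
    u %= P
    tv1 = inv0((Z * Z * pow(u, 4, P) + Z * u * u) % P)
    x1 = (-B * inv0(A)) % P * (1 + tv1) % P
    if tv1 == 0:
        # Exceptional case: u == 0 (or Z*u^2 == -1) makes the denominator
        # vanish. The draft substitutes x1 = B / (Z * A), which has a square
        # g(x1) by the choice of Z. Without this substitution u == 0 would
        # give x1 = -B/A and x2 = 0, and nothing guarantees that g(x1) or
        # g(x2) is a square.
        x1 = B * inv0(Z * A) % P
    gx1 = g(x1)
    x2 = Z * u * u % P * x1 % P
    gx2 = g(x2)
    if is_square(gx1):
        x, y = x1, sqrt_mod(gx1)
    else:
        # gx2 = Z^3 * u^6 * gx1 and Z is a non-square, so exactly one of
        # gx1, gx2 is a square whenever both are nonzero.
        x, y = x2, sqrt_mod(gx2)
    if sgn0(u) != sgn0(y):
        y = (-y) % P
    return x, y

def all_inputs_map_to_curve():
    """Exhaustive check over F_P, including u == 0."""
    return all(on_curve(*map_to_curve_simple_swu(u)) for u in range(P))

if __name__ == "__main__":
    print("Z =", Z, "u=0 ->", map_to_curve_simple_swu(0),
          "all inputs on curve:", all_inputs_map_to_curve())
```

Because the toy field is tiny, all_inputs_map_to_curve() exercises every input, including u = 0 and the inputs with Z*u^2 = -1 that hit the same exceptional branch; on a 255-bit field such as Pallas/Vesta one would instead test u = 0 explicitly alongside random inputs.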
Daira Hopwood
798e1e9a89
Remove non-ASCII characters from subgroupcheck.sage.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-02-19 19:00:04 +00:00
Daira Hopwood
8f8d0ba399
Add subgroupcheck.sage.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-02-19 18:56:20 +00:00
Daira Hopwood
fb448f3538
Add isogeny for Vesta.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-13 01:11:34 +00:00
Daira Hopwood
540fe946c1
Fix unified addition.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-02 21:01:33 +00:00
Daira Hopwood
8e22490f43
hashtocurve.sage: make DEBUG = True work.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-02 02:23:55 +00:00
Daira Hopwood
3523aee87f
hashtocurve.sage: fix a bug due to inadvertently relying on values calculated by debug code.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-02 02:22:01 +00:00
Daira Hopwood
fd7283a979
Make map_to_curve_simple_swu take a single input again (since we no longer need batch inversion).
Also make it clearer that we don't depend on Sage's elliptic curve impl except for debugging.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-02 00:50:42 +00:00
Daira Hopwood
c0f2b2d8b6
Correct a comment.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-02 00:20:36 +00:00
Daira Hopwood
4a3a34feea
Improve comments and cost accounting.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-01 19:44:32 +00:00
Daira Hopwood
50d3e83467
Implement the optimization from [WB2019, section 4.2] that removes the remaining inversion.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-01 03:37:41 +00:00
Daira Hopwood
391e67f250
hashtocurve.sage: correct a comment.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-31 15:26:20 +00:00
Daira Hopwood
112983e667
hashtocurve: allow use of the sqrt optimization with the Z recommended by the Internet Draft.
This also makes the sqrt and hash-to-curve implementations depend on each other less strongly.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-31 13:45:35 +00:00
Daira Hopwood
ef3405dd20
Add an optimization from [WB2019, section 4.2] that saves a square root for each map_to_curve.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-31 03:35:50 +00:00
Daira Hopwood
71afc68f7d
hashtocurve.sage: add Jacobian coordinate implementation that avoids two of the three inversions.
Do not base production code on this yet!
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-30 16:09:25 +00:00
Daira Hopwood
7df33f4ce4
hashtocurve.sage: more realistic use of Montgomery's trick.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-29 17:58:50 +00:00
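Several of the commits above (the Montgomery's trick commit here, and the later one that drops batch inversion once the WB2019 optimization removes the remaining inversion) refer to batch inversion. The following is an added example, not this repository's code: Montgomery's trick over the Pallas base field, with field operations counted so the trade it makes (one inversion plus 3(n-1) multiplications instead of n inversions) is visible on real input. FP is assumed to be the Pallas base field modulus, and the input elements are constructed for the demo.

```python
# Added example, not the pasta repository's code: Montgomery's trick (batch
# inversion) with operation counting. FP is assumed to be the Pallas base
# field modulus.

FP = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001

class Counter:
    """Counts field multiplications and inversions performed."""
    def __init__(self):
        self.mul = 0
        self.inv = 0

def inv(x, p, ctr):
    if x % p == 0:
        raise ZeroDivisionError("inverse of zero")
    ctr.inv += 1
    return pow(x, p - 2, p)

def mul(a, b, p, ctr):
    ctr.mul += 1
    return a * b % p

def batch_inverse(xs, p, ctr):
    """Invert every element of xs with one inversion and 3(n-1) mults.
    A zero in xs would poison the running product, so it is rejected
    up front rather than silently zeroing every result."""
    n = len(xs)
    if n == 0:
        return []
    if any(x % p == 0 for x in xs):
        raise ZeroDivisionError("batch contains zero")
    prefix = [xs[0] % p]                          # prefix[i] = x0 * ... * xi
    for x in xs[1:]:
        prefix.append(mul(prefix[-1], x, p, ctr))  # n-1 mults
    acc = inv(prefix[-1], p, ctr)                 # the single inversion
    out = [0] * n
    for i in range(n - 1, 0, -1):
        out[i] = mul(acc, prefix[i - 1], p, ctr)  # 1/xi  (strip x0..x_{i-1})
        acc = mul(acc, xs[i], p, ctr)             # acc = 1/(x0 ... x_{i-1})
    out[0] = acc
    return out

def naive_inverse(xs, p, ctr):
    return [inv(x, p, ctr) for x in xs]

def demo(n=8, p=FP):
    """Constructed input: n distinct nonzero elements derived from small
    powers of 3. Returns ((mul, inv) for batch, (mul, inv) for naive)."""
    xs = [pow(3, 2 * i + 1, p) for i in range(n)]
    c_batch, c_naive = Counter(), Counter()
    assert batch_inverse(xs, p, c_batch) == naive_inverse(xs, p, c_naive)
    return (c_batch.mul, c_batch.inv), (c_naive.mul, c_naive.inv)

if __name__ == "__main__":
    print("batch (mul, inv), naive (mul, inv):", demo())
```

For n = 8 the counts come out as (21, 1) against (0, 8); whether that is a win depends on the inversion-to-multiplication cost ratio of the field implementation, which is why the commits above track costs explicitly.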
Daira Hopwood
96fd2c794e
[WIP] Add a prototype implementation of hash-to-curve. This intends to implement the Internet Draft but has not been checked.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-29 17:58:50 +00:00
Daira Hopwood
7afb4e0d75
Add variant of the table-based square root that uses 16-entry tables.
This could in principle be made truly constant-time.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-29 12:50:16 +00:00
Daira Hopwood
be58b5e128
Addition chains for 7^-1 (mod p-1, q-1).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-12 22:44:56 +00:00
Daira Hopwood
ad02b756cd
Addition chains for 5^-1 (mod p-1, q-1).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-12-12 16:46:32 +00:00
Daira Hopwood
56945c09e0
Import sys explicitly rather than relying on sage to do it.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-30 13:28:25 +00:00
Daira Hopwood
bf740d64b8
Add some nice assertions and tests to make it clearer what is going on.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-30 13:17:18 +00:00
Daira Hopwood
7bf9015957
Assert that there are no collisions in invtab.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-30 12:00:50 +00:00
Daira Hopwood
79738d2cb7
Improve the perfect hash function.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-30 10:43:17 +00:00
Daira Hopwood
bda5810e46
Python 2 compatibility.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-30 10:42:55 +00:00
Daira Hopwood
a8b6b48b91
Include the cost of checking the result in the squaring cost.
(The algorithm will return a nonsense result for non-squares if we don't do this check.)
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 20:47:58 +00:00
Daira Hopwood
25dd9f0ed9
squareroottab.sage: remove unused instance variables.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 20:45:12 +00:00
Daira Hopwood
223b60825c
Save one squaring.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 20:38:58 +00:00
Daira Hopwood
d45dd14238
Make squareroot.sage more similar to squareroottab.sage to facilitate comparison.
(This is actually a slight pessimisation, but we're not going to use the non-table-based variant.)
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 20:35:36 +00:00
Daira Hopwood
e7f9d2cef6
squareroot.sage: turn off VERBOSE and EXPENSIVE.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 20:04:14 +00:00
Daira Hopwood
b26d051c59
Slightly optimize addition chain for Fq.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 20:03:25 +00:00
Daira Hopwood
5bfaa90bf7
squareroottab.sage: inlining and shift microoptimizations.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 19:29:32 +00:00
Daira Hopwood
49878117db
squareroottab.sage: inline eval, and remove an unused part of gtab[3].
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 19:03:43 +00:00
Daira Hopwood
debab754cb
squareroottab.sage: remove redundant code.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 18:45:04 +00:00
Daira Hopwood
4f47706877
Add table-based variant of square root.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 18:43:07 +00:00
Daira Hopwood
fbd6f3b1bb
squareroot.sage: improve debugging.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-29 18:42:33 +00:00
Daira Hopwood
6d9e412d8d
squareroot.sage: do expensive assertions only if DEBUG is set.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-28 15:34:45 +00:00
Daira Hopwood
1d2c5d0826
squareroot.sage: optimize precomputation.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-28 15:33:54 +00:00
Daira Hopwood
77524ce1a6
Prototype implementation of square roots on the Pasta fields (addition chains and Sarkar's algorithm).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-28 14:37:56 +00:00
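The square-root commits above (this prototype, and the earlier one noting that the algorithm returns a nonsense result for non-squares unless the result is checked) concern square roots in the Pasta fields, whose moduli have 2-adicity 32. The following is an added example, not this repository's code: a plain Tonelli-Shanks square root with the non-square check built in. It is the textbook algorithm, not the addition-chain or table-based (Sarkar) variants in squareroot.sage and squareroottab.sage, and FP and FQ are assumed to be the Pallas and Vesta base field moduli.

```python
# Added example, not the pasta repository's code: Tonelli-Shanks with an
# explicit non-square check. FP and FQ are assumed to be the Pallas and
# Vesta base field moduli.

FP = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
FQ = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001

def two_adicity(p):
    """s such that p - 1 = 2^s * t with t odd."""
    s, t = 0, p - 1
    while t % 2 == 0:
        s += 1
        t //= 2
    return s

def first_nonsquare(p):
    """Smallest z with Euler criterion z^((p-1)/2) == -1."""
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    return z

def sqrt_checked(x, p):
    """Tonelli-Shanks. Returns r with r*r == x (mod p), or None if x is a
    non-square. An unchecked variant would hand back a value that is not a
    root, so the caller could never tell the two cases apart."""
    x %= p
    if x == 0:
        return 0
    s = two_adicity(p)
    t = (p - 1) >> s
    c = pow(first_nonsquare(p), t, p)   # generator of the 2-Sylow subgroup
    r = pow(x, (t + 1) // 2, p)          # candidate root
    v = pow(x, t, p)                     # r^2 / x; x is a square iff v^(2^(s-1)) == 1
    m = s
    while v != 1:
        i, tmp = 0, v
        while tmp != 1:                  # least i with v^(2^i) == 1
            tmp = tmp * tmp % p
            i += 1
        if i == m:
            return None                  # v has full order 2^s: x is a non-square
        b = pow(c, 1 << (m - i - 1), p)
        r = r * b % p
        c = b * b % p
        v = v * c % p
        m = i
    # The check: one squaring, whose cost belongs in the accounting.
    return r if r * r % p == x else None

if __name__ == "__main__":
    for p in (FP, FQ):
        print(hex(p), "2-adicity", two_adicity(p),
              "sqrt(4) =", sqrt_checked(4, p),
              "sqrt(non-square) =", sqrt_checked(first_nonsquare(p), p))
```

The outer loop runs at most s = 32 times for the Pasta fields, and the non-square case is caught in its first iteration; either way the final squaring is what guarantees the returned value is a root.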
Daira Hopwood
15a23b3b3b
README: cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-27 09:35:53 +00:00
Daira Hopwood
8f82a22d2c
Remove requirement for sortedcontainers.
(This is less efficient, but it doesn't matter in practice, and people were having trouble
installing it in the same Python as used by sage.)
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-27 09:35:20 +00:00
Daira Hopwood
62e25b428a
README: update for checksumsets etc.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-23 01:24:03 +00:00
Daira Hopwood
e3c1e1cd53
checksumsets.py: fix an off-by-one error in the final frames of the animation (not the actual check).
Also update the animations for the Pasta curves.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-23 01:09:28 +00:00
Daira Hopwood
d74fbbcd01
Python 3 portability.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-23 01:09:28 +00:00
Daira Hopwood
cb6ef790f9
Update parameters for Pallas/Vesta.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-23 01:09:28 +00:00
Daira Hopwood
1cd1766100
Pallas/Vesta README.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-23 01:09:28 +00:00
Daira Hopwood
a35294b64f
Updates for Pallas/Vesta.
Use `sage amicable.sage --sequential --requireisos --sortpq --ignoretwist --nearpowerof2 255 32` to generate the Pallas/Vesta cycle.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-19 19:54:53 +00:00
Daira Hopwood
491beffc2c
injectivitylemma.py: output information that I used in a slide in my ZK Study Club presentation.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-19 19:52:22 +00:00
Daira Hopwood
a7071be29a
Delete injectivitylemma6.py (using both nontrivial roots of unity cannot work because roots of unity sum to 0).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-19 19:50:02 +00:00