Beginning of curve arithmetic implementation.

2018-09-02 08:33:52 -06:00 · 2018-09-02 08:33:52 -06:00 · f6aea143ed
parent eb4dc1592f
commit f6aea143ed
3 changed files with 69 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -20,7 +20,7 @@ This is a pure Rust implementation of the Jubjub elliptic curve group and its as

 ## Curve Description

-Jubjub is the [twisted Edwards curve](https://en.wikipedia.org/wiki/Twisted_Edwards_curve) `-x^2 + y^2 = 1 + d.x^2.y^2` of rational points over `GF(q)` with a subgroup of prime order `r` and cofactor `8`.
+Jubjub is the [twisted Edwards curve](https://en.wikipedia.org/wiki/Twisted_Edwards_curve) `-u^2 + v^2 = 1 + d.u^2.v^2` of rational points over `GF(q)` with a subgroup of prime order `r` and cofactor `8`.

 ```
 q = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
--- a/src/fq.rs
+++ b/src/fq.rs
@ -78,7 +78,7 @@ fn mac_with_carry(a: u64, b: u64, c: u64, carry: &mut u128) -> u64 {
    *carry as u64
 }

-impl Neg for Fq {
+impl<'a> Neg for &'a Fq {
    type Output = Fq;

    fn neg(self) -> Fq {
@ -325,6 +325,12 @@ impl Fq {
    }
 }

+impl<'a> From<&'a Fq> for [u8; 32] {
+    fn from(value: &'a Fq) -> [u8; 32] {
+        value.into_bytes()
+    }
+}
+
 #[test]
 fn test_inv() {
    // Compute -(q^{-1} mod 2^64) mod 2^64 by exponentiating
@ -375,12 +381,12 @@ fn test_into_bytes() {
    );

    assert_eq!(
-        (-Fq::one()).into_bytes(),
+        (-&Fq::one()).into_bytes(),
        [0, 0, 0, 0, 255, 255, 255, 255, 254, 91, 254, 255, 2, 164, 189, 83, 5, 216, 161, 9, 8, 216, 57, 51, 72, 125, 157, 41, 83, 167, 237, 115]
    );

    assert_eq!(
-        (-Fq::one()).into_bytes(),
+        (-&Fq::one()).into_bytes(),
        [0, 0, 0, 0, 255, 255, 255, 255, 254, 91, 254, 255, 2, 164, 189, 83, 5, 216, 161, 9, 8, 216, 57, 51, 72, 125, 157, 41, 83, 167, 237, 115]
    );
 }
@ -451,7 +457,7 @@ fn test_addition() {

 #[test]
 fn test_negation() {
-    let tmp = -LARGEST;
+    let tmp = -&LARGEST;

    assert_eq!(
        tmp,
@ -460,9 +466,9 @@ fn test_negation() {
        ])
    );

-    let tmp = -Fq::zero();
+    let tmp = -&Fq::zero();
    assert_eq!(tmp, Fq::zero());
-    let tmp = -Fq([1, 0, 0, 0]);
+    let tmp = -&Fq([1, 0, 0, 0]);
    assert_eq!(tmp, LARGEST);
 }

@ -536,7 +542,7 @@ fn test_squaring() {
 #[test]
 fn test_inversion() {
    assert_eq!(Fq::one().pow_q_minus_2(), Fq::one());
-    assert_eq!((-Fq::one()).pow_q_minus_2(), -Fq::one());
+    assert_eq!((-&Fq::one()).pow_q_minus_2(), -&Fq::one());

    let mut tmp = R2;

--- a/src/lib.rs
+++ b/src/lib.rs
@ -7,5 +7,60 @@ extern crate std;
 extern crate byteorder;
 extern crate subtle;

+use core::ops::{Neg};
+
 mod fq;
 pub use fq::*;
+
+/// This represents a point on the Jubjub curve.
+/// `-u^2 + v^2 = 1 + d.u^2.v^2` over `Fq` with
+/// `d = -(10240/10241)`.
+
+// We're going to use the "extended twisted Edwards
+// coordinates" from "Twisted Edwards Curves
+// Revisited" by Hisil, Wong, Carter and Dawson.
+//
+// See https://iacr.org/archive/asiacrypt2008/53500329/53500329.pdf
+//
+// We're going to use `u` and `v` to refer to what
+// the paper calls `x` and `y`.
+//
+// In these coordinates, the affine point `(u, v)` is
+// represented by `(U, V, T, Z)` where `U = u/Z`,
+// `V = v/Z`, `T = uv/Z` for any nonzero `Z`.
+#[derive(Clone, Copy)]
+struct Point {
+    // U = u/Z
+    u: Fq,
+    // V = v/Z
+    v: Fq,
+    // T = uv/Z
+    t: Fq,
+    z: Fq,
+}
+
+impl Point {
+    pub fn zero() -> Point {
+        // (0, 1) is the neutral element of the group.
+
+        Point {
+            u: Fq::zero(),
+            v: Fq::one(),
+            t: Fq::zero(),
+            z: Fq::one()
+        }
+    }
+}
+
+impl<'a> Neg for &'a Point {
+    type Output = Point;
+
+    fn neg(self) -> Point {
+        Point {
+            u: -&self.u,
+            v: self.v,
+            t: -&self.t,
+            z: self.z
+        }
+    }
+}