shallue_van_de_woestijne rewrite #286
Conversation
|
I didn't actually count the operations. I just eyeballed that this was better. AFAICT, |
|
A quick count shows you are deleting 7 muls+sqrs and adding 6. The number of |
|
That seems off to me. I just counted deleting 11 muls+sqrs and adding 5 (I assert that 'mul_int' doesn't count as a mul). |
|
Oh, you're right, I remembered not to count A more careful count:
Which matches your numbers. |
|
Just a note for reviewers that this "speed improvement" is simply incidental. Given the enormous number of square root operations the function has, it is not expected to make a serious impact on execution time. |
There was a problem hiding this comment.
Concept ACK
I wrote a commit that adds a test for t = 0 (which confirms the off-curve point on master) and documentation improvements: https://github.com/jonasnick/secp256k1-zkp/commits/2024-01-swu-rewrite-jn/
Feel free to cherry-pick.
I also checked algebra & magnitudes.
| @@ -48,7 +48,9 @@ static void test_generator_api(void) { | |||
|
|
|||
| static void test_shallue_van_de_woestijne(void) { | |||
| /* Matches with the output of the shallue_van_de_woestijne.sage SAGE program */ | |||
There was a problem hiding this comment.
Do you want to change the loop there to cover the new points? The script could also print out -c and d.
"No" is fine as an answer. :)
There was a problem hiding this comment.
I did look into this, but I couldn't figure out an elegant way to change the sage code myself, being neither a sage nor a python expert. I'd welcome such a patch though.
There was a problem hiding this comment.
The previous implementation returns an off-curve point for the input t=0. This rewrite addresses that issue by implicity returning the on-curve point (d, sqrt(1 + b)), which is the point that the paper Indifferentiable Hashing to Barreto–Naehrig Curves suggests returning in this case. Note: At the moment it is cryptographically impossible for the input t to be 0.
roconnor-blockstream
force-pushed
the
2024-01-swu-rewrite
branch
from
26ab228
to
6b9d335
Compare
The previous implementation returns an off-curve point for the input t=0.
This rewrite addresses that issue by implicity returning the on-curve point (d, sqrt(8)), which is the point that the paper Indifferentiable Hashing to Barreto–Naehrig Curves suggests returning in this case.
Note: At the moment it is cryptographically impossible for the input t to be 0.