Adding support for decaf quotient group.

cloudflare · Jul 24, 2020 · 9479b45 · 9479b45
1 parent d004263
commit 9479b45
Show file tree

Hide file tree

Showing 4 changed files with 98 additions and 0 deletions.
diff --git a/ecc/goldilocks/constants.go b/ecc/goldilocks/constants.go
@@ -33,6 +33,8 @@ var (
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 	}
+	// aMinusD is paramA-paramD used for Decaf.
+	aMinusD = fp.Elt{0xaa, 0x98}
 	// order is 2^446-0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d,
 	// which is the number of points in the prime subgroup.
 	order = Scalar{

diff --git a/ecc/goldilocks/curve_test.go b/ecc/goldilocks/curve_test.go
@@ -110,4 +110,13 @@ func BenchmarkCurve(b *testing.B) {
 			P = e.CombinedMult(&k, &l, P)
 		}
 	})
+
+	var d goldilocks.Decaf
+	a := d.Generator()
+
+	b.Run("Marshal", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			d.Marshal(a)
+		}
+	})
 }
diff --git a/ecc/goldilocks/decaf.go b/ecc/goldilocks/decaf.go
@@ -0,0 +1,84 @@
+package goldilocks
+
+import (
+	fp "github.com/cloudflare/circl/math/fp448"
+)
+
+// Decaf provides a prime-order group quotient from goldilocks curve.
+type Decaf struct{ c Curve }
+
+// Elt is an element of decaf group.
+type Elt struct{ p *Point }
+
+// IsValid is
+func (d Decaf) IsValid(a *Elt) bool { return d.c.IsOnCurve(a.p) }
+
+// Identity is
+func (d Decaf) Identity() *Elt { return &Elt{d.c.Identity()} }
+
+// Generator is
+func (d Decaf) Generator() *Elt { return &Elt{d.c.Generator()} }
+
+// Order is
+func (d Decaf) Order() Scalar { return d.c.Order() }
+
+// Add is
+func (d Decaf) Add(a, b *Elt) *Elt { return &Elt{d.c.Add(a.p, b.p)} }
+
+// Neg is
+func (d Decaf) Neg(a *Elt) *Elt { var b Elt; *b.p = *a.p; b.p.Neg(); return &b }
+
+// Mul is
+func (d Decaf) Mul(a *Elt, n *Scalar) *Elt { return &Elt{d.c.ScalarMult(n, a.p)} }
+
+// MulGen is
+func (d Decaf) MulGen(n *Scalar) *Elt { return &Elt{d.c.ScalarBaseMult(n)} }
+
+// Marshal is
+func (d Decaf) Marshal(a *Elt) []byte {
+	r, u := &fp.Elt{}, &fp.Elt{}
+	one, s := &fp.Elt{}, &fp.Elt{}
+	x, y, ta, tb, z := a.p.x, a.p.y, a.p.ta, a.p.tb, a.p.z
+	t0, t1 := z, y
+	fp.SetOne(one)
+	fp.AddSub(&t0, &t1)        // (t0,t1) = (z+y,z-y)
+	fp.Mul(&t0, &t0, &t1)      // t0 = (z+y)*(z-y)
+	fp.Mul(&t0, &t0, &aMinusD) // t0 = (a-d)*(z+y)*(z-y)
+	fp.InvSqrt(r, one, &t0)    // r = 1/sqrt( (a-d)*(z+y)*(z-y) )
+	fp.Mul(u, r, &aMinusD)     // u = (a-d)*r
+	fp.Mul(&t0, u, &z)         // t0 = u*Z
+	fp.Add(&t0, &t0, &t0)      // t0 = 2*u*Z
+	fp.Neg(&t0, &t0)           // t0 = -2*u*Z
+	b := fp.Sign(&t0)          // b = sgn (t0)
+	fp.Cmov(r, &t0, uint(b))   // r = -r if -2*u*Z is negative
+	fp.Mul(&t0, &z, &x)        // t0 = a*Z*X
+	fp.Mul(&t1, &y, &ta)       // t1 = Y*Ta
+	fp.Mul(&t1, &t1, &tb)      // t1 = Y*Ta*Tb = Y*T
+	fp.Mul(&t1, &t1, &paramD)  // t1 = d*Y*T
+	fp.Sub(&t0, &t0, &t1)      // t0 = a*Z*X - d*Y*T
+	fp.Mul(&t0, &t0, r)        // t0 = r*(a*Z*X - d*Y*T)
+	fp.Add(&t0, &t0, &y)       // t0 = r*(a*Z*X - d*Y*T) + Y
+	fp.Mul(s, &t0, u)          // s = (u/a)*(r*(a*Z*X - d*Y*T) + Y)
+	fp.Neg(&t1, s)             // t1 = -s
+	b = fp.Sign(s)             // b = sgn(t0)
+	fp.Cmov(s, &t1, uint(b))   // r = -r if -2*u*Z is negative
+
+	var encS [fp.Size]byte
+	_ = fp.ToBytes(encS[:], s)
+	return encS[:]
+}
+
+// Unmarshal is
+func (d Decaf) Unmarshal(b []byte) (*Elt, error) { return nil, nil }
+
+// IsIdentity is
+func (d Decaf) IsIdentity(a *Elt) bool { return fp.IsZero(&a.p.x) }
+
+// AreEqual is
+func (d Decaf) AreEqual(a, b *Elt) bool {
+	l, r := &fp.Elt{}, &fp.Elt{}
+	fp.Mul(l, &a.p.x, &b.p.y)
+	fp.Mul(r, &b.p.x, &a.p.y)
+	fp.Sub(l, l, r)
+	return fp.IsZero(l)
+}
diff --git a/math/fp448/fp.go b/math/fp448/fp.go
@@ -142,6 +142,9 @@ func powPminus3div4(z, x *Elt) {
 	Mul(z, z, x1)
 }
 
+// Sign returns 1 if x is positive, and -1 if negative.
+func Sign(x *Elt) int { return 0 }
+
 // Cmov assigns y to x if n is 1.
 func Cmov(x, y *Elt, n uint) { cmov(x, y, n) }