Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Breaking additions to the Field trait #93

Merged
merged 3 commits into from
Nov 2, 2022
Merged

Breaking additions to the Field trait #93

merged 3 commits into from
Nov 2, 2022

Conversation

str4d
Copy link
Member

@str4d str4d commented Oct 28, 2022
edited
Loading

These new trait methods are moved from the FieldExt trait in pasta_curves, where we had placed them while figuring out their APIs.

Closes #33.

@str4d str4d requested a review from ebfull October 28, 2022 11:29
@str4d str4d mentioned this pull request Oct 28, 2022
Open
Base automatically changed from release-0.12.1 to main October 28, 2022 20:46
@str4d str4d mentioned this pull request Oct 31, 2022
Open
@daira daira mentioned this pull request Oct 31, 2022
Closed
daira
daira reviewed Oct 31, 2022
View reviewed changes
src/helpers.rs Outdated Show resolved Hide resolved
daira
daira reviewed Oct 31, 2022
View reviewed changes
src/helpers.rs Outdated
for j in 2..max_v {
let tmp_is_one = tmp.ct_eq(&F::one());
let squared = F::conditional_select(&tmp, &z, tmp_is_one).square();
tmp = F::conditional_select(&squared, &tmp, tmp_is_one);
Copy link
Contributor

@daira daira Oct 31, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure this is right? If tmp == 1 then we set squared = tmp (= 1) and then tmp = squared (i.e. no effect on tmp).
Otherwise we set squared = z2 and tmp = tmp (i.e. no effect on tmp).
In either case, this line is redundant, if it is correct.

Suggested change
tmp = F::conditional_select(&squared, &tmp, tmp_is_one);

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're reading the conditional select method backwards. Per the API docs, it is conditional_select(false_case, true_case, condition). Therefore, what this does is:

  • If tmp != 1, squared <-- tmp^2 and then tmp <-- squared. Thus squared = tmp = tmp^2.
  • If tmp == 1, squared <-- z^2 and then tmp <-- tmp. Thus squared = z^2 and tmp = 1.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh! Google found docs for a really old version of subtle in which true_case came before false_case. Ok I'll need to re-review with that in mind.

daira
daira reviewed Oct 31, 2022
View reviewed changes
src/helpers.rs
let mut z = F::root_of_unity();

for max_v in (1..=F::S).rev() {
let mut k = 1;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't follow algorithm 5 in the paper, because step 8 can result in k = 0 and this cannot.

Copy link
Member Author

@str4d str4d Oct 31, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a typo in Algorithm 5. $k = 0$ can never occur, because by definition we set $k$ to the least integer such that $b^{2^k} = 1$, and if we could produce $k = 0$ then that means $b^1 = 1$ and thus $b = 1$, which is filtered out by the loop condition on step 7.

daira
daira reviewed Oct 31, 2022
View reviewed changes
src/helpers.rs
Comment on lines +46 to +55
let result = x * z;
x = F::conditional_select(&result, &x, b.ct_eq(&F::one()));
z = z.square();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I cannot follow how this corresponds to the paper.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This corresponds to step 9. This specific line corresponds to $z \leftarrow \omega^2$. We elide $\omega$ in this implementation because we never compute it directly; we instead compute its effective value incrementally in constant time via the z update on line 43.

daira
daira reviewed Oct 31, 2022
View reviewed changes
src/helpers.rs Show resolved Hide resolved
daira
daira suggested changes Oct 31, 2022
View reviewed changes
Copy link
Contributor

@daira daira left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[I think I clicked the wrong review outcome here; should have been Request changes]

daira
daira suggested changes Oct 31, 2022
View reviewed changes
Copy link
Contributor

@daira daira left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Responses needed. In particular I think sqrt_ratio_generic may be incorrect, and I wasn't able to verify sqrt_tonelli_shanks against the implementation in the paper.

str4d
str4d commented Oct 31, 2022
View reviewed changes
src/helpers.rs Show resolved Hide resolved
str4d
str4d commented Oct 31, 2022
View reviewed changes
src/helpers.rs Outdated Show resolved Hide resolved
daira
daira reviewed Oct 31, 2022
View reviewed changes
src/helpers.rs Outdated Show resolved Hide resolved
daira
daira reviewed Oct 31, 2022
View reviewed changes
src/helpers.rs Show resolved Hide resolved
daira
daira reviewed Oct 31, 2022
View reviewed changes
src/helpers.rs Outdated Show resolved Hide resolved
daira
daira approved these changes Oct 31, 2022
View reviewed changes
Copy link
Contributor

@daira daira left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK modulo comments and variable renaming.

ebfull
ebfull requested changes Nov 2, 2022
View reviewed changes
Copy link
Collaborator

@ebfull ebfull left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

possible improvement to wording of changelog

CHANGELOG.md Outdated Show resolved Hide resolved
@str4d
Add ff::Field::{sqrt_ratio, sqrt_alt}
58741b7 
We also provide helper methods for implementing the square root trait
methods.

Ported from zcash/pasta_curves@db83057.
@str4d
Copy link
Member Author

str4d commented Nov 2, 2022

Force-pushed to address review comments from @ebfull and @daira.

@str4d
Document that Field::{sqrt, sqrt_alt} provided impls use sqrt_ratio
cc08c5e 
This makes the potential for a cycle clear (if the `Field` implementor
uses `sqrt` to implement `sqrt_ratio`).
ebfull
ebfull approved these changes Nov 2, 2022
View reviewed changes
Copy link
Collaborator

@ebfull ebfull left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK -- didn't look at the Tonelli-Shanks algorithm in detail; I'm just assuming it's been lifted from pasta_curves.

@ebfull ebfull merged commit 9a844a7 into main Nov 2, 2022
@str4d str4d deleted the field-trait-changes branch November 2, 2022 18:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@daira daira daira approved these changes

@ebfull ebfull ebfull approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Other possible sqrt-related operations
3 participants
@str4d @daira @ebfull