diff --git a/constantine/elliptic/ec_endomorphism_accel.nim b/constantine/elliptic/ec_endomorphism_accel.nim
index bd27459..ed3b78a 100644
--- a/constantine/elliptic/ec_endomorphism_accel.nim
+++ b/constantine/elliptic/ec_endomorphism_accel.nim
@@ -168,18 +168,10 @@ func buildLookupTable[M: static int, F](
 # - 2 represented as 0b0010 already required P0 + P2
 # To find the already computed table entry, we can index
 # the table with the current `u` with the MSB unset
- # and add to it the endormorphism at the index matching the MSB position
+ # and add to it the endomorphism at the index matching the MSB position
 #
 # This scheme ensures 1 addition per table entry instead of a number
 # of addition dependent on `u` Hamming Weight
- #
- # TODO:
- # 1. Window method for M == 2
- # 2. Have P in affine coordinate and build the table with mixed addition
- # assuming endomorphism φi(P) do not affect the Z coordinates
- # (if table is big enough/inversion cost is amortized)
- # 3. Use Montgomery simultaneous inversion to have the table in
- # affine coordinate so that we can use mixed addition in teh main loop
 lut[0] = P
 for u in 1'u32 ..< 1 shl (M-1):
 # The recoding allows usage of 2^(n-1) table instead of the usual 2^n with NAF
@@ -266,7 +258,7 @@ func scalarMulGLV*[scalBits](
 Q += tmp
 # Now we need to correct if the sign miniscalar was not odd
- P.diff(Q, lut[0]) # Contains Q - P0
+ P.diff(Q, P)
 P.ccopy(Q, k0isOdd)
 # Windowed GLV
diff --git a/sage/lattice_decomposition_bls12_381_g1.sage b/sage/lattice_decomposition_bls12_381_g1.sage
index ef9ec82..0a328b1 100644
--- a/sage/lattice_decomposition_bls12_381_g1.sage
+++ b/sage/lattice_decomposition_bls12_381_g1.sage
@@ -184,7 +184,7 @@ def scalarMulGLV(scalar, P0):
 print('final Q: ' + pointToString(Q))
 print('expected: ' + pointToString(expected))
- assert Q == expected # TODO debug
+ assert Q == expected
 # Test generator
 set_random_seed(1337)
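Review bot: `P.diff(Q, P)` makes P both the destination and the subtrahend, so the correction `P <- Q - P` is only right if `diff` accepts an output aliased with its second operand and if P still holds the original input point at this line; neither is visible in the hunk, and scalarMulGLV starts and ends outside it. The removed form read `lut[0]`, which the first hunk shows is initialised to P, so this looks like an intentional decoupling from the table rather than a fix, and a comment should say so: `P.diff(Q, P) # P <- Q - P0; dst aliases the second operand, diff() must tolerate that`. The comment above, `sign miniscalar`, presumably means the mini-scalar k0 (k0isOdd is the flag used) and is worth rewording at the same time.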
diff --git a/sage/lattice_decomposition_bn254_snarks_g1.sage b/sage/lattice_decomposition_bn254_snarks_g1.sage
index ab2fb49..5d2f999 100644
--- a/sage/lattice_decomposition_bn254_snarks_g1.sage
+++ b/sage/lattice_decomposition_bn254_snarks_g1.sage
@@ -105,16 +105,16 @@ def getGLV2_decomp(scalar):
 def recodeScalars(k):
 m = 2
- l = ((int(r).bit_length() + m-1) // m) + 1 # l = ⌈log2 r/m⌉ + 1
+ L = ((int(r).bit_length() + m-1) // m) + 1 # l = ⌈log2 r/m⌉ + 1
- b = [[0] * l, [0] * l]
- b[0][l-1] = 1
- for i in range(0, l-1): # l-2 inclusive
- b[0][i] = 2 * ((k[0] >> (i+1)) & 1) - 1
+ b = [[0] * L, [0] * L]
+ b[0][L-1] = 0
+ for i in range(0, L-1): # l-2 inclusive
+ b[0][i] = 1 - ((k[0] >> (i+1)) & 1)
 for j in range(1, m):
- for i in range(0, l):
- b[j][i] = b[0][i] * (k[j] & 1)
- k[j] = (k[j]//2) - (b[j][i] // 2)
+ for i in range(0, L):
+ b[j][i] = k[j] & 1
+ k[j] = k[j]//2 + (b[j][i] & b[0][i])
 return b
@@ -151,9 +151,9 @@ def scalarMulGLV(scalar, P0):
 assert expected == decomp
 print('------ recode scalar -----------')
- even = k0 & 1 == 1
+ even = k0 & 1 == 0
 if even:
- k0 -= 1
+ k0 += 1
 b = recodeScalars([k0, k1])
 print('b0: ' + str(list(reversed(b[0]))))
@@ -164,18 +164,18 @@ def scalarMulGLV(scalar, P0):
 lut = buildLut(P0, P1)
 print('------------ mul ---------------')
- print('b0 L-1: ' + str(b[0][L-1]))
- Q = b[0][L-1] * lut[b[1][L-1] & 1]
+ # b[0][L-1] is always 0
+ Q = lut[b[1][L-1]]
 for i in range(L-2, -1, -1):
 Q *= 2
- Q += b[0][i] * lut[b[1][i] & 1]
+ Q += (1 - 2 * b[0][i]) * lut[b[1][i]]
 if even:
- Q += P0
+ Q -= P0
 print('final Q: ' + pointToString(Q))
 print('expected: ' + pointToString(expected))
- assert Q == expected # TODO debug
+ assert Q == expected
 # Test generator
 set_random_seed(1337)
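Review bot: The new sign recoding derives b[0][i] from bits 1..L-1 of k[0] and fixes b[0][L-1] = 0, which, as in the standard GLV-SAC construction, presumes bit 0 of k[0] is 1; recodeScalars neither checks nor documents that, and only the caller's `if even: k0 += 1` in scalarMulGLV enforces it. Adding `assert k[0] & 1 == 1, "GLV-SAC recoding requires an odd k[0]"` next to `m = 2` makes the precondition explicit at the function that depends on it. After renaming `l` to `L`, the comments `# l = ⌈log2 r/m⌉ + 1` and `# l-2 inclusive` still say `l`; they should read `# L = ⌈log2 r/m⌉ + 1` and `# L-2 inclusive`. `r` is read from module scope, which the hunk does not show.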
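Review bot: `even = k0 & 1 == 0` parses as `(k0 & 1) == 0` in Python because `&` binds tighter than `==` (the opposite of C), and the reason for the following `k0 += 1` — the recoding needs an odd k0, so the loop computes (k0+1)·P0 + k1·P1 and the third hunk's `Q -= P0` removes the extra P0 — is stated nowhere. Parenthesising and commenting keeps both readable: `even = (k0 & 1) == 0` and `k0 += 1  # recoding needs odd k0; the extra P0 is subtracted after the mul loop`. The body of scalarMulGLV continues outside the hunk.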
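Review bot: The mul loop now decodes the sign with `(1 - 2 * b[0][i])` and indexes `lut` directly with `b[1][i]`, but the digit convention (b[0][i] = 0 means add, 1 means subtract; b[1][i] is a 0/1 table index from `k[j] & 1`) is only visible inside recodeScalars, and the `L` used in `lut[b[1][L-1]]` and `range(L-2, -1, -1)` is not the local `L` of recodeScalars — the removed line already used it, so it is defined outside the hunk. A comment above the loop, `# b[0][i]: 0 -> add lut[b[1][i]], 1 -> subtract it (see recodeScalars)`, ties the two together, and the new `# b[0][L-1] is always 0` comment could add that this is what lets the top digit skip the sign multiply. scalarMulGLV starts outside the hunk.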