cleanups [skip ci]

constantine/elliptic/ec_endomorphism_accel.nim

@@ -168,18 +168,10 @@ func buildLookupTable[M: static int, F](
   #   - 2 represented as 0b0010 already required P0 + P2
   #   To find the already computed table entry, we can index
   #   the table with the current `u` with the MSB unset
-  #   and add to it the endormorphism at the index matching the MSB position
+  #   and add to it the endomorphism at the index matching the MSB position
   #
   #   This scheme ensures 1 addition per table entry instead of a number
   #   of addition dependent on `u` Hamming Weight
-  #
-  # TODO:
-  # 1. Window method for M == 2
-  # 2. Have P in affine coordinate and build the table with mixed addition
-  #    assuming endomorphism φi(P) do not affect the Z coordinates
-  #    (if table is big enough/inversion cost is amortized)
-  # 3. Use Montgomery simultaneous inversion to have the table in
-  #    affine coordinate so that we can use mixed addition in teh main loop
   lut[0] = P
   for u in 1'u32 ..< 1 shl (M-1):
     # The recoding allows usage of 2^(n-1) table instead of the usual 2^n with NAF
@@ -266,7 +258,7 @@ func scalarMulGLV*[scalBits](
     Q += tmp
 
   # Now we need to correct if the sign miniscalar was not odd
-  P.diff(Q, lut[0]) # Contains Q - P0
+  P.diff(Q, P)
   P.ccopy(Q, k0isOdd)
 
 # Windowed GLV

sage/lattice_decomposition_bls12_381_g1.sage

@@ -184,7 +184,7 @@ def scalarMulGLV(scalar, P0):
 
     print('final Q: ' + pointToString(Q))
     print('expected: ' + pointToString(expected))
-    assert Q == expected # TODO debug
+    assert Q == expected
 
 # Test generator
 set_random_seed(1337)

sage/lattice_decomposition_bn254_snarks_g1.sage

@@ -105,16 +105,16 @@ def getGLV2_decomp(scalar):
 
 def recodeScalars(k):
     m = 2
-    l = ((int(r).bit_length() + m-1) // m) + 1 # l = ⌈log2 r/m⌉ + 1
+    L = ((int(r).bit_length() + m-1) // m) + 1 # l = ⌈log2 r/m⌉ + 1
 
-    b = [[0] * l, [0] * l]
-    b[0][l-1] = 1
-    for i in range(0, l-1): # l-2 inclusive
-        b[0][i] = 2 * ((k[0] >> (i+1)) & 1) - 1
+    b = [[0] * L, [0] * L]
+    b[0][L-1] = 0
+    for i in range(0, L-1): # l-2 inclusive
+        b[0][i] = 1 - ((k[0] >> (i+1)) & 1)
     for j in range(1, m):
-        for i in range(0, l):
-            b[j][i] = b[0][i] * (k[j] & 1)
-            k[j] = (k[j]//2) - (b[j][i] // 2)
+        for i in range(0, L):
+            b[j][i] = k[j] & 1
+            k[j] = k[j]//2 + (b[j][i] & b[0][i])
 
     return b
 
@@ -151,9 +151,9 @@ def scalarMulGLV(scalar, P0):
     assert expected == decomp
 
     print('------ recode scalar -----------')
-    even = k0 & 1 == 1
+    even = k0 & 1 == 0
     if even:
-        k0 -= 1
+        k0 += 1
 
     b = recodeScalars([k0, k1])
     print('b0: ' + str(list(reversed(b[0]))))
@@ -164,18 +164,18 @@ def scalarMulGLV(scalar, P0):
     lut = buildLut(P0, P1)
 
     print('------------ mul ---------------')
-    print('b0 L-1: ' + str(b[0][L-1]))
-    Q = b[0][L-1] * lut[b[1][L-1] & 1]
+    # b[0][L-1] is always 0
+    Q = lut[b[1][L-1]]
     for i in range(L-2, -1, -1):
         Q *= 2
-        Q += b[0][i] * lut[b[1][i] & 1]
+        Q += (1 - 2 * b[0][i]) * lut[b[1][i]]
 
     if even:
-        Q += P0
+        Q -= P0
 
     print('final Q: ' + pointToString(Q))
     print('expected: ' + pointToString(expected))
-    assert Q == expected # TODO debug
+    assert Q == expected
 
 # Test generator
 set_random_seed(1337)