From ac37b55aa134f8adacc4df306dc905e11875af86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mamy=20Andr=C3=A9-Ratsimbazafy?=
Date: Sat, 26 Sep 2020 15:33:41 +0200
Subject: [PATCH] publish the lattice decomposition finder mentioned in https://github.com/scipr-lab/zexe/issues/267

---
 sage/lattice_decomposition_finder.sage | 38 ++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 sage/lattice_decomposition_finder.sage

diff --git a/sage/lattice_decomposition_finder.sage b/sage/lattice_decomposition_finder.sage
new file mode 100644
index 0000000..61abec4
--- /dev/null
+++ b/sage/lattice_decomposition_finder.sage
@@ -0,0 +1,38 @@
+# Constantine
+# Copyright (c) 2018-2019 Status Research & Development GmbH
+# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
+# Licensed and distributed under either of
+# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
+# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
+# at your option. This file may not be copied, modified, or distributed except according to those terms.
+
+# ############################################################
+#
+# Lattice decomposition finder
+#
+# ############################################################
+
+# Example of BLS12-381 with the ψ (Psi) - Untwist-Frobenius-Twist endomorphism
+x = -(2^63 + 2^62 + 2^60 + 2^57 + 2^48 + 2^16)
+p = (x - 1)^2 * (x^4 - x^2 + 1)//3 + x
+r = x^4 - x^2 + 1
+t = x + 1 # Trace of Frobenius
+
+lambda_psi = t - 1
+
+Lpsi = Matrix([
+ [ r, 0, 0, 0],
+ [-lambda_psi, 1, 0, 0],
+ [-lambda_psi^2, 0, 1, 0],
+ [-lambda_psi^3, 0, 0, 1],
+])
+
+Lpsi = Lpsi.LLL()
+print(Lpsi)
+
+ahat = vector([r, 0, 0, 0]) * Lpsi.inverse()
+print('ahat: ' + str(ahat))
+
+v = int(r).bit_length()
+v = int(((v + 64 - 1) // 64) * 64)
+print([(a << v) // r for a in ahat])
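Review bot: Nothing in the new script checks that `lambda_psi` is really the ψ eigenvalue modulo r before the lattice is built and LLL-reduced, so a typo in `x` or in the formula for `p` on the lines above `Lpsi = Matrix([` would still print plausible-looking constants, and the scalar-decomposition code that presumably consumes them would compute the wrong multiple of the point with no error raised. Before `Lpsi = Lpsi.LLL()` I would add `assert r.is_prime() and p.is_prime()` and `assert (lambda_psi^4 - lambda_psi^2 + 1) % r == 0` (λ = x must be a root of Φ12 mod r, which is also what makes p ≡ λ mod r hold), and after the reduction `assert all((b[0] + b[1]*lambda_psi + b[2]*lambda_psi^2 + b[3]*lambda_psi^3) % r == 0 for b in Lpsi.rows())` so the printed basis is verified to lie in the decomposition lattice rather than trusted on sight. The final `(a << v) // r` is floor division, which rounds negative entries of `ahat` toward minus infinity; a one-line comment stating that this is the rounding the consumer of these constants expects would help, since that cannot be confirmed from this hunk.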