Implement squaring for 𝔽p6 = 𝔽p2[∛(1+𝑖)]

2020-03-21 01:59:23 +01:00 · 2020-03-21 01:59:23 +01:00 · 03898b2292
parent bde619155b
commit 03898b2292
5 changed files with 293 additions and 62 deletions
--- a/constantine/tower_field_extensions/README.md
+++ b/constantine/tower_field_extensions/README.md
@ -63,6 +63,10 @@ From Ben Edgington, https://hackmd.io/@benjaminion/bls12-381
  Daniel V. Bailey and Christof Paar, 1998\
  https://www.emsec.ruhr-uni-bochum.de/media/crypto/veroeffentlichungen/2015/03/26/crypto98rc9.pdf

+- Asymmetric Squaring Formulae\
+  Jaewook Chung and M. Anwar Hasan\
+  http://cacr.uwaterloo.ca/techreports/2006/cacr2006-24.pdf
+
 - Multiplication and Squaring on Pairing-Friendly Fields\
  Augusto Jun Devegili and Colm Ó hÉigeartaigh and Michael Scott and Ricardo Dahab, 2006\
  https://eprint.iacr.org/2006/471
--- a/constantine/tower_field_extensions/abelian_groups.nim
+++ b/constantine/tower_field_extensions/abelian_groups.nim
@ -29,67 +29,6 @@ import
 #     sum(mR, a, b)
 #     diff(mR, a, b)

-# ############################################################
-#
-#                 Quadratic Extension fields
-#
-# ############################################################
-
-type
-  QuadExtAddGroup* = concept x
-    ## Quadratic extension fields - Abelian Additive Group concept
-    type BaseField = auto
-    x.c0 is BaseField
-    x.c1 is BaseField
-
-func `==`*(a, b: QuadExtAddGroup): CTBool[Word] =
-  ## Constant-time equality check
-  (a.c0 == b.c0) and (a.c1 == b.c1)
-
-func setZero*(a: var QuadExtAddGroup) =
-  ## Set ``a`` to zero in the extension field
-  ## Coordinates 0 + 0 𝛼
-  ## with 𝛼 the solution of f(x) = x² - µ = 0
-  a.c0.setZero()
-  a.c1.setZero()
-
-func setOne*(a: var QuadExtAddGroup) =
-  ## Set ``a`` to one in the extension field
-  ## Coordinates 1 + 0 𝛼
-  ## with 𝛼 the solution of f(x) = x² - µ = 0
-  a.c0.setOne()
-  a.c1.setZero()
-
-func `+=`*(a: var QuadExtAddGroup, b: QuadExtAddGroup) =
-  ## Addition in the extension field
-  a.c0 += b.c0
-  a.c1 += b.c1
-
-func `-=`*(a: var QuadExtAddGroup, b: QuadExtAddGroup) =
-  ## Substraction in the extension field
-  a.c0 -= b.c0
-  a.c1 -= b.c1
-
-func double*(r: var QuadExtAddGroup, a: QuadExtAddGroup) =
-  ## Double in the extension field
-  r.c0.double(a.c0)
-  r.c1.double(a.c1)
-
-func sum*(r: var QuadExtAddGroup, a, b: QuadExtAddGroup) =
-  ## Sum ``a`` and ``b`` into r
-  r.c0.sum(a.c0, b.c0)
-  r.c1.sum(a.c1, b.c1)
-
-func diff*(r: var QuadExtAddGroup, a, b: QuadExtAddGroup) =
-  ## Difference of ``a`` by `b`` into r
-  r.c0.diff(a.c0, b.c0)
-  r.c1.diff(a.c1, b.c1)
-
-func neg*(r: var QuadExtAddGroup, a: QuadExtAddGroup) =
-  ## Negate ``a`` into ``r``
-  r.c0.neg(a.c0)
-  r.c1.neg(a.c1)
-
 # ############################################################
 #
 #                 Cubic Extension fields
@ -142,6 +81,12 @@ func double*(r: var CubicExtAddGroup, a: CubicExtAddGroup) =
  r.c1.double(a.c1)
  r.c2.double(a.c2)

+func double*(a: var CubicExtAddGroup) =
+  ## Double in the extension field
+  double(a.c0)
+  double(a.c1)
+  double(a.c2)
+
 func sum*(r: var CubicExtAddGroup, a, b: CubicExtAddGroup) =
  ## Sum ``a`` and ``b`` into r
  r.c0.sum(a.c0, b.c0)
@ -153,3 +98,70 @@ func diff*(r: var CubicExtAddGroup, a, b: CubicExtAddGroup) =
  r.c0.diff(a.c0, b.c0)
  r.c1.diff(a.c1, b.c1)
  r.c2.diff(a.c2, b.c2)
+
+# ############################################################
+#
+#                 Quadratic Extension fields
+#
+# ############################################################
+
+type
+  QuadExtAddGroup* = concept x
+    ## Quadratic extension fields - Abelian Additive Group concept
+    not(x is CubicExtAddGroup)
+    type BaseField = auto
+    x.c0 is BaseField
+    x.c1 is BaseField
+
+func `==`*(a, b: QuadExtAddGroup): CTBool[Word] =
+  ## Constant-time equality check
+  (a.c0 == b.c0) and (a.c1 == b.c1)
+
+func setZero*(a: var QuadExtAddGroup) =
+  ## Set ``a`` to zero in the extension field
+  ## Coordinates 0 + 0 𝛼
+  ## with 𝛼 the solution of f(x) = x² - µ = 0
+  a.c0.setZero()
+  a.c1.setZero()
+
+func setOne*(a: var QuadExtAddGroup) =
+  ## Set ``a`` to one in the extension field
+  ## Coordinates 1 + 0 𝛼
+  ## with 𝛼 the solution of f(x) = x² - µ = 0
+  a.c0.setOne()
+  a.c1.setZero()
+
+func `+=`*(a: var QuadExtAddGroup, b: QuadExtAddGroup) =
+  ## Addition in the extension field
+  a.c0 += b.c0
+  a.c1 += b.c1
+
+func `-=`*(a: var QuadExtAddGroup, b: QuadExtAddGroup) =
+  ## Substraction in the extension field
+  a.c0 -= b.c0
+  a.c1 -= b.c1
+
+func double*(r: var QuadExtAddGroup, a: QuadExtAddGroup) =
+  ## Double in the extension field
+  r.c0.double(a.c0)
+  r.c1.double(a.c1)
+
+func double*(a: var QuadExtAddGroup) =
+  ## Double in the extension field
+  double(a.c0)
+  double(a.c1)
+
+func sum*(r: var QuadExtAddGroup, a, b: QuadExtAddGroup) =
+  ## Sum ``a`` and ``b`` into r
+  r.c0.sum(a.c0, b.c0)
+  r.c1.sum(a.c1, b.c1)
+
+func diff*(r: var QuadExtAddGroup, a, b: QuadExtAddGroup) =
+  ## Difference of ``a`` by `b`` into r
+  r.c0.diff(a.c0, b.c0)
+  r.c1.diff(a.c1, b.c1)
+
+func neg*(r: var QuadExtAddGroup, a: QuadExtAddGroup) =
+  ## Negate ``a`` into ``r``
+  r.c0.neg(a.c0)
+  r.c1.neg(a.c1)
--- a/constantine/tower_field_extensions/fp2_complex.nim
+++ b/constantine/tower_field_extensions/fp2_complex.nim
@ -61,7 +61,7 @@ type
    c0*, c1*: Fp[C]

 func square*(r: var Fp2, a: Fp2) =
-  ## Return a^2 in 𝔽p2 = 𝔽p[𝑖] in ``r``
+  ## Return a² in 𝔽p2 = 𝔽p[𝑖] in ``r``
  ## ``r`` is initialized/overwritten
  # (c0, c1)² => (c0 + c1𝑖)²
  #           => c0² + 2 c0 c1𝑖 + (c1𝑖)²
--- a/constantine/tower_field_extensions/fp6_1_plus_i.nim
+++ b/constantine/tower_field_extensions/fp6_1_plus_i.nim
@ -0,0 +1,82 @@
+# Constantine
+# Copyright (c) 2018-2019    Status Research & Development GmbH
+# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
+# Licensed and distributed under either of
+#   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
+#   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
+# at your option. This file may not be copied, modified, or distributed except according to those terms.
+
+# ############################################################
+#
+#        Cubic Extension field over base field 𝔽p2
+#             𝔽p6 = 𝔽p2[∛(1 + 𝑖)]
+#
+# ############################################################
+
+# This implements a quadratic extension field over 𝔽p2 = 𝔽p[𝑖]
+# the base field 𝔽p:
+#   𝔽p6 = 𝔽p2[∛(1 + 𝑖)]
+# with element A of coordinates (a0, a1) represented
+# by a0 + a1 ξ + a2 ξ²
+#
+# The irreducible polynomial chosen is
+#   x³ - ξ with ξ = 𝑖+1
+#
+#
+# Consequently, for this file Fp2 to be valid
+# 𝑖+1 MUST not be a square in 𝔽p2
+
+import
+  ../arithmetic,
+  ../config/curves,
+  ./abelian_groups,
+  ./fp2_complex
+
+type
+  Fp6*[C: static Curve] = object
+    ## Element of the extension field
+    ## 𝔽p6 = 𝔽p2[∛(1 + 𝑖)]
+    ##
+    ## with coordinates (c0, c1, c2) such as
+    ## c0 + c1 ξ + c2 ξ²
+    ##
+    ## This requires 1 + 𝑖 to not be a cube in 𝔽p2
+    c0*, c1*, c2*: Fp2[C]
+
+  Xi = object
+    ## ξ (Xi) the cubic non-residue
+
+func `*`(_: typedesc[Xi], a: Fp2): Fp2 =
+  ## Multiply an element of 𝔽p2 by 𝔽p6 cubic non-residue 1 + 𝑖
+  ## (c0 + c1 𝑖) (1 + 𝑖) => c0 + (c0 + c1)𝑖 + c1 𝑖²
+  ##                     => c0 - c1 + (c0 + c1) 𝑖
+  result.c0 = a.c0 - a.c1
+  result.c1 = a.c0 + a.c1
+
+template `*`(a: Fp2, _: typedesc[Xi]): Fp2 =
+  Xi * a
+
+func square*[C](r: var Fp6[C], a: Fp6[C]) =
+  ## Return a²
+  ##
+  # Algorithm is Chung-Hasan Squaring SQR3
+  # http://cacr.uwaterloo.ca/techreports/2006/cacr2006-24.pdf
+  var v2{.noInit.}, v3{.noInit.}, v4{.noInit.}, v5{.noInit.}: Fp2[C]
+
+  v4.prod(a.c0, a.c1)
+  v4.double()
+  v5.square(a.c2)
+  r.c1 = Xi * v5
+  r.c1 += v4
+  v2.diff(v4, v5)
+  v3.square(a.c0)
+  v4.diff(a.c0, a.c1)
+  v4 += a.c2
+  v5.prod(a.c1, a.c2)
+  v5.double()
+  v4.square(v4)
+  r.c0 = Xi * v5
+  r.c0 += v3
+  r.c2.sum(v2, v4)
+  r.c2 += v5
+  r.c2 -= v3
--- a/tests/test_fp6.nim
+++ b/tests/test_fp6.nim
@ -0,0 +1,133 @@
+# Constantine
+# Copyright (c) 2018-2019    Status Research & Development GmbH
+# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
+# Licensed and distributed under either of
+#   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
+#   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
+# at your option. This file may not be copied, modified, or distributed except according to those terms.
+
+import
+  # Standard library
+  unittest, times, random,
+  # Internals
+  ../constantine/tower_field_extensions/[abelian_groups, fp6_1_plus_i],
+  ../constantine/config/[common, curves],
+  ../constantine/arithmetic,
+  # Test utilities
+  ../helpers/prng
+
+const Iters = 128
+
+var rng: RngState
+let seed = uint32(getTime().toUnix() and (1'i64 shl 32 - 1)) # unixTime mod 2^32
+rng.seed(seed)
+echo "test_fp6 xoshiro512** seed: ", seed
+
+# Import: wrap in field element tests in small procedures
+#         otherwise they will become globals,
+#         and will create binary size issues.
+#         Also due to Nim stack scanning,
+#         having too many elements on the stack (a couple kB)
+#         will significantly slow down testing (100x is possible)
+
+suite "𝔽p6 = 𝔽p2[∛(1+𝑖)] (irreducible polynomial x³ - (1+𝑖))":
+  test "Squaring 1 returns 1":
+    template test(C: static Curve) =
+      block:
+        proc testInstance() =
+          let One = block:
+            var O{.noInit.}: Fp6[C]
+            O.setOne()
+            O
+          block:
+            var r{.noinit.}: Fp6[C]
+            r.square(One)
+            check: bool(r == One)
+          # block:
+          #   var r{.noinit.}: Fp6[C]
+          #   r.prod(One, One)
+          #   check: bool(r == One)
+
+        testInstance()
+
+    test(BN254)
+    test(BLS12_381)
+
+  test "Squaring 2 returns 4":
+    template test(C: static Curve) =
+      block:
+        proc testInstance() =
+          let One = block:
+            var O{.noInit.}: Fp6[C]
+            O.setOne()
+            O
+
+          var Two: Fp6[C]
+          Two.double(One)
+
+          var Four: Fp6[C]
+          Four.double(Two)
+
+          var r: Fp6[C]
+          r.square(Two)
+
+          check: bool(r == Four)
+
+        testInstance()
+
+    test(BN254)
+    test(BLS12_381)
+
+  test "Squaring 3 returns 9":
+    template test(C: static Curve) =
+      block:
+        proc testInstance() =
+          let One = block:
+            var O{.noInit.}: Fp6[C]
+            O.setOne()
+            O
+
+          var Three: Fp6[C]
+          for _ in 0 ..< 3:
+            Three += One
+
+          var Nine: Fp6[C]
+          for _ in 0 ..< 9:
+            Nine += One
+
+          var u: Fp6[C]
+          u.square(Three)
+
+          check: bool(u == Nine)
+
+        testInstance()
+
+    test(BN254)
+    test(BLS12_381)
+
+  test "Squaring -3 returns 9":
+    template test(C: static Curve) =
+      block:
+        proc testInstance() =
+          let One = block:
+            var O{.noInit.}: Fp6[C]
+            O.setOne()
+            O
+
+          var MinusThree: Fp6[C]
+          for _ in 0 ..< 3:
+            MinusThree -= One
+
+          var Nine: Fp6[C]
+          for _ in 0 ..< 9:
+            Nine += One
+
+          var u: Fp6[C]
+          u.square(MinusThree)
+
+          check: bool(u == Nine)
+
+        testInstance()
+
+    test(BN254)
+    test(BLS12_381)