Endomorphism acceleration for BN254-Nogami (#102)

mratsim · Oct 10, 2020 · 6530596 · 6530596
1 parent a2f46f7
commit 6530596
Show file tree

Hide file tree

Showing 10 changed files with 1,587 additions and 6 deletions.
diff --git a/benchmarks/bench_ec_g1.nim b/benchmarks/bench_ec_g1.nim
@@ -32,7 +32,7 @@ const Iters = 10_000
 const MulIters = 100
 const AvailableCurves = [
   # P224,
-  # BN254_Nogami,
+  BN254_Nogami,
   BN254_Snarks,
   # Curve25519,
   # P256,

diff --git a/benchmarks/bench_ec_g2.nim b/benchmarks/bench_ec_g2.nim
@@ -33,7 +33,7 @@ const Iters = 10_000
 const MulIters = 500
 const AvailableCurves = [
   # P224,
-  # BN254_Nogami,
+  BN254_Nogami,
   BN254_Snarks,
   # Curve25519,
   # P256,

diff --git a/benchmarks/bench_elliptic_template.nim b/benchmarks/bench_elliptic_template.nim
@@ -175,7 +175,7 @@ proc scalarMulGenericBench*(T: typedesc, window: static int, iters: int) =
 
   let exponent = rng.random_unsafe(BigInt[bits])
 
-  bench("EC ScalarMul " & $bits & "-bit Generic " & G1_or_G2 & " (window = " & $window & ')', T, iters):
+  bench("EC ScalarMul " & $bits & "-bit " & G1_or_G2 & " (window-" & $window & ", generic)", T, iters):
     r = P
     r.scalarMulGeneric(exponent, window)
 

diff --git a/constantine.nimble b/constantine.nimble
@@ -114,6 +114,7 @@ const testDesc: seq[tuple[path: string, useGMP: bool]] = @[
 
   # Elliptic curve arithmetic vs Sagemath
   ("tests/t_ec_frobenius.nim", false),
+  ("tests/t_ec_sage_bn254_nogami.nim", false),
   ("tests/t_ec_sage_bn254_snarks.nim", false),
   ("tests/t_ec_sage_bls12_377.nim", false),
   ("tests/t_ec_sage_bls12_381.nim", false),

diff --git a/constantine/curves/bn254_nogami_glv.nim b/constantine/curves/bn254_nogami_glv.nim
@@ -0,0 +1,63 @@
+# Constantine
+# Copyright (c) 2018-2019    Status Research & Development GmbH
+# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
+# Licensed and distributed under either of
+#   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
+#   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
+# at your option. This file may not be copied, modified, or distributed except according to those terms.
+
+import
+  ../config/[curves, type_bigint, type_fp],
+  ../io/[io_bigints, io_fields]
+
+# BN254_Nogami G1
+# ------------------------------------------------------------
+
+const BN254_Nogami_cubicRootOfUnity_mod_p* =
+  Fp[BN254_Nogami].fromHex"0x25236482400000017080eb4000000006181800000000000cd98000000000000b"
+
+const BN254_Nogami_Lattice_G1* = (
+  # (BigInt, isNeg)
+  ((BigInt[127].fromHex"0x61818000000000020400000000000003", true),
+   (BigInt[64].fromHex"0x8100000000000001", false)),
+  ((BigInt[64].fromHex"0x8100000000000001", false),
+   (BigInt[127].fromHex"0x61818000000000028500000000000004", false))
+)
+
+const BN254_Nogami_Babai_G1* = (
+  # (BigInt, isNeg)
+  (BigInt[130].fromHex"0x2a01fab7e04a017bd3a22fc67c12a7c5c", true),
+  (BigInt[66].fromHex"0x37937ca688a6b4904", false)
+)
+
+
+# BN254_Nogami G2
+# ------------------------------------------------------------
+
+const BN254_Nogami_Lattice_G2* = (
+  # (BigInt, isNeg)
+  ((BigInt[64].fromHex"0x8100000000000001", false),
+   (BigInt[63].fromHex"0x4080000000000001", true),
+   (BigInt[63].fromHex"0x4080000000000000", true),
+   (BigInt[63].fromHex"0x4080000000000001", true)),
+  ((BigInt[63].fromHex"0x4080000000000000", false),
+   (BigInt[63].fromHex"0x4080000000000001", false),
+   (BigInt[63].fromHex"0x4080000000000001", false),
+   (BigInt[64].fromHex"0x8100000000000002", true)),
+  ((BigInt[63].fromHex"0x4080000000000001", true),
+   (BigInt[63].fromHex"0x4080000000000001", false),
+   (BigInt[63].fromHex"0x4080000000000001", true),
+   (BigInt[64].fromHex"0x8100000000000001", true)),
+  ((BigInt[64].fromHex"0x8100000000000002", false),
+   (BigInt[63].fromHex"0x4080000000000000", false),
+   (BigInt[63].fromHex"0x4080000000000001", true),
+   (BigInt[63].fromHex"0x4080000000000001", false))
+)
+
+const BN254_Nogami_Babai_G2* = (
+  # (BigInt, isNeg)
+  (BigInt[192].fromHex"0xa957fab5402a55fc0d305f177b0b3c3e78cd599c2aa84979", false),
+  (BigInt[192].fromHex"0xa957fab5402a55fc0d305f177b0b3c43aea10938fa493703", false),
+  (BigInt[192].fromHex"0xa957fab5402a55fc0d305f177b0b3c4035693ed06fddedfe", true),
+  (BigInt[192].fromHex"0xa957fab5402a55fead500a957fab53fbb2f05603ebd2c5d5", false)
+)
diff --git a/constantine/curves/zoo_glv.nim b/constantine/curves/zoo_glv.nim
@@ -12,7 +12,7 @@ import
   ../towers,
   ./bls12_377_glv,
   ./bls12_381_glv,
-  # ./bn254_nogami_glv,
+  ./bn254_nogami_glv,
   ./bn254_snarks_glv
 
 {.experimental: "dynamicBindSym".}
@@ -35,3 +35,11 @@ template lattice*(F: typedesc[Fp or Fp2]): untyped =
 macro getCubicRootOfUnity_mod_p*(C: static Curve): untyped =
   ## Get a non-trivial cubic root of unity (mod p) with p the prime field
   result = bindSym($C & "_cubicRootOfUnity_mod_p")
+
+func hasEndomorphismAcceleration*(C: static Curve): bool =
+  C in {
+    BN254_Nogami,
+    BN254_Snarks,
+    BLS12_377,
+    BLS12_381
+  }
diff --git a/constantine/elliptic/ec_scalar_mul.nim b/constantine/elliptic/ec_scalar_mul.nim
@@ -12,6 +12,7 @@ import
   ../arithmetic,
   ../towers,
   ../io/io_bigints,
+  ../curves/zoo_glv,
   ./ec_endomorphism_accel
 
 # ############################################################
@@ -238,9 +239,9 @@ func scalarMul*[EC](
   ## Endomorphism acceleration requires:
   ## - Cofactor to be cleared
   ## - 0 <= scalar < curve order
-  ##   this will not automatically
+  ## Those will be assumed to maintain constant-time property
   when BigInt.bits <= EC.F.C.getCurveOrderBitwidth() and
-       EC.F.C in {BN254_Snarks, BLS12_377, BLS12_381}:
+       EC.F.C.hasEndomorphismAcceleration():
     when EC.F is Fp:
       P.scalarMulGLV_m2w2(scalar)
     elif EC.F is Fp2:

diff --git a/tests/t_ec_sage_bn254_nogami.nim b/tests/t_ec_sage_bn254_nogami.nim
@@ -0,0 +1,36 @@
+# Constantine
+# Copyright (c) 2018-2019    Status Research & Development GmbH
+# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
+# Licensed and distributed under either of
+#   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
+#   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
+# at your option. This file may not be copied, modified, or distributed except according to those terms.
+
+import
+  # Internals
+  ../constantine/config/[type_fp, curves],
+  ../constantine/towers,
+  ../constantine/elliptic/ec_shortweierstrass_jacobian,
+  ../constantine/elliptic/ec_shortweierstrass_projective,
+  # Test utilities
+  ./t_ec_sage_template
+
+run_scalar_mul_test_vs_sage(
+  ECP_ShortW_Proj[Fp[BN254_Nogami], NotOnTwist],
+  "t_ec_sage_bn254_nogami_g1_projective"
+)
+
+run_scalar_mul_test_vs_sage(
+  ECP_ShortW_Jac[Fp[BN254_Nogami], NotOnTwist],
+  "t_ec_sage_bn254_nogami_g1_jacobian"
+)
+
+run_scalar_mul_test_vs_sage(
+  ECP_ShortW_Proj[Fp2[BN254_Nogami], OnTwist],
+  "t_ec_sage_bn254_nogami_g2_projective"
+)
+
+run_scalar_mul_test_vs_sage(
+  ECP_ShortW_Jac[Fp2[BN254_Nogami], OnTwist],
+  "t_ec_sage_bn254_nogami_g2_jacobian"
+)