Hinted scalar decomposition in a gadget #268
Labels: question (Further information is requested)
Comments
gbotrel added a commit that referenced this issue on Mar 24, 2022:
* perf(std/tEd): first bit in ScalarMul handled separately
* perf(std/tEd): rearrange Double --> less constraints
* perf(std/EdDSA): rearrange eddsa verify (-1 addition, -1 MustBeOnCurve)
* perf(std/tEd): Lookup2 for first 2 bits in ScalarMulFixedBase
* perf(std/tEd): FixedPoint should be hidden by the API
* test(tEd): test scalarMul for all curves and schemes
* fix(tEd): case when scalar size is odd
* fix(tEd): case when scalar size is odd
* refactor(eddsa): rearrange eddsa verif as cofactor clearing counts
* feat(tEd): implements double-base scalar mul
* perf(EdDSA): eddsa gadget using double-base scalar mul
* perf(bandersnatch): apply tEd perf changes to Bandersnatch
* fix: fixed wrong bigInt op in plonk api
* style(eddsa, tEd): no benchmarks
* style(eddsa, tEd): no benchmarks
* perf(bandersnatch): GLV scalar mul in-circuit
* test(twistededwards): randomise test
* refactor(bandersnatch): review PR 263
* fix(bandersnatch): curveID in hint not checked
* fix(bandersnatch): check curveID for endomorphism availability
* style(bandersnatch): correct comment
* style(bandersnatch): correct comment about negative scalars
* fix(bandersnatch): increase scalars size bound to 129 + comments
* fix: hint signature in bandersnatch matches new format
* refactor: eddsa factorizing and code cleaning (#285)
* build: updated to latest gnark-crypto
* build: updated to latest gnark-crypto
* refactor: introduce Curve interface in std/ and updated eddsa tests
* feat: added std/eddsa publicKey and signature assign helpers
* refactor(std): merged twistededwards and bandersnatch. IsOnCurve failing for bandersnatch
* fix: closes #283. ensure test.Assert compile cache handles different object of same type
* fix: use UnsafeAddr instead of UnsafePointer to be retro compatible
* fix: fix previous commit
* test: test all twisted ed curve operations
* Fixes #283 : ensure test.Assert compile cache handles different objects of same type (#284)
* fix: closes #283. ensure test.Assert compile cache handles different object of same type
* fix: use UnsafeAddr instead of UnsafePointer to be retro compatible
* fix: fix previous commit
* fix: apply pr patch
* style: make twistededwards/Point methods package private
* style: fix gosec errors in std/eddsa
* feat: disable GLV mul in bandersnatch until #268 is fixed

Co-authored-by: Thomas Piellard <[email protected]>
Co-authored-by: Gautam Botrel <[email protected]>
@yelhousni status?
Fixed in #1271
In SW and tEd gadgets, when using the hinted scalar decomposition for GLV, we only check that

    s1 + λ * s2 == s + k*o

but this is done mod r (where o is the order of the SW/tEd curve prime subgroup and r the order of the SNARK curve prime subgroup). It means that in Z:

    s1 + λ * s2 - s - k*o = c * r

but with no guarantee that c is always 0. We should look for edge cases if any and constrain them or look for a better constrained decomposition.