Barretenberg: src/barretenberg/ecc/curves/secp256k1/secp256k1_endo_notes.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: Planned, auditors: [Raju], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#pragma once


#include "barretenberg/numeric/uintx/uintx.hpp"

#include "secp256k1.hpp"


namespace bb::secp256k1 {


struct basis_vectors {

    uint64_t endo_g1_lo = 0;

    uint64_t endo_g1_mid = 0;

    uint64_t endo_g1_hi = 0;

    uint64_t endo_g2_lo = 0;

    uint64_t endo_g2_mid = 0;

    uint64_t endo_g2_hi = 0;

    uint64_t endo_minus_b1_lo = 0;

    uint64_t endo_minus_b1_mid = 0;

    uint64_t endo_b2_lo = 0;

    uint64_t endo_b2_mid = 0;

    uint64_t endo_a1_lo = 0;

    uint64_t endo_a1_mid = 0;

    uint64_t endo_a1_hi = 0;

    uint64_t endo_a2_lo = 0;

    uint64_t endo_a2_mid = 0;

    uint64_t endo_a2_hi = 0;


    bool real = false;

};


[[maybe_unused]] static basis_vectors get_endomorphism_basis_vectors(const secp256k1::fr& lambda)

{

    uint512_t approximate_square_root;

    uint512_t z = (uint512_t(secp256k1::fr::modulus) + uint512_t(2)) >> 1;

    auto y = uint512_t(secp256k1::fr::modulus);

    while (z < y) {

        y = z;

        z = (uint512_t(secp256k1::fr::modulus) / z + z) >> 1;

    }

    approximate_square_root = y;

    // Run the extended greatest common divisor algorithm until out * (\lambda + 1) < approximate_square_root


    uint512_t u(lambda);

    uint512_t v(secp256k1::fr::modulus);

    uint512_t x1 = 1;

    uint512_t y1 = 0;

    uint512_t x2 = 0;

    uint512_t y2 = 1;


    uint512_t a0 = 0;

    uint512_t b0 = 0;


    uint512_t a1 = 0;

    uint512_t b1 = 0;


    uint512_t a2 = 0;

    uint512_t b2 = 0;


    uint512_t prevOut = 0;

    uint512_t i = 0;

    uint512_t out = 0;

    uint512_t x = 0;


    while (u != 0) {

        uint512_t q = v / u;

        out = v - uint512_t(uint512_t(q) * uint512_t(u));

        x = x2 - (q * x1);

        uint512_t y = y2 - (q * y1);

        if ((a1 == 0) && (out < approximate_square_root)) {

            a0 = -prevOut;

            b0 = x1;

            a1 = -out;

            b1 = x;

        } else if ((a1 > 0) && (++i == 2)) {

            break;

        }

        prevOut = out;


        v = u;

        u = out;

        x2 = x1;

        x1 = x;

        y2 = y1;

        y1 = y;

    }


    a2 = -out;

    b2 = x;


    uint512_t len1 = (a1 * a1) + (b1 * b1);

    uint512_t len2 = (a2 * a2) + (b2 * b2);

    if (len2 >= len1) {

        a2 = a0;

        b2 = b0;

    }


    if (a1.get_msb() >= 128) {

        a1 = -a1;

        b1 = -b1;

    }

    if (a2.get_msb() >= 128) {

        a2 = -a2;

        b2 = -b2;

    }


    uint512_t minus_b1 = -b1;

    uint512_t shift256 = uint512_t(1) << 256;

    uint512_t g1 = (-b1 * shift256) / uint512_t(secp256k1::fr::modulus);

    uint512_t g2 = (b2 * shift256) / uint512_t(secp256k1::fr::modulus);


    basis_vectors result;

    result.endo_g1_lo = g1.lo.data[0];

    result.endo_g1_mid = g1.lo.data[1];

    result.endo_g1_hi = g1.lo.data[2];

    result.endo_g2_lo = g2.lo.data[0];

    result.endo_g2_mid = g2.lo.data[1];

    result.endo_g2_hi = g2.lo.data[2];

    result.endo_minus_b1_lo = minus_b1.lo.data[0];

    result.endo_minus_b1_mid = minus_b1.lo.data[1];

    result.endo_b2_lo = b2.lo.data[0];

    result.endo_b2_mid = b2.lo.data[1];

    result.endo_a1_lo = a1.lo.data[0];

    result.endo_a1_mid = a1.lo.data[1];

    result.endo_a1_hi = a1.lo.data[2];

    result.endo_a2_lo = a2.lo.data[0];

    result.endo_a2_mid = a2.lo.data[1];

    result.endo_a2_hi = a2.lo.data[2];

    return result;

}


[[maybe_unused]] static std::pair<secp256k1::fq, secp256k1::fr> get_endomorphism_scalars()

{

    // find beta \in secp256k1::fq and lambda \in secp256k1::fr such that:


    // 1. beta^3 = 1 mod q

    // 2. lambda^3 = 1 mod r

    // 3. for [P] \in G with coordinates (P.x, P.y) \in secp256k1::fq:

    //      \lambda.[P] = (\beta . P.x, P.y)

    const secp256k1::fq beta = secp256k1::fq::cube_root_of_unity();

    const secp256k1::fr lambda = secp256k1::fr::cube_root_of_unity();


    if (beta * beta * beta != secp256k1::fq(1)) {

        std::cerr << "beta is not a cube root of unity" << std::endl;

    }

    if (lambda * lambda * lambda != secp256k1::fr(1)) {

        std::cerr << "lambda is not a cube root of unity" << std::endl;

    }


    secp256k1::g1::element P = secp256k1::g1::one;

    secp256k1::g1::element endoP = P;

    endoP.x *= beta;


    if (P * lambda == endoP) {

        return { beta, lambda };

    }

    endoP.x *= beta;

    if ((P * lambda) == endoP) {

        return { beta * beta, lambda };

    }

    endoP.y = -endoP.y;

    std::cerr << "could not find endomorphism scalars???" << std::endl;

    return { secp256k1::fq(0), secp256k1::fr(0) };

}

}; // namespace bb::secp256k1

bb::group_elements::element::x
Fq x
Definition element.hpp:118

bb::group::one
static constexpr element one
Definition group.hpp:46

bb::group::element
group_elements::element< Fq, Fr, Params > element
Definition group.hpp:41

bb::numeric::uint256_t::data
uint64_t data[4]
Definition uint256.hpp:219

bb::numeric::uintx< uint256_t >

bb::numeric::uintx::lo
base_uint lo
Definition uintx.hpp:271

bb::numeric::uintx::get_msb
constexpr uint64_t get_msb() const
Definition uintx.hpp:68

bb::numeric::uint512_t
uintx< uint256_t > uint512_t
Definition uintx.hpp:306

bb::secp256k1
Definition secp256k1.hpp:15

bb::secp256k1::fr
field< FrParams > fr
Definition secp256k1.hpp:269

bb::secp256k1::g1
group< fq, fr, G1Params > g1
Definition secp256k1.hpp:285

bb::secp256k1::fq
field< FqParams > fq
Definition secp256k1.hpp:135

bb::g2
group< fq2, fr, Bn254G2Params > g2
Definition g2.hpp:39

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

secp256k1.hpp

bb::field< FrParams >

bb::field::cube_root_of_unity
static constexpr field cube_root_of_unity()
Definition field_declarations.hpp:255

bb::field< FrParams >::modulus
static constexpr uint256_t modulus
Definition field_declarations.hpp:234

bb::secp256k1::basis_vectors
Definition secp256k1_endo_notes.hpp:13

bb::secp256k1::basis_vectors::real
bool real
Definition secp256k1_endo_notes.hpp:31

bb::secp256k1::basis_vectors::endo_a1_mid
uint64_t endo_a1_mid
Definition secp256k1_endo_notes.hpp:25

bb::secp256k1::basis_vectors::endo_a2_mid
uint64_t endo_a2_mid
Definition secp256k1_endo_notes.hpp:28

bb::secp256k1::basis_vectors::endo_a2_lo
uint64_t endo_a2_lo
Definition secp256k1_endo_notes.hpp:27

bb::secp256k1::basis_vectors::endo_a2_hi
uint64_t endo_a2_hi
Definition secp256k1_endo_notes.hpp:29

bb::secp256k1::basis_vectors::endo_b2_mid
uint64_t endo_b2_mid
Definition secp256k1_endo_notes.hpp:23

bb::secp256k1::basis_vectors::endo_a1_hi
uint64_t endo_a1_hi
Definition secp256k1_endo_notes.hpp:26

bb::secp256k1::basis_vectors::endo_minus_b1_mid
uint64_t endo_minus_b1_mid
Definition secp256k1_endo_notes.hpp:21

bb::secp256k1::basis_vectors::endo_g2_mid
uint64_t endo_g2_mid
Definition secp256k1_endo_notes.hpp:18

bb::secp256k1::basis_vectors::endo_a1_lo
uint64_t endo_a1_lo
Definition secp256k1_endo_notes.hpp:24

bb::secp256k1::basis_vectors::endo_g1_lo
uint64_t endo_g1_lo
Definition secp256k1_endo_notes.hpp:14

bb::secp256k1::basis_vectors::endo_minus_b1_lo
uint64_t endo_minus_b1_lo
Definition secp256k1_endo_notes.hpp:20

bb::secp256k1::basis_vectors::endo_g2_hi
uint64_t endo_g2_hi
Definition secp256k1_endo_notes.hpp:19

bb::secp256k1::basis_vectors::endo_b2_lo
uint64_t endo_b2_lo
Definition secp256k1_endo_notes.hpp:22

bb::secp256k1::basis_vectors::endo_g1_hi
uint64_t endo_g1_hi
Definition secp256k1_endo_notes.hpp:16

bb::secp256k1::basis_vectors::endo_g1_mid
uint64_t endo_g1_mid
Definition secp256k1_endo_notes.hpp:15

bb::secp256k1::basis_vectors::endo_g2_lo
uint64_t endo_g2_lo
Definition secp256k1_endo_notes.hpp:17

uintx.hpp