Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce an explicit clear-cofactor method #420

Merged
merged 11 commits into from
Jun 28, 2022
Merged

Introduce an explicit clear-cofactor method #420

merged 11 commits into from
Jun 28, 2022

Conversation

mmagician
Copy link
Member

@mmagician mmagician commented May 24, 2022
edited
Loading

There are faster ways to clear the cofactor that multiplying by h, see e.g. https://eprint.iacr.org/2021/1130.pdf.
In this PR I expose a method clear_cofactor on AffineCurve, which SW/TE-ModelParameters implement with a default mul_by_cofactor() call, but which allows upstream implementers of these traits to override with a more efficient implementation.

As an example, I've added a concrete speedup for bls12-381 G1 (see companion PR in curves) which employs multiplication by a smaller scalar than the cofactor itself.

Description

related to #308

Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.

  • Targeted PR against correct branch (master)
  • Linked to GitHub issue with discussion and accepted design OR have an explanation in the PR that describes this work.
  • Wrote unit tests
  • Updated relevant documentation in the code
  • Added a relevant changelog entry to the Pending section in CHANGELOG.md
  • Re-reviewed Files changed in the GitHub PR explorer

mmagician added 6 commits May 24, 2022 10:46
@mmagician
Add a clear_cofactor method
b16ee7a
@mmagician
Refactor clear_cofactor
a35ce5c 
Allowing implementers of <SW/TE>ModelParameters to override the default implementation
@mmagician
Add the first custom implementation
541cb87 
multiply by h_eff instead of by cofactor in G1 of BLS12-381
@mmagician
Include cofactor tests in test-templates
baa1ec4
@mmagician
Update documentation and fix formatting
42e9b37
@mmagician
Update CHANGELOG.md
c82a28a
@mmagician mmagician requested a review from Pratyush May 24, 2022 15:25
@Pratyush
Copy link
Member

Pratyush commented Jun 1, 2022

The effect of these methods is to mul_by_cofactor, right? I.e., if I have a group element g that's already in the prime order subgroup, does this assertion hold: assert_eq!(g.clear_cofactor(), g.mul_by_cofactor())?

@mmagician
Copy link
Member Author

Not necessarily. AFAIU the point of clearing the cofactor is to return a point in the prime order subgroup, but different techniques for clearing will return different points with the same order.
So if there's a non-default clear_cofactor implementation (like here), the above assertion won't hold, just as assert_eq!(g, g.mul_by_cofactor()) won't hold now.

@mmagician mmagician mentioned this pull request Jun 23, 2022
Merged
6 tasks
@mmagician
Copy link
Member Author

Is this PR ok to go ahead with? It's necessary for #430.

@mmagician mmagician merged commit 6657240 into arkworks-rs:master Jun 28, 2022
@mmagician mmagician deleted the clear-cofactor branch June 28, 2022 13:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Pratyush Pratyush Pratyush approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mmagician @Pratyush