bandersnatch/wagon: fix scalar decomposition

mratsim · Jun 27, 2024 · 8a06133 · 8a06133
1 parent 4bd7939
commit 8a06133
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 23 deletions.
diff --git a/constantine/math/elliptic/ec_scalar_mul_vartime.nim b/constantine/math/elliptic/ec_scalar_mul_vartime.nim
@@ -17,10 +17,9 @@ import
   constantine/math/arithmetic,
   constantine/math/extension_fields,
   constantine/math/io/io_bigints,
-  constantine/named/zoo_endomorphisms,
-  constantine/math/isogenies/frobenius,
   constantine/platforms/abstractions,
-  constantine/math_arbitrary_precision/arithmetic/limbs_views
+  constantine/math_arbitrary_precision/arithmetic/limbs_views,
+  constantine/named/zoo_endomorphisms
 
 {.push raises: [].} # No exceptions allowed in core cryptographic operations
 {.push checks: off.} # No defects due to array bound checking or signed integer overflow allowed

diff --git a/constantine/named/constants/bandersnatch_endomorphisms.nim b/constantine/named/constants/bandersnatch_endomorphisms.nim
@@ -14,14 +14,14 @@ import
 
 const Bandersnatch_Lattice_G1* = (
   # (BigInt, isNeg)
-  ((BigInt[127].fromHex"0x555fe2004be6928e4b02f94a9789181f", true),
-   (BigInt[124].fromHex"0x814b3eee55e8f5df8e2591a23d61f44", true)),
+  ((BigInt[127].fromHex"0x555fe2004be6928e4b02f94a9789181f", false),
+   (BigInt[124].fromHex"0x814b3eee55e8f5df8e2591a23d61f44", false)),
   ((BigInt[125].fromHex"0x102967ddcabd1ebbf1c4b23447ac3e88", false),
    (BigInt[127].fromHex"0x555fe2004be6928e4b02f94a9789181f", true))
 )
 
 const Bandersnatch_Babai_G1* = (
   # (BigInt, isNeg)
-  (BigInt[4].fromHex"0xc", false),
-  (BigInt[1].fromHex"0x0", false)
+  (BigInt[130].fromHex"0x2f21df5b0541cf632debac77a3f4747c1", false),
+  (BigInt[127].fromHex"0x4760f127d8767bde993b75e7547768aa", false)
 )
diff --git a/constantine/named/constants/banderwagon_endomorphisms.nim b/constantine/named/constants/banderwagon_endomorphisms.nim
@@ -14,14 +14,14 @@ import
 
 const Banderwagon_Lattice_G1* = (
   # (BigInt, isNeg)
-  ((BigInt[127].fromHex"0x555fe2004be6928e4b02f94a9789181f", true),
-   (BigInt[124].fromHex"0x814b3eee55e8f5df8e2591a23d61f44", true)),
+  ((BigInt[127].fromHex"0x555fe2004be6928e4b02f94a9789181f", false),
+   (BigInt[124].fromHex"0x814b3eee55e8f5df8e2591a23d61f44", false)),
   ((BigInt[125].fromHex"0x102967ddcabd1ebbf1c4b23447ac3e88", false),
    (BigInt[127].fromHex"0x555fe2004be6928e4b02f94a9789181f", true))
 )
 
 const Banderwagon_Babai_G1* = (
   # (BigInt, isNeg)
-  (BigInt[4].fromHex"0xc", false),
-  (BigInt[1].fromHex"0x0", false)
+  (BigInt[130].fromHex"0x2f21df5b0541cf632debac77a3f4747c1", false),
+  (BigInt[127].fromHex"0x4760f127d8767bde993b75e7547768aa", false)
 )
diff --git a/constantine/named/zoo_endomorphisms.nim b/constantine/named/zoo_endomorphisms.nim
@@ -85,7 +85,7 @@ func computeEndomorphism*[EC](endo: var EC, P: EC) =
   elif P.G == G1:
     endo.x.prod(P.x, C.getCubicRootOfUnity_mod_p())
     endo.y = P.y
-    when P isnot ECP_ShortW_Aff:
+    when P isnot EC_ShortW_Aff:
       endo.z = P.z
   else: # For BW6-761, both G1 and G2 are on Fp
     endo.frobenius_psi(P, 2)

diff --git a/sage/derive_endomorphisms_bandersnatch.sage b/sage/derive_endomorphisms_bandersnatch.sage
@@ -61,11 +61,14 @@ def pretty_print_babai(Basis):
       print(f'  𝛼\u0305{i}:  0x{Integer(int(v)).hex()}')
 
 def derive_lattice(r, lambdaR, m):
-  lat = Matrix(matrix.identity(m))
-  lat[0, 0] = r
-  for i in range(1, m):
-     lat[i, 0] = -lambdaR^i
-
+  # Note:
+  # - There are 2 solutions to sqrt(-2), each corresponding to a different endomorphism
+  # We derive the lattice decomposition for Bandersnatch according
+  # to the reference Python implementation instead as what we use for the other curves.
+  # For the other short weierstrass curves we can easily test
+  # the correspondance Qendo = lambdaR * P
+  # but SageMath does not implement Twisted Edwards curves.
+  lat = Matrix([[-lambdaR,1], [r,0]])
   return lat.LLL()
 
 def derive_babai(r, lattice, m):
@@ -85,19 +88,22 @@ r = Integer('0x1cfb69d4ca675f520cce760202687600ff8f87007419047174fd06b52876e7e1'
 Fr = GF(r)
 
 sol = [Integer(root) for root in Fr(-2).nth_root(2, all=True) if root != 1]
+print([x.hex() for x in sol])
 
 # Paper: https://eprint.iacr.org/2021/1152.pdf
 #  - https://ethresear.ch/t/introducing-bandersnatch-a-fast-elliptic-curve-built-over-the-bls12-381-scalar-field/9957
 #  - https://github.com/asanso/Bandersnatch/
-L = Integer('0x13b4f3dc4a39a493edf849562b38c72bcfc49db970a5056ed13d21408783df05')
-assert L in sol
+lambda1 = Integer('0x13b4f3dc4a39a493edf849562b38c72bcfc49db970a5056ed13d21408783df05')
+lambda2 = Integer(-Fr(lambda1))
+assert lambda1 in sol
+assert lambda2 in sol
 
 print('Deriving Lattice')
-lattice = derive_lattice(r, L, 2)
+lattice = derive_lattice(r, lambda1, 2)
 pretty_print_lattice(lattice)
 
 print('Deriving Babai basis')
-babai = derive_babai(r, L, 2)
+babai = derive_babai(r, lattice, 2)
 pretty_print_babai(babai)
 
 

diff --git a/tests/math_elliptic_curves/t_ec_template.nim b/tests/math_elliptic_curves/t_ec_template.nim
@@ -742,8 +742,9 @@ proc run_EC_mul_endomorphism_impl*(
           var scalar {.noInit.}: BigInt[bits]
           discard scalar.limbs.reduce_vartime(scalarUnreduced.limbs, EC.F.Name.scalarFieldModulus().limbs)
 
-          proc diagnostic(expected, computed: EC): string =
-            return "Type: " & $EC & "\n" &
+          proc diagnostic(expected, computed: EC): string {.used.} =
+            return "\n" &
+                   "Type: " & $EC & "\n" &
                    "Point:  " & P.toHex() & "\n" &
                    "scalar: " & scalar.toHex() & "\n" &
                    "expected: " & expected.toHex() & "\n" &