bandersnatch/wagon: fix scalar decomposition

constantine/math/constants/bandersnatch_endomorphisms.nim

@@ -7,23 +7,24 @@
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 
 import
-    ../config/curves,
     ../arithmetic,
-    ../io/[io_bigints, io_fields]
+    ../io/io_bigints
+
+{.used.} # Wrong warning
 
 # Bandersnatch
 # ------------------------------------------------------------
 
 const Bandersnatch_Lattice_G1* = (
   # (BigInt, isNeg)
-  ((BigInt[127].fromHex"0x555fe2004be6928e4b02f94a9789181f", true),
-   (BigInt[124].fromHex"0x814b3eee55e8f5df8e2591a23d61f44", true)),
+  ((BigInt[127].fromHex"0x555fe2004be6928e4b02f94a9789181f", false),
+   (BigInt[124].fromHex"0x814b3eee55e8f5df8e2591a23d61f44", false)),
   ((BigInt[125].fromHex"0x102967ddcabd1ebbf1c4b23447ac3e88", false),
    (BigInt[127].fromHex"0x555fe2004be6928e4b02f94a9789181f", true))
 )
 
 const Bandersnatch_Babai_G1* = (
   # (BigInt, isNeg)
-  (BigInt[4].fromHex"0xc", false),
-  (BigInt[1].fromHex"0x0", false)
+  (BigInt[130].fromHex"0x2f21df5b0541cf632debac77a3f4747c1", false),
+  (BigInt[127].fromHex"0x4760f127d8767bde993b75e7547768aa", false)
 )

constantine/math/constants/banderwagon_endomorphisms.nim

@@ -7,23 +7,24 @@
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 
 import
-    ../config/curves,
     ../arithmetic,
-    ../io/[io_bigints, io_fields]
+    ../io/io_bigints
+
+{.used.} # Wrong warning
 
 # Banderwagon
 # ------------------------------------------------------------
 
 const Banderwagon_Lattice_G1* = (
   # (BigInt, isNeg)
-  ((BigInt[127].fromHex"0x555fe2004be6928e4b02f94a9789181f", true),
-   (BigInt[124].fromHex"0x814b3eee55e8f5df8e2591a23d61f44", true)),
+  ((BigInt[127].fromHex"0x555fe2004be6928e4b02f94a9789181f", false),
+   (BigInt[124].fromHex"0x814b3eee55e8f5df8e2591a23d61f44", false)),
   ((BigInt[125].fromHex"0x102967ddcabd1ebbf1c4b23447ac3e88", false),
    (BigInt[127].fromHex"0x555fe2004be6928e4b02f94a9789181f", true))
 )
 
 const Banderwagon_Babai_G1* = (
   # (BigInt, isNeg)
-  (BigInt[4].fromHex"0xc", false),
-  (BigInt[1].fromHex"0x0", false)
+  (BigInt[130].fromHex"0x2f21df5b0541cf632debac77a3f4747c1", false),
+  (BigInt[127].fromHex"0x4760f127d8767bde993b75e7547768aa", false)
 )

constantine/math/elliptic/ec_multi_scalar_mul.nim

@@ -10,7 +10,6 @@ import ../config/curves,
        ./ec_multi_scalar_mul_scheduler,
        ./ec_endomorphism_accel,
        ../extension_fields,
-       ../isogenies/frobenius,
        ../constants/zoo_endomorphisms
 export bestBucketBitSize
 

constantine/math/elliptic/ec_scalar_mul_vartime.nim

@@ -18,7 +18,6 @@ import
   ../extension_fields,
   ../io/io_bigints,
   ../constants/zoo_endomorphisms,
-  ../isogenies/frobenius,
   ../../platforms/abstractions,
   ../../math_arbitrary_precision/arithmetic/limbs_views
 

sage/derive_endomorphisms_bandersnatch.sage

@@ -61,11 +61,14 @@ def pretty_print_babai(Basis):
       print(f'  𝛼\u0305{i}:  0x{Integer(int(v)).hex()}')
 
 def derive_lattice(r, lambdaR, m):
-  lat = Matrix(matrix.identity(m))
-  lat[0, 0] = r
-  for i in range(1, m):
-     lat[i, 0] = -lambdaR^i
-
+  # Note:
+  # - There are 2 solutions to sqrt(-2), each corresponding to a different endomorphism
+  # We derive the lattice decomposition for Bandersnatch according
+  # to the reference Python implementation instead as what we use for the other curves.
+  # For the other short weierstrass curves we can easily test
+  # the correspondance Qendo = lambdaR * P
+  # but SageMath does not implement Twisted Edwards curves.
+  lat = Matrix([[-lambdaR,1], [r,0]])
   return lat.LLL()
 
 def derive_babai(r, lattice, m):
@@ -85,19 +88,22 @@ r = Integer('0x1cfb69d4ca675f520cce760202687600ff8f87007419047174fd06b52876e7e1'
 Fr = GF(r)
 
 sol = [Integer(root) for root in Fr(-2).nth_root(2, all=True) if root != 1]
+print([x.hex() for x in sol])
 
 # Paper: https://eprint.iacr.org/2021/1152.pdf
 #  - https://ethresear.ch/t/introducing-bandersnatch-a-fast-elliptic-curve-built-over-the-bls12-381-scalar-field/9957
 #  - https://github.com/asanso/Bandersnatch/
-L = Integer('0x13b4f3dc4a39a493edf849562b38c72bcfc49db970a5056ed13d21408783df05')
-assert L in sol
+lambda1 = Integer('0x13b4f3dc4a39a493edf849562b38c72bcfc49db970a5056ed13d21408783df05')
+lambda2 = Integer(-Fr(lambda1))
+assert lambda1 in sol
+assert lambda2 in sol
 
 print('Deriving Lattice')
-lattice = derive_lattice(r, L, 2)
+lattice = derive_lattice(r, lambda1, 2)
 pretty_print_lattice(lattice)
 
 print('Deriving Babai basis')
-babai = derive_babai(r, L, 2)
+babai = derive_babai(r, lattice, 2)
 pretty_print_babai(babai)
 
 

tests/math_elliptic_curves/t_ec_template.nim

@@ -742,8 +742,9 @@ proc run_EC_mul_endomorphism_impl*(
           var scalar {.noInit.}: BigInt[bits]
           discard scalar.limbs.reduce_vartime(scalarUnreduced.limbs, EC.F.C.getCurveOrder().limbs)
 
-          proc diagnostic(expected, computed: EC): string =
-            return "Type: " & $EC & "\n" &
+          proc diagnostic(expected, computed: EC): string {.used.} =
+            return "\n" &
+                   "Type: " & $EC & "\n" &
                    "Point:  " & P.toHex() & "\n" &
                    "scalar: " & scalar.toHex() & "\n" &
                    "expected: " & expected.toHex() & "\n" &
@@ -786,6 +787,8 @@ proc run_EC_mul_endomorphism_impl*(
               endoWNAF.scalarMulEndo_minHammingWeight_windowed_vartime(scalar, window = w)
               doAssert bool(impl == endoWNAF), diagnostic(impl, endoWNAF)
 
+          stdout.write '.'
+
       test(ec, bits = ec.F.C.getCurveOrderBitwidth(), randZ = false, gen = Uniform)
       test(ec, bits = ec.F.C.getCurveOrderBitwidth(), randZ = true, gen = Uniform)
       test(ec, bits = ec.F.C.getCurveOrderBitwidth(), randZ = false, gen = HighHammingWeight)