fix: ec decompress - added r to outputs and inserted warning in docs

succinctlabs · Jan 12, 2024 · 2040524 · 2040524
1 parent 288b298
commit 2040524
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 7 deletions.
diff --git a/curta/src/chip/ec/edwards/ed25519/decompress.rs b/curta/src/chip/ec/edwards/ed25519/decompress.rs
@@ -15,10 +15,17 @@ use crate::math::field::Field;
 use crate::polynomial::Polynomial;
 
 impl<L: AirParameters> AirBuilder<L> {
+    /// Given a compressed point, returns a pair `(p,r)` consisting of the decompressed point `p`
+    /// and the positive suqare root of `x^2`, where `x` is the x-coordinate of `p`. To insure
+    /// soundness, the caller MUST verify that `r` is within the field modulus range, i.e
+    /// `0 <= r < modulus`.
     pub fn ed25519_decompress(
         &mut self,
         compressed_p: &CompressedPointRegister,
-    ) -> AffinePointRegister<EdwardsCurve<Ed25519Parameters>>
+    ) -> (
+        AffinePointRegister<EdwardsCurve<Ed25519Parameters>>,
+        FieldRegister<Ed25519BaseField>,
+    )
     where
         L::Instruction: FromFieldInstruction<Ed25519BaseField> + From<Ed25519FpSqrtInstruction>,
     {
@@ -61,11 +68,13 @@ impl<L: AirParameters> AirBuilder<L> {
         let v = self.fp_add::<Ed25519BaseField>(&one, &dyy);
         let u_div_v = self.fp_div::<Ed25519BaseField>(&u, &v);
 
-        let mut x = self.ed25519_sqrt(&u_div_v);
-        let neg_x = self.fp_sub::<Ed25519BaseField>(&zero, &x);
-        x = self.select(&compressed_p.sign, &neg_x, &x);
+        let r = self.ed25519_sqrt(&u_div_v);
+        let neg_r = self.fp_sub::<Ed25519BaseField>(&zero, &r);
+        let x = self.select(&compressed_p.sign, &neg_r, &r);
 
-        AffinePointRegister::<EdwardsCurve<Ed25519Parameters>>::new(x, compressed_p.y)
+        let point = AffinePointRegister::<EdwardsCurve<Ed25519Parameters>>::new(x, compressed_p.y);
+
+        (point, r)
     }
 }
 
@@ -293,7 +302,7 @@ mod tests {
         let mut builder = AirBuilder::<L>::new();
 
         let compressed_p_reg = builder.alloc_ec_compressed_point();
-        let affine_p_reg = builder.ed25519_decompress(&compressed_p_reg);
+        let (affine_p_reg, _) = builder.ed25519_decompress(&compressed_p_reg);
         let expected_affine_p = builder.alloc_ec_point();
         builder.assert_equal(&expected_affine_p.x, &affine_p_reg.x);
         builder.assert_equal(&expected_affine_p.y, &affine_p_reg.y);

diff --git a/curta/src/chip/ec/edwards/ed25519/sqrt.rs b/curta/src/chip/ec/edwards/ed25519/sqrt.rs
@@ -34,7 +34,11 @@ pub struct Ed25519FpSqrtInstruction {
 }
 
 impl<L: AirParameters> AirBuilder<L> {
-    /// given two field elements `a` and `b`, computes the quotient `a / b = c`.
+    /// given two field elements `a` and `b`, computes a positive square root.
+    ///
+    /// WARNING: While trace generation will give the correct result which is whithin the rangwe of
+    /// the field modulus, there are no constraints checking that and such checks must be done by
+    /// the caller.
     pub fn ed25519_sqrt(
         &mut self,
         a: &FieldRegister<Ed25519BaseField>,