44 | 45 | | Montgomery | y²=x³+505186*x²+x | 46 | |--|--| 47 | | u(P) | 4 | `u` coordinate of the Montgomery Basepoint, X-coordinate | \ 48 | | A | 505186 | | 49 | 50 |
51 | 52 | | Weierstrass | y²=x³+ax+b | 53 | |--|--| 54 | | a | 7237005577332262213973186563042994240857116359379907606001950828033483786813 | | 55 | | b | 445582015604702849664 | | 56 | 57 | | Variable | Value | Explanation | 58 | |--|--|--| 59 | | G | 2²⁵² + 115924404605461509904689566245241897752 | Curve order | 60 | | p | 2²⁵² + 27742317777372353535851937790883648493 | Prime of the field | 61 | | r | 2²⁴⁹ + 15114490550575682688738086195780655237219 | Prime of the Sub-Group |\ 62 | 63 |
64 | 65 | ### Encoding / Decoding tools 66 | In order to work with our points along the curve, or any non trivial computuaions, for example those with tough notations - there has been a set of tools and examples which have been created to make facilitate the Encoding/Decoding processes. These can be found at: `tools/src/main.rs` 67 | 68 | ### Examples 69 | 70 | ```rust 71 | num_from_bytes_le(&[76, 250, 187, 243, 105, 92, 117, 70, 234, 124, 126, 180, 87, 149, 62, 249, 16, 149, 138, 56, 26, 87, 14, 76, 251, 39, 168, 74, 176, 202, 26, 84]); 72 | // Prints: 38041616210253564751207933125345413214423929536328854382158537130491690875468 73 | 74 | let res = to_field_elem_51(&"1201935917638644956968126114584555454358623906841733991436515590915937358637"); 75 | println!("{:?}", res); 76 | // Gives us: [939392471225133, 1174884015108736, 2226020409917912, 1948943783348399, 46747909865470] 77 | 78 | hex_bytes_le("120193591763864495696812611458455545435862390684173399143651559091593735863735685683568356835683"); 79 | // Prints: Encoding result -> [63, 41, b7, c, b, 79, 94, 7b, 21, d2, fe, 7b, c8, 89, c9, 7f, 76, c8, 9b, a3, 58, 18, 39, a, f2, d2, 7c, 17, ed, 7f, 6, c4, 9d, 44, f3, 7c, 85, c2, 67, e] 80 | // Put the 0x by yourseleves and if there's any value alone like `c` padd it with a 0 on the left like: `0x0c` 81 | 82 | from_radix_to_radix_10("1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab", 16u32); 83 | // Prints: 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787 84 | 85 | ``` 86 | 87 | > When performing operations with large values, such as: `2²⁵² - 121160309657751286123858757838224683208`, it is recomended to compute them through `SageMath`, as the user interface adheres to these types of functions. From `SageMath`, they can be converted in a consistent format and easily compiled into Rust. 88 | 89 | ### Roadmap: 90 | 91 | Note: the refactoring relations are expressed as indentations 92 | 93 | 94 | - [x] Build Scalar Arithmetics and Scalar Struct definition. 95 | - [x] Find the proper radix value for FieldElement. 96 | - [x] Add the required constants for computation. 97 | - [x] Implement Addition. 98 | - [x] implement Subtraction. 99 | - [x] Implement Byte-encoding/decoding. 100 | - [x] Implement From for uint native types. 101 | - [x] Implement Ord, PartialOrd, Eq & PartialEq. 102 | - [x] Implement Multiplication on u64-backend with u128 usage. 103 | - [x] Implement Squaring. 104 | - [x] Implement Half for even numbers. 105 | - [x] Implement Modular Negation. 106 | - [x] Implement Montgomery_reduction. 107 | - [x] Define Montgomery_reduction algorithm. 108 | - [x] Create FieldElement Struct and implement the basic operations we need on a u64 backend. 109 | - [x] Find the proper radix value for FieldElement. 110 | - [x] Add basic and needed constants. 111 | - [x] Implement Reduce function to make the FieldElements fit on a 5 u64-bit limbs. 112 | - [x] Implement Addition. 113 | - [x] Implement Subtraction. 114 | - [x] Implement Byte-encoding/decoding. 115 | - [x] Implement From for uint native types. 116 | - [x] Implement Ord, PartialOrd, Eq & PartialEq. 117 | - [x] Implement Multiplication on u64-backend with u128 usage. 118 | - [x] Implement Squaring. 119 | - [x] Implement Half for even numbers 120 | - [x] Implement Modular Negation. 121 | - [x] Implement Montgomery_reduction. 122 | - [x] Define Montgomery_reduction algorithm. 123 | - [x] Implement Modular inversion. 124 | - [x] Research about addition chains inversion methods. 125 | - [x] Add proper tests for every function. 126 | - [x] Implement Edwards Points 127 | - [x] Implement Twisted Edwards Extended Coordiantes. 128 | - [x] Implement Point Addition. 129 | - [x] Implement Point Subtraction. 130 | - [x] Implement Point Doubling. 131 | - [x] Implement Scalar Mul. 132 | - [x] Implement from_bytes conversions. 133 | - [x] Implement to byte conversions. 134 | - [x] Implement compressed Edwards point Y-coordinate. 135 | - [x] Implement Twisted Edwards Projective Coordiates. 136 | - [x] Implement Point Addition. 137 | - [x] Implement Point Subtraction. 138 | - [x] Implement Point Doubling. 139 | - [x] Implement Scalar Mul. 140 | - [x] Implement from_bytes conversions. 141 | - [x] Implement to byte conversions. 142 | - [x] Implement compressed Edwards point Y-coordinate. 143 | - [x] Represent Edwards points as Ristretto points using wrapping type or struct. 144 | - [x] Cargo doc testing and improvement. 145 | - [x] Decide the best use cases of the various Edwards coordinate types (compressed, standard, extended, projective). 146 | - [x] Benchmark different implementations and algorithms. 147 | - [x] Implement Ristretto Mapping. 148 | - [x] Implement 4coset debugging function. 149 | - [x] Build and test torsion points. 150 | - [x] Implement Ecoding & Decoding algorithms. 151 | - [x] Implement Equalty testing. 152 | - [x] Implement Elligator-ristretto-flavour. 153 | - [x] Test all of the algorithms implemented. 154 | -------------------------------------------------------------------------------- /benchmarks/dusk_benchmarks.rs: -------------------------------------------------------------------------------- 1 | #![allow(non_snake_case)] 2 | 3 | #[macro_use] 4 | extern crate criterion; 5 | 6 | use criterion::{criterion_group, criterion_main, Criterion, BenchmarkId}; 7 | 8 | use zerocaf::edwards::*; 9 | use zerocaf::ristretto::*; 10 | use zerocaf::traits::ops::*; 11 | use zerocaf::constants::*; 12 | use zerocaf::field::*; 13 | use zerocaf::scalar::*; 14 | #[allow(unused_imports)] 15 | use zerocaf::traits::Identity; 16 | 17 | use rand::rngs::OsRng; 18 | 19 | mod field_benches { 20 | 21 | use super::*; 22 | use subtle::Choice; 23 | 24 | /// `B = 904625697166532776746648320197686575422163851717637391703244652875051672039` 25 | pub static B: FieldElement = FieldElement([ 26 | 2766226127823335, 27 | 4237835465749098, 28 | 4503599626623787, 29 | 4503599627370493, 30 | 2199023255551, 31 | ]); 32 | 33 | /// `A = 182687704666362864775460604089535377456991567872` 34 | pub static A: FieldElement = FieldElement([0, 0, 0, 2, 0]); 35 | 36 | pub fn bench_field_element_ops(c: &mut Criterion) { 37 | let inp = (A, B); 38 | let inp2 = (A, Choice::from(1u8)); 39 | let pow = 249u64; 40 | 41 | c.bench_with_input( 42 | BenchmarkId::new("Addition", "Fixed FieldElements"), &inp , |b, &inp| { 43 | b.iter(|| inp.1 + inp.0); 44 | } 45 | ); 46 | 47 | c.bench_with_input( 48 | BenchmarkId::new("Subtraction", "Fixed FieldElements"), &inp , |b, &inp| { 49 | b.iter(|| inp.0 - inp.1); 50 | } 51 | ); 52 | 53 | c.bench_with_input( 54 | BenchmarkId::new("Multiplication", "Fixed FieldElements"), &inp , |b, &inp| { 55 | b.iter(|| inp.0 * inp.1); 56 | } 57 | ); 58 | 59 | c.bench_with_input( 60 | BenchmarkId::new("Division", "Fixed FieldElements"), &inp , |b, &inp| { 61 | b.iter(|| inp.0/inp.1); 62 | } 63 | ); 64 | 65 | c.bench_with_input( 66 | BenchmarkId::new("Square", "Fixed FieldElements"), &inp , |b, &inp| { 67 | b.iter(|| inp.1.square()); 68 | } 69 | ); 70 | 71 | c.bench_with_input( 72 | BenchmarkId::new("Half", "Fixed FieldElements"), &inp , |b, &inp| { 73 | b.iter(|| inp.0.half()); 74 | } 75 | ); 76 | 77 | c.bench_with_input( 78 | BenchmarkId::new("Two pow K", "Fixed constant"), &pow , |b, &pow| { 79 | b.iter(|| FieldElement::two_pow_k(pow)) 80 | } 81 | ); 82 | 83 | c.bench_with_input( 84 | BenchmarkId::new("Power", "Fixed FieldElements"), &inp , |b, &inp| { 85 | b.iter(|| inp.0.pow(&inp.1)); 86 | } 87 | ); 88 | 89 | c.bench_with_input( 90 | BenchmarkId::new("Legendre Symbol", "Fixed FieldElement"), &inp , |b, &inp| { 91 | b.iter(|| inp.0.legendre_symbol()); 92 | } 93 | ); 94 | 95 | c.bench_with_input( 96 | BenchmarkId::new("Modular Sqrt", "Fixed FieldElements"), &inp2 , |b, &inp| { 97 | b.iter(|| inp2.0.mod_sqrt(inp2.1)); 98 | } 99 | ); 100 | 101 | c.bench_with_input( 102 | BenchmarkId::new("Modular inverse", "Fixed FieldElements"), &inp , |b, &inp| { 103 | b.iter(|| inp.0.inverse()); 104 | } 105 | ); 106 | 107 | c.bench_with_input( 108 | BenchmarkId::new("Sqrt ratio i", "Fixed FieldElements"), &inp , |b, &inp| { 109 | b.iter(|| inp.0.sqrt_ratio_i(&inp.1)); 110 | } 111 | ); 112 | 113 | c.bench_with_input( 114 | BenchmarkId::new("Inverse sqrt", "Fixed FieldElements"), &inp , |b, &inp| { 115 | b.iter(|| inp.0.inv_sqrt()); 116 | } 117 | ); 118 | 119 | c.bench_function("Random FieldElement generation", |b| b.iter(|| FieldElement::random(&mut OsRng))); 120 | } 121 | } 122 | 123 | mod scalar_benches { 124 | use super::*; 125 | use zerocaf::scalar::Scalar; 126 | 127 | /// `C = 182687704666362864775460604089535377456991567872`. 128 | pub static C: Scalar = Scalar([0, 0, 0, 2, 0]); 129 | 130 | /// `D = 904625697166532776746648320197686575422163851717637391703244652875051672039` 131 | pub static D: Scalar = Scalar([ 132 | 2766226127823335, 133 | 4237835465749098, 134 | 4503599626623787, 135 | 4503599627370493, 136 | 2199023255551, 137 | ]); 138 | 139 | pub fn bench_scalar_element_ops(c: &mut Criterion) { 140 | let inp = (C, D, 4u8); 141 | let pow = 215u64; 142 | 143 | c.bench_with_input( 144 | BenchmarkId::new("Addition", "Fixed Scalars"), &inp , |b, &inp| { 145 | b.iter(|| inp.0 + inp.1); 146 | } 147 | ); 148 | 149 | c.bench_with_input( 150 | BenchmarkId::new("Subtraction", "Fixed Scalars"), &inp , |b, &inp| { 151 | b.iter(|| inp.0 - inp.1); 152 | } 153 | ); 154 | 155 | c.bench_with_input( 156 | BenchmarkId::new("Mul", "Fixed Scalars"), &inp , |b, &inp| { 157 | b.iter(|| inp.0 * inp.1); 158 | } 159 | ); 160 | 161 | c.bench_with_input( 162 | BenchmarkId::new("Squaring", "Fixed Scalars"), &inp , |b, &inp| { 163 | b.iter(|| inp.1.square()); 164 | } 165 | ); 166 | 167 | c.bench_with_input( 168 | BenchmarkId::new("Half", "Fixed Scalars"), &inp , |b, &inp| { 169 | b.iter(|| inp.0.half()); 170 | } 171 | ); 172 | 173 | c.bench_with_input( 174 | BenchmarkId::new("Two pow K", "Fixed Scalar"), &pow , |b, &pow| { 175 | b.iter(|| Scalar::two_pow_k(pow)); 176 | } 177 | ); 178 | 179 | c.bench_with_input( 180 | BenchmarkId::new("Power", "Fixed Scalars"), &inp , |b, &inp| { 181 | b.iter(|| inp.0.pow(&inp.1)); 182 | } 183 | ); 184 | 185 | c.bench_with_input( 186 | BenchmarkId::new("Into-bits conversion", "Fixed Scalar"), &inp , |b, &inp| { 187 | b.iter(|| inp.1.into_bits()); 188 | } 189 | ); 190 | 191 | c.bench_with_input( 192 | BenchmarkId::new("Shr", "Fixed Scalar"), &inp , |b, &inp| { 193 | b.iter(|| inp.1 >> 135); 194 | } 195 | ); 196 | 197 | c.bench_with_input( 198 | BenchmarkId::new("Scalar mod 4", "Fixed Scalar"), &inp , |b, &inp| { 199 | b.iter(|| inp.1.mod_2_pow_k(inp.2)); 200 | } 201 | ); 202 | 203 | c.bench_with_input( 204 | BenchmarkId::new("Compute NAF", "Fixed Scalar"), &inp , |b, &inp| { 205 | b.iter(|| inp.1.compute_NAF()); 206 | } 207 | ); 208 | 209 | c.bench_with_input( 210 | BenchmarkId::new("Compute windowed-NAF", "Fixed Scalar"), &inp , |b, &inp| { 211 | b.iter(|| inp.1.compute_window_NAF(inp.2)); 212 | } 213 | ); 214 | 215 | c.bench_function("Random Scalar generation", |b| b.iter(|| Scalar::random(&mut OsRng))); 216 | } 217 | } 218 | 219 | mod edwards_benches { 220 | 221 | use super::*; 222 | use subtle::Choice; 223 | 224 | pub static P1_EXTENDED: EdwardsPoint = EdwardsPoint { 225 | X: FieldElement([13, 0, 0, 0, 0]), 226 | Y: FieldElement([ 227 | 606320128494542, 228 | 1597163540666577, 229 | 1835599237877421, 230 | 1667478411389512, 231 | 3232679738299, 232 | ]), 233 | Z: FieldElement([1, 0, 0, 0, 0]), 234 | T: FieldElement([ 235 | 2034732376387996, 236 | 3922598123714460, 237 | 1344791952818393, 238 | 3662820838581677, 239 | 6840464509059, 240 | ]), 241 | }; 242 | 243 | pub static P2_EXTENDED: EdwardsPoint = EdwardsPoint { 244 | X: FieldElement([67, 0, 0, 0, 0]), 245 | Y: FieldElement([ 246 | 2369245568431362, 247 | 2665603790611352, 248 | 3317390952748653, 249 | 1908583331312524, 250 | 8011773354506, 251 | ]), 252 | Z: FieldElement([1, 0, 0, 0, 0]), 253 | T: FieldElement([ 254 | 3474019263728064, 255 | 2548729061993416, 256 | 1588812051971430, 257 | 1774293631565269, 258 | 9023233419450, 259 | ]), 260 | }; 261 | 262 | pub static P1_PROJECTIVE: ProjectivePoint = ProjectivePoint { 263 | X: FieldElement([13, 0, 0, 0, 0]), 264 | Y: FieldElement([ 265 | 606320128494542, 266 | 1597163540666577, 267 | 1835599237877421, 268 | 1667478411389512, 269 | 3232679738299, 270 | ]), 271 | Z: FieldElement([1, 0, 0, 0, 0]), 272 | }; 273 | 274 | pub static P2_PROJECTIVE: ProjectivePoint = ProjectivePoint { 275 | X: FieldElement([67, 0, 0, 0, 0]), 276 | Y: FieldElement([ 277 | 2369245568431362, 278 | 2665603790611352, 279 | 3317390952748653, 280 | 1908583331312524, 281 | 8011773354506, 282 | ]), 283 | Z: FieldElement([1, 0, 0, 0, 0]), 284 | }; 285 | 286 | /// `D = 904625697166532776746648320197686575422163851717637391703244652875051672039` 287 | pub static D: Scalar = Scalar([ 288 | 2766226127823335, 289 | 4237835465749098, 290 | 4503599626623787, 291 | 4503599627370493, 292 | 2199023255551, 293 | ]); 294 | 295 | /// `P1_EXTENDED on `CompressedEdwardsY` format. 296 | pub(self) static P1_COMPRESSED: CompressedEdwardsY = CompressedEdwardsY([ 297 | 206, 11, 225, 231, 113, 39, 18, 141, 213, 215, 201, 201, 90, 173, 14, 134, 192, 119, 133, 298 | 134, 164, 26, 38, 1, 201, 94, 187, 59, 186, 170, 240, 2, 299 | ]); 300 | 301 | pub fn bench_extended_point_ops(c: &mut Criterion) { 302 | 303 | let extend_inp = (P1_EXTENDED, P2_EXTENDED, D); 304 | let y_gen = (FieldElement([ 305 | 2369245568431362, 306 | 2665603790611352, 307 | 3317390952748653, 308 | 1908583331312524, 309 | 8011773354506, 310 | ]), Choice::from(1u8)); 311 | 312 | c.bench_with_input( 313 | BenchmarkId::new("Extended Coordinates Point Addition", "Fixed Points"), &extend_inp , |b, &extend_inp| { 314 | b.iter(|| extend_inp.0 + extend_inp.1); 315 | } 316 | ); 317 | 318 | c.bench_with_input( 319 | BenchmarkId::new("Extended Coordinates Point Subtraction", "Fixed Points"), &extend_inp , |b, &extend_inp| { 320 | b.iter(|| extend_inp.0 - extend_inp.1); 321 | } 322 | ); 323 | 324 | c.bench_with_input( 325 | BenchmarkId::new("Extended Coordinates Point Doubling", "Fixed Points"), &extend_inp , |b, &extend_inp| { 326 | b.iter(|| extend_inp.0.double()); 327 | } 328 | ); 329 | 330 | c.bench_with_input( 331 | BenchmarkId::new("Extended Coordinates Point Multiplication", "Fixed Points"), &extend_inp , |b, &extend_inp| { 332 | b.iter(|| extend_inp.0 * extend_inp.2); 333 | } 334 | ); 335 | 336 | c.bench_with_input( 337 | BenchmarkId::new("Extended Coordinates Point Generation", "Fixed y-coordinate"), &y_gen , |b, &y_gen| { 338 | b.iter(|| EdwardsPoint::new_from_y_coord(&y_gen.0, y_gen.1)); 339 | } 340 | ); 341 | 342 | c.bench_function("Random EdwardsPoint generation", |b| b.iter(|| EdwardsPoint::new_random_point(&mut OsRng))); 343 | } 344 | 345 | pub fn bench_projective_point_ops(c: &mut Criterion) { 346 | 347 | let proj_inp = (P1_PROJECTIVE, P2_PROJECTIVE, D); 348 | let y_gen = (FieldElement([ 349 | 2369245568431362, 350 | 2665603790611352, 351 | 3317390952748653, 352 | 1908583331312524, 353 | 8011773354506, 354 | ]), Choice::from(1u8)); 355 | 356 | c.bench_with_input( 357 | BenchmarkId::new("Projective Coordinates Point Addition", "Fixed Points"), &proj_inp , |b, &proj_inp| { 358 | b.iter(|| proj_inp.0 + proj_inp.1); 359 | } 360 | ); 361 | 362 | c.bench_with_input( 363 | BenchmarkId::new("Projective Coordinates Point Subtraction", "Fixed Points"), &proj_inp , |b, &proj_inp| { 364 | b.iter(|| proj_inp.0 - proj_inp.1); 365 | } 366 | ); 367 | 368 | c.bench_with_input( 369 | BenchmarkId::new("Projective Coordinates Point Doubling", "Fixed Point"), &proj_inp , |b, &proj_inp| { 370 | b.iter(|| proj_inp.0.double()); 371 | } 372 | ); 373 | 374 | c.bench_with_input( 375 | BenchmarkId::new("Projective Coordinates Point Multiplication", "Fixed Points"), &proj_inp , |b, &proj_inp| { 376 | b.iter(|| proj_inp.0 * proj_inp.2); 377 | } 378 | ); 379 | 380 | c.bench_with_input( 381 | BenchmarkId::new("Projective Coordinates Point Generation", "Fixed y-coordinate"), &y_gen , |b, &y_gen| { 382 | b.iter(|| ProjectivePoint::new_from_y_coord(&y_gen.0, y_gen.1)); 383 | } 384 | ); 385 | 386 | c.bench_function("Random ProjectivePoint generation", |b| b.iter(|| ProjectivePoint::new_random_point(&mut OsRng))); 387 | } 388 | 389 | pub fn bench_point_compression_decompression(c: &mut Criterion) { 390 | let cd_inp = (P1_COMPRESSED, P1_EXTENDED); 391 | 392 | c.bench_with_input( 393 | BenchmarkId::new("Point Compression", "Fixed Extended Point"), &cd_inp , |b, &cd_inp| { 394 | b.iter(|| cd_inp.1.compress()); 395 | } 396 | ); 397 | 398 | c.bench_with_input( 399 | BenchmarkId::new("Point Decompression", "Fixed Compressed-Point"), &cd_inp , |b, &cd_inp| { 400 | b.iter(|| cd_inp.0.decompress().unwrap()); 401 | } 402 | ); 403 | } 404 | } 405 | 406 | mod ristretto_benches { 407 | use super::*; 408 | 409 | /// `D = 904625697166532776746648320197686575422163851717637391703244652875051672039` 410 | pub static D: Scalar = Scalar([ 411 | 2766226127823335, 412 | 4237835465749098, 413 | 4503599626623787, 414 | 4503599627370493, 415 | 2199023255551, 416 | ]); 417 | 418 | pub fn bench_ristretto_point_ops(c: &mut Criterion) { 419 | 420 | let proj_inp = (RISTRETTO_BASEPOINT, D); 421 | 422 | c.bench_with_input( 423 | BenchmarkId::new("Ristretto Random Point Addition", "Fixed Points"), &proj_inp , |b, &proj_inp| { 424 | b.iter(|| proj_inp.0 + proj_inp.0); 425 | } 426 | ); 427 | 428 | c.bench_with_input( 429 | BenchmarkId::new("Ristretto Random Point Subtraction", "Fixed Points"), &proj_inp , |b, &proj_inp| { 430 | b.iter(|| proj_inp.0 + -proj_inp.0); 431 | } 432 | ); 433 | 434 | c.bench_with_input( 435 | BenchmarkId::new("Ristretto Random Point Doubling", "Fixed Point"), &proj_inp , |b, &proj_inp| { 436 | b.iter(|| proj_inp.0.double()); 437 | } 438 | ); 439 | 440 | c.bench_with_input( 441 | BenchmarkId::new("Ristretto Random Point Multiplication", "Fixed Points"), &proj_inp , |b, &proj_inp| { 442 | b.iter(|| proj_inp.0 * proj_inp.1); 443 | } 444 | ); 445 | 446 | c.bench_function("Ristretto random Point generation", |b| b.iter(|| RistrettoPoint::new_random_point(&mut OsRng))); 447 | } 448 | 449 | pub fn bench_ristretto_protocol_impl(c: &mut Criterion) { 450 | 451 | let inputs = (RISTRETTO_BASEPOINT, 452 | FieldElement([ 453 | 2369245568431362, 454 | 2665603790611352, 455 | 3317390952748653, 456 | 1908583331312524, 457 | 8011773354506, 458 | ]), 459 | RISTRETTO_BASEPOINT_COMPRESSED); 460 | 461 | c.bench_with_input( 462 | BenchmarkId::new("Ristretto Encoding", "Ristretto Basepoint"), &inputs , |b, &inputs| { 463 | b.iter(|| inputs.0.compress()); 464 | } 465 | ); 466 | 467 | c.bench_with_input( 468 | BenchmarkId::new("Ristretto Decoding", "Ristretto Basepoint"), &inputs , |b, &inputs| { 469 | b.iter(|| inputs.2.decompress().unwrap()); 470 | } 471 | ); 472 | 473 | c.bench_with_input( 474 | BenchmarkId::new("Ristretto Elligator", "Fixed FieldElement"), &inputs , |b, &inputs| { 475 | b.iter(|| RistrettoPoint::elligator_ristretto_flavor(&inputs.1)); 476 | } 477 | ); 478 | 479 | c.bench_with_input( 480 | BenchmarkId::new("Ristretto Equalty", "Ristretto Basepoint"), &inputs , |b, &inputs| { 481 | b.iter(|| inputs.0 == inputs.0); 482 | } 483 | ); 484 | } 485 | } 486 | 487 | mod comparaisons { 488 | use super::*; 489 | use rand::rngs::OsRng; 490 | use zerocaf::constants::RISTRETTO_BASEPOINT; 491 | 492 | static P1_EXTENDED: RistrettoPoint = RistrettoPoint( EdwardsPoint { 493 | X: FieldElement([13, 0, 0, 0, 0]), 494 | Y: FieldElement([ 495 | 606320128494542, 496 | 1597163540666577, 497 | 1835599237877421, 498 | 1667478411389512, 499 | 3232679738299, 500 | ]), 501 | Z: FieldElement([1, 0, 0, 0, 0]), 502 | T: FieldElement([ 503 | 2034732376387996, 504 | 3922598123714460, 505 | 1344791952818393, 506 | 3662820838581677, 507 | 6840464509059, 508 | ]), 509 | }); 510 | 511 | /// `D = 904625697166532776746648320197686575422163851717637391703244652875051672038` 512 | pub static D: Scalar = Scalar([ 513 | 2766226127823334, 514 | 4237835465749098, 515 | 4503599626623787, 516 | 4503599627370493, 517 | 2199023255551, 518 | ]); 519 | 520 | pub fn bench_point_ops_impl(c: &mut Criterion) { 521 | let i = P1_EXTENDED; 522 | let mul = (RISTRETTO_BASEPOINT, D); 523 | 524 | let mut group = c.benchmark_group("Half"); 525 | 526 | group.bench_with_input(BenchmarkId::new("Fast Even Half", "Fixed even FieldElement"), &i, 527 | |b, &i| b.iter(|| i.0.T.old_half())); 528 | group.bench_with_input(BenchmarkId::new("Constant usage impl", "Fixed even FieldElement"), &i, 529 | |b, &i| b.iter(|| i.0.T.half())); 530 | 531 | group.finish(); 532 | 533 | 534 | // Equalty 535 | let mut group = c.benchmark_group("Equalty"); 536 | 537 | group.bench_with_input(BenchmarkId::new("Compressing", "Fixed Point"), &i, 538 | |b, &i| b.iter(|| i.compress() == i.compress())); 539 | group.bench_with_input(BenchmarkId::new("To Affine", "Fixed Point"), &i, 540 | |b, &i| b.iter(|| i == i)); 541 | 542 | group.finish(); 543 | 544 | // Point Mul 545 | let mut group = c.benchmark_group("Point Multiplication"); 546 | 547 | group.bench_with_input(BenchmarkId::new("Double And Add", "Fixed inputs"), &mul, 548 | |b, &mul| b.iter(|| double_and_add(&mul.0, &mul.1))); 549 | group.bench_with_input(BenchmarkId::new("Left to right binary method", "Fixed inputs"), &mul, 550 | |b, &mul| b.iter(|| ltr_bin_mul(&mul.0, &mul.1))); 551 | group.bench_with_input(BenchmarkId::new("NAF binary", "Fixed inputs"), &mul, 552 | |b, &mul| b.iter(|| binary_naf_mul(&mul.0, &mul.1))); 553 | group.bench_with_input(BenchmarkId::new("Window w-NAF binary", "Fixed inputs"), &mul, 554 | |b, &mul| b.iter(|| window_naf_mul(&mul.1, 5u8))); 555 | 556 | group.finish(); 557 | } 558 | 559 | // Helpers for benchmarking the whole ECDH process // 560 | 561 | // Left to right shift method. 562 | fn generate_kp_ltrs() -> (Scalar, RistrettoPoint) { 563 | let sk = Scalar::random(&mut OsRng); 564 | let pk = ltr_bin_mul(&RISTRETTO_BASEPOINT, &sk); 565 | 566 | (sk, pk) 567 | } 568 | 569 | fn ecdh_ltrs() -> () { 570 | let alice_kp = generate_kp_ltrs(); 571 | let bob_kp = generate_kp_ltrs(); 572 | 573 | let alice_computes_S = ltr_bin_mul(&bob_kp.1, &alice_kp.0); 574 | let bob_computes_S = ltr_bin_mul(&alice_kp.1, &bob_kp.0); 575 | } 576 | 577 | // Binary NAF 578 | fn generate_kp_binary_naf() -> (Scalar, RistrettoPoint) { 579 | let sk = Scalar::random(&mut OsRng); 580 | let pk = binary_naf_mul(&RISTRETTO_BASEPOINT, &sk); 581 | 582 | (sk, pk) 583 | } 584 | 585 | fn ecdh_binary_naf() -> () { 586 | let alice_kp = generate_kp_binary_naf(); 587 | let bob_kp = generate_kp_binary_naf(); 588 | 589 | let alice_computes_S = binary_naf_mul(&bob_kp.1, &alice_kp.0); 590 | let bob_computes_S = binary_naf_mul(&alice_kp.1, &bob_kp.0); 591 | } 592 | 593 | // Double and Add 594 | fn generate_kp_double_add() -> (Scalar, RistrettoPoint) { 595 | let sk = Scalar::random(&mut OsRng); 596 | let pk = double_and_add(&RISTRETTO_BASEPOINT, &sk); 597 | 598 | (sk, pk) 599 | } 600 | 601 | fn ecdh_double_add() -> () { 602 | let alice_kp = generate_kp_double_add(); 603 | let bob_kp = generate_kp_double_add(); 604 | 605 | let alice_computes_S = double_and_add(&bob_kp.1, &alice_kp.0); 606 | let bob_computes_S = double_and_add(&alice_kp.1, &bob_kp.0); 607 | } 608 | 609 | 610 | 611 | /// ECDH bench function. 612 | pub fn bench_ecdh(c: &mut Criterion) { 613 | let mut group = c.benchmark_group("ECDH"); 614 | 615 | group.bench_function("Double and Add", |b| b.iter(|| ecdh_double_add())); 616 | group.bench_function("Left to right binary method", |b| b.iter(|| ecdh_ltrs())); 617 | group.bench_function("Binary NAF method", |b| b.iter(|| ecdh_binary_naf())); 618 | 619 | group.finish(); 620 | } 621 | 622 | } 623 | 624 | criterion_group!( 625 | benchmarks, 626 | comparaisons::bench_point_ops_impl, 627 | comparaisons::bench_ecdh, 628 | field_benches::bench_field_element_ops, 629 | scalar_benches::bench_scalar_element_ops, 630 | edwards_benches::bench_extended_point_ops, 631 | edwards_benches::bench_projective_point_ops, 632 | edwards_benches::bench_point_compression_decompression, 633 | ristretto_benches::bench_ristretto_point_ops, 634 | ristretto_benches::bench_ristretto_protocol_impl, 635 | ); 636 | criterion_main!( 637 | benchmarks, 638 | ); 639 | -------------------------------------------------------------------------------- /docs/Safe Curve criteria: -------------------------------------------------------------------------------- 1 | ### Documentation of save curve criteria for Sonny 2 | 3 | Safe Curve criteria checklist: 4 | 5 | - [x] The curve must be defined over a prime field F_p 6 | - [x] The conditions on the curve constants for the relevant curve shape must be met 7 | - [x] The cost of a rho attack must be > 2^100 8 | - [x] Let l be the large prime factor of the group order. l must be relatively prime to p, and the embedding degree must be at least (l-1)/100 9 | - [x] The CM discriminant must be > 2^100 10 | - [x] There must be an explanation of how the curve constants were derived 11 | - [x] The curve must admit a Montgomery ladder; this effectively restricts the shape to Montgomery or [twisted] Edwards 12 | - [ ] The security against "combined attacks" on the twist, which is the a generalisation of rho security, must be > 2^100 13 | - [x] The curve must admit a simple complete addition law; this further restricts which Montgomery and Edwards curves are admitted 14 | - [x] The Elligator 2 algorithm for hashing to the curve must work 15 | - [x] There is proven birationality between the Edwards and Montgomery forms of the curve 16 | 17 | The factors to document against can be found at https://safecurves.cr.yp.to/ 18 | 19 | 20 | -------------------------------------------------------------------------------- /docs/lit.bib: -------------------------------------------------------------------------------- 1 | @misc{bulletproofs, 2 | author = {Benedikt Bünz and Jonathan Bootle and Dan Boneh and Andrew Poelstra and Pieter Wuille and Greg Maxwell}, 3 | title = {Bulletproofs: Short Proofs for Confidential Transactions and More}, 4 | howpublished = {Cryptology ePrint Archive, Report 2017/1066}, 5 | year = {2017}, 6 | note = {\url{https://eprint.iacr.org/2017/1066}}, 7 | } 8 | 9 | @InProceedings{stoc85, 10 | author={Shafi Goldwasser and Silvio Micali and Charles Rackoff}, 11 | title={The knowledge complexity of interactive 12 | proof-systems (extended abstract)}, 13 | booktitle={STOC '85: Proceedings of the seventeenth annual ACM symposium on Theory of computing}, 14 | year=1985, 15 | pages={291--304}, 16 | } 17 | 18 | @InProceedings{pedersen, 19 | author="Pedersen, Torben Pryds", 20 | editor="Feigenbaum, Joan", 21 | title="Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing", 22 | booktitle="Advances in Cryptology --- CRYPTO '91", 23 | series="Lecture Notes in Computer Science", 24 | volume = "576", 25 | year="1992", 26 | publisher="Springer Berlin Heidelberg", 27 | address="Berlin, Heidelberg", 28 | pages="129--140", 29 | } 30 | 31 | @misc{ristretto, 32 | title = {The ristretto255 Group}, 33 | author = {Henry de~Valence and Jack Grigg and George Tankersley and Filippo Valsorda and Isis Lovecruft}, 34 | series = {Crypto Forum Research Group. IETF Internet-Draft.}, 35 | year = {January, 2019}, 36 | note = {\url{https://tools.ietf.org/pdf/draft-hdevalence-cfrg-ristretto-00.pdf}}, 37 | } 38 | 39 | 40 | @misc{eddsa, 41 | title = {Edwards-Curve {D}igital {S}ignature {A}lgorithm {(EdDSA)}}, 42 | author = {Simon Josefsson and Ilari Liusvaara}, 43 | series = {Request for Comments}, 44 | number = 8032, 45 | year = {January, 2017}, 46 | note = {\url{https://tools.ietf.org/html/8032}}, 47 | } 48 | 49 | @misc{decaf, 50 | author = {Mike Hamburg}, 51 | title = {Decaf: Eliminating cofactors through point compression}, 52 | howpublished = {Cryptology ePrint Archive, Report 2015/673}, 53 | year = {2015}, 54 | note = {\url{https://eprint.iacr.org/2015/673}}, 55 | } 56 | 57 | @misc{hao, 58 | author = {Feng Hao}, 59 | title = {On Small Subgroup Non-confinement Attack}, 60 | howpublished = {Cryptology ePrint Archive, Report 2010/149}, 61 | year = {2010}, 62 | note = {\url{https://eprint.iacr.org/2010/149}}, 63 | } 64 | 65 | 66 | @InProceedings{dijkgraaf, 67 | author="Dijkgraaf, Robbert", 68 | editor="Dijkgraaf, Robbert H. 69 | and Faber, Carel F. 70 | and van der Geer, Gerard B. M.", 71 | title="Mirror Symmetry and Elliptic Curves", 72 | booktitle="The Moduli Space of Curves", 73 | year="1995", 74 | publisher="Birkh{\"a}user Boston", 75 | address="Boston, MA", 76 | pages="149--163", 77 | } 78 | 79 | 80 | @InProceedings{bit-shifting, 81 | author="B. Ravi Kumar, P.R.K.Murti", 82 | title="Data Encryption and Decryption process Using Bit Shifting and Stuffing BSS Methodology", 83 | booktitle="International Journal on Computer Science and Engineering (IJCSE)", 84 | year="2011", 85 | volume = "3", 86 | number = "7", 87 | pages="2818--2827", 88 | } 89 | 90 | @unpublished {safe-curves, 91 | AUTHOR = {Daniel J. Bernstein and Tanja Lange}, 92 | TITLE = {SafeCurves: choosing safe curves for elliptic-curve cryptography}, 93 | NOTE = {\url{https://safecurves.cr.yp.to}}, 94 | YEAR = {Accessed February 25, 2019}, 95 | } 96 | 97 | @unpublished {github:daira:safe, 98 | AUTHOR = {Daira Hopwood}, 99 | TITLE = {Supporting evidence for security of the Jubjub curve to be used in Zcash 100 | }, 101 | NOTE = {\url{https://github.com/daira/jubjub/blob/master/verify.sage}}, 102 | YEAR = {November 2, 2017}, 103 | } 104 | 105 | @book {seroussi, 106 | AUTHOR = {Ian Blake and Gadiel Seroussi and Nigel Smart}, 107 | TITLE = {Elliptic Curves in Cryptography}, 108 | PUBLISHER = {Cambridge University Press}, 109 | SERIES = {London Mathematical Society Lecture Note Series}, 110 | VOLUME = {256}, 111 | ADDRESS = {Cambridge}, 112 | YEAR = {1999}, 113 | } 114 | 115 | @article{montgomery, 116 | author = {L. Montgomery, Peter}, 117 | year = {1987}, 118 | month = {01}, 119 | pages = {243-243}, 120 | title = {Montgomery, P.L.: Speeding the Pollard and Elliptic Curve Methods of Factorization}, 121 | volume = {48}, 122 | journal = {Mathematics of Computation - Math. Comput.}, 123 | doi = {10.1090/S0025-5718-1987-0866113-7} 124 | } 125 | 126 | @misc{indist, 127 | author = {Daniel J. Bernstein and Mike Hamburg and Anna Krasnova and Tanja Lange}, 128 | title = {Elligator: Elliptic-curve points indistinguishable from uniform random strings}, 129 | howpublished = {Cryptology ePrint Archive, Report 2013/325}, 130 | year = {2013}, 131 | note = {\url{https://eprint.iacr.org/2013/325}}, 132 | } 133 | 134 | @misc{teds, 135 | author = {Daniel J. Bernstein and Peter Birkner and Marc Joye and Tanja Lange and Christiane Peters}, 136 | title = {Twisted Edwards Curves}, 137 | howpublished = {Cryptology ePrint Archive, Report 2008/013}, 138 | year = {2008}, 139 | note = {\url{https://eprint.iacr.org/2008/013}}, 140 | } 141 | 142 | @misc{scaling, 143 | author = {Huseyin Hisil and Kenneth Koon-Ho Wong and Gary Carter and Ed Dawson}, 144 | title = {Twisted Edwards Curves Revisited}, 145 | howpublished = {Cryptology ePrint Archive, Report 2008/522}, 146 | year = {2008}, 147 | note = {\url{https://eprint.iacr.org/2008/522}}, 148 | } 149 | 150 | @misc{generation, 151 | series = {Request for Comments}, 152 | number = 7748, 153 | howpublished = {RFC 7748}, 154 | publisher = {RFC Editor}, 155 | doi = {10.17487/RFC7748}, 156 | note = {\url{https://rfc-editor.org/rfc/rfc7748.txt}}, 157 | author = {Adam Langley and Mike Hamburg and Sean Turner}, 158 | title = {{Elliptic Curves for Security}}, 159 | pagetotal = 22, 160 | year = {January, 2016}, 161 | } 162 | 163 | @unpublished {github:zkcrypto:derive, 164 | AUTHOR = {Sean Bowe}, 165 | TITLE = {Derivation of Jubjub elliptic curve}, 166 | NOTE = {\url{https://github.com/zkcrypto/jubjub/blob/master/doc/derive/derive.sage}}, 167 | YEAR = {May 10, 2019}, 168 | } 169 | -------------------------------------------------------------------------------- /docs/main.tex: -------------------------------------------------------------------------------- 1 | \documentclass{article} 2 | 3 | \usepackage[colorlinks=true, urlcolor=black, linkcolor=black, citecolor=black]{hyperref} 4 | 5 | \usepackage[english]{babel} 6 | \usepackage[utf8]{inputenc} 7 | \usepackage{amsmath, amsthm, amssymb, mathtools} 8 | \usepackage{enumerate, enumitem} 9 | \usepackage{graphicx, color, xcolor} 10 | \usepackage{epsfig, wrapfig, caption} 11 | 12 | \graphicspath{ {images/} } 13 | \newcommand{\N}{\ensuremath{\mathbb{N}}} 14 | \newcommand{\Np}{\ensuremath{\mathbb{N}^{+}}} 15 | \newcommand{\Z}{\ensuremath{\mathbb{Z}}} 16 | \newcommand{\Q}{\ensuremath{\mathbb{Q}}} 17 | \newcommand{\R}{\ensuremath{\mathbb{R}}} 18 | \newcommand{\C}{\ensuremath{\mathbb{C}}} 19 | \newcommand{\F}{\ensuremath{\mathbb{F}}} 20 | \newcommand{\Fp}{\ensuremath{\mathbb{F}_p}} 21 | \newcommand{\Fq}{\ensuremath{\mathbb{F}_q}} 22 | \newcommand{\Fr}{\ensuremath{\mathbb{F}_r}} 23 | \newcommand{\Fl}{\ensuremath{\mathbb{F}_l}} 24 | \newcommand{\G}{\ensuremath{\mathbb{G}}} 25 | \newcommand{\point}[1]{P_{#1} = (x_{#1}, y_{#1})} 26 | \newcommand{\noi}{\noindent} 27 | \newcommand{\Prover}{\ensuremath{\mathcal{P }}} 28 | \newcommand{\V}{\ensuremath{\mathcal{V }}} 29 | 30 | \newtheorem{thm}{Theorem}[section] 31 | \newtheorem{lem}[thm]{Lemma} 32 | \newtheorem{prop}[thm]{Proposition} 33 | \newtheorem{cor}[thm]{Corollary} 34 | \newtheorem{grouplaw}[thm]{Group Law} 35 | \newtheorem{prob}[thm]{Problem} 36 | \theoremstyle{definition} 37 | \newtheorem{defn}[thm]{Definition} 38 | \theoremstyle{remark} 39 | \newtheorem{rem}[thm]{Remark} 40 | \newtheorem{exmp}[thm]{Example} 41 | 42 | \begin{document} 43 | 44 | \title{Sonny: A Bulletproof Friendly Elliptic Curve\\ 45 | (Draft)} 46 | \author{ 47 | Carlos Pérez\\ 48 | {\small Dusk Foundation\footnote{https://dusk.network/}}\\ 49 | \texttt{\small carlos@dusk.network} 50 | \and 51 | Luke Pearson\\ 52 | {\small Dusk Foundation}\\ 53 | \texttt{\small luke@dusk.network} 54 | \and 55 | Marta Bell\'es-Mu\~noz\\ 56 | {\small Dusk Foundation}\\ 57 | \texttt{\small marta@dusk.network} 58 | } 59 | 60 | \date{April 2020} 61 | 62 | \maketitle 63 | 64 | \begin{abstract} 65 | 66 | Signature schemes are used to verify signatures and statements. These schemes and their statements oft rely upon Elliptic Curve Cryptography (ECC), which use primitives where the discrete logarithm problems are assumed to be hard. A lot of zero-knowledge proofs use elliptic curves in their construction, to aid in proving a statement. However, zero-knowledge proofs are built from a circuit, which is defined over a different group to a signature scheme. In order to prove a signature in zero knowledge, a scheme cannot utilise the properties of only curve, as the modular operations are asynchronous. To counter this problem, zero knowledge statements and other ECC operations can rely upon a curve, which is embedded within another curve. This work presents a new elliptic curve, named Sonny, which is suitable for performing signature algorithms in zero-knowledge. When constructing elliptic curves, there are many features which must be considered and amongst the all the possible choices, Sonny was designed to operate with high speed and rigid security for both theory and implementations. The curve is a Montgomery Curve, with a birationally equivalent twisted Edwards curve - this allows for the use of high speed curve formulae for operations, performed in and out of arithmetic circuits. In addition to the speed, the curve can make use of complete formulas to increase the security of the curve arithmetic. Twisted Edwards curves have a group of points which have non-prime order and the points instead have a small cofactor, of order 8. The Sonny curve was constructed to be compatible with the Ristretto technique of cofactor compression, which can omit any cofactor related issues.\\ 67 | 68 | {\bf Keywords:} Elliptic curve cryptography, signature verification, blockchain, zero-knowledge proofs, bulletproof, embedded curve, cofactor security. \\ 69 | 70 | \end{abstract} 71 | 72 | \newpage 73 | 74 | \tableofcontents 75 | 76 | \newpage 77 | 78 | \section{Introduction} 79 | 80 | \subsection{Motivation} 81 | 82 | A significant portion of contemporary cryptography is in someway connected to zero knowledge proofs. With the benefit of greater privacy, many new practical systems utilise zero knowledge proofs in their design. Alongside the incorporation of these privacy preserving features into novel techniques and designs, there is also a large effort to port them onto existing systems - including already standardised models. There are many different curves or primitives and thus choices for outlining protocols, the need for ECC in zero knowledge is fundamental to the design of a lot of modern ideas. Many blockchains need to use signature schemes in order to achieve scalability. The underlying ideas is that signature schemes can be used to reduce the size of the signature, or compress multiple signatures into one and ultimately reduce the size of the block - which allows more transactions per block. Notable signature schemes which are interoperable with elliptic curves are the Elliptic Curve Digital Signature Algorithm (ECDSA), which is used in Bitcoin. As well as Edwards-curve Digital Signature Algorithm (EdDSA), which was designed by Bernstein et al. in 2011 to provide high speed signatures that do not forgo any security parameters. EdDSA is a variant of the Schnorr signature algorithm, which was designed by Claus Schnorr to generate short and efficient signatures.\\\\ 83 | 84 | Having statements proved in zero-knowledge is paramount in maintaining a high level of privacy. Unfortunately, conducting proofs about signature schemes, in zero knowledge, is non-trivial; this is because of the fields in which the two different protocols operate. A signature algorithm, such as ECDSA relies upon a finite base field of an elliptic curve, where all of the operations are performed across the integers, made modular for some $prime$ $p$. However, to perform signatures in zero knowledge inexpensively, they need to be done in the scalar field of the group where the proof system operates; this difference in use of finite fields is where we have the mismatch when trying to align the protocols. \\\\ 85 | 86 | In 1985, Koblitz and Miller independently introduced elliptic curves into public key cryptography (PKC), they proved to be an improvement to existing primitves due to their short key sizes which lead to no compromise in security - as a 256 bit elliptic curve public key will provide similar security to a 3072 bit RSA public key. Since the 2004, there has been a surge in the use of elliptic curves for PKG; the choice for elliptic curves has grown tremendously and has lead to an eclectic range of options when selecting or constructing elliptic curves. Being spoilt for choice sadly doesn't mean each option is an all-purpose fit, as elliptic curve models have multitude of features which differ depending on design; often regarded as factors of opportunity cost within ECC. \\\\ 87 | 88 | {\bf A profound solution}. In this work, we present an elliptic curve that is capable of performing ECC operations in zero knowledge, with bulletproofs as the argument. elaborate on how to use embedded curves to to extend the circuit operations to those which exceed the traditional bounds of constraint systems. We have constructed a curve, across the scalar field of curve25519 to extend the rang of EC operations inside bulletproofs, with increased security at minimal overhead.\\\\ 89 | 90 | curves elliptic curve cryptography performed perfo l all of these operations can be performed a with those which rely upon elliptic curves there are a multitude of features which are affected depending on design; often regarded as factors of opportunity cost within Elliptic Curve Cryptography (ECC). However, some contemporary techniques can be used to better facilitate systems that rely so heavily upon these primitives. Since many previous protocols are proven to be secure, it is $often$ far more efficient to add to these standards with compound technologies rather than seeking entire system replacements. \\\\ 91 | 92 | One of the most used in state of the art cryptography is the constructing of Zero Knowledge (ZK) proofs for nearly universal computation. As is with many cryptographic protocols, there is a choice of which proof system is best tailored to a system. Which includes a trade off, between proof sizes, verification times and other factors making up a ZK proof. For particular proof systems, their expression relies upon an elliptic curve and an arithmetic circuit. The elliptic curve here is a function used to encode the public outputs which are represented as field elements, upon which a lot of operations rely. The operations for these proofs systems, however, are expressed in terms of a circuit which is determined by scalar curve arithmetic. This unfortunately restricts the operations which can be performed as they are dependent upon standard arithmetic circuit outputs - addition, multiplication, subtraction and division. Many protocols such as Elliptic Curve Digital Signature Algorithms (ECDSA), which are performed using field encodings, are in operable through the medium of generic ZK proofs which are expressed in terms of a circuit. \\\\ 93 | 94 | {\bf A profound solution}. 95 | In section 3, we elaborate on how to use embedded curves to to extend the circuit operations to those which exceed the traditional bounds of constraint systems. We have constructed a curve, across the scalar field of curve25519 to extend the rang of EC operations inside bulletproofs, with increased security at minimal overhead.\\\\ 96 | As with all elliptic curves, their construction will strongly influence the outcomes of the protocols in which they are implemented. In addition to this, there can be discrepancies in both the security and speed of cryptographic systems dependant upon on how they're implemented. For this reason, we wanted to construct the embedded curve such that we can make use of the the fastest formulas for elliptic curves, which are for Twisted Edwards curves. The Edwards form of a curve is considered complete, as any two inputs, given as x and y, provide a correct result. In conjunction to their complete formulas, Twisted Edwards curves have been proven by Bernstein et al, to be Birationally equivalent to Montgomery curves. Which fit the purpose of the augmented construction, as Montgomery operations in arithmetic circuits were proven by the Z-cash team to provide a fast Montgomery ladder for in circuit multiplication. Whilst these curves models can provide some of the fastest and most simplistic operations, they do provide issues in security. Neither Montgomery, nor Edwards curves deliver prime order groups in their implementations. They provide curves which have a cofactor, $h$, which multiplies the prime of the subgroup to give the group order. Whereas curves like Weierstrass give prime order but their formulas are too inefficient for circuit operations.\\\\ 97 | 98 | For non prime order curve groups, the mismatch in desirability of prime order curves and inability to implement one directly from the curve can be patched with uniquely tailored modifications. However, these fixes oft become perplexing to the non-implementors and with higher level protocols they are seldom straightforward. Using curves which provide prime order groups, such as Weierstrass Curves, have slower formulae and are very difficult to implement in constant time. Plentiful curve families allow for the encoding of different related curves for protocol specific purposes. For example, [] library uses Twisted Edwards forms for out of circuit operations like public key generation to exploit the high speed formula but uses Montgomery form for in circuit operations to benefit from the ladder multiplication. If an ad hoc fix needs to be given to each related curve model, then the implementation can become tedious and very complex.\\\\ 99 | 100 | {\bf A centric solution}. 101 | In section 4, we explain how to use the Ristretto technique, which constructs prime order Edwards curves from non prime order groups, with our embedded curve, to compress the cofactor such that $h$ = 1. Ristretto makes use of the relationship between curves and provides a fix for the cofactor complication for all models in one place.\\\\ 102 | 103 | Alongside the companies which revolve around the idea of privacy at the grassroots of society, such as Z-cash and Monero, the privacy cryptocurrencies, there are many more areas where signature schemes are handling sensitive data which can be easily expoloited. For example, when signing to a website the website privacy. 104 | 105 | \subsection{State of the Art} 106 | 107 | [Work in progress] 108 | 109 | %TODO: Talk about zcash, ethereum, etc. 110 | 111 | \subsection{Our Contributions} 112 | 113 | Here we present an elliptic curve, created for a safe and efficient elliptic curve operations inside discrete log based proofs; called Sonny. Sonny is defined as an embedded curve which the gives the input for the proofs and the outer curve, Curve25519, will be used to implement the proof itself. \\\\ 114 | 115 | This curve is used to prove the outcomes of elliptic curve functions in general knowledge. An elliptic curve statement, such as a signature scheme, allows a for the generation and verification of digital signatures from an EC key pair. However, such statements cannot be made in ZK as they are made with the Elliptic curve operations and not scalar arithmetic. With the Sonny curve, elliptic curve operations can be performed using inside circuits, with bulletproofs as the argument, so that we have ZK proof statements for signatures. \\ 116 | 117 | 118 | \section{Notation and Formulae} 119 | 120 | \subsection{Elliptic Curves} 121 | 122 | \begin{itemize} 123 | 124 | \item Finite field: let \Fp{ }denote a prime finite field with characteristic $\neq {2}\vee{3}$. 125 | 126 | \item Edwards curve: let $\varepsilon_{a,d}$ denote an Edwards curve, given by equation 127 | $$ {a}x^2+y^2=1+{d}x^2y^2, $$ 128 | where {$d$} and {$ad$} are non-square elements of $\Fp$ and with no points at infinity. %TODO: what do you mean with no points at infinity? 129 | In this paper, the primary focus is upon Twisted Edwards curves, where $a = -1$. 130 | The identity point of an Edwards curve, $\varepsilon$, where (X,Y) $\epsilon$ in \Fp, is given encoded to $(0,1)$. When Edwards points are expressed in Extended Twisted coordinates, the identity encoding is given by $(X : Y : Z : T) = (0 : 1 : 1 : 0)$. 131 | 132 | \item Montgomery curve: ${M}_{a,\frac{2-4d}{a}}$ is a Montgomery curve, given by equation 133 | $$y^2=x^3+Ax^2+Bx.$$ 134 | A Montgomery curve is birationally equivalent to an Edwards curve - a definition used for algebraic substitution - where its point at of infinity is the identity point, denoted as $(0 : 1 : 0)$. 135 | 136 | \item Jacobi curve: $\jmath_{a^{2},a-{2d}}$ is a Jacobi curve, given by an equation of the form 137 | $$y^2 = {e}x^4 + 2Ax^2 + 1.$$ 138 | A Jacobi curve, better known as a Jacobi quartic, is central to all curve models and to utilise this curve relationship we will only be using Jacobi curves where $e = {a}^2$, as such curves have a full 2-torsion point. 139 | 140 | \item Torsion points: An element $[P]$ in $G$ is a torsion point if there is a mapping of $M$, by means of multiplication, where $M \cdot\ [P] = 0_{G}$. Torquing elements for a curve form a subgroup, $G[M]$, where the order is divisible by ${M}^2$. The torsion subgroups for this curve family have order 1, 2 or 4. 141 | 142 | \item Isogeny: An isogeny $\varphi$ is a function which maps algebraic groups whilst preserving the group structure. This mapping must satisfy the properties of being surjective and having a finite kernel. The isogeny, in this paper, is used to transport an encoding between different curve models. 143 | 144 | \item Curve forms: $\varepsilon_{a,d}$; ${M}_{a,\frac{2-4d}{a}}$; $\jmath_{a^{2},a-{2d}}$ These curve models are all isogenous to one another. The Edwards, Montgomery and Twisted Edwards are independently 2-isogenous to the Jacobi quartic and are therefore 4-isogenous to one another. 145 | 146 | \item Arithmetic circuits: These are the computational models for computing circuits. They are universally bound to add and multiply, which are the functions performed at each node on all given inputs. 147 | 148 | \item Cofactor compression: This refers a quasi-construction of cofactor 1 curves from cofactor 8 groups. Also known as cofactor division, it involves the process of point compression when points of order 4 or 8 are produced. 149 | 150 | \end{itemize} 151 | 152 | \subsection{Zero-Knowledge Proofs} 153 | 154 | [Work in progress] 155 | 156 | \subsubsection{Bulletproofs} 157 | 158 | [Work in progress] 159 | 160 | \newpage 161 | 162 | \section{Sonny Elliptic Curve} 163 | 164 | %TODO: Explain Ed-255, etc. 165 | 166 | 167 | \subsection{Definition} 168 | \noindent 169 | Let $\Fp$ be the prime finite field with $p$ elements, where 170 | \begin{align*} 171 | p = 2^{252} + 27742317777372353535851937790883648493. 172 | \end{align*} 173 | 174 | \begin{defn}[Sonny] 175 | Let $C$ be the twisted Edwards elliptic curve defined over $\Fp$ 176 | described by equation 177 | $$ -x^2 + y^2 = 1 + \frac{126296}{126297}x^2y^2. $$ 178 | We call {\it Sonny} the curve $E = C(\Fp)$. That is, $E$ is the subgroup of $\Fp$-rational points of $C$. 179 | \end{defn} 180 | % 181 | \subsection{Order} 182 | \noindent Sonny has order 183 | \begin{align*} 184 | n = 2^{252}+115924404605461509904689566245241897752, 185 | \end{align*} 186 | which factors in $h \times r$ where $h=8$ and 187 | \begin{align*} 188 | r = 2^{249}+15114490550575682688738086195780655237219 189 | \end{align*} 190 | is a prime number.\\ 191 | 192 | \subsection{Security Level} 193 | %TODO: Luke? 194 | It is claimed that the security level of the curve is of $N\approx 127$. We show why here. 195 | 196 | 197 | \subsection{Forms} 198 | 199 | \subsubsection{Montgomery} 200 | \begin{itemize} 201 | \item Equation $B y^2 = x^3 + A x^2 + x$ 202 | \item Parameters $A = 505186$, $B = 1$ 203 | \item Generator $G = (x_0, y_0)$ with coordinates 204 | \begin{align*} 205 | x_0 = \\ 206 | y_0 = 207 | \end{align*} 208 | \item Base point $B = (x_1, y_1)$ with coordinates 209 | \begin{align*} 210 | x_1 = \\ 211 | y_1 = 212 | \end{align*} 213 | \end{itemize} 214 | 215 | \subsubsection{Twisted Edwards} 216 | \begin{itemize} 217 | \item Equation $a x^2 + y^2 = 1 + d x^2 y^2$ 218 | \item Parameters $a = -1$, $d= -\frac{126296}{126297}$. %TODO: Change to field rep. 219 | \item Generator $G = (x_0, y_0)$ with coordinates 220 | \begin{align*} 221 | x_0 = \\ 222 | y_0 = 223 | \end{align*} 224 | \item Base point $B = (x_1, y_1)$ with coordinates 225 | \begin{align*} 226 | x_1 = \\ 227 | y_1 = 228 | \end{align*} 229 | \end{itemize} 230 | 231 | \subsubsection{Conversion maps} 232 | The following rational maps convert points of Sonny from one form of the curve to another \cite[Theorem 3.2]{teds}. %TODO: Add reference. 233 | \begin{itemize} 234 | \item Montgomery to Twisted Edwards 235 | \begin{align} 236 | \label{eq-mon-to-ted} 237 | (u, v)&\mapsto \left(\frac{u}{v}, \frac{u-1}{u+1}\right) 238 | \end{align} 239 | \item Twisted Edwards to Montgomery 240 | \begin{align} 241 | \label{eq-ted-to-mon} 242 | (x, y)&\mapsto \left(\frac{1+y}{1-y}, \frac{1+y}{(1-y)x}\right) 243 | \end{align} 244 | \end{itemize} 245 | 246 | \subsection{Curve Generation} 247 | 248 | We start by deterministically generating a Montgomery elliptic curve $E^M$ over $\Fp$ and then setting the generator and base points. Afterwards, we convert the curve and the points to twisted Edwards form using the maps of theorem [REF]. %TODO: Add ref. 249 | We finally rescale all parameters so that the parameter $a = -1$. This last step has the advantage that the arithmetic in the curve can be speeded up \cite{scaling}. %it requires less operations 250 | 251 | Our algorithm takes prime number $p$ and returns a twisted Edwards curve defined over $\Fp$. The specific outputs of the algorithm are: 252 | \begin{itemize} 253 | \item The prime order of the finite field the curve is defined over (which is the input $p$). 254 | \item Parameters $a$ and $d$ of the equation that defines the twisted Edwards curve. 255 | \item Order of the curve and its decomposition into the product of a cofactor and a large prime. 256 | \item Generator and base points. 257 | \end{itemize} 258 | 259 | As the finite field is defined by the input $p$, no specification of this parameter is required. In the same way, the order of the curve and its decomposition is determined once the parameters of the equation describing the curve are fixed. Hence, the only remaining specifications are parameters $a$ and $d$ and the choice of generator and base point. 260 | 261 | \subsubsection{Choice of Montgomery Equation} 262 | 263 | We start by finding a Montgomery curve defined over $\Fp$ where $p$ is the order of Ed255 used to generate and verify Bulletproofs. given prime number. The assumptions and algorithm presented are based on the work of \cite{generation} and Zcash team \cite{github:zkcrypto:derive}. 264 | 265 | The algorithm takes a prime $p$, fixes $B = 1$ and returns the Montgomery elliptic curve defined over $\Fp$ with smallest coefficient $A$ such that $A-2$ is a multiple of 4. 266 | % Choosing curve constants with extremely small sizes or extremely low (or high) hamming weight can be used to eliminate the computational overhead of a field multiplication. 267 | This comes from the fact that this value is used in many operations, so trying to keep it smaller and divisible by four is a reasonable assumption \cite{generation}. As with $A=1$ and $A=2$ the equation does not describe a smooth curve, the algorithm starts with $A=3$. 268 | 269 | For primes congruent to 1 mod 4, the minimal cofactors of the curve and its twist are either $\{4, 8\}$ or $\{8, 4\}$. We choose a curve with the latter cofactors so that any algorithms that take the cofactor into account don't have to worry about checking for points on the twist, because the twist cofactor will be the smaller of the two \cite{generation}. For a prime congruent to 3 mod 4, both the curve and twist cofactors can be 4, and this is minimal. 270 | 271 | \subsubsection{Choice of Generator and Base Points} 272 | 273 | To pick a generator $G_0$ of the curve, we choose the smallest element of $\Fp$ that corresponds to an $x$-coordinate of a point in the curve of order $n$. Then as a base point, we define $G_1 = 8\cdot G_0$, which has order $l$. 274 | 275 | \subsubsection{Transformation to Twisted Edwards} 276 | 277 | Use the birational map of equation (\ref{eq-mon-to-ted}) to get the coefficients, generator and base points in twisted Edwards form. 278 | 279 | \subsubsection{Optimisation of Parameters} 280 | 281 | As pointed out in \cite[Sec. 3.1]{scaling}, if $-a$ is a square in $\Fp$, it is possible to optimise the number of operations in a twisted Edwards curve by scaling it. 282 | 283 | \begin{thm} \label{thm-scale} %[Rescaling of E] 284 | Consider a twisted Edwards curve defined over $\Fp$ given by equation $ax^2+y^2= 1 +dx^2y^2.$ If $-a$ is a square in $\Fp$, then the map $(x, y) \to (x/\sqrt{-a}, y)$ defines the curve $-x^2+y^2= 1 +(-d/a)x^2y^2.$ We denote by $f = \sqrt{-a}$ the scaling factor. 285 | \end{thm} 286 | 287 | \begin{proof} 288 | The result follows directly from the map's definition. 289 | \end{proof} 290 | 291 | \subsection{Security Analysis} 292 | 293 | This section specifies the safety criteria that the elliptic curve should satisfy. The choices of security parameters are based on the joint work of Bernstein and Lange summarised in \cite{safe-curves}. To this purpose, we defined an algorithm that should be run after finding the elliptic curve as proposed in previous section. The algorithm is based on the the code of Daira Hopewood \cite{github:daira:safe}, which is an extension of the original SAGE code \cite{safe-curves} to general twisted Edwards curves. 294 | 295 | \subsubsection{Curve Parameters} 296 | 297 | Check all given parameters describe a well-defined elliptic curve over a prime finite field. 298 | 299 | \begin{itemize} 300 | \item The given number $p$ is prime. 301 | \item The given parameters define an equation that corresponds to an elliptic curve. 302 | \item The product of $h$ and $l$ results into the order of the curve and the point $G_0$ is a generator. 303 | \item The given number $l$ is prime and the point $G_1$ is a generator of $\G$. 304 | \end{itemize} 305 | 306 | \subsubsection{Elliptic Curve Discrete Logarithm Problem} 307 | 308 | Check that the discrete logarithm problem remains difficult in the given curve. For that, we check it is resistant to the following known attacks. %ECDLP attacks. 309 | 310 | \begin{itemize} 311 | \item {\it Rho method} \cite[Sec. V.1]{seroussi}: we require the cost for the rho method, which takes on average around $0.886 \sqrt{l}$ additions, to be above $2^{100}$. 312 | \item {\it Additive and multiplicative %(MOV attacks) 313 | transfers} \cite[Sec. V.2]{seroussi}: we require the embedding degree to be at least $(l-1)/100$. 314 | \item {\it High discriminant} \cite[Sec. IX.3]{seroussi}: we require the complex-multiplication field discriminant $D$ to be larger than $2^{100}$. 315 | % Although it is not clear it is better for security to have large $|D|$, there are speed ups to the rho method for some curves where this value is very small. 316 | \end{itemize} 317 | 318 | \subsubsection{Elliptic Curve Cryptography} 319 | 320 | \begin{itemize} 321 | \item {\it Ladders} \cite{montgomery}: check the curve supports the Montgomery ladder. 322 | \item {\it Twists} \cite[twist]{safe-curves}: check it is secure against the small-subgroup attack, invalid-curve attacks and twisted-attacks. 323 | \item {\it Completeness} \cite[complete]{safe-curves}: check if the curve has complete single-scalar and multiple-scalar formulas. It is enough to check that there is only one point of order 2 and 2 of order 4. 324 | \item {\it Indistinguishability} \cite{indist}: check availability of maps that turn elliptic-curve points indistinguishable from uniform random strings. 325 | \end{itemize} 326 | 327 | \subsection{Cofactor Compression} 328 | 329 | \subsubsection{Isogenies} 330 | 331 | \subsubsection {Curve Mappings} 332 | 333 | \section{ECC for Zero Knowledge Proofs} 334 | 335 | Elliptic Curve arithmetic uses the finite field of integers reduced mod$p$, where $p$ is some usually large prime. The use of finite fields as the extension of elliptic curves allows make certain cryptographic assumptions about the order of the set. The choice of finite fields for elliptic curves, known as base curves, provide a cyclic group which gives precise knowledge to the amount of bits that need to be stored by point outputs. As stated, the base fields dictate the operations for the elliptic curves and thus selection of these fields affects the security, speed and simplicity of the implementation of the curve. Supplementary to standard operations performed mod $p$, there are many protocols can be performed in ECC which are implemented using finite sets but do not make use of the base field. As previously touched on, they rely upon another prime order field, which is the curves scalar field, also known as the prime subgroup. Elliptic curve operations are utilised for an eclectic variety of reasons within cryptography, the predominant reason is the security that couples each of operations - resulting from hard a DLP.\\\\ 336 | 337 | Elliptic curves are capable of generating public/private key pairs, which can be signed with a digital signature scheme to become security keys, and these security keys are rapidly becoming replacements for many password schemes. For example, security keys are used to show attestation certificates for websites, which allows the website to verify that a user is genuine by receiving a copy of a users authenticity. The issue arises when a verified key is registered, as becomes possible for a server to learn the make, model, and batch of the verification for the key. This data can be manipulated by website owners and then used to discriminate which batches and models can be trusted in the future. If these key signatures and EC statements are generated in Zero Knowledge, we can provide the proof of the users signed certificate without providing additional information about the signature; this can mitigate the security risks that are tied to the data sensitivity.\\\\ 338 | 339 | Solving this issue involves using a zero-knowledge proof schemes. For our scheme, we choose bulletproofs. The existing systems like the verification systems are already deployed and because their operations are performed on on the base field, and not a scalar field, they are not directly updateable with a large range of contemporary techniques. This paper and findings focuses on Zero Knowledge proofs as the 'add-on technology' for existing schemes. \\\\ 340 | 341 | Elliptic curves have both a base field, which is the finite field in which they are defined; and a scalar field, which is associated with the number of points on the curve. DL based proofs which use a curve and a circuit rely upon both of the finite fields. The base field here is a function used to encode the public coordinates which are represented as field elements. However, as the operations are performed mod$p$, where $p$ is prime, the outputs are reduced to the prime scalar field. Thus operations which require the base field, cannot be performed inside proof systems which use arithmetic circuits as an expression. As a result the ZK outputs are limited to what circuit operations can be performed by the elliptic curves scalar field. The circuit, in this case, encodes relation between the input and outputs. 342 | 343 | \subsection{Efficient ZK for higher operability} 344 | 345 | To extend the range of ZK elliptic curves operations to those which employ the base field, we have built a curve which has a base field equal to the scalar field of Curve25519. This is defined in the following manner: Let $\varepsilon_{1}$ and $\varepsilon_{2}$ be elliptic curves. Where the prime subgroup order, or scalar field, of $\varepsilon_{1}$ is $r$; we define $\varepsilon_{2}$ over the base field $F_p$, where \#$F_p$ = $r$. 346 | This will allow us to perform fast in circuit operations using $\varepsilon_{2}$ as the embedded curve within the scalar field of $\varepsilon_{1}$.One particular current issue that embedding curves helps to alleviate is the adding to, or updating of, existing software protocols with privacy techniques so that already deployed systems can benefit from high levels of privacy preservation. By constructing this, we are making a quasi representation of one finite field as both a scalar and a base field. We can therefore encode the field based protocols curve over the scalar field of existing systems - and protocols such as key signature verification, can be performed inside a Zero Knowledge proof. We present a means of verifying only the scalar operation, in Zero Knowledge , so that Zero Knowledge proof of statements derived for signature schemes can be proven rather than the signature itself. This is performed by expressing ZK proof of computations as the argument for computational models, such as arithmetic circuits.\\\\ 347 | 348 | In the case of Zerocaf protocol, we have the outer curve operations, using Curve25519, which implement the ZK proof system, where the operations are performed as integers mod the base field. Then there is Sonny, the inner curve, known as the embedded curve which is the curve we make the proofs about. For the case of signature schemes, like Elliptic Curve Digital Signature Algorithm (ECDSA), the operations for the signature generation are made using Sonny then the Zero Knowledge arguments for these outputs are generated using Curve25519. By setting the scalar field of Curve25519 as the base field of Sonny, all the operations are efficient when expressed in terms of a circuit. The validation keys here are effectively turned into discrete log proofs, as the generation of ZK values is performed in one amalgamated protocol, even though it comes from two different curves. \\\\ 349 | 350 | Many software layers require information from the user - just like authentication certificates for websites, where the type of secret keys is known to the website for verification. The information given is often burnt into the hard memory of the website, which can be used by the software owners to discriminate against different keys and brands of keys hence the need to preserve privacy on these existing protocols. 351 | 352 | \subsection{Circuits} 353 | 354 | An circuit is combinational set of operations which are aligned in a set or series for the ultimate purpose of optimising otherwise standardised mathematical process. The operations, better known as the basic arithmetic operations (addition, subtraction, multiplication, and division), are theoretically performed in constant time. This statement is derived from the fact that the required RAM required is roughly equal for all operations. However, when computing these operations for some large integers, it is apparent that the magnitude greatly affects the costs of RAM. Thus giving a discrepancy for computational time between the theoretical arguments and the practical implementation. When the expression of these arithmetic operations is performed in a circuit, it is referred to as an arithmetic circuit. When expressed for computations within computer systems, any arithmetic circuit is constructed from various combinational elements, which are connected by wires. A combinational element is fixed element which performs a specific function from a constant number of inputs and outputs. Circuits are used alongside the elliptic curves to construct discrete log based proof systems; when the circuit is defined over the scalar field. 355 | 356 | \section{Prime Order Groups} 357 | 358 | 'A group of prime order' is always a cyclic group, that has a mapping - which respects the group structure - to the quotient of the group of integers by a subgroup. This subgroup is generated by a prime number. Groups of prime order are often a prerequisite to crytpographic prototcols, as they provide the basis for a hard DLP and thus increased security for implementation. For implementation, we have made efficiency the most paramount factor for curve selection, which led to us choosing a Twisted Edwards curve form. This is because the Edwards forms of the curves provide the fastest known formulas, which can be accredited to extended Twisted Edwards, introduced by Hysil et al, where auxiliary points are used with fewer field inversions. As elliptic curves are Abelian groups, they provide varying order for their respective groups. Edwards curves and their birational Montgomery equivalents, provide 'not quite' prime order groups over finite fields - the absence of prime groups can lead to timing variations when implementing protocols such as the signature schemes Sonny implements. Instead of certain Elliptic curve groups being prime, they have a cofactor $h$, meaning that $h \cdot q$ is the group order, where $h > 1$ and $q$ is a large prime. Having this property where $h > 1$ can lead to many implementation complexities.\\\\ 359 | 360 | There are cofactor relates attacks designed to extract information, in the form of bits, about a users private key. When generating a public key, it is ideally performed using a point operation on a given curve point, where a chosen scalar outputs a new point, modulo the base field. This provides a public key, from which the scalar, known as the private key, cannot be extracted. However, if points on the curve are selected by attackers to have order which divides $h$, then presented as valid curve points, they can be mistakenly used by a user. If an incognizant user generates a public key by inputting a secret scalar to a function which operates with points of order $h$, then the attacker can gain some bits about the input scalar. Whereas within a prime order group, there is no means of generating valid points which have order dividing $h$. The abstraction of having non prime order groups can be solved with specialised modifications towards individual protocols. One notorious method is to multiply points by the cofactor and check the result; if the resulting point is the identity point then it can be discarded. Many of the individual techniques produce continuous and substantial flaws, especially with regards to patchwork comprehension, which occurs when the protocols are being implemented by those who did not design them, i.e. Implementors not knowing at which step to multiply by $h$. 361 | 362 | \subsection{Cofactor Compression} 363 | 364 | There are various advantages and disadvantages to having a cofactor larger than one, therefore a thorough analysis must be performed, so that it is known whether or not cofactor manipulation is needed. For all curves, except for Hessian curves, the cofactor is divisible by 4. To become more useful to a broad spectrum of cryptography, Ristretto is apt for a large number of curves, which have a cofactor of 8 or 4. When the cofactor is greater than 1 multiple operations can be hindered. A quotient group can be constructed to allow for the implementation of prime order groups, thus effectively compressing the cofactor, by applying the Ristretto technique. This technique requires just one additional step to Mike Hamburgs decaf proposal for cofactor-4 curves. The technique works using following four functions:\\\\ 365 | 366 | ${Equality}$ ${testing}$ This function checks the equality of group elements. \\\\ 367 | 368 | ${Encode}$\ The encoding function is applied to an Edwards point and this becomes the internal representation for the new "Ristretto point', meaning the same Edwards point operations are performed on the Ristretto point, and with no overhead cost. The function encodes the elements as byte strings so that that the Ristretto elements can be encoded identically.\\\\ 369 | 370 | ${Decode}$\ This function decodes the byte strings into the internal representations of Ristretto points. There is also a validity check which assesses the canonical representation of points, and only accepts those which are outputs of the encoding function. \\\\ 371 | 372 | ${Curve}$ ${hashing}$\ For many protocols, mapping elements in a group to a curve is done by a hash function, as it provides standardised digests which can be encoded. Ristretto using an Elligator 2, which gives a 1:1 mapping of group elements to the curve. Elliga 373 | 374 | \subsection{Isogenies} 375 | 376 | By using the Ristretto technique, we are able to solve all cofactor related issues in one place and with one step. This is facilitated by its use in the relationship of the curves, and how this lets us transport the cofactor compression for curves, via the isogeny, to another curve in the same family. Which in turn means we work with prime order points in any operations of ECC. Otherwise, the implementation would have to deal with the issue at varying stages which is dependent upon a protocols ultimate design. An isogeny is a function which maps one algebraic group to another, whilst maintaining the structure of the group - which in terms of elliptic curves, means that a curve is allowed curve to take on the values of another and preserve the same point addition method. These functions are non-constant and are used as a tool for effective 'transportation' between curve models. Just as with all concrete mathematical formulae, these functions have a domain and co-domain, which means that given these two, it is possible to compute the function itself. In this document isogenies will be given the generalization as the multiplication by $m$ map, where they have a finite kernel and are restricted to rational mappings. 377 | A deeper understanding of isogenies for elliptic curves has greatly advanced the field of ECC, as it is possible to deduce one mapping from the form of another. Additionally, if these relationships are well understood then they can be applied or integrated into other functions and broaden their domain of propriety to more use cases.\\\\ 378 | 379 | When there exists a non-constant function, $\varphi$, which gives a rational mapping from one group to another denoted as $\varphi$ : $\varepsilon$ $\rightarrow$ $\varepsilon\prime$. This mapping from $\varepsilon$ to $\varepsilon\prime$ has degree $n$. Where there is this separable isogeny, then exists a mapping from $\varepsilon$ to $\varepsilon\prime$, which is known as the dual isogeny, $\hat{\varphi}$, where both functions have degree $n$. The dual isogeny is conveyed as $\hat{\varphi}$ : $\varepsilon\prime$ $\rightarrow$ $\varepsilon$ of degree $n$. The isogeny $\hat{\varphi}$ here is known as the dual of $\varphi$, such that $\hat{\varphi}$ $\circ$ $\varphi$ is the multiplication by $n$, where $n$ = $\hat{\varphi}$ $\circ$ $\varphi$, from $\varepsilon$ to $\varepsilon\prime$. This dual isogeny has certain properties which allow for the two way transportation of functions between curves. These can be exploited to provide abstraction of protocols where it would otherwise be inapplicable. 380 | 381 | \subsubsection {Curve Mappings} 382 | 383 | As curve models $\varepsilon_{a,d}$; ${M}_{a,\frac{2-4d}{a}}$; $\jmath_{a^{2},a-{2d}}$, have different implementation features we can utilise these relationships to achieve the implementation we desire, namely a prime order curve. It is possible to construct prime order curves using the Montgomery and Edwards curve forms by transporting encoding to and from the Jacobi quartic, via isogenies. The functions for cofactor compression would typically be used on the Jacobi quartic form, by means of canonically selecting outputs for curve points. Now this selection process can be applied to the Edwards and Montgomery form by integrating it to the function which maps between them. \\\\ 384 | 385 | \section{Elliptic Curve Operations in Zero Knowledge} 386 | 387 | Elliptic curve operations are utilised for an eclectic variety of reasons within cryptography, the predominant reason is the security that couples each of operations - resulting from hard a DLP. Elliptic curves are capable of generating public/private key pairs, as well as signing with them for accessing websites, and these keys are rapidly becoming replacements for many password schemes. The issue arises when a verified key is registered, as becomes possible for a server to learn the make, model, and batch of the verification for the key. This data can be manipulated by website owners and then used to discriminate which batches and models can be trusted in the future. If we generate these key signatures and EC statements in Zero Knowledge then we can mitigate the security risks that are tied to the data sensitivity. 388 | 389 | Unfortunately, in their raw form, elliptic curve field operations are not compatible with zero knowledge proof systems which 390 | 391 | \section{Implementation} 392 | 393 | There exists a comprehensive and detailed implementation of Sonny Curve in a cryptographic library named Zerocaf. This implementation is done by Dusk Network and can be found here {\url{https://github.com/dusk-network/dusk-zerocaf}}.\\\\ 394 | 395 | The difficulty of breaking cryptographic systems stems solely from the hardness of the mathematical problems on which they are based. However, this proves not to be the case in practical implementations because of side channel attacks, which target the implementation as medium of encoding the cryptography - to circumvent these attacks, the operations are performed in constant time. The use of Edwards curve form results in a uniform implementation which better facilitates these constant time operations. Whereas the efficiency for in circuit operations can greater benefit from the variable time implementations. These operations are applied when there is no secret data to protect. We therefore present an implementation which performs statement proofs in constant time with high security, and verification in variable time and high speed. \\ 396 | 397 | 398 | 399 | 400 | 401 | 402 | \section{Future Work} 403 | 404 | R1CS optimisation for constraints 405 | 406 | Further isogeny use cases 407 | 408 | \section{Conclusions} 409 | 410 | \section{Acknowledgements} 411 | 412 | We would like to give special thanks to Henry de Valence for his personalised help in understanding the Ristretto Protocol and being so responsive for questions regarding the implementation. 413 | %We would also like to show our strong appreciation for Marta Bellés Muñoz for her contributions with the discrete log based theory used in the understanding of this project. 414 | 415 | \newpage 416 | 417 | %\bibliographystyle{unsrt} 418 | \bibliographystyle{alpha} 419 | \bibliography{lit} 420 | 421 | \end{document} 422 | -------------------------------------------------------------------------------- /examples/basic_ops.rs: -------------------------------------------------------------------------------- 1 | #![allow(non_snake_case)] 2 | extern crate rand; 3 | /// The purpose of this implementation is to provide support for one of the most 4 | /// commonly used operations in Elliptic Curve Cryptography (ECC), which is Random Scalar Mul. 5 | /// 6 | /// This is one of the first steps to take on the implementation of algorithms, 7 | /// such as Diffie-Hellman Key Exchange. 8 | /// 9 | /// Let G be a point over Sonny, let k = Scalar random value over the Sonny Sub-group. 10 | /// Let P = G*k; 11 | extern crate zerocaf; 12 | 13 | use zerocaf::edwards::EdwardsPoint; 14 | use zerocaf::field::FieldElement; 15 | use zerocaf::scalar::Scalar; 16 | 17 | use rand::{thread_rng, Rng}; 18 | 19 | fn main() -> () { 20 | // Let G be an `EdwardsPoint` which is a point over the Twisted Edwards Extended Coordinates. 21 | let G: EdwardsPoint = EdwardsPoint { 22 | X: FieldElement([23, 0, 0, 0, 0]), 23 | Y: FieldElement([ 24 | 1664892896009688, 25 | 132583819244870, 26 | 812547420185263, 27 | 637811013879057, 28 | 13284180325998, 29 | ]), 30 | Z: FieldElement([1, 0, 0, 0, 0]), 31 | T: FieldElement([ 32 | 4351986304670635, 33 | 4020128726404030, 34 | 674192131526433, 35 | 1158854437106827, 36 | 6468984742885, 37 | ]), 38 | }; 39 | 40 | let scalar: Scalar = rand_scalar_generation(); 41 | println!("{:?}", scalar); 42 | 43 | // Perform G*k, Point mul uses the `add_and_double` standard algorithm. 44 | let P = &G * &scalar; 45 | println!("{:?}", P); 46 | } 47 | 48 | /// Generate a random `Scalar` defined over the sub-group field 49 | /// modulo: `2^249 - 15145038707218910765482344729778085401` 50 | pub fn rand_scalar_generation() -> Scalar { 51 | // Gen random 32-byte array. 52 | let mut bytes = [0u8; 32]; 53 | 54 | // Fill the bytes varible with random bytes. We can use the 32 bytes to give 55 | // total randomness, but then we will need to be aware because we can also generate 56 | // values greater than `L = 2^252 + 27742317777372353535851937790883648493` and 57 | // the program will panic if we don't catch the error correctly on the 58 | // `from_bytes()` Scalar method call. 59 | thread_rng() 60 | .try_fill(&mut bytes[..31]) 61 | .expect("Error getting the random bytes"); 62 | 63 | Scalar::from_bytes(&bytes) 64 | } 65 | -------------------------------------------------------------------------------- /sage_codes/LFACTOR_comp: -------------------------------------------------------------------------------- 1 | // LFACTOR Computation 2 | 3 | sage: l = 2^249 + 14490550575682688738086195780655237219 4 | sage: l 5 | 904625697166532776746648320380374280118162305775999595296348570842476562531 6 | sage: (-1 / l) % (2^52) 7 | 1331240223835829 8 | 9 | 10 | //The result is the LFACTOR needed on the Montgomery Reduction algorithm to adjust the number to be divisible 11 | by R mod L it also fits on an u64 as 1331240223835829 < 2^64 -------------------------------------------------------------------------------- /sage_codes/Point computation : -------------------------------------------------------------------------------- 1 | \\\ Base point computation for Sonny Curve. 2 | 3 | sage: prime = 2^252 + 27742317777372353535851937790883648493 4 | 5 | sage: A = 505186 6 | 7 | sage: def findBasepoint(prime, A): 8 | F = GF(prime) 9 | E = EllipticCurve(F, [0, A, 0, 1, 0]) 10 | for uInt in range(1, 1e3): 11 | u = F(uInt) 12 | v2 = u^3 + A*u^2 + u 13 | if not v2.is_square(): 14 | v = v2.sqrt() 15 | point = E(u, v) 16 | pointOrder = point.order() 17 | if pointOrder > 8 and pointOrder.is_prime(): 18 | Q=u^3 + A*u^2 + u 19 | return u, Q, sqrt(Q), point 20 | 21 | sage: res = findBasepoint(prime, A) 22 | 23 | sage: res 24 | 25 | (4, 26 | 8083044, 27 | 2387694734969974503585694617203302024142786955946516383730480941479078023877, 28 | 29 | (4 : 2387694734969974503585694617203302024142786955946516383730480941479078023877 : 1) 30 | 31 | /// Computation of Edwards points in Twisted Edwards format to produce (X:Y:T:Z) from given a X value. 32 | /// Using a manipulated version of the Edwards equation, 33 | /// written below, allows for the computation. 34 | /// a*X^2+Y^2 = 1+d*X^2*Y^2 35 | /// a = -1, d = -126296/126297 36 | /// In fractions in the mod l need to be `inverse_mod`, calculated for d as below: 37 | 38 | sage: p = 2^252 + 27742317777372353535851937790883648493 39 | sage: d = -(126296)/(126297) 40 | sage: d = ((-126296)*inverse_mod(126297,p))%p 41 | sage: d 42 | 951605751702391019481481818669129158712512026257330939079110344917983315091 43 | 44 | /// For use in the equation Y^2 will be written as Y, as sage will attempt to compute the square root. 45 | /// For arbitrarlily chosen X = 14 46 | 47 | sage: X = 14 48 | sage: Y = (-(X)^2-1)*inverse_mod(d*(X)^2-1,p)%p 49 | sage: Y 50 | 51 | 4097294349129061626216953635182512769012007176856180609903321124717525537317 52 | 53 | /// It needs to be checked if the Y here is a quadratic residue in p, 54 | /// using the legendre symbol [http://people.bath.ac.uk/masgks/XX10190/legendresymbol.pdf], 55 | /// if confirmed as QR in p, then tonelli-shanks is used to find the corresponing Y coordinates. 56 | 57 | sage: legendre_symbol(Y,p) 58 | 1 59 | sage: z += 1 60 | ....: c = pow(z, q, p) 61 | ....: 62 | ....: # Search for a solution 63 | ....: x = pow(a, (q + 1)/2, p) 64 | ....: t = pow(a, q, p) 65 | ....: m = s 66 | ....: while t != 1: 67 | ....: # Find the lowest i such that t^(2^i) = 1 68 | ....: i, e = 0, 2 69 | ....: for i in xrange(1, m): 70 | ....: if pow(t, e, p) == 1: 71 | ....: break 72 | ....: e *= 2 73 | ....: 74 | ....: # Update next value to iterate 75 | ....: b = pow(c, 2**(m - i - 1), p) 76 | ....: x = (x * b) % p 77 | ....: t = (t * b * b) % p 78 | ....: c = (b * b) % p 79 | ....: m = i 80 | ....: 81 | ....: return [x, p-x] 82 | ....: 83 | sage: prime_mod_sqrt(Y,p) 84 | [7027685437011822135117075804201712829494335458984232261155589991678118276875, 85 | 209320140320440078856110758841281411362780900395675344846360946607335974114] 86 | 87 | /// Using formulae from (http://eprint.iacr.org/2008/522), Section 3.1., compute T. 88 | /// Set initial Z = 1 89 | 90 | Y = 209320140320440078856110758841281411362780900395675344846360946607335974114 91 | sage: T = (X*Y)%p 92 | sage: T 93 | 2930481964486161103985550623777939759078932605539454827849053252502703637596 94 | sage: print X, Y, T, Z 95 | 14, 96 | 209320140320440078856110758841281411362780900395675344846360946607335974114, 97 | 2930481964486161103985550623777939759078932605539454827849053252502703637596, 98 | 1 99 | 100 | ///Using formulae from (http://eprint.iacr.org/2008/522), Section 3.1. 101 | /// We can perform addition for twisted edwards on two points computed 102 | /// using the aforementioned method. Addition requires two points, P and Q. 103 | 104 | X3 = (X1Y2 + Y1X2)(Z1Z2 − d*T1T2), 105 | Y3 = (Y1Y2 − a*X1X2)(T1T2 + d*T1T2), 106 | T3 = (Y1Y2 − a*X1X2)(X1Y2 + Y1X2), 107 | Z3 = (Z1Z2 − d*T1T2)(Z1Z2 + d*T1T2) 108 | ///all of the above operations are to be performed in modp 109 | 110 | /// Define the above calculated variables as follows: X = X1 : Y = Y1 : T = T1 : Z = Z1 111 | sage: print X1, Y1, T1, Z1 112 | 14, 113 | 209320140320440078856110758841281411362780900395675344846360946607335974114, 114 | 2930481964486161103985550623777939759078932605539454827849053252502703637596, 115 | 1 116 | 117 | /// In order to show a complete Edwards addition in Twisted extended coordinates, 118 | /// a second point must be computed. 119 | /// Take an arbitrary X as 67 and perform the same process. 120 | 121 | sage: X = 67 122 | sage: Y = (-(X)^2-1)*inverse_mod(d*(X)^2-1,p)%p 123 | sage: Y 124 | 2083393178995948293615321623635643301289972308686668478963476666090583806680 125 | sage: legendre_symbol(Y,p) 126 | 1 127 | sage: prime_mod_sqrt(Y,p) 128 | [3941153185566030503197827307080909868202351422646487319508322021660996132587, 129 | 3295852391766231710775359255962084372654764936733420286493628916624458118402] 130 | Y = 32958523917662317107753592559620843726547649367334202 131 | sage: Z = 1 132 | sage: T = X*Y%p 133 | sage: T 134 | 3711942928369658202753473258169825742155759979741931015014609265275066403264 135 | /// /// Define the above calculated variables as follows: X = X2 : Y = Y2 : T = T2 : Z = Z2 136 | sage: print X2, Y2, T2, Z2 137 | 67, 138 | 3295852391766231710775359255962084372654764936733420286493628916624458118402, 139 | 3711942928369658202753473258169825742155759979741931015014609265275066403264, 140 | 1 141 | 142 | sage: print a,d 143 | -1, 951605751702391019481481818669129158712512026257330939079110344917983315091 144 | 145 | sage: print p 146 | 7237005577332262213973186563042994240857116359379907606001950938285454250989 147 | 148 | sage: X3 = ((X1*Y2+Y1*X2)*(Z1*Z2-d*T1*T2))%p 149 | sage: Y3 = ((Y1*Y2-a*X1*X2)*(Z1*Z2+d*T1*T2))%p 150 | sage: t3 = ((Y1*Y2-a*X1*X2)*(X1*Y2+Y1*X2))%p 151 | sage: z3 = ((Z1*Z2-d*T1*T2)*(Z1*Z2+d*T1*T2))%p 152 | sage: print X3, Y3, T3, Z3 153 | 6071577539228590191219387911031602982956051495655581694654126271979753651722, 154 | 837202702872841412924343780706778248153230580612427863707303374823451692769, 155 | 3870569102798123767101920828945730089305537575358572428982223506408632563886, 156 | 5030678076965133398451320860257582818948884882165145613987735041289292101393 157 | 158 | ///Using formulae from (http://eprint.iacr.org/2008/522), Section 3.1. 159 | /// We can perform doubling for twisted edwards on two points computed 160 | /// using the aforementioned method. Doubling requires only one point, P. 161 | 162 | X3 = 2X1Y1(2*Z1^2-Y1^2-a*X1^2) 163 | Y3 = (Y1^2+a*X1^2)(Y1^2-a*X1^2) 164 | T3 = 2X1Y1(Y1^2-a*X1^2) 165 | Z3 = (Y1^2+a*X1^2)(2*Z1^2-Y1^2-a*X1^2) 166 | 167 | sage: print X1, Y1, T1, Z1 168 | sage: print X1, Y1, T1, Z1 169 | 14, 170 | 209320140320440078856110758841281411362780900395675344846360946607335974114, 171 | 2930481964486161103985550623777939759078932605539454827849053252502703637596, 172 | 1 173 | sage: print a,d 174 | -1, 951605751702391019481481818669129158712512026257330939079110344917983315091 175 | sage: print p 176 | 7237005577332262213973186563042994240857116359379907606001950938285454250989 177 | 178 | sage: X3 = (2*X1*Y1)*(2*z1^2-Y1^2-a*X1^2)%p 179 | sage: Y3 = (Y1^2+a*X1^2)*(Y1^2-a*X1^2)%p 180 | sage: T3 = ((2*X1*Y1)*(Y1^2-a*X1^2))%p 181 | sage: z3 = (Y1^2+a*X1^2)*(2*z1^2-Y1^2-a*X1^2)%p 182 | sage: print X3, Y3, t3, z3 183 | 149787030802898863214220589614787467360377956858885734134859441157998105502, 184 | 4114181249139963708922561672280278463269518807069632207462778037420327721750, 185 | 465221815300404819953157336686579853418396566040992296296754217912562254655, 186 | 3604554139948105518509753594085031057181477091926039562012636801913890184366 187 | 188 | 189 | 190 | 191 | /// For scalar multiplication, where the input is a random chosen 192 | /// scalar - denoted by k. A random point P is computed k times, 193 | /// to achieve a new output. First define constants and algorithm 194 | /// then perform computation and check. 195 | 196 | sage: x = 2^252 + 27742317777372353535851937790883648493 197 | sage: F = GF(x) 198 | sage: E = EllipticCurve(F,[0,505186,0,1,0]) 199 | sage: def mult(P,k): 200 | ....: if k == 0: 201 | ....: return E(0) 202 | ....: elif k%2 ==1: 203 | ....: return P + mult(P+P,k//2) 204 | ....: else: 205 | ....: return mult(P+P,k//2) 206 | ....: 207 | sage: P = E.random_element();P 208 | 5051189995337479708433119006747039364870785988521470496097671181243562411695, 209 | 7155958472685660389975401207154951743382380416674787893210035445445872196541, 210 | 1 211 | sage: mult(P,8) 212 | 1868330701290932041393248498391407583880515981499204757603220260047257156875, 213 | 5999066270237031196158421153363394298942525294456370395071609058345162660448, 214 | 1 215 | sage: 8*P 216 | 1868330701290932041393248498391407583880515981499204757603220260047257156875, 217 | 5999066270237031196158421153363394298942525294456370395071609058345162660448, 218 | 1 219 | 220 | -------------------------------------------------------------------------------- /sage_codes/Safe Curve code: -------------------------------------------------------------------------------- 1 | /// This section shows all of the proofs from their 2 | /// written in line with the safecurves document. 3 | 4 | /// Here is the outline of the sage code for 5 | /// the compuatation of values for proving 6 | /// all safe curve criteria. 7 | /// Taken from https://safecurves.cr.yp.to/ (July, 2019) 8 | 9 | import os 10 | import sys 11 | 12 | def readfile(fn): 13 | fd = open(fn,'r') 14 | r = fd.read() 15 | fd.close() 16 | return r 17 | 18 | def writefile(fn,s): 19 | fd = open(fn,'w') 20 | fd.write(s) 21 | fd.close() 22 | 23 | def expand2(n): 24 | s = "" 25 | 26 | while n != 0: 27 | j = 16 28 | while 2**j < abs(n): j += 1 29 | if 2**j - abs(n) > abs(n) - 2**(j-1): j -= 1 30 | 31 | if abs(abs(n) - 2**j) > 2**(j - 10): 32 | if n > 0: 33 | if s != "": s += " + " 34 | s += str(n) 35 | else: 36 | s += " - " + str(-n) 37 | n = 0 38 | elif n > 0: 39 | if s != "": s += " + " 40 | s += "2^" + str(j) 41 | n -= 2**j 42 | else: 43 | s += " - 2^" + str(j) 44 | n += 2**j 45 | 46 | return s 47 | 48 | def requirement(fn,istrue): 49 | writefile(fn,str(istrue) + '\n') 50 | return istrue 51 | 52 | def verify(): 53 | p = Integer(readfile('p')) 54 | k = GF(p) 55 | kz.
Take b = %s.\n' % base 89 | proof += '
b^(n-1) mod n = 1.\n' 90 | f = factor(1) 91 | for v in reversed(V): 92 | if f.prod()^2 <= n: 93 | if n % v == 1: 94 | u = base^((n-1)/v)-1 95 | if u.is_unit(): 96 | proof += '
%s is prime.\n' % (v,v)
97 | proof += '
b^((n-1)/%s)-1 mod n = %s, which is a unit, inverse %s.\n' % (v,u,1/u)
98 | f *= factor(v)^(n-1).valuation(v)
99 | if f.prod()^2 <= n: continue
100 | if n % f.prod() != 1: continue
101 | proof += '
(%s) divides n-1.\n' % f 102 | proof += '
(%s)^2 > n.\n' % f 103 | proof += "
n is prime by Pocklington's theorem.\n"
104 | proof += '\n'
105 | writefile('../../../proof/%s.html' % n,proof)
106 | if not n in V: V += [n]
107 | break
108 |
109 | writefile('verify-primes',''.join('%s\n' % (v,v) for v in V))
110 |
111 | pstatus = 'Unverified'
112 | if not p.is_prime(): pstatus = 'False'
113 | if p in V: pstatus = 'True'
114 | if pstatus != 'True': safefield = False
115 | writefile('verify-pisprime',pstatus + '\n')
116 |
117 | pstatus = 'Unverified'
118 | if not l.is_prime(): pstatus = 'False'
119 | if l in V: pstatus = 'True'
120 | if pstatus != 'True': safebase = False
121 | writefile('verify-lisprime',pstatus + '\n')
122 |
123 | writefile('expand2-p','= %s\n' % expand2(p))
124 | writefile('expand2-l','
= %s\n' % expand2(l))
125 |
126 | writefile('hex-p',hex(p) + '\n')
127 | writefile('hex-l',hex(l) + '\n')
128 | writefile('hex-x0',hex(x0) + '\n')
129 | writefile('hex-x1',hex(x1) + '\n')
130 | writefile('hex-y0',hex(y0) + '\n')
131 | writefile('hex-y1',hex(y1) + '\n')
132 |
133 | gcdlpis1 = gcd(l,p) == 1
134 | safetransfer &= requirement('verify-gcdlp1',gcdlpis1)
135 |
136 | writefile('verify-movsafe','Unverified\n')
137 | writefile('verify-embeddingdegree','Unverified\n')
138 | if gcdlpis1 and l.is_prime():
139 | u = Integers(l)(p)
140 | d = l-1
141 | for v in V:
142 | while d % v == 0: d /= v
143 | if d == 1:
144 | d = l-1
145 | for v in V:
146 | while d % v == 0:
147 | if u^(d/v) != 1: break
148 | d /= v
149 | safetransfer &= requirement('verify-movsafe',(l-1)/d <= 100)
150 | writefile('verify-embeddingdegree','%s
= (l-1)/%s\n' % (d,(l-1)/d))
151 |
152 | t = p+1-l*round((p+1)/l)
153 | if l^2 > 16*p:
154 | writefile('verify-trace','%s\n' % t)
155 | f = factor(1)
156 | d = (p+1-t)/l
157 | for v in V:
158 | while d % v == 0:
159 | d //= v
160 | f *= factor(v)
161 | writefile('verify-cofactor','%s\n' % f)
162 | else:
163 | writefile('verify-trace','Unverified\n')
164 | writefile('verify-cofactor','Unverified\n')
165 |
166 | D = t^2-4*p
167 | for v in V:
168 | while D % v^2 == 0: D /= v^2
169 | if prod([v for v in V if D % v == 0]) != -D:
170 | writefile('verify-disc','Unverified\n')
171 | writefile('verify-discisbig','Unverified\n')
172 | safedisc = False
173 | else:
174 | f = -prod([factor(v) for v in V if D % v == 0])
175 | if D % 4 != 1:
176 | D *= 4
177 | f = factor(4) * f
178 | Dbits = (log(-D)/log(2)).numerical_approx()
179 | writefile('verify-disc','%s
= %s
≈ -2^%.1f\n' % (D,f,Dbits))
180 | safedisc &= requirement('verify-discisbig',D < -2^100)
181 |
182 | pi4 = 0.78539816339744830961566084581987572105
183 | rho = log(pi4*l)/log(4)
184 | writefile('verify-rho','%.1f\n' % rho)
185 | saferho &= requirement('verify-rhoabove100',rho.numerical_approx() >= 100)
186 |
187 | twistl = 'Unverified'
188 | d = p+1+t
189 | for v in V:
190 | while d % v == 0: d /= v
191 | if d == 1:
192 | d = p+1+t
193 | for v in V:
194 | if d % v == 0:
195 | if twistl == 'Unverified' or v > twistl: twistl = v
196 |
197 | writefile('verify-twistl','%s\n' % twistl)
198 | writefile('verify-twistembeddingdegree','Unverified\n')
199 | writefile('verify-twistmovsafe','Unverified\n')
200 | if twistl == 'Unverified':
201 | writefile('hex-twistl','Unverified\n')
202 | writefile('expand2-twistl','Unverified\n')
203 | writefile('verify-twistcofactor','Unverified\n')
204 | writefile('verify-gcdtwistlp1','Unverified\n')
205 | writefile('verify-twistrho','Unverified\n')
206 | safetwist = False
207 | else:
208 | writefile('hex-twistl',hex(twistl) + '\n')
209 | writefile('expand2-twistl','
= %s\n' % expand2(twistl))
210 | f = factor(1)
211 | d = (p+1+t)/twistl
212 | for v in V:
213 | while d % v == 0:
214 | d //= v
215 | f *= factor(v)
216 | writefile('verify-twistcofactor','%s\n' % f)
217 | gcdtwistlpis1 = gcd(twistl,p) == 1
218 | safetwist &= requirement('verify-gcdtwistlp1',gcdtwistlpis1)
219 |
220 | movsafe = 'Unverified'
221 | embeddingdegree = 'Unverified'
222 | if gcdtwistlpis1 and twistl.is_prime():
223 | u = Integers(twistl)(p)
224 | d = twistl-1
225 | for v in V:
226 | while d % v == 0: d /= v
227 | if d == 1:
228 | d = twistl-1
229 | for v in V:
230 | while d % v == 0:
231 | if u^(d/v) != 1: break
232 | d /= v
233 | safetwist &= requirement('verify-twistmovsafe',(twistl-1)/d <= 100)
234 | writefile('verify-twistembeddingdegree',"%s
= (l'-1)/%s\n" % (d,(twistl-1)/d))
235 |
236 | rho = log(pi4*twistl)/log(4)
237 | writefile('verify-twistrho','%.1f\n' % rho)
238 | safetwist &= requirement('verify-twistrhoabove100',rho.numerical_approx() >= 100)
239 |
240 | precomp = 0
241 | joint = l
242 | for v in V:
243 | d1 = p+1-t
244 | d2 = p+1+t
245 | while d1 % v == 0 or d2 % v == 0:
246 | if d1 % v == 0: d1 //= v
247 | if d2 % v == 0: d2 //= v
248 | # best case for attack: cyclic; each power is usable
249 | # also assume that kangaroo is as efficient as rho
250 | if v + sqrt(pi4*joint/v) < sqrt(pi4*joint):
251 | precomp += v
252 | joint /= v
253 |
254 | rho = log(precomp + sqrt(pi4 * joint))/log(2)
255 | writefile('verify-jointrho','%.1f\n' % rho)
256 | safetwist &= requirement('verify-jointrhoabove100',rho.numerical_approx() >= 100)
257 |
258 |
259 | x0 = k(x0)
260 | y0 = k(y0)
261 | x1 = k(x1)
262 | y1 = k(y1)
263 |
264 | if shape == 'edwards':
265 | d = Integer(readfile('d'))
266 | writefile('verify-shape','Edwards\n')
267 | writefile('verify-equation','x^2+y^2 = 1%+dx^2y^2\n' % d)
268 |
269 | d = k(d)
270 | elliptic = d*(1-d)
271 | level0 = x0^2+y0^2-1-d*x0^2*y0^2
272 | level1 = x1^2+y1^2-1-d*x1^2*y1^2
273 |
274 | if shape == 'montgomery':
275 | writefile('verify-shape','Montgomery\n')
276 | A = Integer(readfile('A'))
277 | B = Integer(readfile('B'))
278 | equation = '%sy^2 = x^3
7 | //!
8 | //!
9 | //! 
10 | //!
11 | //!
12 | //! 
13 | //!
14 | //!
15 | //! 
16 | //!
17 | //!
18 | //!
19 | //!
21 | //!
23 | //!
24 | //! # What is Zerocaf?
25 | //! Zerocaf is a pure Rust cryptographic library constructed to define operations for an elliptic curve embedded
26 | //! into the Ristretto scalar field, which allows the construction of prime order groups
27 | //! from an otherwise non prime order curve.
28 | //!
29 | //! The ultimate purpose of defining operations is for set inclusion proofs - where it is shown, in zero-knowledge,
30 | //! that a private key exists in a set of many public keys.
31 | //!
32 | //! Additionally, the zero-knowledge proofs use Bulletproofs as the argument for arithmetic circuits
33 | //! that are used to form arbitrary constraint systems.
34 | //!
35 | //! # What can it be used for?
36 | //! The main goal of the library, as said before, is to be the base of operations over set inclusion proofs
37 | //! and other Zero-Knowledge protocols.
38 | //!
39 | //! But since Zerocaf is build upon the SonnyCurve using the Ristretto protocol, it allows other devs to build
40 | //! cryptographic protocols over it without needing to take care about the co-factor of the curve.
41 | //!
42 | //! This, brings to developers, a good mathematical backend library which can be used as a `mid-level` API
43 | //! for building all kinds of cryptographic protocols over it such as key agreement, signatures,
44 | //! anonymous credentials, rangeproofs...
45 | //!
46 | //! # Usage
47 | //! To import the library as a dependency of your project, just add on your `Cargo.toml`s project file:
48 | //! ```toml
49 | //! zerocaf = "0.1.1"
50 | //! ```
51 | //!
52 | //! Then import the crate as:
53 | //! ```rust
54 | //! extern crate zerocaf;
55 | //! ```
56 | //!
57 | //! # Backends.
58 | //! Zerocaf has been built following the [Curve25519-dalek](https://docs.rs/curve25519-dalek/1.2.1/curve25519_dalek/) library structure, which allows for multiple
59 | //! backend implementations. All of the works are built to enable modularity.
60 | //!
61 | //! Currently, `Zerocaf` has implemented the u64 backend.
62 | //! By default, the `u64` backend is the one which is used to perform all of
63 | //! the operations.
64 | //! Additionly, for future works, we would like to implement a `u32` backend aswell.
65 | //!
66 | //! To select a backend type, the following method can be used:
67 | //! ```sh
68 | //! // For unoptimized builds:
69 | //! cargo build --features "u64_backend"
70 | //!
71 | //! // For optimized/release builds:
72 | //! cargo build --release --features "u64_backend"
73 | //! ```
74 | //!
75 | //!
76 | //! NOTE: If no backend is selected, the compilation will fail!
77 | //!
78 | //! # Security and features of Zerocaf
79 | //!
80 | //! As is previously mentioned, zerocaf is designed to host the fastest possible curve operations whilst
81 | //! simultaneously avoiding all of the drawbacks associated with having a cofactor such that h > 1.
82 | //!
83 | //! To achieve this we make use of Ristretto, which is a technique to construct prime order elliptic curve groups.
84 | //! The Ristretto protocol compresses the cofactor by adding a thin abstraction layer to allow small changes
85 | //! in code to ultimately omit the cofactor issues.
86 | //!
87 | //! This is achieved by having defining the twisted edwards curve over the ristretto scalar field,
88 | //! which means to perform every operation on the curve in modulo L,
89 | //! where L is the order of the ristretto scalar field.
90 | //!
91 | //! `L = 2^252 + 27742317777372353535851937790883648493`.
92 | //!
93 | //! By expounding the operations in this manner, we can benefit from the speed of a non-prime order twisted
94 | //! edwards curve whilst not suffering the pitfalls of a cofactor greater than one.
95 | //!
96 | //!
97 | //! # Performance & Benchmarks
98 | //! Benchmarks have been implemented using [Criterion.rs](https://docs.rs/criterion/0.2.11/criterion/).
99 | //! To run them just execute `cargo bench` on the repository root.
100 | //!
101 | //! All of the operatons have been implemented using bit-shifting techniques to allow better performance
102 | //! and a significant reduction in execution time.
103 | //!
104 | //! # Examples
105 | //! We are planning to add some examples about tha basics of the `Zerocaf` library usage.
106 | //! They will be uploaded to the [examples](https://github.com/dusk-network/dusk-zerocaf/tree/master/docs) folder.
107 | //!
108 | //! This is a very basic usage example of the Zerocaf lib:
109 | //! ```rust
110 | //! extern crate zerocaf;
111 | //! extern crate rand;
112 | //!
113 | //! use zerocaf::field::FieldElement;
114 | //! use zerocaf::scalar::Scalar;
115 | //! use zerocaf::edwards::EdwardsPoint;
116 | //!
117 | //! use rand::{Rng, thread_rng};
118 | //!
119 | //! fn main() -> () {
120 | //!
121 | //! // Let G be an `EdwardsPoint` which is a point over the Twisted Eds Extended Coordinates.
122 | //! let G: EdwardsPoint = EdwardsPoint {
123 | //! X: FieldElement([23, 0, 0, 0, 0]),
124 | //! Y: FieldElement([1664892896009688, 132583819244870, 812547420185263, 637811013879057, 13284180325998]),
125 | //! Z: FieldElement([1, 0, 0, 0, 0]),
126 | //! T: FieldElement([4351986304670635, 4020128726404030, 674192131526433, 1158854437106827, 6468984742885])
127 | //! };
128 | //!
129 | //! let scalar: Scalar = rand_scalar_generation();
130 | //! println!("{:?}", scalar);
131 | //!
132 | //! // Perform G*k, Point mul uses the `add_and_double` standard algorithm.
133 | //! let P = &G * &scalar;
134 | //! println!("{:?}", P);
135 | //! }
136 | //!
137 | //! /// Generate a random `Scalar` defined over the sub-group field
138 | //! /// modulo: `2^249 - 15145038707218910765482344729778085401`
139 | //! pub fn rand_scalar_generation() -> Scalar {
140 | //! // Gen random 32-byte array.
141 | //! let mut bytes = [0u8;32];
142 | //!
143 | //! // Fill the bytes varible with random bytes. We can use the 32 bytes co give
144 | //! // total randomness but then we will need to be aware because we can generate
145 | //! // values greater than `L = 2^252 + 27742317777372353535851937790883648493` and
146 | //! // the program will panic if we don't catch the error correctly on the
147 | //! // `from_bytes()` Scalar method call.
148 | //! thread_rng().try_fill(&mut bytes[..31]).expect("Error getting the random bytes");
149 | //!
150 | //! Scalar::from_bytes(&bytes)
151 | //! }
152 | //! ```
153 | //!
154 | //! We will also publish some videos talking about how is the library built and
155 | //! the maths that are happening behind the scenes.
156 | //! Videos can also include programming examples using `Zerocaf` as a dependency.
157 | //! You can check them on the [Dusk Network Youtube Channel](https://www.youtube.com/channel/UCAfY3VcuaxAelPp44B253Rw).
158 | //!
159 |
160 | // Used for traits related to constant-time code.
161 | extern crate subtle;
162 | // Used for Ristretto255Scalar trait.
163 | extern crate curve25519_dalek;
164 | extern crate num;
165 |
166 | pub mod backend;
167 | pub mod constants;
168 | pub mod edwards;
169 | pub mod field;
170 | pub mod montgomery;
171 | pub mod ristretto;
172 | pub mod scalar;
173 | pub mod traits;
174 |
--------------------------------------------------------------------------------
/src/montgomery.rs:
--------------------------------------------------------------------------------
1 | //! Implementation that provides support for Montgomery Points
2 | //! over the Sonnycurve.
3 | //!
4 | //! A `MontgomeryPoint` is represented as the `u-coordinate`
5 | //! of itself in LE bytes-format.
6 |
7 | use crate::edwards::EdwardsPoint;
8 | use crate::field::FieldElement;
9 |
10 | use subtle::Choice;
11 | use subtle::ConstantTimeEq;
12 |
13 | /// Holds the u-coordinate of a point on the Montgomery form of
14 | /// Doppio-curve or its twist.
15 | #[derive(Copy, Clone, Debug)]
16 | pub struct MontgomeryPoint(pub [u8; 32]);
17 |
18 | /// Equality of `MontgomeryPoint`s is defined mod p.
19 | impl ConstantTimeEq for MontgomeryPoint {
20 | fn ct_eq(&self, other: &MontgomeryPoint) -> Choice {
21 | let self_fe = FieldElement::from_bytes(&self.0);
22 | let other_fe = FieldElement::from_bytes(&other.0);
23 |
24 | self_fe.ct_eq(&other_fe)
25 | }
26 | }
27 |
28 | impl Default for MontgomeryPoint {
29 | fn default() -> MontgomeryPoint {
30 | MontgomeryPoint([0u8; 32])
31 | }
32 | }
33 |
34 | impl PartialEq for MontgomeryPoint {
35 | fn eq(&self, other: &MontgomeryPoint) -> bool {
36 | self.ct_eq(other).unwrap_u8() == 1u8
37 | }
38 | }
39 |
40 | impl Eq for MontgomeryPoint {}
41 |
42 | impl MontgomeryPoint {
43 | /// View this `MontgomeryPoint` as an array of bytes.
44 | pub fn as_bytes<'a>(&'a self) -> &'a [u8; 32] {
45 | &self.0
46 | }
47 |
48 | /// Convert this `MontgomeryPoint` to an array of bytes.
49 | pub fn to_bytes(&self) -> [u8; 32] {
50 | self.0
51 | }
52 |
53 | /// Attempt to convert to an `EdwardsPoint`, using the supplied
54 | /// choice of sign for the `EdwardsPoint`.
55 | pub fn to_edwards(&self, _sign: u8) -> Option