-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add GLV for simple curves: BW6-767, Grumpkin, secp256k1, secq256k1 #778
base: master
Are you sure you want to change the base?
Conversation
Can we reuse standard settings of beta and lambda that are also used by other implementations? Also, can we add the relevant sage scripts to the curve folders? |
Let me ask a clarifying question. What do you mean by standard settings? So, I cross check with BW6-761 and I can reproduce their parameters, although the scalar decomposition is a little bit different---BW6-761's scalar decomposition coeffs are true, false, true, true. I, locally, have false, true, false, false, which would be equivalent but just not sure why BW6-761's coeffs prefer negations. (If you have any info about why previous implementation tends to prefer negations, or whether we should ping @simonmasson for help...) For the rest, there is an issue. BLS12-381, BLS12-377, BN254 don't use the standard GLV parameters. They use a special trick that is tailored for them (as you can see, their scalar decomposition is fairly simple). The curves that we are implementing here, however, does not have those special parameters. So the references for those would be a specific paper. |
Let me organize my script and can include one. My current script is mostly doing a trial-and-error to figure out which lambda should be used, which is clearly not ideal. Another thing pending for this PR is that I may want to run the benchmark to see the improvement. |
@weikengchen I assume that secp256k1 uses particular parameters, especially in libsecp256, right? Similarly, for Grumpkin, other implementations might have a particular choice. Best to be compatible with them. That's all I meant |
Got it. Let me look around. By the way, the GLV implementation is already different from the standard GLV. The standard GLV rounds numbers. We floor. Per the original proof, this may imply that, for a 256-bit number, the decomposed scalar could be 129-bit instead of 128-bit. |
allow me to do additional review about the parameters. The problem is that the positive sign and negative sign are crucial, and I think the current test template is insufficient in that it does not detect "correct but not short vector GLV". |
@weikengchen indeed, the tests are only checking correctness. |
GLV are purely internal, being compatible helps for debugging but it wouldn't change the result of the scalar multiplication.
Here is my script for deriving GLV on G1 and G2 fo BN254, BLS12-381, BLS12-377, BW6-761 (though hardcoded because too slow in sage). I use LLL though instead. |
Description
This PR adds GLV curves for those simple cases where a = 0 and the curve is a SW curve.
The parameters are generated as follows. First of all, you get
beta
. Anotherbeta
would bebeta^2
.Then, you get
lambda
. There are two candidates. One can just test it out.Use an algorithm to find out the scalars
The implementation here follows this Hackmd https://hackmd.io/@drouyang/glv by @drouyang
This PR is related to #718 but does not solve it.
Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.
Pending
section inCHANGELOG.md
Files changed
in the GitHub PR explorerdo not apply: