Updating Decaf documentation.

armfazh · armfazh · commit f5957e78c9e4 · 2020-07-24T13:32:29.000-07:00
diff --git a/ecc/decaf/constants.go b/ecc/decaf/constants.go
@@ -13,10 +13,10 @@ const EncodingSize = fp.Size
 var ErrInvalidDecoding = errors.New("invalid decoding")
 
 var (
-	// aMinusD is paramA-paramD used in Decaf.
-	aMinusDTwist = fp.Elt{0xa9, 0x98}
-	// sqrtAMinusDTwist is the smallest sqrt(paramATwist-paramDTwist) used in Decaf.
-	sqrtAMinusDTwist = fp.Elt{
+	// aMinusD is paramA-paramD = (-1)-(-39082) = 39081.
+	aMinusD = fp.Elt{0xa9, 0x98}
+	// sqrtAMinusD is the smallest root of sqrt(paramA-paramD) = sqrt(39081).
+	sqrtAMinusD = fp.Elt{
 		0x36, 0x27, 0x57, 0x45, 0x0f, 0xef, 0x42, 0x96,
 		0x52, 0xce, 0x20, 0xaa, 0xf6, 0x7b, 0x33, 0x60,
 		0xd2, 0xde, 0x6e, 0xfd, 0xf4, 0x66, 0x9a, 0x83,
diff --git a/ecc/decaf/decaf.go b/ecc/decaf/decaf.go
@@ -5,7 +5,7 @@
 //
 // Decaf (3) is a prime-order group constructed as a quotient of groups. A Decaf
 // element can be represented by any point in the coset P+J[2], where J is a
-// Jacobi quartic and J[2] are its 2-torsion points.
+// Jacobi quartic curve and J[2] are its 2-torsion points.
 // Since P+J[2] has four points, Decaf specifies rules to choose one canonical
 // representative, which has a unique encoding. Two representations are
 // equivalent if they belong to the same coset.
@@ -15,17 +15,9 @@
 //
 // Version
 //
-// This implementation uses Decaf v1.0 of the encoding (see (4) for a complete
+// This implementation uses Decaf v1.0 of the encoding (see (4,5) for a complete
 // specification).
 //
-// Internals
-//
-// Decaf uses as internal representation the curve
-//   ted448: ax^2+y^2 = 1 + dx^2y^2, where a=-1 and d=-39082.
-// This curve is 4-degree isogeneous to the Goldilocks curve, and 2-degree
-// isogeneous to the Jacobi quartic. The ted448 curve was chosen because it
-// provides faster arithmetic operations.
-//
 // References
 //
 // (1) https://www.shiftleft.org/papers/goldilocks
@@ -35,6 +27,8 @@
 // (3) https://doi.org/10.1007/978-3-662-47989-6_34 and https://www.shiftleft.org/papers/decaf
 //
 // (4) https://sourceforge.net/p/ed448goldilocks/code/ci/v1.0/tree/
+//
+// (5) https://mailarchive.ietf.org/arch/msg/cfrg/S4YUTt_5eD4kwYbDuhEK0tXT1aM/
 package decaf
 
 import (
@@ -96,8 +90,8 @@ func (e *Elt) IsEqual(a *Elt) bool {
 	return fp.IsZero(l)
 }
 
-// UnmarshalBinary if succeeds returns a Decaf element by decoding the first
-// DecafEncodingSize bytes of data.
+// UnmarshalBinary interprets the first EncodingSize bytes passed in data, and
+// returns a Decaf element.
 func (e *Elt) UnmarshalBinary(data []byte) error {
 	if len(data) < EncodingSize {
 		return ErrInvalidDecoding
@@ -109,35 +103,34 @@ func (e *Elt) UnmarshalBinary(data []byte) error {
 	isLessThanP := isLessThan(s[:], p[:])
 	isPositiveS := fp.Parity(s) == 0
 
-	s2, den, num := &fp.Elt{}, &fp.Elt{}, &fp.Elt{}
-	isr, altx := &fp.Elt{}, &fp.Elt{}
-	t0, t1 := &fp.Elt{}, &fp.Elt{}
+	den, num := &fp.Elt{}, &fp.Elt{}
+	isr, altx, t0 := &fp.Elt{}, &fp.Elt{}, &fp.Elt{}
 	x, y := &fp.Elt{}, &fp.Elt{}
 	one := fp.One()
-	fp.Sqr(s2, s)                       // s2  = s^2
-	fp.Sub(den, &one, s2)               // den = 1 + a*s^2
-	fp.Mul(t1, s2, &ted448.ParamD)      // t1 = d*s^2
-	fp.Add(t1, t1, t1)                  // t1 = 2*d*s^2
-	fp.Add(t1, t1, t1)                  // t1 = 4*d*s^2
-	fp.Sqr(t0, den)                     // num = (1 + a*s^2)^2
-	fp.Sub(num, t0, t1)                 // num = (1 + a*s^2)^2 - 4*d*s^2
-	fp.Mul(t0, t0, num)                 // t0 = num*den^2
-	isQR := fp.InvSqrt(isr, &one, t0)   // v = 1/sqrt(num*den^2)
-	fp.Mul(t1, den, isr)                // altx = isr*den
-	fp.Mul(t1, t1, s)                   // altx = s*isr*den
-	fp.Add(t1, t1, t1)                  // t1   = 2*s*isr*den
-	fp.Mul(altx, t1, &sqrtAMinusDTwist) // altx = 2*s*isr*den*sqrt(A-D)
-	isNegX := fp.Parity(altx)           // isNeg = sgn(altx)
-	fp.Neg(t0, isr)                     // t0 = -isr
-	fp.Cmov(isr, t0, uint(isNegX))      // if altx is negative then isr = -isr
-	fp.Sqr(x, isr)                      // x = isr^2
-	fp.Mul(x, x, den)                   // x = isr^2*den
-	fp.Mul(x, x, num)                   // x = isr^2*den*num
-	fp.Mul(x, x, s)                     // x = s*isr^2*den*num
-	fp.Add(x, x, x)                     // x = 2*s*isr^2*den*num
-	fp.Mul(y, isr, den)                 // y = isr*den
-	fp.Add(t0, &one, s2)                // t0 = 1 - a*s^2
-	fp.Mul(y, y, t0)                    // y = (1 - a*s^2)*isr*den
+	paramD := ted448.ParamD()
+	fp.Sqr(t0, s)                     // t0  = s^2
+	fp.Sub(den, &one, t0)             // den = 1 + a*s^2
+	fp.Add(y, &one, t0)               // y   = 1 - a*s^2
+	fp.Mul(num, t0, &paramD)          // num = d*s^2
+	fp.Add(num, num, num)             //     = 2*d*s^2
+	fp.Add(num, num, num)             //     = 4*d*s^2
+	fp.Sqr(t0, den)                   // t0  = den^2 = (1 + a*s^2)^2
+	fp.Sub(num, t0, num)              // num = den^2 - 4*d*s^2
+	fp.Mul(t0, t0, num)               // t0  = den^2*num
+	isQR := fp.InvSqrt(isr, &one, t0) // isr = 1/(den*sqrt(num))
+	fp.Mul(altx, isr, den)            // altx = isr*den
+	fp.Mul(altx, altx, s)             //      = s*isr*den
+	fp.Add(altx, altx, altx)          //      = 2*s*isr*den
+	fp.Mul(altx, altx, &sqrtAMinusD)  //      = 2*s*isr*den*sqrt(A-D)
+	isNegX := fp.Parity(altx)         // isNeg = sgn(altx)
+	fp.Neg(t0, isr)                   // t0 = -isr
+	fp.Cmov(isr, t0, uint(isNegX))    // if altx is negative then isr = -isr
+	fp.Mul(t0, isr, den)              // t0 = isr*den
+	fp.Mul(x, t0, isr)                // x = isr^2*den
+	fp.Mul(x, x, num)                 // x = isr^2*den*num
+	fp.Mul(x, x, s)                   // x = s*isr^2*den*num
+	fp.Add(x, x, x)                   // x = 2*s*isr^2*den*num
+	fp.Mul(y, y, t0)                  // y = (1 - a*s^2)*isr*den
 
 	isValid := isPositiveS && isLessThanP && isQR
 	b := uint(*((*byte)(unsafe.Pointer(&isValid))))
@@ -146,45 +139,45 @@ func (e *Elt) UnmarshalBinary(data []byte) error {
 	fp.Cmov(&e.p.Ta, x, b)
 	fp.Cmov(&e.p.Tb, y, b)
 	fp.Cmov(&e.p.Z, &one, b)
-	var err error
 	if !isValid {
-		err = ErrInvalidDecoding
+		return ErrInvalidDecoding
 	}
-	return err
+	return nil
 }
 
 // MarshalBinary returns a unique encoding of the element e.
 func (e *Elt) MarshalBinary() ([]byte, error) {
-	x, ta, tb, z := &e.p.X, &e.p.Ta, &e.p.Tb, &e.p.Z
-	one, t, t2, s := &fp.Elt{}, &fp.Elt{}, &fp.Elt{}, &fp.Elt{}
-	fp.SetOne(one)
-	fp.Mul(t, ta, tb)                  // t = ta*tb
-	t0, t1 := *x, *t                   // (t0,t1) = (x,t)
-	fp.Sqr(t2, x)                      // t2 = x^2
-	fp.AddSub(&t0, &t1)                // (t0,t1) = (x+t,x-t)
-	fp.Mul(&t1, &t0, &t1)              // t1 = (x+t)*(x-t)
-	fp.Mul(&t0, &t1, &aMinusDTwist)    // t0 = (a-d)*(x+t)*(x-t)
-	fp.Mul(&t0, &t0, t2)               // t0 = x^2*(a-d)*(x+t)*(x-t)
-	fp.InvSqrt(&t0, one, &t0)          // t0 = 1/sqrt( x^2*(a-d)*(z+y)*(z-y) )
-	fp.Mul(&t1, &t1, &t0)              // t1 = (z+y)*(z-y)/sqrt( x^2*(a-d)*(z+y)*(z-y) )
-	fp.Mul(t2, &t1, &sqrtAMinusDTwist) // t2 = sqrt( (z+y)*(z-y) )/z
-	isNeg := fp.Parity(t2)             // isNeg = sgn(t2)
-	fp.Neg(t2, &t1)                    // t2 = -t1
-	fp.Cmov(&t1, t2, uint(isNeg))      // if t2 is negative then t1 = -t1
-	fp.Mul(s, &t1, z)                  // s = t1*z
-	fp.Sub(s, s, t)                    // s = t1*z - t
-	fp.Mul(s, s, x)                    // s = x*(t1*z - t)
-	fp.Mul(s, s, &t0)                  // s = isr*x*(t1*z - t)
-	fp.Mul(s, s, &aMinusDTwist)        // s = (a-d)*isr*x*(t1*z - t)
-	isNeg = fp.Parity(s)               // isNeg = sgn(s)
-	fp.Neg(&t0, s)                     // t0 = -s
-	fp.Cmov(s, &t0, uint(isNeg))       // if s is negative then s = -s
-
 	var encS [EncodingSize]byte
-	if err := fp.ToBytes(encS[:], s); err != nil {
-		return nil, err
-	}
-	return encS[:], nil
+	err := e.marshalBinary(encS[:])
+	return encS[:], err
+}
+
+func (e *Elt) marshalBinary(enc []byte) error {
+	x, ta, tb, z := &e.p.X, &e.p.Ta, &e.p.Tb, &e.p.Z
+	t, t2, s := &fp.Elt{}, &fp.Elt{}, &fp.Elt{}
+	one := fp.One()
+	fp.Mul(t, ta, tb)             // t = ta*tb
+	t0, t1 := *x, *t              // (t0,t1) = (x,t)
+	fp.AddSub(&t0, &t1)           // (t0,t1) = (x+t,x-t)
+	fp.Mul(&t1, &t0, &t1)         // t1 = num = (x+t)*(x-t) = x^2*(z^2-y^2)/z^2
+	fp.Mul(&t0, &t1, &aMinusD)    // t0 = (a-d)*(x+t)*(x-t) = (a-d)*x^2*(z^2-y^2)/z^2
+	fp.Sqr(t2, x)                 // t2 = x^2
+	fp.Mul(&t0, &t0, t2)          // t0 = x^2*(a-d)*(x+t)*(x-t) = (a-d)*x^4*(z^2-y^2)/z^2
+	fp.InvSqrt(&t0, &one, &t0)    // t0 = isr = z/(x^2*sqrt((a-d)*(z^2-y^2)))
+	fp.Mul(&t1, &t1, &t0)         // t1 = ratio = (z^2-y^2)/(z*sqrt((a-d)*(z^2-y^2)))
+	fp.Mul(t2, &t1, &sqrtAMinusD) // t2 = altx = sqrt((z^2-y^2))/z
+	isNeg := fp.Parity(t2)        // isNeg = sgn(t2)
+	fp.Neg(t2, &t1)               // t2 = -t1
+	fp.Cmov(&t1, t2, uint(isNeg)) // if t2 is negative then t1 = -t1
+	fp.Mul(s, &t1, z)             // s = t1*z
+	fp.Sub(s, s, t)               // s = t1*z - t
+	fp.Mul(s, s, x)               // s = x*(t1*z - t)
+	fp.Mul(s, s, &t0)             // s = isr*x*(t1*z - t)
+	fp.Mul(s, s, &aMinusD)        // s = (a-d)*isr*x*(t1*z - t)
+	isNeg = fp.Parity(s)          // isNeg = sgn(s)
+	fp.Neg(&t0, s)                // t0 = -s
+	fp.Cmov(s, &t0, uint(isNeg))  // if s is negative then s = -s
+	return fp.ToBytes(enc[:], s)
 }
 
 // isLessThan returns true if 0 <= x < y, and assumes that slices are of the
diff --git a/ecc/decaf/decaf_test.go b/ecc/decaf/decaf_test.go
@@ -164,6 +164,7 @@ func TestPointNeg(t *testing.T) {
 		}
 	}
 }
+
 func TestDecafOrder(t *testing.T) {
 	const testTimes = 1 << 10
 	Q := &decaf.Elt{}

Original file line number	Diff line number	Diff line change
`@@ -164,6 +164,7 @@ func TestPointNeg(t *testing.T) {`
`164`	`164`	`}`
`165`	`165`	`}`
`166`	`166`	`}`
	`167`	`+`
`167`	`168`	`func TestDecafOrder(t *testing.T) {`
`168`	`169`	`const testTimes = 1 << 10`
`169`	`170`	`Q := &decaf.Elt{}`