cleanup and faster point sampling

Author: AndHell

src/elliptic/point.rs

@@ -1,5 +1,4 @@
 use fp2::traits::Fp as FpTrait;
-use rand_core::{CryptoRng, RngCore};
 
 /// Special x-only representation of a point (or a pair of points,
 /// since two Y coordinates may match a given X).
@@ -65,12 +64,6 @@ impl<Fq: FpTrait> PointX<Fq> {
             P.Z = Fq::ONE;
         }
     }
-
-    /// Return a new random X only point.
-    pub fn rand_point<R: CryptoRng + RngCore>(rng: &mut R) -> PointX<Fq> {
-        let x = Fq::rand(rng);
-        PointX::from_x_coord(&x)
-    }
 }
 
 impl<Fq: FpTrait> ::std::fmt::Display for PointX<Fq> {

src/protocols/csidh.rs

@@ -28,7 +28,7 @@ pub struct Csidh<Fp: FqTrait, const NUM_ELLS: usize, const FSQRTP: usize> {
 }
 
 pub struct CsidhPrivateKey<const NUM_ELLS: usize> {
-    e: [u64; NUM_ELLS],  // secret degree
+    e: [u32; NUM_ELLS],  // secret degree
     d: [bool; NUM_ELLS], // secret direction
 }
 
@@ -83,27 +83,35 @@ impl<Fp: FqTrait + std::fmt::Debug, const NUM_ELLS: usize, const FSQRTP: usize>
         C24: &Fp,
         rng: &mut R,
     ) -> (PointX<Fp>, bool) {
-        let curve = Curve::<Fp>::curve_from_A24_proj(&A24, &C24);
-        let P = PointX::rand_point(rng);
-
-        // to check if the point is on the curve,
-        // or on the twist
-        let (_, twist) = curve.lift_pointx(&P);
+        // get a random point
+        let x = Fp::rand(rng);
+        let P = PointX::from_x_coord(&x);
+
+        // projective curve: x^3C+4Ax^2−2x^2C2+XC​
+        let tmp = (*A24*x)+(*A24*x);
+        let four_Ax = tmp+tmp;
+        let tmp = *C24*x;
+        let Cxx = tmp*x;
+        let two_Cx = tmp+tmp;
+        
+        // if RHS i a sqrt, it is on the curve
+        let RHS = (Cxx+four_Ax-two_Cx+(*C24))*x;
+        let (_, is_sqrt) = RHS.sqrt();     
 
-        (P, twist == 0)
+        (P, is_sqrt == u32::MAX)
     }
 
     fn sample_secret_key<R: CryptoRng + RngCore>(&self, rng: &mut R) -> CsidhPrivateKey<NUM_ELLS> {
-        let mut e = [0u64; NUM_ELLS];
+        let mut e = [0u32; NUM_ELLS];
         let mut d = [false; NUM_ELLS];
 
         for i in 0..NUM_ELLS {
             // sample exponent between 0 and max_exponent
-            e[i] = rng.next_u64();
-            e[i] >>= 59; // shift to increase probabily to hit the range
-            while e[i] > self.max_exponent as u64 {
-                e[i] = rng.next_u64();
-                e[i] >>= 59;
+            e[i] = rng.next_u32();
+            e[i] >>= 27; // shift to increase probabily to hit the range
+            while e[i] > self.max_exponent as u32 {
+                e[i] = rng.next_u32() ;
+                e[i] >>= 27;
             }
 
             // sample direction
@@ -113,6 +121,10 @@ impl<Fp: FqTrait + std::fmt::Debug, const NUM_ELLS: usize, const FSQRTP: usize>
         CsidhPrivateKey { e, d }
     }
 
+    //
+    //      ACTION
+    //
+
     fn action<R: CryptoRng + RngCore>(
         &self,
         public_key: &CsidhPublicKey<Fp>,
@@ -125,7 +137,7 @@ impl<Fp: FqTrait + std::fmt::Debug, const NUM_ELLS: usize, const FSQRTP: usize>
         let mut sk_e = private_key.e;
         let sk_d = private_key.d;
 
-        let mut done: u64 = sk_e.iter().sum();
+        let mut done: u32 = sk_e.iter().sum();
         while done != 0 {
             let (mut P, direction) = self.rand_point(&A24, &C24, rng);
 
@@ -193,6 +205,13 @@ impl<Fp: FqTrait + std::fmt::Debug, const NUM_ELLS: usize, const FSQRTP: usize>
         }
     }
 
+
+
+    //  
+    //      VERIFICATION
+    //
+
+    /// recursily computes [p+1/l] for all l
     fn cofactor_multiples(&self, P : &mut [PointX<Fp>;NUM_ELLS], A24: &Fp , C24: &Fp, lower: usize, upper: usize) {
         if upper - lower == 1 {
             return;
@@ -238,16 +257,15 @@ impl<Fp: FqTrait + std::fmt::Debug, const NUM_ELLS: usize, const FSQRTP: usize>
                     continue;
                 }
 
+                // P should now have order l, so we verify that by checking [l]P = 0
                 P[i] = Curve::<Fp>::xmul_proj_u64_vartime(&A24, &C24, &P[i], self.primes[i]);
 
                 if P[i].is_zero() == 0 {
                     return false;
                 }
 
+                // if the order of out starting Point is > 4sqrt(p), the curve must be supersingular
                 order = mul_bn_by_u64_vartime(&order[..], self.primes[i]);
-
-                println!("{:#?}", order);
-
                 match bn_compare_vartime(&order[..], &self.four_sqrt_p[..]) {
                     std::cmp::Ordering::Greater => return true,
                     _ => {},

src/protocols/csidh_parameters.rs

@@ -14,7 +14,9 @@ mod csidh_512 {
         283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367, 373, 587,
     ];
 
-    const FOUR_SQRT_P: [u64; 5] = [
+    // not the best place for this...
+    pub const LEN_4SQRTP: usize = 5;
+    const FOUR_SQRT_P: [u64; LEN_4SQRTP] = [
         0x17895e71e1a20b3f,
         0x38d0cd95f8636a56,
         0x142b9541e59682cd,
@@ -23,13 +25,13 @@ mod csidh_512 {
     ];
 
 
-    pub const CSIDH_PARAMS: CsidhParameters<NUM_PRIMES, 5> = CsidhParameters {
+    pub const CSIDH_PARAMS: CsidhParameters<NUM_PRIMES, LEN_4SQRTP> = CsidhParameters {
         max_exponent: MAX_EXPONENT,
         two_cofactor: COFACTOR,
         primes: PRIMES,
         four_sqrt_p: FOUR_SQRT_P,
     };
 }
 
-pub const CSIDH_512: Csidh<Csidh512, { csidh_512::NUM_PRIMES }, 5> =
+pub const CSIDH_512: Csidh<Csidh512, { csidh_512::NUM_PRIMES }, { csidh_512::LEN_4SQRTP}> =
     Csidh::new(&csidh_512::CSIDH_PARAMS);