EC point serialization #141
Conversation
- The bit flags for sign and identity have been flipped for curves with 2 spare bits: Bn256, Pluto and Eris.
src/derive/curve.rs (Outdated)

```rust
// Excerpt of the macro head shown in the review; the remaining parameters and the macro body are not on this page.
#[macro_export]
macro_rules! new_curve_impl {
    (($($privacy:tt)*),
    $name:ident,
    $name_affine:ident,
    $flags_extra_byte:expr,
    $spare_bits:expr,
```
Do you think we can derive $spare_bits from PrimeField::NUM_BITS?
Good idea! Done in 45e3366
@davidnevadoc I left some comments where there could be errors. Pls check the comments.
I believe that the issue of mismatch still exists. In case of 2 spare bits uncompressed format, the proposal says the MSB of P.x stores the identity flag. Current implementation does it differently - reads/writes the identity flag in MSB of P.y. @davidnevadoc Maybe, should we update the proposal doc?
4501c29 to 45e3366:
add: uncompressed identity test; fix: uncompressed serialization; fix: cleanup; fix: review comments; add: compute spare bits from NUM_BITS; fix: strict flag decoding; fix: imports; add: check for the bits in 0 spare bits case

a25b316 to 66ba485:
Modified the docs accordingly and rearranged x,y order.
LGTM! Seen that there are NO flag bits in uncompressed format. Pls update the PR description & HackMD doc as is. @davidnevadoc
LGTM! Great work!
* refactor!: Compressed format for EC points - The bit flags for sign and identity have been flipped for curves with 2 spare bits: Bn256, Pluto and Eris.
* fix: bn test vectors
* fix: update new_impl_curve calls
* refactor! Uncompressed format for EC points
* add: unchecked sered test
* fix: review comments; add: uncompressed identity test; fix: uncompressed serialization; fix: cleanup; fix: review comments; add: compute spare bits from NUM_BITS; fix: strict flag decoding; fix: imports; add: check for the bits in 0 spare bits case
* fix: flip FLAG_BITS
* fix: make to_bytes constant time
* add: Encoding format doc
* fix: typos
* chore: update encoding spec with explicit byte/bit position and endianness
* chore: Remove flags from uncompressed format. Modified the docs accordingly and rearranged x,y order.
--------
Co-authored-by: Eduard S <eduardsanou@posteo.net>
This PR follows up the serialization issue that was brought up in #109.
This PR applies the proposed solution for serialization of EC defined over prime fields with 0, 1 or 2 spare bits. (Bls12-381 has its own standard and has been left out).
Here is a summary with the main changes:
For the serialization of elliptic curve points defined over prime fields:
Change in flags:
- Sign in 7th bit for 0, 1 and 2 spare bits.
- Identity in 6th bit for 0 and 2 spare bits.
⚠️ This changes the serialization of compressed Bn254 points. The flag bits are now flipped.
Uncompressed format does not use flags. The spare bits must be set to 0.

Flag bits, according to the number of spare bits:

1 spare bit.
Compressed format (diagram not included on this page)
Uncompressed format (diagram not included on this page)
b must be != 0.

2 spare bits.
Compressed format (diagram not included on this page)
Uncompressed format (diagram not included on this page)
Spare bits are set to 0.

0 spare bits.
Add an extra byte in the compressed format to hold the flags. Then follow the 2 spare bit flag format.
Compressed format: same as 2 spare bits, with padding (diagram not included on this page).
Uncompressed format (diagram not included on this page)
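The flag layout summarized above, together with the review suggestion of computing the spare-bit count from NUM_BITS, as an added example that is not code from this PR or from halo2curves. It packs and strictly unpacks the sign and identity flags for 0, 1 and 2 spare bits, rejects non-zero padding, and checks that an uncompressed encoding carries no flags. Everything beyond the page's statements is an assumption: coordinates are little-endian byte strings (so the spare bits are the top bits of the last byte), "7th bit" means 0x80 and "6th bit" 0x40, and with 0 spare bits the extra flag byte is appended after the coordinate bytes. The page does not say how the identity is encoded with 1 spare bit, so that case is rejected rather than guessed.

```rust
// Added example, not code from the halo2curves PR: packs and strictly unpacks the
// compressed-point flag bits the PR describes for 0, 1 and 2 spare bits, and checks that an
// uncompressed encoding carries no flags. Assumptions not stated on the page: coordinates
// are little-endian byte strings, so the spare bits are the top bits of the last byte;
// "7th bit" is 0x80 and "6th bit" is 0x40; with 0 spare bits the extra flag byte is
// appended after the coordinate bytes.

const SIGN_FLAG: u8 = 0x80; // 7th bit: sign of y, used with 0, 1 and 2 spare bits
const IDENTITY_FLAG: u8 = 0x40; // 6th bit: point at infinity, used with 0 and 2 spare bits

#[derive(Debug, PartialEq)]
pub enum FlagError {
    BadLength,
    NoIdentityFlag, // the 1-spare-bit layout defines no identity flag on the page
    NonZeroPadding, // spare bits of x, or padding of the extra byte, are not zero
}

/// Decoded compressed point: (x bytes with flags cleared, sign of y, identity).
pub type Decoded = (Vec<u8>, bool, bool);

/// Spare bits derived from the field's NUM_BITS, as suggested in review: bits in the
/// byte representation minus bits used by the modulus. Only 0, 1 and 2 are supported.
pub fn spare_bits(num_bits: u32) -> u32 {
    let spare = ((num_bits + 7) / 8) * 8 - num_bits;
    assert!(spare <= 2, "unsupported spare bit count {}", spare);
    spare
}

/// Mask of the spare bits in the top byte of a coordinate: 0x00, 0x80 or 0xC0.
fn spare_mask(num_bits: u32) -> u8 {
    0xFFu8.checked_shl(8 - spare_bits(num_bits)).unwrap_or(0)
}

/// Compressed encoding of (x, sign of y, identity). With 0 spare bits an extra byte is
/// appended that follows the 2-spare-bit layout, its remaining bits being zero padding.
pub fn compress(x_le: &[u8], num_bits: u32, y_sign: bool, identity: bool) -> Result<Vec<u8>, FlagError> {
    let coord = ((num_bits + 7) / 8) as usize;
    if x_le.len() != coord { return Err(FlagError::BadLength); }
    let spare = spare_bits(num_bits);
    if identity && spare == 1 { return Err(FlagError::NoIdentityFlag); }
    let flags = (if y_sign { SIGN_FLAG } else { 0 }) | (if identity { IDENTITY_FLAG } else { 0 });
    let mut out = x_le.to_vec();
    if spare == 0 {
        out.push(flags);
    } else {
        // The spare bits of x must be free before the flags are written into them.
        if out[coord - 1] & spare_mask(num_bits) != 0 { return Err(FlagError::NonZeroPadding); }
        out[coord - 1] |= flags;
    }
    Ok(out)
}

/// Strict decoding: exact length, and no bit set outside the flags this layout defines.
pub fn decompress(bytes: &[u8], num_bits: u32) -> Result<Decoded, FlagError> {
    let coord = ((num_bits + 7) / 8) as usize;
    let (x_le, flags) = if spare_bits(num_bits) == 0 {
        if bytes.len() != coord + 1 { return Err(FlagError::BadLength); }
        let extra = bytes[coord];
        // Only the two flag bits may be set in the extra byte; its padding must be zero.
        if extra & !(SIGN_FLAG | IDENTITY_FLAG) != 0 { return Err(FlagError::NonZeroPadding); }
        (bytes[..coord].to_vec(), extra)
    } else {
        if bytes.len() != coord { return Err(FlagError::BadLength); }
        // With 1 spare bit the mask is 0x80, so bit 6 stays part of x and is never read
        // as an identity flag; with 2 spare bits both flag bits are stripped from x.
        let mask = spare_mask(num_bits);
        let mut x = bytes.to_vec();
        let flags = x[coord - 1] & mask;
        x[coord - 1] &= !mask;
        (x, flags)
    };
    Ok((x_le, flags & SIGN_FLAG != 0, flags & IDENTITY_FLAG != 0))
}

/// Uncompressed format has no flags: the spare bits of both coordinates must be zero.
pub fn uncompressed_spare_bits_clear(x_le: &[u8], y_le: &[u8], num_bits: u32) -> bool {
    let mask = spare_mask(num_bits);
    match (x_le.last(), y_le.last()) {
        (Some(&xb), Some(&yb)) => xb & mask == 0 && yb & mask == 0,
        _ => false,
    }
}

fn main() {
    // Constructed sample: a 254-bit field (2 spare bits, the Bn256 case) with x = 1.
    let mut x = vec![0u8; 32];
    x[0] = 1;
    let enc = compress(&x, 254, true, false).unwrap();
    println!("last byte {:#04x} -> {:?}", enc[31], decompress(&enc, 254)); // 0x80: sign set
}
```

The decoder deliberately fails closed: a wrong length, a flag bit the layout does not define, or a non-zero padding bit in the extra byte all return an error instead of being silently masked off, which is what "strict flag decoding" in the commit list means in practice and what keeps an encoding from having two accepted byte forms.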