Generate out of prime subgroup accumulator base for SW

davxy · Nov 11, 2024 · bb08915 · bb08915
1 parent 6cc0a2d
commit bb08915
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 10 deletions.
diff --git a/src/ring.rs b/src/ring.rs
@@ -368,10 +368,11 @@ pub(crate) mod testing {
     pub fn accumulator_base_check<S: RingSuite>()
     where
         BaseField<S>: ark_ff::PrimeField,
-        AffinePoint<S>: ring_proof::AffineCondAdd,
+        AffinePoint<S>: ring_proof::AffineCondAdd + utils::common::FindAccumulatorBase<S>,
     {
+        use utils::common::FindAccumulatorBase;
         const ACCUMULATOR_BASE_SEED: &[u8] = b"w3f/ring-proof/accumulator";
-        let p = S::data_to_point(ACCUMULATOR_BASE_SEED).unwrap();
+        let p = AffinePoint::<S>::find_accumulator_base(ACCUMULATOR_BASE_SEED).unwrap();
         assert_eq!(S::ACCUMULATOR_BASE, p);
     }
 

diff --git a/src/suites/bandersnatch.rs b/src/suites/bandersnatch.rs
@@ -98,10 +98,10 @@ pub mod weierstrass {
 
             const ACCUMULATOR_BASE: AffinePoint = {
                 const X: BaseField = MontFp!(
-                    "35802491285899595673230581729646824849514038723976226341205595068750227004007"
+                    "15150996146563882842769969038633761710782764651218288537939960956638818073022"
                 );
                 const Y: BaseField = MontFp!(
-                    "17572023958760623860499337087020156281410269069550950996534533909010878422310"
+                    "16757608954684538402264076732157050129188667760550924730618160766485829703559"
                 );
                 AffinePoint::new_unchecked(X, Y)
             };

diff --git a/src/utils/common.rs b/src/utils/common.rs
@@ -1,6 +1,10 @@
 use crate::*;
 
-use ark_ec::AffineRepr;
+use ark_ec::{
+    short_weierstrass::{self, SWCurveConfig},
+    twisted_edwards::{self, TECurveConfig},
+    AffineRepr,
+};
 use ark_ff::PrimeField;
 use digest::{Digest, FixedOutputReset};
 
@@ -92,9 +96,9 @@ pub fn hash_to_curve_ell2_rfc_9380<S: Suite>(
 ) -> Option<AffinePoint<S>>
 where
     <S as Suite>::Hasher: Default + Clone + FixedOutputReset + 'static,
-    crate::CurveConfig<S>: ark_ec::twisted_edwards::TECurveConfig,
-    crate::CurveConfig<S>: crate::utils::elligator2::Elligator2Config,
-    crate::utils::elligator2::Elligator2Map<crate::CurveConfig<S>>:
+    CurveConfig<S>: ark_ec::twisted_edwards::TECurveConfig,
+    CurveConfig<S>: utils::elligator2::Elligator2Config,
+    utils::elligator2::Elligator2Map<CurveConfig<S>>:
         ark_ec::hashing::map_to_curve_hasher::MapToCurve<<AffinePoint<S> as AffineRepr>::Group>,
 {
     use ark_ec::hashing::HashToCurve;
@@ -111,7 +115,7 @@ where
     let hasher = ark_ec::hashing::map_to_curve_hasher::MapToCurveBasedHasher::<
         <AffinePoint<S> as AffineRepr>::Group,
         ark_ff::field_hashers::DefaultFieldHasher<<S as Suite>::Hasher, SEC_PARAM>,
-        crate::utils::elligator2::Elligator2Map<crate::CurveConfig<S>>,
+        utils::elligator2::Elligator2Map<CurveConfig<S>>,
     >::new(&dst)
     .ok()?;
 
@@ -208,10 +212,71 @@ where
     S::Codec::scalar_decode(&v)
 }
 
+pub trait FindComplementPoint<C: ark_ec::CurveConfig>: Sized {
+    fn try_from(r: C::BaseField) -> Option<Self>;
+
+    fn find_complement_point() -> Self {
+        use ark_ff::{One, Zero};
+        assert!(!C::cofactor_is_one());
+        let mut r = C::BaseField::zero();
+        loop {
+            if let Some(p) = Self::try_from(r) {
+                return p;
+            }
+            r += C::BaseField::one();
+        }
+    }
+}
+
+impl<C: SWCurveConfig> FindComplementPoint<C> for short_weierstrass::Affine<C> {
+    fn try_from(r: C::BaseField) -> Option<Self> {
+        Self::get_point_from_x_unchecked(r, false)
+            .filter(|p| !p.is_in_correct_subgroup_assuming_on_curve())
+    }
+}
+
+impl<C: TECurveConfig> FindComplementPoint<C> for twisted_edwards::Affine<C> {
+    fn try_from(r: C::BaseField) -> Option<Self> {
+        Self::get_point_from_y_unchecked(r, false)
+            .filter(|p| !p.is_in_correct_subgroup_assuming_on_curve())
+    }
+}
+
+pub trait FindAccumulatorBase<S: Suite>: Sized {
+    #[allow(dead_code)]
+    fn find_accumulator_base(data: &[u8]) -> Option<Self>;
+}
+
+impl<S, C> FindAccumulatorBase<S> for short_weierstrass::Affine<C>
+where
+    C: SWCurveConfig,
+    S: Suite<Affine = Self>,
+{
+    fn find_accumulator_base(data: &[u8]) -> Option<Self> {
+        let p = S::data_to_point(data)?;
+        let c = Self::find_complement_point();
+        let res = (p + c).into_affine();
+        debug_assert!(!res.is_in_correct_subgroup_assuming_on_curve());
+        Some(res)
+    }
+}
+
+impl<S, C> FindAccumulatorBase<S> for twisted_edwards::Affine<C>
+where
+    C: TECurveConfig,
+    S: Suite<Affine = Self>,
+{
+    fn find_accumulator_base(data: &[u8]) -> Option<Self> {
+        let res = S::data_to_point(data)?;
+        debug_assert!(res.is_in_correct_subgroup_assuming_on_curve());
+        Some(res)
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::suites::testing::TestSuite;
+    use suites::testing::TestSuite;
 
     #[test]
     fn hash_to_curve_tai_works() {