p256: implement Scalar::sqrt
#392
Merged
Conversation
Implements the Tonelli-Shanks algorithm for q mod 16 = 1 as synthesized using the `ff_derive` crate, then modified to use `Self::pow_vartime` (with a fixed exponent, where it is only variable time with respect to the exponent).

As part of implementing this, it was discovered that `root_of_unity()` was incorrect. I calculated it using sage:

```sage
sage: n = 115792089210356248762697446949407573529996955224135760342422259061068512044369
sage: GF(n).primitive_element()
7
sage: s = 4
sage: t = (n - 1) >> s
sage: power_mod(7,t,n)
115695789336771192084080718687965001507772259361175921799893286721837170845186
```

Closes #170
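The square root this PR adds, re-derived as an added Python example that is not part of the PR or the p256 crate: it recomputes `root_of_unity()` from the sage session in the description, checks that the result really is a primitive 2^s-th root of unity before relying on it, and runs Tonelli-Shanks over the P-256 scalar field. `N`, `S`, `T` and the generator `7` come from the description; the sample scalar `x` is constructed.

```python
# Added example (not code from the p256 crate): Tonelli-Shanks square roots in the
# P-256 scalar field GF(n), re-deriving root_of_unity() as in the PR description.

N = 115792089210356248762697446949407573529996955224135760342422259061068512044369  # P-256 order n
S = 4                # n - 1 = 2^S * T with T odd; n mod 16 == 1, so S == 4
T = (N - 1) >> S
GENERATOR = 7        # GF(n).primitive_element() as reported by sage in the description
# power_mod(7, t, n) as quoted in the PR description; recomputed on the next line.
EXPECTED_ROOT_OF_UNITY = 115695789336771192084080718687965001507772259361175921799893286721837170845186
ROOT_OF_UNITY = pow(GENERATOR, T, N)


def is_primitive_2s_root(z: int) -> bool:
    """True if z has multiplicative order exactly 2^S: z^(2^S) == 1 and z^(2^(S-1)) == -1."""
    return pow(z, 1 << S, N) == 1 and pow(z, 1 << (S - 1), N) == N - 1


def sqrt_mod_n(a: int):
    """Tonelli-Shanks over GF(n): returns a square root of a, or None for a non-residue.

    Loop invariants: r^2 == a * t, c has order exactly 2^m, and t^(2^m) == 1.
    """
    a %= N
    if a == 0:
        return 0
    m, c = S, ROOT_OF_UNITY
    t, r = pow(a, T, N), pow(a, (T + 1) // 2, N)
    while t != 1:
        i, tt = 0, t             # find the least i with t^(2^i) == 1
        while tt != 1:
            tt, i = tt * tt % N, i + 1
        if i == m:               # t has full order 2^S, so a^((n-1)/2) == -1: non-residue
            return None
        b = pow(c, 1 << (m - i - 1), N)
        m, c = i, b * b % N
        t, r = t * c % N, r * b % N
    return r


if __name__ == "__main__":
    assert ROOT_OF_UNITY == EXPECTED_ROOT_OF_UNITY and is_primitive_2s_root(ROOT_OF_UNITY)
    x = 0x1234567890ABCDEF1234567890ABCDEF  # constructed sample scalar
    root = sqrt_mod_n(x * x % N)
    assert root in (x, N - x)
    assert sqrt_mod_n(GENERATOR) is None    # a primitive element is never a square
    print("root_of_unity verified; sqrt round-trips")
```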
Codecov Report

```text
@@ Coverage Diff @@
##           master     #392      +/-   ##
==========================================
+ Coverage   59.06%   59.40%   +0.33%
==========================================
  Files          29       29
  Lines        4175     4207      +32
==========================================
+ Hits         2466     2499      +33
+ Misses       1709     1708       -1
```

Continue to review full report at Codecov.
tarcieri added a commit that referenced this pull request on Aug 31, 2021:

Implements the Tonelli-Shanks algorithm for q mod 16 = 1 as synthesized using the `ff_derive` crate, similar to #392 which implements it for `p256`. Like `p256`, as part of implementing this it was discovered that `root_of_unity()` was incorrect. Here it is (re)calculated with sage:

```sage
sage: n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
sage: GF(n).primitive_element()
7
sage: s = 6
sage: t = (n - 1) >> s
sage: power_mod(7,t,n)
5480320495727936603795231718619559942670027629901634955707709633242980176626
```

Note that the value was computed correctly originally, but the hex digits were shifted such that the resulting value was left shifted by 4 bits. This has now been corrected.