Compression for bls12381 (lambdaclass#904)

lazcanoluca · web-flow · commit 3795dbc6368d · 2024-09-04T16:20:57.000Z
* Define trait Compress * Implement `Compress` for short weierstrass with BLS12381 curve The implementation was ported and adapted from https://github.com/lambdaclass/lambdaworks_kzg/blob/8f031b1f32e170c1af06029e46c73404f4c85e2e/src/compression.rs#L29. * Implement `decompress_g2_point` for BLS12381 The implementation was ported from https://github.com/lambdaclass/lambdaworks_kzg/blob/8f031b1f32e170c1af06029e46c73404f4c85e2e/src/compression.rs#L105 * Use `Compress` trait in BLS12381 benches * Fix return type `Compress` for no std * Fix no std for Compress trait * Remove alias types public visibility * Fix typo * Change `Compress` implementation from G1 point to bls12381 curve * Fix use of bls12381 compression in benches
diff --git a/math/benches/elliptic_curves/bls12_381.rs b/math/benches/elliptic_curves/bls12_381.rs
@@ -2,11 +2,11 @@ use criterion::{black_box, Criterion};
 use lambdaworks_math::{
     cyclic_group::IsGroup,
     elliptic_curve::{
-        short_weierstrass::curves::bls12_381::{
-            compression::{compress_g1_point, decompress_g1_point},
-            curve::BLS12381Curve,
-            pairing::BLS12381AtePairing,
-            twist::BLS12381TwistCurve,
+        short_weierstrass::{
+            curves::bls12_381::{
+                curve::BLS12381Curve, pairing::BLS12381AtePairing, twist::BLS12381TwistCurve,
+            },
+            traits::Compress,
         },
         traits::{IsEllipticCurve, IsPairing},
     },
@@ -70,13 +70,13 @@ pub fn bls12_381_elliptic_curve_benchmarks(c: &mut Criterion) {
 
     // Compress_G1_point
     group.bench_function("Compress G1 point", |bencher| {
-        bencher.iter(|| black_box(compress_g1_point(black_box(&a_g1))));
+        bencher.iter(|| black_box(BLS12381Curve::compress_g1_point(black_box(&a_g1))));
     });
 
     // Decompress_G1_point
     group.bench_function("Decompress G1 Point", |bencher| {
-        let a: [u8; 48] = compress_g1_point(&a_g1).try_into().unwrap();
-        bencher.iter(|| black_box(decompress_g1_point(&mut black_box(a))).unwrap());
+        let a: [u8; 48] = BLS12381Curve::compress_g1_point(&a_g1).try_into().unwrap();
+        bencher.iter(|| black_box(BLS12381Curve::decompress_g1_point(&mut black_box(a))).unwrap());
     });
 
     // Subgroup Check G1
diff --git a/math/benches/elliptic_curves/iai_bls12_381.rs b/math/benches/elliptic_curves/iai_bls12_381.rs
@@ -4,16 +4,15 @@ use lambdaworks_math::{
     elliptic_curve::{
         short_weierstrass::{
             curves::bls12_381::{
-                compression::{compress_g1_point, decompress_g1_point},
-                curve::BLS12381Curve,
-                pairing::BLS12381AtePairing,
-                twist::BLS12381TwistCurve,
+                curve::BLS12381Curve, pairing::BLS12381AtePairing, twist::BLS12381TwistCurve,
             },
             point::ShortWeierstrassProjectivePoint,
+            traits::Compress,
         },
         traits::{IsEllipticCurve, IsPairing},
     },
 };
+
 use rand::{rngs::StdRng, Rng, SeedableRng};
 #[allow(dead_code)]
 type G1 = ShortWeierstrassProjectivePoint<BLS12381Curve>;
@@ -91,14 +90,14 @@ pub fn bls12_381_neg_g2() {
 #[allow(dead_code)]
 pub fn bls12_381_compress_g1() {
     let (a, _, _, _) = rand_points_g1();
-    let _ = black_box(compress_g1_point(black_box(&a)));
+    let _ = black_box(BLS12381Curve::compress_g1_point(black_box(&a)));
 }
 
 #[allow(dead_code)]
 pub fn bls12_381_decompress_g1() {
     let (a, _, _, _) = rand_points_g1();
-    let a: [u8; 48] = compress_g1_point(&a).try_into().unwrap();
-    let _ = black_box(decompress_g1_point(&mut black_box(a))).unwrap();
+    let a: [u8; 48] = BLS12381Curve::compress_g1_point(&a).try_into().unwrap();
+    let _ = black_box(BLS12381Curve::decompress_g1_point(&mut black_box(a))).unwrap();
 }
 
 #[allow(dead_code)]
diff --git a/math/src/elliptic_curve/short_weierstrass/curves/bls12_381/compression.rs b/math/src/elliptic_curve/short_weierstrass/curves/bls12_381/compression.rs
@@ -1,7 +1,14 @@
-use super::field_extension::BLS12381PrimeField;
+use super::{field_extension::BLS12381PrimeField, twist::BLS12381TwistCurve};
 use crate::{
-    elliptic_curve::short_weierstrass::{
-        curves::bls12_381::curve::BLS12381Curve, point::ShortWeierstrassProjectivePoint,
+    elliptic_curve::{
+        short_weierstrass::{
+            curves::bls12_381::{
+                curve::BLS12381Curve, field_extension::Degree2ExtensionField, sqrt,
+            },
+            point::ShortWeierstrassProjectivePoint,
+            traits::Compress,
+        },
+        traits::IsEllipticCurve,
     },
     field::element::FieldElement,
 };
@@ -12,95 +19,138 @@ use crate::{
     traits::ByteConversion,
 };
 
-pub type G1Point = ShortWeierstrassProjectivePoint<BLS12381Curve>;
-pub type BLS12381FieldElement = FieldElement<BLS12381PrimeField>;
-
-pub fn decompress_g1_point(input_bytes: &mut [u8; 48]) -> Result<G1Point, ByteConversionError> {
-    let first_byte = input_bytes.first().unwrap();
-    // We get the 3 most significant bits
-    let prefix_bits = first_byte >> 5;
-    let first_bit = (prefix_bits & 4_u8) >> 2;
-    // If first bit is not 1, then the value is not compressed.
-    if first_bit != 1 {
-        return Err(ByteConversionError::ValueNotCompressed);
-    }
-    let second_bit = (prefix_bits & 2_u8) >> 1;
-    // If the second bit is 1, then the compressed point is the
-    // point at infinity and we return it directly.
-    if second_bit == 1 {
-        return Ok(G1Point::neutral_element());
+type G1Point = ShortWeierstrassProjectivePoint<BLS12381Curve>;
+type BLS12381FieldElement = FieldElement<BLS12381PrimeField>;
+
+impl Compress for BLS12381Curve {
+    type G1Point = G1Point;
+
+    type G2Point = <BLS12381TwistCurve as IsEllipticCurve>::PointRepresentation;
+
+    type Error = ByteConversionError;
+
+    #[cfg(feature = "alloc")]
+    fn compress_g1_point(point: &Self::G1Point) -> alloc::vec::Vec<u8> {
+        if *point == G1Point::neutral_element() {
+            // point is at infinity
+            let mut x_bytes = alloc::vec![0_u8; 48];
+            x_bytes[0] |= 1 << 7;
+            x_bytes[0] |= 1 << 6;
+            x_bytes
+        } else {
+            // point is not at infinity
+            let point_affine = point.to_affine();
+            let x = point_affine.x();
+            let y = point_affine.y();
+
+            let mut x_bytes = x.to_bytes_be();
+
+            // Set first bit to to 1 indicate this is compressed element.
+            x_bytes[0] |= 1 << 7;
+
+            let y_neg = core::ops::Neg::neg(y);
+            if y_neg.representative() < y.representative() {
+                x_bytes[0] |= 1 << 5;
+            }
+            x_bytes
+        }
     }
-    let third_bit = prefix_bits & 1_u8;
-
-    let first_byte_without_control_bits = (first_byte << 3) >> 3;
-    input_bytes[0] = first_byte_without_control_bits;
-
-    let x = BLS12381FieldElement::from_bytes_be(input_bytes)?;
-
-    // We apply the elliptic curve formula to know the y^2 value.
-    let y_squared = x.pow(3_u16) + BLS12381FieldElement::from(4);
-
-    let (y_sqrt_1, y_sqrt_2) = &y_squared.sqrt().ok_or(ByteConversionError::InvalidValue)?;
-
-    // we call "negative" to the greate root,
-    // if the third bit is 1, we take this grater value.
-    // Otherwise, we take the second one.
-    let y = match (
-        y_sqrt_1.representative().cmp(&y_sqrt_2.representative()),
-        third_bit,
-    ) {
-        (Ordering::Greater, 0) => y_sqrt_2,
-        (Ordering::Greater, _) => y_sqrt_1,
-        (Ordering::Less, 0) => y_sqrt_1,
-        (Ordering::Less, _) => y_sqrt_2,
-        (Ordering::Equal, _) => y_sqrt_1,
-    };
 
-    let point =
-        G1Point::from_affine(x, y.clone()).map_err(|_| ByteConversionError::InvalidValue)?;
+    fn decompress_g1_point(input_bytes: &mut [u8; 48]) -> Result<Self::G1Point, Self::Error> {
+        let first_byte = input_bytes.first().unwrap();
+        // We get the 3 most significant bits
+        let prefix_bits = first_byte >> 5;
+        let first_bit = (prefix_bits & 4_u8) >> 2;
+        // If first bit is not 1, then the value is not compressed.
+        if first_bit != 1 {
+            return Err(ByteConversionError::ValueNotCompressed);
+        }
+        let second_bit = (prefix_bits & 2_u8) >> 1;
+        // If the second bit is 1, then the compressed point is the
+        // point at infinity and we return it directly.
+        if second_bit == 1 {
+            return Ok(G1Point::neutral_element());
+        }
+        let third_bit = prefix_bits & 1_u8;
 
-    point
-        .is_in_subgroup()
-        .then_some(point)
-        .ok_or(ByteConversionError::PointNotInSubgroup)
-}
+        let first_byte_without_control_bits = (first_byte << 3) >> 3;
+        input_bytes[0] = first_byte_without_control_bits;
+
+        let x = BLS12381FieldElement::from_bytes_be(input_bytes)?;
+
+        // We apply the elliptic curve formula to know the y^2 value.
+        let y_squared = x.pow(3_u16) + BLS12381FieldElement::from(4);
+
+        let (y_sqrt_1, y_sqrt_2) = &y_squared.sqrt().ok_or(ByteConversionError::InvalidValue)?;
+
+        // we call "negative" to the greate root,
+        // if the third bit is 1, we take this grater value.
+        // Otherwise, we take the second one.
+        let y = match (
+            y_sqrt_1.representative().cmp(&y_sqrt_2.representative()),
+            third_bit,
+        ) {
+            (Ordering::Greater, 0) => y_sqrt_2,
+            (Ordering::Greater, _) => y_sqrt_1,
+            (Ordering::Less, 0) => y_sqrt_1,
+            (Ordering::Less, _) => y_sqrt_2,
+            (Ordering::Equal, _) => y_sqrt_1,
+        };
+
+        let point =
+            G1Point::from_affine(x, y.clone()).map_err(|_| ByteConversionError::InvalidValue)?;
+
+        point
+            .is_in_subgroup()
+            .then_some(point)
+            .ok_or(ByteConversionError::PointNotInSubgroup)
+    }
+
+    #[allow(unused)]
+    fn decompress_g2_point(input_bytes: &mut [u8; 96]) -> Result<Self::G2Point, Self::Error> {
+        let first_byte = input_bytes.first().unwrap();
 
-#[cfg(feature = "alloc")]
-pub fn compress_g1_point(point: &G1Point) -> alloc::vec::Vec<u8> {
-    if *point == G1Point::neutral_element() {
-        // point is at infinity
-        let mut x_bytes = alloc::vec![0_u8; 48];
-        x_bytes[0] |= 1 << 7;
-        x_bytes[0] |= 1 << 6;
-        x_bytes
-    } else {
-        // point is not at infinity
-        let point_affine = point.to_affine();
-        let x = point_affine.x();
-        let y = point_affine.y();
-
-        let mut x_bytes = x.to_bytes_be();
-
-        // Set first bit to to 1 indicate this is compressed element.
-        x_bytes[0] |= 1 << 7;
-
-        let y_neg = core::ops::Neg::neg(y);
-        if y_neg.representative() < y.representative() {
-            x_bytes[0] |= 1 << 5;
+        // We get the first 3 bits
+        let prefix_bits = first_byte >> 5;
+        let first_bit = (prefix_bits & 4_u8) >> 2;
+        // If first bit is not 1, then the value is not compressed.
+        if first_bit != 1 {
+            return Err(ByteConversionError::InvalidValue);
+        }
+        let second_bit = (prefix_bits & 2_u8) >> 1;
+        // If the second bit is 1, then the compressed point is the
+        // point at infinity and we return it directly.
+        if second_bit == 1 {
+            return Ok(Self::G2Point::neutral_element());
         }
-        x_bytes
+
+        let first_byte_without_control_bits = (first_byte << 3) >> 3;
+        input_bytes[0] = first_byte_without_control_bits;
+
+        let input0 = &input_bytes[48..];
+        let input1 = &input_bytes[0..48];
+        let x0 = BLS12381FieldElement::from_bytes_be(input0).unwrap();
+        let x1 = BLS12381FieldElement::from_bytes_be(input1).unwrap();
+        let x: FieldElement<Degree2ExtensionField> = FieldElement::new([x0, x1]);
+
+        const VALUE: BLS12381FieldElement = BLS12381FieldElement::from_hex_unchecked("4");
+        let b_param_qfe = FieldElement::<Degree2ExtensionField>::new([VALUE, VALUE]);
+
+        let y = sqrt::sqrt_qfe(&(x.pow(3_u64) + b_param_qfe), 0)
+            .ok_or(ByteConversionError::InvalidValue)?;
+
+        Self::G2Point::from_affine(x, y).map_err(|_| ByteConversionError::InvalidValue)
     }
 }
 
 #[cfg(test)]
 mod tests {
     use super::{BLS12381FieldElement, G1Point};
     use crate::elliptic_curve::short_weierstrass::curves::bls12_381::curve::BLS12381Curve;
+    use crate::elliptic_curve::short_weierstrass::traits::Compress;
     use crate::elliptic_curve::traits::{FromAffine, IsEllipticCurve};
 
     #[cfg(feature = "alloc")]
-    use super::compress_g1_point;
-    use super::decompress_g1_point;
     use crate::{
         cyclic_group::IsGroup, traits::ByteConversion, unsigned_integer::element::UnsignedInteger,
     };
@@ -121,8 +171,10 @@ mod tests {
     #[cfg(feature = "alloc")]
     #[test]
     fn test_g1_compress_generator() {
+        use crate::elliptic_curve::short_weierstrass::traits::Compress;
+
         let g = BLS12381Curve::generator();
-        let mut compressed_g = compress_g1_point(&g);
+        let mut compressed_g = BLS12381Curve::compress_g1_point(&g);
         let first_byte = compressed_g.first().unwrap();
 
         let first_byte_without_control_bits = (first_byte << 3) >> 3;
@@ -137,8 +189,10 @@ mod tests {
     #[cfg(feature = "alloc")]
     #[test]
     fn test_g1_compress_point_at_inf() {
+        use crate::elliptic_curve::short_weierstrass::traits::Compress;
+
         let inf = G1Point::neutral_element();
-        let compressed_inf = compress_g1_point(&inf);
+        let compressed_inf = BLS12381Curve::compress_g1_point(&inf);
         let first_byte = compressed_inf.first().unwrap();
 
         assert_eq!(*first_byte >> 6, 3_u8);
@@ -147,11 +201,13 @@ mod tests {
     #[cfg(feature = "alloc")]
     #[test]
     fn test_compress_decompress_generator() {
+        use crate::elliptic_curve::short_weierstrass::traits::Compress;
+
         let g = BLS12381Curve::generator();
-        let compressed_g = compress_g1_point(&g);
+        let compressed_g = BLS12381Curve::compress_g1_point(&g);
         let mut compressed_g_slice: [u8; 48] = compressed_g.try_into().unwrap();
 
-        let decompressed_g = decompress_g1_point(&mut compressed_g_slice).unwrap();
+        let decompressed_g = BLS12381Curve::decompress_g1_point(&mut compressed_g_slice).unwrap();
 
         assert_eq!(g, decompressed_g);
     }
@@ -163,10 +219,10 @@ mod tests {
         // calculate g point operate with itself
         let g_2 = g.operate_with_self(UnsignedInteger::<4>::from("2"));
 
-        let compressed_g2 = compress_g1_point(&g_2);
+        let compressed_g2 = BLS12381Curve::compress_g1_point(&g_2);
         let mut compressed_g2_slice: [u8; 48] = compressed_g2.try_into().unwrap();
 
-        let decompressed_g2 = decompress_g1_point(&mut compressed_g2_slice).unwrap();
+        let decompressed_g2 = BLS12381Curve::decompress_g1_point(&mut compressed_g2_slice).unwrap();
 
         assert_eq!(g_2, decompressed_g2);
     }
diff --git a/math/src/elliptic_curve/short_weierstrass/traits.rs b/math/src/elliptic_curve/short_weierstrass/traits.rs
@@ -1,3 +1,4 @@
+use crate::cyclic_group::IsGroup;
 use crate::elliptic_curve::traits::IsEllipticCurve;
 use crate::field::element::FieldElement;
 use core::fmt::Debug;
@@ -18,3 +19,16 @@ pub trait IsShortWeierstrass: IsEllipticCurve + Clone + Debug {
         y.pow(2_u16) - x.pow(3_u16) - Self::a() * x - Self::b()
     }
 }
+
+pub trait Compress {
+    type G1Point: IsGroup;
+    type G2Point: IsGroup;
+    type Error;
+
+    #[cfg(feature = "alloc")]
+    fn compress_g1_point(point: &Self::G1Point) -> alloc::vec::Vec<u8>;
+
+    fn decompress_g1_point(input_bytes: &mut [u8; 48]) -> Result<Self::G1Point, Self::Error>;
+
+    fn decompress_g2_point(input_bytes: &mut [u8; 96]) -> Result<Self::G2Point, Self::Error>;
+}
