kwantam
commented
3 years ago I did a bit more pseudocode cleanup, both for sqrt_ratio and for the constant-time Tonelli-Shanks impl in a different appendix (and I back-ported the changed code to the codebase, and tested it).
The goal was to remove expressions from CMOVs, just to emphasize that every expression needs to be evaluated in a straight-line impl.
daira
(cc @chris-wood @daira @armfazh)
This PR does the following:
S, which does not appear necessary (discussion below)The generic
sqrt_ratioroutine has a constantSthat was previously defined as a primitive element of the field. This certainly works, but there are two issues with it:S != Zneeds an extra "cleanup" multiplication and a corresponding constant in the sswu routineq - 1, and I'm not aware of another method. This is infeasible for BLS12-381 G2, for example.Fortunately, we don't actually need
Sto be a primitive element of F. Definingq - 1 = 2^l * owithoodd, what we actually need is thatS^ogenerates the multiplicative subgroup of order2^l. This is satisfied by any non-square in F: ifSis non-square, thenS^ois also non-square (becauseois odd), and is also an element of the order-2^lsubgroup by construction. Moreover, any element of this subgroup that is a non-square in F must generate the subgroup, and likewise any generator must be non-square in F. Since we require the constantZto be non-square already, and since the genericsqrt_ratioroutine already computesS^o, settingS = Zappears to suffice.But @daira I'd appreciate if you'd double check me on the above!