Banderwagon: clearing cofactors - Githubissues

mratsim / constantine

Constantine: modular, high-performance, zero-dependency cryptography stack for verifiable computation, proof systems and blockchain protocols.

Other

413 stars 44 forks source link

Banderwagon: clearing cofactors #378

Closed mratsim closed 5 months ago

mratsim commented 6 months ago

The documentation is clear on clearing Bandersnatch cofactor: https://hackmd.io/@6iQDuIePQjyYBqDChYw_jg/BJBNcv9fq#Bandersnatch-Subgroup

However it is unclear if this also applies for Banderwagon.

Clearing cofactor is necessary for a generic test suites for endomorphism acceleration (see #298)

The alternatives are:

Repeatedly creating points and checking if (1-aX²)/p = 1 which is not ideally if probability is low as it will slow down CI.
Or scalar multiplying a generator point. This is somewhat self-defeating if what we want to test is scalar multiplication

mratsim commented 5 months ago

There is no cofactor to clear since the curve is of prime order. However we can move from Bandersnatch to Banderwagon by adapting the deserialization strategy.