Skip to content

group crate refactoring#230

Merged
str4d merged 11 commits into
zcash:masterfrom
str4d:group-trait
May 18, 2020
Merged

group crate refactoring#230
str4d merged 11 commits into
zcash:masterfrom
str4d:group-trait

Conversation

@str4d
Copy link
Copy Markdown
Contributor

@str4d str4d commented May 14, 2020

The new Group trait represents a cryptographic group with a large prime-order subgroup and a small cofactor. The PrimeGroup trait further constrains the group to have a cofactor of one. CurveProjective now primarily contains EC-specific functionality.

Part of #161.

str4d added 9 commits May 15, 2020 00:20
@str4d
Remove explicit std::marker from Sized bound
d7d4928 
Sized is always part of the prelude, and binding on std causes
compilation issues for no-std crates.
@str4d
group: Rename zero and one to identity and generator
4f2220f
@str4d
Make CurveProjective::double take &self and return Self
8add78a
@str4d
Remove Engine associated type from CurveAffine and CurveProjective
7203a7a 
The type Curve*::Engine::Fr is equivalent to Curve*::Scalar, making
Engine a redundant associated type.
@str4d
group: Introduce Group and PrimeGroup traits
69f53fe 
Group represents a cryptographic group with a large prime-order subgroup
and a small cofactor. PrimeGroup further constrains the group to have a
cofactor of one.
@str4d
group: Define group operations on Group trait
5397d73 
The GroupOps trait represents the group operation (addition), and the
combination of the group operation with group inversion (subtraction).
Group inversion (negation) is constrained directly on the Group trait.
@str4d
group: Sum + for<'a> Sum<&'a Self> bounds for Group
e3d8428
@str4d
group: Move CurveProjective::double to Group
d2aa87f
@str4d
group: Add Group::Subgroup associated type
0df950d 
For prime-order groups, this may be Self.
@str4d str4d requested a review from ebfull May 14, 2020 12:24
@codecov
Copy link
Copy Markdown

codecov Bot commented May 14, 2020
edited
Loading

Codecov Report

Merging #230 into master will increase coverage by 0.11%.
The diff coverage is 78.06%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #230      +/-   ##
==========================================
+ Coverage   65.25%   65.37%   +0.11%     
==========================================
  Files         106      106              
  Lines       14973    14968       -5     
==========================================
+ Hits         9771     9785      +14     
+ Misses       5202     5183      -19
Impacted Files Coverage Δ
bellman/src/domain.rs 63.58% <0.00%> (ø)
ff/ff_derive/src/lib.rs 15.38% <ø> (ø)
ff/src/lib.rs 47.29% <ø> (ø)
group/src/lib.rs 11.76% <ø> (ø)
pairing/src/bls12_381/fq2.rs 63.17% <0.00%> (+1.16%) ⬆️
pairing/src/bls12_381/fq6.rs 48.90% <0.00%> (ø)
pairing/src/lib.rs 75.00% <ø> (ø)
bellman/src/groth16/tests/dummy_engine.rs 7.64% <5.55%> (+0.54%) ⬆️
group/src/wnaf.rs 66.07% <60.00%> (-0.60%) ⬇️
pairing/src/bls12_381/ec.rs 74.27% <84.93%> (+1.17%) ⬆️
... and 31 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 41d9f29...669f2b4. Read the comment docs.

@str4d
Copy link
Copy Markdown
Contributor Author

str4d commented May 14, 2020

The first commit in this PR is also in #227; I'll rebase whichever PR is not merged first.

@str4d str4d mentioned this pull request May 14, 2020
Merged
@daira
Copy link
Copy Markdown
Contributor

daira commented May 17, 2020

Group is implemented for Fr, as the additive group (Fr, +). This is a little strange because that's not a cryptographic group, and it's only one of two natural choices of implementation, the other being the multiplicative group (Fr*, *). Do we actually use the Group implementation for Fr?

@ebfull
Copy link
Copy Markdown
Collaborator

ebfull commented May 18, 2020

We want to be able to apply FFTs either to elements of the group or to the scalars themselves, which requires us to reason about a shared "scalar" field and group-like arithmetic in either case.

@str4d str4d merged commit 4969ad4 into zcash:master May 18, 2020
daira
daira reviewed May 21, 2020
View reviewed changes
Comment thread group/src/lib.rs
/// Returns the additive identity.
fn zero() -> Self;
/// Returns the additive identity, also known as the "neutral element".
fn identity() -> Self;
Copy link
Copy Markdown
Contributor

@daira daira May 17, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I actually prefer zero for the additive identity. So I would prefer to revert all of the s/zero/identity/ changes. I find zero more natural especially if we're implementing Add and Neg. additive_identity is too long, and identity is ambiguous.

Comment thread group/src/lib.rs
/// Returns a fixed generator of unknown exponent.
fn one() -> Self;
/// Returns a fixed generator of the prime-order subgroup.
fn generator() -> Self::Subgroup;
Copy link
Copy Markdown
Contributor

@daira daira May 17, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This on the other hand, is much better.

Comment thread group/src/lib.rs
Comment on lines 151 to 152
/// Determines if this point represents the point at infinity; the
/// additive identity.
Copy link
Copy Markdown
Contributor

@daira daira May 17, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
/// Determines if this point represents the point at infinity; the
/// additive identity.
/// Determines if this point represents the additive identity, or zero point.

It's not the point at infinity for Edwards curves. (Edwards curves over the rationals, or incomplete Edwards curves, do have points at infinity that are not the additive identity. This is a hobby horse but I am right :-p )

Copy link
Copy Markdown
Contributor Author

@str4d str4d May 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's an old doc-comment; it should match the Group::identity doc-comment, which is currently:

    /// Determines if this point is the identity.

Comment thread pairing/src/bls12_381/ec.rs
@str4d str4d deleted the group-trait branch May 21, 2020 07:02
@str4d str4d added this to the Core Sprint 2020-19 milestone May 23, 2020
@ebfull ebfull mentioned this pull request Jun 26, 2020
Closed
18 tasks
greg0x pushed a commit to valargroup/librustzcash that referenced this pull request Mar 12, 2026
@czarcas7ic
Merge pull request zcash#230 from valargroup/adam/sdk-security-hardening
65a5cf3 
Harden SDK: audit fixes, error handling, constant extraction
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@daira daira daira left review comments

@ebfull ebfull ebfull approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

Core Sprint 2020-19

Development

Successfully merging this pull request may close these issues.

3 participants

@str4d @daira @ebfull