refactor: address Ivo's review

Author: yelhousni

ecc/octobear/multiset-hash/cardano_test.go

@@ -81,3 +81,130 @@ func TestDepressedCubicRootFindsValidRoot(t *testing.T) {
 		require.True(t, lhs.IsZero())
 	}
 }
+
+// cardanoDelta returns the dispatch discriminant delta = 108 - 27·c² used by
+// cardanoRoots to choose a branch (zero → repeatedRoots, non-square →
+// quadratic-extension branch, square → base-field branch).
+func cardanoDelta(c *extensions.E8) extensions.E8 {
+	var c2, delta extensions.E8
+	c2.Square(c)
+	delta.Mul(&c2, &e8TwentySeven)
+	delta.Sub(&e8Neg4A3, &delta)
+	return delta
+}
+
+func checkCubicRoots(t *testing.T, c extensions.E8, roots []extensions.E8) {
+	t.Helper()
+	require.NotEmpty(t, roots, "cardanoRoots returned no roots")
+	for _, x := range roots {
+		var lhs, x3 extensions.E8
+		x3.Square(&x).Mul(&x3, &x)
+		lhs.Set(&x3)
+		lhs.Sub(&lhs, &x).Sub(&lhs, &x).Sub(&lhs, &x).Add(&lhs, &c)
+		require.True(t, lhs.IsZero(), "root does not satisfy x^3 - 3x + c = 0")
+	}
+}
+
+// TestCardanoRepeatedRootBranch exercises the delta = 0 branch with c = 2:
+// x^3 - 3x + 2 = (x-1)^2 (x+2), so the dispatcher must hit repeatedRoots.
+func TestCardanoRepeatedRootBranch(t *testing.T) {
+	var c extensions.E8
+	c.C0.B0.A0.SetUint64(2)
+
+	delta := cardanoDelta(&c)
+	require.True(t, delta.IsZero(), "c = 2 must drive delta to zero")
+
+	roots := cardanoRoots(c)
+	checkCubicRoots(t, c, roots)
+
+	var one, negTwo extensions.E8
+	one.SetOne()
+	negTwo.SetOne().Double(&negTwo).Neg(&negTwo)
+	var foundOne, foundNegTwo bool
+	for _, x := range roots {
+		if x.Equal(&one) {
+			foundOne = true
+		}
+		if x.Equal(&negTwo) {
+			foundNegTwo = true
+		}
+	}
+	require.True(t, foundOne, "repeated-root branch must produce x = 1")
+	require.True(t, foundNegTwo, "repeated-root branch must produce x = -2")
+}
+
+// TestCardanoBaseFieldBranch exercises the square-delta path. We build c from
+// a known root x in the prime subfield: c = 3x - x^3 guarantees that x solves
+// x^3 - 3x + c = 0, and any c whose components all lie in Fp produces a delta
+// that is a square in E8 (since [E8 : Fp] = 8 is even, every element of Fp is
+// a square in E8). Whether Cardano can recover roots through E8 depends on
+// whether the cube root needed by the formula lies in E8, so we search across
+// x values until the dispatcher returns a non-empty set including x.
+func TestCardanoBaseFieldBranch(t *testing.T) {
+	for n := uint64(3); n < 10_000; n++ {
+		var x extensions.E8
+		x.C0.B0.A0.SetUint64(n)
+
+		var c, x3 extensions.E8
+		x3.Square(&x).Mul(&x3, &x)
+		c.Double(&x).Add(&c, &x).Sub(&c, &x3)
+
+		delta := cardanoDelta(&c)
+		if delta.IsZero() {
+			continue
+		}
+		require.Equal(t, 1, delta.Legendre(), "c in Fp must give a square delta in E8")
+
+		roots := cardanoRoots(c)
+		if len(roots) == 0 {
+			continue
+		}
+		checkCubicRoots(t, c, roots)
+		var found bool
+		for _, r := range roots {
+			if r.Equal(&x) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			continue
+		}
+		return
+	}
+	t.Fatal("could not find a base-field-branch witness in [3, 10000)")
+}
+
+// TestCardanoQuadraticExtensionBranch exercises the non-square-delta path.
+// To force delta to be a non-square in E8, c must have a non-trivial
+// extension component (any element of the prime subfield is a square in E8).
+// We construct x with both a base and an extension component, compute
+// c = 3x - x^3, and search for one whose delta is a non-square.
+func TestCardanoQuadraticExtensionBranch(t *testing.T) {
+	for n := uint64(1); n < 4096; n++ {
+		var x extensions.E8
+		x.C0.B0.A0.SetUint64(n)
+		x.C1.B0.A0.SetUint64(1)
+
+		var c, x3 extensions.E8
+		x3.Square(&x).Mul(&x3, &x)
+		c.Double(&x).Add(&c, &x).Sub(&c, &x3)
+
+		delta := cardanoDelta(&c)
+		if delta.IsZero() || delta.Legendre() != -1 {
+			continue
+		}
+		roots := cardanoRoots(c)
+		checkCubicRoots(t, c, roots)
+		var found bool
+		for _, r := range roots {
+			if r.Equal(&x) {
+				found = true
+				break
+			}
+		}
+		require.True(t, found, "extension branch must recover x at n = %d", n)
+		return
+	}
+	t.Fatal("could not find a quadratic-extension-branch witness in [1, 4096)")
+}

ecc/octobear/multiset-hash/multiset_hash.go

@@ -4,12 +4,11 @@ import (
 	"errors"
 
 	"github.com/consensys/gnark-crypto/ecc/octobear"
-	"github.com/consensys/gnark-crypto/field/koalabear/extensions"
 )
 
 const tweakBound = 256
 
-var errMapFailure = errors.New("octobear multiset hash: failed to map message after 256 y-increments")
+var errMapFailure = errors.New("octobear multiset hash: failed to map message in tweak window")
 
 // Accumulator stores an additive multiset hash state in affine coordinates.
 type Accumulator struct {
@@ -70,26 +69,5 @@ func Hash(msgs []uint16) (octobear.G1Affine, error) {
 // y = msg*256 + k yields a point (x, y) on octobear.
 func Map(msg uint16) (octobear.G1Affine, uint8, error) {
 	_, b := octobear.CurveCoefficients()
-	baseY := uint64(msg) * tweakBound
-
-	for k := uint16(0); k < tweakBound; k++ {
-		var y, c, ySquared extensions.E8
-		y.SetZero()
-		y.C0.B0.A0.SetUint64(baseY + uint64(k))
-
-		ySquared.Square(&y)
-		c.Sub(&b, &ySquared)
-
-		x, ok := depressedCubicRoot(c)
-		if !ok {
-			continue
-		}
-
-		p := octobear.G1Affine{X: x, Y: y}
-		if p.IsOnCurve() && p.IsInSubGroup() {
-			return p, uint8(k), nil
-		}
-	}
-
-	return octobear.G1Affine{}, 0, errMapFailure
+	return mapAtBase(uint64(msg)*tweakBound, tweakBound, &b)
 }

ecc/octobear/multiset-hash/vector_multiset_hash_linear.go

@@ -1,7 +1,6 @@
 package multisethash
 
 import (
-	"errors"
 	"fmt"
 
 	"github.com/consensys/gnark-crypto/ecc/octobear"
@@ -115,11 +114,11 @@ func MapLinear(msg uint32) ([linearN]octobear.G1Affine, [linearN]uint8, error) {
 	return pts, offsets, nil
 }
 
-// mapAtBase scans k in [0, tweakBound) and returns the first curve point
-// whose ordinate is y = baseY + k in the base subfield. baseY + tweakBound
+// mapAtBase scans k in [0, bound) and returns the first curve point
+// whose ordinate is y = baseY + k in the base subfield. baseY + bound
 // must remain strictly below p/2 to keep the image inverse-free.
-func mapAtBase(baseY uint64, tweakBound uint64, b *extensions.E8) (octobear.G1Affine, uint8, error) {
-	for k := uint64(0); k < tweakBound; k++ {
+func mapAtBase(baseY uint64, bound uint64, b *extensions.E8) (octobear.G1Affine, uint8, error) {
+	for k := uint64(0); k < bound; k++ {
 		var y, c, ySquared extensions.E8
 		y.C0.B0.A0.SetUint64(baseY + k)
 
@@ -136,5 +135,5 @@ func mapAtBase(baseY uint64, tweakBound uint64, b *extensions.E8) (octobear.G1Af
 			return p, uint8(k), nil
 		}
 	}
-	return octobear.G1Affine{}, 0, errors.New("octobear vector multiset hash: failed to map message in tweak window")
+	return octobear.G1Affine{}, 0, errMapFailure
 }