add support for T-256 curve (#197)

* add T-256 curve

* update README

* move comment up

* make it no-std compat

---------

Co-authored-by: guorong009 <[email protected]>

Author: srinathsetty

README.md

@@ -12,7 +12,7 @@ This library provides efficient and flexible implementations of various halo2-fr
 
 The implementations were originally ported from [matterlabs/pairing](https://github.com/matter-labs/pairing/tree/master/src/bn256) and [zkcrypto/bls12-381](https://github.com/zkcrypto/bls12_381), but have been extended and optimized to cover a broader set of curves and use cases. Since its initial release, the library has expanded to include additional curves, along with the following features:
 
-* `secp256k1`, `secp256r1`, `pluto`, `eris` and `grumpkin` curves, enhancing its usability across a range of cryptographic protocols.
+* `secp256k1`, `secp256r1`, `pluto`, `eris`, `T-256`, and `grumpkin` curves, enhancing its usability across a range of cryptographic protocols.
 * Assembly optimizations leading to significantly improved performance.
 * Various features related to serialization and deserialization of curve points and field elements.
 * Curve-specific optimizations and benchmarking capabilities.
@@ -59,4 +59,4 @@ The library's top-level directories are organized as follows:
 
 * `benches`: Contains benchmarking tests.
 * `script`: Contains utility scripts.
-* `src`: Contains the source code of the library, further subdivided into modules for each supported curve (`bn256`, `grumpkin`, `secp256k1`, `secp256r1`, `secq256k1`, `pasta`, `pluto`, `eris`) and additional functionalities (`derive`, `tests`).
+* `src`: Contains the source code of the library, further subdivided into modules for each supported curve (`bn256`, `grumpkin`, `secp256k1`, `secp256r1`, `secq256k1`, `pasta`, `pluto`, `eris`, `t256`) and additional functionalities (`derive`, `tests`).

src/lib.rs

@@ -16,6 +16,7 @@ pub mod pluto_eris;
 pub mod secp256k1;
 pub mod secp256r1;
 pub mod secq256k1;
+pub mod t256;
 
 #[macro_use]
 mod derive;

src/t256/curve.rs

@@ -0,0 +1,137 @@
+#[cfg(not(feature = "std"))]
+extern crate alloc;
+#[cfg(not(feature = "std"))]
+use alloc::{boxed::Box, vec::Vec};
+
+use core::{
+    cmp,
+    fmt::Debug,
+    iter::Sum,
+    ops::{Add, Mul, Neg, Sub},
+};
+
+use rand_core::RngCore;
+use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
+
+use crate::{
+    ff::{Field, PrimeField, WithSmallOrderMulGroup},
+    group::{prime::PrimeCurveAffine, Curve, Group as _, GroupEncoding},
+    t256::{Fp, Fq},
+    Coordinates, CurveAffine, CurveExt,
+};
+
+impl group::cofactor::CofactorGroup for T256 {
+    type Subgroup = T256;
+
+    fn clear_cofactor(&self) -> Self {
+        *self
+    }
+
+    fn into_subgroup(self) -> CtOption<Self::Subgroup> {
+        CtOption::new(self, 1.into())
+    }
+
+    fn is_torsion_free(&self) -> Choice {
+        1.into()
+    }
+}
+
+// We take these parameters from: https://github.com/pag-crypto/sigpop/blob/eb7ea5914e8303b5484fe5bb8d200d08345a46c6/circ_fields/src/t256/curves/mod.rs
+// Generator   (x = 5,  y as in sigpop)
+const T256_GENERATOR_X: Fp = Fp::from_raw([
+    0x0000000000000005,
+    0x0000000000000000,
+    0x0000000000000000,
+    0x0000000000000000,
+]);
+
+const T256_GENERATOR_Y: Fp = Fp::from_raw([
+    0x5826108A653DE28D,
+    0x0ED60B9E33CE397C,
+    0x5EFC7B55F6B24FBE,
+    0x3E86C0CFEBF2C716,
+]);
+
+// a  =  p − 3
+const T256_A: Fp = Fp::from_raw([
+    0x93135661B1C4B114,
+    0x7E72B42B30E73177,
+    0x0000000000000001,
+    0xFFFFFFFF00000001,
+]);
+
+// b  =  0xB441071B12F4A0366FB552F8E21ED4AC36B06ACEEB354224863E60F20219FC56
+const T256_B: Fp = Fp::from_raw([
+    0x863E60F20219FC56,
+    0x36B06ACEEB354224,
+    0x6FB552F8E21ED4AC,
+    0xB441071B12F4A036,
+]);
+
+use crate::{
+    impl_binops_additive, impl_binops_additive_specify_output, impl_binops_multiplicative,
+    impl_binops_multiplicative_mixed, new_curve_impl,
+};
+
+new_curve_impl!(
+    (pub),
+    T256,
+    T256Affine,
+    Fp,
+    Fq,
+    (T256_GENERATOR_X,T256_GENERATOR_Y),
+    T256_A,
+    T256_B,
+    "t256",
+    |domain_prefix| hash_to_curve(domain_prefix, hash_to_curve_suite(b"T256_XMD:SHA-256_SSWU_RO_")),
+    crate::serde::CompressedFlagConfig::Extra,
+    standard_sign
+);
+
+fn hash_to_curve_suite(domain: &[u8]) -> crate::hash_to_curve::Suite<T256, sha2::Sha256, 48> {
+    // Z : <https://datatracker.ietf.org/doc/html/rfc9380#sswu-z-code>
+    // Z = -2
+    const SSWU_Z: Fp = Fp::from_raw([
+        0x93135661B1C4B115,
+        0x7E72B42B30E73177,
+        0x0000000000000001,
+        0xFFFFFFFF00000001,
+    ]);
+
+    let iso_map = crate::hash_to_curve::Iso {
+        a: T256::a(),
+        b: T256::b(),
+        map: Box::new(move |x, y, z| T256 { x, y, z }),
+    };
+
+    crate::hash_to_curve::Suite::new(domain, SSWU_Z, crate::hash_to_curve::Method::SSWU(iso_map))
+}
+
+#[allow(clippy::type_complexity)]
+pub(crate) fn hash_to_curve<'a>(
+    domain_prefix: &'a str,
+    suite: crate::hash_to_curve::Suite<T256, sha2::Sha256, 48>,
+) -> Box<dyn Fn(&[u8]) -> T256 + 'a> {
+    Box::new(move |message| suite.hash_to_curve(domain_prefix, message))
+}
+
+#[cfg(test)]
+mod test {
+    use group::UncompressedEncoding;
+    use rand_core::OsRng;
+
+    use super::*;
+    use crate::serde::SerdeObject;
+    crate::curve_testing_suite!(T256);
+    crate::curve_testing_suite!(T256, "ecdsa_example");
+    crate::curve_testing_suite!(
+        T256,
+        "constants",
+        Fp::MODULUS,
+        T256_A,
+        T256_B,
+        T256_GENERATOR_X,
+        T256_GENERATOR_Y,
+        Fq::MODULUS
+    );
+}

src/t256/fp.rs

@@ -0,0 +1,46 @@
+#[cfg(not(feature = "std"))]
+extern crate alloc;
+#[cfg(not(feature = "std"))]
+use alloc::vec::Vec;
+
+use core::convert::TryInto;
+
+use halo2derive::impl_field;
+use rand_core::RngCore;
+use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
+
+impl_field!(
+    t256_base,
+    Fp,
+    modulus = "ffffffff0000000100000000000000017e72b42b30e7317793135661b1c4b117",
+    mul_gen = "6",
+    zeta = "b6e848ab29fcd1fa4bdd4681fd4839c7bce2889d6b27546299d130ed370be14d",
+    from_uniform = [48, 64],
+    endian = "big",
+);
+
+crate::extend_field_legendre!(Fp);
+crate::impl_binops_calls!(Fp);
+crate::impl_binops_additive!(Fp, Fp);
+crate::impl_binops_multiplicative!(Fp, Fp);
+crate::field_bits!(Fp);
+crate::serialize_deserialize_primefield!(Fp);
+crate::impl_from_u64!(Fp);
+crate::impl_from_bool!(Fp);
+
+#[cfg(test)]
+mod test {
+    use super::Fp;
+    use crate::{
+        arith_test, constants_test, from_uniform_bytes_test, legendre_test, serde_test, test,
+    };
+
+    constants_test!(Fp);
+
+    arith_test!(Fp);
+    legendre_test!(Fp);
+    test!(arith, Fp, sqrt_test, 1000);
+
+    serde_test!(Fp PrimeFieldBits);
+    from_uniform_bytes_test!(Fp, 1000, L 64, L 48);
+}

src/t256/mod.rs

@@ -0,0 +1,7 @@
+mod curve;
+mod fp;
+
+// the base field of secp256r1 is Fq
+pub use crate::secp256r1::Fp as Fq;
+pub use curve::*;
+pub use fp::*;