Documentation
Index
- Variables
- func FFT64(a []fr.Element, twiddlesCoset []fr.Element)
- func LimbDecomposeBytes(buf []byte, m fr.Vector, logTwoBound int)
- func NewRingSISMaker(seed int64, logTwoDegree, logTwoBound, maxNbElementsToHash int) (func() hash.Hash, error)
- func PrecomputeTwiddlesCoset(generator, shifter fr.Element) []fr.Element
- type RSis
Constants
This section is empty.
Variables
var (
	ErrNotAPowerOfTwo = errors.New("d must be a power of 2")
)
Functions
func FFT64
FFT64 is generated by gnark-crypto and contains the unrolled code for an FFT (DIF) on 64 elements. Equivalent code: r.Domain.FFT(k, fft.DIF, fft.OnCoset(), fft.WithNbTasks(1)). twiddlesCoset must be pre-computed from the twiddles and coset table; see PrecomputeTwiddlesCoset.
func LimbDecomposeBytes
Split a slice of bytes representing an array of serialized field elements in big-endian form into an array of limbs representing the same field elements in little-endian form. Namely, if our field is represented with 64 bits and we have the following field element 0x0123456789abcdef (0 being the most significant character and f being the least significant one) and our log norm bound is 16 (so 1 hex character = 1 limb), the function assigns the values of m to [f, e, d, c, b, a, ..., 3, 2, 1, 0]. m should be preallocated and zeroized. Additionally, we have the guarantee that 2 bits contributing to different field elements cannot be part of the same limb.
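The decomposition described above, as an added stand-alone sketch that is not gnark-crypto's own code. The name limbDecompose, the elemBytes parameter and the []uint64 output (in place of fr.Vector) are hypothetical, and zero-padding a short top limb is an assumption about how the "no limb spans two elements" guarantee is met; the sample uses 4-bit limbs so that one hex character is one limb.

```go
package main

import (
	"errors"
	"fmt"
)

// limbDecompose is a hypothetical illustration, not gnark-crypto's LimbDecomposeBytes.
// buf holds big-endian elements of elemBytes bytes each. Every element is cut into
// limbs of logTwoBound bits, least significant limb first. If logTwoBound does not
// divide the element width, the top limb of an element is short and zero-padded
// (assumption), so no limb ever mixes bits of two different elements.
func limbDecompose(buf []byte, elemBytes, logTwoBound int) ([]uint64, error) {
	if elemBytes <= 0 || len(buf)%elemBytes != 0 {
		return nil, errors.New("buffer is not a whole number of elements")
	}
	if logTwoBound < 1 || logTwoBound > 64 {
		return nil, errors.New("logTwoBound must be in [1, 64]")
	}
	elemBits := 8 * elemBytes
	limbsPerElem := (elemBits + logTwoBound - 1) / logTwoBound
	out := make([]uint64, 0, limbsPerElem*(len(buf)/elemBytes))
	for off := 0; off < len(buf); off += elemBytes {
		elem := buf[off : off+elemBytes]
		for l := 0; l < limbsPerElem; l++ {
			var limb uint64
			for j := 0; j < logTwoBound; j++ {
				bit := l*logTwoBound + j // bit index inside the element, 0 = least significant
				if bit >= elemBits {
					break // element boundary: leave the remaining limb bits at zero
				}
				b := (elem[elemBytes-1-bit/8] >> uint(bit%8)) & 1
				limb |= uint64(b) << uint(j)
			}
			out = append(out, limb)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample: the 64-bit element from the description above.
	buf := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}
	limbs, err := limbDecompose(buf, 8, 4)
	fmt.Printf("%x %v\n", limbs, err)
}
```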
Types
type RSis
type RSis struct {
	// Vectors in ℤ_{p}/Xⁿ+1
	// A[i] is the i-th polynomial.
	// Ag the evaluation form of the polynomials in A on the coset √(g) * <g>
	A  [][]fr.Element
	Ag [][]fr.Element

	// LogTwoBound (Infinity norm) of the vector to hash. It means that each component in m
	// is < 2^B, where m is the vector to hash (the hash being A*m).
	// cf https://hackmd.io/7OODKWQZRRW9RxM5BaXtIw , B >= 3.
	LogTwoBound int

	// domain for the polynomial multiplication
	Domain *fft.Domain

	// d, the degree of X^{d}+1
	Degree int
	// contains filtered or unexported fields
}
Ring-SIS instance
func NewRSis
NewRSis creates an instance of RSis.
- seed: seed for the randomness for generating A.
- logTwoDegree: if d := logTwoDegree, the ring will be ℤ_{p}[X]/Xᵈ-1, where X^{2ᵈ} is the 2ᵈ⁺¹-th cyclotomic polynomial.
- logTwoBound: the bound of the vector to hash (using the infinity norm).
- maxNbElementsToHash: maximum number of field elements the instance handles; used to derive n, the number of polynomials in A, and the max size of the instance's internal buffer.
func (*RSis) BlockSize
BlockSize returns the hash's underlying block size. The Write method must be able to accept any amount of data, but it may operate more efficiently if all writes are a multiple of the block size.
func (*RSis) CopyWithFreshBuffer
Returns a clone of the RSis parameters with a fresh and empty buffer. Does not mutate the current instance. The keys and the public parameters of the SIS instance are not deep-copied. It is useful when we want to hash in parallel. Otherwise, we would have to generate an entire RSis for each thread.
func (*RSis) Sum
Sum appends the current hash to b and returns the resulting slice. It does not change the underlying hash state. The instance buffer is interpreted as a sequence of coefficients of size r.Bound bits long. The function returns the hash of the polynomial as a sequence []fr.Elements, interpreted as []bytes, corresponding to sum_i A[i]*m Mod X^{d}+1.