ec: implement double-odd curves (#986)

* ec: implement double-odd curves

Implements Thomas Pornin's “A Prime-Order Group with Complete Formulas
from Even-Order Elliptic Curves” [1], often referred to as "double odd"
curves.

Includes the double-odd curve “JQ255s” as presented in the paper.

[1] T. Pornin, “A Prime-Order Group with Complete Formulas from Even-Order Elliptic Curves,” IACR CiC, vol. 1, no. 1, p. 33, Apr. 2024, doi: 10.62056/akmp-4c2h.

* docs: link to Double Odd website for double_in_place

* ec: generalize add_assign for curves different from jq255s

* fix: addresses errors and most warnings raised by cargo doc

* fix: implemented missing is_zero fn for DO AffineRepr

* fix: unescaped backtick in documentation

* impl: no_std check for jq255s similar to other curves

* fix: cargo fmt hotfix

* copied curve25519 field tests to jq255s

* perf: removed one mul from add functions

* fix: slightly faster addition for two affines

* fix: removed unneccessary projectiverefs

* fix: comply models/double_odd/mod.rs with clippy rules

* Update COEFF_A in curves/jq255s/src/curves/mod.rs

Although the same value, this rewrite more clearly indicates the value of COEFF_A (equal to -1 as described in https://eprint.iacr.org/2022/1052)

Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>

* fix: Add clarifying documentation and missing refs

* deduplicating obtaining e from u

* remove n()-function and redundancy, better docs, faster is_zero checka, formatting

fix: faster projective eq check

fix: code deduplication + removal of additional n-function

extra comment linking test to encoding standard

fixed unescaped backtick warning

fix cargo fmt error

fix: n() back for testing

fix: style

fix: style (bracket)

fix: lint deadcode ignore

n migration

---------

Co-authored-by: Robrecht <robrecht.blancquaert@gmail.com>
Co-authored-by: prismaman <svdv2000@gmail.com>
Co-authored-by: Sam Van de Velde <58397500+samvandevelde@users.noreply.github.com>
Co-authored-by: Pratyush Mishra <pratyush795@gmail.com>

Author: 4 people

curves/Cargo.toml

@@ -42,6 +42,7 @@ members = [
     "ed25519",
 
     "starkcurve",
+    "jq255s",
 ]
 resolver = "2"
 

curves/jq255s/Cargo.toml

@@ -0,0 +1,38 @@
+[package]
+name = "ark-jq255s"
+version.workspace = true
+authors.workspace = true
+description = "The do255s curve"
+homepage.workspace = true
+repository.workspace = true
+documentation = "https://docs.rs/ark-secp256r1/"
+keywords.workspace = true
+categories.workspace = true
+include.workspace = true
+license.workspace = true
+edition.workspace = true
+
+[dependencies]
+ark-ff = { workspace = true }
+ark-ec = { workspace = true }
+ark-r1cs-std = { workspace = true, optional = true }
+ark-std = { workspace = true }
+hex = "0.4.3"
+
+[dev-dependencies]
+ark-relations = { workspace = true }
+ark-serialize = { workspace = true }
+ark-algebra-test-templates = { workspace = true }
+ark-curve-constraint-tests = { path = "../curve-constraint-tests" }
+
+[features]
+default = []
+std = [ "ark-std/std", "ark-ff/std", "ark-ec/std" ]
+r1cs = [ "ark-r1cs-std" ]
+asm = [ "ark-ff/asm" ]
+
+#[patch.crates-io]
+#ark-ec = { path = "../../algebra/ec" }
+#ark-ff = { path = "../../algebra/ff" }
+#ark-poly = { path = "../../algebra/poly"  }
+#ark-serialize = {  path = "../../algebra/serialize" }

curves/jq255s/LICENSE-APACHE

@@ -0,0 +1 @@
+../LICENSE-APACHE

curves/jq255s/LICENSE-MIT

@@ -0,0 +1 @@
+../LICENSE-MIT

curves/jq255s/src/constraints/curves.rs

@@ -0,0 +1,5 @@
+use crate::{constraints::FqVar, *};
+use ark_r1cs_std::groups::curves::short_weierstrass::ProjectiveVar;
+
+/// A group element in the Jq255s curve.
+pub type GVar = ProjectiveVar<Config, FqVar>;

curves/jq255s/src/constraints/fields.rs

@@ -0,0 +1,11 @@
+use ark_r1cs_std::fields::fp::FpVar;
+
+use crate::fq::Fq;
+
+/// A variable that is the R1CS equivalent of `crate::Fq`.
+pub type FqVar = FpVar<Fq>;
+
+#[test]
+fn test() {
+    ark_curve_constraint_tests::fields::field_test::<_, _, FqVar>().unwrap();
+}

curves/jq255s/src/constraints/mod.rs

@@ -0,0 +1,7 @@
+//! This module implements the R1CS equivalent of `ark_jq255s`.
+
+mod curves;
+mod fields;
+
+pub use curves::*;
+pub use fields::*;

curves/jq255s/src/curves/mod.rs

@@ -0,0 +1,48 @@
+use ark_ec::{
+    double_odd::{self as doo, DOCurveConfig},
+    models::CurveConfig,
+};
+use ark_ff::MontFp;
+
+use crate::{fq::Fq, fr::Fr};
+
+#[cfg(test)]
+mod tests;
+
+pub type Affine = doo::Affine<Config>;
+pub type Projective = doo::Projective<Config>;
+
+#[derive(Copy, Clone, Default, PartialEq, Eq)]
+pub struct Config;
+
+impl CurveConfig for Config {
+    type BaseField = Fq;
+    type ScalarField = Fr;
+
+    /// COFACTOR = 2
+    const COFACTOR: &'static [u64] = &[2];
+
+    #[rustfmt::skip]
+    const COFACTOR_INV: Fr = MontFp!("14474011154664524427946373126085988481687200150840406918337755177497658435940");
+}
+
+impl DOCurveConfig for Config {
+    /// COEFF_A = -1
+    const COEFF_A: Fq = MontFp!("-1");
+
+    /// COEFF_B = 1/2
+    const COEFF_B: Fq =
+        MontFp!("28948022309329048855892746252171976963317496166410141009864396001978282408006");
+
+    /// GENERATOR = (G_GENERATOR_X, G_GENERATOR_Y)
+    const GENERATOR: Affine = Affine::new_unchecked(G_GENERATOR_E, G_GENERATOR_U);
+}
+
+/// G_GENERATOR_X =
+/// 0x0076aab95b2acbae4747482ba7081f7b94193dad9f96fdd2516283980459b09eaa
+pub const G_GENERATOR_E: Fq =
+    MontFp!("6929650852805837546485348833751579670837850621479164143703164723313568683024");
+
+/// G_GENERATOR_Y =
+/// 0x00b7d601b4cb25f8249b65e89b8f584a5494e592f3895d54f9002202b0530e6fbc
+pub const G_GENERATOR_U: Fq = MontFp!("3");