Fix BLS120377 generator and two-adic root of unity

howardwu · howardwu · commit a9de5932c0a3 · 2021-06-25T20:36:02.000-07:00
diff --git a/curves/src/bls12_377/fr.rs b/curves/src/bls12_377/fr.rs
@@ -17,6 +17,27 @@
 use snarkvm_fields::{FftParameters, FieldParameters, Fp256, Fp256Parameters};
 use snarkvm_utilities::biginteger::BigInteger256 as BigInteger;
 
+/// BLS12-377 scalar field.
+///
+/// Roots of unity computed from modulus and R using this sage code:
+///
+/// ```ignore
+/// q = 8444461749428370424248824938781546531375899335154063827935233455917409239041
+/// R = 6014086494747379908336260804527802945383293308637734276299549080986809532403 # Montgomery R
+/// s = 47
+/// o = q - 1
+/// F = GF(q)
+/// g = F.multiplicative_generator()
+/// g = F.multiplicative_generator()
+/// assert g.multiplicative_order() == o
+/// g2 = g ** (o/2**s)
+/// assert g2.multiplicative_order() == 2**s
+/// def into_chunks(val, width, n):
+///     return [int(int(val) // (2 ** (width * i)) % 2 ** width) for i in range(n)]
+/// print("Gen: ", g * R % q)
+/// print("Gen: ", into_chunks(g * R % q, 64, 4))
+/// print("2-adic gen: ", into_chunks(g2 * R % q, 64, 4))
+/// ```
 pub type Fr = Fp256<FrParameters>;
 
 pub struct FrParameters;
@@ -30,23 +51,26 @@ impl FftParameters for FrParameters {
     const TWO_ADICITY: u32 = 47;
     #[rustfmt::skip]
     const TWO_ADIC_ROOT_OF_UNITY: BigInteger = BigInteger([
-        0x3c3d3ca739381fb2,
-        0x9a14cda3ec99772b,
-        0xd7aacc7c59724826,
-        0xd1ba211c5cc349c,
+        12646347781564978760u64,
+        6783048705277173164u64,
+        268534165941069093u64,
+        1121515446318641358u64,
     ]);
 }
 
 impl FieldParameters for FrParameters {
     #[rustfmt::skip]
     const CAPACITY: u32 = Self::MODULUS_BITS - 1;
-    /// GENERATOR = 11
+    /// GENERATOR = 22
+    /// Encoded in Montgomery form, so the value is
+    /// (22 * R) % q = 5642976643016801619665363617888466827793962762719196659561577942948671127251
+    #[rustfmt::skip]
     #[rustfmt::skip]
     const GENERATOR: BigInteger = BigInteger([
-        1855201571499933546u64,
-        8511318076631809892u64,
-        6222514765367795509u64,
-        1122129207579058019u64,
+        2984901390528151251u64,
+        10561528701063790279u64,
+        5476750214495080041u64,
+        898978044469942640u64,
     ]);
     #[rustfmt::skip]
     const INV: u64 = 725501752471715839u64;
