poc/sswu_*.sage: use sgn0_be with bls12381, as specified. #211
Conversation
|
Thanks! I'll follow up asap. |
|
OK, looking into this more: The suite definitions don't have any issues with this, because suites set the appropriate sgn0 variant as part of the suite definition (see h2c_suite.sage line 31). So it looks to me like the only place that this could arguably be an issue is in the BLS12-381-isogenous curve in sswu_opt.sage. (To me, that doesn't matter much---it's a simple functionality test, not a suite definition---but I'm happy to fix it.) I'll take care of this when editing suites for #212. |
While the test passes in so to say loopback mode, i.e. when both optimized and generic implementations use same variant of sgn0, I'd still argue that it's not insignificant difference. If an implementation fails to process test vector and you have to dig into it, rigid compliance with specification even at this level helps.
Cool! Thanks! |
BLS12-381 suites are specified to use big-endian variant of sgn0, while sswu_*.sage scripts default to little-endian one in all cases. This pull request should probably be viewed rather as "here is a problem" than "this is how to fix it," as there might be better way to achieve the goal. Cheers.