pub fn endos<G: CommitmentCurve>() -> (G::BaseField, G::ScalarField)where
G::BaseField: PrimeField,Expand description
Computes the endomorphism coefficients (ξ, λ) for a curve.
For curves of the form y² = x³ + b (like Pallas and Vesta), there exists an efficient endomorphism φ defined by:
φ(x, y) = (ξ · x, y)
where ξ is a primitive cube root of unity in the base field (ξ³ = 1, ξ ≠ 1). This works because (ξx)³ = ξ³x³ = x³, so the point remains on the curve.
This endomorphism corresponds to scalar multiplication by λ:
φ(P) = [λ]P
where λ is a primitive cube root of unity in the scalar field.
§Returns
A tuple (endo_q, endo_r) where:
endo_q(ξ): cube root of unity in the base fieldF_q, used to compute φ(P)endo_r(λ): the corresponding scalar inF_rsuch that φ(P) = [λ]P
§Mathematical Background
The cube root is computed as ξ = g^((p-1)/3) where g is a generator of F_p*.
By Fermat’s Little Theorem, ξ³ = g^(p-1) = 1.
Since there are two primitive cube roots of unity (ξ and ξ²), the function verifies which one corresponds to the endomorphism by checking:
[potential_λ]G == φ(G)
If not, it uses λ = potential_λ² instead.
§Panics
Panics if the generator point coordinates cannot be extracted.
§References
- Halo paper, Section 6.2: https://eprint.iacr.org/2019/1021
- GLV method for fast scalar multiplication