From 2e43a5faa7220b9f4ebce0f7770c91ef6478e01d Mon Sep 17 00:00:00 2001
From: Suyash Bagad <suyashnbagad1997@gmail.com>
Date: Tue, 11 Apr 2023 20:44:04 +0000
Subject: [PATCH 1/3] Add `stdlib_keccak` in cmake.

Correct an assertion in `to_byte_array` in bigfield.
---
 cpp/src/CMakeLists.txt                                       | 3 +++
 cpp/src/barretenberg/stdlib/primitives/bigfield/bigfield.hpp | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/cpp/src/CMakeLists.txt b/cpp/src/CMakeLists.txt
index a90789f9c6..d199134cb6 100644
--- a/cpp/src/CMakeLists.txt
+++ b/cpp/src/CMakeLists.txt
@@ -90,6 +90,7 @@ if(WASM)
         $<TARGET_OBJECTS:stdlib_pedersen_commitment_objects>
         $<TARGET_OBJECTS:stdlib_blake2s_objects>
         $<TARGET_OBJECTS:stdlib_blake3s_objects>
+        $<TARGET_OBJECTS:stdlib_keccak_objects>
         $<TARGET_OBJECTS:stdlib_sha256_objects>
         $<TARGET_OBJECTS:stdlib_aes128_objects>
         $<TARGET_OBJECTS:stdlib_merkle_tree_objects>
@@ -192,6 +193,7 @@ if(WASM)
         $<TARGET_OBJECTS:stdlib_pedersen_commitment_objects>
         $<TARGET_OBJECTS:stdlib_blake2s_objects>
         $<TARGET_OBJECTS:stdlib_blake3s_objects>
+        $<TARGET_OBJECTS:stdlib_keccak_objects>
         $<TARGET_OBJECTS:stdlib_sha256_objects>
         $<TARGET_OBJECTS:stdlib_aes128_objects>
         $<TARGET_OBJECTS:stdlib_merkle_tree_objects>
@@ -227,6 +229,7 @@ else()
         $<TARGET_OBJECTS:stdlib_pedersen_commitment_objects>
         $<TARGET_OBJECTS:stdlib_blake2s_objects>
         $<TARGET_OBJECTS:stdlib_blake3s_objects>
+        $<TARGET_OBJECTS:stdlib_keccak_objects>
         $<TARGET_OBJECTS:stdlib_sha256_objects>
         $<TARGET_OBJECTS:stdlib_aes128_objects>
         $<TARGET_OBJECTS:stdlib_merkle_tree_objects>
diff --git a/cpp/src/barretenberg/stdlib/primitives/bigfield/bigfield.hpp b/cpp/src/barretenberg/stdlib/primitives/bigfield/bigfield.hpp
index 002fce1df1..b87bf158c4 100644
--- a/cpp/src/barretenberg/stdlib/primitives/bigfield/bigfield.hpp
+++ b/cpp/src/barretenberg/stdlib/primitives/bigfield/bigfield.hpp
@@ -160,7 +160,7 @@ template <typename Composer, typename T> class bigfield {
         field_t<Composer> lo = binary_basis_limbs[0].element + (binary_basis_limbs[1].element * shift_1);
         field_t<Composer> hi = binary_basis_limbs[2].element + (binary_basis_limbs[3].element * shift_1);
         // n.b. this only works if NUM_LIMB_BITS * 2 is divisible by 8
-        ASSERT((NUM_LIMB_BITS / 8) * 8 == NUM_LIMB_BITS);
+        ASSERT((NUM_LIMB_BITS * 2 / 8) * 8 == NUM_LIMB_BITS * 2);
         result.write(byte_array<Composer>(hi, 32 - (NUM_LIMB_BITS / 4)));
         result.write(byte_array<Composer>(lo, (NUM_LIMB_BITS / 4)));
         return result;

From fb3212570f2842a9265ff92dd5c996840225fd4c Mon Sep 17 00:00:00 2001
From: Suyash Bagad <suyashnbagad1997@gmail.com>
Date: Sun, 16 Apr 2023 14:25:16 +0000
Subject: [PATCH 2/3] Add `random_element` to affine element.

---
 .../ecc/groups/affine_element.hpp             |  7 +++++++
 .../ecc/groups/affine_element_impl.hpp        | 21 +++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/cpp/src/barretenberg/ecc/groups/affine_element.hpp b/cpp/src/barretenberg/ecc/groups/affine_element.hpp
index 81e6099030..293ba2bd53 100644
--- a/cpp/src/barretenberg/ecc/groups/affine_element.hpp
+++ b/cpp/src/barretenberg/ecc/groups/affine_element.hpp
@@ -49,6 +49,13 @@ template <typename Fq, typename Fr, typename Params> class alignas(64) affine_el
 
     constexpr bool on_curve() const noexcept;
 
+    /**
+     * @brief Samples a random point on the curve.
+     *
+     * @return A randomly chosen point on the curve
+     */
+    static affine_element random_element(numeric::random::Engine* engine = nullptr) noexcept;
+
     /**
      * @brief Hash a seed value to curve.
      *
diff --git a/cpp/src/barretenberg/ecc/groups/affine_element_impl.hpp b/cpp/src/barretenberg/ecc/groups/affine_element_impl.hpp
index 691f03f942..e618f4c928 100644
--- a/cpp/src/barretenberg/ecc/groups/affine_element_impl.hpp
+++ b/cpp/src/barretenberg/ecc/groups/affine_element_impl.hpp
@@ -202,5 +202,26 @@ affine_element<Fq, Fr, T> affine_element<Fq, Fr, T>::hash_to_curve(const uint64_
 
     return affine_element<Fq, Fr, T>(x_out, y_out_);
 }
+
+template <typename Fq, typename Fr, typename T>
+affine_element<Fq, Fr, T> affine_element<Fq, Fr, T>::random_element(numeric::random::Engine* engine) noexcept
+{
+    bool found_one = false;
+    Fq yy;
+    Fq x;
+    Fq y;
+    while (!found_one) {
+        x = Fq::random_element(engine);
+        yy = x.sqr() * x + T::b;
+        if constexpr (T::has_a) {
+            yy += (x * T::a);
+        }
+        auto [found_root, y1] = yy.sqrt();
+        y = y1;
+        found_one = found_root;
+    }
+    return affine_element<Fq, Fr, T>(x, y);
+}
+
 } // namespace group_elements
 } // namespace barretenberg

From 875117a71613b599cfddfb557f0cb3b948fef1e2 Mon Sep 17 00:00:00 2001
From: Suyash Bagad <suyashnbagad1997@gmail.com>
Date: Wed, 19 Apr 2023 10:49:36 +0000
Subject: [PATCH 3/3] negate y conditionally.

---
 cpp/src/barretenberg/ecc/groups/affine_element_impl.hpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cpp/src/barretenberg/ecc/groups/affine_element_impl.hpp b/cpp/src/barretenberg/ecc/groups/affine_element_impl.hpp
index e618f4c928..356f2719c4 100644
--- a/cpp/src/barretenberg/ecc/groups/affine_element_impl.hpp
+++ b/cpp/src/barretenberg/ecc/groups/affine_element_impl.hpp
@@ -211,6 +211,7 @@ affine_element<Fq, Fr, T> affine_element<Fq, Fr, T>::random_element(numeric::ran
     Fq x;
     Fq y;
     while (!found_one) {
+        // Sample a random x-coordinate and check if it satisfies curve equation.
         x = Fq::random_element(engine);
         yy = x.sqr() * x + T::b;
         if constexpr (T::has_a) {
@@ -218,6 +219,13 @@ affine_element<Fq, Fr, T> affine_element<Fq, Fr, T>::random_element(numeric::ran
         }
         auto [found_root, y1] = yy.sqrt();
         y = y1;
+
+        // Negate the y-coordinate based on a randomly sampled bit.
+        bool random_bit = (engine->get_random_uint8() & 1);
+        if (random_bit) {
+            y = -y;
+        }
+
         found_one = found_root;
     }
     return affine_element<Fq, Fr, T>(x, y);