From a030ac3abcc6b061cd590e4f05ea6b72ac3f0f2c Mon Sep 17 00:00:00 2001
From: Andy Polyakov <appro@cryptogams.org>
Date: Sun, 16 Jun 2024 21:57:14 +0200
Subject: [PATCH] ntt/parameters/baby_bear.h: add "canonical" parameters.

Customarily one uses primitive root as generator, but RISC Zero
used an alternative generator, which remains the default choice.
---
 ntt/parameters/baby_bear.h | 78 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 75 insertions(+), 3 deletions(-)

diff --git a/ntt/parameters/baby_bear.h b/ntt/parameters/baby_bear.h
index c5378e6..56cdda7 100644
--- a/ntt/parameters/baby_bear.h
+++ b/ntt/parameters/baby_bear.h
@@ -2,12 +2,83 @@
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 
+const int S = 27;
+
+#ifdef BABY_BEAR_CANONICAL
+
+const fr_t group_gen = fr_t(0x1f);  // primitive_root(0x78000001)
+const fr_t group_gen_inverse = fr_t(0x03def7be);
+
 // Values in Montgomery form
 
-const fr_t group_gen = fr_t(0x2ffffffau);
-const fr_t group_gen_inverse = fr_t(0x2d555555u);
+const fr_t forward_roots_of_unity[S + 1] = {
+    fr_t(0x0ffffffeu),
+    fr_t(0x68000003u),
+    fr_t(0x1c38d511u),
+    fr_t(0x3d85298fu),
+    fr_t(0x5f06e481u),
+    fr_t(0x3f5c39ecu),
+    fr_t(0x5516a97au),
+    fr_t(0x3d6be592u),
+    fr_t(0x5bb04149u),
+    fr_t(0x4907f9abu),
+    fr_t(0x548b8e90u),
+    fr_t(0x1d8ca617u),
+    fr_t(0x2ce7f0e6u),
+    fr_t(0x621b371fu),
+    fr_t(0x6d4d2d78u),
+    fr_t(0x18716fcdu),
+    fr_t(0x3b30a682u),
+    fr_t(0x1c6f4728u),
+    fr_t(0x59b01f7cu),
+    fr_t(0x1a7f97acu),
+    fr_t(0x0732561cu),
+    fr_t(0x2b5a1cd4u),
+    fr_t(0x6f7d26f9u),
+    fr_t(0x16e2f919u),
+    fr_t(0x285ab85bu),
+    fr_t(0x0dd5a9ecu),
+    fr_t(0x43f13568u),
+    fr_t(0x57fab6eeu)
+};
 
-const int S = 27;
+const fr_t inverse_roots_of_unity[S + 1] = {
+    fr_t(0x0ffffffeu),
+    fr_t(0x68000003u),
+    fr_t(0x5bc72af0u),
+    fr_t(0x02ec07f3u),
+    fr_t(0x67e027cau),
+    fr_t(0x5e1a0700u),
+    fr_t(0x4bcc008cu),
+    fr_t(0x0bed94d1u),
+    fr_t(0x330b2e00u),
+    fr_t(0x6b469805u),
+    fr_t(0x0d83fad2u),
+    fr_t(0x26e64394u),
+    fr_t(0x0855523bu),
+    fr_t(0x5c9f0045u),
+    fr_t(0x5a7ba8c3u),
+    fr_t(0x3c8b04e2u),
+    fr_t(0x0c0f2066u),
+    fr_t(0x1b51d34cu),
+    fr_t(0x59f9bc12u),
+    fr_t(0x3511f012u),
+    fr_t(0x061ec85fu),
+    fr_t(0x5fd09c6bu),
+    fr_t(0x26bdc06cu),
+    fr_t(0x1272832eu),
+    fr_t(0x052ce2e8u),
+    fr_t(0x02ff110du),
+    fr_t(0x216ce204u),
+    fr_t(0x5e12c8e9u)
+};
+
+#else
+
+const fr_t group_gen = fr_t(3);
+const fr_t group_gen_inverse = fr_t(0x50000001);
+
+// Values in Montgomery form
 
 const fr_t forward_roots_of_unity[S + 1] = {
     fr_t(0x0ffffffeu),
@@ -70,6 +141,7 @@ const fr_t inverse_roots_of_unity[S + 1] = {
     fr_t(0x167ca34bu),
     fr_t(0x50b3630au)
 };
+#endif
 
 const fr_t domain_size_inverse[S + 1] = {
     fr_t(0x0ffffffeu),