2023-03-10 11:27:44 +00:00
|
|
|
use zeroize::Zeroize;
|
|
|
|
|
|
2023-03-28 08:43:10 +00:00
|
|
|
// Use black_box when possible
|
|
|
|
|
#[rustversion::since(1.66)]
|
|
|
|
|
use core::hint::black_box;
|
|
|
|
|
#[rustversion::before(1.66)]
|
|
|
|
|
fn black_box<T>(val: T) -> T {
|
2023-03-10 11:27:44 +00:00
|
|
|
val
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub(crate) fn u8_from_bool(bit_ref: &mut bool) -> u8 {
|
|
|
|
|
let bit_ref = black_box(bit_ref);
|
|
|
|
|
|
|
|
|
|
let mut bit = black_box(*bit_ref);
|
2023-12-17 01:54:24 +00:00
|
|
|
#[allow(clippy::cast_lossless)]
|
2023-03-10 11:27:44 +00:00
|
|
|
let res = black_box(bit as u8);
|
|
|
|
|
bit.zeroize();
|
|
|
|
|
debug_assert!((res | 1) == 1);
|
|
|
|
|
|
|
|
|
|
bit_ref.zeroize();
|
|
|
|
|
res
|
|
|
|
|
}
|
|
|
|
|
|
2023-03-28 08:38:01 +00:00
|
|
|
macro_rules! math_op {
|
|
|
|
|
(
|
|
|
|
|
$Value: ident,
|
|
|
|
|
$Other: ident,
|
|
|
|
|
$Op: ident,
|
|
|
|
|
$op_fn: ident,
|
|
|
|
|
$Assign: ident,
|
|
|
|
|
$assign_fn: ident,
|
|
|
|
|
$function: expr
|
|
|
|
|
) => {
|
|
|
|
|
impl $Op<$Other> for $Value {
|
|
|
|
|
type Output = $Value;
|
|
|
|
|
fn $op_fn(self, other: $Other) -> Self::Output {
|
2024-06-02 01:46:47 +00:00
|
|
|
$Value($function(self.0, other.0))
|
2023-03-28 08:38:01 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
impl $Assign<$Other> for $Value {
|
|
|
|
|
fn $assign_fn(&mut self, other: $Other) {
|
|
|
|
|
self.0 = $function(self.0, other.0);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
impl<'a> $Op<&'a $Other> for $Value {
|
|
|
|
|
type Output = $Value;
|
|
|
|
|
fn $op_fn(self, other: &'a $Other) -> Self::Output {
|
2024-06-02 01:46:47 +00:00
|
|
|
$Value($function(self.0, other.0))
|
2023-03-28 08:38:01 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
impl<'a> $Assign<&'a $Other> for $Value {
|
|
|
|
|
fn $assign_fn(&mut self, other: &'a $Other) {
|
|
|
|
|
self.0 = $function(self.0, other.0);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
macro_rules! from_wrapper {
|
|
|
|
|
($wrapper: ident, $inner: ident, $uint: ident) => {
|
|
|
|
|
impl From<$uint> for $wrapper {
|
|
|
|
|
fn from(a: $uint) -> $wrapper {
|
2024-06-02 01:46:47 +00:00
|
|
|
$wrapper(Residue::new(&$inner::from(a)))
|
2023-03-28 08:38:01 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-29 07:32:59 +00:00
|
|
|
macro_rules! field {
|
2023-03-28 08:38:01 +00:00
|
|
|
(
|
|
|
|
|
$FieldName: ident,
|
2023-04-19 08:02:59 +00:00
|
|
|
$ResidueType: ident,
|
2023-03-28 08:38:01 +00:00
|
|
|
|
|
|
|
|
$MODULUS_STR: ident,
|
|
|
|
|
$MODULUS: ident,
|
|
|
|
|
$WIDE_MODULUS: ident,
|
|
|
|
|
|
|
|
|
|
$NUM_BITS: literal,
|
|
|
|
|
|
|
|
|
|
$MULTIPLICATIVE_GENERATOR: literal,
|
|
|
|
|
$DELTA: expr,
|
|
|
|
|
) => {
|
|
|
|
|
use core::{
|
2023-07-08 15:29:05 +00:00
|
|
|
ops::{Add, AddAssign, Neg, Sub, SubAssign, Mul, MulAssign},
|
2023-03-28 08:38:01 +00:00
|
|
|
iter::{Sum, Product},
|
|
|
|
|
};
|
2022-08-29 07:32:59 +00:00
|
|
|
|
2022-08-31 07:33:19 +00:00
|
|
|
use subtle::{Choice, CtOption, ConstantTimeEq, ConstantTimeLess, ConditionallySelectable};
|
2023-03-10 11:27:44 +00:00
|
|
|
use rand_core::RngCore;
|
2022-08-29 07:32:59 +00:00
|
|
|
|
|
|
|
|
use generic_array::{typenum::U57, GenericArray};
|
2023-04-19 06:25:19 +00:00
|
|
|
use crypto_bigint::{Integer, NonZero, Encoding, impl_modulus};
|
2022-08-29 07:32:59 +00:00
|
|
|
|
2023-03-28 08:38:01 +00:00
|
|
|
use ff::{Field, PrimeField, FieldBits, PrimeFieldBits, helpers::sqrt_ratio_generic};
|
2022-08-29 07:32:59 +00:00
|
|
|
|
2023-03-10 11:27:44 +00:00
|
|
|
use $crate::backend::u8_from_bool;
|
|
|
|
|
|
2023-05-09 08:12:13 +00:00
|
|
|
fn reduce(x: U896) -> U448 {
|
|
|
|
|
U448::from_le_slice(&x.rem(&NonZero::new($WIDE_MODULUS).unwrap()).to_le_bytes()[.. 56])
|
2022-08-29 07:32:59 +00:00
|
|
|
}
|
|
|
|
|
|
2023-03-28 08:38:01 +00:00
|
|
|
impl ConstantTimeEq for $FieldName {
|
|
|
|
|
fn ct_eq(&self, other: &Self) -> Choice {
|
|
|
|
|
self.0.ct_eq(&other.0)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl ConditionallySelectable for $FieldName {
|
|
|
|
|
fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self {
|
2023-04-19 08:02:59 +00:00
|
|
|
$FieldName(Residue::conditional_select(&a.0, &b.0, choice))
|
2023-03-28 08:38:01 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-19 08:02:59 +00:00
|
|
|
math_op!($FieldName, $FieldName, Add, add, AddAssign, add_assign, |x: $ResidueType, y| x
|
|
|
|
|
.add(&y));
|
|
|
|
|
math_op!($FieldName, $FieldName, Sub, sub, SubAssign, sub_assign, |x: $ResidueType, y| x
|
|
|
|
|
.sub(&y));
|
|
|
|
|
math_op!($FieldName, $FieldName, Mul, mul, MulAssign, mul_assign, |x: $ResidueType, y| x
|
|
|
|
|
.mul(&y));
|
2023-03-28 08:38:01 +00:00
|
|
|
|
2023-05-09 08:12:13 +00:00
|
|
|
from_wrapper!($FieldName, U448, u8);
|
|
|
|
|
from_wrapper!($FieldName, U448, u16);
|
|
|
|
|
from_wrapper!($FieldName, U448, u32);
|
|
|
|
|
from_wrapper!($FieldName, U448, u64);
|
|
|
|
|
from_wrapper!($FieldName, U448, u128);
|
2022-08-29 07:32:59 +00:00
|
|
|
|
|
|
|
|
impl Neg for $FieldName {
|
|
|
|
|
type Output = $FieldName;
|
|
|
|
|
fn neg(self) -> $FieldName {
|
2024-06-02 01:46:47 +00:00
|
|
|
$FieldName(self.0.neg())
|
2022-08-29 07:32:59 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl<'a> Neg for &'a $FieldName {
|
|
|
|
|
type Output = $FieldName;
|
|
|
|
|
fn neg(self) -> Self::Output {
|
|
|
|
|
(*self).neg()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl $FieldName {
|
2023-12-17 07:06:51 +00:00
|
|
|
/// Perform an exponentiation.
|
2022-08-29 07:32:59 +00:00
|
|
|
pub fn pow(&self, other: $FieldName) -> $FieldName {
|
2024-06-02 01:46:47 +00:00
|
|
|
let mut table = [$FieldName(Residue::ONE); 16];
|
2022-08-29 07:32:59 +00:00
|
|
|
table[1] = *self;
|
|
|
|
|
for i in 2 .. 16 {
|
|
|
|
|
table[i] = table[i - 1] * self;
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-02 01:46:47 +00:00
|
|
|
let mut res = $FieldName(Residue::ONE);
|
2022-08-29 07:32:59 +00:00
|
|
|
let mut bits = 0;
|
2023-03-10 11:27:44 +00:00
|
|
|
for (i, mut bit) in other.to_le_bits().iter_mut().rev().enumerate() {
|
2022-08-29 07:32:59 +00:00
|
|
|
bits <<= 1;
|
2023-07-08 15:29:05 +00:00
|
|
|
let mut bit = u8_from_bool(&mut bit);
|
2022-08-29 07:32:59 +00:00
|
|
|
bits |= bit;
|
2023-03-10 11:27:44 +00:00
|
|
|
bit.zeroize();
|
2022-08-29 07:32:59 +00:00
|
|
|
|
|
|
|
|
if ((i + 1) % 4) == 0 {
|
|
|
|
|
if i != 3 {
|
|
|
|
|
for _ in 0 .. 4 {
|
|
|
|
|
res *= res;
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-10-27 12:51:19 +00:00
|
|
|
|
|
|
|
|
let mut scale_by = $FieldName(Residue::ONE);
|
|
|
|
|
#[allow(clippy::needless_range_loop)]
|
|
|
|
|
for i in 0 .. 16 {
|
|
|
|
|
#[allow(clippy::cast_possible_truncation)] // Safe since 0 .. 16
|
|
|
|
|
{
|
|
|
|
|
scale_by = <_>::conditional_select(&scale_by, &table[i], bits.ct_eq(&(i as u8)));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
res *= scale_by;
|
2022-08-29 07:32:59 +00:00
|
|
|
bits = 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
res
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Field for $FieldName {
|
2024-06-02 01:46:47 +00:00
|
|
|
const ZERO: Self = $FieldName(Residue::ZERO);
|
|
|
|
|
const ONE: Self = $FieldName(Residue::ONE);
|
2023-03-28 08:38:01 +00:00
|
|
|
|
2022-08-29 07:32:59 +00:00
|
|
|
fn random(mut rng: impl RngCore) -> Self {
|
2023-05-09 08:12:13 +00:00
|
|
|
let mut bytes = [0; 112];
|
2022-08-29 07:32:59 +00:00
|
|
|
rng.fill_bytes(&mut bytes);
|
2023-05-09 08:12:13 +00:00
|
|
|
$FieldName(Residue::new(&reduce(U896::from_le_slice(bytes.as_ref()))))
|
2022-08-29 07:32:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn square(&self) -> Self {
|
|
|
|
|
*self * self
|
|
|
|
|
}
|
|
|
|
|
fn double(&self) -> Self {
|
2023-04-19 08:02:59 +00:00
|
|
|
*self + self
|
2022-08-29 07:32:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn invert(&self) -> CtOption<Self> {
|
2023-04-19 08:02:59 +00:00
|
|
|
const NEG_2: $FieldName =
|
2024-06-02 01:46:47 +00:00
|
|
|
$FieldName($ResidueType::sub(&$ResidueType::ZERO, &$ResidueType::new(&U448::from_u8(2))));
|
2022-08-31 07:33:19 +00:00
|
|
|
CtOption::new(self.pow(NEG_2), !self.is_zero())
|
2022-08-29 07:32:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn sqrt(&self) -> CtOption<Self> {
|
2024-06-02 01:46:47 +00:00
|
|
|
const MOD_1_4: $FieldName = $FieldName($ResidueType::new(
|
2023-05-09 08:12:13 +00:00
|
|
|
&$MODULUS.saturating_add(&U448::ONE).wrapping_div(&U448::from_u8(4)),
|
2023-04-19 08:02:59 +00:00
|
|
|
));
|
|
|
|
|
|
2022-12-24 20:09:09 +00:00
|
|
|
let res = self.pow(MOD_1_4);
|
|
|
|
|
CtOption::new(res, res.square().ct_eq(self))
|
2022-08-29 07:32:59 +00:00
|
|
|
}
|
2023-03-28 08:38:01 +00:00
|
|
|
|
|
|
|
|
fn sqrt_ratio(num: &Self, div: &Self) -> (Choice, Self) {
|
|
|
|
|
sqrt_ratio_generic(num, div)
|
|
|
|
|
}
|
2022-08-29 07:32:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl PrimeField for $FieldName {
|
|
|
|
|
type Repr = GenericArray<u8, U57>;
|
2023-03-28 08:38:01 +00:00
|
|
|
|
|
|
|
|
const MODULUS: &'static str = $MODULUS_STR;
|
|
|
|
|
|
2022-08-29 07:32:59 +00:00
|
|
|
const NUM_BITS: u32 = $NUM_BITS;
|
|
|
|
|
const CAPACITY: u32 = $NUM_BITS - 1;
|
2023-03-28 08:38:01 +00:00
|
|
|
|
2023-05-09 08:12:13 +00:00
|
|
|
const TWO_INV: Self = $FieldName($ResidueType::new(&U448::from_u8(2)).invert().0);
|
2023-03-28 08:38:01 +00:00
|
|
|
|
2023-04-19 08:02:59 +00:00
|
|
|
const MULTIPLICATIVE_GENERATOR: Self =
|
2024-06-02 01:46:47 +00:00
|
|
|
$FieldName(Residue::new(&U448::from_u8($MULTIPLICATIVE_GENERATOR)));
|
2023-03-28 08:38:01 +00:00
|
|
|
// True for both the Ed448 Scalar field and FieldElement field
|
|
|
|
|
const S: u32 = 1;
|
|
|
|
|
|
|
|
|
|
// Both fields have their root of unity as -1
|
2023-04-19 08:02:59 +00:00
|
|
|
const ROOT_OF_UNITY: Self =
|
2024-06-02 01:46:47 +00:00
|
|
|
$FieldName($ResidueType::sub(&$ResidueType::ZERO, &$ResidueType::new(&U448::ONE)));
|
|
|
|
|
const ROOT_OF_UNITY_INV: Self = $FieldName(Self::ROOT_OF_UNITY.0.invert().0);
|
2023-03-28 08:38:01 +00:00
|
|
|
|
2023-05-09 08:12:13 +00:00
|
|
|
const DELTA: Self = $FieldName(Residue::new(&U448::from_le_hex($DELTA)));
|
2023-03-28 08:38:01 +00:00
|
|
|
|
2022-08-29 07:32:59 +00:00
|
|
|
fn from_repr(bytes: Self::Repr) -> CtOption<Self> {
|
2023-05-09 08:12:13 +00:00
|
|
|
let res = U448::from_le_slice(&bytes[.. 56]);
|
|
|
|
|
CtOption::new($FieldName(Residue::new(&res)), res.ct_lt(&$MODULUS) & bytes[56].ct_eq(&0))
|
2022-08-29 07:32:59 +00:00
|
|
|
}
|
|
|
|
|
fn to_repr(&self) -> Self::Repr {
|
|
|
|
|
let mut repr = GenericArray::<u8, U57>::default();
|
2023-05-09 08:12:13 +00:00
|
|
|
repr[.. 56].copy_from_slice(&self.0.retrieve().to_le_bytes());
|
2022-08-29 07:32:59 +00:00
|
|
|
repr
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn is_odd(&self) -> Choice {
|
2023-04-19 08:02:59 +00:00
|
|
|
self.0.retrieve().is_odd()
|
2022-08-29 07:32:59 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl PrimeFieldBits for $FieldName {
|
|
|
|
|
type ReprBits = [u8; 56];
|
|
|
|
|
|
|
|
|
|
fn to_le_bits(&self) -> FieldBits<Self::ReprBits> {
|
|
|
|
|
let mut repr = [0; 56];
|
|
|
|
|
repr.copy_from_slice(&self.to_repr()[.. 56]);
|
|
|
|
|
repr.into()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn char_le_bits() -> FieldBits<Self::ReprBits> {
|
2023-04-19 08:02:59 +00:00
|
|
|
let mut repr = [0; 56];
|
|
|
|
|
repr.copy_from_slice(&MODULUS.to_le_bytes()[.. 56]);
|
|
|
|
|
repr.into()
|
2022-08-29 07:32:59 +00:00
|
|
|
}
|
|
|
|
|
}
|
2023-03-28 08:38:01 +00:00
|
|
|
|
|
|
|
|
impl Sum<$FieldName> for $FieldName {
|
|
|
|
|
fn sum<I: Iterator<Item = $FieldName>>(iter: I) -> $FieldName {
|
|
|
|
|
let mut res = $FieldName::ZERO;
|
|
|
|
|
for item in iter {
|
|
|
|
|
res += item;
|
|
|
|
|
}
|
|
|
|
|
res
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl<'a> Sum<&'a $FieldName> for $FieldName {
|
|
|
|
|
fn sum<I: Iterator<Item = &'a $FieldName>>(iter: I) -> $FieldName {
|
|
|
|
|
iter.cloned().sum()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Product<$FieldName> for $FieldName {
|
|
|
|
|
fn product<I: Iterator<Item = $FieldName>>(iter: I) -> $FieldName {
|
|
|
|
|
let mut res = $FieldName::ONE;
|
|
|
|
|
for item in iter {
|
|
|
|
|
res *= item;
|
|
|
|
|
}
|
|
|
|
|
res
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl<'a> Product<&'a $FieldName> for $FieldName {
|
|
|
|
|
fn product<I: Iterator<Item = &'a $FieldName>>(iter: I) -> $FieldName {
|
|
|
|
|
iter.cloned().product()
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-08-29 07:32:59 +00:00
|
|
|
};
|
|
|
|
|
}
|
