Ecosystem/serai
Ecosystem/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-01-19 09:15:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
serai/crypto/ed448/src/point.rs

390 lines
8.8 KiB
Rust
Raw Normal View History

FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
use core::{
\#242 Expand usage of black_box/zeroize This commit greatly expands the usage of black_box/zeroize on bits, as it originally should have. It is likely overkill, leading to less efficient code generation, yet does its best to be comprehensive where comprehensiveness is extremely annoying to achieve. In the future, this usage of black_box may be desirable to move to its own crate. Credit to @AaronFeickert for identifying the original commit was incomplete.
2023-03-10 11:27:44 +00:00
ops::{DerefMut, Add, AddAssign, Neg, Sub, SubAssign, Mul, MulAssign},
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
iter::Sum,
};
use lazy_static::lazy_static;
use rand_core::RngCore;
use zeroize::Zeroize;
use subtle::{Choice, CtOption, ConstantTimeEq, ConditionallySelectable, ConditionallyNegatable};
Minimize use of lazy_static in ed448 Increases usage of const values along with overall Field impl sanity with regards to the crypto_bigint backend.
2022-08-31 07:33:19 +00:00
use crypto_bigint::U512;
Update and remove unused dependencies
2023-03-07 08:06:46 +00:00
use group::{
ff::{Field, PrimeField, PrimeFieldBits},
Group, GroupEncoding,
prime::PrimeGroup,
};
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
use crate::{
\#242 Expand usage of black_box/zeroize This commit greatly expands the usage of black_box/zeroize on bits, as it originally should have. It is likely overkill, leading to less efficient code generation, yet does its best to be comprehensive where comprehensiveness is extremely annoying to achieve. In the future, this usage of black_box may be desirable to move to its own crate. Credit to @AaronFeickert for identifying the original commit was incomplete.
2023-03-10 11:27:44 +00:00
backend::u8_from_bool,
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
scalar::{Scalar, MODULUS as SCALAR_MODULUS},
Minimize use of lazy_static in ed448 Increases usage of const values along with overall Field impl sanity with regards to the crypto_bigint backend.
2022-08-31 07:33:19 +00:00
field::{FieldElement, MODULUS as FIELD_MODULUS, Q_4},
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
};
Minimize use of lazy_static in ed448 Increases usage of const values along with overall Field impl sanity with regards to the crypto_bigint backend.
2022-08-31 07:33:19 +00:00
const D: FieldElement = FieldElement(FIELD_MODULUS.0.saturating_sub(&U512::from_u16(39081)));
const G_Y: FieldElement = FieldElement(U512::from_be_hex(concat!(
"00000000000000",
"00",
"693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e",
"05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14",
)));
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
fn recover_x(y: FieldElement) -> CtOption<FieldElement> {
let ysq = y.square();
#[allow(non_snake_case)]
Minimize use of lazy_static in ed448 Increases usage of const values along with overall Field impl sanity with regards to the crypto_bigint backend.
2022-08-31 07:33:19 +00:00
let D_ysq = D * ysq;
ff 0.13 (#269) * Partial move to ff 0.13 It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further work at this time. * Update all crates to work on ff 0.13 The provided curves still need to be expanded to fit the new API. * Finish adding dalek-ff-group ff 0.13 constants * Correct FieldElement::product definition Also stops exporting macros. * Test most new parts of ff 0.13 * Additionally test ff-group-tests with BLS12-381 and the pasta curves We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto, the group behind ff/group, and the pasta curves, which is by Zcash (though Zcash developers are also behind zk-crypto). * Finish Ed448 Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13. * Add RustCrypto/elliptic-curves to allowed git repos Needed due to k256/p256 incorrectly defining product. * Finish writing ff 0.13 tests * Add additional comments to dalek * Further comments * Update ethereum-serai to ff 0.13
2023-03-28 08:38:01 +00:00
(D_ysq - FieldElement::ONE).invert().and_then(|inverted| {
let temp = (ysq - FieldElement::ONE) * inverted;
Minimize use of lazy_static in ed448 Increases usage of const values along with overall Field impl sanity with regards to the crypto_bigint backend.
2022-08-31 07:33:19 +00:00
let mut x = temp.pow(Q_4);
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
x.conditional_negate(x.is_odd());
let xsq = x.square();
ff 0.13 (#269) * Partial move to ff 0.13 It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further work at this time. * Update all crates to work on ff 0.13 The provided curves still need to be expanded to fit the new API. * Finish adding dalek-ff-group ff 0.13 constants * Correct FieldElement::product definition Also stops exporting macros. * Test most new parts of ff 0.13 * Additionally test ff-group-tests with BLS12-381 and the pasta curves We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto, the group behind ff/group, and the pasta curves, which is by Zcash (though Zcash developers are also behind zk-crypto). * Finish Ed448 Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13. * Add RustCrypto/elliptic-curves to allowed git repos Needed due to k256/p256 incorrectly defining product. * Finish writing ff 0.13 tests * Add additional comments to dalek * Further comments * Update ethereum-serai to ff 0.13
2023-03-28 08:38:01 +00:00
CtOption::new(x, (xsq + ysq).ct_eq(&(FieldElement::ONE + (xsq * D_ysq))))
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
})
}
Fully document crypto/
2023-03-21 00:10:00 +00:00
/// Ed448 point.
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
#[derive(Clone, Copy, Debug, Zeroize)]
pub struct Point {
x: FieldElement,
y: FieldElement,
z: FieldElement,
}
lazy_static! {
ff 0.13 (#269) * Partial move to ff 0.13 It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further work at this time. * Update all crates to work on ff 0.13 The provided curves still need to be expanded to fit the new API. * Finish adding dalek-ff-group ff 0.13 constants * Correct FieldElement::product definition Also stops exporting macros. * Test most new parts of ff 0.13 * Additionally test ff-group-tests with BLS12-381 and the pasta curves We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto, the group behind ff/group, and the pasta curves, which is by Zcash (though Zcash developers are also behind zk-crypto). * Finish Ed448 Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13. * Add RustCrypto/elliptic-curves to allowed git repos Needed due to k256/p256 incorrectly defining product. * Finish writing ff 0.13 tests * Add additional comments to dalek * Further comments * Update ethereum-serai to ff 0.13
2023-03-28 08:38:01 +00:00
static ref G: Point = Point { x: recover_x(G_Y).unwrap(), y: G_Y, z: FieldElement::ONE };
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
}
impl ConstantTimeEq for Point {
fn ct_eq(&self, other: &Self) -> Choice {
let x1 = self.x * other.z;
let x2 = other.x * self.z;
let y1 = self.y * other.z;
let y2 = other.y * self.z;
x1.ct_eq(&x2) & y1.ct_eq(&y2)
}
}
impl PartialEq for Point {
fn eq(&self, other: &Point) -> bool {
self.ct_eq(other).into()
}
}
impl Eq for Point {}
impl ConditionallySelectable for Point {
fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self {
Point {
x: FieldElement::conditional_select(&a.x, &b.x, choice),
y: FieldElement::conditional_select(&a.y, &b.y, choice),
z: FieldElement::conditional_select(&a.z, &b.z, choice),
}
}
}
impl Add for Point {
type Output = Point;
fn add(self, other: Self) -> Self {
// 12 muls, 7 additions, 4 negations
let xcp = self.x * other.x;
let ycp = self.y * other.y;
let zcp = self.z * other.z;
#[allow(non_snake_case)]
let B = zcp.square();
#[allow(non_snake_case)]
Minimize use of lazy_static in ed448 Increases usage of const values along with overall Field impl sanity with regards to the crypto_bigint backend.
2022-08-31 07:33:19 +00:00
let E = D * xcp * ycp;
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
#[allow(non_snake_case)]
let F = B - E;
#[allow(non_snake_case)]
let G_ = B + E;
Point {
x: zcp * F * ((self.x + self.y) * (other.x + other.y) - xcp - ycp),
y: zcp * G_ * (ycp - xcp),
z: F * G_,
}
}
}
impl AddAssign for Point {
fn add_assign(&mut self, other: Point) {
*self = *self + other;
}
}
impl Add<&Point> for Point {
type Output = Point;
fn add(self, other: &Point) -> Point {
self + *other
}
}
impl AddAssign<&Point> for Point {
fn add_assign(&mut self, other: &Point) {
*self += *other;
}
}
impl Neg for Point {
type Output = Point;
fn neg(self) -> Self {
Point { x: -self.x, y: self.y, z: self.z }
}
}
impl Sub for Point {
type Output = Point;
#[allow(clippy::suspicious_arithmetic_impl)]
fn sub(self, other: Self) -> Self {
self + other.neg()
}
}
impl SubAssign for Point {
fn sub_assign(&mut self, other: Point) {
*self = *self - other;
}
}
impl Sub<&Point> for Point {
type Output = Point;
fn sub(self, other: &Point) -> Point {
self - *other
}
}
impl SubAssign<&Point> for Point {
fn sub_assign(&mut self, other: &Point) {
*self -= *other;
}
}
impl Group for Point {
type Scalar = Scalar;
Use a Group::random which doesn't have a known DL While Group::random shouldn't be used instead of a hash to curve, anyone who did would've previously been insecure and now isn't. Could've done a recover_x and a raw Point construction, followed by a cofactor mul, to avoid the serialization, yet the serialization ensures full validity under the standard from_bytes function. THis also doesn't need to be micro-optimized.
2022-08-29 17:02:20 +00:00
fn random(mut rng: impl RngCore) -> Self {
loop {
let mut bytes = FieldElement::random(&mut rng).to_repr();
let mut_ref: &mut [u8] = bytes.as_mut();
mut_ref[56] |= u8::try_from(rng.next_u32() % 2).unwrap() << 7;
let opt = Self::from_bytes(&bytes);
if opt.is_some().into() {
return opt.unwrap();
}
}
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
}
fn identity() -> Self {
ff 0.13 (#269) * Partial move to ff 0.13 It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further work at this time. * Update all crates to work on ff 0.13 The provided curves still need to be expanded to fit the new API. * Finish adding dalek-ff-group ff 0.13 constants * Correct FieldElement::product definition Also stops exporting macros. * Test most new parts of ff 0.13 * Additionally test ff-group-tests with BLS12-381 and the pasta curves We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto, the group behind ff/group, and the pasta curves, which is by Zcash (though Zcash developers are also behind zk-crypto). * Finish Ed448 Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13. * Add RustCrypto/elliptic-curves to allowed git repos Needed due to k256/p256 incorrectly defining product. * Finish writing ff 0.13 tests * Add additional comments to dalek * Further comments * Update ethereum-serai to ff 0.13
2023-03-28 08:38:01 +00:00
Point { x: FieldElement::ZERO, y: FieldElement::ONE, z: FieldElement::ONE }
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
}
fn generator() -> Self {
*G
}
fn is_identity(&self) -> Choice {
self.ct_eq(&Self::identity())
}
fn double(&self) -> Self {
// 7 muls, 7 additions, 4 negations
let xsq = self.x.square();
let ysq = self.y.square();
let zsq = self.z.square();
let xy = self.x + self.y;
#[allow(non_snake_case)]
let F = xsq + ysq;
#[allow(non_snake_case)]
let J = F - zsq.double();
Point { x: J * (xy.square() - xsq - ysq), y: F * (xsq - ysq), z: F * J }
}
}
impl Sum<Point> for Point {
fn sum<I: Iterator<Item = Point>>(iter: I) -> Point {
let mut res = Self::identity();
for i in iter {
res += i;
}
res
}
}
impl<'a> Sum<&'a Point> for Point {
fn sum<I: Iterator<Item = &'a Point>>(iter: I) -> Point {
Point::sum(iter.cloned())
}
}
impl Mul<Scalar> for Point {
type Output = Point;
\#242 Expand usage of black_box/zeroize This commit greatly expands the usage of black_box/zeroize on bits, as it originally should have. It is likely overkill, leading to less efficient code generation, yet does its best to be comprehensive where comprehensiveness is extremely annoying to achieve. In the future, this usage of black_box may be desirable to move to its own crate. Credit to @AaronFeickert for identifying the original commit was incomplete.
2023-03-10 11:27:44 +00:00
fn mul(self, mut other: Scalar) -> Point {
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
// Precompute the optimal amount that's a multiple of 2
let mut table = [Point::identity(); 16];
table[1] = self;
for i in 2 .. 16 {
table[i] = table[i - 1] + self;
}
let mut res = Self::identity();
let mut bits = 0;
\#242 Expand usage of black_box/zeroize This commit greatly expands the usage of black_box/zeroize on bits, as it originally should have. It is likely overkill, leading to less efficient code generation, yet does its best to be comprehensive where comprehensiveness is extremely annoying to achieve. In the future, this usage of black_box may be desirable to move to its own crate. Credit to @AaronFeickert for identifying the original commit was incomplete.
2023-03-10 11:27:44 +00:00
for (i, mut bit) in other.to_le_bits().iter_mut().rev().enumerate() {
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
bits <<= 1;
\#242 Expand usage of black_box/zeroize This commit greatly expands the usage of black_box/zeroize on bits, as it originally should have. It is likely overkill, leading to less efficient code generation, yet does its best to be comprehensive where comprehensiveness is extremely annoying to achieve. In the future, this usage of black_box may be desirable to move to its own crate. Credit to @AaronFeickert for identifying the original commit was incomplete.
2023-03-10 11:27:44 +00:00
let mut bit = u8_from_bool(bit.deref_mut());
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
bits |= bit;
\#242 Expand usage of black_box/zeroize This commit greatly expands the usage of black_box/zeroize on bits, as it originally should have. It is likely overkill, leading to less efficient code generation, yet does its best to be comprehensive where comprehensiveness is extremely annoying to achieve. In the future, this usage of black_box may be desirable to move to its own crate. Credit to @AaronFeickert for identifying the original commit was incomplete.
2023-03-10 11:27:44 +00:00
bit.zeroize();
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
if ((i + 1) % 4) == 0 {
if i != 3 {
for _ in 0 .. 4 {
res = res.double();
}
}
res += table[usize::from(bits)];
bits = 0;
}
}
\#242 Expand usage of black_box/zeroize This commit greatly expands the usage of black_box/zeroize on bits, as it originally should have. It is likely overkill, leading to less efficient code generation, yet does its best to be comprehensive where comprehensiveness is extremely annoying to achieve. In the future, this usage of black_box may be desirable to move to its own crate. Credit to @AaronFeickert for identifying the original commit was incomplete.
2023-03-10 11:27:44 +00:00
other.zeroize();
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
res
}
}
impl MulAssign<Scalar> for Point {
fn mul_assign(&mut self, other: Scalar) {
*self = *self * other;
}
}
impl Mul<&Scalar> for Point {
type Output = Point;
fn mul(self, other: &Scalar) -> Point {
self * *other
}
}
impl MulAssign<&Scalar> for Point {
fn mul_assign(&mut self, other: &Scalar) {
*self *= *other;
}
}
impl Point {
Fully document crypto/
2023-03-21 00:10:00 +00:00
fn is_torsion_free(&self) -> Choice {
Minimize use of lazy_static in ed448 Increases usage of const values along with overall Field impl sanity with regards to the crypto_bigint backend.
2022-08-31 07:33:19 +00:00
(*self * SCALAR_MODULUS).is_identity()
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
}
}
impl GroupEncoding for Point {
type Repr = <FieldElement as PrimeField>::Repr;
fn from_bytes(bytes: &Self::Repr) -> CtOption<Self> {
// Extract and clear the sign bit
let sign = Choice::from(bytes[56] >> 7);
let mut bytes = *bytes;
let mut_ref: &mut [u8] = bytes.as_mut();
mut_ref[56] &= !(1 << 7);
// Parse y, recover x
FieldElement::from_repr(bytes).and_then(|y| {
recover_x(y).and_then(|mut x| {
x.conditional_negate(x.is_odd().ct_eq(&!sign));
let not_negative_zero = !(x.is_zero() & sign);
ff 0.13 (#269) * Partial move to ff 0.13 It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further work at this time. * Update all crates to work on ff 0.13 The provided curves still need to be expanded to fit the new API. * Finish adding dalek-ff-group ff 0.13 constants * Correct FieldElement::product definition Also stops exporting macros. * Test most new parts of ff 0.13 * Additionally test ff-group-tests with BLS12-381 and the pasta curves We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto, the group behind ff/group, and the pasta curves, which is by Zcash (though Zcash developers are also behind zk-crypto). * Finish Ed448 Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13. * Add RustCrypto/elliptic-curves to allowed git repos Needed due to k256/p256 incorrectly defining product. * Finish writing ff 0.13 tests * Add additional comments to dalek * Further comments * Update ethereum-serai to ff 0.13
2023-03-28 08:38:01 +00:00
let point = Point { x, y, z: FieldElement::ONE };
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
CtOption::new(point, not_negative_zero & point.is_torsion_free())
})
})
}
fn from_bytes_unchecked(bytes: &Self::Repr) -> CtOption<Self> {
Point::from_bytes(bytes)
}
fn to_bytes(&self) -> Self::Repr {
let z = self.z.invert().unwrap();
let x = self.x * z;
let y = self.y * z;
let mut bytes = y.to_repr();
let mut_ref: &mut [u8] = bytes.as_mut();
mut_ref[56] |= x.is_odd().unwrap_u8() << 7;
bytes
}
}
impl PrimeGroup for Point {}
#[test]
Add a dedicated crate for testing ff/group implementors Provides extensive testing for dalek-ff-group and ed448. Also includes a fix for an observed bug in ed448.
2022-12-24 20:09:09 +00:00
fn test_group() {
ff 0.13 (#269) * Partial move to ff 0.13 It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further work at this time. * Update all crates to work on ff 0.13 The provided curves still need to be expanded to fit the new API. * Finish adding dalek-ff-group ff 0.13 constants * Correct FieldElement::product definition Also stops exporting macros. * Test most new parts of ff 0.13 * Additionally test ff-group-tests with BLS12-381 and the pasta curves We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto, the group behind ff/group, and the pasta curves, which is by Zcash (though Zcash developers are also behind zk-crypto). * Finish Ed448 Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13. * Add RustCrypto/elliptic-curves to allowed git repos Needed due to k256/p256 incorrectly defining product. * Finish writing ff 0.13 tests * Add additional comments to dalek * Further comments * Update ethereum-serai to ff 0.13
2023-03-28 08:38:01 +00:00
ff_group_tests::group::test_prime_group_bits::<_, Point>(&mut rand_core::OsRng);
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
}
#[test]
fn torsion() {
Add a dedicated crate for testing ff/group implementors Provides extensive testing for dalek-ff-group and ed448. Also includes a fix for an observed bug in ed448.
2022-12-24 20:09:09 +00:00
use generic_array::GenericArray;
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
// Uses the originally suggested generator which had torsion
Add a dedicated crate for testing ff/group implementors Provides extensive testing for dalek-ff-group and ed448. Also includes a fix for an observed bug in ed448.
2022-12-24 20:09:09 +00:00
let old_y = FieldElement::from_repr(*GenericArray::from_slice(
&hex::decode(
"\
12796c1532041525945f322e414d434467cfd5c57c9a9af2473b2775\
8c921c4828b277ca5f2891fc4f3d79afdf29a64c72fb28b59c16fa51\
00",
)
.unwrap(),
))
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
.unwrap();
ff 0.13 (#269) * Partial move to ff 0.13 It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further work at this time. * Update all crates to work on ff 0.13 The provided curves still need to be expanded to fit the new API. * Finish adding dalek-ff-group ff 0.13 constants * Correct FieldElement::product definition Also stops exporting macros. * Test most new parts of ff 0.13 * Additionally test ff-group-tests with BLS12-381 and the pasta curves We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto, the group behind ff/group, and the pasta curves, which is by Zcash (though Zcash developers are also behind zk-crypto). * Finish Ed448 Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13. * Add RustCrypto/elliptic-curves to allowed git repos Needed due to k256/p256 incorrectly defining product. * Finish writing ff 0.13 tests * Add additional comments to dalek * Further comments * Update ethereum-serai to ff 0.13
2023-03-28 08:38:01 +00:00
let old = Point { x: -recover_x(old_y).unwrap(), y: old_y, z: FieldElement::ONE };
FROST Ed448 (#107) * Theoretical ed448 impl * Fixes * Basic tests * More efficient scalarmul Precomputes a table to minimize additions required. * Add a torsion test * Split into a constant and variable time backend The variable time one is still far too slow, at 53s for the tests (~5s a scalarmul). It should be usable as a PoC though. * Rename unsafe Ed448 It's not only unworthy of the Serai branding and deserves more clarity in the name. * Add wide reduction to ed448 * Add Zeroize to Ed448 * Rename Ed448 group.rs to point.rs * Minor lint to FROST * Ed448 ciphersuite with 8032 test vector * Macro out the backend fields * Slight efficiency improvement to point decompression * Disable the multiexp test in FROST for Ed448 * fmt + clippy ed448 * Fix an infinite loop in the constant time ed448 backend * Add b"chal" to the 8032 context string for Ed448 Successfully tests against proposed vectors for the FROST IETF draft. * Fix fmt and clippy * Use a tabled pow algorithm in ed448's const backend * Slight tweaks to variable time backend Stop from_repr(MODULUS) from passing. * Use extended points Almost two orders of magnitude faster. * Efficient ed448 doubling * Remove the variable time backend With the recent performance improvements, the constant time backend is now 4x faster than the variable time backend was. While the variable time backend remains much faster, and the constant time backend is still slow compared to other libraries, it's sufficiently performant now. The FROST test, which runs a series of multiexps over the curve, does take 218.26s while Ristretto takes 1 and secp256k1 takes 4.57s. While 50x slower than secp256k1 is horrible, it's ~1.5 orders of magntiude, which is close enough to the desire stated in https://github.com/serai-dex/serai/issues/108 to meet it. Largely makes this library safe to use. * Correct constants in ed448 * Rename unsafe-ed448 to minimal-ed448 Enables all FROST tests against it. * No longer require the hazmat feature to use ed448 * Remove extraneous as_refs
2022-08-29 07:32:59 +00:00
assert!(bool::from(!old.is_torsion_free()));
}
#[test]
fn vector() {
use generic_array::GenericArray;
assert_eq!(
Point::generator().double(),
Point::from_bytes(GenericArray::from_slice(
&hex::decode(
"\
ed8693eacdfbeada6ba0cdd1beb2bcbb98302a3a8365650db8c4d88a\
726de3b7d74d8835a0d76e03b0c2865020d659b38d04d74a63e905ae\
80"
)
.unwrap()
))
.unwrap()
);
assert_eq!(
Point::generator() *
Scalar::from_repr(*GenericArray::from_slice(
&hex::decode(
"\
6298e1eef3c379392caaed061ed8a31033c9e9e3420726f23b404158\
a401cd9df24632adfe6b418dc942d8a091817dd8bd70e1c72ba52f3c\
00"
)
.unwrap()
))
.unwrap(),
Point::from_bytes(GenericArray::from_slice(
&hex::decode(
"\
3832f82fda00ff5365b0376df705675b63d2a93c24c6e81d40801ba2\
65632be10f443f95968fadb70d10786827f30dc001c8d0f9b7c1d1b0\
00"
)
.unwrap()
))
.unwrap()
);
}
Use a Group::random which doesn't have a known DL While Group::random shouldn't be used instead of a hash to curve, anyone who did would've previously been insecure and now isn't. Could've done a recover_x and a raw Point construction, followed by a cofactor mul, to avoid the serialization, yet the serialization ensures full validity under the standard from_bytes function. THis also doesn't need to be micro-optimized.
2022-08-29 17:02:20 +00:00
Add a dedicated crate for testing ff/group implementors Provides extensive testing for dalek-ff-group and ed448. Also includes a fix for an observed bug in ed448.
2022-12-24 20:09:09 +00:00
// Checks random won't infinitely loop
Use a Group::random which doesn't have a known DL While Group::random shouldn't be used instead of a hash to curve, anyone who did would've previously been insecure and now isn't. Could've done a recover_x and a raw Point construction, followed by a cofactor mul, to avoid the serialization, yet the serialization ensures full validity under the standard from_bytes function. THis also doesn't need to be micro-optimized.
2022-08-29 17:02:20 +00:00
#[test]
fn random() {
Point::random(&mut rand_core::OsRng);
}
Reference in a new issue Copy permalink