diff --git a/crypto/dalek-ff-group/src/field.rs b/crypto/dalek-ff-group/src/field.rs index 527e187f..cac19b25 100644 --- a/crypto/dalek-ff-group/src/field.rs +++ b/crypto/dalek-ff-group/src/field.rs @@ -2,9 +2,12 @@ use core::ops::{Add, AddAssign, Sub, SubAssign, Neg, Mul, MulAssign}; use rand_core::RngCore; -use subtle::{Choice, CtOption, ConstantTimeEq, ConditionallyNegatable, ConditionallySelectable}; +use subtle::{ + Choice, CtOption, ConstantTimeEq, ConstantTimeLess, ConditionallyNegatable, + ConditionallySelectable, +}; -use crypto_bigint::{Encoding, U256, U512}; +use crypto_bigint::{Integer, Encoding, U256, U512}; use ff::{Field, PrimeField, FieldBits, PrimeFieldBits}; @@ -13,9 +16,19 @@ use crate::{constant_time, math, from_uint}; const FIELD_MODULUS: U256 = U256::from_be_hex("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed"); +const WIDE_MODULUS: U512 = U512::from_be_hex(concat!( + "0000000000000000000000000000000000000000000000000000000000000000", + "7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed" +)); + #[derive(Clone, Copy, PartialEq, Eq, Default, Debug)] pub struct FieldElement(U256); +pub const MOD_3_8: FieldElement = + FieldElement(FIELD_MODULUS.saturating_add(&U256::from_u8(3)).wrapping_div(&U256::from_u8(8))); + +pub const MOD_5_8: FieldElement = FieldElement(MOD_3_8.0.saturating_sub(&U256::ONE)); + pub const EDWARDS_D: FieldElement = FieldElement(U256::from_be_hex( "52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3", )); @@ -24,6 +37,10 @@ pub const SQRT_M1: FieldElement = FieldElement(U256::from_be_hex( "2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0", )); +fn reduce(x: U512) -> U256 { + U256::from_le_slice(&x.reduce(&WIDE_MODULUS).unwrap().to_le_bytes()[.. 32]) +} + constant_time!(FieldElement, U256); math!( FieldElement, @@ -31,14 +48,8 @@ math!( |x, y| U256::add_mod(&x, &y, &FIELD_MODULUS), |x, y| U256::sub_mod(&x, &y, &FIELD_MODULUS), |x, y| { - #[allow(non_snake_case)] - let WIDE_MODULUS: U512 = U512::from((U256::ZERO, FIELD_MODULUS)); - debug_assert_eq!(FIELD_MODULUS.to_le_bytes()[..], WIDE_MODULUS.to_le_bytes()[.. 32]); - let wide = U256::mul_wide(&x, &y); - U256::from_le_slice( - &U512::from((wide.1, wide.0)).reduce(&WIDE_MODULUS).unwrap().to_le_bytes()[.. 32], - ) + reduce(U512::from((wide.1, wide.0))) } ); from_uint!(FieldElement, U256); @@ -61,14 +72,7 @@ impl Field for FieldElement { fn random(mut rng: impl RngCore) -> Self { let mut bytes = [0; 64]; rng.fill_bytes(&mut bytes); - - #[allow(non_snake_case)] - let WIDE_MODULUS: U512 = U512::from((U256::ZERO, FIELD_MODULUS)); - debug_assert_eq!(FIELD_MODULUS.to_le_bytes()[..], WIDE_MODULUS.to_le_bytes()[.. 32]); - - FieldElement(U256::from_le_slice( - &U512::from_be_bytes(bytes).reduce(&WIDE_MODULUS).unwrap().to_le_bytes()[.. 32], - )) + FieldElement(reduce(U512::from_le_bytes(bytes))) } fn zero() -> Self { @@ -78,24 +82,20 @@ impl Field for FieldElement { Self(U256::ONE) } fn square(&self) -> Self { - *self * self + FieldElement(reduce(self.0.square())) } fn double(&self) -> Self { - *self + self + FieldElement((self.0 << 1).reduce(&FIELD_MODULUS).unwrap()) } fn invert(&self) -> CtOption { - CtOption::new(self.pow(-FieldElement(U256::from(2u64))), !self.is_zero()) + const NEG_2: FieldElement = FieldElement(FIELD_MODULUS.saturating_sub(&U256::from_u8(2))); + CtOption::new(self.pow(NEG_2), !self.is_zero()) } fn sqrt(&self) -> CtOption { - let c1 = SQRT_M1; - let c2 = FIELD_MODULUS.saturating_add(&U256::from(3u8)).checked_div(&U256::from(8u8)).unwrap(); - - let tv1 = self.pow(FieldElement(c2)); - let tv2 = tv1 * c1; - let res = Self::conditional_select(&tv2, &tv1, tv1.square().ct_eq(self)); - debug_assert_eq!(res * res, *self); + let tv1 = self.pow(MOD_3_8); + let tv2 = tv1 * SQRT_M1; CtOption::new(Self::conditional_select(&tv2, &tv1, tv1.square().ct_eq(self)), 1.into()) } @@ -103,7 +103,7 @@ impl Field for FieldElement { self.0.ct_eq(&U256::ZERO) } fn cube(&self) -> Self { - *self * self * self + self.square() * self } fn pow_vartime>(&self, _exp: S) -> Self { unimplemented!() @@ -116,7 +116,7 @@ impl PrimeField for FieldElement { const CAPACITY: u32 = 254; fn from_repr(bytes: [u8; 32]) -> CtOption { let res = Self(U256::from_le_bytes(bytes)); - CtOption::new(res, res.0.add_mod(&U256::ZERO, &FIELD_MODULUS).ct_eq(&res.0)) + CtOption::new(res, res.0.ct_lt(&FIELD_MODULUS)) } fn to_repr(&self) -> [u8; 32] { self.0.to_le_bytes() @@ -124,7 +124,7 @@ impl PrimeField for FieldElement { const S: u32 = 2; fn is_odd(&self) -> Choice { - (self.to_repr()[0] & 1).into() + self.0.is_odd() } fn multiplicative_generator() -> Self { 2u64.into() @@ -187,8 +187,7 @@ impl FieldElement { let v3 = v.square() * v; let v7 = v3.square() * v; - let mut r = (u * v3) * - (u * v7).pow((-FieldElement::from(5u8)) * FieldElement::from(8u8).invert().unwrap()); + let mut r = (u * v3) * (u * v7).pow(MOD_5_8); let check = v * r.square(); let correct_sign = check.ct_eq(&u); @@ -224,9 +223,10 @@ fn test_conditional_negate() { #[test] fn test_edwards_d() { - let a = -FieldElement(U256::from_u32(121665)); - let b = FieldElement(U256::from_u32(121666)); - + // TODO: Generate the constant with this when const fn mul_mod is available, removing the need + // for this test + let a = -FieldElement::from(121665u32); + let b = FieldElement::from(121666u32); assert_eq!(EDWARDS_D, a * b.invert().unwrap()); } diff --git a/crypto/ed448/Cargo.toml b/crypto/ed448/Cargo.toml index 945e529f..f262b3fd 100644 --- a/crypto/ed448/Cargo.toml +++ b/crypto/ed448/Cargo.toml @@ -9,7 +9,6 @@ keywords = ["ed448", "ff", "group"] edition = "2021" [dependencies] -hex-literal = "0.3" lazy_static = "1" rand_core = "0.6" @@ -27,4 +26,5 @@ crypto-bigint = { version = "0.4", features = ["zeroize"] } dalek-ff-group = { path = "../dalek-ff-group", version = "^0.1.2" } [dev-dependencies] +hex-literal = "0.3" hex = "0.4" diff --git a/crypto/ed448/src/backend.rs b/crypto/ed448/src/backend.rs index 686c2f8e..a4cc5921 100644 --- a/crypto/ed448/src/backend.rs +++ b/crypto/ed448/src/backend.rs @@ -6,10 +6,10 @@ macro_rules! field { use rand_core::RngCore; - use subtle::{Choice, CtOption, ConstantTimeEq, ConditionallySelectable}; + use subtle::{Choice, CtOption, ConstantTimeEq, ConstantTimeLess, ConditionallySelectable}; use generic_array::{typenum::U57, GenericArray}; - use crypto_bigint::Encoding; + use crypto_bigint::{Integer, Encoding}; use ff::{Field, PrimeField, FieldBits, PrimeFieldBits}; @@ -38,7 +38,7 @@ macro_rules! field { impl Neg for $FieldName { type Output = $FieldName; fn neg(self) -> $FieldName { - *$MODULUS - self + $MODULUS - self } } @@ -49,21 +49,15 @@ macro_rules! field { } } - lazy_static! { - pub(crate) static ref ZERO: $FieldName = $FieldName(U512::ZERO); - pub(crate) static ref ONE: $FieldName = $FieldName(U512::ONE); - pub(crate) static ref TWO: $FieldName = $FieldName(U512::ONE.saturating_add(&U512::ONE)); - } - impl $FieldName { pub fn pow(&self, other: $FieldName) -> $FieldName { - let mut table = [*ONE; 16]; + let mut table = [Self(U512::ONE); 16]; table[1] = *self; for i in 2 .. 16 { table[i] = table[i - 1] * self; } - let mut res = *ONE; + let mut res = Self(U512::ONE); let mut bits = 0; for (i, bit) in other.to_le_bits().iter().rev().enumerate() { bits <<= 1; @@ -93,20 +87,21 @@ macro_rules! field { } fn zero() -> Self { - *ZERO + Self(U512::ZERO) } fn one() -> Self { - *ONE + Self(U512::ONE) } fn square(&self) -> Self { *self * self } fn double(&self) -> Self { - *self + self + $FieldName((self.0 << 1).reduce(&$MODULUS.0).unwrap()) } fn invert(&self) -> CtOption { - CtOption::new(self.pow(-*TWO), !self.is_zero()) + const NEG_2: $FieldName = Self($MODULUS.0.saturating_sub(&U512::from_u8(2))); + CtOption::new(self.pow(NEG_2), !self.is_zero()) } fn sqrt(&self) -> CtOption { @@ -114,10 +109,10 @@ macro_rules! field { } fn is_zero(&self) -> Choice { - self.ct_eq(&ZERO) + self.0.ct_eq(&U512::ZERO) } fn cube(&self) -> Self { - *self * self * self + self.square() * self } fn pow_vartime>(&self, _exp: S) -> Self { unimplemented!() @@ -130,7 +125,7 @@ macro_rules! field { const CAPACITY: u32 = $NUM_BITS - 1; fn from_repr(bytes: Self::Repr) -> CtOption { let res = $FieldName(U512::from_le_slice(&[bytes.as_ref(), [0; 7].as_ref()].concat())); - CtOption::new(res, res.0.add_mod(&U512::ZERO, &$MODULUS.0).ct_eq(&res.0)) + CtOption::new(res, res.0.ct_lt(&$MODULUS.0)) } fn to_repr(&self) -> Self::Repr { let mut repr = GenericArray::::default(); @@ -141,7 +136,7 @@ macro_rules! field { // True for both the Ed448 Scalar field and FieldElement field const S: u32 = 1; fn is_odd(&self) -> Choice { - (self.to_repr()[0] & 1).into() + self.0.is_odd() } fn multiplicative_generator() -> Self { unimplemented!() diff --git a/crypto/ed448/src/field.rs b/crypto/ed448/src/field.rs index 05931d14..1b5ca571 100644 --- a/crypto/ed448/src/field.rs +++ b/crypto/ed448/src/field.rs @@ -1,10 +1,6 @@ -use core::ops::Div; - -use lazy_static::lazy_static; - use zeroize::Zeroize; -use crypto_bigint::{NonZero, U512, U1024}; +use crypto_bigint::{U512, U1024}; use crate::field; @@ -12,28 +8,27 @@ use crate::field; pub struct FieldElement(pub(crate) U512); // 2**448 - 2**224 - 1 -lazy_static! { - pub static ref MODULUS: FieldElement = FieldElement(U512::from_be_hex(concat!( - "00000000000000", - "00", - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffe", - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - ))); - static ref WIDE_MODULUS: U1024 = { - let res = U1024::from((U512::ZERO, MODULUS.0)); - debug_assert_eq!(MODULUS.0.to_le_bytes()[..], res.to_le_bytes()[.. 64]); - res - }; -} +pub const MODULUS: FieldElement = FieldElement(U512::from_be_hex(concat!( + "00000000000000", + "00", + "fffffffffffffffffffffffffffffffffffffffffffffffffffffffe", + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", +))); + +const WIDE_MODULUS: U1024 = U1024::from_be_hex(concat!( + "0000000000000000000000000000000000000000000000000000000000000000", + "0000000000000000000000000000000000000000000000000000000000000000", + "00000000000000", + "00", + "fffffffffffffffffffffffffffffffffffffffffffffffffffffffe", + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", +)); + +pub(crate) const Q_4: FieldElement = + FieldElement(MODULUS.0.saturating_add(&U512::ONE).wrapping_div(&U512::from_u8(4))); field!(FieldElement, MODULUS, WIDE_MODULUS, 448); -lazy_static! { - pub(crate) static ref Q_4: FieldElement = FieldElement( - MODULUS.0.saturating_add(&U512::ONE).div(NonZero::new(TWO.0.saturating_add(&TWO.0)).unwrap()) - ); -} - #[test] fn repr() { assert_eq!(FieldElement::from_repr(FieldElement::one().to_repr()).unwrap(), FieldElement::one()); diff --git a/crypto/ed448/src/point.rs b/crypto/ed448/src/point.rs index 8f9d1b10..d5500a8d 100644 --- a/crypto/ed448/src/point.rs +++ b/crypto/ed448/src/point.rs @@ -10,25 +10,32 @@ use rand_core::RngCore; use zeroize::Zeroize; use subtle::{Choice, CtOption, ConstantTimeEq, ConditionallySelectable, ConditionallyNegatable}; +use crypto_bigint::U512; + use ff::{Field, PrimeField, PrimeFieldBits}; use group::{Group, GroupEncoding, prime::PrimeGroup}; use crate::{ scalar::{Scalar, MODULUS as SCALAR_MODULUS}, - field::{FieldElement, Q_4}, + field::{FieldElement, MODULUS as FIELD_MODULUS, Q_4}, }; -lazy_static! { - static ref D: FieldElement = -FieldElement::from(39081u16); -} +const D: FieldElement = FieldElement(FIELD_MODULUS.0.saturating_sub(&U512::from_u16(39081))); + +const G_Y: FieldElement = FieldElement(U512::from_be_hex(concat!( + "00000000000000", + "00", + "693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e", + "05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14", +))); fn recover_x(y: FieldElement) -> CtOption { let ysq = y.square(); #[allow(non_snake_case)] - let D_ysq = *D * ysq; + let D_ysq = D * ysq; (D_ysq - FieldElement::one()).invert().and_then(|inverted| { let temp = (ysq - FieldElement::one()) * inverted; - let mut x = temp.pow(*Q_4); + let mut x = temp.pow(Q_4); x.conditional_negate(x.is_odd()); let xsq = x.square(); @@ -43,17 +50,8 @@ pub struct Point { z: FieldElement, } -#[rustfmt::skip] lazy_static! { - static ref G_Y: FieldElement = FieldElement::from_repr( - hex_literal::hex!( - "14fa30f25b790898adc8d74e2c13bdfdc4397ce61cffd33ad7c2a0051e9c78874098a36c7373ea4b62c7c9563720768824bcb66e71463f6900" - ) - .into() - ) - .unwrap(); - - static ref G: Point = Point { x: recover_x(*G_Y).unwrap(), y: *G_Y, z: FieldElement::one() }; + static ref G: Point = Point { x: recover_x(G_Y).unwrap(), y: G_Y, z: FieldElement::one() }; } impl ConstantTimeEq for Point { @@ -96,7 +94,7 @@ impl Add for Point { #[allow(non_snake_case)] let B = zcp.square(); #[allow(non_snake_case)] - let E = *D * xcp * ycp; + let E = D * xcp * ycp; #[allow(non_snake_case)] let F = B - E; #[allow(non_snake_case)] @@ -268,7 +266,7 @@ impl MulAssign<&Scalar> for Point { impl Point { pub fn is_torsion_free(&self) -> Choice { - (*self * *SCALAR_MODULUS).is_identity() + (*self * SCALAR_MODULUS).is_identity() } } diff --git a/crypto/ed448/src/scalar.rs b/crypto/ed448/src/scalar.rs index b0db88c0..72b7b2fa 100644 --- a/crypto/ed448/src/scalar.rs +++ b/crypto/ed448/src/scalar.rs @@ -1,5 +1,3 @@ -use lazy_static::lazy_static; - use zeroize::Zeroize; use crypto_bigint::{U512, U1024}; @@ -10,19 +8,21 @@ pub use crate::field; pub struct Scalar(pub(crate) U512); // 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885 -lazy_static! { - pub static ref MODULUS: Scalar = Scalar(U512::from_be_hex(concat!( - "00000000000000", - "00", - "3fffffffffffffffffffffffffffffffffffffffffffffffffffffff", - "7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3", - ))); - static ref WIDE_MODULUS: U1024 = { - let res = U1024::from((U512::ZERO, MODULUS.0)); - debug_assert_eq!(MODULUS.0.to_le_bytes()[..], res.to_le_bytes()[.. 64]); - res - }; -} +pub const MODULUS: Scalar = Scalar(U512::from_be_hex(concat!( + "00000000000000", + "00", + "3fffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3", +))); + +const WIDE_MODULUS: U1024 = U1024::from_be_hex(concat!( + "0000000000000000000000000000000000000000000000000000000000000000", + "0000000000000000000000000000000000000000000000000000000000000000", + "00000000000000", + "00", + "3fffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3", +)); field!(Scalar, MODULUS, WIDE_MODULUS, 446);