Ecosystem/serai
Ecosystem/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-03-24 08:08:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Minimize use of lazy_static in ed448

Browse source 
Increases usage of const values along with overall Field impl sanity 
with regards to the crypto_bigint backend.
This commit is contained in:
Luke Parker 2022-08-31 03:33:19 -04:00
parent a59bbe7635
commit 73566e756d
No known key found for this signature in database
GPG key ID: F9F1386DB1E119B6
6 changed files with 100 additions and 112 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

70
crypto/dalek-ff-group/src/field.rs
View file

@ -2,9 +2,12 @@ use core::ops::{Add, AddAssign, Sub, SubAssign, Neg, Mul, MulAssign};
use rand_core::RngCore; use rand_core::RngCore;
use subtle::{Choice, CtOption, ConstantTimeEq, ConditionallyNegatable, ConditionallySelectable}; use subtle::{
Choice, CtOption, ConstantTimeEq, ConstantTimeLess, ConditionallyNegatable,
ConditionallySelectable,
};
use crypto_bigint::{Encoding, U256, U512}; use crypto_bigint::{Integer, Encoding, U256, U512};
use ff::{Field, PrimeField, FieldBits, PrimeFieldBits}; use ff::{Field, PrimeField, FieldBits, PrimeFieldBits};
@ -13,9 +16,19 @@ use crate::{constant_time, math, from_uint};
const FIELD_MODULUS: U256 = const FIELD_MODULUS: U256 =
U256::from_be_hex("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed"); U256::from_be_hex("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed");
const WIDE_MODULUS: U512 = U512::from_be_hex(concat!(
"0000000000000000000000000000000000000000000000000000000000000000",
"7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed"
));
#[derive(Clone, Copy, PartialEq, Eq, Default, Debug)] #[derive(Clone, Copy, PartialEq, Eq, Default, Debug)]
pub struct FieldElement(U256); pub struct FieldElement(U256);
pub const MOD_3_8: FieldElement =
FieldElement(FIELD_MODULUS.saturating_add(&U256::from_u8(3)).wrapping_div(&U256::from_u8(8)));
pub const MOD_5_8: FieldElement = FieldElement(MOD_3_8.0.saturating_sub(&U256::ONE));
pub const EDWARDS_D: FieldElement = FieldElement(U256::from_be_hex( pub const EDWARDS_D: FieldElement = FieldElement(U256::from_be_hex(
"52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3", "52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3",
)); ));
@ -24,6 +37,10 @@ pub const SQRT_M1: FieldElement = FieldElement(U256::from_be_hex(
"2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0", "2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0",
)); ));
fn reduce(x: U512) -> U256 {
U256::from_le_slice(&x.reduce(&WIDE_MODULUS).unwrap().to_le_bytes()[.. 32])
}
constant_time!(FieldElement, U256); constant_time!(FieldElement, U256);
math!( math!(
FieldElement, FieldElement,
@ -31,14 +48,8 @@ math!(
|x, y| U256::add_mod(&x, &y, &FIELD_MODULUS), |x, y| U256::add_mod(&x, &y, &FIELD_MODULUS),
|x, y| U256::sub_mod(&x, &y, &FIELD_MODULUS), |x, y| U256::sub_mod(&x, &y, &FIELD_MODULUS),
|x, y| { |x, y| {
#[allow(non_snake_case)]
let WIDE_MODULUS: U512 = U512::from((U256::ZERO, FIELD_MODULUS));
debug_assert_eq!(FIELD_MODULUS.to_le_bytes()[..], WIDE_MODULUS.to_le_bytes()[.. 32]);
let wide = U256::mul_wide(&x, &y); let wide = U256::mul_wide(&x, &y);
U256::from_le_slice( reduce(U512::from((wide.1, wide.0)))
&U512::from((wide.1, wide.0)).reduce(&WIDE_MODULUS).unwrap().to_le_bytes()[.. 32],
)
} }
); );
from_uint!(FieldElement, U256); from_uint!(FieldElement, U256);
@ -61,14 +72,7 @@ impl Field for FieldElement {
fn random(mut rng: impl RngCore) -> Self { fn random(mut rng: impl RngCore) -> Self {
let mut bytes = [0; 64]; let mut bytes = [0; 64];
rng.fill_bytes(&mut bytes); rng.fill_bytes(&mut bytes);
FieldElement(reduce(U512::from_le_bytes(bytes)))
#[allow(non_snake_case)]
let WIDE_MODULUS: U512 = U512::from((U256::ZERO, FIELD_MODULUS));
debug_assert_eq!(FIELD_MODULUS.to_le_bytes()[..], WIDE_MODULUS.to_le_bytes()[.. 32]);
FieldElement(U256::from_le_slice(
&U512::from_be_bytes(bytes).reduce(&WIDE_MODULUS).unwrap().to_le_bytes()[.. 32],
))
} }
fn zero() -> Self { fn zero() -> Self {
@ -78,24 +82,20 @@ impl Field for FieldElement {
Self(U256::ONE) Self(U256::ONE)
} }
fn square(&self) -> Self { fn square(&self) -> Self {
*self * self FieldElement(reduce(self.0.square()))
} }
fn double(&self) -> Self { fn double(&self) -> Self {
*self + self FieldElement((self.0 << 1).reduce(&FIELD_MODULUS).unwrap())
} }
fn invert(&self) -> CtOption<Self> { fn invert(&self) -> CtOption<Self> {
CtOption::new(self.pow(-FieldElement(U256::from(2u64))), !self.is_zero()) const NEG_2: FieldElement = FieldElement(FIELD_MODULUS.saturating_sub(&U256::from_u8(2)));
CtOption::new(self.pow(NEG_2), !self.is_zero())
} }
fn sqrt(&self) -> CtOption<Self> { fn sqrt(&self) -> CtOption<Self> {
let c1 = SQRT_M1; let tv1 = self.pow(MOD_3_8);
let c2 = FIELD_MODULUS.saturating_add(&U256::from(3u8)).checked_div(&U256::from(8u8)).unwrap(); let tv2 = tv1 * SQRT_M1;
let tv1 = self.pow(FieldElement(c2));
let tv2 = tv1 * c1;
let res = Self::conditional_select(&tv2, &tv1, tv1.square().ct_eq(self));
debug_assert_eq!(res * res, *self);
CtOption::new(Self::conditional_select(&tv2, &tv1, tv1.square().ct_eq(self)), 1.into()) CtOption::new(Self::conditional_select(&tv2, &tv1, tv1.square().ct_eq(self)), 1.into())
} }
@ -103,7 +103,7 @@ impl Field for FieldElement {
self.0.ct_eq(&U256::ZERO) self.0.ct_eq(&U256::ZERO)
} }
fn cube(&self) -> Self { fn cube(&self) -> Self {
*self * self * self self.square() * self
} }
fn pow_vartime<S: AsRef<[u64]>>(&self, _exp: S) -> Self { fn pow_vartime<S: AsRef<[u64]>>(&self, _exp: S) -> Self {
unimplemented!() unimplemented!()
@ -116,7 +116,7 @@ impl PrimeField for FieldElement {
const CAPACITY: u32 = 254; const CAPACITY: u32 = 254;
fn from_repr(bytes: [u8; 32]) -> CtOption<Self> { fn from_repr(bytes: [u8; 32]) -> CtOption<Self> {
let res = Self(U256::from_le_bytes(bytes)); let res = Self(U256::from_le_bytes(bytes));
CtOption::new(res, res.0.add_mod(&U256::ZERO, &FIELD_MODULUS).ct_eq(&res.0)) CtOption::new(res, res.0.ct_lt(&FIELD_MODULUS))
} }
fn to_repr(&self) -> [u8; 32] { fn to_repr(&self) -> [u8; 32] {
self.0.to_le_bytes() self.0.to_le_bytes()
@ -124,7 +124,7 @@ impl PrimeField for FieldElement {
const S: u32 = 2; const S: u32 = 2;
fn is_odd(&self) -> Choice { fn is_odd(&self) -> Choice {
(self.to_repr()[0] & 1).into() self.0.is_odd()
} }
fn multiplicative_generator() -> Self { fn multiplicative_generator() -> Self {
2u64.into() 2u64.into()
@ -187,8 +187,7 @@ impl FieldElement {
let v3 = v.square() * v; let v3 = v.square() * v;
let v7 = v3.square() * v; let v7 = v3.square() * v;
let mut r = (u * v3) * let mut r = (u * v3) * (u * v7).pow(MOD_5_8);
(u * v7).pow((-FieldElement::from(5u8)) * FieldElement::from(8u8).invert().unwrap());
let check = v * r.square(); let check = v * r.square();
let correct_sign = check.ct_eq(&u); let correct_sign = check.ct_eq(&u);
@ -224,9 +223,10 @@ fn test_conditional_negate() {
#[test] #[test]
fn test_edwards_d() { fn test_edwards_d() {
let a = -FieldElement(U256::from_u32(121665)); // TODO: Generate the constant with this when const fn mul_mod is available, removing the need
let b = FieldElement(U256::from_u32(121666)); // for this test
let a = -FieldElement::from(121665u32);
let b = FieldElement::from(121666u32);
assert_eq!(EDWARDS_D, a * b.invert().unwrap()); assert_eq!(EDWARDS_D, a * b.invert().unwrap());
} }

2
crypto/ed448/Cargo.toml
View file

@ -9,7 +9,6 @@ keywords = ["ed448", "ff", "group"]
edition = "2021" edition = "2021"
[dependencies] [dependencies]
hex-literal = "0.3"
lazy_static = "1" lazy_static = "1"
rand_core = "0.6" rand_core = "0.6"
@ -27,4 +26,5 @@ crypto-bigint = { version = "0.4", features = ["zeroize"] }
dalek-ff-group = { path = "../dalek-ff-group", version = "^0.1.2" } dalek-ff-group = { path = "../dalek-ff-group", version = "^0.1.2" }
[dev-dependencies] [dev-dependencies]
hex-literal = "0.3"
hex = "0.4" hex = "0.4"

33
crypto/ed448/src/backend.rs
View file

@ -6,10 +6,10 @@ macro_rules! field {
use rand_core::RngCore; use rand_core::RngCore;
use subtle::{Choice, CtOption, ConstantTimeEq, ConditionallySelectable}; use subtle::{Choice, CtOption, ConstantTimeEq, ConstantTimeLess, ConditionallySelectable};
use generic_array::{typenum::U57, GenericArray}; use generic_array::{typenum::U57, GenericArray};
use crypto_bigint::Encoding; use crypto_bigint::{Integer, Encoding};
use ff::{Field, PrimeField, FieldBits, PrimeFieldBits}; use ff::{Field, PrimeField, FieldBits, PrimeFieldBits};
@ -38,7 +38,7 @@ macro_rules! field {
impl Neg for $FieldName { impl Neg for $FieldName {
type Output = $FieldName; type Output = $FieldName;
fn neg(self) -> $FieldName { fn neg(self) -> $FieldName {
*$MODULUS - self $MODULUS - self
} }
} }
@ -49,21 +49,15 @@ macro_rules! field {
} }
} }
lazy_static! {
pub(crate) static ref ZERO: $FieldName = $FieldName(U512::ZERO);
pub(crate) static ref ONE: $FieldName = $FieldName(U512::ONE);
pub(crate) static ref TWO: $FieldName = $FieldName(U512::ONE.saturating_add(&U512::ONE));
}
impl $FieldName { impl $FieldName {
pub fn pow(&self, other: $FieldName) -> $FieldName { pub fn pow(&self, other: $FieldName) -> $FieldName {
let mut table = [*ONE; 16]; let mut table = [Self(U512::ONE); 16];
table[1] = *self; table[1] = *self;
for i in 2 .. 16 { for i in 2 .. 16 {
table[i] = table[i - 1] * self; table[i] = table[i - 1] * self;
} }
let mut res = *ONE; let mut res = Self(U512::ONE);
let mut bits = 0; let mut bits = 0;
for (i, bit) in other.to_le_bits().iter().rev().enumerate() { for (i, bit) in other.to_le_bits().iter().rev().enumerate() {
bits <<= 1; bits <<= 1;
@ -93,20 +87,21 @@ macro_rules! field {
} }
fn zero() -> Self { fn zero() -> Self {
*ZERO Self(U512::ZERO)
} }
fn one() -> Self { fn one() -> Self {
*ONE Self(U512::ONE)
} }
fn square(&self) -> Self { fn square(&self) -> Self {
*self * self *self * self
} }
fn double(&self) -> Self { fn double(&self) -> Self {
*self + self $FieldName((self.0 << 1).reduce(&$MODULUS.0).unwrap())
} }
fn invert(&self) -> CtOption<Self> { fn invert(&self) -> CtOption<Self> {
CtOption::new(self.pow(-*TWO), !self.is_zero()) const NEG_2: $FieldName = Self($MODULUS.0.saturating_sub(&U512::from_u8(2)));
CtOption::new(self.pow(NEG_2), !self.is_zero())
} }
fn sqrt(&self) -> CtOption<Self> { fn sqrt(&self) -> CtOption<Self> {
@ -114,10 +109,10 @@ macro_rules! field {
} }
fn is_zero(&self) -> Choice { fn is_zero(&self) -> Choice {
self.ct_eq(&ZERO) self.0.ct_eq(&U512::ZERO)
} }
fn cube(&self) -> Self { fn cube(&self) -> Self {
*self * self * self self.square() * self
} }
fn pow_vartime<S: AsRef<[u64]>>(&self, _exp: S) -> Self { fn pow_vartime<S: AsRef<[u64]>>(&self, _exp: S) -> Self {
unimplemented!() unimplemented!()
@ -130,7 +125,7 @@ macro_rules! field {
const CAPACITY: u32 = $NUM_BITS - 1; const CAPACITY: u32 = $NUM_BITS - 1;
fn from_repr(bytes: Self::Repr) -> CtOption<Self> { fn from_repr(bytes: Self::Repr) -> CtOption<Self> {
let res = $FieldName(U512::from_le_slice(&[bytes.as_ref(), [0; 7].as_ref()].concat())); let res = $FieldName(U512::from_le_slice(&[bytes.as_ref(), [0; 7].as_ref()].concat()));
CtOption::new(res, res.0.add_mod(&U512::ZERO, &$MODULUS.0).ct_eq(&res.0)) CtOption::new(res, res.0.ct_lt(&$MODULUS.0))
} }
fn to_repr(&self) -> Self::Repr { fn to_repr(&self) -> Self::Repr {
let mut repr = GenericArray::<u8, U57>::default(); let mut repr = GenericArray::<u8, U57>::default();
@ -141,7 +136,7 @@ macro_rules! field {
// True for both the Ed448 Scalar field and FieldElement field // True for both the Ed448 Scalar field and FieldElement field
const S: u32 = 1; const S: u32 = 1;
fn is_odd(&self) -> Choice { fn is_odd(&self) -> Choice {
(self.to_repr()[0] & 1).into() self.0.is_odd()
} }
fn multiplicative_generator() -> Self { fn multiplicative_generator() -> Self {
unimplemented!() unimplemented!()

43
crypto/ed448/src/field.rs
View file

@ -1,10 +1,6 @@
use core::ops::Div;
use lazy_static::lazy_static;
use zeroize::Zeroize; use zeroize::Zeroize;
use crypto_bigint::{NonZero, U512, U1024}; use crypto_bigint::{U512, U1024};
use crate::field; use crate::field;
@ -12,28 +8,27 @@ use crate::field;
pub struct FieldElement(pub(crate) U512); pub struct FieldElement(pub(crate) U512);
// 2**448 - 2**224 - 1 // 2**448 - 2**224 - 1
lazy_static! { pub const MODULUS: FieldElement = FieldElement(U512::from_be_hex(concat!(
pub static ref MODULUS: FieldElement = FieldElement(U512::from_be_hex(concat!( "00000000000000",
"00000000000000", "00",
"00", "fffffffffffffffffffffffffffffffffffffffffffffffffffffffe",
"fffffffffffffffffffffffffffffffffffffffffffffffffffffffe", "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", )));
)));
static ref WIDE_MODULUS: U1024 = { const WIDE_MODULUS: U1024 = U1024::from_be_hex(concat!(
let res = U1024::from((U512::ZERO, MODULUS.0)); "0000000000000000000000000000000000000000000000000000000000000000",
debug_assert_eq!(MODULUS.0.to_le_bytes()[..], res.to_le_bytes()[.. 64]); "0000000000000000000000000000000000000000000000000000000000000000",
res "00000000000000",
}; "00",
} "fffffffffffffffffffffffffffffffffffffffffffffffffffffffe",
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
));
pub(crate) const Q_4: FieldElement =
FieldElement(MODULUS.0.saturating_add(&U512::ONE).wrapping_div(&U512::from_u8(4)));
field!(FieldElement, MODULUS, WIDE_MODULUS, 448); field!(FieldElement, MODULUS, WIDE_MODULUS, 448);
lazy_static! {
pub(crate) static ref Q_4: FieldElement = FieldElement(
MODULUS.0.saturating_add(&U512::ONE).div(NonZero::new(TWO.0.saturating_add(&TWO.0)).unwrap())
);
}
#[test] #[test]
fn repr() { fn repr() {
assert_eq!(FieldElement::from_repr(FieldElement::one().to_repr()).unwrap(), FieldElement::one()); assert_eq!(FieldElement::from_repr(FieldElement::one().to_repr()).unwrap(), FieldElement::one());

34
crypto/ed448/src/point.rs
View file

@ -10,25 +10,32 @@ use rand_core::RngCore;
use zeroize::Zeroize; use zeroize::Zeroize;
use subtle::{Choice, CtOption, ConstantTimeEq, ConditionallySelectable, ConditionallyNegatable}; use subtle::{Choice, CtOption, ConstantTimeEq, ConditionallySelectable, ConditionallyNegatable};
use crypto_bigint::U512;
use ff::{Field, PrimeField, PrimeFieldBits}; use ff::{Field, PrimeField, PrimeFieldBits};
use group::{Group, GroupEncoding, prime::PrimeGroup}; use group::{Group, GroupEncoding, prime::PrimeGroup};
use crate::{ use crate::{
scalar::{Scalar, MODULUS as SCALAR_MODULUS}, scalar::{Scalar, MODULUS as SCALAR_MODULUS},
field::{FieldElement, Q_4}, field::{FieldElement, MODULUS as FIELD_MODULUS, Q_4},
}; };
lazy_static! { const D: FieldElement = FieldElement(FIELD_MODULUS.0.saturating_sub(&U512::from_u16(39081)));
static ref D: FieldElement = -FieldElement::from(39081u16);
} const G_Y: FieldElement = FieldElement(U512::from_be_hex(concat!(
"00000000000000",
"00",
"693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e",
"05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14",
)));
fn recover_x(y: FieldElement) -> CtOption<FieldElement> { fn recover_x(y: FieldElement) -> CtOption<FieldElement> {
let ysq = y.square(); let ysq = y.square();
#[allow(non_snake_case)] #[allow(non_snake_case)]
let D_ysq = *D * ysq; let D_ysq = D * ysq;
(D_ysq - FieldElement::one()).invert().and_then(|inverted| { (D_ysq - FieldElement::one()).invert().and_then(|inverted| {
let temp = (ysq - FieldElement::one()) * inverted; let temp = (ysq - FieldElement::one()) * inverted;
let mut x = temp.pow(*Q_4); let mut x = temp.pow(Q_4);
x.conditional_negate(x.is_odd()); x.conditional_negate(x.is_odd());
let xsq = x.square(); let xsq = x.square();
@ -43,17 +50,8 @@ pub struct Point {
z: FieldElement, z: FieldElement,
} }
#[rustfmt::skip]
lazy_static! { lazy_static! {
static ref G_Y: FieldElement = FieldElement::from_repr( static ref G: Point = Point { x: recover_x(G_Y).unwrap(), y: G_Y, z: FieldElement::one() };
hex_literal::hex!(
"14fa30f25b790898adc8d74e2c13bdfdc4397ce61cffd33ad7c2a0051e9c78874098a36c7373ea4b62c7c9563720768824bcb66e71463f6900"
)
.into()
)
.unwrap();
static ref G: Point = Point { x: recover_x(*G_Y).unwrap(), y: *G_Y, z: FieldElement::one() };
} }
impl ConstantTimeEq for Point { impl ConstantTimeEq for Point {
@ -96,7 +94,7 @@ impl Add for Point {
#[allow(non_snake_case)] #[allow(non_snake_case)]
let B = zcp.square(); let B = zcp.square();
#[allow(non_snake_case)] #[allow(non_snake_case)]
let E = *D * xcp * ycp; let E = D * xcp * ycp;
#[allow(non_snake_case)] #[allow(non_snake_case)]
let F = B - E; let F = B - E;
#[allow(non_snake_case)] #[allow(non_snake_case)]
@ -268,7 +266,7 @@ impl MulAssign<&Scalar> for Point {
impl Point { impl Point {
pub fn is_torsion_free(&self) -> Choice { pub fn is_torsion_free(&self) -> Choice {
(*self * *SCALAR_MODULUS).is_identity() (*self * SCALAR_MODULUS).is_identity()
} }
} }

30
crypto/ed448/src/scalar.rs
View file

@ -1,5 +1,3 @@
use lazy_static::lazy_static;
use zeroize::Zeroize; use zeroize::Zeroize;
use crypto_bigint::{U512, U1024}; use crypto_bigint::{U512, U1024};
@ -10,19 +8,21 @@ pub use crate::field;
pub struct Scalar(pub(crate) U512); pub struct Scalar(pub(crate) U512);
// 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885 // 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885
lazy_static! { pub const MODULUS: Scalar = Scalar(U512::from_be_hex(concat!(
pub static ref MODULUS: Scalar = Scalar(U512::from_be_hex(concat!( "00000000000000",
"00000000000000", "00",
"00", "3fffffffffffffffffffffffffffffffffffffffffffffffffffffff",
"3fffffffffffffffffffffffffffffffffffffffffffffffffffffff", "7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3",
"7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3", )));
)));
static ref WIDE_MODULUS: U1024 = { const WIDE_MODULUS: U1024 = U1024::from_be_hex(concat!(
let res = U1024::from((U512::ZERO, MODULUS.0)); "0000000000000000000000000000000000000000000000000000000000000000",
debug_assert_eq!(MODULUS.0.to_le_bytes()[..], res.to_le_bytes()[.. 64]); "0000000000000000000000000000000000000000000000000000000000000000",
res "00000000000000",
}; "00",
} "3fffffffffffffffffffffffffffffffffffffffffffffffffffffff",
"7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3",
));
field!(Scalar, MODULUS, WIDE_MODULUS, 446); field!(Scalar, MODULUS, WIDE_MODULUS, 446);