Qortal/pirate-librustzcash
3
0
Fork 0
mirror of https://github.com/Qortal/pirate-librustzcash.git synced 2025-02-01 08:12:14 +00:00
Code Issues Projects Releases Wiki Activity

Improve Field::pow API and impl

Browse Source 
Renamed to Field::pow_vartime to indicate it is still variable time with
respect to the exponent.
This commit is contained in:
Jack Grigg 2019-05-15 11:24:00 +01:00
parent e88e2a9dc2
commit 1c9f5742fa
No known key found for this signature in database
GPG Key ID: 9E8255172BBF9898
15 changed files with 75 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
bellman/src/domain.rs
View File

@ -106,7 +106,7 @@ impl<E: ScalarEngine, G: Group<E>> EvaluationDomain<E, G> {
worker.scope(self.coeffs.len(), |scope, chunk| {
for (i, v) in self.coeffs.chunks_mut(chunk).enumerate() {
scope.spawn(move |_scope| {
let mut u = g.pow(&[(i * chunk) as u64]);
let mut u = g.pow_vartime(&[(i * chunk) as u64]);
for v in v.iter_mut() {
v.group_mul_assign(&u);
u.mul_assign(&g);
@ -131,7 +131,7 @@ impl<E: ScalarEngine, G: Group<E>> EvaluationDomain<E, G> {
/// This evaluates t(tau) for this domain, which is
/// tau^m - 1 for these radix-2 domains.
pub fn z(&self, tau: &E::Fr) -> E::Fr {
let mut tmp = tau.pow(&[self.coeffs.len() as u64]);
let mut tmp = tau.pow_vartime(&[self.coeffs.len() as u64]);
tmp.sub_assign(&E::Fr::one());
tmp
@ -294,7 +294,7 @@ fn serial_fft<E: ScalarEngine, T: Group<E>>(a: &mut [T], omega: &E::Fr, log_n: u
let mut m = 1;
for _ in 0..log_n {
let w_m = omega.pow(&[u64::from(n / (2 * m))]);
let w_m = omega.pow_vartime(&[u64::from(n / (2 * m))]);
let mut k = 0;
while k < n {
@ -328,7 +328,7 @@ fn parallel_fft<E: ScalarEngine, T: Group<E>>(
let num_cpus = 1 << log_cpus;
let log_new_n = log_n - log_cpus;
let mut tmp = vec![vec![T::group_zero(); 1 << log_new_n]; num_cpus];
let new_omega = omega.pow(&[num_cpus as u64]);
let new_omega = omega.pow_vartime(&[num_cpus as u64]);
worker.scope(0, |scope, _| {
let a = &*a;
@ -336,8 +336,8 @@ fn parallel_fft<E: ScalarEngine, T: Group<E>>(
for (j, tmp) in tmp.iter_mut().enumerate() {
scope.spawn(move |_scope| {
// Shuffle into a sub-FFT
let omega_j = omega.pow(&[j as u64]);
let omega_step = omega.pow(&[(j as u64) << log_new_n]);
let omega_j = omega.pow_vartime(&[j as u64]);
let omega_step = omega.pow_vartime(&[(j as u64) << log_new_n]);
let mut elt = E::Fr::one();
for (i, tmp) in tmp.iter_mut().enumerate() {

4
bellman/src/gadgets/multieq.rs
View File

@ -50,7 +50,9 @@ impl<E: ScalarEngine, CS: ConstraintSystem<E>> MultiEq<E, CS> {
assert!((E::Fr::CAPACITY as usize) > (self.bits_used + num_bits));
let coeff = E::Fr::from_str("2").unwrap().pow(&[self.bits_used as u64]);
let coeff = E::Fr::from_str("2")
.unwrap()
.pow_vartime(&[self.bits_used as u64]);
self.lhs = self.lhs.clone() + (coeff, lhs);
self.rhs = self.rhs.clone() + (coeff, rhs);
self.bits_used += num_bits;

2
bellman/src/gadgets/test/mod.rs
View File

@ -155,7 +155,7 @@ impl<E: ScalarEngine> TestConstraintSystem<E> {
let negone = E::Fr::one().neg();
let powers_of_two = (0..E::Fr::NUM_BITS)
.map(|i| E::Fr::from_str("2").unwrap().pow(&[u64::from(i)]))
.map(|i| E::Fr::from_str("2").unwrap().pow_vartime(&[u64::from(i)]))
.collect::<Vec<_>>();
let pp = |s: &mut String, lc: &LinearCombination<E>| {

2
bellman/src/groth16/generator.rs
View File

@ -242,7 +242,7 @@ where
worker.scope(powers_of_tau.len(), |scope, chunk| {
for (i, powers_of_tau) in powers_of_tau.chunks_mut(chunk).enumerate() {
scope.spawn(move |_scope| {
let mut current_tau_power = tau.pow(&[(i * chunk) as u64]);
let mut current_tau_power = tau.pow_vartime(&[(i * chunk) as u64]);
for p in powers_of_tau {
p.0 = current_tau_power;

9
bellman/src/groth16/tests/dummy_engine.rs
View File

@ -172,7 +172,10 @@ impl Field for Fr {
if <Fr as Field>::is_zero(self) {
CtOption::new(<Fr as Field>::zero(), Choice::from(0))
} else {
CtOption::new(self.pow(&[(MODULUS_R.0 as u64) - 2]), Choice::from(1))
CtOption::new(
self.pow_vartime(&[(MODULUS_R.0 as u64) - 2]),
Choice::from(1),
)
}
}
@ -187,9 +190,9 @@ impl SqrtField for Fr {
// https://eprint.iacr.org/2012/685.pdf (page 12, algorithm 5)
let mut c = Fr::root_of_unity();
// r = self^((t + 1) // 2)
let mut r = self.pow([32]);
let mut r = self.pow_vartime([32]);
// t = self^t
let mut t = self.pow([63]);
let mut t = self.pow_vartime([63]);
let mut m = Fr::S;
while t != <Fr as Field>::one() {

10
bellman/src/groth16/tests/mod.rs
View File

@ -127,22 +127,22 @@ fn test_xordemo() {
let mut root_of_unity = Fr::root_of_unity();
// We expect this to be a 2^10 root of unity
assert_eq!(Fr::one(), root_of_unity.pow(&[1 << 10]));
assert_eq!(Fr::one(), root_of_unity.pow_vartime(&[1 << 10]));
// Let's turn it into a 2^3 root of unity.
root_of_unity = root_of_unity.pow(&[1 << 7]);
assert_eq!(Fr::one(), root_of_unity.pow(&[1 << 3]));
root_of_unity = root_of_unity.pow_vartime(&[1 << 7]);
assert_eq!(Fr::one(), root_of_unity.pow_vartime(&[1 << 3]));
assert_eq!(Fr::from_str("20201").unwrap(), root_of_unity);
// Let's compute all the points in our evaluation domain.
let mut points = Vec::with_capacity(8);
for i in 0..8 {
points.push(root_of_unity.pow(&[i]));
points.push(root_of_unity.pow_vartime(&[i]));
}
// Let's compute t(tau) = (tau - p_0)(tau - p_1)...
// = tau^8 - 1
let mut t_at_tau = tau.pow(&[8]);
let mut t_at_tau = tau.pow_vartime(&[8]);
t_at_tau.sub_assign(&Fr::one());
{
let mut tmp = Fr::one();

4
ff/ff_derive/src/lib.rs
View File

@ -427,7 +427,7 @@ fn prime_field_constants_and_sqrt(
// Because r = 3 (mod 4)
// sqrt can be done with only one exponentiation,
// via the computation of self^((r + 1) // 4) (mod r)
let sqrt = self.pow(#mod_plus_1_over_4);
let sqrt = self.pow_vartime(#mod_plus_1_over_4);
::subtle::CtOption::new(
sqrt,
@ -447,7 +447,7 @@ fn prime_field_constants_and_sqrt(
use ::subtle::{ConditionallySelectable, ConstantTimeEq};
// w = self^((t - 1) // 2)
let w = self.pow(#t_minus_1_over_2);
let w = self.pow_vartime(#t_minus_1_over_2);
let mut v = S;
let mut x = *self * &w;

22
ff/src/lib.rs
View File

@ -69,24 +69,22 @@ pub trait Field:
/// the Frobenius automorphism.
fn frobenius_map(&mut self, power: usize);
/// Exponentiates this element by a number represented with `u64` limbs,
/// least significant digit first.
fn pow<S: AsRef<[u64]>>(&self, exp: S) -> Self {
/// Exponentiates `self` by `exp`, where `exp` is a little-endian order
/// integer exponent.
///
/// **This operation is variable time with respect to the exponent.** If the
/// exponent is fixed, this operation is effectively constant time.
fn pow_vartime<S: AsRef<[u64]>>(&self, exp: S) -> Self {
let mut res = Self::one();
let mut found_one = false;
for i in BitIterator::new(exp) {
if found_one {
for e in exp.as_ref().iter().rev() {
for i in (0..64).rev() {
res = res.square();
} else {
found_one = i;
}
if i {
if ((*e >> i) & 1) == 1 {
res.mul_assign(self);
}
}
}
res
}

52
pairing/src/bls12_381/fq.rs
View File

@ -464,7 +464,7 @@ fn test_frob_coeffs() {
assert_eq!(FROBENIUS_COEFF_FQ2_C1[0], Fq::one());
assert_eq!(
FROBENIUS_COEFF_FQ2_C1[1],
nqr.pow([
nqr.pow_vartime([
0xdcff7fffffffd555,
0xf55ffff58a9ffff,
0xb39869507b587b12,
@ -482,7 +482,7 @@ fn test_frob_coeffs() {
assert_eq!(FROBENIUS_COEFF_FQ6_C1[0], Fq2::one());
assert_eq!(
FROBENIUS_COEFF_FQ6_C1[1],
nqr.pow([
nqr.pow_vartime([
0x9354ffffffffe38e,
0xa395554e5c6aaaa,
0xcd104635a790520c,
@ -493,7 +493,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ6_C1[2],
nqr.pow([
nqr.pow_vartime([
0xb78e0000097b2f68,
0xd44f23b47cbd64e3,
0x5cb9668120b069a9,
@ -510,7 +510,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ6_C1[3],
nqr.pow([
nqr.pow_vartime([
0xdbc6fcd6f35b9e06,
0x997dead10becd6aa,
0x9dbbd24c17206460,
@ -533,7 +533,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ6_C1[4],
nqr.pow([
nqr.pow_vartime([
0x4649add3c71c6d90,
0x43caa6528972a865,
0xcda8445bbaaa0fbb,
@ -562,7 +562,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ6_C1[5],
nqr.pow([
nqr.pow_vartime([
0xf896f792732eb2be,
0x49c86a6d1dc593a1,
0xe5b31e94581f91c3,
@ -599,7 +599,7 @@ fn test_frob_coeffs() {
assert_eq!(FROBENIUS_COEFF_FQ6_C2[0], Fq2::one());
assert_eq!(
FROBENIUS_COEFF_FQ6_C2[1],
nqr.pow([
nqr.pow_vartime([
0x26a9ffffffffc71c,
0x1472aaa9cb8d5555,
0x9a208c6b4f20a418,
@ -610,7 +610,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ6_C2[2],
nqr.pow([
nqr.pow_vartime([
0x6f1c000012f65ed0,
0xa89e4768f97ac9c7,
0xb972cd024160d353,
@ -627,7 +627,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ6_C2[3],
nqr.pow([
nqr.pow_vartime([
0xb78df9ade6b73c0c,
0x32fbd5a217d9ad55,
0x3b77a4982e40c8c1,
@ -650,7 +650,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ6_C2[4],
nqr.pow([
nqr.pow_vartime([
0x8c935ba78e38db20,
0x87954ca512e550ca,
0x9b5088b775541f76,
@ -679,7 +679,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ6_C2[5],
nqr.pow([
nqr.pow_vartime([
0xf12def24e65d657c,
0x9390d4da3b8b2743,
0xcb663d28b03f2386,
@ -716,7 +716,7 @@ fn test_frob_coeffs() {
assert_eq!(FROBENIUS_COEFF_FQ12_C1[0], Fq2::one());
assert_eq!(
FROBENIUS_COEFF_FQ12_C1[1],
nqr.pow([
nqr.pow_vartime([
0x49aa7ffffffff1c7,
0x51caaaa72e35555,
0xe688231ad3c82906,
@ -727,7 +727,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ12_C1[2],
nqr.pow([
nqr.pow_vartime([
0xdbc7000004bd97b4,
0xea2791da3e5eb271,
0x2e5cb340905834d4,
@ -744,7 +744,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ12_C1[3],
nqr.pow(vec![
nqr.pow_vartime(vec![
0x6de37e6b79adcf03,
0x4cbef56885f66b55,
0x4edde9260b903230,
@ -767,7 +767,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ12_C1[4],
nqr.pow(vec![
nqr.pow_vartime(vec![
0xa324d6e9e38e36c8,
0xa1e5532944b95432,
0x66d4222ddd5507dd,
@ -796,7 +796,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ12_C1[5],
nqr.pow(vec![
nqr.pow_vartime(vec![
0xfc4b7bc93997595f,
0xa4e435368ee2c9d0,
0xf2d98f4a2c0fc8e1,
@ -831,7 +831,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ12_C1[6],
nqr.pow(vec![
nqr.pow_vartime(vec![
0x21219610a012ba3c,
0xa5c19ad35375325,
0x4e9df1e497674396,
@ -872,7 +872,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ12_C1[7],
nqr.pow(vec![
nqr.pow_vartime(vec![
0x742754a1f22fdb,
0x2a1955c2dec3a702,
0x9747b28c796d134e,
@ -919,7 +919,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ12_C1[8],
nqr.pow(vec![
nqr.pow_vartime(vec![
0x802f5720d0b25710,
0x6714f0a258b85c7c,
0x31394c90afdf16e,
@ -972,7 +972,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ12_C1[9],
nqr.pow(vec![
nqr.pow_vartime(vec![
0x4af4accf7de0b977,
0x742485e21805b4ee,
0xee388fbc4ac36dec,
@ -1031,7 +1031,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ12_C1[10],
nqr.pow(vec![
nqr.pow_vartime(vec![
0xe5953a4f96cdda44,
0x336b2d734cbc32bb,
0x3f79bfe3cd7410e,
@ -1096,7 +1096,7 @@ fn test_frob_coeffs() {
);
assert_eq!(
FROBENIUS_COEFF_FQ12_C1[11],
nqr.pow(vec![
nqr.pow_vartime(vec![
0x107db680942de533,
0x6262b24d2052393b,
0x6136df824159ebc,
@ -2032,7 +2032,7 @@ fn test_fq_pow() {
// Exponentiate by various small numbers and ensure it consists with repeated
// multiplication.
let a = Fq::random(&mut rng);
let target = a.pow(&[i]);
let target = a.pow_vartime(&[i]);
let mut c = Fq::one();
for _ in 0..i {
c.mul_assign(&a);
@ -2044,7 +2044,7 @@ fn test_fq_pow() {
// Exponentiating by the modulus should have no effect in a prime field.
let a = Fq::random(&mut rng);
assert_eq!(a, a.pow(Fq::char()));
assert_eq!(a, a.pow_vartime(Fq::char()));
}
}
@ -2195,7 +2195,7 @@ fn test_fq_root_of_unity() {
Fq::from_repr(FqRepr::from(2)).unwrap()
);
assert_eq!(
Fq::multiplicative_generator().pow([
Fq::multiplicative_generator().pow_vartime([
0xdcff7fffffffd555,
0xf55ffff58a9ffff,
0xb39869507b587b12,
@ -2205,7 +2205,7 @@ fn test_fq_root_of_unity() {
]),
Fq::root_of_unity()
);
assert_eq!(Fq::root_of_unity().pow([1 << Fq::S]), Fq::one());
assert_eq!(Fq::root_of_unity().pow_vartime([1 << Fq::S]), Fq::one());
assert!(bool::from(Fq::multiplicative_generator().sqrt().is_none()));
}

4
pairing/src/bls12_381/fq2.rs
View File

@ -253,7 +253,7 @@ impl SqrtField for Fq2 {
CtOption::new(Self::zero(), Choice::from(1))
} else {
// a1 = self^((q - 3) / 4)
let mut a1 = self.pow([
let mut a1 = self.pow_vartime([
0xee7fbfffffffeaaa,
0x7aaffffac54ffff,
0xd9cc34a83dac3d89,
@ -285,7 +285,7 @@ impl SqrtField for Fq2 {
} else {
alpha.add_assign(&Fq2::one());
// alpha = alpha^((q - 1) / 2)
alpha = alpha.pow([
alpha = alpha.pow_vartime([
0xdcff7fffffffd555,
0xf55ffff58a9ffff,
0xb39869507b587b12,

8
pairing/src/bls12_381/fr.rs
View File

@ -767,7 +767,7 @@ fn test_fr_pow() {
// Exponentiate by various small numbers and ensure it consists with repeated
// multiplication.
let a = Fr::random(&mut rng);
let target = a.pow(&[i]);
let target = a.pow_vartime(&[i]);
let mut c = Fr::one();
for _ in 0..i {
c.mul_assign(&a);
@ -779,7 +779,7 @@ fn test_fr_pow() {
// Exponentiating by the modulus should have no effect in a prime field.
let a = Fr::random(&mut rng);
assert_eq!(a, a.pow(Fr::char()));
assert_eq!(a, a.pow_vartime(Fr::char()));
}
}
@ -964,7 +964,7 @@ fn test_fr_root_of_unity() {
Fr::from_repr(FrRepr::from(7)).unwrap()
);
assert_eq!(
Fr::multiplicative_generator().pow([
Fr::multiplicative_generator().pow_vartime([
0xfffe5bfeffffffff,
0x9a1d80553bda402,
0x299d7d483339d808,
@ -972,7 +972,7 @@ fn test_fr_root_of_unity() {
]),
Fr::root_of_unity()
);
assert_eq!(Fr::root_of_unity().pow([1 << Fr::S]), Fr::one());
assert_eq!(Fr::root_of_unity().pow_vartime([1 << Fr::S]), Fr::one());
assert!(bool::from(Fr::multiplicative_generator().sqrt().is_none()));
}

2
pairing/src/bls12_381/mod.rs
View File

@ -124,7 +124,7 @@ impl Engine for Bls12 {
r.mul_assign(&f2);
fn exp_by_x(f: &mut Fq12, x: u64) {
*f = f.pow(&[x]);
*f = f.pow_vartime(&[x]);
if BLS_X_IS_NEGATIVE {
f.conjugate();
}

2
pairing/src/tests/engine.rs
View File

@ -130,7 +130,7 @@ fn random_bilinearity_tests<E: Engine>() {
let mut cd = c;
cd.mul_assign(&d);
let abcd = E::pairing(a, b).pow(cd.into_repr());
let abcd = E::pairing(a, b).pow_vartime(cd.into_repr());
assert_eq!(acbd, adbc);
assert_eq!(acbd, abcd);

2
pairing/src/tests/field.rs
View File

@ -14,7 +14,7 @@ pub fn random_frobenius_tests<F: Field, C: AsRef<[u64]>>(characteristic: C, maxp
let mut b = a;
for _ in 0..i {
a = a.pow(&characteristic);
a = a.pow_vartime(&characteristic);
}
b.frobenius_map(i);

10
zcash_primitives/src/jubjub/fs.rs
View File

@ -744,7 +744,7 @@ impl SqrtField for Fs {
// https://eprint.iacr.org/2012/685.pdf (page 9, algorithm 2)
// a1 = self^((s - 3) // 4)
let mut a1 = self.pow([
let mut a1 = self.pow_vartime([
0xb425c397b5bdcb2d,
0x299a0824f3320420,
0x4199cec0404d0ec0,
@ -1495,7 +1495,7 @@ fn test_fs_pow() {
// Exponentiate by various small numbers and ensure it consists with repeated
// multiplication.
let a = Fs::random(&mut rng);
let target = a.pow(&[i]);
let target = a.pow_vartime(&[i]);
let mut c = Fs::one();
for _ in 0..i {
c.mul_assign(&a);
@ -1507,7 +1507,7 @@ fn test_fs_pow() {
// Exponentiating by the modulus should have no effect in a prime field.
let a = Fs::random(&mut rng);
assert_eq!(a, a.pow(Fs::char()));
assert_eq!(a, a.pow_vartime(Fs::char()));
}
}
@ -1688,7 +1688,7 @@ fn test_fs_root_of_unity() {
Fs::from_repr(FsRepr::from(6)).unwrap()
);
assert_eq!(
Fs::multiplicative_generator().pow([
Fs::multiplicative_generator().pow_vartime([
0x684b872f6b7b965b,
0x53341049e6640841,
0x83339d80809a1d80,
@ -1696,6 +1696,6 @@ fn test_fs_root_of_unity() {
]),
Fs::root_of_unity()
);
assert_eq!(Fs::root_of_unity().pow([1 << Fs::S]), Fs::one());
assert_eq!(Fs::root_of_unity().pow_vartime([1 << Fs::S]), Fs::one());
assert!(bool::from(Fs::multiplicative_generator().sqrt().is_none()));
}