Constant-time field inversion

WARNING: THIS IS NOT ACTUALLY CONSTANT TIME YET! The jubjub and bls12_381 crates will replace our constant-time usages, but we NEED to fix ff_derive because other users will expect it to implement the Field trait correctly.
2025-07-30 20:11:23 +00:00 · 2019-05-14 14:18:37 +01:00
parent e85a9f309f
commit 40749da9a7
25 changed files with 243 additions and 221 deletions
--- a/ff/ff_derive/src/lib.rs
+++ b/ff/ff_derive/src/lib.rs
@@ -791,6 +791,12 @@ fn prime_field_impl(
            }
        }

+        impl ::std::default::Default for #name {
+            fn default() -> #name {
+                #name::zero()
+            }
+        }
+
        impl ::std::cmp::PartialEq for #name {
            fn eq(&self, other: &#name) -> bool {
                self.0 == other.0
@@ -1062,9 +1068,11 @@ fn prime_field_impl(
                ret
            }

-            fn inverse(&self) -> Option<Self> {
+            /// WARNING: THIS IS NOT ACTUALLY CONSTANT TIME YET!
+            /// TODO: Make this constant-time.
+            fn invert(&self) -> ::subtle::CtOption<Self> {
                if self.is_zero() {
-                    None
+                    ::subtle::CtOption::new(#name::zero(), ::subtle::Choice::from(0))
                } else {
                    // Guajardo Kumar Paar Pelzl
                    // Efficient Software-Implementation of Finite Fields with Applications to Cryptography
@@ -1110,9 +1118,9 @@ fn prime_field_impl(
                    }

                    if u == one {
-                        Some(b)
+                        ::subtle::CtOption::new(b, ::subtle::Choice::from(1))
                    } else {
-                        Some(c)
+                        ::subtle::CtOption::new(c, ::subtle::Choice::from(1))
                    }
                }
            }
--- a/ff/src/lib.rs
+++ b/ff/src/lib.rs
@@ -12,7 +12,7 @@ use std::error::Error;
 use std::fmt;
 use std::io::{self, Read, Write};
 use std::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign};
-use subtle::ConditionallySelectable;
+use subtle::{ConditionallySelectable, CtOption};

 /// This trait represents an element of a field.
 pub trait Field:
@@ -20,6 +20,7 @@ pub trait Field:
    + Eq
    + Copy
    + Clone
+    + Default
    + Send
    + Sync
    + fmt::Debug
@@ -60,8 +61,9 @@ pub trait Field:
    #[must_use]
    fn double(&self) -> Self;

-    /// Computes the multiplicative inverse of this element, if nonzero.
-    fn inverse(&self) -> Option<Self>;
+    /// Computes the multiplicative inverse of this element,
+    /// failing if the element is zero.
+    fn invert(&self) -> CtOption<Self>;

    /// Exponentiates this element by a power of the base prime modulus via
    /// the Frobenius automorphism.