Constant-time field inversion

WARNING: THIS IS NOT ACTUALLY CONSTANT TIME YET! The jubjub and bls12_381 crates will replace our constant-time usages, but we NEED to fix ff_derive because other users will expect it to implement the Field trait correctly.
2025-11-02 20:37:03 +00:00 · 2019-05-14 14:18:37 +01:00
parent e85a9f309f
commit 40749da9a7
25 changed files with 243 additions and 221 deletions
--- a/ff/ff_derive/src/lib.rs
+++ b/ff/ff_derive/src/lib.rs
@@ -791,6 +791,12 @@ fn prime_field_impl(
            }
        }

+        impl ::std::default::Default for #name {
+            fn default() -> #name {
+                #name::zero()
+            }
+        }
+
        impl ::std::cmp::PartialEq for #name {
            fn eq(&self, other: &#name) -> bool {
                self.0 == other.0
@@ -1062,9 +1068,11 @@ fn prime_field_impl(
                ret
            }

-            fn inverse(&self) -> Option<Self> {
+            /// WARNING: THIS IS NOT ACTUALLY CONSTANT TIME YET!
+            /// TODO: Make this constant-time.
+            fn invert(&self) -> ::subtle::CtOption<Self> {
                if self.is_zero() {
-                    None
+                    ::subtle::CtOption::new(#name::zero(), ::subtle::Choice::from(0))
                } else {
                    // Guajardo Kumar Paar Pelzl
                    // Efficient Software-Implementation of Finite Fields with Applications to Cryptography
@@ -1110,9 +1118,9 @@ fn prime_field_impl(
                    }

                    if u == one {
-                        Some(b)
+                        ::subtle::CtOption::new(b, ::subtle::Choice::from(1))
                    } else {
-                        Some(c)
+                        ::subtle::CtOption::new(c, ::subtle::Choice::from(1))
                    }
                }
            }