Add a dedicated crate for testing ff/group implementors

Provides extensive testing for dalek-ff-group and ed448. Also includes a fix for an observed bug in ed448.
2025-12-08 12:19:24 +00:00 · 2022-12-24 15:09:09 -05:00
parent 6e518f5c22
commit 445bb3786e
18 changed files with 701 additions and 336 deletions
--- a/crypto/dalek-ff-group/Cargo.toml
+++ b/crypto/dalek-ff-group/Cargo.toml
@@ -24,3 +24,6 @@ group = "0.12"

 crypto-bigint = "0.4"
 curve25519-dalek =  "3.2"
+
+[dev-dependencies]
+ff-group-tests = { path = "../ff-group-tests" }
--- a/crypto/dalek-ff-group/src/field.rs
+++ b/crypto/dalek-ff-group/src/field.rs
@@ -99,30 +99,6 @@ impl Field for FieldElement {
    let candidate = Self::conditional_select(&tv2, &tv1, tv1.square().ct_eq(self));
    CtOption::new(candidate, candidate.square().ct_eq(self))
  }
-
-  fn is_zero(&self) -> Choice {
-    self.0.ct_eq(&U256::ZERO)
-  }
-
-  fn cube(&self) -> Self {
-    self.square() * self
-  }
-
-  fn pow_vartime<S: AsRef<[u64]>>(&self, exp: S) -> Self {
-    let mut sum = Self::one();
-    let mut accum = *self;
-    for (_, num) in exp.as_ref().iter().enumerate() {
-      let mut num = *num;
-      for _ in 0 .. 64 {
-        if (num & 1) == 1 {
-          sum *= accum;
-        }
-        num >>= 1;
-        accum *= accum;
-      }
-    }
-    sum
-  }
 }

 impl PrimeField for FieldElement {
@@ -218,160 +194,6 @@ impl FieldElement {
 }

 #[test]
-fn test_s() {
-  // "This is the number of leading zero bits in the little-endian bit representation of
-  // `modulus - 1`."
-  let mut s = 0;
-  for b in (FieldElement::zero() - FieldElement::one()).to_le_bits() {
-    if b {
-      break;
-    }
-    s += 1;
-  }
-  assert_eq!(s, FieldElement::S);
-}
-
-#[test]
-fn test_root_of_unity() {
-  // "It can be calculated by exponentiating `Self::multiplicative_generator` by `t`, where
-  // `t = (modulus - 1) >> Self::S`."
-  let t = FieldElement::zero() - FieldElement::one();
-  let mut bytes = t.to_repr();
-  for _ in 0 .. FieldElement::S {
-    bytes[0] >>= 1;
-    for b in 1 .. 32 {
-      // Shift the dropped but down a byte
-      bytes[b - 1] |= (bytes[b] & 1) << 7;
-      // Shift the byte
-      bytes[b] >>= 1;
-    }
-  }
-  let t = FieldElement::from_repr(bytes).unwrap();
-
-  assert_eq!(FieldElement::multiplicative_generator().pow(t), FieldElement::root_of_unity());
-  assert_eq!(
-    FieldElement::root_of_unity()
-      .pow(FieldElement::from(2u64).pow(FieldElement::from(FieldElement::S))),
-    FieldElement::one()
-  );
-}
-
-#[test]
-fn test_conditional_negate() {
-  let one = FieldElement::one();
-  let true_choice = 1.into();
-  let false_choice = 0.into();
-
-  let mut var = one;
-
-  var.conditional_negate(false_choice);
-  assert_eq!(var, FieldElement::one());
-
-  var.conditional_negate(true_choice);
-  assert_eq!(var, -FieldElement::one());
-
-  var.conditional_negate(false_choice);
-  assert_eq!(var, -FieldElement::one());
-}
-
-#[test]
-fn test_edwards_d() {
-  // TODO: Generate the constant with this when const fn mul_mod is available, removing the need
-  // for this test
-  let a = -FieldElement::from(121665u32);
-  let b = FieldElement::from(121666u32);
-  assert_eq!(EDWARDS_D, a * b.invert().unwrap());
-}
-
-#[test]
-fn test_sqrt_m1() {
-  // TODO: Ideally, tlike EDWARDS_D, this would be calculated undder const. A const pow is just
-  // even more unlikely than a const mul...
-  let sqrt_m1 = MODULUS.saturating_sub(&U256::from_u8(1)).wrapping_div(&U256::from_u8(4));
-  let sqrt_m1 =
-    FieldElement::one().double().pow(FieldElement::from_repr(sqrt_m1.to_le_bytes()).unwrap());
-  assert_eq!(SQRT_M1, sqrt_m1);
-}
-
-#[test]
-fn test_is_odd() {
-  assert_eq!(0, FieldElement::zero().is_odd().unwrap_u8());
-  assert_eq!(1, FieldElement::one().is_odd().unwrap_u8());
-  assert_eq!(0, FieldElement::one().double().is_odd().unwrap_u8());
-
-  // 0 is even, yet the modulus is odd
-  // -1 moves to the even value before the modulus
-  assert_eq!(0, (-FieldElement::one()).is_odd().unwrap_u8());
-  assert_eq!(1, (-FieldElement::one().double()).is_odd().unwrap_u8());
-}
-
-#[test]
-fn test_mul() {
-  assert_eq!(FieldElement(MODULUS) * FieldElement::one(), FieldElement::zero());
-  assert_eq!(FieldElement(MODULUS) * FieldElement::one().double(), FieldElement::zero());
-  assert_eq!(SQRT_M1.square(), -FieldElement::one());
-}
-
-#[test]
-fn test_sqrt() {
-  assert_eq!(FieldElement::zero().sqrt().unwrap(), FieldElement::zero());
-  assert_eq!(FieldElement::one().sqrt().unwrap(), FieldElement::one());
-  for _ in 0 .. 10 {
-    let mut elem;
-    while {
-      elem = FieldElement::random(&mut rand_core::OsRng);
-      elem.sqrt().is_none().into()
-    } {}
-    assert_eq!(elem.sqrt().unwrap().square(), elem);
-  }
-}
-
-#[test]
-fn test_pow() {
-  let base = FieldElement::from(0b11100101u64);
-  assert_eq!(base.pow(FieldElement::zero()), FieldElement::one());
-  assert_eq!(base.pow_vartime(&[]), FieldElement::one());
-  assert_eq!(base.pow_vartime(&[0]), FieldElement::one());
-  assert_eq!(base.pow_vartime(&[0, 0]), FieldElement::one());
-
-  assert_eq!(base.pow(FieldElement::one()), base);
-  assert_eq!(base.pow_vartime(&[1]), base);
-  assert_eq!(base.pow_vartime(&[1, 0]), base);
-
-  let one_65 = FieldElement::from(u64::MAX) + FieldElement::one();
-  assert_eq!(base.pow_vartime(&[0, 1]), base.pow(one_65));
-  assert_eq!(base.pow_vartime(&[1, 1]), base.pow(one_65 + FieldElement::one()));
-}
-
-#[test]
-fn test_sqrt_ratio_i() {
-  let zero = FieldElement::zero();
-  let one = FieldElement::one();
-  let two = one + one;
-  let three = two + one;
-
-  let (choice, sqrt) = FieldElement::sqrt_ratio_i(zero, zero);
-  assert_eq!(sqrt, zero);
-  assert_eq!(sqrt.is_odd().unwrap_u8(), 0);
-  assert_eq!(choice.unwrap_u8(), 1);
-
-  let (choice, sqrt) = FieldElement::sqrt_ratio_i(one, zero);
-  assert_eq!(sqrt, zero);
-  assert_eq!(sqrt.is_odd().unwrap_u8(), 0);
-  assert_eq!(choice.unwrap_u8(), 0);
-
-  let (choice, sqrt) = FieldElement::sqrt_ratio_i(two, one);
-  assert_eq!(sqrt.square(), two * SQRT_M1);
-  assert_eq!(sqrt.is_odd().unwrap_u8(), 0);
-  assert_eq!(choice.unwrap_u8(), 0);
-
-  let (choice, sqrt) = FieldElement::sqrt_ratio_i(three, one);
-  assert_eq!(sqrt.square(), three);
-  assert_eq!(sqrt.is_odd().unwrap_u8(), 0);
-  assert_eq!(choice.unwrap_u8(), 1);
-
-  let (choice, sqrt) = FieldElement::sqrt_ratio_i(one, three);
-  assert_eq!(sqrt.square() * three, one);
-  assert_eq!(sqrt.is_odd().unwrap_u8(), 0);
-  assert_eq!(choice.unwrap_u8(), 1);
+fn test_field() {
+  ff_group_tests::prime_field::test_prime_field_bits::<FieldElement>();
 }
--- a/crypto/dalek-ff-group/src/lib.rs
+++ b/crypto/dalek-ff-group/src/lib.rs
@@ -1,3 +1,4 @@
+#![cfg_attr(docsrs, feature(doc_auto_cfg))]
 #![no_std]

 use core::{
@@ -256,27 +257,6 @@ impl Field for Scalar {
    let candidate = Self::conditional_select(&tv2, &tv1, tv1.square().ct_eq(self));
    CtOption::new(candidate, candidate.square().ct_eq(self))
  }
-  fn is_zero(&self) -> Choice {
-    self.0.ct_eq(&DScalar::zero())
-  }
-  fn cube(&self) -> Self {
-    *self * self * self
-  }
-  fn pow_vartime<S: AsRef<[u64]>>(&self, exp: S) -> Self {
-    let mut sum = Self::one();
-    let mut accum = *self;
-    for (_, num) in exp.as_ref().iter().enumerate() {
-      let mut num = *num;
-      for _ in 0 .. 64 {
-        if (num & 1) == 1 {
-          sum *= accum;
-        }
-        num >>= 1;
-        accum *= accum;
-      }
-    }
-    sum
-  }
 }

 impl PrimeField for Scalar {
@@ -454,70 +434,11 @@ dalek_group!(
 );

 #[test]
-fn test_s() {
-  // "This is the number of leading zero bits in the little-endian bit representation of
-  // `modulus - 1`."
-  let mut s = 0;
-  for b in (Scalar::zero() - Scalar::one()).to_le_bits() {
-    if b {
-      break;
-    }
-    s += 1;
-  }
-  assert_eq!(s, Scalar::S);
+fn test_ed25519_group() {
+  ff_group_tests::group::test_prime_group_bits::<EdwardsPoint>();
 }

 #[test]
-fn test_root_of_unity() {
-  // "It can be calculated by exponentiating `Self::multiplicative_generator` by `t`, where
-  // `t = (modulus - 1) >> Self::S`."
-  let t = Scalar::zero() - Scalar::one();
-  let mut bytes = t.to_repr();
-  for _ in 0 .. Scalar::S {
-    bytes[0] >>= 1;
-    for b in 1 .. 32 {
-      // Shift the dropped but down a byte
-      bytes[b - 1] |= (bytes[b] & 1) << 7;
-      // Shift the byte
-      bytes[b] >>= 1;
-    }
-  }
-  let t = Scalar::from_repr(bytes).unwrap();
-
-  assert_eq!(Scalar::multiplicative_generator().pow(t), Scalar::root_of_unity());
-  assert_eq!(
-    Scalar::root_of_unity().pow(Scalar::from(2u64).pow(Scalar::from(Scalar::S))),
-    Scalar::one()
-  );
-}
-
-#[test]
-fn test_sqrt() {
-  assert_eq!(Scalar::zero().sqrt().unwrap(), Scalar::zero());
-  assert_eq!(Scalar::one().sqrt().unwrap(), Scalar::one());
-  for _ in 0 .. 10 {
-    let mut elem;
-    while {
-      elem = Scalar::random(&mut rand_core::OsRng);
-      elem.sqrt().is_none().into()
-    } {}
-    assert_eq!(elem.sqrt().unwrap().square(), elem);
-  }
-}
-
-#[test]
-fn test_pow() {
-  let base = Scalar::from(0b11100101u64);
-  assert_eq!(base.pow(Scalar::zero()), Scalar::one());
-  assert_eq!(base.pow_vartime(&[]), Scalar::one());
-  assert_eq!(base.pow_vartime(&[0]), Scalar::one());
-  assert_eq!(base.pow_vartime(&[0, 0]), Scalar::one());
-
-  assert_eq!(base.pow(Scalar::one()), base);
-  assert_eq!(base.pow_vartime(&[1]), base);
-  assert_eq!(base.pow_vartime(&[1, 0]), base);
-
-  let one_65 = Scalar::from(u64::MAX) + Scalar::one();
-  assert_eq!(base.pow_vartime(&[0, 1]), base.pow(one_65));
-  assert_eq!(base.pow_vartime(&[1, 1]), base.pow(one_65 + Scalar::one()));
+fn test_ristretto_group() {
+  ff_group_tests::group::test_prime_group_bits::<RistrettoPoint>();
 }