Minimize use of lazy_static in ed448

Increases usage of const values along with overall Field impl sanity with regards to the crypto_bigint backend.
2025-12-08 12:19:24 +00:00 · 2022-08-31 03:33:19 -04:00
parent a59bbe7635
commit 73566e756d
6 changed files with 100 additions and 112 deletions
--- a/crypto/dalek-ff-group/src/field.rs
+++ b/crypto/dalek-ff-group/src/field.rs
@@ -2,9 +2,12 @@ use core::ops::{Add, AddAssign, Sub, SubAssign, Neg, Mul, MulAssign};

 use rand_core::RngCore;

-use subtle::{Choice, CtOption, ConstantTimeEq, ConditionallyNegatable, ConditionallySelectable};
+use subtle::{
+  Choice, CtOption, ConstantTimeEq, ConstantTimeLess, ConditionallyNegatable,
+  ConditionallySelectable,
+};

-use crypto_bigint::{Encoding, U256, U512};
+use crypto_bigint::{Integer, Encoding, U256, U512};

 use ff::{Field, PrimeField, FieldBits, PrimeFieldBits};

@@ -13,9 +16,19 @@ use crate::{constant_time, math, from_uint};
 const FIELD_MODULUS: U256 =
  U256::from_be_hex("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed");

+const WIDE_MODULUS: U512 = U512::from_be_hex(concat!(
+  "0000000000000000000000000000000000000000000000000000000000000000",
+  "7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed"
+));
+
 #[derive(Clone, Copy, PartialEq, Eq, Default, Debug)]
 pub struct FieldElement(U256);

+pub const MOD_3_8: FieldElement =
+  FieldElement(FIELD_MODULUS.saturating_add(&U256::from_u8(3)).wrapping_div(&U256::from_u8(8)));
+
+pub const MOD_5_8: FieldElement = FieldElement(MOD_3_8.0.saturating_sub(&U256::ONE));
+
 pub const EDWARDS_D: FieldElement = FieldElement(U256::from_be_hex(
  "52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3",
 ));
@@ -24,6 +37,10 @@ pub const SQRT_M1: FieldElement = FieldElement(U256::from_be_hex(
  "2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0",
 ));

+fn reduce(x: U512) -> U256 {
+  U256::from_le_slice(&x.reduce(&WIDE_MODULUS).unwrap().to_le_bytes()[.. 32])
+}
+
 constant_time!(FieldElement, U256);
 math!(
  FieldElement,
@@ -31,14 +48,8 @@ math!(
  |x, y| U256::add_mod(&x, &y, &FIELD_MODULUS),
  |x, y| U256::sub_mod(&x, &y, &FIELD_MODULUS),
  |x, y| {
-    #[allow(non_snake_case)]
-    let WIDE_MODULUS: U512 = U512::from((U256::ZERO, FIELD_MODULUS));
-    debug_assert_eq!(FIELD_MODULUS.to_le_bytes()[..], WIDE_MODULUS.to_le_bytes()[.. 32]);
-
    let wide = U256::mul_wide(&x, &y);
-    U256::from_le_slice(
-      &U512::from((wide.1, wide.0)).reduce(&WIDE_MODULUS).unwrap().to_le_bytes()[.. 32],
-    )
+    reduce(U512::from((wide.1, wide.0)))
  }
 );
 from_uint!(FieldElement, U256);
@@ -61,14 +72,7 @@ impl Field for FieldElement {
  fn random(mut rng: impl RngCore) -> Self {
    let mut bytes = [0; 64];
    rng.fill_bytes(&mut bytes);
-
-    #[allow(non_snake_case)]
-    let WIDE_MODULUS: U512 = U512::from((U256::ZERO, FIELD_MODULUS));
-    debug_assert_eq!(FIELD_MODULUS.to_le_bytes()[..], WIDE_MODULUS.to_le_bytes()[.. 32]);
-
-    FieldElement(U256::from_le_slice(
-      &U512::from_be_bytes(bytes).reduce(&WIDE_MODULUS).unwrap().to_le_bytes()[.. 32],
-    ))
+    FieldElement(reduce(U512::from_le_bytes(bytes)))
  }

  fn zero() -> Self {
@@ -78,24 +82,20 @@ impl Field for FieldElement {
    Self(U256::ONE)
  }
  fn square(&self) -> Self {
-    *self * self
+    FieldElement(reduce(self.0.square()))
  }
  fn double(&self) -> Self {
-    *self + self
+    FieldElement((self.0 << 1).reduce(&FIELD_MODULUS).unwrap())
  }

  fn invert(&self) -> CtOption<Self> {
-    CtOption::new(self.pow(-FieldElement(U256::from(2u64))), !self.is_zero())
+    const NEG_2: FieldElement = FieldElement(FIELD_MODULUS.saturating_sub(&U256::from_u8(2)));
+    CtOption::new(self.pow(NEG_2), !self.is_zero())
  }

  fn sqrt(&self) -> CtOption<Self> {
-    let c1 = SQRT_M1;
-    let c2 = FIELD_MODULUS.saturating_add(&U256::from(3u8)).checked_div(&U256::from(8u8)).unwrap();
-
-    let tv1 = self.pow(FieldElement(c2));
-    let tv2 = tv1 * c1;
-    let res = Self::conditional_select(&tv2, &tv1, tv1.square().ct_eq(self));
-    debug_assert_eq!(res * res, *self);
+    let tv1 = self.pow(MOD_3_8);
+    let tv2 = tv1 * SQRT_M1;
    CtOption::new(Self::conditional_select(&tv2, &tv1, tv1.square().ct_eq(self)), 1.into())
  }

@@ -103,7 +103,7 @@ impl Field for FieldElement {
    self.0.ct_eq(&U256::ZERO)
  }
  fn cube(&self) -> Self {
-    *self * self * self
+    self.square() * self
  }
  fn pow_vartime<S: AsRef<[u64]>>(&self, _exp: S) -> Self {
    unimplemented!()
@@ -116,7 +116,7 @@ impl PrimeField for FieldElement {
  const CAPACITY: u32 = 254;
  fn from_repr(bytes: [u8; 32]) -> CtOption<Self> {
    let res = Self(U256::from_le_bytes(bytes));
-    CtOption::new(res, res.0.add_mod(&U256::ZERO, &FIELD_MODULUS).ct_eq(&res.0))
+    CtOption::new(res, res.0.ct_lt(&FIELD_MODULUS))
  }
  fn to_repr(&self) -> [u8; 32] {
    self.0.to_le_bytes()
@@ -124,7 +124,7 @@ impl PrimeField for FieldElement {

  const S: u32 = 2;
  fn is_odd(&self) -> Choice {
-    (self.to_repr()[0] & 1).into()
+    self.0.is_odd()
  }
  fn multiplicative_generator() -> Self {
    2u64.into()
@@ -187,8 +187,7 @@ impl FieldElement {

    let v3 = v.square() * v;
    let v7 = v3.square() * v;
-    let mut r = (u * v3) *
-      (u * v7).pow((-FieldElement::from(5u8)) * FieldElement::from(8u8).invert().unwrap());
+    let mut r = (u * v3) * (u * v7).pow(MOD_5_8);

    let check = v * r.square();
    let correct_sign = check.ct_eq(&u);
@@ -224,9 +223,10 @@ fn test_conditional_negate() {

 #[test]
 fn test_edwards_d() {
-  let a = -FieldElement(U256::from_u32(121665));
-  let b = FieldElement(U256::from_u32(121666));
-
+  // TODO: Generate the constant with this when const fn mul_mod is available, removing the need
+  // for this test
+  let a = -FieldElement::from(121665u32);
+  let b = FieldElement::from(121666u32);
  assert_eq!(EDWARDS_D, a * b.invert().unwrap());
 }