Minimize use of lazy_static in ed448

Increases usage of const values along with overall Field impl sanity with regards to the crypto_bigint backend.
2025-12-08 20:29:23 +00:00 · 2022-08-31 03:33:19 -04:00
parent a59bbe7635
commit 73566e756d
6 changed files with 100 additions and 112 deletions
--- a/crypto/ed448/src/backend.rs
+++ b/crypto/ed448/src/backend.rs
@@ -6,10 +6,10 @@ macro_rules! field {

    use rand_core::RngCore;

-    use subtle::{Choice, CtOption, ConstantTimeEq, ConditionallySelectable};
+    use subtle::{Choice, CtOption, ConstantTimeEq, ConstantTimeLess, ConditionallySelectable};

    use generic_array::{typenum::U57, GenericArray};
-    use crypto_bigint::Encoding;
+    use crypto_bigint::{Integer, Encoding};

    use ff::{Field, PrimeField, FieldBits, PrimeFieldBits};

@@ -38,7 +38,7 @@ macro_rules! field {
    impl Neg for $FieldName {
      type Output = $FieldName;
      fn neg(self) -> $FieldName {
-        *$MODULUS - self
+        $MODULUS - self
      }
    }

@@ -49,21 +49,15 @@ macro_rules! field {
      }
    }

-    lazy_static! {
-      pub(crate) static ref ZERO: $FieldName = $FieldName(U512::ZERO);
-      pub(crate) static ref ONE: $FieldName = $FieldName(U512::ONE);
-      pub(crate) static ref TWO: $FieldName = $FieldName(U512::ONE.saturating_add(&U512::ONE));
-    }
-
    impl $FieldName {
      pub fn pow(&self, other: $FieldName) -> $FieldName {
-        let mut table = [*ONE; 16];
+        let mut table = [Self(U512::ONE); 16];
        table[1] = *self;
        for i in 2 .. 16 {
          table[i] = table[i - 1] * self;
        }

-        let mut res = *ONE;
+        let mut res = Self(U512::ONE);
        let mut bits = 0;
        for (i, bit) in other.to_le_bits().iter().rev().enumerate() {
          bits <<= 1;
@@ -93,20 +87,21 @@ macro_rules! field {
      }

      fn zero() -> Self {
-        *ZERO
+        Self(U512::ZERO)
      }
      fn one() -> Self {
-        *ONE
+        Self(U512::ONE)
      }
      fn square(&self) -> Self {
        *self * self
      }
      fn double(&self) -> Self {
-        *self + self
+        $FieldName((self.0 << 1).reduce(&$MODULUS.0).unwrap())
      }

      fn invert(&self) -> CtOption<Self> {
-        CtOption::new(self.pow(-*TWO), !self.is_zero())
+        const NEG_2: $FieldName = Self($MODULUS.0.saturating_sub(&U512::from_u8(2)));
+        CtOption::new(self.pow(NEG_2), !self.is_zero())
      }

      fn sqrt(&self) -> CtOption<Self> {
@@ -114,10 +109,10 @@ macro_rules! field {
      }

      fn is_zero(&self) -> Choice {
-        self.ct_eq(&ZERO)
+        self.0.ct_eq(&U512::ZERO)
      }
      fn cube(&self) -> Self {
-        *self * self * self
+        self.square() * self
      }
      fn pow_vartime<S: AsRef<[u64]>>(&self, _exp: S) -> Self {
        unimplemented!()
@@ -130,7 +125,7 @@ macro_rules! field {
      const CAPACITY: u32 = $NUM_BITS - 1;
      fn from_repr(bytes: Self::Repr) -> CtOption<Self> {
        let res = $FieldName(U512::from_le_slice(&[bytes.as_ref(), [0; 7].as_ref()].concat()));
-        CtOption::new(res, res.0.add_mod(&U512::ZERO, &$MODULUS.0).ct_eq(&res.0))
+        CtOption::new(res, res.0.ct_lt(&$MODULUS.0))
      }
      fn to_repr(&self) -> Self::Repr {
        let mut repr = GenericArray::<u8, U57>::default();
@@ -141,7 +136,7 @@ macro_rules! field {
      // True for both the Ed448 Scalar field and FieldElement field
      const S: u32 = 1;
      fn is_odd(&self) -> Choice {
-        (self.to_repr()[0] & 1).into()
+        self.0.is_odd()
      }
      fn multiplicative_generator() -> Self {
        unimplemented!()
--- a/crypto/ed448/src/field.rs
+++ b/crypto/ed448/src/field.rs
@@ -1,10 +1,6 @@
-use core::ops::Div;
-
-use lazy_static::lazy_static;
-
 use zeroize::Zeroize;

-use crypto_bigint::{NonZero, U512, U1024};
+use crypto_bigint::{U512, U1024};

 use crate::field;

@@ -12,28 +8,27 @@ use crate::field;
 pub struct FieldElement(pub(crate) U512);

 // 2**448 - 2**224 - 1
-lazy_static! {
-  pub static ref MODULUS: FieldElement = FieldElement(U512::from_be_hex(concat!(
-    "00000000000000",
-    "00",
-    "fffffffffffffffffffffffffffffffffffffffffffffffffffffffe",
-    "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
-  )));
-  static ref WIDE_MODULUS: U1024 = {
-    let res = U1024::from((U512::ZERO, MODULUS.0));
-    debug_assert_eq!(MODULUS.0.to_le_bytes()[..], res.to_le_bytes()[.. 64]);
-    res
-  };
-}
+pub const MODULUS: FieldElement = FieldElement(U512::from_be_hex(concat!(
+  "00000000000000",
+  "00",
+  "fffffffffffffffffffffffffffffffffffffffffffffffffffffffe",
+  "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+)));
+
+const WIDE_MODULUS: U1024 = U1024::from_be_hex(concat!(
+  "0000000000000000000000000000000000000000000000000000000000000000",
+  "0000000000000000000000000000000000000000000000000000000000000000",
+  "00000000000000",
+  "00",
+  "fffffffffffffffffffffffffffffffffffffffffffffffffffffffe",
+  "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+));
+
+pub(crate) const Q_4: FieldElement =
+  FieldElement(MODULUS.0.saturating_add(&U512::ONE).wrapping_div(&U512::from_u8(4)));

 field!(FieldElement, MODULUS, WIDE_MODULUS, 448);

-lazy_static! {
-  pub(crate) static ref Q_4: FieldElement = FieldElement(
-    MODULUS.0.saturating_add(&U512::ONE).div(NonZero::new(TWO.0.saturating_add(&TWO.0)).unwrap())
-  );
-}
-
 #[test]
 fn repr() {
  assert_eq!(FieldElement::from_repr(FieldElement::one().to_repr()).unwrap(), FieldElement::one());
--- a/crypto/ed448/src/point.rs
+++ b/crypto/ed448/src/point.rs
@@ -10,25 +10,32 @@ use rand_core::RngCore;
 use zeroize::Zeroize;
 use subtle::{Choice, CtOption, ConstantTimeEq, ConditionallySelectable, ConditionallyNegatable};

+use crypto_bigint::U512;
+
 use ff::{Field, PrimeField, PrimeFieldBits};
 use group::{Group, GroupEncoding, prime::PrimeGroup};

 use crate::{
  scalar::{Scalar, MODULUS as SCALAR_MODULUS},
-  field::{FieldElement, Q_4},
+  field::{FieldElement, MODULUS as FIELD_MODULUS, Q_4},
 };

-lazy_static! {
-  static ref D: FieldElement = -FieldElement::from(39081u16);
-}
+const D: FieldElement = FieldElement(FIELD_MODULUS.0.saturating_sub(&U512::from_u16(39081)));
+
+const G_Y: FieldElement = FieldElement(U512::from_be_hex(concat!(
+  "00000000000000",
+  "00",
+  "693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e",
+  "05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14",
+)));

 fn recover_x(y: FieldElement) -> CtOption<FieldElement> {
  let ysq = y.square();
  #[allow(non_snake_case)]
-  let D_ysq = *D * ysq;
+  let D_ysq = D * ysq;
  (D_ysq - FieldElement::one()).invert().and_then(|inverted| {
    let temp = (ysq - FieldElement::one()) * inverted;
-    let mut x = temp.pow(*Q_4);
+    let mut x = temp.pow(Q_4);
    x.conditional_negate(x.is_odd());

    let xsq = x.square();
@@ -43,17 +50,8 @@ pub struct Point {
  z: FieldElement,
 }

-#[rustfmt::skip]
 lazy_static! {
-  static ref G_Y: FieldElement = FieldElement::from_repr(
-    hex_literal::hex!(
-      "14fa30f25b790898adc8d74e2c13bdfdc4397ce61cffd33ad7c2a0051e9c78874098a36c7373ea4b62c7c9563720768824bcb66e71463f6900"
-    )
-    .into()
-  )
-  .unwrap();
-
-  static ref G: Point = Point { x: recover_x(*G_Y).unwrap(), y: *G_Y, z: FieldElement::one() };
+  static ref G: Point = Point { x: recover_x(G_Y).unwrap(), y: G_Y, z: FieldElement::one() };
 }

 impl ConstantTimeEq for Point {
@@ -96,7 +94,7 @@ impl Add for Point {
    #[allow(non_snake_case)]
    let B = zcp.square();
    #[allow(non_snake_case)]
-    let E = *D * xcp * ycp;
+    let E = D * xcp * ycp;
    #[allow(non_snake_case)]
    let F = B - E;
    #[allow(non_snake_case)]
@@ -268,7 +266,7 @@ impl MulAssign<&Scalar> for Point {

 impl Point {
  pub fn is_torsion_free(&self) -> Choice {
-    (*self * *SCALAR_MODULUS).is_identity()
+    (*self * SCALAR_MODULUS).is_identity()
  }
 }

--- a/crypto/ed448/src/scalar.rs
+++ b/crypto/ed448/src/scalar.rs
@@ -1,5 +1,3 @@
-use lazy_static::lazy_static;
-
 use zeroize::Zeroize;

 use crypto_bigint::{U512, U1024};
@@ -10,19 +8,21 @@ pub use crate::field;
 pub struct Scalar(pub(crate) U512);

 // 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885
-lazy_static! {
-  pub static ref MODULUS: Scalar = Scalar(U512::from_be_hex(concat!(
-    "00000000000000",
-    "00",
-    "3fffffffffffffffffffffffffffffffffffffffffffffffffffffff",
-    "7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3",
-  )));
-  static ref WIDE_MODULUS: U1024 = {
-    let res = U1024::from((U512::ZERO, MODULUS.0));
-    debug_assert_eq!(MODULUS.0.to_le_bytes()[..], res.to_le_bytes()[.. 64]);
-    res
-  };
-}
+pub const MODULUS: Scalar = Scalar(U512::from_be_hex(concat!(
+  "00000000000000",
+  "00",
+  "3fffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+  "7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3",
+)));
+
+const WIDE_MODULUS: U1024 = U1024::from_be_hex(concat!(
+  "0000000000000000000000000000000000000000000000000000000000000000",
+  "0000000000000000000000000000000000000000000000000000000000000000",
+  "00000000000000",
+  "00",
+  "3fffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+  "7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3",
+));

 field!(Scalar, MODULUS, WIDE_MODULUS, 446);