ff 0.13 (#269)

* Partial move to ff 0.13 It turns out the newly released k256 0.12 isn't on ff 0.13, preventing further work at this time. * Update all crates to work on ff 0.13 The provided curves still need to be expanded to fit the new API. * Finish adding dalek-ff-group ff 0.13 constants * Correct FieldElement::product definition Also stops exporting macros. * Test most new parts of ff 0.13 * Additionally test ff-group-tests with BLS12-381 and the pasta curves We only tested curves from RustCrypto. Now we test a curve offered by zk-crypto, the group behind ff/group, and the pasta curves, which is by Zcash (though Zcash developers are also behind zk-crypto). * Finish Ed448 Fully specifies all constants, passes all tests in ff-group-tests, and finishes moving to ff-0.13. * Add RustCrypto/elliptic-curves to allowed git repos Needed due to k256/p256 incorrectly defining product. * Finish writing ff 0.13 tests * Add additional comments to dalek * Further comments * Update ethereum-serai to ff 0.13
2025-12-09 04:39:24 +00:00 · 2023-03-28 04:38:01 -04:00
parent a9f6300e86
commit 79aff5d4c8
59 changed files with 865 additions and 429 deletions
--- a/crypto/dalek-ff-group/src/field.rs
+++ b/crypto/dalek-ff-group/src/field.rs
@@ -1,4 +1,7 @@
-use core::ops::{DerefMut, Add, AddAssign, Sub, SubAssign, Neg, Mul, MulAssign};
+use core::{
+  ops::{DerefMut, Add, AddAssign, Sub, SubAssign, Neg, Mul, MulAssign},
+  iter::{Sum, Product},
+};

 use zeroize::Zeroize;
 use rand_core::RngCore;
@@ -12,7 +15,7 @@ use crypto_bigint::{Integer, NonZero, Encoding, U256, U512};

 use group::ff::{Field, PrimeField, FieldBits, PrimeFieldBits};

-use crate::{u8_from_bool, constant_time, math, from_uint};
+use crate::{u8_from_bool, constant_time, math_op, math, from_wrapper, from_uint};

 // 2^255 - 19
 // Uses saturating_sub because checked_sub isn't available at compile time
@@ -107,18 +110,15 @@ impl<'a> Neg for &'a FieldElement {
 }

 impl Field for FieldElement {
+  const ZERO: Self = Self(U256::ZERO);
+  const ONE: Self = Self(U256::ONE);
+
  fn random(mut rng: impl RngCore) -> Self {
    let mut bytes = [0; 64];
    rng.fill_bytes(&mut bytes);
    FieldElement(reduce(U512::from_le_bytes(bytes)))
  }

-  fn zero() -> Self {
-    Self(U256::ZERO)
-  }
-  fn one() -> Self {
-    Self(U256::ONE)
-  }
  fn square(&self) -> Self {
    FieldElement(reduce(self.0.square()))
  }
@@ -138,12 +138,68 @@ impl Field for FieldElement {
    let candidate = Self::conditional_select(&tv2, &tv1, tv1.square().ct_eq(self));
    CtOption::new(candidate, candidate.square().ct_eq(self))
  }
+
+  fn sqrt_ratio(u: &FieldElement, v: &FieldElement) -> (Choice, FieldElement) {
+    let i = SQRT_M1;
+
+    let u = *u;
+    let v = *v;
+
+    let v3 = v.square() * v;
+    let v7 = v3.square() * v;
+    let mut r = (u * v3) * (u * v7).pow(MOD_5_8);
+
+    let check = v * r.square();
+    let correct_sign = check.ct_eq(&u);
+    let flipped_sign = check.ct_eq(&(-u));
+    let flipped_sign_i = check.ct_eq(&((-u) * i));
+
+    r.conditional_assign(&(r * i), flipped_sign | flipped_sign_i);
+
+    let r_is_negative = r.is_odd();
+    r.conditional_negate(r_is_negative);
+
+    (correct_sign | flipped_sign, r)
+  }
 }

 impl PrimeField for FieldElement {
  type Repr = [u8; 32];
+
+  // Big endian representation of the modulus
+  const MODULUS: &'static str = "7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed";
+
  const NUM_BITS: u32 = 255;
  const CAPACITY: u32 = 254;
+
+  // 2.invert()
+  const TWO_INV: Self = FieldElement(U256::from_be_hex(
+    "3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7",
+  ));
+
+  // This was calculated with the method from the ff crate docs
+  // SageMath GF(modulus).primitive_element()
+  const MULTIPLICATIVE_GENERATOR: Self = Self(U256::from_u8(2));
+  // This was set per the specification in the ff crate docs
+  // The number of leading zero bits in the little-endian bit representation of (modulus - 1)
+  const S: u32 = 2;
+
+  // This was calculated via the formula from the ff crate docs
+  // Self::MULTIPLICATIVE_GENERATOR ** ((modulus - 1) >> Self::S)
+  const ROOT_OF_UNITY: Self = FieldElement(U256::from_be_hex(
+    "2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0",
+  ));
+  // Self::ROOT_OF_UNITY.invert()
+  const ROOT_OF_UNITY_INV: Self = FieldElement(U256::from_be_hex(
+    "547cdb7fb03e20f4d4b2ff66c2042858d0bce7f952d01b873b11e4d8b5f15f3d",
+  ));
+
+  // This was calculated via the formula from the ff crate docs
+  // Self::MULTIPLICATIVE_GENERATOR ** (2 ** Self::S)
+  const DELTA: Self = FieldElement(U256::from_be_hex(
+    "0000000000000000000000000000000000000000000000000000000000000010",
+  ));
+
  fn from_repr(bytes: [u8; 32]) -> CtOption<Self> {
    let res = Self(U256::from_le_bytes(bytes));
    CtOption::new(res, res.0.ct_lt(&MODULUS))
@@ -152,23 +208,12 @@ impl PrimeField for FieldElement {
    self.0.to_le_bytes()
  }

-  // This was set per the specification in the ff crate docs
-  // The number of leading zero bits in the little-endian bit representation of (modulus - 1)
-  const S: u32 = 2;
  fn is_odd(&self) -> Choice {
    self.0.is_odd()
  }
-  fn multiplicative_generator() -> Self {
-    // This was calculated with the method from the ff crate docs
-    // SageMath GF(modulus).primitive_element()
-    2u64.into()
-  }
-  fn root_of_unity() -> Self {
-    // This was calculated via the formula from the ff crate docs
-    // Self::multiplicative_generator() ** ((modulus - 1) >> Self::S)
-    FieldElement(U256::from_be_hex(
-      "2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0",
-    ))
+
+  fn from_u128(num: u128) -> Self {
+    Self::from(num)
  }
 }

@@ -193,13 +238,13 @@ impl FieldElement {

  /// Perform an exponentation.
  pub fn pow(&self, other: FieldElement) -> FieldElement {
-    let mut table = [FieldElement::one(); 16];
+    let mut table = [FieldElement::ONE; 16];
    table[1] = *self;
    for i in 2 .. 16 {
      table[i] = table[i - 1] * self;
    }

-    let mut res = FieldElement::one();
+    let mut res = FieldElement::ONE;
    let mut bits = 0;
    for (i, mut bit) in other.to_le_bits().iter_mut().rev().enumerate() {
      bits <<= 1;
@@ -257,6 +302,38 @@ impl FieldElement {
  }
 }

+impl Sum<FieldElement> for FieldElement {
+  fn sum<I: Iterator<Item = FieldElement>>(iter: I) -> FieldElement {
+    let mut res = FieldElement::ZERO;
+    for item in iter {
+      res += item;
+    }
+    res
+  }
+}
+
+impl<'a> Sum<&'a FieldElement> for FieldElement {
+  fn sum<I: Iterator<Item = &'a FieldElement>>(iter: I) -> FieldElement {
+    iter.cloned().sum()
+  }
+}
+
+impl Product<FieldElement> for FieldElement {
+  fn product<I: Iterator<Item = FieldElement>>(iter: I) -> FieldElement {
+    let mut res = FieldElement::ONE;
+    for item in iter {
+      res *= item;
+    }
+    res
+  }
+}
+
+impl<'a> Product<&'a FieldElement> for FieldElement {
+  fn product<I: Iterator<Item = &'a FieldElement>>(iter: I) -> FieldElement {
+    iter.cloned().product()
+  }
+}
+
 #[test]
 fn test_wide_modulus() {
  let mut wide = [0; 64];
@@ -275,9 +352,8 @@ fn test_sqrt_m1() {
  // 2 ** ((MODULUS - 1) // 4) % MODULUS
  assert_eq!(
    SQRT_M1,
-    FieldElement::from(2u8).pow(FieldElement(
-      (FieldElement::zero() - FieldElement::one()).0.wrapping_div(&U256::from(4u8))
-    ))
+    FieldElement::from(2u8)
+      .pow(FieldElement((FieldElement::ZERO - FieldElement::ONE).0.wrapping_div(&U256::from(4u8))))
  );
 }