Returning int instead of bool in fp448 predicates.

Author: armfazh

ecc/decaf/constants.go group/decaf448/constants.go

@@ -1,4 +1,4 @@
-package decaf
+package decaf448
 
 import (
 	"errors"

ecc/decaf/decaf.go group/decaf448/decaf.go

@@ -1,4 +1,4 @@
-// Package decaf provides a prime-order group derived from a quotient of
+// Package decaf448 provides a prime-order group derived from a quotient of
 // Edwards curves.
 //
 // Decaf Group
@@ -29,10 +29,11 @@
 // (4) https://sourceforge.net/p/ed448goldilocks/code/ci/v1.0/tree/
 //
 // (5) https://mailarchive.ietf.org/arch/msg/cfrg/S4YUTt_5eD4kwYbDuhEK0tXT1aM/
-package decaf
+package decaf448
 
 import (
-	"unsafe"
+	"crypto/subtle"
+	"math/bits"
 
 	"github.com/cloudflare/circl/internal/ted448"
 	fp "github.com/cloudflare/circl/math/fp448"
@@ -79,15 +80,20 @@ func Mul(c *Elt, n *Scalar, a *Elt) { ted448.ScalarMult(&c.p, n, &a.p) }
 func MulGen(c *Elt, n *Scalar) { ted448.ScalarBaseMult(&c.p, n) }
 
 // IsIdentity returns True if e is the identity of the group.
-func (e *Elt) IsIdentity() bool { return fp.IsZero(&e.p.X) && !fp.IsZero(&e.p.Y) && !fp.IsZero(&e.p.Z) }
+func (e *Elt) IsIdentity() bool {
+	b0 := fp.IsZero(&e.p.X)
+	b1 := 1 - fp.IsZero(&e.p.Y)
+	b2 := 1 - fp.IsZero(&e.p.Z)
+	return subtle.ConstantTimeEq(int32(4*b2+2*b1+b0), 0x7) == 1
+}
 
 // IsEqual returns True if e=a, where = is an equivalence relation.
 func (e *Elt) IsEqual(a *Elt) bool {
 	l, r := &fp.Elt{}, &fp.Elt{}
 	fp.Mul(l, &e.p.X, &a.p.Y)
 	fp.Mul(r, &a.p.X, &e.p.Y)
 	fp.Sub(l, l, r)
-	return fp.IsZero(l)
+	return fp.IsZero(l) == 1
 }
 
 // UnmarshalBinary interprets the first EncodingSize bytes passed in data, and
@@ -101,7 +107,7 @@ func (e *Elt) UnmarshalBinary(data []byte) error {
 	copy(s[:], data[:EncodingSize])
 	p := fp.P()
 	isLessThanP := isLessThan(s[:], p[:])
-	isPositiveS := fp.Parity(s) == 0
+	isPositiveS := 1 - fp.Parity(s)
 
 	den, num := &fp.Elt{}, &fp.Elt{}
 	isr, altx, t0 := &fp.Elt{}, &fp.Elt{}, &fp.Elt{}
@@ -132,14 +138,16 @@ func (e *Elt) UnmarshalBinary(data []byte) error {
 	fp.Add(x, x, x)                   // x = 2*s*isr^2*den*num
 	fp.Mul(y, y, t0)                  // y = (1 - a*s^2)*isr*den
 
-	isValid := isPositiveS && isLessThanP && isQR
-	b := uint(*((*byte)(unsafe.Pointer(&isValid))))
+	b0 := isPositiveS
+	b1 := isLessThanP
+	b2 := isQR
+	b := uint(subtle.ConstantTimeEq(int32(4*b2+2*b1+b0), 0x7))
 	fp.Cmov(&e.p.X, x, b)
 	fp.Cmov(&e.p.Y, y, b)
 	fp.Cmov(&e.p.Ta, x, b)
 	fp.Cmov(&e.p.Tb, y, b)
 	fp.Cmov(&e.p.Z, &one, b)
-	if !isValid {
+	if b == 0 {
 		return ErrInvalidDecoding
 	}
 	return nil
@@ -180,12 +188,14 @@ func (e *Elt) marshalBinary(enc []byte) error {
 	return fp.ToBytes(enc[:], s)
 }
 
-// isLessThan returns true if 0 <= x < y, and assumes that slices are of the
+// isLessThan returns 1 if 0 <= x < y, and assumes that slices are of the
 // same length and are interpreted in little-endian order.
-func isLessThan(x, y []byte) bool {
+func isLessThan(x, y []byte) int {
 	i := len(x) - 1
 	for i > 0 && x[i] == y[i] {
 		i--
 	}
-	return x[i] < y[i]
+	xi := int(x[i])
+	yi := int(y[i])
+	return ((xi - yi) >> (bits.UintSize - 1)) & 1
 }

ecc/decaf/decaf_test.go group/decaf448/decaf_test.go

@@ -1,4 +1,4 @@
-package decaf_test
+package decaf448_test
 
 import (
 	"bytes"
@@ -9,7 +9,7 @@ import (
 	"os"
 	"testing"
 
-	"github.com/cloudflare/circl/ecc/decaf"
+	"github.com/cloudflare/circl/group/decaf448"
 	"github.com/cloudflare/circl/internal/test"
 	fp "github.com/cloudflare/circl/math/fp448"
 )
@@ -44,8 +44,8 @@ func (kat *testJSONFile) readFile(t *testing.T, fileName string) {
 	}
 }
 
-func verify(t *testing.T, i int, gotkG *decaf.Elt, wantEnckG []byte) {
-	wantkG := &decaf.Elt{}
+func verify(t *testing.T, i int, gotkG *decaf448.Elt, wantEnckG []byte) {
+	wantkG := &decaf448.Elt{}
 
 	gotEnckG, err := gotkG.MarshalBinary()
 	got := err == nil && bytes.Equal(gotEnckG, wantEnckG)
@@ -56,8 +56,8 @@ func verify(t *testing.T, i int, gotkG *decaf.Elt, wantEnckG []byte) {
 
 	err = wantkG.UnmarshalBinary(wantEnckG)
 	got = err == nil &&
-		decaf.IsValid(gotkG) &&
-		decaf.IsValid(wantkG) &&
+		decaf448.IsValid(gotkG) &&
+		decaf448.IsValid(wantkG) &&
 		gotkG.IsEqual(wantkG)
 	want = true
 	if got != want {
@@ -76,34 +76,34 @@ func TestDecafv1_0(t *testing.T) {
 		test.ReportError(t, got, want)
 	}
 	got = kat.Version
-	want = decaf.Version
+	want = decaf448.Version
 	if got != want {
 		test.ReportError(t, got, want)
 	}
-	var scalar decaf.Scalar
-	var P decaf.Elt
-	G := decaf.Generator()
+	var scalar decaf448.Scalar
+	var P decaf448.Elt
+	G := decaf448.Generator()
 	for i := range kat.Vectors {
 		k, _ := hex.DecodeString(kat.Vectors[i].K)
 		wantEnckG, _ := hex.DecodeString(kat.Vectors[i].KG)
 		wantEnckP, _ := hex.DecodeString(kat.Vectors[i].KP)
 		scalar.FromBytes(k)
 
-		decaf.MulGen(&P, &scalar)
+		decaf448.MulGen(&P, &scalar)
 		verify(t, i, &P, wantEnckG)
 
-		decaf.Mul(&P, &scalar, G)
+		decaf448.Mul(&P, &scalar, G)
 		verify(t, i, &P, wantEnckG)
 
-		decaf.Mul(&P, &scalar, &P)
+		decaf448.Mul(&P, &scalar, &P)
 		verify(t, i, &P, wantEnckP)
 	}
 }
 
 func TestDecafRandom(t *testing.T) {
 	const testTimes = 1 << 10
-	var e decaf.Elt
-	var enc [decaf.EncodingSize]byte
+	var e decaf448.Elt
+	var enc [decaf448.EncodingSize]byte
 
 	for i := 0; i < testTimes; i++ {
 		for found := false; !found; {
@@ -119,44 +119,44 @@ func TestDecafRandom(t *testing.T) {
 	}
 }
 
-func randomPoint() decaf.Elt {
-	var k decaf.Scalar
+func randomPoint() decaf448.Elt {
+	var k decaf448.Scalar
 	_, _ = rand.Read(k[:])
-	var P decaf.Elt
-	decaf.MulGen(&P, &k)
+	var P decaf448.Elt
+	decaf448.MulGen(&P, &k)
 	return P
 }
 
 func TestPointAdd(t *testing.T) {
 	const testTimes = 1 << 10
-	Q := &decaf.Elt{}
+	Q := &decaf448.Elt{}
 	for i := 0; i < testTimes; i++ {
 		P := randomPoint()
 		// Q = 16P = 2^4P
-		decaf.Double(Q, &P) // 2P
-		decaf.Double(Q, Q)  // 4P
-		decaf.Double(Q, Q)  // 8P
-		decaf.Double(Q, Q)  // 16P
+		decaf448.Double(Q, &P) // 2P
+		decaf448.Double(Q, Q)  // 4P
+		decaf448.Double(Q, Q)  // 8P
+		decaf448.Double(Q, Q)  // 16P
 		got := Q
 		// R = 16P = P+P...+P
-		R := decaf.Identity()
+		R := decaf448.Identity()
 		for j := 0; j < 16; j++ {
-			decaf.Add(R, R, &P)
+			decaf448.Add(R, R, &P)
 		}
 		want := R
-		if !decaf.IsValid(got) || !decaf.IsValid(want) || !got.IsEqual(want) {
+		if !decaf448.IsValid(got) || !decaf448.IsValid(want) || !got.IsEqual(want) {
 			test.ReportError(t, got, want, P)
 		}
 	}
 }
 
 func TestPointNeg(t *testing.T) {
 	const testTimes = 1 << 10
-	Q := &decaf.Elt{}
+	Q := &decaf448.Elt{}
 	for i := 0; i < testTimes; i++ {
 		P := randomPoint()
-		decaf.Neg(Q, &P)
-		decaf.Add(Q, Q, &P)
+		decaf448.Neg(Q, &P)
+		decaf448.Add(Q, Q, &P)
 		got := Q.IsIdentity()
 		want := true
 		if got != want {
@@ -167,12 +167,12 @@ func TestPointNeg(t *testing.T) {
 
 func TestDecafOrder(t *testing.T) {
 	const testTimes = 1 << 10
-	Q := &decaf.Elt{}
-	order := decaf.Order()
+	Q := &decaf448.Elt{}
+	order := decaf448.Order()
 	for i := 0; i < testTimes; i++ {
 		P := randomPoint()
 
-		decaf.Mul(Q, &order, &P)
+		decaf448.Mul(Q, &order, &P)
 		got := Q.IsIdentity()
 		want := true
 		if got != want {
@@ -193,37 +193,65 @@ func TestDecafInvalid(t *testing.T) {
 		nonQR[:],     // s=4 and (a^2s^4 + (2a - 4d)*s^2 + 1) is non-QR.
 	}
 
-	var e decaf.Elt
+	var e decaf448.Elt
 	for _, enc := range badEncodings {
 		got := e.UnmarshalBinary(enc)
-		want := decaf.ErrInvalidDecoding
+		want := decaf448.ErrInvalidDecoding
 		if got != want {
 			test.ReportError(t, got, want, enc)
 		}
 	}
 }
 
 func BenchmarkDecaf(b *testing.B) {
-	var k, l decaf.Scalar
+	var k, l decaf448.Scalar
 	_, _ = rand.Read(k[:])
 	_, _ = rand.Read(l[:])
-	G := decaf.Generator()
-	P := decaf.Generator()
+	G := decaf448.Generator()
+	P := decaf448.Generator()
+	Z := decaf448.Identity()
 	enc, _ := G.MarshalBinary()
 
+	x := &fp.Elt{}
+	y := &fp.Elt{}
+	_, _ = rand.Read(y[:])
+	// p := fp.P()
+	// one := fp.One()
+	// fp.Sub(y, &p, &one)
+
 	b.Run("Add", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
-			decaf.Add(P, P, G)
+			decaf448.Add(P, P, G)
+		}
+	})
+	b.Run("IsZeroSub0", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			fp.IsZero(x)
+		}
+	})
+	b.Run("IsZeroSub1", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			fp.IsZero(y)
+		}
+	})
+	b.Run("IsZeroSi", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			_ = Z.IsIdentity()
+		}
+	})
+	b.Run("IsZero", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			_ = P.IsIdentity()
 		}
 	})
 	b.Run("Mul", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
-			decaf.Mul(G, &k, G)
+			decaf448.Mul(G, &k, G)
 		}
 	})
 	b.Run("MulGen", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
-			decaf.MulGen(P, &k)
+			decaf448.MulGen(P, &k)
 		}
 	})
 	b.Run("Marshal", func(b *testing.B) {

ecc/decaf/testdata/decafv1.0_vectors.json group/decaf448/testdata/decafv1.0_vectors.json

@@ -46,7 +46,12 @@ func ParamD() fp.Elt { return paramD }
 
 // IsOnCurve returns true if the point lies on the curve.
 func IsOnCurve(P *Point) bool {
-	eq0 := *P != Point{}
+	eq0 := fp.IsZero(&P.X)
+	eq0 &= fp.IsZero(&P.Y)
+	eq0 &= fp.IsZero(&P.Z)
+	eq0 &= fp.IsZero(&P.Ta)
+	eq0 &= fp.IsZero(&P.Tb)
+	eq0 = 1 - eq0
 	x2, y2, t, t2, z2 := &fp.Elt{}, &fp.Elt{}, &fp.Elt{}, &fp.Elt{}, &fp.Elt{}
 	rhs, lhs := &fp.Elt{}, &fp.Elt{}
 	fp.Mul(t, &P.Ta, &P.Tb)  // t = ta*tb
@@ -63,7 +68,7 @@ func IsOnCurve(P *Point) bool {
 	fp.Mul(rhs, t, &P.Z)    // tz
 	fp.Sub(lhs, lhs, rhs)   // xy - tz
 	eq2 := fp.IsZero(lhs)
-	return eq0 && eq1 && eq2
+	return subtle.ConstantTimeByteEq(byte(4*eq2+2*eq1+eq0), 0x7) == 1
 }
 
 // subYDiv16 update x = (x - y) / 16.

internal/ted448/curve.go

@@ -39,6 +39,23 @@ func TestPointAdd(t *testing.T) {
 	}
 }
 
+func TestIsOnCurve(t *testing.T) {
+	for _, v := range []struct {
+		P    ted448.Point
+		want bool
+	}{
+		{ted448.Point{}, false},
+		{ted448.Identity(), true},
+		{ted448.Generator(), true},
+		{randomPoint(), true},
+	} {
+		got := ted448.IsOnCurve(&v.P)
+		if got != v.want {
+			test.ReportError(t, got, v.want, v.P)
+		}
+	}
+}
+
 func TestPointNeg(t *testing.T) {
 	const testTimes = 1 << 10
 	for i := 0; i < testTimes; i++ {