constantine/tests/math_fields/t_finite_fields_vs_gmp.nim

272 lines
8.0 KiB
Nim
Raw Normal View History

# Constantine
# Copyright (c) 2018-2019 Status Research & Development GmbH
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
# Licensed and distributed under either of
# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import
# Standard library
std/[random, macros, times],
# Third-party
gmp,
# Internal
../../constantine/platforms/[abstractions, codecs],
../../constantine/math/io/[io_bigints, io_fields],
../../constantine/math/arithmetic,
../../constantine/math/config/curves,
# Test utilities
../../helpers/prng_unsafe
echo "\n------------------------------------------------------\n"
var RNG {.compileTime.} = initRand(1234)
const AvailableCurves = [
P224,
BN254_Nogami, BN254_Snarks,
P256, Secp256k1, Edwards25519, Bandersnatch, Pallas, Vesta,
BLS12_377, BLS12_381, BW6_761
]
const # https://gmplib.org/manual/Integer-Import-and-Export.html
GMP_WordLittleEndian = -1'i32
GMP_WordNativeEndian = 0'i32
GMP_WordBigEndian = 1'i32
GMP_MostSignificantWordFirst = 1'i32
GMP_LeastSignificantWordFirst = -1'i32
# ############################################################
#
# Helpers
#
# ############################################################
#
# Factor common things in proc to avoid generating 100k+ lines of C code
proc binary_prologue[C: static Curve, N: static int](
rng: var RngState,
a, b, p: var mpz_t,
aTest, bTest: var Fp[C],
aBuf, bBuf: var array[N, byte]) =
# Build the field elements
aTest = rng.random_unsafe(Fp[C])
bTest = rng.random_unsafe(Fp[C])
# Set modulus to curve modulus
let err = mpz_set_str(p, Curve(C).Mod.toHex(), 0)
2020-03-20 23:03:52 +01:00
doAssert err == 0, "Error on prime for curve " & $Curve(C)
#########################################################
# Conversion to GMP
const aLen = C.getCurveBitwidth().ceilDiv_vartime(8)
const bLen = C.getCurveBitwidth().ceilDiv_vartime(8)
var aBuf: array[aLen, byte]
var bBuf: array[bLen, byte]
aBuf.marshal(aTest, bigEndian)
bBuf.marshal(bTest, bigEndian)
mpz_import(a, aLen, GMP_MostSignificantWordFirst, 1, GMP_WordNativeEndian, 0, aBuf[0].addr)
mpz_import(b, bLen, GMP_MostSignificantWordFirst, 1, GMP_WordNativeEndian, 0, bBuf[0].addr)
proc binary_epilogue[C: static Curve, N: static int](
r, a, b: mpz_t,
rTest: Fp[C],
aBuf, bBuf: array[N, byte],
operation: string
) =
#########################################################
# Check
{.push warnings: off.} # deprecated csize
var aW, bW, rW: csize # Word written by GMP
{.pop.}
var rGMP: array[N, byte]
discard mpz_export(rGMP[0].addr, rW.addr, GMP_MostSignificantWordFirst, 1, GMP_WordNativeEndian, 0, r)
var rConstantine: array[N, byte]
marshal(rConstantine, rTest, bigEndian)
# Note: in bigEndian, GMP aligns left while constantine aligns right
doAssert rGMP.toOpenArray(0, rW-1) == rConstantine.toOpenArray(N-rW, N-1), block:
# Reexport as bigEndian for debugging
discard mpz_export(aBuf[0].unsafeAddr, aW.addr, GMP_MostSignificantWordFirst, 1, GMP_WordNativeEndian, 0, a)
discard mpz_export(bBuf[0].unsafeAddr, bW.addr, GMP_MostSignificantWordFirst, 1, GMP_WordNativeEndian, 0, b)
"\nModular " & operation & " on curve " & $C & " with operands\n" &
" a: " & aBuf.toHex & "\n" &
" b: " & bBuf.toHex & "\n" &
"failed:" & "\n" &
" GMP: " & rGMP.toHex() & "\n" &
Internals refactor + renewed focus on perf (#17) * Lay out the refactoring objectives and tradeoffs * Refactor the 32 and 64-bit primitives [skip ci] * BigInts and Modular BigInts compile * Make the bigints test compile * Fix modular reduction * Fix reduction tests vs GMP * Implement montegomery mul, pow, inverse, WIP finite field compilation * Make FiniteField compile * Fix exponentiation compilation * Fix Montgomery magic constant computation for 2^64 words * Fix typo in non-optimized CIOS - passing finite fields IO tests * Add limbs comparisons [skip ci] * Fix on precomputation of the Montgomery magic constant * Passing all tests including 𝔽p2 * modular addition, the test for mersenne prime was wrong * update benches * Fix "nimble test" + typo on out-of-place field addition * bigint division, normalization is needed: https://travis-ci.com/github/mratsim/constantine/jobs/298359743 * missing conversion in subborrow non-x86 fallback - https://travis-ci.com/github/mratsim/constantine/jobs/298359744 * Fix little-endian serialization * Constantine32 flag to run 32-bit constantine on 64-bit machines * IO Field test, ensure that BaseType is used instead of uint64 when the prime can field in uint32 * Implement proper addcarry and subborrow fallback for the compile-time VM * Fix export issue when the logical wordbitwidth == physical wordbitwidth - passes all tests (32-bit and 64-bit) * Fix uint128 on ARM * Fix C++ conditional copy and ARM addcarry/subborrow * Add investigation for SIGFPE in Travis * Fix debug display for unsafeDiv2n1n * multiplexer typo * moveMem bug in glibc of Ubuntu 16.04? * Was probably missing an early clobbered register annotation on conditional mov * Note on Montgomery-friendly moduli * Strongly suspect a GCC before GCC 7 codegen bug (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87139) * hex conversion was (for debugging) not taking requested order into account + inlining comment * Use 32-bit limbs on ARM64, uint128 builtin __udivti4 bug? * Revert "Use 32-bit limbs on ARM64, uint128 builtin __udivti4 bug?" This reverts commit 087f9aa7fb40bbd058d05cbd8eec7fc082911f49. * Fix subborrow fallback for non-x86 (need to maks the borrow)
2020-03-16 16:33:51 +01:00
" Constantine: " & rConstantine.toHex() & "\n" &
"(Note that GMP aligns bytes left while constantine aligns bytes right)"
# ############################################################
#
# Test Definitions
#
# ############################################################
proc addTests(rng: var RngState, a, b, p, r: var mpz_t, C: static Curve) =
# echo "Testing: random modular addition on ", $C
const
bits = C.getCurveBitwidth()
bufLen = bits.ceilDiv_vartime(8)
var
aTest, bTest{.noInit.}: Fp[C]
aBuf, bBuf: array[bufLen, byte]
binary_prologue(rng, a, b, p, aTest, bTest, aBuf, bBuf)
mpz_add(r, a, b)
mpz_mod(r, r, p)
var rTest {.noInit.}: Fp[C]
rTest.sum(aTest, bTest)
var r2Test = aTest
r2Test += bTest
binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Addition (with result)")
binary_epilogue(r, a, b, r2Test, aBuf, bBuf, "Addition (in-place)")
proc subTests(rng: var RngState, a, b, p, r: var mpz_t, C: static Curve) =
# echo "Testing: random modular substraction on ", $C
const
bits = C.getCurveBitwidth()
bufLen = bits.ceilDiv_vartime(8)
var
aTest, bTest{.noInit.}: Fp[C]
aBuf, bBuf: array[bufLen, byte]
binary_prologue(rng, a, b, p, aTest, bTest, aBuf, bBuf)
mpz_sub(r, a, b)
mpz_mod(r, r, p)
var rTest {.noInit.}: Fp[C]
rTest.diff(aTest, bTest)
var r2Test = aTest
r2Test -= bTest
# Substraction with r and b aliasing
var r3Test = bTest
r3Test.diff(aTest, r3Test)
binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Substraction (with result)")
binary_epilogue(r, a, b, r2Test, aBuf, bBuf, "Substraction (in-place)")
binary_epilogue(r, a, b, r3Test, aBuf, bBuf, "Substraction (result aliasing)")
proc mulTests(rng: var RngState, a, b, p, r: var mpz_t, C: static Curve) =
# echo "Testing: random modular multiplication on ", $C
const
bits = C.getCurveBitwidth()
bufLen = bits.ceilDiv_vartime(8)
var
aTest, bTest{.noInit.}: Fp[C]
aBuf, bBuf: array[bufLen, byte]
binary_prologue(rng, a, b, p, aTest, bTest, aBuf, bBuf)
mpz_mul(r, a, b)
mpz_mod(r, r, p)
var rTest {.noInit.}: Fp[C]
rTest.prod(aTest, bTest)
var r2Test = aTest
r2Test *= bTest
binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Multiplication (with result)")
binary_epilogue(r, a, b, r2Test, aBuf, bBuf, "Multiplication (in-place)")
proc invTests(rng: var RngState, a, b, p, r: var mpz_t, C: static Curve) =
# We use the binary prologue epilogue but the "b" parameter is actual unused
# echo "Testing: random modular inversion on ", $C
const
bits = C.getCurveBitwidth()
bufLen = bits.ceilDiv_vartime(8)
var
aTest, bTest{.noInit.}: Fp[C]
aBuf, bBuf: array[bufLen, byte]
binary_prologue(rng, a, b, p, aTest, bTest, aBuf, bBuf)
let exist = mpz_invert(r, a, p)
doAssert exist != 0
2020-03-20 23:03:52 +01:00
var rTest {.noInit.}: Fp[C]
rTest.inv(aTest)
binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Inversion (b is unused)")
# ############################################################
#
# Test Runners
#
# ############################################################
macro randomTests(numTests: static int, curveSym, body: untyped): untyped =
## Generate `num` random tests at compile-time to test against GMP
## for A mod M
result = newStmtList()
for _ in 0 ..< numTests:
2020-06-19 00:24:50 +02:00
let curve = RNG.sample(AvailableCurves)
result.add quote do:
block:
const `curveSym` = Curve(`curve`)
block:
`body`
template testSetup {.dirty.} =
var rng: RngState
let seed = uint32(getTime().toUnix() and (1'i64 shl 32 - 1)) # unixTime mod 2^32
rng.seed(seed)
echo "\n------------------------------------------------------\n"
echo "test_finite_fields_vs_gmp** seed: ", seed
var a, b, p, r: mpz_t
mpz_init(a)
mpz_init(b)
mpz_init(p)
mpz_init(r)
proc mainMul() =
testSetup()
echo "Testing modular multiplications vs GMP"
randomTests(24, curve):
mulTests(rng, a, b, p, r, curve)
proc mainAdd() =
testSetup()
echo "Testing modular additions vs GMP"
randomTests(24, curve):
addTests(rng, a, b, p, r, curve)
proc mainSub() =
testSetup()
echo "Testing modular substractions vs GMP"
randomTests(24, curve):
subTests(rng, a, b, p, r, curve)
proc mainInv() =
testSetup()
echo "Testing modular inversions vs GMP"
randomTests(24, curve):
invTests(rng, a, b, p, r, curve)
2020-02-22 19:50:24 +01:00
mainMul()
mainAdd()
mainSub()
mainInv()