Add more curves for testing: Curve25519, BLS12-377, BN446, FKM-447, BLS12-461, BN462
This commit is contained in:
parent
9e78cd5d6d
commit
1855d14497
74
README.md
74
README.md
|
@ -35,6 +35,36 @@ The library focuses on following properties:
|
|||
|
||||
in this order
|
||||
|
||||
## Curves supported
|
||||
|
||||
At the moment the following curves are supported, adding a new curve only requires adding the prime modulus
|
||||
and its bitsize in [constantine/config/curves.nim]().
|
||||
|
||||
The following curves are configured:
|
||||
|
||||
### ECDH / ECDSA curves
|
||||
|
||||
- NIST P-224
|
||||
- Curve25519
|
||||
- NIST P-256 / Secp256r1
|
||||
- Secp256k1 (Bitcoin, Ethereum 1)
|
||||
|
||||
### Pairing-Friendly curves
|
||||
|
||||
Families:
|
||||
- BN: Barreto-Naerig
|
||||
- BLS: Barreto-Lynn-Scott
|
||||
- FKM: Fotiadis-Konstantinou-Martindale
|
||||
|
||||
Curves:
|
||||
- BN254 (Zero-Knowledge Proofs, Snarks, Starks, Zcash, Ethereum 1)
|
||||
- BLS12-377 (Zexe)
|
||||
- BLS12-381 (Algorand, Chia Networks, Dfinity, Ethereum 2, Filecoin, Zcash Sapling)
|
||||
- BN446
|
||||
- FKM12-447
|
||||
- BLS12-461
|
||||
- BN462
|
||||
|
||||
## Security
|
||||
|
||||
Hardening an implementation against all existing and upcoming attack vectors is an extremely complex task.
|
||||
|
@ -82,6 +112,50 @@ The previous implementation was 15x slower and one of the key optimizations
|
|||
was changing the elliptic curve cryptography backend.
|
||||
It had a direct implication on hardware cost and/or cloud computing resources required.
|
||||
|
||||
## Measuring performance
|
||||
|
||||
To measure the performance of Constantine
|
||||
|
||||
```bash
|
||||
git clone https://github.com/mratsim/constantine
|
||||
nimble bench_fp_clang
|
||||
nimble bench_fp2_clang
|
||||
```
|
||||
|
||||
As mentioned in the [Compiler caveats](#compiler-caveats) section, GCC is up to 2x slower than Clang due to mishandling of carries and register usage.
|
||||
|
||||
On my machine, for selected benchmarks on the prime field for popular pairing-friendly curves.
|
||||
|
||||
```
|
||||
⚠️ Measurements are approximate and use the CPU nominal clock: Turbo-Boost and overclocking will skew them.
|
||||
==========================================================================================================
|
||||
|
||||
All benchmarks are using constant-time implementations to protect against side-channel attacks.
|
||||
|
||||
Compiled with Clang
|
||||
Running on Intel(R) Core(TM) i9-9980XE CPU @ 3.00GHz (overclocked all-core Turbo @4.1GHz)
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
Addition Fp[BN254] 0 ns 0 cycles
|
||||
Substraction Fp[BN254] 0 ns 0 cycles
|
||||
Negation Fp[BN254] 0 ns 0 cycles
|
||||
Multiplication Fp[BN254] 21 ns 65 cycles
|
||||
Squaring Fp[BN254] 18 ns 55 cycles
|
||||
Inversion Fp[BN254] 6266 ns 18799 cycles
|
||||
--------------------------------------------------------------------------------
|
||||
Addition Fp[BLS12_381] 0 ns 0 cycles
|
||||
Substraction Fp[BLS12_381] 0 ns 0 cycles
|
||||
Negation Fp[BLS12_381] 0 ns 0 cycles
|
||||
Multiplication Fp[BLS12_381] 45 ns 136 cycles
|
||||
Squaring Fp[BLS12_381] 39 ns 118 cycles
|
||||
Inversion Fp[BLS12_381] 15683 ns 47050 cycles
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
Notes:
|
||||
GCC is significantly slower than Clang on multiprecision arithmetic.
|
||||
The simplest operations might be optimized away by the compiler.
|
||||
```
|
||||
|
||||
### Compiler caveats
|
||||
|
||||
Unfortunately compilers and in particular GCC are not very good at optimizing big integers and/or cryptographic code even when using intrinsics like `addcarry_u64`.
|
||||
|
|
|
@ -27,9 +27,15 @@ const InvIters = 1000
|
|||
const AvailableCurves = [
|
||||
P224,
|
||||
BN254,
|
||||
Curve25519,
|
||||
P256,
|
||||
Secp256k1,
|
||||
BLS12_381
|
||||
BLS12_377,
|
||||
BLS12_381,
|
||||
BN446,
|
||||
FKM12_447,
|
||||
BLS12_461,
|
||||
BN462
|
||||
]
|
||||
|
||||
proc main() =
|
||||
|
|
|
@ -26,8 +26,14 @@ import
|
|||
const Iters = 1_000_000
|
||||
const InvIters = 1000
|
||||
const AvailableCurves = [
|
||||
# Pairing-Friendly curves
|
||||
BN254,
|
||||
BLS12_381
|
||||
BLS12_377,
|
||||
BLS12_381,
|
||||
BN446,
|
||||
FKM12_447,
|
||||
BLS12_461,
|
||||
BN462
|
||||
]
|
||||
|
||||
proc main() =
|
||||
|
|
|
@ -26,8 +26,14 @@ import
|
|||
const Iters = 1_000_000
|
||||
const InvIters = 1000
|
||||
const AvailableCurves = [
|
||||
# Pairing-Friendly curves
|
||||
BN254,
|
||||
BLS12_381
|
||||
BLS12_377,
|
||||
BLS12_381,
|
||||
BN446,
|
||||
FKM12_447,
|
||||
BLS12_461,
|
||||
BN462
|
||||
]
|
||||
|
||||
proc main() =
|
||||
|
|
|
@ -39,54 +39,93 @@ import
|
|||
# - type Curve* = enum
|
||||
# - proc Mod*(curve: static Curve): auto
|
||||
# which returns the field modulus of the curve
|
||||
when not defined(testingCurves):
|
||||
declareCurves:
|
||||
curve P224: # NIST P-224
|
||||
bitsize: 224
|
||||
modulus: "0xffffffff_ffffffff_ffffffff_ffffffff_00000000_00000000_00000001"
|
||||
curve BN254:
|
||||
bitsize: 254
|
||||
modulus: "0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47"
|
||||
# Equation: Y^2 = X^3 + 3
|
||||
curve P256: # secp256r1 / NIST P-256
|
||||
bitsize: 256
|
||||
modulus: "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff"
|
||||
curve Secp256k1: # Bitcoin curve
|
||||
bitsize: 256
|
||||
modulus: "0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F"
|
||||
curve BLS12_381:
|
||||
bitsize: 381
|
||||
modulus: "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab"
|
||||
# Equation: y^2 = x^3 + 4
|
||||
else:
|
||||
# Fake curve for testing field arithmetic
|
||||
declareCurves:
|
||||
curve Fake101:
|
||||
bitsize: 7
|
||||
modulus: "0x65" # 101 in hex
|
||||
curve Mersenne61:
|
||||
bitsize: 61
|
||||
modulus: "0x1fffffffffffffff" # 2^61 - 1
|
||||
curve Mersenne127:
|
||||
bitsize: 127
|
||||
modulus: "0x7fffffffffffffffffffffffffffffff" # 2^127 - 1
|
||||
curve P224: # NIST P-224
|
||||
bitsize: 224
|
||||
modulus: "0xffffffff_ffffffff_ffffffff_ffffffff_00000000_00000000_00000001"
|
||||
curve BN254: # Zero-Knowledge proofs curve (SNARKS, STARKS)
|
||||
bitsize: 254
|
||||
modulus: "0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47"
|
||||
# Equation: Y^2 = X^3 + 3
|
||||
curve P256: # secp256r1 / NIST P-256
|
||||
bitsize: 256
|
||||
modulus: "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff"
|
||||
curve Secp256k1: # Bitcoin curve
|
||||
bitsize: 256
|
||||
modulus: "0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F"
|
||||
curve BLS12_381:
|
||||
bitsize: 381
|
||||
modulus: "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab"
|
||||
# Equation: y^2 = x^3 + 4
|
||||
|
||||
declareCurves:
|
||||
# -----------------------------------------------------------------------------
|
||||
# Curves added when passed "-d:testingCurves"
|
||||
curve Fake101:
|
||||
testingCurve: true
|
||||
bitsize: 7
|
||||
modulus: "0x65" # 101 in hex
|
||||
curve Mersenne61:
|
||||
testingCurve: true
|
||||
bitsize: 61
|
||||
modulus: "0x1fffffffffffffff" # 2^61 - 1
|
||||
curve Mersenne127:
|
||||
testingCurve: true
|
||||
bitsize: 127
|
||||
modulus: "0x7fffffffffffffffffffffffffffffff" # 2^127 - 1
|
||||
# -----------------------------------------------------------------------------
|
||||
curve P224: # NIST P-224
|
||||
bitsize: 224
|
||||
modulus: "0xffffffff_ffffffff_ffffffff_ffffffff_00000000_00000000_00000001"
|
||||
curve BN254: # Zero-Knowledge proofs curve (SNARKS, STARKS)
|
||||
bitsize: 254
|
||||
modulus: "0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47"
|
||||
# Equation: Y^2 = X^3 + 3
|
||||
curve Curve25519: # Bernstein curve
|
||||
bitsize: 255
|
||||
modulus: "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed"
|
||||
curve P256: # secp256r1 / NIST P-256
|
||||
bitsize: 256
|
||||
modulus: "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff"
|
||||
curve Secp256k1: # Bitcoin curve
|
||||
bitsize: 256
|
||||
modulus: "0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F"
|
||||
curve BLS12_377:
|
||||
# Zexe curve
|
||||
# (p41) https://eprint.iacr.org/2018/962.pdf
|
||||
# https://github.com/ethereum/EIPs/blob/41dea9615/EIPS/eip-2539.md
|
||||
bitsize: 377
|
||||
modulus: "0x01ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001"
|
||||
curve BLS12_381:
|
||||
bitsize: 381
|
||||
modulus: "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab"
|
||||
# Equation: y^2 = x^3 + 4
|
||||
curve BN446:
|
||||
bitsize: 446
|
||||
modulus: "0x2400000000000000002400000002d00000000d800000021c0000001800000000870000000b0400000057c00000015c000000132000000067"
|
||||
# u = 2^110 + 2^36 + 1
|
||||
curve FKM12_447: # Fotiadis-Konstantinou-Martindale
|
||||
bitsize: 447
|
||||
modulus: "0x4ce300001338c00001c08180000f20cfffffe5a8bffffd08a000000f228000007e8ffffffaddfffffffdc00000009efffffffca000000007"
|
||||
# TNFS Resistant Families of Pairing-Friendly Elliptic Curves
|
||||
# Georgios Fotiadis and Elisavet Konstantinou, 2018
|
||||
# https://eprint.iacr.org/2018/1017
|
||||
#
|
||||
# Family 17 choice b of
|
||||
# Optimal TNFS-secure pairings on elliptic curves with composite embedding degree
|
||||
# Georgios Fotiadis and Chloe Martindale, 2019
|
||||
# https://eprint.iacr.org/2019/555
|
||||
#
|
||||
# A short-list of pairing-friendly curves resistant toSpecial TNFS at the 128-bit security level
|
||||
# Aurore Guillevic
|
||||
# https://hal.inria.fr/hal-02396352v2/document
|
||||
#
|
||||
# p(x) = 1728x^6 + 2160x^5 + 1548x^4 + 756x^3 + 240x^2 + 54x + 7
|
||||
# t(x) = −6x² + 1, r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1.
|
||||
# Choice (b):u=−2^72 − 2^71 − 2^36
|
||||
#
|
||||
# Note the paper mentions 446-bit but it's 447
|
||||
curve BLS12_461:
|
||||
# Updating Key Size Estimations for Pairings
|
||||
# Barbulescu, R. and S. Duquesne, 2018
|
||||
# https://hal.archives-ouvertes.fr/hal-01534101/file/main.pdf
|
||||
bitsize: 461
|
||||
modulus: "0x15555545554d5a555a55d69414935fbd6f1e32d8bacca47b14848b42a8dffa5c1cc00f26aa91557f00400020000555554aaaaaac0000aaaaaaab"
|
||||
# u = −2^77 + 2^50 + 2^33
|
||||
# p = (u - 1)^2 (u^4 - u^2 + 1)/3 + u
|
||||
curve BN462:
|
||||
# Pairing-Friendly Curves
|
||||
# IETF Draft
|
||||
# https://tools.ietf.org/id/draft-irtf-cfrg-pairing-friendly-curves-02.html
|
||||
|
||||
# Updating Key Size Estimations for Pairings
|
||||
# Barbulescu, R. and S. Duquesne, 2018
|
||||
# https://hal.archives-ouvertes.fr/hal-01534101/file/main.pdf
|
||||
bitsize: 462
|
||||
modulus: "0x240480360120023ffffffffff6ff0cf6b7d9bfca0000000000d812908f41c8020ffffffffff6ff66fc6ff687f640000000002401b00840138013"
|
||||
# u = 2^114 + 2^101 − 2^14 − 1
|
||||
|
||||
# ############################################################
|
||||
#
|
||||
|
@ -253,6 +292,10 @@ macro genMontyMagics(T: typed): untyped =
|
|||
|
||||
genMontyMagics(Curve)
|
||||
|
||||
func getCurveBitSize*(C: static Curve): static int =
|
||||
## Returns the number of bits taken by the curve modulus
|
||||
result = static(CurveBitSize[C])
|
||||
|
||||
macro canUseNoCarryMontyMul*(C: static Curve): untyped =
|
||||
## Returns true if the Modulus is compatible with a fast
|
||||
## Montgomery multiplication that avoids many carries
|
||||
|
|
|
@ -71,38 +71,45 @@ macro declareCurves*(curves: untyped): untyped =
|
|||
|
||||
let curve = curveDesc[1]
|
||||
|
||||
let sizeSection = curveDesc[2][0]
|
||||
var offset = 0
|
||||
var testCurve = false
|
||||
if curveDesc[2][0][0].eqident"testingCurve":
|
||||
offset = 1
|
||||
testCurve = curveDesc[2][0][1].boolVal
|
||||
|
||||
let sizeSection = curveDesc[2][offset]
|
||||
doAssert sizeSection[0].eqIdent"bitsize"
|
||||
sizeSection[1].expectKind(nnkStmtList)
|
||||
let bitSize = sizeSection[1][0]
|
||||
|
||||
let modSection = curveDesc[2][1]
|
||||
let modSection = curveDesc[2][offset+1]
|
||||
doAssert modSection[0].eqIdent"modulus"
|
||||
modSection[1].expectKind(nnkStmtList)
|
||||
let modulus = modSection[1][0]
|
||||
|
||||
Curves.add curve
|
||||
# "BN254: 254" for array construction
|
||||
CurveBitSize.add nnkExprColonExpr.newTree(
|
||||
curve, bitSize
|
||||
)
|
||||
if not testCurve or defined(testingCurves):
|
||||
Curves.add curve
|
||||
# "BN254: 254" for array construction
|
||||
CurveBitSize.add nnkExprColonExpr.newTree(
|
||||
curve, bitSize
|
||||
)
|
||||
|
||||
# const BN254_Modulus = Fp[BN254](value: fromHex(BigInt[254], "0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47"))
|
||||
let modulusID = ident($curve & "_Modulus")
|
||||
curveModStmts.add newConstStmt(
|
||||
modulusID,
|
||||
nnkObjConstr.newTree(
|
||||
nnkBracketExpr.newTree(Fp, curve),
|
||||
nnkExprColonExpr.newTree(
|
||||
ident"mres",
|
||||
newCall(
|
||||
bindSym"fromHex",
|
||||
nnkBracketExpr.newTree(bindSym"BigInt", bitSize),
|
||||
modulus
|
||||
# const BN254_Modulus = Fp[BN254](value: fromHex(BigInt[254], "0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47"))
|
||||
let modulusID = ident($curve & "_Modulus")
|
||||
curveModStmts.add newConstStmt(
|
||||
modulusID,
|
||||
nnkObjConstr.newTree(
|
||||
nnkBracketExpr.newTree(Fp, curve),
|
||||
nnkExprColonExpr.newTree(
|
||||
ident"mres",
|
||||
newCall(
|
||||
bindSym"fromHex",
|
||||
nnkBracketExpr.newTree(bindSym"BigInt", bitSize),
|
||||
modulus
|
||||
)
|
||||
)
|
||||
)
|
||||
)
|
||||
)
|
||||
|
||||
# end for ---------------------------------------------------
|
||||
|
||||
|
|
|
@ -15,6 +15,10 @@
|
|||
Ben Lynn, 2007\
|
||||
https://crypto.stanford.edu/pbc/thesis.pdf
|
||||
|
||||
- An Analysis of Affine Coordinates for Pairing Computation\
|
||||
Kristin Lauter, Peter L. Montgomery, and Michael Naehrig, 2010\
|
||||
https://eprint.iacr.org/2010/363.pdf
|
||||
|
||||
- Pairings for beginners\
|
||||
Craig Costello, 2012 (?)\
|
||||
http://www.craigcostello.com.au/pairings/PairingsForBeginners.pdf
|
||||
|
@ -30,11 +34,14 @@
|
|||
https://scholarworks.rit.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=10083&context=theses
|
||||
https://github.com/rajeevakarv/FiniteFieldComputations
|
||||
|
||||
|
||||
- A taxonomy of pairings, their security, their complexity\
|
||||
Razvan Barbulescu, Nadia El Mrabet, and Loubna Ghammam, 2019\
|
||||
https://hal.archives-ouvertes.fr/hal-02129868/file/2019-485.pdf
|
||||
|
||||
- A short-list of pairing-friendly curves resistantto Special TNFS at the 128-bit security level\
|
||||
Aurore Guillevic\
|
||||
https://eprint.iacr.org/2019/1371.pdf
|
||||
|
||||
### Presentations
|
||||
|
||||
- Introduction to pairings\
|
||||
|
|
|
@ -79,6 +79,10 @@ From Ben Edgington, https://hackmd.io/@benjaminion/bls12-381
|
|||
Naomi Benger and Michael Scott, 2009\
|
||||
https://eprint.iacr.org/2009/556
|
||||
|
||||
- Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions\
|
||||
Robert Granger and Michael Scott, 2009\
|
||||
https://eprint.iacr.org/2009/565.pdf
|
||||
|
||||
- High-Speed Software Implementation of the Optimal Ate Pairing over Barreto-Naehrig Curves\
|
||||
Jean-Luc Beuchat and Jorge Enrique González Díaz and Shigeo Mitsunari and Eiji Okamoto and Francisco Rodríguez-Henríquez and Tadanori Teruya, 2010\
|
||||
https://eprint.iacr.org/2010/354
|
||||
|
|
|
@ -19,11 +19,17 @@ import
|
|||
|
||||
var RNG {.compileTime.} = initRand(1234)
|
||||
const CurveParams = [
|
||||
P224: (224, "0xffffffffffffffffffffffffffffffff000000000000000000000001"),
|
||||
BN254: (254, "0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47"),
|
||||
P256: (256, "0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff"),
|
||||
Secp256k1: (256, "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F"),
|
||||
BLS12_381: (381, "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab")
|
||||
P224,
|
||||
BN254,
|
||||
Curve25519,
|
||||
P256,
|
||||
Secp256k1,
|
||||
BLS12_377,
|
||||
BLS12_381,
|
||||
BN446,
|
||||
FKM12_447,
|
||||
BLS12_461,
|
||||
BN462
|
||||
]
|
||||
|
||||
const AvailableCurves = [P224, BN254, P256, Secp256k1, BLS12_381]
|
||||
|
@ -49,13 +55,13 @@ proc binary_prologue[C: static Curve, N: static int](
|
|||
a, b, p: var mpz_t,
|
||||
aTest, bTest: var Fp[C],
|
||||
aBuf, bBuf: var array[N, byte]) =
|
||||
const bits = CurveParams[C][0]
|
||||
const bits = C.getCurveBitSize()
|
||||
|
||||
# Generate random value in the range 0 ..< 2^(bits-1)
|
||||
mpz_urandomb(a, gmpRng, uint bits)
|
||||
mpz_urandomb(b, gmpRng, uint bits)
|
||||
# Set modulus to curve modulus
|
||||
let err = mpz_set_str(p, CurveParams[C][1], 0)
|
||||
let err = mpz_set_str(p, Curve(C).Mod.mres.toHex(), 0)
|
||||
doAssert err == 0, "Error on prime for curve " & $Curve(C)
|
||||
|
||||
#########################################################
|
||||
|
@ -116,7 +122,7 @@ proc addTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curv
|
|||
# echo "Testing: random modular addition on ", $C
|
||||
|
||||
const
|
||||
bits = CurveParams[C][0]
|
||||
bits = C.getCurveBitSize()
|
||||
bufLen = (bits + 7) div 8
|
||||
var
|
||||
aTest, bTest{.noInit.}: Fp[C]
|
||||
|
@ -139,7 +145,7 @@ proc subTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curv
|
|||
# echo "Testing: random modular substraction on ", $C
|
||||
|
||||
const
|
||||
bits = CurveParams[C][0]
|
||||
bits = C.getCurveBitSize()
|
||||
bufLen = (bits + 7) div 8
|
||||
var
|
||||
aTest, bTest{.noInit.}: Fp[C]
|
||||
|
@ -162,7 +168,7 @@ proc mulTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curv
|
|||
# echo "Testing: random modular multiplication on ", $C
|
||||
|
||||
const
|
||||
bits = CurveParams[C][0]
|
||||
bits = C.getCurveBitSize()
|
||||
bufLen = (bits + 7) div 8
|
||||
var
|
||||
aTest, bTest{.noInit.}: Fp[C]
|
||||
|
@ -182,7 +188,7 @@ proc invTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curv
|
|||
# echo "Testing: random modular inversion on ", $C
|
||||
|
||||
const
|
||||
bits = CurveParams[C][0]
|
||||
bits = C.getCurveBitSize()
|
||||
bufLen = (bits + 7) div 8
|
||||
var
|
||||
aTest, bTest{.noInit.}: Fp[C]
|
||||
|
|
|
@ -76,9 +76,14 @@ suite "𝔽p2 = 𝔽p[𝑖] (irreducible polynomial x²+1)":
|
|||
testInstance()
|
||||
|
||||
test(BN254)
|
||||
test(BLS12_381)
|
||||
test(P256)
|
||||
test(Secp256k1)
|
||||
test(BLS12_377)
|
||||
test(BLS12_381)
|
||||
test(BN446)
|
||||
test(FKM12_447)
|
||||
test(BLS12_461)
|
||||
test(BN462)
|
||||
|
||||
test "Multiplication by 0 and 1":
|
||||
template test(C: static Curve, body: untyped) =
|
||||
|
@ -192,9 +197,14 @@ suite "𝔽p2 = 𝔽p[𝑖] (irreducible polynomial x²+1)":
|
|||
bool(r0 == r4)
|
||||
|
||||
abelianGroup(BN254)
|
||||
abelianGroup(BLS12_381)
|
||||
abelianGroup(Secp256k1)
|
||||
abelianGroup(P256)
|
||||
abelianGroup(Secp256k1)
|
||||
abelianGroup(BLS12_377)
|
||||
abelianGroup(BLS12_381)
|
||||
abelianGroup(BN446)
|
||||
abelianGroup(FKM12_447)
|
||||
abelianGroup(BLS12_461)
|
||||
abelianGroup(BN462)
|
||||
|
||||
test "𝔽p2 = 𝔽p[𝑖] multiplication is associative and commutative":
|
||||
proc commutativeRing(curve: static Curve) =
|
||||
|
@ -239,9 +249,14 @@ suite "𝔽p2 = 𝔽p[𝑖] (irreducible polynomial x²+1)":
|
|||
bool(r0 == r4)
|
||||
|
||||
commutativeRing(BN254)
|
||||
commutativeRing(BLS12_381)
|
||||
commutativeRing(Secp256k1)
|
||||
commutativeRing(P256)
|
||||
commutativeRing(Secp256k1)
|
||||
commutativeRing(BLS12_377)
|
||||
commutativeRing(BLS12_381)
|
||||
commutativeRing(BN446)
|
||||
commutativeRing(FKM12_447)
|
||||
commutativeRing(BLS12_461)
|
||||
commutativeRing(BN462)
|
||||
|
||||
test "𝔽p2 = 𝔽p[𝑖] extension field multiplicative inverse":
|
||||
proc mulInvOne(curve: static Curve) =
|
||||
|
@ -259,6 +274,11 @@ suite "𝔽p2 = 𝔽p[𝑖] (irreducible polynomial x²+1)":
|
|||
check: bool(r == one)
|
||||
|
||||
mulInvOne(BN254)
|
||||
mulInvOne(BLS12_381)
|
||||
mulInvOne(Secp256k1)
|
||||
mulInvOne(P256)
|
||||
mulInvOne(Secp256k1)
|
||||
mulInvOne(BLS12_377)
|
||||
mulInvOne(BLS12_381)
|
||||
mulInvOne(BN446)
|
||||
mulInvOne(FKM12_447)
|
||||
mulInvOne(BLS12_461)
|
||||
mulInvOne(BN462)
|
||||
|
|
|
@ -51,7 +51,14 @@ suite "𝔽p6 = 𝔽p2[∛(1+𝑖)] (irreducible polynomial x³ - (1+𝑖))":
|
|||
testInstance()
|
||||
|
||||
test(BN254)
|
||||
test(P256)
|
||||
test(Secp256k1)
|
||||
test(BLS12_377)
|
||||
test(BLS12_381)
|
||||
test(BN446)
|
||||
test(FKM12_447)
|
||||
test(BLS12_461)
|
||||
test(BN462)
|
||||
|
||||
test "Squaring 2 returns 4":
|
||||
template test(C: static Curve) =
|
||||
|
@ -76,7 +83,14 @@ suite "𝔽p6 = 𝔽p2[∛(1+𝑖)] (irreducible polynomial x³ - (1+𝑖))":
|
|||
testInstance()
|
||||
|
||||
test(BN254)
|
||||
test(P256)
|
||||
test(Secp256k1)
|
||||
test(BLS12_377)
|
||||
test(BLS12_381)
|
||||
test(BN446)
|
||||
test(FKM12_447)
|
||||
test(BLS12_461)
|
||||
test(BN462)
|
||||
|
||||
test "Squaring 3 returns 9":
|
||||
template test(C: static Curve) =
|
||||
|
@ -103,7 +117,14 @@ suite "𝔽p6 = 𝔽p2[∛(1+𝑖)] (irreducible polynomial x³ - (1+𝑖))":
|
|||
testInstance()
|
||||
|
||||
test(BN254)
|
||||
test(P256)
|
||||
test(Secp256k1)
|
||||
test(BLS12_377)
|
||||
test(BLS12_381)
|
||||
test(BN446)
|
||||
test(FKM12_447)
|
||||
test(BLS12_461)
|
||||
test(BN462)
|
||||
|
||||
test "Squaring -3 returns 9":
|
||||
template test(C: static Curve) =
|
||||
|
@ -130,4 +151,11 @@ suite "𝔽p6 = 𝔽p2[∛(1+𝑖)] (irreducible polynomial x³ - (1+𝑖))":
|
|||
testInstance()
|
||||
|
||||
test(BN254)
|
||||
test(P256)
|
||||
test(Secp256k1)
|
||||
test(BLS12_377)
|
||||
test(BLS12_381)
|
||||
test(BN446)
|
||||
test(FKM12_447)
|
||||
test(BLS12_461)
|
||||
test(BN462)
|
||||
|
|
Loading…
Reference in New Issue