reorg the codebase + add/update READMEs in folders with research (#12)

* reorg the codebase + add/update READMEs in folders with research

* fix readme

* update pairing implementation papers

* Separate hash-to-curve in its own folder, distinguish between norms, research and presentations

* Better markdown line breaks

* Add in-depth analysis of towers of extension fields for BN curve

* Fix Colm Ó hÉigeartaigh name and add Hash-to-Curve reference
Mamy Ratsimbazafy 2020-02-24 10:50:19 +01:00 committed by GitHub
parent d83101153a
commit 3bd70991d4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
27 changed files with 207 additions and 30 deletions

View File

@ -26,6 +26,7 @@ The library focuses on following properties:
- constant-time (not leaking secret data via side-channels)
- generated code size, datatype size and stack usage
- performance
in this order
## Security
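Review bot: the added `in this order` line sits directly under `- performance` with no blank line, so markdown treats it as a lazy continuation of that last bullet and renders "performance in this order". Either insert a blank line before it so it becomes its own paragraph, or move the phrase into the sentence that introduces the list ("The library focuses on the following properties, in this order:").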

View File

@ -1,5 +1,5 @@
# BigInt and Finite Field Arithmetic
This folder contains the implementation of
- big integer
- big integers
- finite field arithmetic (i.e. modular arithmetic)

View File

@ -0,0 +1,5 @@
# Common configuration
- Low-level logical and physical word definitions
- Elliptic curve declarations
- Cipher suites

View File

@ -11,7 +11,7 @@ import
macros,
# Internal
./curves_parser, ./common,
../math/[precomputed, bigints_checked]
../arithmetic/[precomputed, bigints_checked]
# ############################################################

View File

@ -10,7 +10,7 @@ import
# Standard library
macros,
# Internal
../io/io_bigints, ../math/bigints_checked
../io/io_bigints, ../arithmetic/bigints_checked
# Macro to parse declarative curves configuration.

View File

@ -1,7 +1,9 @@
# Elliptic Curves
This folder will hold the implementation of elliptic curves.
This folder will hold the implementation of elliptic curves arithmetic
## References
- Pairing-Friendly Curves https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-00#section-2.1
- Pairing-Friendly Curves\
(Draft, expires May 4, 2020)\
https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-00#section-2.1
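Review bot: grammar in the rewritten first line: "the implementation of elliptic curves arithmetic" should read "elliptic curve arithmetic", and the sentence lost its final period. The reference pins revision `-00` of the pairing-friendly-curves draft together with its expiry date, which goes stale the moment the draft is refreshed; consider citing the unversioned draft name next to the dated link so readers can find the current revision.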

View File

@ -0,0 +1,32 @@
# Hashing to Elliptic Curves
## References
### Normative references
- Hashing to Elliptic Curve\
(Draft, expires May 5, 2020)\
https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05 \
https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve
### Research
- Fast Hashing to $G_2$ on Pairing-Friendly Curves \
Michael Scott, Naomi Benger, Manuel Charlemagne, Luis J. Dominguez Perez, Ezekiel J. Kachisa, 2009\
https://doi.org/10.1007/978-3-642-03298-1_8
- Faster Hashing to $G_2$\
Laura Fuentes-Castañeda, Edward Knapp, Francisco Rodríguez-Henríquez, 2011\
https://link.springer.com/chapter/10.1007%2F978-3-642-28496-0_25
- Indifferentiable Hashing to BarretoNaehrig Curves\
Pierre-Alain Fouque, Mehdi Tibouchi, 2012\
https://hal.inria.fr/hal-01094321/file/FT12.pdf
- Hashing to $G_2$ on BLS pairing-friendly curves\
Alessandro Budroni, Federico Pintore, 2019\
https://doi.org/10.1145/3313880.3313884
- Fast and simple constant-time hashing to the BLS12-381 elliptic curve\
Riad S. Wahby and Dan Boneh, 2019\
https://eprint.iacr.org/2019/403
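Review bot: the Fouque-Tibouchi entry drops the hyphen from the curve family name; the paper title is "Indifferentiable Hashing to Barreto-Naehrig Curves". The normative entry should also be titled "Hashing to Elliptic Curves" (plural), matching the draft it links to.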

View File

@ -1,7 +1,9 @@
# I/O and serialization
# I/O, serialization, encoding/decoding
## References
- Standards for Efficient Cryptography Group (SECG),
"SEC 1: Elliptic Curve Cryptography", May 2009,
### Normative references
- Standards for Efficient Cryptography Group (SECG),\
"SEC 1: Elliptic Curve Cryptography", May 2009,\
http://www.secg.org/sec1-v2.pdf

View File

@ -12,7 +12,7 @@
import
../primitives/constant_time,
../math/bigints_checked,
../arithmetic/bigints_checked,
../config/common
# ############################################################

View File

@ -9,7 +9,7 @@
import
./io_bigints,
../config/curves,
../math/[bigints_checked, finite_fields]
../arithmetic/[bigints_checked, finite_fields]
# No exceptions allowed
{.push raises: [].}

View File

@ -0,0 +1,15 @@
# Isogeny-based Cryptography
This folder will hold the implementations of isogeny-based cryptography.
The initial focus will be the isogeny maps necessary to implement
hashing to elliptic curve
## References
### Normative references
- Hashing to Elliptic Curve\
(Draft, expires May 5, 2020)\
https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-05 \
https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve
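Review bot: "hashing to elliptic curve" in the description and the reference title "Hashing to Elliptic Curve" should both be plural, since the draft is titled "Hashing to Elliptic Curves"; the description sentence also lacks a terminating period. Since this README and the hash-to-curve README cite the same draft with the same expiry date, both will need updating together when the draft is refreshed.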

View File

@ -2,20 +2,42 @@
## References
- Pairing-Friendly Curves
IETF Draft Specification (expires May 2020)
### Normative references
- Pairing-Friendly Curves\
IETF Draft Specification (expires May 2020)\
https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-00#ref-KB16
- Multiplication and Squaring on Pairing-Friendly Fields
### Research
Devigili et al
- On the Implementation of Pairing-based Cryptosystems\
PhD Thesis\
Ben Lynn, 2007\
https://crypto.stanford.edu/pbc/thesis.pdf
https://eprint.iacr.org/2006/471
- Pairings for beginners\
Craig Costello, 2012 (?)\
http://www.craigcostello.com.au/pairings/PairingsForBeginners.pdf
- Constructing Tower Extensions for the implementation of Pairing-Based Cryptography
- Fast Formulas for Computing Cryptographic Pairings\
PhD Thesis\
Craig Costello, 2012\
https://eprints.qut.edu.au/61037/1/Craig_Costello_Thesis.pdf
Benger et al
- Efficient Implementations of Pairing-Based Cryptography on Embedded Systems\
Master Thesis\
Rajeev Verma, 2015\
https://scholarworks.rit.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=10083&context=theses
https://github.com/rajeevakarv/FiniteFieldComputations
https://eprint.iacr.org/2009/556
- A taxonomy of pairings, their security, their complexity\
Razvan Barbulescu, Nadia El Mrabet, and Loubna Ghammam, 2019\
https://hal.archives-ouvertes.fr/hal-02129868/file/2019-485.pdf
### Presentations
- Introduction to pairings\
ECC Summer School\
Diego F. Aranha, 2017\
https://ecc2017.cs.ru.nl/slides/ecc2017school-aranha.pdf
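Review bot: "Craig Costello, 2012 (?)" ships an unresolved uncertainty in a reference list; confirm the year from the PDF or omit it rather than leaving the question mark. Removing the `Devigili et al` and `Benger et al` lines is correct since those two papers are now listed, with full author names and the Devegili spelling fixed, in the towers README added in this same commit.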

View File

@ -1,3 +1,8 @@
# Constant-time primitives
This folder holds the constant-time primitives
This folder holds:
- the constant-time primitives, implemented as distinct types
to have the compiler enforce proper usage
- extended precision multiplication and division primitives
- assembly primitives

View File

@ -11,6 +11,17 @@ Note: The BLS signature scheme should not be confused
## References
### ECDSA
### Normative references
-
#### ECDSA
- RFC 6979 Deterministic Usage of the Digital Signature Algorithm (DSA) and
Elliptic Curve Digital Signature Algorithm (ECDSA)\
https://tools.ietf.org/html/rfc6979
#### BLS signatures
- BLS Signature Scheme\
(Draft, expires Feb 9, 2020)\
https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-00 \
https://github.com/cfrg/draft-irtf-cfrg-bls-signature
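Review bot: the BLS signature reference points at revision `-00` and notes it "expires Feb 9, 2020", which is already in the past relative to this commit (2020-02-24); link the current revision and refresh the expiry note. Separately, the bare `-` line between `### Normative references` and `#### ECDSA` renders as an empty bullet if it is an added line; drop it (if it is instead a removed blank line shown without its marker, ignore this).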

View File

@ -0,0 +1,82 @@
# Tower Extensions of Finite Fields
## Overview
From Ben Edgington, https://hackmd.io/@benjaminion/bls12-381
> ### Field extensions
>
> Field extensions are fundamental to elliptic curve pairings. The "12" is BLS12-381 is not only the embedding degree, it is also (relatedly) the degree of field extension that we will need to use.
>
> The field $F_q$ can be thought of as just the integers modulo $q$: $0,1,...,q-1$. But what kind of beast is $F_{q^{12}}$, the twelfth extension of $F_q$?
>
> I totally failed to find any straightforward explainers of field extensions out there, so here's my attempt after wrestling with this for a while.
>
> Let's construct an $F_{q^2}$, the quadratic extension of $F_q$. In $F_{q^2}$ we will represent field elements as first-degree polynomials like $a_0 + a_1x$, which we can write more concisely as $(a_0, a_1)$ if we wish.
>
> Adding two elements is easy: $(a, b) + (c, d) =$$a + bx + c + dx =$$(a+c) + (b+d)x =$$(a+c, b+d)$. We just need to be sure to reduce $a+c$ and $b+d$ modulo $q$.
>
> What about multiplying? $(a, b) \times (c, d) =$$(a + bx)(c + dx) =$$ac + (ad+bc)x+ bdx^2 =$$???$. Oops - what are we supposed to do with that $x^2$ coefficient?
>
> We need a rule for reducing polynomials so that they have a degree less than two. In this example we're going to take $x^2 + 1 = 0$ as our rule, but we could make other choices. There are only two rules about our rule^[Our rule is "an extension field modular reduction" (terminology from [here](https://www.emsec.ruhr-uni-bochum.de/media/crypto/veroeffentlichungen/2015/03/26/crypto98rc9.pdf)).]:
> 1. it must be a degree $k$ polynomial, where $k$ is our extension degree, $2$ in this case; and
> 2. it must be [irreducible](https://en.wikipedia.org/wiki/Irreducible_polynomial) in the field we are extending. That means it must not be possible to factor it into two or more lower degree polynomials.
>
> Applying our rule, by substituting $x^2 = -1$, gives us the final result $(a, b) \times (c, d) =$$ac + (ad+bc)x + bdx^2 =$$(ac-bd) + (ad+bc)x =$$(ac-bd, ad+bc)$. This might look a little familiar from complex arithmetic: $(a+ib) \times (c+id) =$$(ac-bd) + (ad+bc)i$. This is not a coincidence! The complex numbers are a quadratic extension of the real numbers.
>
> Complex numbers can't be extended any further because there are [no irreducible polynomials over the complex numbers](https://en.wikipedia.org/wiki/Fundamental_theorem_of_algebra). But for finite fields, if we can find an irreducible $k$-degree polynomial in our field $F_q$, and we often can, then we are able to extend the field to $F_{q^k}$, and represent the elements of the extended field as degree $k-1$ polynomials, $a_0 + a_1x +$$...$$+ a_{k-1}x^{k-1}$. We can represent this compactly as $(a_0,...,a_{k-1})$, as long as we remember that there may be some very funky arithmetic going on.
>
> Also worth noting is that modular reductions like this (our reduction rule) can be chosen so that they play nicely with the twisting operation.
>
> In practice, large extension fields like $F_{q^{12}}$ are implemented as towers of smaller extensions. That's an implementation aspect, so I've put it in the more practical section [below](#Extension-towers).
>
> ### Extension towers
>
> Recall our discussion of [field extensions](#Field-extensions)? In practice, rather than implementing a massive 12th-degree extension directly, it is more efficient to build it up from smaller extensions: [a tower of extensions](https://eprint.iacr.org/2009/556.pdf).
>
> For BLS12-381, the $F_{q^{12}}$ field is implemented as a quadratic (degree two) extension, on top of a cubic (degree three) extension, on top of a quadratic extension of $F_q$.
>
> As long as the modular reduction polynomial (our reduction rule) is irreducible (can't be factored) in the field being extended at each stage, then this all works out fine.
>
> [Specifically](https://github.com/zkcrypto/pairing/tree/master/src/bls12_381):
>
> 1. $F_{q^2}$ is constructed as $F_q(u) / (u^2 - \beta)$ where $\beta = -1$.
> 2. $F_{q^6}$ is constructed as $F_{q^2}(v) / (v^3 - \xi)$ where $\xi = u + 1$.
> 3. $F_{q^{12}}$ is constructed as $F_{q^6}(w) / (w^2 - \gamma)$ where $\gamma = v$
>
> Interpreting these in terms of our previous explantation:
> 1. We write elements of the $F_{q^2}$ field as first degree polynomials in $u$, with coefficients from $F_q$, and apply the reduction rule $u^2 + 1 = 0$, which is irreducible in $F_q$.
> - an element of $F_{q^2}$ looks like $a_0 + a_1u$ where $a_j \in F_q$.
> 3. We write elements of the $F_{q^6}$ field as second degree polynomials in $v$, with coefficients from the $F_{q^2}$ field we just constructed, and apply the reduction rule $v^3 - (u + 1) = 0$, which is irreducible in $F_{q^2}$.
> - an element of $F_{q^6}$ looks like $b_0 + b_1v + b_2v^2$ where $b_j \in F_{q^2}$.
> 4. We write elements of the $F_{q^{12}}$ field as first degree polynomials in $w$, with coefficients from the $F_{q^6}$ field we just constructed, and apply the reduction rule $w^2 - v = 0$, which is irreducible in $F_{q^6}$.
> - an element of $F_{q^{12}}$ looks like $c_0 + c_1w$ where $c_j \in F_{q^6}$.
>
> This towered extension can replace the direct extension as a basis for pairings, and when well-implemented can save a huge amount of arithmetic when multiplying $F_{q^{12}}$ points. See [Pairings for Beginners](http://www.craigcostello.com.au/pairings/PairingsForBeginners.pdf) section 7.3 for a full discussion of the advantages.
## References
### Research
- Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms\
Daniel V. Bailey and Christof Paar, 1998\
https://www.emsec.ruhr-uni-bochum.de/media/crypto/veroeffentlichungen/2015/03/26/crypto98rc9.pdf
- Multiplication and Squaring on Pairing-Friendly Fields\
Augusto Jun Devegili and Colm Ó hÉigeartaigh and Michael Scott and Ricardo Dahab, 2006\
https://eprint.iacr.org/2006/471
- Constructing Tower Extensions for the implementation of Pairing-Based Cryptography\
Naomi Benger and Michael Scott, 2009\
https://eprint.iacr.org/2009/556
- Choosing and generating parameters for low level pairing implementation on BN curves\
Sylvain Duquesne and Nadia El Mrabet and Safia Haloui and Franck Rondepierre, 2015\
https://eprint.iacr.org/2015/1212
### Presentations
- BLS12-381 For The Rest Of Us\
Ben Edgington, 2019\
https://hackmd.io/@benjaminion/bls12-381
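Review bot: the commit message says this adds an analysis of extension towers "for BN curve", but the quoted overview describes the BLS12-381 tower ($u^2 + 1$, $v^3 - (u+1)$, $w^2 - v$ from zkcrypto/pairing); either adjust the stated scope or add a paragraph on the BN tower, which is what the Duquesne et al. reference below actually covers. Two rendering issues: the `^[...]` inline footnote in the quote is HackMD/Pandoc syntax and GitHub's markdown renderer shows it as literal text, and at the time of this commit GitHub does not render `$...$` TeX math either, so the field-extension explanation will display raw dollar signs; both are worth rewriting in plain markdown or noting. The in-quote links `[below](#Extension-towers)` and `[field extensions](#Field-extensions)` target headings of the HackMD page, not anchors in this README, so they may not resolve; point them at the HackMD sections instead. Finally, typos carried over in the quote: "The "12" is BLS12-381" should read "in BLS12-381", "explantation" should be "explanation", and the interpretation list is numbered 1, 3, 4 (item 2 missing); mark them [sic] if they are in the source or fix them.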

View File

@ -8,7 +8,7 @@
import unittest, random, strutils,
../constantine/io/io_bigints,
../constantine/math/bigints_checked,
../constantine/arithmetic/bigints_checked,
../constantine/config/common,
../constantine/primitives/constant_time

View File

@ -11,7 +11,7 @@ import
unittest, random, strutils,
# Third-party
../constantine/io/io_bigints,
../constantine/math/[bigints_raw, bigints_checked],
../constantine/arithmetic/[bigints_raw, bigints_checked],
../constantine/primitives/constant_time
proc main() =

View File

@ -13,7 +13,7 @@ import
gmp, stew/byteutils,
# Internal
../constantine/io/io_bigints,
../constantine/math/[bigints_raw, bigints_checked],
../constantine/arithmetic/[bigints_raw, bigints_checked],
../constantine/primitives/constant_time
# We test up to 1024-bit, more is really slow

View File

@ -7,7 +7,7 @@
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import unittest, random,
../constantine/math/finite_fields,
../constantine/arithmetic/finite_fields,
../constantine/io/io_fields,
../constantine/config/curves

View File

@ -7,7 +7,7 @@
# at your option. This file may not be copied, modified, or distributed except according to those terms.
import unittest, random,
../constantine/math/[bigints_checked, finite_fields],
../constantine/arithmetic/[bigints_checked, finite_fields],
../constantine/io/io_fields,
../constantine/config/curves

View File

@ -13,7 +13,7 @@ import
gmp, stew/byteutils,
# Internal
../constantine/io/[io_bigints, io_fields],
../constantine/math/[finite_fields, bigints_checked],
../constantine/arithmetic/[finite_fields, bigints_checked],
../constantine/primitives/constant_time,
../constantine/config/curves

View File

@ -9,7 +9,7 @@
import unittest, random,
../constantine/io/io_bigints,
../constantine/config/common,
../constantine/math/bigints_checked
../constantine/arithmetic/bigints_checked
randomize(0xDEADBEEF) # Random seed for reproducibility
type T = BaseType

View File

@ -10,7 +10,7 @@ import unittest, random,
../constantine/io/[io_bigints, io_fields],
../constantine/config/curves,
../constantine/config/common,
../constantine/math/[bigints_checked, finite_fields]
../constantine/arithmetic/[bigints_checked, finite_fields]
randomize(0xDEADBEEF) # Random seed for reproducibility
type T = BaseType