From eb15fb33b5ecabdbae0d7c425b8ae57db6b64c47 Mon Sep 17 00:00:00 2001 From: mratsim Date: Sat, 1 Dec 2018 20:12:05 +0100 Subject: [PATCH] Rebrand to Constantine. Bigints representation should stay opaque. Exporting just the word_types would make a super small library. --- LICENSE-APACHEv2 | 2 +- LICENSE-MIT | 2 +- README.md | 10 +- hardy.nim => constantine.nim | 6 +- hardy.nimble => constantine.nimble | 2 +- .../word_types.nim | 83 +++++--- hardy/datatypes.nim | 40 ---- tests/all_tests.nim | 183 +---------------- tests/test_word_types.nim | 186 ++++++++++++++++++ 9 files changed, 251 insertions(+), 263 deletions(-) rename hardy.nim => constantine.nim (83%) rename hardy.nimble => constantine.nimble (94%) rename hardy/ct_primitives.nim => constantine/word_types.nim (60%) delete mode 100644 hardy/datatypes.nim create mode 100644 tests/test_word_types.nim diff --git a/LICENSE-APACHEv2 b/LICENSE-APACHEv2 index d350ada..2e12d5c 100644 --- a/LICENSE-APACHEv2 +++ b/LICENSE-APACHEv2 @@ -1,4 +1,4 @@ -hardy is licensed under the Apache License version 2 +constantine is licensed under the Apache License version 2 Copyright (c) 2018 Status Research & Development GmbH ----------------------------------------------------- diff --git a/LICENSE-MIT b/LICENSE-MIT index dcda44b..042feea 100644 --- a/LICENSE-MIT +++ b/LICENSE-MIT @@ -1,4 +1,4 @@ -hardy is licensed under the MIT License +constantine is licensed under the MIT License Copyright (c) 2018 Status Research & Development GmbH ----------------------------------------------------- diff --git a/README.md b/README.md index e317fba..dc854b0 100644 --- a/README.md +++ b/README.md @@ -1,19 +1,19 @@ -# Hardy - Hardened big int primitives +# Constantine - Constant time finitie field primitives for Elliptic Curve Cryptography -[![Build Status (Travis)](https://img.shields.io/travis/status-im/nim-hardy/master.svg?label=Linux%20/%20macOS "Linux/macOS build status (Travis)")](https://travis-ci.org/status-im/nim-hardy) -[![Windows build status (Appveyor)](https://img.shields.io/appveyor/ci/nimbus/nim-hardy/master.svg?label=Windows "Windows build status (Appveyor)")](https://ci.appveyor.com/project/nimbus/nim-hardy) +[![Build Status (Travis)](https://img.shields.io/travis/status-im/nim-constantine/master.svg?label=Linux%20/%20macOS "Linux/macOS build status (Travis)")](https://travis-ci.org/status-im/nim-constantine) +[![Windows build status (Appveyor)](https://img.shields.io/appveyor/ci/nimbus/nim-constantine/master.svg?label=Windows "Windows build status (Appveyor)")](https://ci.appveyor.com/project/nimbus/nim-constantine) [![License: Apache](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT) ![Stability: experimental](https://img.shields.io/badge/stability-experimental-orange.svg) -This library provides constant time big int primitives. +This library provides constant time finite field primitives. The main use will be for implementation of elliptic curve cryptography ## Installation You can install the developement version of the library through nimble with the following command ``` -nimble install https://github.com/status-im/nim-hardy@#master +nimble install https://github.com/status-im/nim-constantine@#master ``` ## License diff --git a/hardy.nim b/constantine.nim similarity index 83% rename from hardy.nim rename to constantine.nim index cce022d..83ef5ad 100644 --- a/hardy.nim +++ b/constantine.nim @@ -1,10 +1,6 @@ -# Hardy +# Constantine # Copyright (c) 2018 Status Research & Development GmbH # Licensed and distributed under either of # * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT). # * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0). # at your option. This file may not be copied, modified, or distributed except according to those terms. - -import hardy/[ct_primitives, datatypes] -export ct_primitives, datatypes - diff --git a/hardy.nimble b/constantine.nimble similarity index 94% rename from hardy.nimble rename to constantine.nimble index dcab1e7..bf151d8 100644 --- a/hardy.nimble +++ b/constantine.nimble @@ -1,4 +1,4 @@ -packageName = "hardy" +packageName = "constantine" version = "0.0.1" author = "Status Research & Development GmbH" description = "This library provides constant time big int primitives." diff --git a/hardy/ct_primitives.nim b/constantine/word_types.nim similarity index 60% rename from hardy/ct_primitives.nim rename to constantine/word_types.nim index e8ded4d..6df8d43 100644 --- a/hardy/ct_primitives.nim +++ b/constantine/word_types.nim @@ -1,11 +1,34 @@ -# Hardy +# Constantine # Copyright (c) 2018 Status Research & Development GmbH # Licensed and distributed under either of # * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT). # * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0). # at your option. This file may not be copied, modified, or distributed except according to those terms. -import ./datatypes +type + BaseUint* = SomeUnsignedInt or byte + + Ct*[T: BaseUint] = distinct T + + CTBool*[T: Ct] = distinct range[T(0)..T(1)] + ## To avoid the compiler replacing bitwise boolean operations + ## by conditional branches, we don't use booleans. + ## We use an int to prevent compiler "optimization" and introduction of branches + +func ctrue*(T: type(BaseUint)): auto {.inline.}= + (CTBool[Ct[T]])(true) + +func cfalse*(T: type(BaseUint)): auto {.inline.}= + (CTBool[Ct[T]])(false) + +func ct*[T: BaseUint](x: T): Ct[T] {.inline.}= + (Ct[T])(x) + +func `$`*[T](x: Ct[T]): string {.inline.} = + $T(x) + +func `$`*(x: CTBool): string {.inline.} = + $bool(x) # ######################### # @@ -22,7 +45,7 @@ import ./datatypes # does not guarantee a constant-time conditional move # The compiler might introduce branching. -# These primitives are distinct type and internal to Hardy. +# These primitives are distinct type and internal to Constantine. # We don't want to pollute unsuspecting users # with `not` and `-` on unsigned ints @@ -32,26 +55,26 @@ import ./datatypes # - https://github.com/nim-lang/Nim/pull/8531 # - https://github.com/nim-lang/Nim/issues/4121 (can be workaround with #8531) -func high*(T: typedesc[HardBase]): T {.inline.}= +func high*(T: typedesc[Ct]): T {.inline.}= not T(0) -func `and`*[T: HardBase](x, y: T): T {.magic: "BitandI".} -func `or`*[T: HardBase](x, y: T): T {.magic: "BitorI".} -func `xor`*[T: HardBase](x, y: T): T {.magic: "BitxorI".} -func `not`*[T: HardBase](x: T): T {.magic: "BitnotI".} -func `+`*[T: HardBase](x, y: T): T {.magic: "AddU".} -func `-`*[T: HardBase](x, y: T): T {.magic: "SubU".} -func `shr`*[T: HardBase](x: T, y: SomeInteger): T {.magic: "ShrI".} -func `shl`*[T: HardBase](x: T, y: SomeInteger): T {.magic: "ShlI".} +func `and`*[T: Ct](x, y: T): T {.magic: "BitandI".} +func `or`*[T: Ct](x, y: T): T {.magic: "BitorI".} +func `xor`*[T: Ct](x, y: T): T {.magic: "BitxorI".} +func `not`*[T: Ct](x: T): T {.magic: "BitnotI".} +func `+`*[T: Ct](x, y: T): T {.magic: "AddU".} +func `-`*[T: Ct](x, y: T): T {.magic: "SubU".} +func `shr`*[T: Ct](x: T, y: SomeInteger): T {.magic: "ShrI".} +func `shl`*[T: Ct](x: T, y: SomeInteger): T {.magic: "ShlI".} -func `*`*[T: HardBase](x, y: T): T {.magic: "MulU".} +func `*`*[T: Ct](x, y: T): T {.magic: "MulU".} # Warning ⚠️ : We assume that mul hardware multiplication is constant time # but this is not always true, especially on ARMv7 and ARMv9 # We don't implement div/mod as we can't assume the hardware implementation # is constant-time -func `-`*(x: HardBase): HardBase {.inline.}= +func `-`*(x: Ct): Ct {.inline.}= ## Unary minus returns the two-complement representation ## of an unsigned integer {.emit:"`result` = -`x`;".} @@ -62,10 +85,10 @@ func `-`*(x: HardBase): HardBase {.inline.}= # # ############################################################ -func isMsbSet*[T: HardBase](x: T): HardBool[T] {.inline.} = +func isMsbSet*[T: Ct](x: T): CTBool[T] {.inline.} = ## Returns the most significant bit of an integer const msb_pos = T.sizeof * 8 - 1 - result = (HardBool[T])(x shr msb_pos) + result = (CTBool[T])(x shr msb_pos) # ############################################################ # @@ -73,14 +96,14 @@ func isMsbSet*[T: HardBase](x: T): HardBool[T] {.inline.} = # # ############################################################ -template undistinct[T: HardBase](x: HardBool[T]): T = +template undistinct[T: Ct](x: CTBool[T]): T = T(x) -func `not`*(ctl: HardBool): HardBool {.inline.}= +func `not`*(ctl: CTBool): CTBool {.inline.}= ## Negate a constant-time boolean (type result)(ctl.undistinct xor (type ctl.undistinct)(1)) -template mux*[T: HardBase](ctl: HardBool[T], x, y: T): T = +template mux*[T: Ct](ctl: CTBool[T], x, y: T): T = ## Multiplexer / selector ## Returns x if ctl == 1 ## else returns y @@ -92,22 +115,22 @@ template mux*[T: HardBase](ctl: HardBool[T], x, y: T): T = # the alternative `(x and ctl) or (y and -ctl)` # is optimized into a branch by Clang :/ -func noteq[T: HardBase](x, y: T): HardBool[T] {.inline.}= +func noteq[T: Ct](x, y: T): CTBool[T] {.inline.}= const msb = T.sizeof * 8 - 1 let z = x xor y result = (type result)((z or -z) shr msb) -func `==`*[T: HardBase](x, y: T): HardBool[T] {.inline.}= +func `==`*[T: Ct](x, y: T): CTBool[T] {.inline.}= not(noteq(x, y)) -func `<`*[T: HardBase](x, y: T): HardBool[T] {.inline.}= +func `<`*[T: Ct](x, y: T): CTBool[T] {.inline.}= result = isMsbSet( x xor ( (x xor y) or ((x - y) xor y) ) ) -func `<=`*[T: HardBase](x, y: T): HardBool[T] {.inline.}= +func `<=`*[T: Ct](x, y: T): CTBool[T] {.inline.}= not(y < x) # ############################################################ @@ -120,7 +143,7 @@ func `<=`*[T: HardBase](x, y: T): HardBool[T] {.inline.}= # in terms of `==` while we define `==` in terms of `!=` # So we would have not(not(noteq(x,y))) -template trmFixSystemNotEq*{x != y}[T: HardBase](x, y: T): HardBool[T] = +template trmFixSystemNotEq*{x != y}[T: Ct](x, y: T): CTBool[T] = noteq(x, y) # ############################################################ @@ -129,10 +152,10 @@ template trmFixSystemNotEq*{x != y}[T: HardBase](x, y: T): HardBool[T] = # # ############################################################ -func isNonZero*[T: HardBase](x: T): HardBool[T] {.inline.} = +func isNonZero*[T: Ct](x: T): CTBool[T] {.inline.} = isMsbSet(x or -x) -func isZero*[T: HardBase](x: T): HardBool[T] {.inline.} = +func isZero*[T: Ct](x: T): CTBool[T] {.inline.} = not x.isNonZero # ############################################################ @@ -142,7 +165,7 @@ func isZero*[T: HardBase](x: T): HardBool[T] {.inline.} = # # ############################################################ -template trmIsZero*{x == 0}[T: HardBase](x: T): HardBool[T] = x.isZero -template trmIsZero*{0 == x}[T: HardBase](x: T): HardBool[T] = x.isZero -template trmIsNonZero*{x != 0}[T: HardBase](x: T): HardBool[T] = x.isNonZero -template trmIsNonZero*{0 != x}[T: HardBase](x: T): HardBool[T] = x.isNonZero +template trmIsZero*{x == 0}[T: Ct](x: T): CTBool[T] = x.isZero +template trmIsZero*{0 == x}[T: Ct](x: T): CTBool[T] = x.isZero +template trmIsNonZero*{x != 0}[T: Ct](x: T): CTBool[T] = x.isNonZero +template trmIsNonZero*{0 != x}[T: Ct](x: T): CTBool[T] = x.isNonZero diff --git a/hardy/datatypes.nim b/hardy/datatypes.nim deleted file mode 100644 index ceb12b3..0000000 --- a/hardy/datatypes.nim +++ /dev/null @@ -1,40 +0,0 @@ -# Hardy -# Copyright (c) 2018 Status Research & Development GmbH -# Licensed and distributed under either of -# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT). -# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0). -# at your option. This file may not be copied, modified, or distributed except according to those terms. - -type - BaseUint* = SomeUnsignedInt or byte - - HardBase*[T: BaseUint] = distinct T - - HardBool*[T: HardBase] = distinct range[T(0)..T(1)] - ## To avoid the compiler replacing bitwise boolean operations - ## by conditional branches, we don't use booleans. - ## We use an int to prevent compiler "optimization" and introduction of branches - - Hard*[T: HardBase] = distinct openarray[T] - ## Hardy primitives are memory-backend agnostic. - ## Hardy integers can be stored in an opaque stack array - ## or a seq or even a string. - ## - ## Allocations is left to the client library. - ## Note that constant-time allocation is very involved for - ## heap-allocated types (i.e. requires a memory pool) - -func htrue*(T: type(BaseUint)): auto {.inline.}= - (HardBool[HardBase[T]])(true) - -func hfalse*(T: type(BaseUint)): auto {.inline.}= - (HardBool[HardBase[T]])(false) - -func hard*[T: BaseUint](x: T): HardBase[T] {.inline.}= - (HardBase[T])(x) - -func `$`*[T](x: HardBase[T]): string {.inline.} = - $T(x) - -func `$`*(x: HardBool): string {.inline.} = - $bool(x) diff --git a/tests/all_tests.nim b/tests/all_tests.nim index c297070..f766bdf 100644 --- a/tests/all_tests.nim +++ b/tests/all_tests.nim @@ -1,186 +1,9 @@ -# hardy +# constantine # Copyright (c) 2018 Status Research & Development GmbH # Licensed and distributed under either of # * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT). # * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0). # at your option. This file may not be copied, modified, or distributed except according to those terms. -import unittest, random, math, - ../hardy - -# Random seed for reproducibility -randomize(0xDEADBEEF) - -template undistinct[T](x: HardBase[T]): T = - T(x) - -suite "Hardened unsigned integers": - test "High - getting the biggest representable number": - check: - high(HardBase[byte]).undistinct == 0xFF.byte - high(HardBase[uint8]).undistinct == 0xFF.uint8 - - high(HardBase[uint16]).undistinct == 0xFFFF.uint16 - high(HardBase[uint32]).undistinct == 0xFFFFFFFF.uint32 - high(HardBase[uint64]).undistinct == 0xFFFFFFFF_FFFFFFFF.uint64 - - test "bitwise `and`, `or`, `xor`, `not`": - let x1 = rand(high(int)).uint64 - let y1 = rand(high(int)).uint64 - let x2 = rand(high(int)).uint64 - let y2 = rand(high(int)).uint64 - let x3 = rand(high(int)).uint64 - let y3 = rand(high(int)).uint64 - template bitwise_check(op: untyped): untyped = - block: - check: - op(hard(0'u32), hard(0'u32)).undistinct == op(0'u32, 0'u32) - op(hard(0'u32), hard(1'u32)).undistinct == op(0'u32, 1'u32) - op(hard(1234'u64), hard(5678'u64)).undistinct == op(1234'u64, 5678'u64) - - op(x1.hard, y1.hard).undistinct == op(x1, y1) - op(x2.hard, y2.hard).undistinct == op(x2, y2) - op(x3.hard, y3.hard).undistinct == op(x3, y3) - bitwise_check(`and`) - bitwise_check(`or`) - bitwise_check(`xor`) - - block: - check: - not(hard(0'u32)).undistinct == not 0'u32 - not(hard(1'u32)).undistinct == not 1'u32 - not(hard(1234'u64)).undistinct == not 1234'u64 - not(hard(5678'u64)).undistinct == not 5678'u64 - not(hard(x1)).undistinct == not x1 - not(hard(x2)).undistinct == not x2 - not(hard(x3)).undistinct == not x3 - not(hard(y1)).undistinct == not y1 - not(hard(y2)).undistinct == not y2 - not(hard(y3)).undistinct == not y3 - - test "Logical shifts": - let x1 = rand(high(int)).uint64 - let y1 = rand(high(int)).uint64 - let x2 = rand(high(int)).uint64 - let y2 = rand(high(int32)).uint64 - let x3 = rand(high(int32)).uint64 - let y3 = rand(high(int32)).uint64 - - let s1 = rand(10) - let s2 = rand(10) - let s3 = rand(10) - - template shift_check(op: untyped): untyped = - block: - check: - op(hard(0'u32), 1).undistinct == op(0'u32, 1) - op(hard(1'u32), 2).undistinct == op(1'u32, 2) - op(hard(1234'u64), 3).undistinct == op(1234'u64, 3) - op(hard(2'u64^30), 1).undistinct == op(2'u64^30, 1) - op(hard(2'u64^31 + 1), 1).undistinct == op(2'u64^31 + 1, 1) - op(hard(2'u64^32), 1).undistinct == op(2'u64^32, 1) - - op(x1.hard, s1).undistinct == op(x1, s1) - op(x2.hard, s2).undistinct == op(x2, s2) - op(x3.hard, s3).undistinct == op(x3, s3) - - - op(y1.hard, s1).undistinct == op(y1, s1) - op(y2.hard, s2).undistinct == op(y2, s2) - op(y3.hard, s3).undistinct == op(y3, s3) - - shift_check(`shl`) - shift_check(`shr`) - - - test "Operators `+`, `-`, `*`": - let x1 = rand(high(int)).uint64 - let y1 = rand(high(int)).uint64 - let x2 = rand(high(int)).uint64 - let y2 = rand(high(int)).uint64 - let x3 = rand(high(int)).uint64 - let y3 = rand(high(int)).uint64 - template operator_check(op: untyped): untyped = - block: - check: - op(hard(0'u32), hard(0'u32)).undistinct == op(0'u32, 0'u32) - op(hard(0'u32), hard(1'u32)).undistinct == op(0'u32, 1'u32) - op(hard(1234'u64), hard(5678'u64)).undistinct == op(1234'u64, 5678'u64) - - op(x1.hard, y1.hard).undistinct == op(x1, y1) - op(x2.hard, y2.hard).undistinct == op(x2, y2) - op(x3.hard, y3.hard).undistinct == op(x3, y3) - operator_check(`+`) - operator_check(`-`) - operator_check(`*`) - - test "Unary `-`, returning the 2-complement of an unsigned integer": - let x1 = rand(high(int)).uint64 - let y1 = rand(high(int)).uint64 - let x2 = rand(high(int)).uint64 - let y2 = rand(high(int)).uint64 - let x3 = rand(high(int)).uint64 - let y3 = rand(high(int)).uint64 - check: - (-hard(0'u32)).undistinct == 0 - (-high(HardBase[uint32])).undistinct == 1'u32 - (-hard(0x80000000'u32)).undistinct == 0x80000000'u32 # This is low(int32) == 0b10000..0000 - - undistinct(-x1.hard) == undistinct(not(x1.hard) + hard(1'u64)) - undistinct(-x2.hard) == undistinct(not(x2.hard) + hard(1'u64)) - undistinct(-x3.hard) == undistinct(not(x3.hard) + hard(1'u64)) - undistinct(-y1.hard) == undistinct(not(y1.hard) + hard(1'u64)) - undistinct(-y2.hard) == undistinct(not(y2.hard) + hard(1'u64)) - undistinct(-y3.hard) == undistinct(not(y3.hard) + hard(1'u64)) - -suite "Hardened booleans": - test "Boolean not": - check: - not(htrue(uint32)).bool == false - not(hfalse(uint32)).bool == true - - test "Comparison": - check: - bool(hard(0'u32) != hard(0'u32)) == false - bool(hard(0'u32) != hard(1'u32)) == true - - bool(hard(10'u32) == hard(10'u32)) == true - bool(hard(10'u32) != hard(20'u32)) == true - - bool(hard(10'u32) <= hard(10'u32)) == true - bool(hard(10'u32) <= hard(20'u32)) == true - bool(hard(10'u32) <= hard(5'u32)) == false - bool(hard(10'u32) <= hard(0xFFFFFFFF'u32)) == true - - bool(hard(10'u32) < hard(10'u32)) == false - bool(hard(10'u32) < hard(20'u32)) == true - bool(hard(10'u32) < hard(5'u32)) == false - bool(hard(10'u32) < hard(0xFFFFFFFF'u32)) == true - - bool(hard(10'u32) > hard(10'u32)) == false - bool(hard(10'u32) > hard(20'u32)) == false - bool(hard(10'u32) > hard(5'u32)) == true - bool(hard(10'u32) > hard(0xFFFFFFFF'u32)) == false - - bool(hard(10'u32) >= hard(10'u32)) == true - bool(hard(10'u32) >= hard(20'u32)) == false - bool(hard(10'u32) >= hard(5'u32)) == true - bool(hard(10'u32) >= hard(0xFFFFFFFF'u32)) == false - - test "Multiplexer/selector - mux(ctl, x, y) <=> ctl? x: y": - let u = 10'u32.hard - let v = 20'u32.hard - let w = 5'u32.hard - - let y = htrue(uint32) - let n = hfalse(uint32) - - check: - bool(mux(y, u, v) == u) - bool(mux(n, u, v) == v) - - bool(mux(y, u, w) == u) - bool(mux(n, u, w) == w) - - bool(mux(y, v, w) == v) - bool(mux(n, v, w) == w) +import + test_word_types diff --git a/tests/test_word_types.nim b/tests/test_word_types.nim new file mode 100644 index 0000000..3395be8 --- /dev/null +++ b/tests/test_word_types.nim @@ -0,0 +1,186 @@ +# constantine +# Copyright (c) 2018 Status Research & Development GmbH +# Licensed and distributed under either of +# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT). +# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0). +# at your option. This file may not be copied, modified, or distributed except according to those terms. + +import unittest, random, math, + ../constantine/word_types + +# Random seed for reproducibility +randomize(0xDEADBEEF) + +template undistinct[T](x: Ct[T]): T = + T(x) + +suite "Constant-time unsigned integers": + test "High - getting the biggest representable number": + check: + high(Ct[byte]).undistinct == 0xFF.byte + high(Ct[uint8]).undistinct == 0xFF.uint8 + + high(Ct[uint16]).undistinct == 0xFFFF.uint16 + high(Ct[uint32]).undistinct == 0xFFFFFFFF.uint32 + high(Ct[uint64]).undistinct == 0xFFFFFFFF_FFFFFFFF.uint64 + + test "bitwise `and`, `or`, `xor`, `not`": + let x1 = rand(high(int)).uint64 + let y1 = rand(high(int)).uint64 + let x2 = rand(high(int)).uint64 + let y2 = rand(high(int)).uint64 + let x3 = rand(high(int)).uint64 + let y3 = rand(high(int)).uint64 + template bitwise_check(op: untyped): untyped = + block: + check: + op(ct(0'u32), ct(0'u32)).undistinct == op(0'u32, 0'u32) + op(ct(0'u32), ct(1'u32)).undistinct == op(0'u32, 1'u32) + op(ct(1234'u64), ct(5678'u64)).undistinct == op(1234'u64, 5678'u64) + + op(x1.ct, y1.ct).undistinct == op(x1, y1) + op(x2.ct, y2.ct).undistinct == op(x2, y2) + op(x3.ct, y3.ct).undistinct == op(x3, y3) + bitwise_check(`and`) + bitwise_check(`or`) + bitwise_check(`xor`) + + block: + check: + not(ct(0'u32)).undistinct == not 0'u32 + not(ct(1'u32)).undistinct == not 1'u32 + not(ct(1234'u64)).undistinct == not 1234'u64 + not(ct(5678'u64)).undistinct == not 5678'u64 + not(ct(x1)).undistinct == not x1 + not(ct(x2)).undistinct == not x2 + not(ct(x3)).undistinct == not x3 + not(ct(y1)).undistinct == not y1 + not(ct(y2)).undistinct == not y2 + not(ct(y3)).undistinct == not y3 + + test "Logical shifts": + let x1 = rand(high(int)).uint64 + let y1 = rand(high(int)).uint64 + let x2 = rand(high(int)).uint64 + let y2 = rand(high(int32)).uint64 + let x3 = rand(high(int32)).uint64 + let y3 = rand(high(int32)).uint64 + + let s1 = rand(10) + let s2 = rand(10) + let s3 = rand(10) + + template shift_check(op: untyped): untyped = + block: + check: + op(ct(0'u32), 1).undistinct == op(0'u32, 1) + op(ct(1'u32), 2).undistinct == op(1'u32, 2) + op(ct(1234'u64), 3).undistinct == op(1234'u64, 3) + op(ct(2'u64^30), 1).undistinct == op(2'u64^30, 1) + op(ct(2'u64^31 + 1), 1).undistinct == op(2'u64^31 + 1, 1) + op(ct(2'u64^32), 1).undistinct == op(2'u64^32, 1) + + op(x1.ct, s1).undistinct == op(x1, s1) + op(x2.ct, s2).undistinct == op(x2, s2) + op(x3.ct, s3).undistinct == op(x3, s3) + + + op(y1.ct, s1).undistinct == op(y1, s1) + op(y2.ct, s2).undistinct == op(y2, s2) + op(y3.ct, s3).undistinct == op(y3, s3) + + shift_check(`shl`) + shift_check(`shr`) + + + test "Operators `+`, `-`, `*`": + let x1 = rand(high(int)).uint64 + let y1 = rand(high(int)).uint64 + let x2 = rand(high(int)).uint64 + let y2 = rand(high(int)).uint64 + let x3 = rand(high(int)).uint64 + let y3 = rand(high(int)).uint64 + template operator_check(op: untyped): untyped = + block: + check: + op(ct(0'u32), ct(0'u32)).undistinct == op(0'u32, 0'u32) + op(ct(0'u32), ct(1'u32)).undistinct == op(0'u32, 1'u32) + op(ct(1234'u64), ct(5678'u64)).undistinct == op(1234'u64, 5678'u64) + + op(x1.ct, y1.ct).undistinct == op(x1, y1) + op(x2.ct, y2.ct).undistinct == op(x2, y2) + op(x3.ct, y3.ct).undistinct == op(x3, y3) + operator_check(`+`) + operator_check(`-`) + operator_check(`*`) + + test "Unary `-`, returning the 2-complement of an unsigned integer": + let x1 = rand(high(int)).uint64 + let y1 = rand(high(int)).uint64 + let x2 = rand(high(int)).uint64 + let y2 = rand(high(int)).uint64 + let x3 = rand(high(int)).uint64 + let y3 = rand(high(int)).uint64 + check: + (-ct(0'u32)).undistinct == 0 + (-high(Ct[uint32])).undistinct == 1'u32 + (-ct(0x80000000'u32)).undistinct == 0x80000000'u32 # This is low(int32) == 0b10000..0000 + + undistinct(-x1.ct) == undistinct(not(x1.ct) + ct(1'u64)) + undistinct(-x2.ct) == undistinct(not(x2.ct) + ct(1'u64)) + undistinct(-x3.ct) == undistinct(not(x3.ct) + ct(1'u64)) + undistinct(-y1.ct) == undistinct(not(y1.ct) + ct(1'u64)) + undistinct(-y2.ct) == undistinct(not(y2.ct) + ct(1'u64)) + undistinct(-y3.ct) == undistinct(not(y3.ct) + ct(1'u64)) + +suite "Constant-time booleans": + test "Boolean not": + check: + not(ctrue(uint32)).bool == false + not(cfalse(uint32)).bool == true + + test "Comparison": + check: + bool(ct(0'u32) != ct(0'u32)) == false + bool(ct(0'u32) != ct(1'u32)) == true + + bool(ct(10'u32) == ct(10'u32)) == true + bool(ct(10'u32) != ct(20'u32)) == true + + bool(ct(10'u32) <= ct(10'u32)) == true + bool(ct(10'u32) <= ct(20'u32)) == true + bool(ct(10'u32) <= ct(5'u32)) == false + bool(ct(10'u32) <= ct(0xFFFFFFFF'u32)) == true + + bool(ct(10'u32) < ct(10'u32)) == false + bool(ct(10'u32) < ct(20'u32)) == true + bool(ct(10'u32) < ct(5'u32)) == false + bool(ct(10'u32) < ct(0xFFFFFFFF'u32)) == true + + bool(ct(10'u32) > ct(10'u32)) == false + bool(ct(10'u32) > ct(20'u32)) == false + bool(ct(10'u32) > ct(5'u32)) == true + bool(ct(10'u32) > ct(0xFFFFFFFF'u32)) == false + + bool(ct(10'u32) >= ct(10'u32)) == true + bool(ct(10'u32) >= ct(20'u32)) == false + bool(ct(10'u32) >= ct(5'u32)) == true + bool(ct(10'u32) >= ct(0xFFFFFFFF'u32)) == false + + test "Multiplexer/selector - mux(ctl, x, y) <=> ctl? x: y": + let u = 10'u32.ct + let v = 20'u32.ct + let w = 5'u32.ct + + let y = ctrue(uint32) + let n = cfalse(uint32) + + check: + bool(mux(y, u, v) == u) + bool(mux(n, u, v) == v) + + bool(mux(y, u, w) == u) + bool(mux(n, u, w) == w) + + bool(mux(y, v, w) == v) + bool(mux(n, v, w) == w)