449 Commits

Author SHA1 Message Date
Mamy Ratsimbazafy
0e4dbfe400
BLS12-377 (#91)
* add Sage for constant time tonelli shanks

* Fused sqrt and invsqrt via Tonelli Shanks

* isolate sqrt in their own folder

* Implement constant-time Tonelli Shanks for any prime

* Implement Fp2 sqrt for any non-residue

* Add tests for BLS12_377

* Lattice decomposition script for BLS12_377 G1

* BLS12-377 G1 GLV ok, G2 GLV issue

* Proper endomorphism acceleration support for BLS12-377

* Add naive pairing support for BLS12-377

* Activate more bench for BLS12-377

* Fix MSB computation

* Optimize final exponentiation + add benches
2020-09-27 09:15:14 +02:00
Mamy André-Ratsimbazafy
ac37b55aa1
publish the lattice decomposition finder mentioned in https://github.com/scipr-lab/zexe/issues/267 2020-09-26 15:33:41 +02:00
Mamy Ratsimbazafy
6ecbedbd09
Mixed addition (#90)
* prettier comments

* Implement mixed addition on G1

* Test for mixed addition in G2 and use it for Miller Loop
2020-09-26 09:16:29 +02:00
Mamy Ratsimbazafy
03ecb31c57
Pairings for BN254-Nogami and BN254-Snarks (#86)
* Implement optimized final exponentiation for BN254-Nogami

* And BN254 Snarks support

* Optimize D-Twist sparse Fp12 x line multiplication

* Move quadruple/octuple and add to Github issues: https://github.com/mratsim/constantine/issues/88 [skip ci]
2020-09-25 21:58:20 +02:00
Mamy Ratsimbazafy
f78ed23dad
Pairing optim (#85)
* Fix fp12 Frobenius map

* Implement cyclotomic subgroup acceleration

* make cyclotomic squaring in-place

* Add back out-place cycl squaring and add cyclotomic inverse

* Implement state-of-the-art BLS12-381 final exponentiation

* save a cyclotomic squaring

* Accelerate sparse line multiplication in Miller loop

* Add pairing bench

* fix comments
2020-09-24 17:18:23 +02:00
Mamy André-Ratsimbazafy
0c18f4436c
Frobenius map over fp12 (works for power 1 and 3 but not 2) 2020-09-23 01:21:35 +02:00
Mamy André-Ratsimbazafy
406d999a9b
Higher-power frobenius applications 2020-09-23 00:55:32 +02:00
Mamy Ratsimbazafy
d84edcd217
Naive pairings + Naive cofactor clearing (#82)
* Pairing - initial commit
- line functions
- sparse Fp12 functions

* Small fixes:
- Line parametrized by twist for generic algorithm
- Add a conjugate operator for quadratic extensions
- Have frobenius use it
- Create an Affine coordinate type for elliptic curve

* Implement (failing) pairing test

* Stash pairing debug session, temp switch Fp12 over Fp4

* Proper naive pairing on BLS12-381

* Frobenius map

* Implement naive pairing for BN curves

* Add pairing tests to CI + reduce time spent on lower-level tests

* Test without assembler in Github Actions + less base layers test iterations
2020-09-21 23:24:00 +02:00
Mamy Ratsimbazafy
28e83e7b49
Faster inversion with addition chains (#80) 2020-09-04 19:04:32 +02:00
Mamy André-Ratsimbazafy
c2313ad697
5.3x faster test suite.
The running time of the test suite has increased significantly with:
- new tests (for example scalar mul implementations)
- new tests that stress the whole stack/tower
- x3 randomizers for fuzzing
- new CI and platforms: Total 16x runs per commit

This would let all tests take less than 10 min on CI, even non-parallelized ones like on Windows.
2020-09-03 23:30:39 +02:00
Mamy Ratsimbazafy
85d365359d
Endomorphism G2 (#79)
* Clear cofactor in BN254 G2 testgen and frobenius

* Implement G2 endomorphism acceleration in Sage

* Somewhat working accelerated scalar mul G2 (2.2x faster)
- OK for BN254_Snarks
- Some test failing for BLS12-381

* Fix negative miniscalars by adding an extra bit of encoding

* Cleanup accel params

* Small recoding optimizations
2020-09-03 23:10:48 +02:00
Mamy André-Ratsimbazafy
92939d40fb
deactivated Linux 32-bit tests on Azure for now 2020-09-01 14:17:38 +02:00
Mamy André-Ratsimbazafy
437a61bd93
Bash ~_~ .... Azure 32-bit (+ fix BN inversion alternative path) 2020-09-01 13:40:39 +02:00
Mamy André-Ratsimbazafy
303ce5b74c
Fix GCC 32-bit script install 2020-09-01 12:33:41 +02:00
Mamy André-Ratsimbazafy
5c1c4e40eb
and a missed UCPU 2020-09-01 11:53:58 +02:00
Mamy André-Ratsimbazafy
9976ac70bf
Add gcc -m32 to path in Azure 2020-09-01 10:29:02 +02:00
Mamy André-Ratsimbazafy
42e05af698
Add PowerPC64 support badge to the README 2020-08-31 23:38:58 +02:00
Mamy André-Ratsimbazafy
a6e980c866
Deactivate s390x - https://github.com/nim-lang/Nim/issues/15253 2020-08-31 23:36:23 +02:00
Mamy Ratsimbazafy
4a308c2148
Frobenius endomorphism ψ = φ⁻¹ π_p φ (psi = untwist-Frobenius-Twist) (#78)
* Sage script for frobenius isogeny

* Implement ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2

* Implement sparse mul for frobenius endomorphism

* Implement optimized psi2
2020-08-31 23:18:48 +02:00
Mamy André-Ratsimbazafy
c8e4346414
Fix UCPU for Linux i386 in Azure 2020-08-31 23:18:16 +02:00
Mamy André-Ratsimbazafy
54af3579f2
Add PowerPC LittleEndian and s390x (big-endian) to the Travis test suite 2020-08-31 23:13:16 +02:00
Mamy André-Ratsimbazafy
e3e9fc0e7f
Add Linux 32-bit to Azure 2020-08-31 23:04:41 +02:00
Mamy André-Ratsimbazafy
f57a7bfd77
Deactivate windows 32-bit tests for the time being 2020-08-31 22:47:57 +02:00
Mamy André-Ratsimbazafy
66d9799918
cleanups [skip ci] 2020-08-25 01:01:38 +02:00
Mamy Ratsimbazafy
6ac974d65e
Windowed GLV acceleration - 25% faster signing on G1 (#74)
* Fix 8x bigger than necessary encoding size of miniscalars in scalar mul

* initial windowed GLV-SAC implementation

* Simplify table encoding to match k0 without flipping bits
2020-08-25 00:02:30 +02:00
Mamy André-Ratsimbazafy
00ff599106
Fix 8x bigger than necessary encoding size of miniscalars in scalar mul 2020-08-24 18:31:27 +02:00
Mamy André-Ratsimbazafy
442c3f6cf6
Consolidate output folders of bench and testsuite 2020-08-22 23:00:05 +02:00
Mamy Ratsimbazafy
eee0f4f0fc
Lattice decomposition fixes (#71)
* Sage: Lattice decomp script fixes from anonymous reviewer

* update recoding mini test and add recoding primitives

* Update the GLV recoding

* update comments on positive/negative recoding [skip ci]

* sprinkle some {.noInit.} where possible
2020-08-22 19:45:44 +02:00
Mamy Ratsimbazafy
d41c653c8a
Double-width tower extension part 1 (#72)
* Implement double-width field multiplication for double-width towering

* Fp2 mul acceleration via double-width lazy reduction (pure Nim)

* Inline assembly for basic add and sub

* Use 2 registers instead of 12+ for ASM conditional copy

* Prepare assembly for extended multiprecision multiplication support

* Add assembly for mul

* initial implementation of assembly reduction

* stash current progress of assembly reduction

* Fix clobbering issue, only P256 comparison remain buggy

* Fix asm montgomery reduction for NIST P256 as well

* MULX/ADCX/ADOX multi-precision multiplication

* MULX/ADCX/ADOX reduction v1

* Add (deactivated) assembly for double-width subtraction + rework benches

* Add bench to nimble and deactivate double-width for now. slower than classic

* Fix x86-32 running out of registers for mul

* Clang needs to be at v9 to support flag output constraints (Xcode 11.4.2 / OSX Catalina)

* 32-bit doesn't have enough registers for ASM mul

* Fix again Travis Clang 9 issues

* LLVM 9 is not whitelisted in travis

* deactivated assembler with travis clang

* syntax error

* another

* ...

* missing space, yeah ...
2020-08-20 10:21:39 +02:00
Mamy André-Ratsimbazafy
5e8b1870a6
Rename files 2020-07-24 23:08:00 +02:00
Mamy Ratsimbazafy
d97bc9b61c
Assembly backend (#69)
* Proof-of-Concept Assembly code generator

* Tag inline per procedure so we can easily track the tradeoff on tower fields

* Implement Assembly for modular addition (but very curious off-by-one)

* Fix off-by-one for moduli with non msb set

* Stash (super fast) alternative but still off by carry

* Fix GCC optimizing ASM away

* Save 1 register to allow compiling for BLS12-381 (in the GMP test)

* The compiler cannot find enough registers if the ASM file is not compiled with -O3

* Add modsub

* Add field negation

* Implement no-carry Assembly optimized field multiplication

* Expose UseX86ASM to the EC benchmark

* omit frame pointer to save registers instead of hardcoding -O3. Also ensure early clobber constraints for Clang

* Prepare for assembly fallback

* Implement fallback for CPUs that don't support ADX and BMI2

* Add CPU runtime detection

* Update README closes #66

* Remove commented out code
2020-07-24 22:02:30 +02:00
Mamy Ratsimbazafy
504e2a9c25
typo 2020-07-09 14:05:11 +02:00
Mamy Ratsimbazafy
ec76ac5ea6
Fuzzing campaign fixes (#58)
* Add test case for #30 - Euler's criterion doesn't return 1 for a square

* Detect #42 in the test suite

* Detect #43 in the test suite

* comment in sqrt tests

* Add #67 to the anti-regression suite

* Add #61 to the anti-regression suite

* Add #62 to anti-regression suite

* Add #60 to the anti-regression suite

* Add #64 to the test suite

* Add #65 - case 1

* Add #65 case 2

* Add #65 case 3

* Add debug check to isSquare/Euler's Criterion/Legendre Symbol

* Make sure our primitives are correct

* For now deactivate montySquare CIOS fix #61 #62

* Narrow down #42 and #43 to powinv on 32-bit

* Detect #42 #43 at the fast squaring level

* More #42, #43 tests, Use multiplication instead of squaring as a temporary workaround, see https://github.com/mratsim/constantine/issues/68

* Prevent regression of #67 now that squaring is "fixed"
2020-06-23 01:27:40 +02:00
Mamy Ratsimbazafy
0400187f05
Use GMP and GNU parallel in GitHub Actions (#63)
* Use GMP and GNU parallel in GitHub Actions

* try gmp:i386

* Don't do GMP tests on i386
2020-06-20 19:46:30 +02:00
Mamy Ratsimbazafy
e491f3b91d
[WIP] Skewed RNGs that trigger corner cases (#59)
* Add a RNG skewed to high hamming weights

* Add libsecp256k1 skewed RNG that found a CVE in OpenSSL

* Add initial skewed RNGs tests to finite fields

* Add Fp towers skewed tests

* Add elliptic curve skewed tests
2020-06-20 18:55:27 +02:00
Mamy Ratsimbazafy
a2a2495351
Github Action CI (without GMP) (#29)
* Github Action CI (without GMP)

* Deactivate MacOS, spurious failures: https://github.com/actions/virtual-environments/issues/841

* force install with nimble

* Add badge

* Don't include Nim 1.2.x https://github.com/mratsim/constantine/pull/20#issuecomment-646327952

* Action branch mistake

* Add back OSX? https://github.com/actions/virtual-environments/issues/841, https://github.com/actions/virtual-environments/issues/969

* fix MacOS target

* comment out RDTSC on i386

* Add initialization canaries

* Add more verbose output to debug windows failures

* spurious windows i386 test

* For now only activate Linux and mac

* missed include
2020-06-19 22:08:15 +02:00
Mamy Ratsimbazafy
b509eeaeb6
Don't use memcpy / memmove (#57) 2020-06-19 20:29:11 +02:00
Mamy André-Ratsimbazafy
608d26e497
Fix #55 2020-06-19 00:24:50 +02:00
Mamy André-Ratsimbazafy
4bbfd1dd45
Add test generator for BLS12-381 G2 and pass the tests 2020-06-18 22:00:31 +02:00
Mamy André-Ratsimbazafy
dc83855f26
Add a test vector generator for BN254 on G2 and pass the tests 2020-06-18 01:40:13 +02:00
Mamy André-Ratsimbazafy
d22d981e9e
Implement fused sqrt invsqrt on Fp: Accelerate sqrt on Fp2 by 20% (hashToG2 and property-based testing bottleneck, 4 times slower than inversion and 87 times slower than Fp2 multiplication) 2020-06-17 22:44:52 +02:00
Mamy André-Ratsimbazafy
53c94e8aab
cosmetic fix on non-residue 2020-06-16 12:03:09 +02:00
Mamy André-Ratsimbazafy
43abf9dfc4
Shorter test names for github display 2020-06-15 23:15:01 +02:00
Mamy Ratsimbazafy
d376f08d1b
G2 / Operations on the twisted curve E'(Fp2) (#51)
* Split elliptic curve tests to better use parallel testing

* Add support for printing points on G2

* Implement multiplication and division by optimal sextic non-residue (BLS12-381)

* Implement modular square root in 𝔽p2

* Support EC add and EC double on G2 (for BLS12-381)

* Support G2 divisive twists with non-unit sextic-non-residue like BN254 snarks

* Add EC G2 bench

* cleanup some unused warnings

* Reorg the tests for parallelization and to avoid instantiating huge files
2020-06-15 22:58:56 +02:00
Mamy Ratsimbazafy
2613356281
Endomorphism acceleration for Scalar Multiplication (#44)
* Add MultiScalar recoding from "Efficient and Secure Algorithms for GLV-Based Scalar Multiplication" by Faz et al

* precompute cube root of unity - Add VM precomputation of Fp - workaround upstream bug https://github.com/nim-lang/Nim/issues/14585

* Add the φ-accelerated lookup table builder

* Add a dedicated bithacks file

* cosmetic import consistency

* Build the φ precompute table with n-1 EC additions instead of 2^(n-1) additions

* remove binary

* Add the GLV precomputations to the sage scripts

* You can't avoid it, bigint multiplication is needed at one point

* Add bigint multiplication discarding some low words

* Implement the lattice decomposition in sage

* Proper decomposition for BN254

* Prepare the code for a new scalar mul

* We compile, and now debugging hunt

* More helpers to debug GLV scalar Mul

* Fix conditional negation

* Endomorphism accelerated scalar mul working for BN254 curve

* Implement endomorphism acceleration for BLS12-381 (needed cofactor clearing of the point)

* fix nimble test script after bench rename
2020-06-14 15:39:06 +02:00
Mamy Ratsimbazafy
f8fb54faef
Build and run tests in parallel (#41)
* Build and run tests in parallel

* Workaround travis OSX Homebrew bug

* semicolons ...

* Don't auto-update before installing homebrew packages
2020-06-07 19:39:34 +02:00
Mamy Ratsimbazafy
3d1b1fab98
Fix benchmark on ARM (#31) 2020-06-04 22:09:30 +02:00
Mamy Ratsimbazafy
82ceca6e3b
Scalar mul tests (#28)
* Add sage script for BN254

* Implement (failing) scalar multiplication tests

* Add a first test against sagemath

* Finish the tests against SAGE for BN254

* Add significant test coverage of scalar multiplication with reference checks for BN254_Snarks and BLS12_381
2020-06-04 20:37:29 +02:00
Mamy André-Ratsimbazafy
71a2acc202
Report interesting moduli for BLS and BN curves 2020-05-22 17:55:03 +02:00
Mamy André-Ratsimbazafy
ff9dec4813
Initial impl of side-channel resistant scalar mul to securely handle secret keys inputs. 2020-04-17 22:17:28 +02:00