mirror of
https://github.com/codex-storage/constantine.git
synced 2025-01-26 02:28:48 +00:00
d69c7bf8e9
* H2C: fix fuzz failure 2, non-fully reduced in isogeny EC addition * faster hashToG2 by using sparsity
90 lines
3.3 KiB
Nim
90 lines
3.3 KiB
Nim
# Constantine
|
|
# Copyright (c) 2018-2019 Status Research & Development GmbH
|
|
# Copyright (c) 2020-Present Mamy André-Ratsimbazafy
|
|
# Licensed and distributed under either of
|
|
# * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
|
|
# * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
|
|
# at your option. This file may not be copied, modified, or distributed except according to those terms.
|
|
|
|
import
|
|
# Standard library
|
|
std/[unittest, times],
|
|
# Internals
|
|
../constantine/math/config/curves,
|
|
../constantine/math/extension_fields,
|
|
../constantine/math/ec_shortweierstrass,
|
|
../constantine/hash_to_curve/hash_to_curve,
|
|
../constantine/hashes,
|
|
../constantine/math/constants/zoo_subgroups,
|
|
../constantine/math/io/io_ec,
|
|
# Test utilities
|
|
../helpers/prng_unsafe
|
|
|
|
const Iters = 6
|
|
|
|
# Random seed for reproducibility
|
|
var rng: RngState
|
|
let seed = uint32(getTime().toUnix() and (1'i64 shl 32 - 1)) # unixTime mod 2^32
|
|
rng.seed(seed)
|
|
echo "\n------------------------------------------------------\n"
|
|
echo "Hash-to-curve (randomized) xoshiro512** seed: ", seed
|
|
|
|
proc testH2C_consistency[EC: ECP_ShortW](curve: typedesc[EC]) =
|
|
var P{.noInit.}: EC
|
|
let msg = rng.random_byte_seq(32)
|
|
sha256.hashToCurve(
|
|
k = 128,
|
|
output = P,
|
|
augmentation = "",
|
|
message = msg,
|
|
domainSepTag = "H2C-CONSTANTINE-TESTSUITE"
|
|
)
|
|
|
|
doAssert bool isOnCurve(P.x, P.y, EC.G)
|
|
doAssert bool isInSubgroup(P)
|
|
|
|
suite "Hash-to-curve produces points on curve and in correct subgroup":
|
|
test "BLS12-381 G1":
|
|
for i in 0 ..< Iters:
|
|
testH2C_consistency(ECP_ShortW_Aff[Fp[BLS12_381], G1])
|
|
test "BLS12-381 G2":
|
|
for i in 0 ..< Iters:
|
|
testH2C_consistency(ECP_ShortW_Aff[Fp2[BLS12_381], G2])
|
|
test "BN254_Snarks G1":
|
|
for i in 0 ..< Iters:
|
|
testH2C_consistency(ECP_ShortW_Aff[Fp[BN254_Snarks], G1])
|
|
test "BN254_Snarks G2":
|
|
for i in 0 ..< Iters:
|
|
testH2C_consistency(ECP_ShortW_Aff[Fp2[BN254_Snarks], G2])
|
|
|
|
proc testH2C_guidovranken_fuzz_failure_2() =
|
|
# From Guido Vranken differential fuzzing
|
|
# Summing elliptic curve on an isogeny was mistakenly not fully reducing HHH_or_Mpre
|
|
let msg = [
|
|
uint8 0xa7, 0x1b, 0x0a, 0x38, 0xd4, 0x09, 0x2b, 0x3b,
|
|
0xdc, 0x9e, 0x75, 0x0a, 0x27, 0x0a, 0xd5, 0xdd,
|
|
0x16, 0x6f, 0x32, 0x5c, 0x16, 0xf5, 0x6d, 0x2f,
|
|
0x87, 0xbb, 0x6b, 0xf5, 0xd2]
|
|
let dst = [
|
|
uint8 0x5a, 0x59, 0xae, 0x59, 0x04, 0x8a, 0x29, 0x0f,
|
|
0x9a, 0xc1, 0x80, 0x26, 0xba, 0x6d, 0xd8, 0x7f,
|
|
0x54, 0xf0, 0x5a, 0x01, 0x49, 0xad, 0x2b, 0x95,
|
|
0xfe]
|
|
let aug = [
|
|
uint8 0x70, 0x20, 0xde, 0x7c, 0x51, 0x88, 0x88, 0x54,
|
|
0xf1, 0xaf, 0xa5, 0x06, 0x78, 0x80, 0xde, 0xf0,
|
|
0x0d, 0xdf]
|
|
|
|
var r{.noInit}: ECP_ShortW_Jac[Fp[BLS12_381], G1]
|
|
sha256.hashToCurve(128, r, aug, msg, dst)
|
|
|
|
let expected = ECP_ShortW_Jac[Fp[BLS12_381], G1].fromHex(
|
|
x = "0x48f2bbee30aa236feaa7fb924d8a3de3090ff160f9972a8afda302bd248248527dcc59ce195cd5f5a1488417cfc64cc",
|
|
y = "0xe91b0a3cdea4981741791c8e9b4287d2f693c6626d8e4408ecaaa473e6ff2f691f5f23f8b7b46bdf3560e7cca67e5bc"
|
|
)
|
|
|
|
doAssert bool(r == expected)
|
|
|
|
suite "Hash-to-curve anti-regression":
|
|
test "BLS12-381 G1 - Fuzzing Failure 2":
|
|
testH2C_guidovranken_fuzz_failure_2() |