Towered extension comparison bug: squaring in 𝔽p6 is not properly implemented

2020-04-14 13:40:03 +02:00 · 2020-04-14 13:40:03 +02:00 · 5784e78606
parent c8935f0a1d
commit 5784e78606
4 changed files with 123 additions and 14 deletions
--- a/constantine/tower_field_extensions/tower_common.nim
+++ b/constantine/tower_field_extensions/tower_common.nim
@ -61,9 +61,24 @@ func setOne*(a: var ExtensionField) =

 func `==`*(a, b: ExtensionField): CTBool[Word] =
  ## Constant-time equality check
-  result = CtFalse
+  result = CtTrue
  for fA, fB in fields(a, b):
-    result = result or (fA == fB)
+    result = result and (fA == fB)
+
+func isZero*(a: ExtensionField): CTBool[Word] =
+  ## Constant-time check if zero
+  result = CtTrue
+  for fA in fields(a):
+    result = result and fA.isZero()
+
+func isOne*(a: ExtensionField): CTBool[Word] =
+  ## Constant-time check if one
+  result = CtTrue
+  for fieldName, fA in fields(a):
+    when fieldName == "c0":
+      result = result and fA.isOne()
+    else:
+      result = result and fA.isZero()

 # Abelian group
 # -------------------------------------------------------------------
--- a/tests/test_fp12.nim
+++ b/tests/test_fp12.nim
@ -30,7 +30,20 @@ echo "test_fp12 xoshiro512** seed: ", seed
 #         having too many elements on the stack (a couple kB)
 #         will significantly slow down testing (100x is possible)

-suite "𝔽p12 = 𝔽p6[√∛(1+𝑖)]":
+suite "𝔽p12 = 𝔽p6[w] (irreducible polynomial w² - γ)":
+
+  test "Comparison sanity checks":
+    proc test(C: static Curve) =
+      var z, o {.noInit.}: Fp12[C]
+
+      z.setZero()
+      o.setOne()
+
+      check: not bool(z == o)
+
+    test(BN254_Snarks)
+    test(BLS12_381)
+
  test "Squaring 1 returns 1":
    template test(C: static Curve) =
      block:
@ -338,7 +351,7 @@ suite "𝔽p12 = 𝔽p6[√∛(1+𝑖)]":
    # test(BLS12_461)
    # test(BN462)

-  test "𝔽p12 = 𝔽p6[√∛(1+𝑖)] addition is associative and commutative":
+  test "Addition is associative and commutative":
    proc abelianGroup(curve: static Curve) =
      for _ in 0 ..< Iters:
        let a = rng.random(Fp12[curve])
@ -389,7 +402,7 @@ suite "𝔽p12 = 𝔽p6[√∛(1+𝑖)]":
    # abelianGroup(BLS12_461)
    # abelianGroup(BN462)

-  test "𝔽p12 = 𝔽p6[√∛(1+𝑖)] multiplication is associative and commutative":
+  test "Multiplication is associative and commutative":
    proc commutativeRing(curve: static Curve) =
      for _ in 0 ..< Iters:
        let a = rng.random(Fp12[curve])
@ -440,7 +453,7 @@ suite "𝔽p12 = 𝔽p6[√∛(1+𝑖)]":
    # commutativeRing(BLS12_461)
    # commutativeRing(BN462)

-  test "𝔽p6 = 𝔽p2[∛(1+𝑖)] extension field multiplicative inverse":
+  test "Extension field multiplicative inverse":
    proc mulInvOne(curve: static Curve) =
      var one: Fp12[curve]
      one.setOne()
@ -470,3 +483,22 @@ suite "𝔽p12 = 𝔽p6[√∛(1+𝑖)]":
    # mulInvOne(FKM12_447)
    # mulInvOne(BLS12_461)
    # mulInvOne(BN462)
+
+  test "0 does not have a multiplicative inverse and should return 0 for projective/jacobian => affine coordinates conversion":
+    proc test(curve: static Curve) =
+      var z: Fp12[curve]
+      z.setZero()
+
+      var zInv{.noInit.}: Fp6[curve]
+
+      zInv.inv(z)
+      check: bool zInv.isZero()
+
+    # test(BN254_Nogami)
+    test(BN254_Snarks)
+    test(BLS12_377)
+    test(BLS12_381)
+    # test(BN446)
+    # test(FKM12_447)
+    # test(BLS12_461)
+    # test(BN462)
--- a/tests/test_fp2.nim
+++ b/tests/test_fp2.nim
@ -30,7 +30,19 @@ echo "test_fp2 xoshiro512** seed: ", seed
 #         having too many elements on the stack (a couple kB)
 #         will significantly slow down testing (100x is possible)

-suite "𝔽p2 = 𝔽p[𝑖] (irreducible polynomial x²+1)":
+suite "𝔽p2 = 𝔽p[µ] (irreducible polynomial x²+µ)":
+  test "Comparison sanity checks":
+    proc test(C: static Curve) =
+      var z, o {.noInit.}: Fp2[C]
+
+      z.setZero()
+      o.setOne()
+
+      check: not bool(z == o)
+
+    test(BN254_Snarks)
+    test(BLS12_381)
+
  test "Fp2 '1' coordinates in canonical domain":
    template test(C: static Curve) =
      block:
@ -235,7 +247,7 @@ suite "𝔽p2 = 𝔽p[𝑖] (irreducible polynomial x²+1)":
    # test(BLS12_461)
    # test(BN462)

-  test "𝔽p2 = 𝔽p[𝑖] addition is associative and commutative":
+  test "Addition is associative and commutative":
    proc abelianGroup(curve: static Curve) =
      for _ in 0 ..< Iters:
        let a = rng.random(Fp2[curve])
@ -286,7 +298,7 @@ suite "𝔽p2 = 𝔽p[𝑖] (irreducible polynomial x²+1)":
    # abelianGroup(BLS12_461)
    # abelianGroup(BN462)

-  test "𝔽p2 = 𝔽p[𝑖] multiplication is associative and commutative":
+  test "Multiplication is associative and commutative":
    proc commutativeRing(curve: static Curve) =
      for _ in 0 ..< Iters:
        let a = rng.random(Fp2[curve])
@ -337,7 +349,7 @@ suite "𝔽p2 = 𝔽p[𝑖] (irreducible polynomial x²+1)":
    # commutativeRing(BLS12_461)
    # commutativeRing(BN462)

-  test "𝔽p2 = 𝔽p[𝑖] extension field multiplicative inverse":
+  test "Extension field multiplicative inverse":
    proc mulInvOne(curve: static Curve) =
      var one: Fp2[curve]
      one.setOne()
@ -360,3 +372,22 @@ suite "𝔽p2 = 𝔽p[𝑖] (irreducible polynomial x²+1)":
    # mulInvOne(FKM12_447)
    # mulInvOne(BLS12_461)
    # mulInvOne(BN462)
+
+  test "0 does not have a multiplicative inverse and should return 0 for projective/jacobian => affine coordinates conversion":
+    proc test(curve: static Curve) =
+      var z: Fp2[curve]
+      z.setZero()
+
+      var zInv{.noInit.}: Fp2[curve]
+
+      zInv.inv(z)
+      check: bool zInv.isZero()
+
+    # test(BN254_Nogami)
+    test(BN254_Snarks)
+    test(BLS12_377)
+    test(BLS12_381)
+    # test(BN446)
+    # test(FKM12_447)
+    # test(BLS12_461)
+    # test(BN462)
--- a/tests/test_fp6.nim
+++ b/tests/test_fp6.nim
@ -30,7 +30,19 @@ echo "test_fp6 xoshiro512** seed: ", seed
 #         having too many elements on the stack (a couple kB)
 #         will significantly slow down testing (100x is possible)

-suite "𝔽p6 = 𝔽p2[∛(1+𝑖)] (irreducible polynomial x³ - (1+𝑖))":
+suite "𝔽p6 = 𝔽p2[v] (irreducible polynomial v³ - ξ)":
+  test "Comparison sanity checks":
+    proc test(C: static Curve) =
+      var z, o {.noInit.}: Fp6[C]
+
+      z.setZero()
+      o.setOne()
+
+      check: not bool(z == o)
+
+    test(BN254_Snarks)
+    test(BLS12_381)
+
  test "Squaring 1 returns 1":
    template test(C: static Curve) =
      block:
@ -338,7 +350,7 @@ suite "𝔽p6 = 𝔽p2[∛(1+𝑖)] (irreducible polynomial x³ - (1+𝑖))":
    # test(BLS12_461)
    # test(BN462)

-  test "𝔽p6 = 𝔽p2[∛(1+𝑖)] addition is associative and commutative":
+  test "Addition is associative and commutative":
    proc abelianGroup(curve: static Curve) =
      for _ in 0 ..< Iters:
        let a = rng.random(Fp6[curve])
@ -389,7 +401,7 @@ suite "𝔽p6 = 𝔽p2[∛(1+𝑖)] (irreducible polynomial x³ - (1+𝑖))":
    # abelianGroup(BLS12_461)
    # abelianGroup(BN462)

-  test "𝔽p6 = 𝔽p2[∛(1+𝑖)] multiplication is associative and commutative":
+  test "Multiplication is associative and commutative":
    proc commutativeRing(curve: static Curve) =
      for _ in 0 ..< Iters:
        let a = rng.random(Fp6[curve])
@ -440,7 +452,7 @@ suite "𝔽p6 = 𝔽p2[∛(1+𝑖)] (irreducible polynomial x³ - (1+𝑖))":
    # commutativeRing(BLS12_461)
    # commutativeRing(BN462)

-  test "𝔽p6 = 𝔽p2[∛(1+𝑖)] extension field multiplicative inverse":
+  test "Extension field multiplicative inverse":
    proc mulInvOne(curve: static Curve) =
      var one: Fp6[curve]
      one.setOne()
@ -470,3 +482,22 @@ suite "𝔽p6 = 𝔽p2[∛(1+𝑖)] (irreducible polynomial x³ - (1+𝑖))":
    # mulInvOne(FKM12_447)
    # mulInvOne(BLS12_461)
    # mulInvOne(BN462)
+
+  test "0 does not have a multiplicative inverse and should return 0 for projective/jacobian => affine coordinates conversion":
+    proc test(curve: static Curve) =
+      var z: Fp6[curve]
+      z.setZero()
+
+      var zInv{.noInit.}: Fp6[curve]
+
+      zInv.inv(z)
+      check: bool zInv.isZero()
+
+    # test(BN254_Nogami)
+    test(BN254_Snarks)
+    test(BLS12_377)
+    test(BLS12_381)
+    # test(BN446)
+    # test(FKM12_447)
+    # test(BLS12_461)
+    # test(BN462)