arnaucube
/
go-iden3-crypto
mirror of https://github.com/arnaucube/go-iden3-crypto.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37 Commits
26 Branches
7 Tags
4.8 MiB
Branch: feature/goff-0-2-0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'feature/goff-0-2-0'
${ noResults }
go-iden3-crypto/ff/element_test.go

474 lines
12 KiB
Raw Permalink Normal View History

Update to goff v0.2.0
4 years ago
Add goff generated finite field arithmetic code for used field
4 years ago
Update to goff v0.2.0
4 years ago
Add goff generated finite field arithmetic code for used field
4 years ago
Update to goff v0.2.0
4 years ago
Add goff generated finite field arithmetic code for used field
4 years ago
Update to goff v0.2.0
4 years ago
Add goff generated finite field arithmetic code for used field
4 years ago
Update to goff v0.2.0
4 years ago
Add goff generated finite field arithmetic code for used field
4 years ago
Update to goff v0.2.0
4 years ago
Add goff generated finite field arithmetic code for used field
4 years ago
Update to goff v0.2.0
4 years ago
Add goff generated finite field arithmetic code for used field
4 years ago
Update to goff v0.2.0
4 years ago
Add goff generated finite field arithmetic code for used field
4 years ago
Update to goff v0.2.0
4 years ago
  1. // Copyright 2020 ConsenSys AG
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  15. // Code generated by goff (v0.2.0) DO NOT EDIT
  17. // Package ff contains field arithmetic operations
  18. package ff
  20. import (
  21. "crypto/rand"
  22. "math/big"
  23. "math/bits"
  24. mrand "math/rand"
  25. "testing"
  26. )
  28. func TestELEMENTCorrectnessAgainstBigInt(t *testing.T) {
  29. modulus, _ := new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)
  30. cmpEandB := func(e *Element, b *big.Int, name string) {
  31. var _e big.Int
  32. if e.FromMont().ToBigInt(&_e).Cmp(b) != 0 {
  33. t.Fatal(name, "failed")
  34. }
  35. }
  36. var modulusMinusOne, one big.Int
  37. one.SetUint64(1)
  39. modulusMinusOne.Sub(modulus, &one)
  41. var n int
  42. if testing.Short() {
  43. n = 10
  44. } else {
  45. n = 500
  46. }
  48. for i := 0; i < n; i++ {
  50. // sample 2 random big int
  51. b1, _ := rand.Int(rand.Reader, modulus)
  52. b2, _ := rand.Int(rand.Reader, modulus)
  53. rExp := mrand.Uint64()
  55. // adding edge cases
  56. // TODO need more edge cases
  57. switch i {
  58. case 0:
  59. rExp = 0
  60. b1.SetUint64(0)
  61. case 1:
  62. b2.SetUint64(0)
  63. case 2:
  64. b1.SetUint64(0)
  65. b2.SetUint64(0)
  66. case 3:
  67. rExp = 0
  68. case 4:
  69. rExp = 1
  70. case 5:
  71. rExp = ^uint64(0) // max uint
  72. case 6:
  73. rExp = 2
  74. b1.Set(&modulusMinusOne)
  75. case 7:
  76. b2.Set(&modulusMinusOne)
  77. case 8:
  78. b1.Set(&modulusMinusOne)
  79. b2.Set(&modulusMinusOne)
  80. }
  82. rbExp := new(big.Int).SetUint64(rExp)
  84. var bMul, bAdd, bSub, bDiv, bNeg, bLsh, bInv, bExp, bExp2, bSquare big.Int
  86. // e1 = mont(b1), e2 = mont(b2)
  87. var e1, e2, eMul, eAdd, eSub, eDiv, eNeg, eLsh, eInv, eExp, eSquare, eMulAssign, eSubAssign, eAddAssign Element
  88. e1.SetBigInt(b1)
  89. e2.SetBigInt(b2)
  91. // (e1*e2).FromMont() === b1*b2 mod q ... etc
  92. eSquare.Square(&e1)
  93. eMul.Mul(&e1, &e2)
  94. eMulAssign.Set(&e1)
  95. eMulAssign.MulAssign(&e2)
  96. eAdd.Add(&e1, &e2)
  97. eAddAssign.Set(&e1)
  98. eAddAssign.AddAssign(&e2)
  99. eSub.Sub(&e1, &e2)
  100. eSubAssign.Set(&e1)
  101. eSubAssign.SubAssign(&e2)
  102. eDiv.Div(&e1, &e2)
  103. eNeg.Neg(&e1)
  104. eInv.Inverse(&e1)
  105. eExp.Exp(e1, rExp)
  106. eLsh.Double(&e1)
  108. // same operations with big int
  109. bAdd.Add(b1, b2).Mod(&bAdd, modulus)
  110. bMul.Mul(b1, b2).Mod(&bMul, modulus)
  111. bSquare.Mul(b1, b1).Mod(&bSquare, modulus)
  112. bSub.Sub(b1, b2).Mod(&bSub, modulus)
  113. bDiv.ModInverse(b2, modulus)
  114. bDiv.Mul(&bDiv, b1).
  115. Mod(&bDiv, modulus)
  116. bNeg.Neg(b1).Mod(&bNeg, modulus)
  118. bInv.ModInverse(b1, modulus)
  119. bExp.Exp(b1, rbExp, modulus)
  120. bLsh.Lsh(b1, 1).Mod(&bLsh, modulus)
  122. cmpEandB(&eSquare, &bSquare, "Square")
  123. cmpEandB(&eMul, &bMul, "Mul")
  124. cmpEandB(&eMulAssign, &bMul, "MulAssign")
  125. cmpEandB(&eAdd, &bAdd, "Add")
  126. cmpEandB(&eAddAssign, &bAdd, "AddAssign")
  127. cmpEandB(&eSub, &bSub, "Sub")
  128. cmpEandB(&eSubAssign, &bSub, "SubAssign")
  129. cmpEandB(&eDiv, &bDiv, "Div")
  130. cmpEandB(&eNeg, &bNeg, "Neg")
  131. cmpEandB(&eInv, &bInv, "Inv")
  132. cmpEandB(&eExp, &bExp, "Exp")
  134. cmpEandB(&eLsh, &bLsh, "Lsh")
  136. // legendre symbol
  137. if e1.Legendre() != big.Jacobi(b1, modulus) {
  138. t.Fatal("legendre symbol computation failed")
  139. }
  140. if e2.Legendre() != big.Jacobi(b2, modulus) {
  141. t.Fatal("legendre symbol computation failed")
  142. }
  144. // these are slow, killing circle ci
  145. if n <= 5 {
  146. // sqrt
  147. var eSqrt, eExp2 Element
  148. var bSqrt big.Int
  149. bSqrt.ModSqrt(b1, modulus)
  150. eSqrt.Sqrt(&e1)
  151. cmpEandB(&eSqrt, &bSqrt, "Sqrt")
  153. bits := b2.Bits()
  154. exponent := make([]uint64, len(bits))
  155. for k := 0; k < len(bits); k++ {
  156. exponent[k] = uint64(bits[k])
  157. }
  158. eExp2.Exp(e1, exponent...)
  159. bExp2.Exp(b1, b2, modulus)
  160. cmpEandB(&eExp2, &bExp2, "Exp multi words")
  161. }
  162. }
  163. }
  165. func TestELEMENTIsRandom(t *testing.T) {
  166. for i := 0; i < 50; i++ {
  167. var x, y Element
  168. x.SetRandom()
  169. y.SetRandom()
  170. if x.Equal(&y) {
  171. t.Fatal("2 random numbers are unlikely to be equal")
  172. }
  173. }
  174. }
  176. // -------------------------------------------------------------------------------------------------
  177. // benchmarks
  178. // most benchmarks are rudimentary and should sample a large number of random inputs
  179. // or be run multiple times to ensure it didn't measure the fastest path of the function
  181. var benchResElement Element
  183. func BenchmarkInverseELEMENT(b *testing.B) {
  184. var x Element
  185. x.SetRandom()
  186. benchResElement.SetRandom()
  187. b.ResetTimer()
  189. for i := 0; i < b.N; i++ {
  190. benchResElement.Inverse(&x)
  191. }
  193. }
  194. func BenchmarkExpELEMENT(b *testing.B) {
  195. var x Element
  196. x.SetRandom()
  197. benchResElement.SetRandom()
  198. b.ResetTimer()
  199. for i := 0; i < b.N; i++ {
  200. benchResElement.Exp(x, mrand.Uint64())
  201. }
  202. }
  204. func BenchmarkDoubleELEMENT(b *testing.B) {
  205. benchResElement.SetRandom()
  206. b.ResetTimer()
  207. for i := 0; i < b.N; i++ {
  208. benchResElement.Double(&benchResElement)
  209. }
  210. }
  212. func BenchmarkAddELEMENT(b *testing.B) {
  213. var x Element
  214. x.SetRandom()
  215. benchResElement.SetRandom()
  216. b.ResetTimer()
  217. for i := 0; i < b.N; i++ {
  218. benchResElement.Add(&x, &benchResElement)
  219. }
  220. }
  222. func BenchmarkSubELEMENT(b *testing.B) {
  223. var x Element
  224. x.SetRandom()
  225. benchResElement.SetRandom()
  226. b.ResetTimer()
  227. for i := 0; i < b.N; i++ {
  228. benchResElement.Sub(&x, &benchResElement)
  229. }
  230. }
  232. func BenchmarkNegELEMENT(b *testing.B) {
  233. benchResElement.SetRandom()
  234. b.ResetTimer()
  235. for i := 0; i < b.N; i++ {
  236. benchResElement.Neg(&benchResElement)
  237. }
  238. }
  240. func BenchmarkDivELEMENT(b *testing.B) {
  241. var x Element
  242. x.SetRandom()
  243. benchResElement.SetRandom()
  244. b.ResetTimer()
  245. for i := 0; i < b.N; i++ {
  246. benchResElement.Div(&x, &benchResElement)
  247. }
  248. }
  250. func BenchmarkFromMontELEMENT(b *testing.B) {
  251. benchResElement.SetRandom()
  252. b.ResetTimer()
  253. for i := 0; i < b.N; i++ {
  254. benchResElement.FromMont()
  255. }
  256. }
  258. func BenchmarkToMontELEMENT(b *testing.B) {
  259. benchResElement.SetRandom()
  260. b.ResetTimer()
  261. for i := 0; i < b.N; i++ {
  262. benchResElement.ToMont()
  263. }
  264. }
  265. func BenchmarkSquareELEMENT(b *testing.B) {
  266. benchResElement.SetRandom()
  267. b.ResetTimer()
  268. for i := 0; i < b.N; i++ {
  269. benchResElement.Square(&benchResElement)
  270. }
  271. }
  273. func BenchmarkSqrtELEMENT(b *testing.B) {
  274. var a Element
  275. a.SetRandom()
  276. b.ResetTimer()
  277. for i := 0; i < b.N; i++ {
  278. benchResElement.Sqrt(&a)
  279. }
  280. }
  282. func BenchmarkMulAssignELEMENT(b *testing.B) {
  283. x := Element{
  284. 1997599621687373223,
  285. 6052339484930628067,
  286. 10108755138030829701,
  287. 150537098327114917,
  288. }
  289. benchResElement.SetOne()
  290. b.ResetTimer()
  291. for i := 0; i < b.N; i++ {
  292. benchResElement.MulAssign(&x)
  293. }
  294. }
  296. func BenchmarkMulAssignASMELEMENT(b *testing.B) {
  297. x := Element{
  298. 1997599621687373223,
  299. 6052339484930628067,
  300. 10108755138030829701,
  301. 150537098327114917,
  302. }
  303. benchResElement.SetOne()
  304. b.ResetTimer()
  305. for i := 0; i < b.N; i++ {
  306. MulAssignElement(&benchResElement, &x)
  307. }
  308. }
  310. func TestELEMENTAsm(t *testing.T) {
  311. // ensure ASM implementations matches the ones using math/bits
  312. modulus, _ := new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)
  313. for i := 0; i < 500; i++ {
  314. // sample 2 random big int
  315. b1, _ := rand.Int(rand.Reader, modulus)
  316. b2, _ := rand.Int(rand.Reader, modulus)
  318. // e1 = mont(b1), e2 = mont(b2)
  319. var e1, e2, eTestMul, eMulAssign, eSquare, eTestSquare Element
  320. e1.SetBigInt(b1)
  321. e2.SetBigInt(b2)
  323. eTestMul = e1
  324. eTestMul.testMulAssign(&e2)
  325. eMulAssign = e1
  326. eMulAssign.MulAssign(&e2)
  328. if !eTestMul.Equal(&eMulAssign) {
  329. t.Fatal("inconsisntencies between MulAssign and testMulAssign --> check if MulAssign is calling ASM implementaiton on amd64")
  330. }
  332. // square
  333. eSquare.Square(&e1)
  334. eTestSquare.testSquare(&e1)
  336. if !eTestSquare.Equal(&eSquare) {
  337. t.Fatal("inconsisntencies between Square and testSquare --> check if Square is calling ASM implementaiton on amd64")
  338. }
  339. }
  340. }
  342. // this is here for consistency purposes, to ensure MulAssign on AMD64 using asm implementation gives consistent results
  343. func (z *Element) testMulAssign(x *Element) *Element {
  345. var t [4]uint64
  346. var c [3]uint64
  347. {
  348. // round 0
  349. v := z[0]
  350. c[1], c[0] = bits.Mul64(v, x[0])
  351. m := c[0] * 14042775128853446655
  352. c[2] = madd0(m, 4891460686036598785, c[0])
  353. c[1], c[0] = madd1(v, x[1], c[1])
  354. c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
  355. c[1], c[0] = madd1(v, x[2], c[1])
  356. c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
  357. c[1], c[0] = madd1(v, x[3], c[1])
  358. t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
  359. }
  360. {
  361. // round 1
  362. v := z[1]
  363. c[1], c[0] = madd1(v, x[0], t[0])
  364. m := c[0] * 14042775128853446655
  365. c[2] = madd0(m, 4891460686036598785, c[0])
  366. c[1], c[0] = madd2(v, x[1], c[1], t[1])
  367. c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
  368. c[1], c[0] = madd2(v, x[2], c[1], t[2])
  369. c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
  370. c[1], c[0] = madd2(v, x[3], c[1], t[3])
  371. t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
  372. }
  373. {
  374. // round 2
  375. v := z[2]
  376. c[1], c[0] = madd1(v, x[0], t[0])
  377. m := c[0] * 14042775128853446655
  378. c[2] = madd0(m, 4891460686036598785, c[0])
  379. c[1], c[0] = madd2(v, x[1], c[1], t[1])
  380. c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
  381. c[1], c[0] = madd2(v, x[2], c[1], t[2])
  382. c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
  383. c[1], c[0] = madd2(v, x[3], c[1], t[3])
  384. t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
  385. }
  386. {
  387. // round 3
  388. v := z[3]
  389. c[1], c[0] = madd1(v, x[0], t[0])
  390. m := c[0] * 14042775128853446655
  391. c[2] = madd0(m, 4891460686036598785, c[0])
  392. c[1], c[0] = madd2(v, x[1], c[1], t[1])
  393. c[2], z[0] = madd2(m, 2896914383306846353, c[2], c[0])
  394. c[1], c[0] = madd2(v, x[2], c[1], t[2])
  395. c[2], z[1] = madd2(m, 13281191951274694749, c[2], c[0])
  396. c[1], c[0] = madd2(v, x[3], c[1], t[3])
  397. z[3], z[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
  398. }
  400. // if z > q --> z -= q
  401. // note: this is NOT constant time
  402. if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
  403. var b uint64
  404. z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
  405. z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
  406. z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
  407. z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
  408. }
  409. return z
  410. }
  412. // this is here for consistency purposes, to ensure Square on AMD64 using asm implementation gives consistent results
  413. func (z *Element) testSquare(x *Element) *Element {
  415. var p [4]uint64
  417. var u, v uint64
  418. {
  419. // round 0
  420. u, p[0] = bits.Mul64(x[0], x[0])
  421. m := p[0] * 14042775128853446655
  422. C := madd0(m, 4891460686036598785, p[0])
  423. var t uint64
  424. t, u, v = madd1sb(x[0], x[1], u)
  425. C, p[0] = madd2(m, 2896914383306846353, v, C)
  426. t, u, v = madd1s(x[0], x[2], t, u)
  427. C, p[1] = madd2(m, 13281191951274694749, v, C)
  428. _, u, v = madd1s(x[0], x[3], t, u)
  429. p[3], p[2] = madd3(m, 3486998266802970665, v, C, u)
  430. }
  431. {
  432. // round 1
  433. m := p[0] * 14042775128853446655
  434. C := madd0(m, 4891460686036598785, p[0])
  435. u, v = madd1(x[1], x[1], p[1])
  436. C, p[0] = madd2(m, 2896914383306846353, v, C)
  437. var t uint64
  438. t, u, v = madd2sb(x[1], x[2], p[2], u)
  439. C, p[1] = madd2(m, 13281191951274694749, v, C)
  440. _, u, v = madd2s(x[1], x[3], p[3], t, u)
  441. p[3], p[2] = madd3(m, 3486998266802970665, v, C, u)
  442. }
  443. {
  444. // round 2
  445. m := p[0] * 14042775128853446655
  446. C := madd0(m, 4891460686036598785, p[0])
  447. C, p[0] = madd2(m, 2896914383306846353, p[1], C)
  448. u, v = madd1(x[2], x[2], p[2])
  449. C, p[1] = madd2(m, 13281191951274694749, v, C)
  450. _, u, v = madd2sb(x[2], x[3], p[3], u)
  451. p[3], p[2] = madd3(m, 3486998266802970665, v, C, u)
  452. }
  453. {
  454. // round 3
  455. m := p[0] * 14042775128853446655
  456. C := madd0(m, 4891460686036598785, p[0])
  457. C, z[0] = madd2(m, 2896914383306846353, p[1], C)
  458. C, z[1] = madd2(m, 13281191951274694749, p[2], C)
  459. u, v = madd1(x[3], x[3], p[3])
  460. z[3], z[2] = madd3(m, 3486998266802970665, v, C, u)
  461. }
  463. // if z > q --> z -= q
  464. // note: this is NOT constant time
  465. if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
  466. var b uint64
  467. z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
  468. z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
  469. z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
  470. z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
  471. }
  472. return z
  474. }