poseidon consistent use of T

fix #9
Add test that breaks poseidion due to padding
2026-02-07 11:36:41 +01:00 · 2019-12-17 18:15:22 +01:00 · 2019-12-17 18:04:49 +01:00 · 2019-12-16 17:24:22 +01:00 · 2019-12-16 16:48:38 +01:00 · 2019-12-16 13:36:43 +01:00
5 changed files with 176 additions and 13 deletions
--- a/babyjub/babyjub_test.go
+++ b/babyjub/babyjub_test.go
@@ -3,8 +3,10 @@ package babyjub
 import (
 	"encoding/hex"
 	"math/big"
+	"math/rand"
 	"testing"

+	"github.com/iden3/go-iden3-crypto/constants"
 	"github.com/iden3/go-iden3-crypto/utils"
 	"github.com/stretchr/testify/assert"
 )
@@ -231,3 +233,74 @@ func TestCompressDecompressRnd(t *testing.T) {
 		assert.Equal(t, p1, p2)
 	}
 }
+
+func BenchmarkBabyjub(b *testing.B) {
+	const n = 256
+
+	rnd := rand.New(rand.NewSource(42))
+
+	var badpoints [n]*Point
+	for i := 0; i < n; i++ {
+		x := new(big.Int).Rand(rnd, constants.Q)
+		y := new(big.Int).Rand(rnd, constants.Q)
+		badpoints[i] = &Point{X: x, Y: y}
+	}
+
+	var points [n]*Point
+	baseX := utils.NewIntFromString(
+		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
+	baseY := utils.NewIntFromString(
+		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
+	base := &Point{X: baseX, Y: baseY}
+	for i := 0; i < n; i++ {
+		s := new(big.Int).Rand(rnd, constants.Q)
+		points[i] = NewPoint().Mul(s, base)
+	}
+
+	var scalars [n]*big.Int
+	for i := 0; i < n; i++ {
+		scalars[i] = new(big.Int).Rand(rnd, constants.Q)
+	}
+
+	b.Run("AddConst", func(b *testing.B) {
+		p0 := &Point{X: big.NewInt(0), Y: big.NewInt(1)}
+		p1 := &Point{X: big.NewInt(0), Y: big.NewInt(1)}
+
+		p2 := NewPoint()
+		for i := 0; i < b.N; i++ {
+			p2.Add(p0, p1)
+		}
+	})
+
+	b.Run("AddRnd", func(b *testing.B) {
+		res := NewPoint()
+		for i := 0; i < b.N; i++ {
+			res.Add(points[i%(n/2)], points[i%(n/2)+1])
+		}
+	})
+
+	b.Run("MulRnd", func(b *testing.B) {
+		res := NewPoint()
+		for i := 0; i < b.N; i++ {
+			res.Mul(scalars[i%n], points[i%n])
+		}
+	})
+
+	b.Run("Compress", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			points[i%n].Compress()
+		}
+	})
+
+	b.Run("InCurve", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			badpoints[i%n].InCurve()
+		}
+	})
+
+	b.Run("InSubGroup", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			points[i%n].InCurve()
+		}
+	})
+}
--- a/babyjub/eddsa_test.go
+++ b/babyjub/eddsa_test.go
@@ -25,6 +25,16 @@ func genInputs() (*PrivateKey, *big.Int) {
 	return &k, msg
 }

+func TestPublicKey(t *testing.T) {
+	var k PrivateKey
+	for i := 0; i < 256; i++ {
+		hex.Decode(k[:], []byte{byte(i)})
+	}
+	pk := k.Public()
+	assert.True(t, pk.X.Cmp(constants.Q) == -1)
+	assert.True(t, pk.Y.Cmp(constants.Q) == -1)
+}
+
 func TestSignVerifyMimc7(t *testing.T) {
 	var k PrivateKey
 	hex.Decode(k[:], []byte("0001020304050607080900010203040506070809000102030405060708090001"))
@@ -131,3 +141,54 @@ func TestCompressDecompress(t *testing.T) {
 		assert.Equal(t, true, ok)
 	}
 }
+
+func BenchmarkBabyjubEddsa(b *testing.B) {
+	var k PrivateKey
+	hex.Decode(k[:], []byte("0001020304050607080900010203040506070809000102030405060708090001"))
+	pk := k.Public()
+
+	const n = 256
+
+	msgBuf, err := hex.DecodeString("00010203040506070809")
+	if err != nil {
+		panic(err)
+	}
+	msg := utils.SetBigIntFromLEBytes(new(big.Int), msgBuf)
+	var msgs [n]*big.Int
+	for i := 0; i < n; i++ {
+		msgs[i] = new(big.Int).Add(msg, big.NewInt(int64(i)))
+	}
+	var sigs [n]*Signature
+
+	b.Run("SignMimc7", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			k.SignMimc7(msgs[i%n])
+		}
+	})
+
+	for i := 0; i < n; i++ {
+		sigs[i%n] = k.SignMimc7(msgs[i%n])
+	}
+
+	b.Run("VerifyMimc7", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			pk.VerifyMimc7(msgs[i%n], sigs[i%n])
+		}
+	})
+
+	b.Run("SignPoseidon", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			k.SignPoseidon(msgs[i%n])
+		}
+	})
+
+	for i := 0; i < n; i++ {
+		sigs[i%n] = k.SignPoseidon(msgs[i%n])
+	}
+
+	b.Run("VerifyPoseidon", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			pk.VerifyPoseidon(msgs[i%n], sigs[i%n])
+		}
+	})
+}
--- a/mimc7/mimc7_test.go
+++ b/mimc7/mimc7_test.go
@@ -91,9 +91,7 @@ func BenchmarkMIMC7(b *testing.B) {
 	b41 := big.NewInt(int64(41))
 	bigArray4 := []*big.Int{b12, b45, b78, b41}

-	var h4 *big.Int
 	for i := 0; i < b.N; i++ {
-		h4, _ = Hash(bigArray4, nil)
+		Hash(bigArray4, nil)
 	}
-	println(h4)
 }
--- a/poseidon/poseidon.go
+++ b/poseidon/poseidon.go
@@ -101,7 +101,7 @@ func checkAllDifferent(v []*big.Int) bool {

 // ark computes Add-Round Key, from the paper https://eprint.iacr.org/2019/458.pdf
 func ark(state []*big.Int, c *big.Int) []*big.Int {
-	for i := 0; i < len(state); i++ {
+	for i := 0; i < T; i++ {
 		state[i] = constants.fqR.Add(state[i], c)
 	}
 	return state
@@ -167,16 +167,17 @@ func Hash(arr []*big.Int) (*big.Int, error) {
 	}

 	r := constants.fqR.Zero()
-	for i := 0; i < len(arr); i = i + 5 {
-		var fiveElems []*big.Int
-		for j := 0; j < 5; j++ {
+	for i := 0; i < len(arr); i = i + T - 1 {
+		var toHash [T]*big.Int
+		for j := 0; j < T-1; j++ {
 			if i+j < len(arr) {
-				fiveElems = append(fiveElems, arr[i+j])
+				toHash[j] = arr[i+j]
 			} else {
-				fiveElems = append(fiveElems, big.NewInt(int64(0)))
+				toHash[j] = _constants.Zero
 			}
 		}
-		ph, err := PoseidonHash(fiveElems)
+		toHash[T-1] = r
+		ph, err := PoseidonHash(toHash[:])
 		if err != nil {
 			return nil, err
 		}
--- a/poseidon/poseidon_test.go
+++ b/poseidon/poseidon_test.go
@@ -43,7 +43,7 @@ func TestPoseidon(t *testing.T) {
 	}
 	hmsg, err := Hash(msgElems)
 	assert.Nil(t, err)
-	assert.Equal(t, "11821124228916291136371255062457365369197326845706357273715164664419275913793", hmsg.String())
+	assert.Equal(t, "19204466598658860237115179437116112945222240370078952939676636700594938553268", hmsg.String())

 	msg2 := []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Lorem ipsum dolor sit amet.")
 	msg2Elems := make([]*big.Int, 0, len(msg2)/n+1)
@@ -59,9 +59,39 @@ func TestPoseidon(t *testing.T) {
 	}
 	hmsg2, err := Hash(msg2Elems)
 	assert.Nil(t, err)
-	assert.Equal(t, "10747013384255785702102976082726575658403084163954725275481577373644732938016", hmsg2.String())
+	assert.Equal(t, "11846976426841208067103690249139614816718727366915557488657094868020932500524", hmsg2.String())

 	hmsg2, err = HashBytes(msg2)
 	assert.Nil(t, err)
-	assert.Equal(t, "10747013384255785702102976082726575658403084163954725275481577373644732938016", hmsg2.String())
+	assert.Equal(t, "11846976426841208067103690249139614816718727366915557488657094868020932500524", hmsg2.String())
+}
+
+func TestPoseidonBrokenChunks(t *testing.T) {
+	h1, err := Hash([]*big.Int{big.NewInt(0), big.NewInt(1), big.NewInt(2), big.NewInt(3), big.NewInt(4),
+		big.NewInt(5), big.NewInt(6), big.NewInt(7), big.NewInt(8), big.NewInt(9)})
+	assert.Nil(t, err)
+	h2, err := Hash([]*big.Int{big.NewInt(5), big.NewInt(6), big.NewInt(7), big.NewInt(8), big.NewInt(9),
+		big.NewInt(0), big.NewInt(1), big.NewInt(2), big.NewInt(3), big.NewInt(4)})
+	assert.Nil(t, err)
+	assert.NotEqual(t, h1, h2)
+}
+
+func TestPoseidonBrokenPadding(t *testing.T) {
+	h1, err := Hash([]*big.Int{big.NewInt(1)})
+	assert.Nil(t, err)
+	h2, err := Hash([]*big.Int{big.NewInt(1), big.NewInt(0)})
+	assert.Nil(t, err)
+	assert.NotEqual(t, h1, h2)
+}
+
+func BenchmarkPoseidon(b *testing.B) {
+	b12 := big.NewInt(int64(12))
+	b45 := big.NewInt(int64(45))
+	b78 := big.NewInt(int64(78))
+	b41 := big.NewInt(int64(41))
+	bigArray4 := []*big.Int{b12, b45, b78, b41}
+
+	for i := 0; i < b.N; i++ {
+		Hash(bigArray4)
+	}
 }
Author	SHA1	Message	Date
arnaucube	c754d01ce0	poseidon consistent use of T	2019-12-17 18:15:22 +01:00
arnaucube	fcb586591a	fix #9	2019-12-17 18:04:49 +01:00
Eduard S	7c6170453e	Add test that breaks poseidion due to padding	2019-12-16 17:24:22 +01:00
Eduard S	27ec5b26df	Add test that breaks poseidon due to a security issue	2019-12-16 16:48:38 +01:00
Eduard S	53b9050d0a	Add babujub eddsa benchmarks	2019-12-16 13:36:43 +01:00
Eduard S	a5b6afcb16	Add poseidon and babyjub benchmarks	2019-12-16 13:08:34 +01:00
arnau	4356f44a3d	Merge pull request #6 from iden3/feature/testBJPKField Test that babyjub pk is always < Q	2019-12-09 15:59:10 +01:00
Eduard S	5ade04e079	Test that babyjub pk is always < Q	2019-12-09 12:30:50 +01:00
Eduard S	eb7d86c5b3	Merge pull request #5 from iden3/decompress-modsqrt return error if no ModSqrt(x, q) exist in babyjubjub decompress point	2019-09-10 10:48:18 +02:00