Merge pull request #192 from 0xPolygonMiden/bobbin-feature-cleanup

Feature clean up

CHANGELOG.md

@@ -3,9 +3,11 @@
 * Replaced `MerklePathSet` with `PartialMerkleTree` (#165).
 * Implemented clearing of nodes in `TieredSmt` (#173).
 * Added ability to generate inclusion proofs for `TieredSmt` (#174).
+* Implemented Falcon DSA (#179).
 * Added conditional `serde`` support for various structs (#180).
 * Implemented benchmarking for `TieredSmt` (#182).
 * Added more leaf traversal methods for `MerkleStore` (#185).
+* Added SVE acceleration for RPO hash function (#189).
 
 ## 0.6.0 (2023-06-25)
 

Cargo.toml

@@ -32,22 +32,21 @@ name = "store"
 harness = false
 
 [features]
-arch-arm64-sve = ["dep:cc"]
-default = ["blake3/default", "std", "winter_crypto/default", "winter_math/default", "winter_utils/default"]
+default = ["std"]
 executable = ["dep:clap", "dep:rand_utils", "std"]
-std = ["blake3/std", "dep:cc", "dep:libc", "dep:rand", "winter_crypto/std", "winter_math/std", "winter_utils/std"]
-serde = ["winter_math/serde", "dep:serde", "serde/alloc"]
+serde = ["dep:serde", "serde?/alloc", "winter_math/serde"]
+std = ["blake3/std", "dep:cc", "dep:libc", "winter_crypto/std", "winter_math/std", "winter_utils/std"]
+sve = ["std"]
 
 [dependencies]
 blake3 = { version = "1.4", default-features = false }
-clap = { version = "4.3", features = ["derive"], optional = true}
-libc = { version =  "0.2", optional = true, default-features = false }
-rand = { version =  "0.8", optional = true, default-features = false }
+clap = { version = "4.3", features = ["derive"], optional = true }
+libc = { version =  "0.2", default-features = false, optional = true }
+rand_utils = { version = "0.6", package = "winter-rand-utils", optional = true }
+serde = { version = "1.0", features = [ "derive" ], default-features = false, optional = true }
 winter_crypto = { version = "0.6", package = "winter-crypto", default-features = false }
 winter_math = { version = "0.6", package = "winter-math", default-features = false }
 winter_utils = { version = "0.6", package = "winter-utils", default-features = false }
-serde = { version = "1.0", features = [ "derive" ], optional = true, default-features = false }
-rand_utils = { version = "0.6", package = "winter-rand-utils", optional = true }
 
 [dev-dependencies]
 criterion = { version = "0.5", features = ["html_reports"] }

README.md

@@ -31,6 +31,12 @@ Both of these features imply the use of [alloc](https://doc.rust-lang.org/alloc/
 
 To compile with `no_std`, disable default features via `--no-default-features` flag.
 
+### SVE acceleration
+On platforms with [SVE](https://en.wikipedia.org/wiki/AArch64#Scalable_Vector_Extension_(SVE)) support, RPO hash function can be accelerated by using the vector processing unit. To enable SVE acceleration, the code needs to be compiled with the `sve` feature enabled. This feature has an effect only if the platform exposes `target-feature=sve` flag. On some platforms (e.g., Graviton 3), for this flag to be set, the compilation must be done in "native" mode. For example, to enable SVE acceleration on Graviton 3, we can execute the following:
+```shell
+RUSTFLAGS="-C target-cpu=native" cargo build --release --features sve
+```
+
 ## Testing
 
 You can use cargo defaults to test the library:

benches/README.md

@@ -19,7 +19,7 @@ The second scenario is that of sequential hashing where we take a sequence of le
 | ------------------- | ------ | --------| --------- | --------- | ------- |
 | Apple M1 Pro        | 80 ns  | 245 ns  |  1.5 us   |  9.1 us   | 5.4 us  |
 | Apple M2            | 76 ns  | 233 ns  |  1.3 us   |  7.9 us   | 5.0 us  |
-| Amazon Graviton 3   | 116 ns |         |           |           | 8.8 us  |
+| Amazon Graviton 3   | 108 ns |         |           |           | 5.3 us  |
 | AMD Ryzen 9 5950X   | 64 ns  | 273 ns  |  1.2 us   |  9.1 us   | 5.5 us  |
 | Intel Core i5-8279U | 80 ns  |         |           |           | 8.7 us  |
 | Intel Xeon 8375C    | 67 ns  |         |           |           | 8.2 us  |
@@ -30,11 +30,14 @@ The second scenario is that of sequential hashing where we take a sequence of le
 | ------------------- | -------| ------- | --------- | --------- | ------- |
 | Apple M1 Pro        | 1.0 us | 1.5 us  |  19.4 us  |   118 us  | 70 us   |
 | Apple M2            | 1.0 us | 1.5 us  |  17.4 us  |   103 us  | 65 us   |
-| Amazon Graviton 3   | 1.4 us |         |           |           | 114 us  |
+| Amazon Graviton 3   | 1.4 us |         |           |           | 69 us   |
 | AMD Ryzen 9 5950X   | 0.8 us | 1.7 us  |  15.7 us  |   120 us  | 72 us   |
 | Intel Core i5-8279U | 1.0 us |         |           |           | 116 us  |
 | Intel Xeon 8375C    | 0.8 ns |         |           |           | 110 us  |
 
+Notes:
+- On Graviton 3, RPO256 is run with SVE acceleration enabled.
+
 ### Instructions
 Before you can run the benchmarks, you'll need to make sure you have Rust [installed](https://www.rust-lang.org/tools/install). After that, to run the benchmarks for RPO and BLAKE3, clone the current repository, and from the root directory of the repo run the following:
 

build.rs

@@ -2,7 +2,7 @@ fn main() {
     #[cfg(feature = "std")]
     compile_rpo_falcon();
 
-    #[cfg(feature = "arch-arm64-sve")]
+    #[cfg(all(target_feature = "sve", feature = "sve"))]
     compile_arch_arm64_sve();
 }
 
@@ -10,31 +10,40 @@ fn main() {
 fn compile_rpo_falcon() {
     use std::path::PathBuf;
 
+    const RPO_FALCON_PATH: &str = "src/dsa/rpo_falcon512/falcon_c";
+
+    println!("cargo:rerun-if-changed={RPO_FALCON_PATH}/falcon.h");
+    println!("cargo:rerun-if-changed={RPO_FALCON_PATH}/falcon.c");
+    println!("cargo:rerun-if-changed={RPO_FALCON_PATH}/rpo.h");
+    println!("cargo:rerun-if-changed={RPO_FALCON_PATH}/rpo.c");
+
     let target_dir: PathBuf = ["PQClean", "crypto_sign", "falcon-512", "clean"].iter().collect();
     let common_dir: PathBuf = ["PQClean", "common"].iter().collect();
-    let rpo_dir: PathBuf = ["src", "dsa", "rpo_falcon512", "falcon_c"].iter().collect();
 
     let scheme_files = glob::glob(target_dir.join("*.c").to_str().unwrap()).unwrap();
     let common_files = glob::glob(common_dir.join("*.c").to_str().unwrap()).unwrap();
-    let rpo_files = glob::glob(rpo_dir.join("*.c").to_str().unwrap()).unwrap();
 
     cc::Build::new()
         .include(&common_dir)
         .include(target_dir)
         .files(scheme_files.into_iter().map(|p| p.unwrap().to_string_lossy().into_owned()))
         .files(common_files.into_iter().map(|p| p.unwrap().to_string_lossy().into_owned()))
-        .files(rpo_files.into_iter().map(|p| p.unwrap().to_string_lossy().into_owned()))
-        .compile("falcon-512_clean");
+        .file(format!("{RPO_FALCON_PATH}/falcon.c"))
+        .file(format!("{RPO_FALCON_PATH}/rpo.c"))
+        .flag("-O3")
+        .compile("rpo_falcon512");
 }
 
-#[cfg(feature = "arch-arm64-sve")]
+#[cfg(all(target_feature = "sve", feature = "sve"))]
 fn compile_arch_arm64_sve() {
-    println!("cargo:rerun-if-changed=arch/arm64-sve/rpo/library.c");
-    println!("cargo:rerun-if-changed=arch/arm64-sve/rpo/library.h");
-    println!("cargo:rerun-if-changed=arch/arm64-sve/rpo/rpo_hash.h");
+    const RPO_SVE_PATH: &str = "arch/arm64-sve/rpo";
+
+    println!("cargo:rerun-if-changed={RPO_SVE_PATH}/library.c");
+    println!("cargo:rerun-if-changed={RPO_SVE_PATH}/library.h");
+    println!("cargo:rerun-if-changed={RPO_SVE_PATH}/rpo_hash.h");
 
     cc::Build::new()
-        .file("arch/arm64-sve/rpo/library.c")
+        .file(format!("{RPO_SVE_PATH}/library.c"))
         .flag("-march=armv8-a+sve")
         .flag("-O3")
         .compile("rpo_sve");

src/dsa/rpo_falcon512/falcon_c/falcon_rpo.c → src/dsa/rpo_falcon512/falcon_c/falcon.c

@@ -4,7 +4,7 @@
 
 #include <string.h>
 #include "randombytes.h"
-#include "api_rpo.h"
+#include "falcon.h"
 #include "inner.h"
 #include "rpo.h"
 
@@ -37,10 +37,12 @@
  *      (signature length is 1+len(value), not counting the nonce)
  */
 
-/* see api_rpo.h */
+/* see falcon.h */
 int PQCLEAN_FALCON512_CLEAN_crypto_sign_keypair_from_seed_rpo(
-    uint8_t *pk, uint8_t *sk, unsigned char *seed)
-{
+    uint8_t *pk,
+    uint8_t *sk,
+    unsigned char *seed
+) {
     union
     {
         uint8_t b[FALCON_KEYGEN_TEMP_9];
@@ -111,8 +113,9 @@ int PQCLEAN_FALCON512_CLEAN_crypto_sign_keypair_from_seed_rpo(
 }
 
 int PQCLEAN_FALCON512_CLEAN_crypto_sign_keypair_rpo(
-    uint8_t *pk, uint8_t *sk)
-{
+    uint8_t *pk,
+    uint8_t *sk
+) {
     unsigned char seed[48];
 
     /*
@@ -137,10 +140,14 @@ int PQCLEAN_FALCON512_CLEAN_crypto_sign_keypair_rpo(
  *
  * Return value: 0 on success, -1 on error.
  */
-static int
-do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t *sigbuflen,
-        const uint8_t *m, size_t mlen, const uint8_t *sk)
-{
+static int do_sign(
+    uint8_t *nonce,
+    uint8_t *sigbuf,
+    size_t *sigbuflen,
+    const uint8_t *m,
+    size_t mlen,
+    const uint8_t *sk
+) {
     union
     {
         uint8_t b[72 * 512];
@@ -261,11 +268,14 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t *sigbuflen,
  * (of size sigbuflen) contains the signature value, not including the
  * header byte or nonce. Return value is 0 on success, -1 on error.
  */
-static int
-do_verify(
-    const uint8_t *nonce, const uint8_t *sigbuf, size_t sigbuflen,
-    const uint8_t *m, size_t mlen, const uint8_t *pk)
-{
+static int do_verify(
+    const uint8_t *nonce,
+    const uint8_t *sigbuf,
+    size_t sigbuflen,
+    const uint8_t *m,
+    size_t mlen,
+    const uint8_t *pk
+) {
     union
     {
         uint8_t b[2 * 512];
@@ -341,11 +351,14 @@ do_verify(
     return 0;
 }
 
-/* see api_rpo.h */
+/* see falcon.h */
 int PQCLEAN_FALCON512_CLEAN_crypto_sign_signature_rpo(
-    uint8_t *sig, size_t *siglen,
-    const uint8_t *m, size_t mlen, const uint8_t *sk)
-{
+    uint8_t *sig,
+    size_t *siglen,
+    const uint8_t *m,
+    size_t mlen,
+    const uint8_t *sk
+) {
     /*
      * The PQCLEAN_FALCON512_CLEAN_CRYPTO_BYTES constant is used for
      * the signed message object (as produced by crypto_sign())
@@ -369,11 +382,14 @@ int PQCLEAN_FALCON512_CLEAN_crypto_sign_signature_rpo(
     return 0;
 }
 
-/* see api_rpo.h */
+/* see falcon.h */
 int PQCLEAN_FALCON512_CLEAN_crypto_sign_verify_rpo(
-    const uint8_t *sig, size_t siglen,
-    const uint8_t *m, size_t mlen, const uint8_t *pk)
-{
+    const uint8_t *sig,
+    size_t siglen,
+    const uint8_t *m,
+    size_t mlen,
+    const uint8_t *pk
+) {
     if (siglen < 1 + NONCELEN)
     {
         return -1;
@@ -382,6 +398,5 @@ int PQCLEAN_FALCON512_CLEAN_crypto_sign_verify_rpo(
     {
         return -1;
     }
-    return do_verify(sig + 1,
-                     sig + 1 + NONCELEN, siglen - 1 - NONCELEN, m, mlen, pk);
+    return do_verify(sig + 1, sig + 1 + NONCELEN, siglen - 1 - NONCELEN, m, mlen, pk);
 }

src/dsa/rpo_falcon512/falcon_c/rpo.c

@@ -14,7 +14,7 @@
 #define M 12289
 
 // From https://github.com/ncw/iprime/blob/master/mod_math_noasm.go
-uint64_t add_mod_p(uint64_t a, uint64_t b)
+static uint64_t add_mod_p(uint64_t a, uint64_t b)
 {
     a = P - a;
     uint64_t res = b - a;
@@ -23,7 +23,7 @@ uint64_t add_mod_p(uint64_t a, uint64_t b)
     return res;
 }
 
-uint64_t sub_mod_p(uint64_t a, uint64_t b)
+static uint64_t sub_mod_p(uint64_t a, uint64_t b)
 {
     uint64_t r = a - b;
     if (a < b)
@@ -31,7 +31,7 @@ uint64_t sub_mod_p(uint64_t a, uint64_t b)
     return r;
 }
 
-uint64_t reduce_mod_p(uint64_t b, uint64_t a)
+static uint64_t reduce_mod_p(uint64_t b, uint64_t a)
 {
     uint32_t d = b >> 32,
              c = b;
@@ -43,7 +43,7 @@ uint64_t reduce_mod_p(uint64_t b, uint64_t a)
     return a;
 }
 
-uint64_t mult_mod_p(uint64_t x, uint64_t y)
+static uint64_t mult_mod_p(uint64_t x, uint64_t y)
 {
     uint32_t a = x,
              b = x >> 32,
@@ -85,7 +85,7 @@ static const uint64_t NUM_ROUNDS = 7;
 /*
  * MDS matrix
  */
-const uint64_t MDS[12][12] = {
+static const uint64_t MDS[12][12] = {
     {  7, 23,  8, 26, 13, 10,  9,  7,  6, 22, 21,  8 },
     {  8,  7, 23,  8, 26, 13, 10,  9,  7,  6, 22, 21 },
     { 21,  8,  7, 23,  8, 26, 13, 10,  9,  7,  6, 22 },
@@ -103,7 +103,7 @@ const uint64_t MDS[12][12] = {
 /*
  * Round constants.
  */
-const uint64_t ARK1[7][12] = {
+static const uint64_t ARK1[7][12] = {
     {
         5789762306288267392ULL,
         6522564764413701783ULL,
@@ -304,7 +304,7 @@ const uint64_t ARK2[7][12] = {
     },
 };
 
-void apply_sbox(uint64_t *const state)
+static void apply_sbox(uint64_t *const state)
 {
     for (uint64_t i = 0; i < STATE_WIDTH; i++)
     {
@@ -315,7 +315,7 @@ void apply_sbox(uint64_t *const state)
     }
 }
 
-void apply_mds(uint64_t *state)
+static void apply_mds(uint64_t *state)
 {
     uint64_t res[STATE_WIDTH];
     for (uint64_t i = 0; i < STATE_WIDTH; i++)
@@ -336,7 +336,7 @@ void apply_mds(uint64_t *state)
     }
 }
 
-void apply_constants(uint64_t *const state, const uint64_t *ark)
+static void apply_constants(uint64_t *const state, const uint64_t *ark)
 {
     for (uint64_t i = 0; i < STATE_WIDTH; i++)
     {
@@ -344,7 +344,7 @@ void apply_constants(uint64_t *const state, const uint64_t *ark)
     }
 }
 
-void exp_acc(const uint64_t m, const uint64_t *base, const uint64_t *tail, uint64_t *const res)
+static  void exp_acc(const uint64_t m, const uint64_t *base, const uint64_t *tail, uint64_t *const res)
 {
     for (uint64_t i = 0; i < m; i++)
     {
@@ -367,7 +367,7 @@ void exp_acc(const uint64_t m, const uint64_t *base, const uint64_t *tail, uint6
     }
 }
 
-void apply_inv_sbox(uint64_t *const state)
+static void apply_inv_sbox(uint64_t *const state)
 {
     uint64_t t1[STATE_WIDTH];
     for (uint64_t i = 0; i < STATE_WIDTH; i++)
@@ -435,7 +435,7 @@ void apply_inv_sbox(uint64_t *const state)
     }
 }
 
-void apply_round(uint64_t *const state, const uint64_t round)
+static void apply_round(uint64_t *const state, const uint64_t round)
 {
     apply_mds(state);
     apply_constants(state, ARK1[round]);
@@ -579,4 +579,4 @@ void PQCLEAN_FALCON512_CLEAN_hash_to_point_rpo(rpo128_context *rc, uint16_t *x,
         *x++ = (uint16_t)w;
         n--;
     }
-}
+}

src/dsa/rpo_falcon512/ffi.rs

@@ -3,6 +3,7 @@ use libc::c_int;
 // C IMPLEMENTATION INTERFACE
 // ================================================================================================
 
+#[link(name = "rpo_falcon512", kind = "static")]
 extern "C" {
     /// Generate a new key pair. Public key goes into pk[], private key in sk[].
     /// Key sizes are exact (in bytes):
@@ -97,19 +98,18 @@ pub struct Rpo128Context {
 mod tests {
     use super::*;
     use crate::dsa::rpo_falcon512::{NONCE_LEN, PK_LEN, SIG_LEN, SK_LEN};
-    use rand::Rng;
+    use rand_utils::{rand_array, rand_value, rand_vector};
 
     #[test]
     fn falcon_ffi() {
         unsafe {
-            let mut rng = rand::thread_rng();
+            //let mut rng = rand::thread_rng();
 
             // --- generate a key pair from a seed ----------------------------
 
             let mut pk = [0u8; PK_LEN];
             let mut sk = [0u8; SK_LEN];
-            let seed: [u8; NONCE_LEN] =
-                (0..NONCE_LEN).map(|_| rng.gen()).collect::<Vec<u8>>().try_into().unwrap();
+            let seed: [u8; NONCE_LEN] = rand_array();
 
             assert_eq!(
                 0,
@@ -122,8 +122,8 @@ mod tests {
 
             // --- sign a message and make sure it verifies -------------------
 
-            let mlen: usize = rng.gen::<u16>() as usize;
-            let msg: Vec<u8> = (0..mlen).map(|_| rng.gen()).collect();
+            let mlen: usize = rand_value::<u16>() as usize;
+            let msg: Vec<u8> = rand_vector(mlen);
             let mut detached_sig = [0u8; NONCE_LEN + SIG_LEN];
             let mut siglen = 0;
 

src/hash/rpo/mod.rs

@@ -10,7 +10,7 @@ use mds_freq::mds_multiply_freq;
 #[cfg(test)]
 mod tests;
 
-#[cfg(feature = "arch-arm64-sve")]
+#[cfg(all(target_feature = "sve", feature = "sve"))]
 #[link(name = "rpo_sve", kind = "static")]
 extern "C" {
     fn add_constants_and_apply_sbox(
@@ -375,7 +375,7 @@ impl Rpo256 {
     // --------------------------------------------------------------------------------------------
 
     #[inline(always)]
-    #[cfg(feature = "arch-arm64-sve")]
+    #[cfg(all(target_feature = "sve", feature = "sve"))]
     fn optimized_add_constants_and_apply_sbox(
         state: &mut [Felt; STATE_WIDTH],
         ark: &[Felt; STATE_WIDTH],
@@ -386,7 +386,7 @@ impl Rpo256 {
     }
 
     #[inline(always)]
-    #[cfg(not(feature = "arch-arm64-sve"))]
+    #[cfg(not(all(target_feature = "sve", feature = "sve")))]
     fn optimized_add_constants_and_apply_sbox(
         _state: &mut [Felt; STATE_WIDTH],
         _ark: &[Felt; STATE_WIDTH],
@@ -395,7 +395,7 @@ impl Rpo256 {
     }
 
     #[inline(always)]
-    #[cfg(feature = "arch-arm64-sve")]
+    #[cfg(all(target_feature = "sve", feature = "sve"))]
     fn optimized_add_constants_and_apply_inv_sbox(
         state: &mut [Felt; STATE_WIDTH],
         ark: &[Felt; STATE_WIDTH],
@@ -409,7 +409,7 @@ impl Rpo256 {
     }
 
     #[inline(always)]
-    #[cfg(not(feature = "arch-arm64-sve"))]
+    #[cfg(not(all(target_feature = "sve", feature = "sve")))]
     fn optimized_add_constants_and_apply_inv_sbox(
         _state: &mut [Felt; STATE_WIDTH],
         _ark: &[Felt; STATE_WIDTH],

src/main.rs

@@ -31,23 +31,23 @@ pub fn benchmark_tsmt() {
     let tree_size = args.size;
 
     // prepare the `leaves` vector for tree creation
-    let mut leaves = Vec::new();
+    let mut entries = Vec::new();
     for i in 0..tree_size {
         let key = rand_value::<RpoDigest>();
         let value = [ONE, ONE, ONE, Felt::new(i)];
-        leaves.push((key, value));
+        entries.push((key, value));
     }
 
-    let mut tree = construction(leaves, tree_size).unwrap();
+    let mut tree = construction(entries, tree_size).unwrap();
     insertion(&mut tree, tree_size).unwrap();
     proof_generation(&mut tree, tree_size).unwrap();
 }
 
 /// Runs the construction benchmark for the Tiered SMT, returning the constructed tree.
-pub fn construction(leaves: Vec<(RpoDigest, Word)>, size: u64) -> Result<TieredSmt, MerkleError> {
+pub fn construction(entries: Vec<(RpoDigest, Word)>, size: u64) -> Result<TieredSmt, MerkleError> {
     println!("Running a construction benchmark:");
     let now = Instant::now();
-    let tree = TieredSmt::with_leaves(leaves)?;
+    let tree = TieredSmt::with_entries(entries)?;
     let elapsed = now.elapsed();
     println!(
         "Constructed a TSMT with {} key-value pairs in {:.3} seconds",

src/merkle/tiered_smt/mod.rs

@@ -73,7 +73,7 @@ impl TieredSmt {
     ///
     /// # Errors
     /// Returns an error if the provided entries contain multiple values for the same key.
-    pub fn with_leaves<R, I>(entries: R) -> Result<Self, MerkleError>
+    pub fn with_entries<R, I>(entries: R) -> Result<Self, MerkleError>
     where
         R: IntoIterator<IntoIter = I>,
         I: Iterator<Item = (RpoDigest, Word)> + ExactSizeIterator,