[Fix] bchec: Constant time field normalization #78
Conversation
zquestz
changed the title
|
I'm not really qualified to evaluate this one |
|
Obviously I approve 👍 |
|
Any chance @davecgh or @stevenroose can review this? I like the change but would love another set of eyes on this! |
|
@jimpo would love if you checked this out. |
There was a problem hiding this comment.
Nice work! Looks correct to me.
However, given that the constant_time routines have the same requirements as crypto/subtle (that all values are at most 31 bits) and the casts don't matter, I see no reason not to use crypto/subtle directly. I'd recommend something more like jimpo@c13c877.
| // BenchmarkFieldNormalize2 requires the evaluation of more involved logic in | ||
| // field.Normalize(). We should ensure the runtime is the same as in | ||
| // BenchmarkFieldNormalize | ||
| func BenchmarkFieldNormalize2(b *testing.B) { |
There was a problem hiding this comment.
nit: BenchmarkFieldNormalizeWithCarry seems like a better name.
Also, I'm not sure this provides much benefit since it doesn't automatically compare the timing against regular BenchmarkFieldNormalize.
| // BenchmarkFieldNormalize | ||
| func BenchmarkFieldNormalize2(b *testing.B) { | ||
| f := new(fieldVal) | ||
| f.n = [10]uint32{0x148f6, 0x3ffffc0, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x000007} |
There was a problem hiding this comment.
Might as well just construct the fieldVal directly: f := &fieldVal{ [10]uint32{...} }
| // It works by checking the most significant bit, and then testing the | ||
| // rest of the bits by casting to int32 | ||
| func lessThanUint32(x, y uint32) uint32 { | ||
| diff := int32(x) - int32(y) |
There was a problem hiding this comment.
All of the casts to/from int32 are useless. uint32s overflow/underflow in the exact same way.
There was a problem hiding this comment.
I will try to update my branch in btcd accordingly
| @@ -307,6 +307,16 @@ func TestNormalize(t *testing.T) { | |||
| [10]uint32{0x03fffc30, 0x03ffffc0, 0x03ffffff, 0x03ffffff, 0x03ffffff, 0x03ffffff, 0x03ffffff, 0x03ffffff, 0x07ffffff, 0x003fffff}, | |||
| [10]uint32{0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001}, | |||
| }, | |||
| // A more difficult branch for the Normalize logic | |||
There was a problem hiding this comment.
Better comment:
// Number less than P that satisfies two of the three overflow
// conditions for a field value of magnitude of 1 with value greater
// than P in all but the last word.
| [10]uint32{0x148f6, 0x3ffffc0, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x000007}, | ||
| [10]uint32{0x148f6, 0x3ffffc0, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x3ffffff, 0x000007}, | ||
| }, | ||
| // A test that would fail without the check t2&t3&t4&t5&t6&t7&t8 == fieldBaseMask before normalization |
There was a problem hiding this comment.
Better comment:
// Number less than P that satisfies two of the three overflow
// conditions for a field value of magnitude of 1 with value greater
// than P in all but the second to last word.
|
@jimpo I suspect re-writing the crypto/subtle functions in uint32 provides a non-negligible speedup, especially given that the casts I was doing were unnecessary. Also having a strict equality checker (LessThan) makes things more readable in this case I think, so I would still support writing the functions for this specific case here. I'll try to do a benchmark and update my btcd branch. |
|
Also thanks for the great reveiw @jimpo! |
|
Thanks for reviewing @jimpo ! |
cpacia
force-pushed
the
master
branch
3 times, most recently
from
59fd420 to
25c2c60
Compare
There was a problem hiding this comment.
Hiya, @zquestz suggested I do a drive-by review of this languishing PR.
(bear in mind: I'm more of a C++ programmer and have never used go)
| return uint32((diff >> 31) & 1) | ||
| } | ||
|
|
||
| // isZeroUint32 returns 1 if x == y and 0 otherwise. |
There was a problem hiding this comment.
hmm mistaken comment should be like // isZeroUint32 returns 1 if x == 0 and 0 otherwise.
Therefore y is zero (kidding).
| // isZeroUint32 returns 1 if x == y and 0 otherwise. | ||
| func isZeroUint32(x uint32) uint32 { | ||
| x32 := int32(x) | ||
| return uint32((((x32 - 1) ^ x32) >> 31) & 1) |
There was a problem hiding this comment.
I agree, the cast to int32 seems unnecessary and IMO technically "worse" since it assumes two's complement representation.
OK yes two's complement is basically universal nowadays. :-) But isn't uint32 specified to be a modulo arithmetic type in go? If so then you don't need to bother about sign bits, this is just good clean mod-2^32 arithmetic. Also btw the final &1 seems to be unneeded in each case.
(also, these are neat bit tricks, I like :-) This trick works because there are only two values for which, upon subtracting 1, the high bit is flipped: 0x80000000 and 0x00000000. Since you assume everything must be less than the first value, then it's good.)
| // notZeroUint32 returns 1 if x != y and 0 otherwise. | ||
| func notZeroUint32(x uint32) uint32 { | ||
| x32 := int32(x) | ||
| return uint32((((-x32) | x32) >> 31) & 1) |
There was a problem hiding this comment.
(this trick works because there is only one value which has a high bit of 0, both before and after negation: 0x00000000.)
| // are true and the value will not be changed when 'm' is zero. | ||
| m = isZeroUint32((t9 - fieldMSBMask) | (t2&t3&t4&t5&t6&t7&t8 - fieldBaseMask)) | ||
| m &= lessThanUint32(fieldBaseMask, (t0+977)>>fieldBase+t1+64) | ||
| m |= notZeroUint32(t9 >> fieldMSBBits) |
There was a problem hiding this comment.
For reference, this seems to get done more simply in libsecp which also has an implementation of the same 10x26 field limbing: https://github.com/bitcoin-core/secp256k1/blob/0c774d89e61808d883b8f2df74462421491d59bb/src/field_10x26_impl.h#L66-L67
I have to admit I don't understand this deeply enough to know how either works.
There was a problem hiding this comment.
(for what it's worth, this PR is at least clearly identical to the code being modified, so there is nothing to worry about in terms of changed behaviour)
There was a problem hiding this comment.
OK I see now this is identical with libsecp... the two different meanings of 'm' was confusing me.
The libsecp expression is still simpler, for example it takes advantage of the fact that t9 >> fieldMSBBits is surely either 0 or 1 at this point. You could do the same by making the final line to be m |= t9 >> fieldMSBBits.
And libsecp uses equality comparisons along with implicit bool -> int cast (i.e., in the assembly it calls cmp which just does a subtraction anyway but only uses the result to set flags, then sete casts the flag to an int). Unfortunately it looks like in go you might not have a simple bool->int cast so this is about as good as it gets?
There was a problem hiding this comment.
Yes, the lack of bool->int cast is an unfortunate choice in golang when you want constant time math. This is as good as it gets and follows the standard patterns in crypto/subtle.
It would be great to incorporate simplifications and improvements based on the libsecp implementation, modulo lack of above casts and different language standards for constants-as-variables.
|
@bmperrea ping ^ |
| // are true and the value will not be changed when 'm' is zero. | ||
| m = isZeroUint32((t9 - fieldMSBMask) | (t2&t3&t4&t5&t6&t7&t8 - fieldBaseMask)) | ||
| m &= lessThanUint32(fieldBaseMask, (t0+977)>>fieldBase+t1+64) | ||
| m |= notZeroUint32(t9 >> fieldMSBBits) |
There was a problem hiding this comment.
Yes, the lack of bool->int cast is an unfortunate choice in golang when you want constant time math. This is as good as it gets and follows the standard patterns in crypto/subtle.
It would be great to incorporate simplifications and improvements based on the libsecp implementation, modulo lack of above casts and different language standards for constants-as-variables.
| return uint32((diff >> 31) & 1) | ||
| } | ||
|
|
||
| // isZeroUint32 returns 1 if x == y and 0 otherwise. |
There was a problem hiding this comment.
hmm mistaken comment should be like // isZeroUint32 returns 1 if x == 0 and 0 otherwise.
Therefore y is zero (kidding).
|
Updated @markblundeberg ! @jimpo after benchmarking a bit using benchstat with |
|
Ping @zquestz ! |
|
Yeah new one seems OK also. |
zquestz
changed the title
Port of the work done by @bmperrea in btcsuite/btcd#1084
The current implementation of field.Normalize() has a timing vulnerability. This makes it constant time.