[Fix] bchec: Constant time field normalization #78
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| // Copyright (c) 2017 The btcsuite developers | ||
| // Copyright (c) 2017 Brent Perreault | ||
| // Use of this source code is governed by an ISC | ||
| // license that can be found in the LICENSE file. | ||
|
|
||
| package bchec | ||
|
|
||
| // constant_time.go provides constant time implementations of useful | ||
| // mathematical operations. In addition, these functions return integers, | ||
| // using 0 or 1 to represent false or true respectively, which is useful | ||
| // for writing logic in terms of bitwise operators | ||
|
|
||
| // References | ||
| // These functions are based on the sample implementation in | ||
| // golang.org/src/crypto/subtle/constant_time.go | ||
| // Here we have refactored these functions for uint32 arithmetic and | ||
| // to avoid extra shifts and casts | ||
|
|
||
| // Note - these use the sign bit of int32 internally. For that reason all | ||
| // of the inputs need to be less than 2^31 to avoid overflowing int32. | ||
| // These are intended for use internal to btcec. | ||
|
|
||
| // lessThanUint32 returns 1 if x < y and 0 otherwise. | ||
| // It works by checking the most significant bit, and then testing the | ||
| // rest of the bits by casting to int32 | ||
| func lessThanUint32(x, y uint32) uint32 { | ||
| diff := int32(x) - int32(y) | ||
|
There was a problem hiding this comment. All of the casts to/from There was a problem hiding this comment. I will try to update my branch in btcd accordingly |
||
| return uint32((diff >> 31) & 1) | ||
| } | ||
|
|
||
| // isZeroUint32 returns 1 if x == y and 0 otherwise. | ||
|
There was a problem hiding this comment. hmm mistaken comment should be like Therefore |
||
| func isZeroUint32(x uint32) uint32 { | ||
| x32 := int32(x) | ||
| return uint32((((x32 - 1) ^ x32) >> 31) & 1) | ||
|
There was a problem hiding this comment. I agree, the cast to int32 seems unnecessary and IMO technically "worse" since it assumes two's complement representation. OK yes two's complement is basically universal nowadays. :-) But isn't uint32 specified to be a modulo arithmetic type in go? If so then you don't need to bother about sign bits, this is just good clean mod-2^32 arithmetic. Also btw the final &1 seems to be unneeded in each case. (also, these are neat bit tricks, I like :-) This trick works because there are only two values for which, upon subtracting 1, the high bit is flipped: 0x80000000 and 0x00000000. Since you assume everything must be less than the first value, then it's good.) |
||
| } | ||
|
|
||
| // notZeroUint32 returns 1 if x != y and 0 otherwise. | ||
| func notZeroUint32(x uint32) uint32 { | ||
| x32 := int32(x) | ||
| return uint32((((-x32) | x32) >> 31) & 1) | ||
|
There was a problem hiding this comment. (this trick works because there is only one value which has a high bit of 0, both before and after negation: 0x00000000.) |
||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| // Copyright (c) 2017 The btcsuite developers | ||
| // Copyright (c) 2017 Brent Perreault | ||
| // Use of this source code is governed by an ISC | ||
| // license that can be found in the LICENSE file. | ||
|
|
||
| package bchec | ||
|
|
||
| import "testing" | ||
|
|
||
| func TestLessThanUint32(t *testing.T) { | ||
| tests := []struct { | ||
| x uint32 | ||
| y uint32 | ||
| a uint32 | ||
| }{ | ||
| {0, 1, 1}, | ||
| {2, 2, 0}, | ||
| {1 << 30, 1 << 30, 0}, | ||
| {17, 1 << 30, 1}, | ||
| {1 << 30, 0, 0}, | ||
| } | ||
|
|
||
| t.Logf("Running %d tests", len(tests)) | ||
| for i, test := range tests { | ||
| answer := lessThanUint32(test.x, test.y) | ||
| if test.a != answer { | ||
| t.Errorf("lessThanUint32 #%d wrong result\ngot: %v\n"+ | ||
| "want: %v", i, answer, test.a) | ||
| continue | ||
| } | ||
| } | ||
| } | ||
|
|
||
| func TestIsZeroUint32(t *testing.T) { | ||
| tests := []struct { | ||
| x uint32 | ||
| a uint32 | ||
| }{ | ||
| {1, 0}, | ||
| {0, 1}, | ||
| {1 << 30, 0}, | ||
| } | ||
|
|
||
| t.Logf("Running %d tests", len(tests)) | ||
| for i, test := range tests { | ||
| answer := isZeroUint32(test.x) | ||
| if test.a != answer { | ||
| t.Errorf("isZeroUint32 #%d wrong result\ngot: %v\n"+ | ||
| "want: %v", i, answer, test.a) | ||
| continue | ||
| } | ||
| } | ||
| } | ||
|
|
||
| func TestNotZeroUint32(t *testing.T) { | ||
| tests := []struct { | ||
| x uint32 | ||
| a uint32 | ||
| }{ | ||
| {1, 1}, | ||
| {0, 0}, | ||
| {1 << 30, 1}, | ||
| } | ||
|
|
||
| t.Logf("Running %d tests", len(tests)) | ||
| for i, test := range tests { | ||
| answer := notZeroUint32(test.x) | ||
| if test.a != answer { | ||
| t.Errorf("notZeroUint32 #%d wrong result\ngot: %v\n"+ | ||
| "want: %v", i, answer, test.a) | ||
| continue | ||
| } | ||
| } | ||
| } |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -305,32 +305,11 @@ func (f *fieldVal) Normalize() *fieldVal { | |
| // following determines if either or these conditions are true and does | ||
| // the final reduction in constant time. | ||
| // | ||
| // Note that 'm' will be zero when neither of the aforementioned conditions | ||
| // are true and the value will not be changed when 'm' is zero. | ||
| m = isZeroUint32((t9 - fieldMSBMask) | (t2&t3&t4&t5&t6&t7&t8 - fieldBaseMask)) | ||
| m &= lessThanUint32(fieldBaseMask, (t0+977)>>fieldBase+t1+64) | ||
| m |= notZeroUint32(t9 >> fieldMSBBits) | ||
|
There was a problem hiding this comment. For reference, this seems to get done more simply in libsecp which also has an implementation of the same 10x26 field limbing: https://github.com/bitcoin-core/secp256k1/blob/0c774d89e61808d883b8f2df74462421491d59bb/src/field_10x26_impl.h#L66-L67 I have to admit I don't understand this deeply enough to know how either works. There was a problem hiding this comment. (for what it's worth, this PR is at least clearly identical to the code being modified, so there is nothing to worry about in terms of changed behaviour) There was a problem hiding this comment. OK I see now this is identical with libsecp... the two different meanings of 'm' was confusing me. The libsecp expression is still simpler, for example it takes advantage of the fact that And libsecp uses equality comparisons along with implicit bool -> int cast (i.e., in the assembly it calls There was a problem hiding this comment. Yes, the lack of bool->int cast is an unfortunate choice in golang when you want constant time math. This is as good as it gets and follows the standard patterns in crypto/subtle. It would be great to incorporate simplifications and improvements based on the libsecp implementation, modulo lack of above casts and different language standards for constants-as-variables. |
||
| t0 = t0 + m*977 | ||
| t1 = (t0 >> fieldBase) + t1 + (m << 6) | ||
| t0 = t0 & fieldBaseMask | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit:
BenchmarkFieldNormalizeWithCarryseems like a better name.Also, I'm not sure this provides much benefit since it doesn't automatically compare the timing against regular
BenchmarkFieldNormalize.