ed25519: review add in avx512

Author: 0x0ece

src/ballet/ed25519/avx512/fd_curve25519.h

@@ -97,8 +97,12 @@ fd_ed25519_point_neg( fd_ed25519_point_t *       r,
   _p03 = wwl( 8796093022189L, 8796093022189L, 8796093022189L, 8796093022189L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L );
   _p14 = wwl( 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L );
   _p25 = wwl( 8796093022207L, 8796093022207L, 8796093022207L, 8796093022207L, 1099511627775L, 1099511627775L, 1099511627775L, 1099511627775L );
-  FD_R43X6_QUAD_LANE_SUB_FAST( r->P, a->P, 1,0,0,1, _p, a->P );
-  FD_R43X6_QUAD_FOLD_UNSIGNED( r->P, r->P );
+  // FD_R43X6_QUAD_LANE_SUB_FAST( r->P, a->P, 1,0,0,1, _p, a->P );
+  // FD_R43X6_QUAD_FOLD_UNSIGNED( r->P, r->P );
+  int _mask = 0x99; /* 1001 1001 */
+  r->P03 = wwv_sub_if( _mask, _p03, a->P03, a->P03 );
+  r->P14 = wwv_sub_if( _mask, _p14, a->P14, a->P14 );
+  r->P25 = wwv_sub_if( _mask, _p25, a->P25, a->P25 );
   return r;
 }
 

src/ballet/ed25519/avx512/fd_f25519.h

@@ -96,7 +96,8 @@ fd_f25519_mul_121666( fd_f25519_t * r,
 
 /* fd_f25519_frombytes deserializes a 32-byte buffer buf into a
    fd_f25519_t element r, and returns r.
-   buf is in little endian form, according to RFC 8032. */
+   buf is in little endian form, we accept non-canonical elements
+   unlike RFC 8032. */
 FD_25519_INLINE fd_f25519_t *
 fd_f25519_frombytes( fd_f25519_t * r,
                      uchar const   buf[ 32 ] ) {
@@ -110,7 +111,8 @@ fd_f25519_frombytes( fd_f25519_t * r,
 
 /* fd_f25519_tobytes serializes a fd_f25519_t element a into
    a 32-byte buffer out, and returns out.
-   out is in little endian form, according to RFC 8032. */
+   out is in little endian form, according to RFC 8032
+   (we don't output non-canonical elements). */
 FD_25519_INLINE uchar *
 fd_f25519_tobytes( uchar               out[ 32 ],
                    fd_f25519_t const * a ) {

src/ballet/ed25519/avx512/fd_r43x6_ge.h

@@ -125,15 +125,19 @@ fd_r43x6_ge_is_eq( wwl_t X03, wwl_t X14, wwl_t X25,
     FD_R43X6_QUAD_PERMUTE      ( _tb, 1,0,2,3, P2 );            /* _tb = (Y2,   X2,   Z2,   T2   ), s61|s61|s61|s61 */ \
     FD_R43X6_QUAD_LANE_SUB_FAST( _ta, _ta, 1,0,0,0, _ta, P1 );  /* _ta = (Y1-X1,X1,   Z1,   T1   ), s62|s61|s61|s61 */ \
     FD_R43X6_QUAD_LANE_SUB_FAST( _tb, _tb, 1,0,0,0, _tb, P2 );  /* _tb = (Y2-X2,X2,   Z2,   T2   ), s62|s61|s61|s61 */ \
-    FD_R43X6_QUAD_LANE_ADD_FAST( _ta, _ta, 0,1,1,0, _ta, P1 );  /* _ta = (Y1-X1,Y1+X1,Z1*2, T1   ), s62|s62|s61|s61 */ \
+    FD_R43X6_QUAD_LANE_ADD_FAST( _ta, _ta, 0,1,1,0, _ta, P1 );  /* _ta = (Y1-X1,Y1+X1,Z1*2, T1   ), s62|s62|s62|s61 */ \
     FD_R43X6_QUAD_LANE_ADD_FAST( _tb, _tb, 0,1,0,0, _tb, P2 );  /* _tb = (Y2-X2,Y2+X2,Z2,   T2   ), s62|s62|s61|s61 */ \
-    FD_R43X6_QUAD_MUL_FAST     ( _ta, _ta, _tb );               /* _ta = (A,    B,    D,    C    ), u62|u62|u62|u62 */ \
-    FD_R43X6_QUAD_FOLD_UNSIGNED( _ta, _ta );                    /* _ta = (Y1-X1,Y1+X1,Z1*2, T1*2d), u44|u44|u44|u44 */ \
+    FD_R43X6_QUAD_FOLD_SIGNED  ( _ta, _ta );                    /* _ta = (Y1-X1,Y1+X1,Z1*2, T1   ), u44|u44|u44|u44 */ \
+    FD_R43X6_QUAD_FOLD_SIGNED  ( _tb, _tb );                    /* _tb = (Y2-X2,Y2+X2,Z2,   T2   ), u44|u44|u44|u44 */ \
     FD_R43X6_QUAD_MUL_FAST     ( _ta, _ta, _1112d );            /* _ta = (Y1-X1,Y1+X1,Z1*2, T1*2d), u62|u62|u62|u62 */ \
+    FD_R43X6_QUAD_FOLD_UNSIGNED( _ta, _ta );                    /* _ta = (Y1-X1,Y1+X1,Z1*2, T1*2d), u44|u44|u44|u44 */ \
+    FD_R43X6_QUAD_MUL_FAST     ( _ta, _ta, _tb );               /* _ta = (A,    B,    D,    C    ), u62|u62|u62|u62 */ \
+    /* the next line can't be removed because in 3 lines we'd get s62|u63|u63|s62 and that's not ok for fold_signed */ \
     FD_R43X6_QUAD_FOLD_UNSIGNED( _ta, _ta );                    /* _ta = (A,    B,    D,    C    ), u44|u44|u44|u44 */ \
-    FD_R43X6_QUAD_PERMUTE      ( _tb, 1,0,3,2, _ta );           /* _tb = (B,    A,    C,    D    ), u62|u62|u62|u62 */ \
-    FD_R43X6_QUAD_LANE_SUB_FAST( _tb, _tb, 1,0,0,1, _tb, _ta ); /* _tb = (E,    A,    C,    F    ), s62|u62|u62|s62 */ \
-    FD_R43X6_QUAD_LANE_ADD_FAST( _tb, _tb, 0,1,1,0, _tb, _ta ); /* _tb = (E,    H,    G,    F    ), s62|u63|u63|s62 */ \
+    FD_R43X6_QUAD_PERMUTE      ( _tb, 1,0,3,2, _ta );           /* _tb = (B,    A,    C,    D    ), u44|u44|u44|u44 */ \
+    FD_R43X6_QUAD_LANE_SUB_FAST( _tb, _tb, 1,0,0,1, _tb, _ta ); /* _tb = (E,    A,    C,    F    ), s44|u44|u44|s44 */ \
+    FD_R43X6_QUAD_LANE_ADD_FAST( _tb, _tb, 0,1,1,0, _tb, _ta ); /* _tb = (E,    H,    G,    F    ), s44|u45|u45|s44 */ \
+    FD_R43X6_QUAD_FOLD_SIGNED  ( _tb, _tb );                    /* _tb = (E,    H,    G,    F    ), u44|u44|u44|u44 */ \
     FD_R43X6_QUAD_PERMUTE      ( _ta, 0,2,2,0, _tb );           /* _ta = (E,    G,    G,    E    ), u44|u44|u44|u44 */ \
     FD_R43X6_QUAD_PERMUTE      ( _tb, 3,1,3,1, _tb );           /* _tb = (F,    H,    F,    H    ), u44|u44|u44|u44 */ \
     FD_R43X6_QUAD_MUL_FAST     ( _ta, _ta, _tb );               /* _ta = (X3,   Y3,   Z3,   T3   ), u62|u62|u62|u62 */ \

src/ballet/ed25519/fd_curve25519.h

@@ -179,15 +179,15 @@ fd_ed25519_multi_scalar_mul_base( fd_ed25519_point_t *     r,
 
 /* fd_ed25519_point_frombytes deserializes a 32-byte buffer buf into a
    point r, and returns r (on success, NULL on error).
-   buf is in little endian form, according to RFC 8032.
+   buf is in little endian form, we accept non-canonical points unlike RFC 8032.
    Cost: 1sqrt ~= 1inv ~= 250mul */
 fd_ed25519_point_t *
 fd_ed25519_point_frombytes( fd_ed25519_point_t * r,
                             uchar const          buf[ 32 ] );
 
 /* fd_ed25519_point_frombytes_2x deserializes 2x 32-byte buffers buf1, buf2
    resp. into points r1, r2, and returns r.
-   buf1, buf2 are in little endian form, according to RFC 8032.
+   buf1, buf2 are in little endian form, we accept non-canonical points unlike RFC 8032.
    It returns 0 on success, 1 or 2 on failure.
    Cost: 2sqrt (executed concurrently if possible) */
 int
@@ -208,7 +208,8 @@ fd_ed25519_point_validate(uchar const buf[ 32 ] ) {
 
 /* fd_ed25519_point_tobytes serializes a point a into
    a 32-byte buffer out, and returns out.
-   out is in little endian form, according to RFC 8032. */
+   out is in little endian form, according to RFC 8032
+   (we don't output non-canonical points). */
 uchar *
 fd_ed25519_point_tobytes( uchar                      out[ 32 ],
                           fd_ed25519_point_t const * a );

src/ballet/ed25519/fd_f25519.h

@@ -94,14 +94,16 @@ fd_f25519_mul_121666( fd_f25519_t *       r,
 
 /* fd_f25519_frombytes deserializes a 32-byte buffer buf into a
    fd_f25519_t element r, and returns r.
-   buf is in little endian form, according to RFC 8032. */
+   buf is in little endian form, we accept non-canonical elements
+   unlike RFC 8032. */
 fd_f25519_t *
 fd_f25519_frombytes( fd_f25519_t * r,
                      uchar const   buf[ 32 ] );
 
 /* fd_f25519_tobytes serializes a fd_f25519_t element a into
    a 32-byte buffer out, and returns out.
-   out is in little endian form, according to RFC 8032. */
+   out is in little endian form, according to RFC 8032
+   (we don't output non-canonical elements). */
 uchar *
 fd_f25519_tobytes( uchar               out[ 32 ],
                    fd_f25519_t const * a );

src/ballet/ed25519/ref/fd_f25519.h

@@ -107,7 +107,8 @@ fd_f25519_mul_121666( fd_f25519_t * r,
 
 /* fd_f25519_frombytes deserializes a 32-byte buffer buf into a
    fd_f25519_t element r, and returns r.
-   buf is in little endian form, according to RFC 8032. */
+   buf is in little endian form, we accept non-canonical elements
+   unlike RFC 8032. */
 FD_25519_INLINE fd_f25519_t *
 fd_f25519_frombytes( fd_f25519_t * r,
                      uchar const   buf[ 32 ] ) {
@@ -117,7 +118,8 @@ fd_f25519_frombytes( fd_f25519_t * r,
 
 /* fd_f25519_tobytes serializes a fd_f25519_t element a into
    a 32-byte buffer out, and returns out.
-   out is in little endian form, according to RFC 8032. */
+   out is in little endian form, according to RFC 8032
+   (we don't output non-canonical elements). */
 FD_25519_INLINE uchar *
 fd_f25519_tobytes( uchar               out[ 32 ],
                    fd_f25519_t const * a ) {

src/ballet/ed25519/test_ed25519.c

@@ -701,6 +701,10 @@ test_point_validate( FD_PARAM_UNUSED fd_rng_t * rng ) {
   fd_hex_decode( buf, "f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f", 32 );
   FD_TEST_CUSTOM( fd_ed25519_point_validate( buf ), "fd_ed25519_point_validate(01..00)" );
 
+  // non-canonical points are accepted
+  fd_hex_decode( buf, "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", 32 );
+  FD_TEST_CUSTOM( fd_ed25519_point_validate( buf ), "fd_ed25519_point_validate(ff..ff)" );
+
   /* negative tests */
 
   fd_hex_decode( buf, "0200000000000000000000000000000000000000000000000000000000000000", 32 );
@@ -710,6 +714,50 @@ test_point_validate( FD_PARAM_UNUSED fd_rng_t * rng ) {
   FD_TEST_CUSTOM( !fd_ed25519_point_validate( buf ), "!fd_ed25519_point_validate(02..00)" );
 }
 
+static void
+test_point_frombytes( FD_PARAM_UNUSED fd_rng_t * rng ) {
+  uchar _bufa[32]; uchar * bufa = _bufa;
+  uchar _bufr[32]; uchar * bufr = _bufr;
+  uchar _bufx[32]; uchar * bufx = _bufx;
+  uchar _bufy[32]; uchar * bufy = _bufy;
+
+  fd_f25519_t x[1], y[1], z[1], t[1];
+  fd_ed25519_point_t a[1];
+
+  {
+    fd_hex_decode( bufa, "ffffffffffff0100fffffffffffffffffffffffffffdffffffffffffffffffff", 32 );
+    fd_hex_decode( bufx, "3d0f773c2d26e69aa19258013f0bb4eb72a8db858498e6c802089ca8972b101b", 32 );
+    fd_hex_decode( bufy, "ffffffffffff0100fffffffffffffffffffffffffffdffffffffffffffffff7f", 32 );
+
+    FD_TEST( fd_ed25519_point_frombytes( a, bufa ) );
+
+    fd_ed25519_point_tobytes( bufr, a );
+    FD_TEST( fd_memeq( bufr, bufa, 32UL ) );
+
+    fd_ed25519_point_to( x, y, z, t, a );
+    fd_f25519_tobytes( bufr, x );
+    FD_TEST( fd_memeq( bufr, bufx, 32UL ) );
+    fd_f25519_tobytes( bufr, y );
+    FD_TEST( fd_memeq( bufr, bufy, 32UL ) );
+  }
+  {
+    fd_hex_decode( bufa, "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", 32 );
+    fd_hex_decode( bufx, "c50fe3127abac974ddd36f74e8988d7fe71cfc79d15fce531b42ccafd973d348", 32 );
+    fd_hex_decode( bufy, "1200000000000000000000000000000000000000000000000000000000000000", 32 );
+
+    FD_TEST( fd_ed25519_point_frombytes( a, bufa ) );
+
+    fd_ed25519_point_tobytes( bufr, a );
+    FD_TEST( !fd_memeq( bufr, bufa, 32UL ) ); // non-canonical
+
+    fd_ed25519_point_to( x, y, z, t, a );
+    fd_f25519_tobytes( bufr, x );
+    FD_TEST( fd_memeq( bufr, bufx, 32UL ) );
+    fd_f25519_tobytes( bufr, y );
+    FD_TEST( fd_memeq( bufr, bufy, 32UL ) );
+  }
+}
+
 static void
 test_point_sub( fd_rng_t * rng FD_PARAM_UNUSED ) {
   uchar _bufa[32]; uchar * bufa = _bufa;
@@ -764,6 +812,31 @@ test_point_sub( fd_rng_t * rng FD_PARAM_UNUSED ) {
     fd_ed25519_point_sub( r, a, b );
     fd_ed25519_point_tobytes( bufr, r );
 
+    FD_TEST( fd_memeq( bufr, bufe, 32UL ) );
+  }
+  {
+    // this failed sub, non-canonical point
+    fd_hex_decode( bufa, "0100000000000000000000000000000000b90000000000000000000000000080", 32 );
+    fd_hex_decode( bufb, "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", 32 );
+    fd_hex_decode( bufe, "39b4ef21660663d8955e024b1a7d921cf76b6300dbd94827d47ec62829a7dddc", 32 );
+
+    FD_TEST( fd_ed25519_point_frombytes( a, bufa ) );
+    FD_TEST( fd_ed25519_point_frombytes( b, bufb ) );
+
+    FD_TEST( fd_ed25519_point_frombytes( e, bufe ) );
+    {
+      fd_ed25519_point_tobytes( bufr, a );
+      FD_TEST( fd_memeq( bufr, bufa, 32UL ) );
+      fd_ed25519_point_tobytes( bufr, b );
+      FD_TEST( !fd_memeq( bufr, bufb, 32UL ) ); // non-canonical
+    }
+
+    fd_ed25519_point_sub( r, a, b );
+    fd_ed25519_point_tobytes( bufr, r );
+
+    // FD_LOG_HEXDUMP_WARNING(( "bufr", bufr, 32 ));
+    // FD_LOG_HEXDUMP_WARNING(( "bufe", bufe, 32 ));
+
     FD_TEST( fd_memeq( bufr, bufe, 32UL ) );
   }
 }
@@ -1225,6 +1298,7 @@ main( int     argc,
   test_affine_is_small_order ( rng );
 
   test_point_validate( rng );
+  test_point_frombytes( rng );
   test_point_sub( rng );
 
   test_sc_validate  ( rng );