Use modified divsteps with initial delta=1/2 for constant-time #906
Conversation
|
Concept ACK There's still this comment and the corresponding code: The docs and the code might be more readable without eta having two different meanings. Maybe try another name for the new eta? |
sipa
force-pushed
the
202012_safegcd_prime
branch
2 times, most recently
from
e9352ef
to
fb8112f
Compare
Fixed. There was an equivalent in modinv32 as well.
Renamed to zeta. |
|
FWIW I don't believe that it is necessary to wait for the Coq proof checked in "paranoid mode" to complete. OTOH, I estimate the check will probably be completed before this gets merged anyways, so it doesn't really matter. Edit: (23 days later) I no longer believe the check will be completed before this gets merged. |
|
@sipa Is this ready for review? |
|
@real-or-random I plan to add some more unit tests, but otherwise yes. |
sipa
force-pushed
the
202012_safegcd_prime
branch
2 times, most recently
from
968985c
to
4abc135
Compare
|
This PR is ready, I think. coqc is still running: |
sipa
force-pushed
the
202012_safegcd_prime
branch
2 times, most recently
from
aa77c81
to
0ca692f
Compare
|
Added a selection of randomly generated inputs (with generic modulus, and for field/scalar) as tests that trigger the largest/smallest d and e values at various points during the execution over a few billion runs. |
|
Update: |
|
Hm, I think I'm in favor of not waiting any longer for Coq... We have the bounds analysis plus the Coq proof in native mode. This should be more than enough to be confident in the algorithm. I'll try to review this soon. |
Instead of using eta=-delta, use zeta=-(delta+1/2) to represent delta. This variant only needs at most 590 iterations for 256-bit inputs rather than 724 (by convex hull bounds analysis).
sipa
force-pushed
the
202012_safegcd_prime
branch
from
0ca692f
to
be0609f
Compare
|
I'm not really planning to review this PR myself at this time. But I do ACK the 590 constant. I have actually very carefully reviewed those three digits. |
|
ACK be0609f |
|
crACK be0609f |
|
Posthumous update: the paranoid-mode Coq proof finished succesfully 3 hours before this got merged. |
|
For the record, the Coq runtime in paranoid-mode ended up being approximately 66 days. |
This updates the divsteps-based modular inverse code to use the modified version which starts with delta=1/2. For variable time, the delta=1 variant is still used as it appears to be faster.
See https://github.com/sipa/safegcd-bounds/tree/master/coq and https://medium.com/blockstream/a-formal-proof-of-safegcd-bounds-695e1735a348 for a proof of correctness of this variant.
TODO:
I'm still running the Coq proof verification for the 590 bound in non-native mode. It's unclear how long this will take.