-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use modified divsteps with initial delta=1/2 for constant-time #906
Use modified divsteps with initial delta=1/2 for constant-time #906
Conversation
Concept ACK There's still this comment and the corresponding code: The docs and the code might be more readable without eta having two different meanings. Maybe try another name for the new eta? |
e9352ef
to
fb8112f
Compare
Fixed. There was an equivalent in modinv32 as well.
Renamed to zeta. |
FWIW I don't believe that it is necessary to wait for the Coq proof checked in "paranoid mode" to complete. OTOH, I estimate the check will probably be completed before this gets merged anyways, so it doesn't really matter. Edit: (23 days later) I no longer believe the check will be completed before this gets merged. |
@sipa Is this ready for review? |
@real-or-random I plan to add some more unit tests, but otherwise yes. |
968985c
to
4abc135
Compare
This PR is ready, I think. coqc is still running:
|
aa77c81
to
0ca692f
Compare
Added a selection of randomly generated inputs (with generic modulus, and for field/scalar) as tests that trigger the largest/smallest d and e values at various points during the execution over a few billion runs. |
Update: |
Hm, I think I'm in favor of not waiting any longer for Coq... We have the bounds analysis plus the Coq proof in native mode. This should be more than enough to be confident in the algorithm. I'll try to review this soon. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK mod nit
Instead of using eta=-delta, use zeta=-(delta+1/2) to represent delta. This variant only needs at most 590 iterations for 256-bit inputs rather than 724 (by convex hull bounds analysis).
0ca692f
to
be0609f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK be0609f careful code review and some testing
I'm not really planning to review this PR myself at this time. But I do ACK the 590 constant. I have actually very carefully reviewed those three digits. |
ACK be0609f |
crACK be0609f |
Posthumous update: the paranoid-mode Coq proof finished succesfully 3 hours before this got merged. |
For the record, the Coq runtime in paranoid-mode ended up being approximately 66 days. |
This updates the divsteps-based modular inverse code to use the modified version which starts with delta=1/2. For variable time, the delta=1 variant is still used as it appears to be faster.
See https://github.com/sipa/safegcd-bounds/tree/master/coq and https://medium.com/blockstream/a-formal-proof-of-safegcd-bounds-695e1735a348 for a proof of correctness of this variant.
TODO:
I'm still running the Coq proof verification for the 590 bound in non-native mode. It's unclear how long this will take.