Tentative fix for #345 - constant-time scalar mul with endomorphism acceleration wrong result by mratsim · Pull Request #346 · mratsim/constantine

mratsim · 2024-01-18T23:24:56Z

This tentatively fixes #345 with the simple approach explained in #345 (comment) to add an extra bit to hold the decomposed miniscalars.

This will be kept as a fix if we can also relax the requirement for exact bit match for scalarMul_vartime when dispatching to endomorphism.

constantine/constantine/math/elliptic/ec_scalar_mul_vartime.nim

Lines 353 to 377 in dbd2630

    
           const L = scalBits.ceilDiv_vartime(M) + 1 
        
           let usedBits = scalar.limbs.getBits_LE_vartime() 
        
           when scalBits == EC.F.C.getCurveOrderBitwidth() and 
        
                EC.F.C.hasEndomorphismAcceleration(): 
        
             if usedBits >= L: 
        
               when EC.F is Fp: 
        
                 P.scalarMulEndo_minHammingWeight_windowed_vartime(scalar, window = 4) 
        
               elif EC.F is Fp2: 
        
                 P.scalarMulEndo_minHammingWeight_windowed_vartime(scalar, window = 3) 
        
               else: # Curves defined on Fp^m with m > 2 
        
                 {.error: "Unreachable".} 
        
               return 
        
           if 64 < usedBits: 
        
             # With a window of 5, we precompute 2^3 = 8 points 
        
             P.scalarMul_minHammingWeight_windowed_vartime(scalar, window = 5) 
        
           elif 16 < usedBits: 
        
             # With a window of 3, we precompute 2^1 = 2 points 
        
             P.scalarMul_minHammingWeight_windowed_vartime(scalar, window = 3) 
        
           elif 4 < usedBits: 
        
             P.scalarMul_doubleAdd_vartime(scalar) 
        
           else: 
        
             P.scalarMul_addchain_4bit_vartime(scalar)

In that case, we can remove the current way to handle negative mini-scalars by negating the curve point.

…alar decomposition instead of +1 sign bit

mratsim · 2024-01-20T11:02:33Z

constantine/math/elliptic/ec_endomorphism_accel.nim

-    when babai(F)[i][1]:
-      # prod_high_words works like logical right shift
-      # When negative, we should add 1 to properly round toward -infinity
-      alphas[i] += One


This is the main change. Papers that introduce the Babai's rounding unfortunately use shifts but do not go over the negative special case.

mratsim · 2024-01-20T11:16:13Z

Change of fix approach,

Adding an extra bit also on scalarMul_vartime fails, which suggest the issue is not in the bit length.

When developing endomorphism years ago, the papers didn't special-case Babai's rounding for negative scalars.

Now what's curious is that it has not trigger any error so far in Google Ossfuzz.

mratsim · 2024-01-20T14:10:29Z

The CI failure is due to some Nim upstream bug when declaring {.noInit.} variables in templates

Same issue as #332 (comment)

Besides removing the {.noInit.}, it may be that using inject solves the issue as well.

mratsim added 2 commits January 18, 2024 23:39

Tentative fix for #345

30398f7

scalarMul endomorphism: don't round towards -Infinity for negative sc…

173900f

…alar decomposition instead of +1 sign bit

mratsim commented Jan 20, 2024

View reviewed changes

workaround {.noInit.} mangling in templates

887e3c8

mratsim merged commit bc5faaa into master Jan 20, 2024

mratsim deleted the bug-345 branch January 20, 2024 18:39

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Tentative fix for #345 - constant-time scalar mul with endomorphism acceleration wrong result#346

Tentative fix for #345 - constant-time scalar mul with endomorphism acceleration wrong result#346
mratsim merged 3 commits intomasterfrom
bug-345

mratsim commented Jan 18, 2024

Uh oh!

mratsim Jan 20, 2024

Uh oh!

mratsim commented Jan 20, 2024

Uh oh!

mratsim commented Jan 20, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

	const L = scalBits.ceilDiv_vartime(M) + 1

	let usedBits = scalar.limbs.getBits_LE_vartime()

	when scalBits == EC.F.C.getCurveOrderBitwidth() and
	EC.F.C.hasEndomorphismAcceleration():
	if usedBits >= L:
	when EC.F is Fp:
	P.scalarMulEndo_minHammingWeight_windowed_vartime(scalar, window = 4)
	elif EC.F is Fp2:
	P.scalarMulEndo_minHammingWeight_windowed_vartime(scalar, window = 3)
	else: # Curves defined on Fp^m with m > 2
	{.error: "Unreachable".}
	return

	if 64 < usedBits:
	# With a window of 5, we precompute 2^3 = 8 points
	P.scalarMul_minHammingWeight_windowed_vartime(scalar, window = 5)
	elif 16 < usedBits:
	# With a window of 3, we precompute 2^1 = 2 points
	P.scalarMul_minHammingWeight_windowed_vartime(scalar, window = 3)
	elif 4 < usedBits:
	P.scalarMul_doubleAdd_vartime(scalar)
	else:
	P.scalarMul_addchain_4bit_vartime(scalar)

Uh oh!

Conversation

mratsim commented Jan 18, 2024

Uh oh!

mratsim Jan 20, 2024

Choose a reason for hiding this comment

Uh oh!

mratsim commented Jan 20, 2024

Uh oh!

mratsim commented Jan 20, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant