
Commit c95895e

k256: use PrimeField::pow_vartime when computing Scalar::sqrt
I had previously attempted to do this in #400 but had trouble tracking down why it wasn't working. It seems the lower two limbs were shifted by 8 bits, i.e. a copy-paste error from Sage. I computed the correct limbs using `ff_derive`, and the tests now pass.
1 parent 616b20c commit c95895e

2 files changed

+8
-333
lines changed


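--- a/k256/src/arithmetic/scalar.rs
+++ b/k256/src/arithmetic/scalar.rs
@@ -113,339 +113,13 @@ impl Field for Scalar {
 /// https://eprint.iacr.org/2012/685.pdf (page 12, algorithm 5)
 #[allow(clippy::many_single_char_names)]
 fn sqrt(&self) -> CtOption<Self> {
-// TODO(tarcieri): replace with `self.pow((t - 1) >> 1)`
-let w = {
-let t0 = self;
-let t1 = t0.square();
-let t2 = t1 * t0;
-let t3 = t1.square();
-let t4 = t3.square();
-let t5 = t4 * t2;
-let t6 = t5 * t3;
-let t7 = t6.square();
-let t8 = t7 * t6;
-let t9 = t8.square();
-let t10 = t9 * t6;
-let t11 = t10 * t5;
-let t12 = t11 * t6;
-let t13 = t12.square();
-let t14 = t13 * t11;
-let t15 = t14.square();
-let t16 = t15 * t12;
-let t17 = t16.square();
-let t18 = t17 * t16;
-let t19 = t18.square();
-let t21 = t19.square();
-let t22 = t21 * t16;
-let t23 = t22 * t14;
-let t24 = t23 * t16;
-let t25 = t24.square();
-let t26 = t25 * t23;
-let t27 = t26 * t24;
-let t28 = t27.square();
-let t29 = t28 * t27;
-let t30 = t29.square();
-let t31 = t30 * t28;
-let t32 = t31.square();
-let t33 = t32.square();
-let t34 = t33 * t29;
-let t35 = t34 * t26;
-let t36 = t35 * t27;
-let t37 = t36.square();
-let t38 = t37.square();
-let t39 = t38 * t36;
-let t40 = t39.square();
-let t41 = t40.square();
-let t43 = t41 * t35;
-let t44 = t43 * t36;
-let t45 = t44.square();
-let t46 = t45 * t43;
-let t47 = t46 * t44;
-let t48 = t47.square();
-let t49 = t48 * t46;
-let t50 = t49.square();
-let t51 = t50 * t49;
-let t52 = t51.square();
-let t53 = t52 * t50;
-let t54 = t53.square();
-let t55 = t54.square();
-let t56 = t55 * t51;
-let t57 = t56 * t47;
-let t58 = t57.square();
-let t59 = t58.square();
-let t60 = t59 * t57;
-let t61 = t60 * t49;
-let t62 = t61.square();
-let t63 = t62.square();
-let t64 = t63.square();
-let t65 = t64 * t61;
-let t66 = t65 * t57;
-let t67 = t66.square();
-let t68 = t67.square();
-let t69 = t68 * t67;
-let t70 = t69.square();
-let t71 = t70 * t67;
-let t72 = t71 * t66;
-let t73 = t72.square();
-let t74 = t73.square();
-let t75 = t74 * t67;
-let t76 = t75 * t61;
-let t77 = t76 * t66;
-let t78 = t77.square();
-let t79 = t78.square();
-let t80 = t79 * t77;
-let t81 = t80 * t76;
-let t82 = t81.square();
-let t83 = t82 * t77;
-let t84 = t83.square();
-let t85 = t84.square();
-let t87 = t85.square();
-let t88 = t87.square();
-let t89 = t88 * t84;
-let t90 = t89 * t81;
-let t91 = t90.square();
-let t92 = t91 * t83;
-let t93 = t92.square();
-let t94 = t93 * t92;
-let t95 = t94.square();
-let t96 = t95 * t92;
-let t97 = t96.square();
-let t99 = t97.square();
-let t100 = t99.square();
-let t101 = t100.square();
-let t103 = t101 * t90;
-let t104 = t103.square();
-let t105 = t104.square();
-let t106 = t105.square();
-let t107 = t106 * t103;
-let t108 = t107 * t92;
-let t109 = t108.square();
-let t110 = t109 * t103;
-let t111 = t110.square();
-let t112 = t111.square();
-let t113 = t112.square();
-let t114 = t113 * t110;
-let t115 = t114 * t108;
-let t116 = t115 * t110;
-let t117 = t116.square();
-let t118 = t117.square();
-let t119 = t118 * t116;
-let t120 = t119 * t115;
-let t121 = t120.square();
-let t122 = t121 * t116;
-let t123 = t122 * t120;
-let t124 = t123.square();
-let t125 = t124 * t123;
-let t126 = t125.square();
-let t128 = t126.square();
-let t130 = t128 * t122;
-let t131 = t130 * t123;
-let t132 = t131.square();
-let t133 = t132.square();
-let t134 = t133.square();
-let t135 = t134 * t131;
-let t136 = t135.square();
-let t137 = t136.square();
-let t138 = t137.square();
-let t139 = t138 * t132;
-let t140 = t139 * t130;
-let t141 = t140 * t131;
-let t142 = t141.square();
-let t143 = t142.square();
-let t144 = t143 * t141;
-let t145 = t144 * t140;
-let t146 = t145.square();
-let t147 = t146 * t145;
-let t148 = t147.square();
-let t149 = t148 * t145;
-let t150 = t149 * t141;
-let t151 = t150.square();
-let t152 = t151 * t145;
-let t153 = t152 * t150;
-let t154 = t153.square();
-let t155 = t154 * t153;
-let t156 = t155.square();
-let t157 = t156 * t153;
-let t158 = t157 * t152;
-let t159 = t158 * t153;
-let t160 = t159.square();
-let t161 = t160 * t159;
-let t162 = t161 * t158;
-let t163 = t162 * t159;
-let t164 = t163.square();
-let t165 = t164 * t163;
-let t166 = t165 * t162;
-let t167 = t166 * t163;
-let t168 = t167.square();
-let t169 = t168.square();
-let t170 = t169 * t167;
-let t171 = t170.square();
-let t173 = t171 * t166;
-let t174 = t173 * t167;
-let t175 = t174.square();
-let t176 = t175 * t174;
-let t177 = t176.square();
-let t178 = t177 * t174;
-let t179 = t178.square();
-let t180 = t179.square();
-let t182 = t180 * t173;
-let t183 = t182.square();
-let t184 = t183 * t182;
-let t185 = t184 * t174;
-let t186 = t185 * t182;
-let t187 = t186 * t185;
-let t188 = t187 * t186;
-let t189 = t188.square();
-let t190 = t189 * t188;
-let t191 = t190.square();
-let t192 = t191 * t188;
-let t193 = t192 * t187;
-let t194 = t193.square();
-let t195 = t194 * t188;
-let t196 = t195.square();
-let t197 = t196.square();
-let t198 = t197 * t193;
-let t199 = t198.square();
-let t200 = t199.square();
-let t201 = t200 * t198;
-let t202 = t201 * t195;
-let t203 = t202.square();
-let t204 = t203.square();
-let t205 = t204 * t202;
-let t206 = t205 * t198;
-let t207 = t206 * t202;
-let t208 = t207 * t206;
-let t209 = t208 * t207;
-let t210 = t209.square();
-let t211 = t210 * t208;
-let t212 = t211.square();
-let t213 = t212 * t209;
-let t214 = t213.square();
-let t215 = t214.square();
-let t216 = t215.square();
-let t217 = t216.square();
-let t218 = t217.square();
-let t219 = t218.square();
-let t220 = t219.square();
-let t221 = t220.square();
-let t222 = t221.square();
-let t223 = t222.square();
-let t224 = t223.square();
-let t225 = t224.square();
-let t226 = t225.square();
-let t227 = t226.square();
-let t228 = t227.square();
-let t229 = t228.square();
-let t230 = t229.square();
-let t231 = t230.square();
-let t232 = t231.square();
-let t233 = t232.square();
-let t234 = t233.square();
-let t235 = t234.square();
-let t236 = t235.square();
-let t237 = t236.square();
-let t238 = t237.square();
-let t239 = t238.square();
-let t240 = t239.square();
-let t241 = t240.square();
-let t242 = t241.square();
-let t243 = t242.square();
-let t244 = t243.square();
-let t245 = t244.square();
-let t246 = t245.square();
-let t247 = t246.square();
-let t248 = t247.square();
-let t249 = t248.square();
-let t250 = t249.square();
-let t251 = t250.square();
-let t252 = t251.square();
-let t253 = t252.square();
-let t254 = t253.square();
-let t255 = t254.square();
-let t256 = t255.square();
-let t257 = t256.square();
-let t258 = t257.square();
-let t259 = t258.square();
-let t260 = t259.square();
-let t261 = t260.square();
-let t262 = t261.square();
-let t263 = t262.square();
-let t264 = t263.square();
-let t265 = t264.square();
-let t266 = t265.square();
-let t267 = t266.square();
-let t268 = t267.square();
-let t269 = t268.square();
-let t270 = t269.square();
-let t271 = t270.square();
-let t272 = t271.square();
-let t273 = t272.square();
-let t274 = t273.square();
-let t275 = t274.square();
-let t276 = t275.square();
-let t277 = t276.square();
-let t278 = t277.square();
-let t279 = t278.square();
-let t280 = t279.square();
-let t281 = t280.square();
-let t282 = t281.square();
-let t283 = t282.square();
-let t284 = t283.square();
-let t285 = t284.square();
-let t286 = t285.square();
-let t287 = t286.square();
-let t288 = t287.square();
-let t289 = t288.square();
-let t290 = t289.square();
-let t291 = t290.square();
-let t292 = t291.square();
-let t293 = t292.square();
-let t294 = t293.square();
-let t295 = t294.square();
-let t296 = t295.square();
-let t297 = t296.square();
-let t298 = t297.square();
-let t299 = t298.square();
-let t300 = t299.square();
-let t301 = t300.square();
-let t302 = t301.square();
-let t303 = t302.square();
-let t304 = t303.square();
-let t305 = t304.square();
-let t306 = t305.square();
-let t307 = t306.square();
-let t308 = t307.square();
-let t309 = t308.square();
-let t310 = t309.square();
-let t311 = t310.square();
-let t312 = t311.square();
-let t313 = t312.square();
-let t314 = t313.square();
-let t315 = t314.square();
-let t316 = t315.square();
-let t317 = t316.square();
-let t318 = t317.square();
-let t319 = t318.square();
-let t320 = t319.square();
-let t321 = t320.square();
-let t322 = t321.square();
-let t323 = t322.square();
-let t324 = t323.square();
-let t325 = t324.square();
-let t326 = t325.square();
-let t327 = t326.square();
-let t328 = t327.square();
-let t329 = t328.square();
-let t330 = t329.square();
-let t331 = t330.square();
-let t332 = t331.square();
-let t333 = t332.square();
-let t334 = t333.square();
-let t335 = t334.square();
-let t336 = t335.square();
-let t337 = t336.square();
-t337 * t211
-};
+// Note: `pow_vartime` is constant-time with respect to `self`
+let w = self.pow_vartime(&[
+0x777fa4bd19a06c82,
+0xfd755db9cd5e9140,
+0xffffffffffffffff,
+0x1ffffffffffffff,
+]);
 
 let mut v = Self::S;
 let mut x = *self * w;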
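Review bot: The four limbs passed to `pow_vartime` on the new side are an undocumented magic constant, and the commit message itself records that the previous attempt failed on exactly this value because two limbs were mis-copied; nothing in the hunk tells a future reader what the number is or how to re-derive it. Working it out from the secp256k1 order: n - 1 has six trailing zero bits (`Self::S` is used on the line below), so the exponent (t - 1) / 2 from the removed TODO equals (n - 1) >> 7, and the four limbs match that value in little-endian u64 order; I would say so above the array, e.g. `// Exponent (t - 1) / 2 where n - 1 = 2^S * t (S = 6), i.e. (n - 1) >> 7, little-endian u64 limbs; derived with ff_derive`. The "constant-time with respect to self" note also states a conclusion without its reason: `pow_vartime` is variable-time only in the exponent, and that exponent is a fixed public constant, so timing is independent of the secret input — spelling that out, `// pow_vartime is variable-time only in the exponent, which is a fixed public constant, so this leaks nothing about self`, prevents someone later passing a secret-derived exponent under the same comment. If the crate exposes the group order as a constant (I cannot see one from here), a unit test asserting the limbs equal that constant minus one shifted right by 7 would turn the copy-paste error into a build-time failure rather than a test-suite hunt. The rest of `sqrt` (the Tonelli–Shanks loop) continues past the end of the hunk.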

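--- a/p256/src/arithmetic/scalar.rs
+++ b/p256/src/arithmetic/scalar.rs
@@ -151,6 +151,7 @@ impl Field for Scalar {
 /// https://eprint.iacr.org/2012/685.pdf (page 12, algorithm 5)
 #[allow(clippy::many_single_char_names)]
 fn sqrt(&self) -> CtOption<Self> {
+// Note: `pow_vartime` is constant-time with respect to `self`
 let w = self.pow_vartime(&[
 0x279dce5617e3192a,
 0xfde737d56d38bcf4,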
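Review bot: The added comment asserts that `pow_vartime` is constant-time in `self` but omits the reason, which is the only thing that makes the claim true: the function is variable-time in its exponent, and it is safe here solely because the exponent is a fixed public constant rather than anything secret-derived. I would make that explicit so the justification travels with the call, e.g. `// pow_vartime is variable-time only in the exponent; the exponent here is a fixed public constant, so timing is independent of self`. A one-line note naming what the limbs encode (the (t - 1) / 2 exponent of Tonelli–Shanks, as little-endian u64 limbs) would also help, since only two of them are visible here and the value cannot be checked by eye. The remaining limbs and the rest of `sqrt` lie outside the hunk.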
