Constant-time APIs for ff::Field::[invert, sqrt]#191
WARNING: THIS IS NOT ACTUALLY CONSTANT TIME YET! The jubjub and bls12_381 crates will replace our constant-time usages, but we NEED to fix ff_derive because other users will expect it to implement the Field trait correctly.
WARNING: THIS IS NOT FULLY CONSTANT TIME YET! This will be fixed once we migrate to the jubjub and bls12_381 crates.
| fn inverse(&self) -> Option<Self> { | ||
| /// WARNING: THIS IS NOT ACTUALLY CONSTANT TIME YET! | ||
| /// TODO: Make this constant-time. |
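Review bot: the `/// WARNING` doc comment on `fn inverse(&self) -> Option<Self>` says the function is not constant-time but not what that means for a caller; state that the zero check and the `Option` discriminant can branch on the operand, and point the `/// TODO: Make this constant-time.` line at the tracking issue (#159 per the description) so the TODO is not orphaned once the addition-chain work lands in the proc macro.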
This will likely require inlining addition-chain finding into the proc macro.
That sounds beautiful! If only I could stand how many dependencies proc-macro wants to bring in.
Don't need to worry about proc-macro dependencies if your crate itself is a procedural macro 🙃
| let gamma_inverse = gamma.inverse().ok_or(SynthesisError::UnexpectedIdentity)?; | ||
| let delta_inverse = delta.inverse().ok_or(SynthesisError::UnexpectedIdentity)?; | ||
| let gamma_inverse = { | ||
| let inverse = gamma.invert(); |
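Review bot: the `let gamma_inverse = {` block is cut off here, so the step that turns `gamma.invert()` back into a `Result` is not visible; the replaced lines mapped the identity case to `SynthesisError::UnexpectedIdentity` through `ok_or`, and the new block should keep that explicit error path (e.g. `Option::from(inverse).ok_or(SynthesisError::UnexpectedIdentity)`) rather than substituting a default value, with the same treatment for `delta_inverse`.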
I wonder if there should be an impl From<Option<T>> for CtOption<T> in subtle...
I think that makes it too easy to slip out of constant-time-ness, which could lead to subtle bugs. I'm rather partial to the fact that if you want to leave that domain, it needs to be noisy. It would definitely be nice to have it be easier than it currently is; it should be possible to do that while still being noisy.
This does not affect consensus directly, and the existing test coverage is sufficient to ensure compatibility. This will also all be audited before landing in master.
The `pairing::bls12_381` and `zcash_primitives::jubjub` implementations are not constant-time, but will be replaced by the `bls12_381` and `jubjub` implementations which are.

The `ff_derive` implementation of `sqrt` is constant-time (having been ported from `bls12_381::Scalar`), but the `invert` implementation is not constant-time yet.

Part of #159.
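The shape the PR is moving towards, as an added example that is not code from librustzcash, `ff`, `subtle` or `bellman`: a toy prime field whose `invert` and `sqrt` always compute a result and return it together with a constant-time "is present" flag, with the exit from the constant-time domain kept explicit and noisy as discussed in the `CtOption` thread above. `Choice`, `CtOption`, `Fp` and `SynthesisError` are local stand-ins defined here so the block runs stand-alone; the field is the integers mod 2^31 - 1 (chosen because it is a Mersenne prime with P ≡ 3 mod 4, which makes `sqrt` a single fixed exponentiation) rather than any Zcash field.

```rust
// Added example, not code from librustzcash/ff/subtle. Local stand-ins for the
// subtle/ff/bellman types of the same name; field is Z mod P with P = 2^31 - 1.
const P: u64 = (1 << 31) - 1;

/// Constant-time boolean: 0 or 1. Code in the constant-time domain never
/// branches on it; it only combines it with other Choices.
#[derive(Clone, Copy, Debug)]
pub struct Choice(u8);

impl Choice {
    pub fn unwrap_u8(self) -> u8 { self.0 }
}

impl std::ops::Not for Choice {
    type Output = Choice;
    fn not(self) -> Choice { Choice(self.0 ^ 1) }
}

/// A value plus a constant-time presence flag. The value is always computed.
#[derive(Clone, Copy, Debug)]
pub struct CtOption<T> { value: T, is_some: Choice }

impl<T> CtOption<T> {
    pub fn new(value: T, is_some: Choice) -> Self { CtOption { value, is_some } }
    pub fn is_some(&self) -> Choice { self.is_some }
    pub fn is_none(&self) -> Choice { !self.is_some }
}

/// The one sanctioned exit from the constant-time domain. Converting to a
/// plain Option is where a branch on secret-dependent data becomes possible,
/// so it has to be spelled out at the call site (`Option::from(..)`).
impl<T> From<CtOption<T>> for Option<T> {
    fn from(ct: CtOption<T>) -> Option<T> {
        if ct.is_some.0 == 1 { Some(ct.value) } else { None }
    }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Fp(u64); // invariant: 0 <= value < P

impl Fp {
    pub fn new(v: u64) -> Fp { Fp(v % P) }
    // Both operands are below 2^31, so the product is below 2^62: no overflow.
    pub fn mul(self, rhs: Fp) -> Fp { Fp((self.0 * rhs.0) % P) }
    pub fn square(self) -> Fp { self.mul(self) }

    /// Constant-time zero test: x | -x has its top bit set iff x != 0.
    fn is_nonzero(self) -> Choice {
        Choice(((self.0 | self.0.wrapping_neg()) >> 63) as u8)
    }

    /// Constant-time equality, reduced to a zero test of the XOR.
    pub fn ct_eq(self, other: Fp) -> Choice {
        !Fp(self.0 ^ other.0).is_nonzero()
    }

    /// Fixed-exponent square-and-multiply. The only branch is on bits of the
    /// public constant `exp`, so the operation sequence does not depend on `self`.
    fn pow_const(self, exp: u64) -> Fp {
        let mut acc = Fp(1);
        for i in (0..64).rev() {
            acc = acc.square();
            if (exp >> i) & 1 == 1 { acc = acc.mul(self); }
        }
        acc
    }

    /// Fermat inversion x^(P-2). Zero goes through the same ladder as every
    /// other input; only the flag records that the result is meaningless.
    pub fn invert(self) -> CtOption<Fp> {
        CtOption::new(self.pow_const(P - 2), self.is_nonzero())
    }

    /// With P ≡ 3 (mod 4), x^((P+1)/4) is a square root whenever one exists;
    /// the flag is the constant-time check candidate^2 == x.
    pub fn sqrt(self) -> CtOption<Fp> {
        let cand = self.pow_const((P + 1) / 4);
        CtOption::new(cand, cand.square().ct_eq(self))
    }

    /// The pre-PR shape from the review context above: an early return that
    /// branches on the secret operand, which is what `invert` avoids.
    pub fn invert_vartime(self) -> Option<Fp> {
        if self.0 == 0 { return None; }
        Some(self.pow_const(P - 2))
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum SynthesisError { UnexpectedIdentity }

/// Stand-in for the generator change: compute in constant time, then convert
/// to a Result explicitly at the single point where the caller must branch.
pub fn gamma_inverse(gamma: Fp) -> Result<Fp, SynthesisError> {
    Option::from(gamma.invert()).ok_or(SynthesisError::UnexpectedIdentity)
}
```

Note that `pow_const` is still not the addition-chain exponentiation the thread anticipates for `ff_derive`; a fixed double-and-add over a public exponent gives the same timing property at roughly twice the multiplications, which is enough to show the API contract but not the performance the proc macro is after.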