secp256k1: Refactor constant time selection function.#3711
Open
davecgh wants to merge 7 commits into
Open
Conversation
Introduce FieldVal64, an alternative secp256k1 field element that packs the value into four uint64 limbs (base 2^64) and stays fully reduced after every operation. AI-assisted: developed with the help of an AI coding assistant; all code reviewed and tested by the author.
Add a test suite for FieldVal64 mirroring the existing FieldVal tests: serialization round-trips, arithmetic (add, negate, multiply, square), normalization, inverse, square root, and the bit predicates, plus randomized checks. Cases that only apply to the unnormalized FieldVal representation are adjusted since FieldVal64 is always fully reduced. AI-assisted: developed with the help of an AI coding assistant; all code reviewed and tested by the author.
Add micro-benchmarks for the FieldVal64 multiply, square, inverse, and related operations to track the pure Go performance. AI-assisted: developed with the help of an AI coding assistant; all code reviewed and tested by the author.
Reorder methods to mirror field.go and tidy the exported doc comments so the two field backends stay consistent. Drop Normalize and magnitude tracking since FieldVal64 is always fully reduced, add MulBy2, MulBy3, MulBy4, and MulBy8 for the common small-constant multiplications, and back them with a generic MulInt. Rework the edge-case tests to exercise the 4x64 limbs rather than the 10x26 word boundaries inherited from FieldVal, remove the inconsistent TestField64ReductionCarry, and ensure the operations remain constant time, along with assorted small fixes.
The various functions for comparing in constant time are no longer limited to only being used in mod n scalars, so move them into their own file.
This introduces a new function for selecting between two uint64s in constant time and modifies code that manually performs the selection to make use of the function to improve readability. The function gets inlined, so there is no loss of performance. The order of the condition is also reversed to match the typical hardware intrinsic which also resembles the ternary operator.
This adds a test for the new constantTimeSelect64 function to help ensure proper behavior.
davecgh
force-pushed
the
secp256k1_consttimesel
branch
from
5877379 to
207a977
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This requires #3708.
This introduces a new function for selecting between two uint64s in constant time and modifies code that manually performs the selection to make use of the function to improve readability along with tests to ensure proper functionality. The function gets inlined, so there is no loss of performance.
The order of the condition is also reversed to match the typical hardware intrinsic which also resembles the ternary operator.
It also separates out the various other functions for comparing in constant time to a separate file since they are no longer limited to only being used in mod n scalars.