Falcon Post Quantum Digital Signature Verification, in Miden Assembly #369
Conversation
…ion of Falcon signature Signed-off-by: Anjan Roy <hello@itzmeanjan.in>
Signed-off-by: Anjan Roy <hello@itzmeanjan.in>
This implementation has some assumptions about input state (more concretely, how input is provided to the verification routine), which can be understood by going through the comments accompanying the implementation assembly. Signed-off-by: Anjan Roy <hello@itzmeanjan.in>
…degree 512 This optimization gain is achieved by using `loadw.mem` instead of `pushw.mem` instruction. Signed-off-by: Anjan Roy <hello@itzmeanjan.in>
…oopifying repetitive instructions This increases cost of signature verification by 1762 VM cycles Signed-off-by: Anjan Roy <hello@itzmeanjan.in>
…ory address) when normalizing a degree-512 polynomial. Some unnecessary stack push operations are skipped. Signed-off-by: Anjan Roy <hello@itzmeanjan.in>
…ng to pointer based interface. Pointer based interface denotes traversing memory using pointer arithmetic (i.e. applying the `INCR` instruction on the previous memory address to compute the next absolute memory address). Cost of signature verification: 347,649 cycles. Signed-off-by: Anjan Roy <hello@itzmeanjan.in>
At commit 23aad20, cost of Falcon512 signature verification: 347,649 cycles.
…w API, avoiding some memcpy(s) Cost of signature verification is 337,402 cycles. Signed-off-by: Anjan Roy <hello@itzmeanjan.in>
At commit 562425b, cost of signature verification is 337,402 cycles.
…cal memory indexing order This commit is due to rebasing from `next`. Signed-off-by: Anjan Roy <hello@itzmeanjan.in>
Commit 17882bb includes latest from
stdlib/asm/crypto/dsa/falcon.masm
# Expected stack state :
#
# [f_addr0, f_addr1, ..., f_addr126, f_addr127, g_addr0, g_addr1, ..., g_addr126, g_addr127,
# h_addr0, h_addr1, ..., h_addr126, h_addr127, k_addr0, k_addr1, ..., k_addr126, k_addr127, ...] | 512 absolute memory addresses
Is this comment still accurate? I thought we are providing just starting addresses via the stack (e.g., f_start_addr) rather than consecutive addresses.
All looks good! Thank you!
This PR implements Falcon-512 PQ DSA, in Miden Assembly, with the following assumptions:
- f, g, h, k are supplied as input to the program; this is actually the decompressed signature, just that each coefficient is represented as its absolute value (sign bit is ignored).
- If signature verification fails, program execution should stop due to an assertion failure, which checks whether the norm of the signature is small enough or not.
Note: this PR needs to be reviewed after PRs #349 and #368 (in the order they appear) are reviewed & merged.
Cost of signature verification at 7357b77: 335,399 cycles.
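Added reference model in plain Python (not the PR's Miden assembly and not part of this thread) of the norm check that the assertion above enforces: it recomputes s1 = c - s2*h mod q and rejects when ||(s1, s2)||^2 exceeds the Falcon-512 bound, which also shows why handing the verifier coefficient magnitudes with the sign bit dropped loses nothing, since only squares enter the norm. The constants q, n and floor(beta^2) are from the Falcon specification; the names h, c, s1, s2 and the helper sample_instance are constructed test data, and the model follows the standard Falcon check rather than the f/g/h/k input layout the PR uses.

```python
import random

# Falcon-512 parameters, taken from the Falcon specification.
Q = 12289           # coefficient modulus
N = 512             # polynomial degree
BETA_SQ = 34034726  # floor(beta^2): accepted bound on ||(s1, s2)||^2


def poly_mul_mod(a, b):
    """Schoolbook product of a and b in Z_q[x] / (x^N + 1)."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] = (res[k] + ai * bj) % Q
            else:  # x^N == -1, so the wrapped-around term changes sign
                res[k - N] = (res[k - N] - ai * bj) % Q
    return res


def centered(x):
    """Lift a coefficient in [0, q) to its representative in (-q/2, q/2]."""
    return x - Q if x > Q // 2 else x


def squared_norm(s1, s2):
    """||(s1, s2)||^2. Only |coefficient| enters, which is why the verifier
    can be handed magnitudes with the sign bit dropped."""
    return sum(abs(x) ** 2 for x in s1) + sum(abs(x) ** 2 for x in s2)


def verify_norm(h, c, s2):
    """Recompute s1 = c - s2*h (centred mod q) and enforce the Falcon-512 bound.
    The Miden routine expresses this check as an assertion that halts on failure."""
    s1 = [centered((ci - pi) % Q) for ci, pi in zip(c, poly_mul_mod(s2, h))]
    return squared_norm(s1, s2) <= BETA_SQ


def sample_instance(seed=1):
    """Constructed test data: random public key h, short s1/s2 and the matching
    point c = s1 + s2*h mod q (c is assumed here, not hashed from a message)."""
    rng = random.Random(seed)
    h = [rng.randrange(Q) for _ in range(N)]
    s1 = [rng.randint(-40, 40) for _ in range(N)]
    s2 = [rng.randint(-40, 40) for _ in range(N)]
    c = [(a + b) % Q for a, b in zip(s1, poly_mul_mod(s2, h))]
    return h, c, s1, s2
```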