WIP Group verification #1032
Closed
WIP Group verification #1032
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Removing _normalize_weak from several group add methods gives 2-3% speedup across major benchmarks (64 bit). |
|
Originally conceived many years ago now: #159 . |
peterdettman
force-pushed
the
group_verify
branch
from
085dbf9
to
6d185f8
Compare
peterdettman
force-pushed
the
group_verify
branch
from
6d185f8
to
e90f4ac
Compare
peterdettman
force-pushed
the
group_verify
branch
from
e90f4ac
to
e5a3f68
Compare
|
Rebased and added some missing verify calls. I've noted that there are several places where code directly manipulates the fields of group elements without calling a group method to do so. So the group structs are a bit too "open" at the moment. It should be possible to add suitable methods so that the group structs act more like abstract data types, and in particular so that we have a definite boundary at which to be able to place VERIFY calls in relation to group internals. |
peterdettman
force-pushed
the
group_verify
branch
from
e5a3f68
to
944622a
Compare
peterdettman
force-pushed
the
group_verify
branch
from
944622a
to
0a82084
Compare
|
@peterdettman This has "WIP" in the title but it looks pretty mature already. Can you comment on the status? |
|
@real-or-random See my previous comment; basically there are still quite a few unguarded local operations on group structs (i.e. not abstracted as group methods). These are not too difficult to track down comprehensively, but it occurs to me that, even once committed, we might need to allow some time for the abstraction to sink in to developers' minds before trying to exploit it (as per the "Save _normalize_weak..." commit) - there might be some backsliding. We could discuss ways of enforcing the abstraction in the language (or tooling), but the field implementations are in the same boat and just rely on "it being understood". |
|
A notion of group verification was introduced through #1299. The later commits here will need to be redone on top of that. |
theStack
added a commit
to theStack/secp256k1
that referenced
this pull request
Jun 15, 2023
The group element checks `secp256k1_{ge,gej}_verify` have first been
implemented and added in commit f202667
(PR bitcoin-core#1299). This commit adds additional verification calls in group
functions, to match the ones that were originally proposed in commit
09dbba5 of WIP-PR bitcoin-core#1032 (which is
obviously not rebased on bitcoin-core#1299 yet).
Co-authored-by: Peter Dettman <peter.dettman@gmail.com>
theStack
added a commit
to theStack/secp256k1
that referenced
this pull request
Jun 27, 2023
The group element checks `secp256k1_{ge,gej}_verify` have first been
implemented and added in commit f202667
(PR bitcoin-core#1299). This commit adds additional verification calls in group
functions, to match the ones that were originally proposed in commit
09dbba5 of WIP-PR bitcoin-core#1032 (which is
obviously not rebased on bitcoin-core#1299 yet).
Co-authored-by: Peter Dettman <peter.dettman@gmail.com>
|
Closing in favor of #1348 |
theStack
added a commit
to theStack/secp256k1
that referenced
this pull request
Jul 10, 2023
The group element checks `secp256k1_{ge,gej}_verify` have first been
implemented and added in commit f202667
(PR bitcoin-core#1299). This commit adds additional verification calls in group
functions, to match the ones that were originally proposed in commit
09dbba5 of WIP-PR bitcoin-core#1032 (which is
obviously not rebased on bitcoin-core#1299 yet).
Co-authored-by: Peter Dettman <peter.dettman@gmail.com>
theStack
added a commit
to theStack/secp256k1
that referenced
this pull request
Jul 14, 2023
The group element checks `secp256k1_{ge,gej}_verify` have first been
implemented and added in commit f202667
(PR bitcoin-core#1299). This commit adds additional verification calls in group
functions, to match the ones that were originally proposed in commit
09dbba5 of WIP-PR bitcoin-core#1032 (which is
obviously not rebased on bitcoin-core#1299 yet).
Co-authored-by: Peter Dettman <peter.dettman@gmail.com>
theStack
added a commit
to theStack/secp256k1
that referenced
this pull request
Jul 14, 2023
The group element checks `secp256k1_{ge,gej}_verify` have first been
implemented and added in commit f202667
(PR bitcoin-core#1299). This commit adds additional verification calls in group
functions, to match the ones that were originally proposed in commit
09dbba5 of WIP-PR bitcoin-core#1032 (which is
obviously not rebased on bitcoin-core#1299 yet).
Also, for easier review, all functions handling group elements are
structured in the following wasy for easier review (idea suggested by
Tim Ruffing):
- on entry, verify all input ge, gej (and fe)
- empty line
- actual function body
- empty line
- on exit, verify all output ge, gej
Co-authored-by: Peter Dettman <peter.dettman@gmail.com>
Co-authored-by: Tim Ruffing <crypto@timruffing.de>
theStack
added a commit
to theStack/secp256k1
that referenced
this pull request
Jul 15, 2023
The group element checks `secp256k1_{ge,gej}_verify` have first been
implemented and added in commit f202667
(PR bitcoin-core#1299). This commit adds additional verification calls in group
functions, to match the ones that were originally proposed in commit
09dbba5 of WIP-PR bitcoin-core#1032 (which is
obviously not rebased on bitcoin-core#1299 yet).
Also, for easier review, all functions handling group elements are
structured in the following wasy for easier review (idea suggested by
Tim Ruffing):
- on entry, verify all input ge, gej (and fe)
- empty line
- actual function body
- empty line
- on exit, verify all output ge, gej
Co-authored-by: Peter Dettman <peter.dettman@gmail.com>
Co-authored-by: Tim Ruffing <crypto@timruffing.de>
theStack
added a commit
to theStack/secp256k1
that referenced
this pull request
Jul 22, 2023
The group element checks `secp256k1_{ge,gej}_verify` have first been
implemented and added in commit f202667
(PR bitcoin-core#1299). This commit adds additional verification calls in group
functions, to match the ones that were originally proposed in commit
09dbba5 of WIP-PR bitcoin-core#1032 (which is
obviously not rebased on bitcoin-core#1299 yet).
Also, for easier review, all functions handling group elements are
structured in the following wasy for easier review (idea suggested by
Tim Ruffing):
- on entry, verify all input ge, gej (and fe)
- empty line
- actual function body
- empty line
- on exit, verify all output ge, gej
Co-authored-by: Peter Dettman <peter.dettman@gmail.com>
Co-authored-by: Tim Ruffing <crypto@timruffing.de>
real-or-random
added a commit
that referenced
this pull request
Aug 16, 2023
…s in group add methods (revival of #1032) b7c685e Save _normalize_weak calls in group add methods (Peter Dettman) c83afa6 Tighten group magnitude limits (Peter Dettman) 173e8d0 Implement current magnitude assumptions (Peter Dettman) 49afd2f Take use of _fe_verify_magnitude in field_impl.h (Sebastian Falbesoner) 4e9661f Add _fe_verify_magnitude (no-op unless VERIFY is enabled) (Peter Dettman) 690b0fc add missing group element invariant checks (Sebastian Falbesoner) Pull request description: This PR picks up #1032 by peterdettman. It's essentially a rebase on master; the original first commit (09dbba5) which introduced group verification methods has mostly been replaced by PR #1299 (commit f202667) and what remains now is only adding a few missing checks at some places. The remaining commits are unchanged, though some (easy-to-solve) conflicts appeared through cherry-picking. The last commit which actually removes the `normalize_weak` calls is obviously the critical one and needs the most attention for review. ACKs for top commit: sipa: utACK b7c685e real-or-random: ACK b7c685e jonasnick: ACK b7c685e Tree-SHA512: f15167eff7ef6ed971c726a4d738de9a15be95b0c947d7e38329e7b16656202b7113497d36625304e784866349f2293f6f1d8cb97df35393af9ea465a4156da3
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Sets up pre- and post- method verification of _ge and _gej group elements. At the moment, this is concerned mainly with imposing a tighter limit (than the default) on the magnitudes of field elements x, y (,z).
Having guarantees about the magnitudes in input group elements can let us avoid some of the normalization calls needed at the start of several group addition methods, and perhaps e.g. use an alternative double algorithm. There may be a trade-off between the effort needed to get outputs to meet lower limits vs the benefits that provides to other methods.