Default to constant time. Make Marshal() vartime instead

2020-09-10 21:01:05 +03:00 · 2020-09-10 21:01:05 +03:00 · 8d5020a5e5
parent 92e7fe311b
commit 8d5020a5e5
10 changed files with 49 additions and 23 deletions
--- a/core/vm/contracts.go
+++ b/core/vm/contracts.go
@ -338,7 +338,7 @@ func runBn256Add(input []byte) ([]byte, error) {
 	}
 	res := new(bn256.G1)
 	res.Add(x, y)
-	return res.Marshal(), nil
+	return res.MarshalVariableTime(), nil
 }

 // bn256Add implements a native elliptic curve point addition conforming to
@ -376,7 +376,7 @@ func runBn256ScalarMul(input []byte) ([]byte, error) {
 	}
 	res := new(bn256.G1)
 	res.ScalarMult(p, new(big.Int).SetBytes(getData(input, 64, 32)))
-	return res.Marshal(), nil
+	return res.MarshalVariableTime(), nil
 }

 // bn256ScalarMulIstanbul implements a native elliptic curve scalar
--- a/crypto/bn256/cloudflare/bn256.go
+++ b/crypto/bn256/cloudflare/bn256.go
@ -119,6 +119,32 @@ func (e *G1) Marshal() []byte {
 	return ret
 }

+// Marshal converts e to a byte slice.
+// Uses variable time algorithms for inversion
+// for transformation to affine coordinates
+func (e *G1) MarshalVariableTime() []byte {
+	// Each value is a 256-bit number.
+	const numBytes = 256 / 8
+
+	if e.p == nil {
+		e.p = &curvePoint{}
+	}
+
+	e.p.MakeAffineVariableTime()
+	ret := make([]byte, numBytes*2)
+	if e.p.IsInfinity() {
+		return ret
+	}
+	temp := &gfP{}
+
+	montDecode(temp, &e.p.x)
+	temp.Marshal(ret)
+	montDecode(temp, &e.p.y)
+	temp.Marshal(ret[numBytes:])
+
+	return ret
+}
+
 // Unmarshal sets e to the result of converting the output of Marshal back into
 // a group element and then returns e.
 func (e *G1) Unmarshal(m []byte) ([]byte, error) {
@ -236,7 +262,7 @@ func (e *G2) Marshal() []byte {
 		e.p = &twistPoint{}
 	}

-	e.p.MakeAffineConstantTime()
+	e.p.MakeAffine()
 	ret := make([]byte, numBytes*4)
 	if e.p.IsInfinity() {
 		return ret
--- a/crypto/bn256/cloudflare/bn256_test.go
+++ b/crypto/bn256/cloudflare/bn256_test.go
@ -99,7 +99,7 @@ func TestBinaryEAA(t *testing.T) {
 			t.Fatal(err)
 		}
 		tmpLittleFermat := &gfP{}
-		tmpLittleFermat.InvertConstantTime(&Ga.p.x)
+		tmpLittleFermat.Invert(&Ga.p.x)

 		tmpBinaryEAA := &gfP{}
 		tmpBinaryEAA.InvertVariableTime(&Ga.p.x)
@ -127,7 +127,7 @@ func BenchmarkLittleFermatInversion(b *testing.B) {

 	tmp := &gfP{}
 	for i := 0; i < b.N; i++ {
-		tmp.InvertConstantTime(&el)
+		tmp.Invert(&el)
 	}
 }

--- a/crypto/bn256/cloudflare/curve.go
+++ b/crypto/bn256/cloudflare/curve.go
@ -206,7 +206,7 @@ func (c *curvePoint) Mul(a *curvePoint, scalar *big.Int) {
 	c.Set(sum)
 }

-func (c *curvePoint) MakeAffine() {
+func (c *curvePoint) MakeAffineVariableTime() {
 	if c.z == *newGFp(1) {
 		return
 	} else if c.z == *newGFp(0) {
@ -230,7 +230,7 @@ func (c *curvePoint) MakeAffine() {
 	c.t = *newGFp(1)
 }

-func (c *curvePoint) MakeAffineConstantTime() {
+func (c *curvePoint) MakeAffine() {
 	if c.z == *newGFp(1) {
 		return
 	} else if c.z == *newGFp(0) {
@ -241,7 +241,7 @@ func (c *curvePoint) MakeAffineConstantTime() {
 	}

 	zInv := &gfP{}
-	zInv.InvertConstantTime(&c.z)
+	zInv.Invert(&c.z)

 	t, zInv2 := &gfP{}, &gfP{}
 	gfpMul(t, &c.y, zInv)
--- a/crypto/bn256/cloudflare/gfp.go
+++ b/crypto/bn256/cloudflare/gfp.go
@ -31,7 +31,7 @@ func (e *gfP) Set(f *gfP) {
 	e[3] = f[3]
 }

-func (e *gfP) InvertConstantTime(f *gfP) {
+func (e *gfP) Invert(f *gfP) {
 	bits := [4]uint64{0x3c208c16d87cfd45, 0x97816a916871ca8d, 0xb85045b68181585d, 0x30644e72e131a029}

 	sum, power := &gfP{}, &gfP{}
@ -82,7 +82,7 @@ func montEncode(c, a *gfP) { gfpMul(c, a, r2) }
 func montDecode(c, a *gfP) { gfpMul(c, a, &gfP{1}) }

 func isZero(a *gfP) bool {
-	return a[0] == 0 && a[1] == 0 && a[2] == 0 && a[3] == 0
+	return (a[0] | a[1] | a[2] | a[3]) == 0
 }

 func isEven(a *gfP) bool {
--- a/crypto/bn256/cloudflare/gfp12.go
+++ b/crypto/bn256/cloudflare/gfp12.go
@ -159,7 +159,7 @@ func (e *gfP12) InvertVariableTime(a *gfP12) *gfP12 {
 	return e
 }

-func (e *gfP12) InvertConstantTime(a *gfP12) *gfP12 {
+func (e *gfP12) Invert(a *gfP12) *gfP12 {
 	// See "Implementing cryptographic pairings", M. Scott, section 3.2.
 	// ftp://136.206.11.249/pub/crypto/pairings.pdf
 	t1, t2 := &gfP6{}, &gfP6{}
@ -167,7 +167,7 @@ func (e *gfP12) InvertConstantTime(a *gfP12) *gfP12 {
 	t1.Square(&a.x)
 	t2.Square(&a.y)
 	t1.MulTau(t1).Sub(t2, t1)
-	t2.InvertConstantTime(t1)
+	t2.Invert(t1)

 	e.x.Neg(&a.x)
 	e.y.Set(&a.y)
--- a/crypto/bn256/cloudflare/gfp2.go
+++ b/crypto/bn256/cloudflare/gfp2.go
@ -155,7 +155,7 @@ func (e *gfP2) InvertVariableTime(a *gfP2) *gfP2 {
 	return e
 }

-func (e *gfP2) InvertConstantTime(a *gfP2) *gfP2 {
+func (e *gfP2) Invert(a *gfP2) *gfP2 {
 	// See "Implementing cryptographic pairings", M. Scott, section 3.2.
 	// ftp://136.206.11.249/pub/crypto/pairings.pdf
 	t1, t2 := &gfP{}, &gfP{}
@ -164,7 +164,7 @@ func (e *gfP2) InvertConstantTime(a *gfP2) *gfP2 {
 	gfpAdd(t1, t1, t2)

 	inv := &gfP{}
-	inv.InvertConstantTime(t1)
+	inv.Invert(t1)

 	gfpNeg(t1, &a.x)

--- a/crypto/bn256/cloudflare/gfp6.go
+++ b/crypto/bn256/cloudflare/gfp6.go
@ -168,7 +168,7 @@ func (e *gfP6) Square(a *gfP6) *gfP6 {
 	return e
 }

-func (e *gfP6) InvertConstantTime(a *gfP6) *gfP6 {
+func (e *gfP6) Invert(a *gfP6) *gfP6 {
 	// See "Implementing cryptographic pairings", M. Scott, section 3.2.
 	// ftp://136.206.11.249/pub/crypto/pairings.pdf

@ -204,7 +204,7 @@ func (e *gfP6) InvertConstantTime(a *gfP6) *gfP6 {
 	t1.Mul(B, &a.x).MulXi(t1)
 	F.Add(F, t1)

-	F.InvertVariableTime(F)
+	F.Invert(F)

 	e.x.Mul(C, F)
 	e.y.Mul(B, F)
@ -248,7 +248,7 @@ func (e *gfP6) InvertVariableTime(a *gfP6) *gfP6 {
 	t1.Mul(B, &a.x).MulXi(t1)
 	F.Add(F, t1)

-	F.InvertConstantTime(F)
+	F.InvertVariableTime(F)

 	e.x.Mul(C, F)
 	e.y.Mul(B, F)
--- a/crypto/bn256/cloudflare/optate.go
+++ b/crypto/bn256/cloudflare/optate.go
@ -124,7 +124,7 @@ func miller(q *twistPoint, p *curvePoint) *gfP12 {

 	aAffine := &twistPoint{}
 	aAffine.Set(q)
-	aAffine.MakeAffineConstantTime()
+	aAffine.MakeAffine()

 	bAffine := &curvePoint{}
 	bAffine.Set(p)
@ -217,7 +217,7 @@ func finalExponentiation(in *gfP12) *gfP12 {
 	t1.y.Set(&in.y)

 	inv := &gfP12{}
-	inv.InvertConstantTime(in)
+	inv.Invert(in)
 	t1.Mul(t1, inv)

 	t2 := (&gfP12{}).FrobeniusP2(t1)
--- a/crypto/bn256/cloudflare/twist.go
+++ b/crypto/bn256/cloudflare/twist.go
@ -31,7 +31,7 @@ var twistGen = &twistPoint{
 }

 func (c *twistPoint) String() string {
-	c.MakeAffineConstantTime()
+	c.MakeAffine()
 	x, y := gfP2Decode(&c.x), gfP2Decode(&c.y)
 	return "(" + x.String() + ", " + y.String() + ")"
 }
@ -45,7 +45,7 @@ func (c *twistPoint) Set(a *twistPoint) {

 // IsOnCurve returns true iff c is on the curve.
 func (c *twistPoint) IsOnCurve() bool {
-	c.MakeAffineConstantTime()
+	c.MakeAffine()
 	if c.IsInfinity() {
 		return true
 	}
@ -196,7 +196,7 @@ func (c *twistPoint) MakeAffineVariableTime() {
 	c.t.SetOne()
 }

-func (c *twistPoint) MakeAffineConstantTime() {
+func (c *twistPoint) MakeAffine() {
 	if c.z.IsOne() {
 		return
 	} else if c.z.IsZero() {
@ -206,7 +206,7 @@ func (c *twistPoint) MakeAffineConstantTime() {
 		return
 	}

-	zInv := (&gfP2{}).InvertConstantTime(&c.z)
+	zInv := (&gfP2{}).Invert(&c.z)
 	t := (&gfP2{}).Mul(&c.y, zInv)
 	zInv2 := (&gfP2{}).Square(zInv)
 	c.y.Mul(t, zInv2)