kris
/
SIDH_p751
1
0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
126 Revize
14 Větve
653 KiB
 
 
 
Strom: 70b81002a7
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „70b81002a7“
${ noResults }
SIDH_p751/p503/arith_test.go

342 řádky
8.4 KiB
Surový Blame Historie 

  1. package p503

  2. 

  3. import (

  4. 	. "github.com/cloudflare/p751sidh/internal/isogeny"

  5. 	"math/big"

  6. 	"testing"

  7. 	"testing/quick"

  8. )

  9. 

  10. //------------------------------------------------------------------------------

  11. // Extended Field

  12. //------------------------------------------------------------------------------

  13. 

  14. func TestOneFp2ToBytes(t *testing.T) {

  15. 	var x = P503_OneFp2

  16. 	var xBytes [2 * P503_Bytelen]byte

  17. 

  18. 	kCurveOps.Fp2ToBytes(xBytes[:], &x)

  19. 	if xBytes[0] != 1 {

  20. 		t.Error("Expected 1, got", xBytes[0])

  21. 	}

  22. 	for i := 1; i < 2*P503_Bytelen; i++ {

  23. 		if xBytes[i] != 0 {

  24. 			t.Error("Expected 0, got", xBytes[0])

  25. 		}

  26. 	}

  27. }

  28. 

  29. func TestFp2ElementToBytesRoundTrip(t *testing.T) {

  30. 	roundTrips := func(x GeneratedTestParams) bool {

  31. 		var xBytes [2 * P503_Bytelen]byte

  32. 		var xPrime Fp2Element

  33. 

  34. 		kCurveOps.Fp2ToBytes(xBytes[:], &x.ExtElem)

  35. 		kCurveOps.Fp2FromBytes(&xPrime, xBytes[:])

  36. 		return VartimeEqFp2(&xPrime, &x.ExtElem)

  37. 	}

  38. 

  39. 	if err := quick.Check(roundTrips, quickCheckConfig); err != nil {

  40. 		t.Error(err)

  41. 	}

  42. }

  43. 

  44. func TestFp2ElementMulDistributesOverAdd(t *testing.T) {

  45. 	mulDistributesOverAdd := func(x, y, z GeneratedTestParams) bool {

  46. 		// Compute t1 = (x+y)*z

  47. 		t1 := new(Fp2Element)

  48. 		kFieldOps.Add(t1, &x.ExtElem, &y.ExtElem)

  49. 		kFieldOps.Mul(t1, t1, &z.ExtElem)

  50. 

  51. 		// Compute t2 = x*z + y*z

  52. 		t2 := new(Fp2Element)

  53. 		t3 := new(Fp2Element)

  54. 		kFieldOps.Mul(t2, &x.ExtElem, &z.ExtElem)

  55. 		kFieldOps.Mul(t3, &y.ExtElem, &z.ExtElem)

  56. 		kFieldOps.Add(t2, t2, t3)

  57. 

  58. 		return VartimeEqFp2(t1, t2)

  59. 	}

  60. 

  61. 	if err := quick.Check(mulDistributesOverAdd, quickCheckConfig); err != nil {

  62. 		t.Error(err)

  63. 	}

  64. }

  65. 

  66. func TestFp2ElementMulIsAssociative(t *testing.T) {

  67. 	isAssociative := func(x, y, z GeneratedTestParams) bool {

  68. 		// Compute t1 = (x*y)*z

  69. 		t1 := new(Fp2Element)

  70. 		kFieldOps.Mul(t1, &x.ExtElem, &y.ExtElem)

  71. 		kFieldOps.Mul(t1, t1, &z.ExtElem)

  72. 

  73. 		// Compute t2 = (y*z)*x

  74. 		t2 := new(Fp2Element)

  75. 		kFieldOps.Mul(t2, &y.ExtElem, &z.ExtElem)

  76. 		kFieldOps.Mul(t2, t2, &x.ExtElem)

  77. 

  78. 		return VartimeEqFp2(t1, t2)

  79. 	}

  80. 

  81. 	if err := quick.Check(isAssociative, quickCheckConfig); err != nil {

  82. 		t.Error(err)

  83. 	}

  84. }

  85. 

  86. func TestFp2ElementSquareMatchesMul(t *testing.T) {

  87. 	sqrMatchesMul := func(x GeneratedTestParams) bool {

  88. 		// Compute t1 = (x*x)

  89. 		t1 := new(Fp2Element)

  90. 		kFieldOps.Mul(t1, &x.ExtElem, &x.ExtElem)

  91. 

  92. 		// Compute t2 = x^2

  93. 		t2 := new(Fp2Element)

  94. 		kFieldOps.Square(t2, &x.ExtElem)

  95. 

  96. 		return VartimeEqFp2(t1, t2)

  97. 	}

  98. 

  99. 	if err := quick.Check(sqrMatchesMul, quickCheckConfig); err != nil {

  100. 		t.Error(err)

  101. 	}

  102. }

  103. 

  104. func TestFp2ElementInv(t *testing.T) {

  105. 	inverseIsCorrect := func(x GeneratedTestParams) bool {

  106. 		z := new(Fp2Element)

  107. 		kFieldOps.Inv(z, &x.ExtElem)

  108. 

  109. 		// Now z = (1/x), so (z * x) * x == x

  110. 		kFieldOps.Mul(z, z, &x.ExtElem)

  111. 		kFieldOps.Mul(z, z, &x.ExtElem)

  112. 

  113. 		return VartimeEqFp2(z, &x.ExtElem)

  114. 	}

  115. 

  116. 	// This is more expensive; run fewer tests

  117. 	var quickCheckConfig = &quick.Config{MaxCount: (1 << (8 + quickCheckScaleFactor))}

  118. 	if err := quick.Check(inverseIsCorrect, quickCheckConfig); err != nil {

  119. 		t.Error(err)

  120. 	}

  121. }

  122. 

  123. func TestFp2ElementBatch3Inv(t *testing.T) {

  124. 	batchInverseIsCorrect := func(x1, x2, x3 GeneratedTestParams) bool {

  125. 		var x1Inv, x2Inv, x3Inv Fp2Element

  126. 		kFieldOps.Inv(&x1Inv, &x1.ExtElem)

  127. 		kFieldOps.Inv(&x2Inv, &x2.ExtElem)

  128. 		kFieldOps.Inv(&x3Inv, &x3.ExtElem)

  129. 

  130. 		var y1, y2, y3 Fp2Element

  131. 		kCurveOps.Fp2Batch3Inv(&x1.ExtElem, &x2.ExtElem, &x3.ExtElem, &y1, &y2, &y3)

  132. 

  133. 		return (VartimeEqFp2(&x1Inv, &y1) && VartimeEqFp2(&x2Inv, &y2) && VartimeEqFp2(&x3Inv, &y3))

  134. 	}

  135. 

  136. 	// This is more expensive; run fewer tests

  137. 	var quickCheckConfig = &quick.Config{MaxCount: (1 << (5 + quickCheckScaleFactor))}

  138. 	if err := quick.Check(batchInverseIsCorrect, quickCheckConfig); err != nil {

  139. 		t.Error(err)

  140. 	}

  141. }

  142. 

  143. //------------------------------------------------------------------------------

  144. // Prime Field

  145. //------------------------------------------------------------------------------

  146. 

  147. func TestPrimeFieldElementMulVersusBigInt(t *testing.T) {

  148. 	mulMatchesBigInt := func(x, y primeFieldElement) bool {

  149. 		z := new(primeFieldElement)

  150. 		z.Mul(&x, &y)

  151. 		check := new(big.Int)

  152. 		check.Mul(toBigInt(&x.A), toBigInt(&y.A))

  153. 		check.Mod(check, p503BigIntPrime)

  154. 		return check.Cmp(toBigInt(&z.A)) == 0

  155. 	}

  156. 

  157. 	if err := quick.Check(mulMatchesBigInt, quickCheckConfig); err != nil {

  158. 		t.Error(err)

  159. 	}

  160. }

  161. 

  162. func TestPrimeFieldElementP34VersusBigInt(t *testing.T) {

  163. 	var p34, _ = new(big.Int).SetString("3293960789226779345209813229049836260623046691894590999611415869258960983005190308379728727886506087902151787597521914245745576582754898490288559357951", 10)

  164. 	p34MatchesBigInt := func(x primeFieldElement) bool {

  165. 		z := new(primeFieldElement)

  166. 		z.P34(&x)

  167. 

  168. 		check := toBigInt(&x.A)

  169. 		check.Exp(check, p34, p503BigIntPrime)

  170. 

  171. 		return check.Cmp(toBigInt(&z.A)) == 0

  172. 	}

  173. 

  174. 	// This is more expensive; run fewer tests

  175. 	var quickCheckConfig = &quick.Config{MaxCount: (1 << (8 + quickCheckScaleFactor))}

  176. 	if err := quick.Check(p34MatchesBigInt, quickCheckConfig); err != nil {

  177. 		t.Error(err)

  178. 	}

  179. }

  180. 

  181. func TestPrimeFieldElementToBigInt(t *testing.T) {

  182. 	// Chosen so that p < xR < 2p

  183. 	x := primeFieldElement{A: FpElement{

  184. 		1, 1, 1, 1, 1, 1, 1, 36028797018963968,

  185. 	},

  186. 	}

  187. 	// Computed using Sage:

  188. 	// sage: p = 2^e2 * 3^e3 - 1

  189. 	// sage: R = 2^512

  190. 	// sage: from_radix_64 = lambda xs: sum((xi * (2**64)**i for i,xi in enumerate(xs)))

  191. 	// sage: xR = from_radix_64([1]*7 + [2^55])

  192. 	// sage: assert(p < xR)

  193. 	// sage: assert(xR < 2*p)

  194. 	// sage: (xR / R) % p

  195. 	xBig, _ := new(big.Int).SetString("9018685569593152305590037326062904046918870374552508285127709347526265324701162612011653377441752634975109935373869185819144129719824212073345315986301", 10)

  196. 	if xBig.Cmp(toBigInt(&x.A)) != 0 {

  197. 		t.Error("Expected", xBig, "found", toBigInt(&x.A))

  198. 	}

  199. }

  200. 

  201. func TestFpElementConditionalSwap(t *testing.T) {

  202. 	var one = FpElement{1, 1, 1, 1, 1, 1, 1, 1}

  203. 	var two = FpElement{2, 2, 2, 2, 2, 2, 2, 2}

  204. 

  205. 	var x = one

  206. 	var y = two

  207. 

  208. 	fp503ConditionalSwap(&x, &y, 0)

  209. 

  210. 	if !(x == one && y == two) {

  211. 		t.Error("Found", x, "expected", one)

  212. 	}

  213. 

  214. 	fp503ConditionalSwap(&x, &y, 1)

  215. 

  216. 	if !(x == two && y == one) {

  217. 		t.Error("Found", x, "expected", two)

  218. 	}

  219. }

  220. 

  221. func BenchmarkFp2ElementMul(b *testing.B) {

  222. 	z := &Fp2Element{A: bench_x, B: bench_y}

  223. 	w := new(Fp2Element)

  224. 

  225. 	for n := 0; n < b.N; n++ {

  226. 		kFieldOps.Mul(w, z, z)

  227. 	}

  228. }

  229. 

  230. func BenchmarkFp2ElementInv(b *testing.B) {

  231. 	z := &Fp2Element{A: bench_x, B: bench_y}

  232. 	w := new(Fp2Element)

  233. 

  234. 	for n := 0; n < b.N; n++ {

  235. 		kFieldOps.Inv(w, z)

  236. 	}

  237. }

  238. 

  239. func BenchmarkFp2ElementSquare(b *testing.B) {

  240. 	z := &Fp2Element{A: bench_x, B: bench_y}

  241. 	w := new(Fp2Element)

  242. 

  243. 	for n := 0; n < b.N; n++ {

  244. 		kFieldOps.Square(w, z)

  245. 	}

  246. }

  247. 

  248. func BenchmarkFp2ElementAdd(b *testing.B) {

  249. 	z := &Fp2Element{A: bench_x, B: bench_y}

  250. 	w := new(Fp2Element)

  251. 

  252. 	for n := 0; n < b.N; n++ {

  253. 		kFieldOps.Add(w, z, z)

  254. 	}

  255. }

  256. 

  257. func BenchmarkFp2ElementSub(b *testing.B) {

  258. 	z := &Fp2Element{A: bench_x, B: bench_y}

  259. 	w := new(Fp2Element)

  260. 

  261. 	for n := 0; n < b.N; n++ {

  262. 		kFieldOps.Sub(w, z, z)

  263. 	}

  264. }

  265. 

  266. func BenchmarkPrimeFieldElementMul(b *testing.B) {

  267. 	z := &primeFieldElement{A: bench_x}

  268. 	w := new(primeFieldElement)

  269. 

  270. 	for n := 0; n < b.N; n++ {

  271. 		w.Mul(z, z)

  272. 	}

  273. }

  274. 

  275. // --- field operation functions

  276. 

  277. func BenchmarkFp503Multiply(b *testing.B) {

  278. 	for n := 0; n < b.N; n++ {

  279. 		fp503Mul(&benchmarkFpElementX2, &bench_x, &bench_y)

  280. 	}

  281. }

  282. 

  283. func BenchmarkFp503MontgomeryReduce(b *testing.B) {

  284. 	z := bench_z

  285. 

  286. 	// This benchmark actually computes garbage, because

  287. 	// fp503MontgomeryReduce mangles its input, but since it's

  288. 	// constant-time that shouldn't matter for the benchmarks.

  289. 	for n := 0; n < b.N; n++ {

  290. 		fp503MontgomeryReduce(&benchmarkFpElement, &z)

  291. 	}

  292. }

  293. 

  294. func BenchmarkFp503AddReduced(b *testing.B) {

  295. 	for n := 0; n < b.N; n++ {

  296. 		fp503AddReduced(&benchmarkFpElement, &bench_x, &bench_y)

  297. 	}

  298. }

  299. 

  300. func BenchmarkFp503SubReduced(b *testing.B) {

  301. 	for n := 0; n < b.N; n++ {

  302. 		fp503SubReduced(&benchmarkFpElement, &bench_x, &bench_y)

  303. 	}

  304. }

  305. 

  306. func BenchmarkFp503ConditionalSwap(b *testing.B) {

  307. 	x, y := bench_x, bench_y

  308. 	for n := 0; n < b.N; n++ {

  309. 		fp503ConditionalSwap(&x, &y, 1)

  310. 		fp503ConditionalSwap(&x, &y, 0)

  311. 	}

  312. }

  313. 

  314. func BenchmarkFp503StrongReduce(b *testing.B) {

  315. 	x := bench_x

  316. 	for n := 0; n < b.N; n++ {

  317. 		fp503StrongReduce(&x)

  318. 	}

  319. }

  320. 

  321. func BenchmarkFp503AddLazy(b *testing.B) {

  322. 	var z FpElement

  323. 	x, y := bench_x, bench_y

  324. 	for n := 0; n < b.N; n++ {

  325. 		fp503AddLazy(&z, &x, &y)

  326. 	}

  327. }

  328. 

  329. func BenchmarkFp503X2AddLazy(b *testing.B) {

  330. 	x, y, z := bench_z, bench_z, bench_z

  331. 	for n := 0; n < b.N; n++ {

  332. 		fp503X2AddLazy(&x, &y, &z)

  333. 	}

  334. }

  335. 

  336. func BenchmarkFp503X2SubLazy(b *testing.B) {

  337. 	x, y, z := bench_z, bench_z, bench_z

  338. 	for n := 0; n < b.N; n++ {

  339. 		fp503X2SubLazy(&x, &y, &z)

  340. 	}

  341. }