Skip to content

Add skip_while condition for scalar mul#124

Open
tcoratger wants to merge 5 commits intozkcrypto:mainfrom
tcoratger:scalar-mul
Open

Add skip_while condition for scalar mul#124
tcoratger wants to merge 5 commits intozkcrypto:mainfrom
tcoratger:scalar-mul

Conversation

@tcoratger
Copy link
Copy Markdown

@tcoratger tcoratger commented Feb 20, 2024

During the multiplication of of G1/G2 by a scalar, the leading zeros can be skipped in the loop, because they induce unnecessary doubling calculations, giving always the identity value back before the first non zero element is reached in the rhs boolean array.

Skipping these useless calculations can reduce drastically the calculation costs, especially for small numbers.

Nashtare
Nashtare reviewed Feb 20, 2024
View reviewed changes
Copy link
Copy Markdown

@Nashtare Nashtare left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe such logic, while relevant to this library, should be in its own function, with the suffix var_time, as it goes against the expected constant-time implementation of the current scalar multiplication (which will naturally induce overhead).

Also such a bump in rust-toolchain should probably be made in a separate, distinct PR requiring a version bump.

@tcoratger
Copy link
Copy Markdown
Author

tcoratger commented Feb 20, 2024

I believe such logic, while relevant to this library, should be in its own function, with the suffix var_time, as it goes against the expected constant-time implementation of the current scalar multiplication (which will naturally induce overhead).

Also such a bump in rust-toolchain should probably be made in a separate, distinct PR requiring a version bump.

@Nashtare

  • Yes sorry for the bump, already submitted here: bump msrv to 1.64.0 #116, just cleaned up
  • About the logic I understand, but then you propose to add another separate function called multiply_vartime?
    • In my opinion that would be a bit of an implementation overhead, wouldn't it? especially since all the rest of the logic is exactly the same.
    • On sqrt or inv implementations, it's not constant time either, so is that really the problem here?

@Nashtare
Copy link
Copy Markdown

Nashtare commented Feb 20, 2024
edited
Loading

In my opinion that would be a bit of an implementation overhead, wouldn't it? especially since all the rest of the logic is exactly the same.

Having a distinction between constant-time VS variable-time for operations to be used in critical cryptographic scenarios is worth the overhead, trust me 🙂 Side-channels attacks do exist and can be devastating for a reason.

On sqrt or inv implementations, it's not constant time either, so is that really the problem here?

They are constant-time. The use of pow_vartime is fine in this context, because the exponent is hardcoded in both, effectively keeping them constant-time (see the note on pow_vartime method). Note that the README is emphasizing the constant-time operations support:

All operations are constant time unless explicitly noted.

@tcoratger
Copy link
Copy Markdown
Author

tcoratger commented Feb 20, 2024

In my opinion that would be a bit of an implementation overhead, wouldn't it? especially since all the rest of the logic is exactly the same.

Having a distinction between constant-time VS variable-time for operations to be used in critical cryptographic scenarios is worth the overhead, trust me 🙂 Side-channels attacks do exist and can be devastating for a reason.

On sqrt or inv implementations, it's not constant time either, so is that really the problem here?

They are constant-time. The use of pow_vartime is fine in this context, because the exponent is hardcoded in both, effectively keeping them constant-time (see the note on pow_vartime method). Note that the README is emphasizing the constant-time operations support:

All operations are constant time unless explicitly noted.

@Nashtare Ok I get your point. Just modified, tell me what you think about this, I can even add unit tests to cover this in parallel to const time implementation.

@Nashtare
Copy link
Copy Markdown

Nashtare commented Feb 20, 2024

Yeah unit tests to check consistency between the impls could be a nice add-on.
Note that I am not a maintainer of this library though, so I can't approve your PR.

@tcoratger
Copy link
Copy Markdown
Author

tcoratger commented Feb 20, 2024

@Nashtare Thanks for the review, unit tests are added where needed, waiting for a review/approval :)

@randombit
Copy link
Copy Markdown

randombit commented Mar 28, 2024

If you're going to make it variable time why not also remove the constant time conditional add? That will save, on average, half of the point addition steps.

tarcieri
tarcieri reviewed Apr 12, 2024
View reviewed changes
Comment thread src/g1.rs
.skip_while(|c| !bool::from(*c))
{
acc = acc.double();
acc = G1Projective::conditional_select(&acc, &(acc + self), bit);
Copy link
Copy Markdown

@tarcieri tarcieri Apr 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like you could just use a branch here, rather than conditional_select, since this is variable-time code?

Likewise you could use a bool instead of Choice, which will avoid subtle's memory barriers and should make the code easier for rustc to optimize.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@tarcieri tarcieri tarcieri left review comments

@Nashtare Nashtare Nashtare left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tcoratger @Nashtare @randombit @tarcieri