Merge branch 'master' into fuzz-6-modexp-slow-2

benchmarks/bench_ec_g1_scalar_mul.nim

@@ -45,11 +45,11 @@ proc main() =
   staticFor i, 0, AvailableCurves.len:
     const curve = AvailableCurves[i]
     const bits = curve.getCurveOrderBitwidth()
-    scalarMulUnsafeDoubleAddBench(ECP_ShortW_Prj[Fp[curve], G1], bits, MulIters)
-    scalarMulUnsafeDoubleAddBench(ECP_ShortW_Jac[Fp[curve], G1], bits, MulIters)
+    scalarMulVartimeDoubleAddBench(ECP_ShortW_Prj[Fp[curve], G1], bits, MulIters)
+    scalarMulVartimeDoubleAddBench(ECP_ShortW_Jac[Fp[curve], G1], bits, MulIters)
     separator()
-    scalarMulUnsafeMinHammingWeightRecodingBench(ECP_ShortW_Prj[Fp[curve], G1], bits, MulIters)
-    scalarMulUnsafeMinHammingWeightRecodingBench(ECP_ShortW_Jac[Fp[curve], G1], bits, MulIters)
+    scalarMulVartimeMinHammingWeightRecodingBench(ECP_ShortW_Prj[Fp[curve], G1], bits, MulIters)
+    scalarMulVartimeMinHammingWeightRecodingBench(ECP_ShortW_Jac[Fp[curve], G1], bits, MulIters)
     separator()
     scalarMulGenericBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 2, MulIters)
     scalarMulGenericBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 3, MulIters)
@@ -60,16 +60,25 @@ proc main() =
     scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 4, MulIters)
     scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 5, MulIters)
     separator()
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 2, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 3, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 4, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 5, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 2, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 3, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 4, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 5, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 2, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 3, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 4, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 5, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 2, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 3, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 4, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 5, MulIters)
     separator()
     when bits >= 196: # All endomorphisms constants are below this threshold
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 2, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 3, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 4, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Prj[Fp[curve], G1], bits, window = 5, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 2, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 3, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 4, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Jac[Fp[curve], G1], bits, window = 5, MulIters)
+      separator()
       scalarMulEndo(      ECP_ShortW_Prj[Fp[curve], G1], bits, MulIters)
       scalarMulEndoWindow(ECP_ShortW_Prj[Fp[curve], G1], bits, MulIters)
       scalarMulEndo(      ECP_ShortW_Jac[Fp[curve], G1], bits, MulIters)

benchmarks/bench_ec_g2_scalar_mul.nim

@@ -46,11 +46,11 @@ proc main() =
   staticFor i, 0, AvailableCurves.len:
     const curve = AvailableCurves[i]
     const bits = curve.getCurveOrderBitwidth()
-    scalarMulUnsafeDoubleAddBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, MulIters)
-    scalarMulUnsafeDoubleAddBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, MulIters)
+    scalarMulVartimeDoubleAddBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, MulIters)
+    scalarMulVartimeDoubleAddBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, MulIters)
     separator()
-    scalarMulUnsafeMinHammingWeightRecodingBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, MulIters)
-    scalarMulUnsafeMinHammingWeightRecodingBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, MulIters)
+    scalarMulVartimeMinHammingWeightRecodingBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, MulIters)
+    scalarMulVartimeMinHammingWeightRecodingBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, MulIters)
     separator()
     scalarMulGenericBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 2, MulIters)
     scalarMulGenericBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 3, MulIters)
@@ -61,16 +61,25 @@ proc main() =
     scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 4, MulIters)
     scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 5, MulIters)
     separator()
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 2, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 3, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 4, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 5, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 2, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 3, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 4, MulIters)
-    scalarMulUnsafeWNAFBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 5, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 2, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 3, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 4, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 5, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 2, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 3, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 4, MulIters)
+    scalarMulVartimeWNAFBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 5, MulIters)
     separator()
     when bits >= 196: # All endomorphisms constants are below this threshold
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 2, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 3, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 4, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Prj[Fp2[curve], G2], bits, window = 5, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 2, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 3, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 4, MulIters)
+      scalarMulVartimeEndoWNAFBench(ECP_ShortW_Jac[Fp2[curve], G2], bits, window = 5, MulIters)
+      separator()
       scalarMulEndo(ECP_ShortW_Prj[Fp2[curve], G2], bits, MulIters)
       scalarMulEndo(ECP_ShortW_Jac[Fp2[curve], G2], bits, MulIters)
       separator()

benchmarks/bench_elliptic_template.nim

@@ -52,9 +52,9 @@ proc report(op, elliptic: string, start, stop: MonoTime, startClk, stopClk: int6
   let ns = inNanoseconds((stop-start) div iters)
   let throughput = 1e9 / float64(ns)
   when SupportsGetTicks:
-    echo &"{op:<68} {elliptic:<32} {throughput:>15.3f} ops/s {ns:>16} ns/op {(stopClk - startClk) div iters:>12} CPU cycles (approx)"
+    echo &"{op:<68} {elliptic:<36} {throughput:>15.3f} ops/s {ns:>16} ns/op {(stopClk - startClk) div iters:>12} CPU cycles (approx)"
   else:
-    echo &"{op:<68} {elliptic:<32} {throughput:>15.3f} ops/s {ns:>16} ns/op"
+    echo &"{op:<68} {elliptic:<36} {throughput:>15.3f} ops/s {ns:>16} ns/op"
 
 template bench*(op: string, EC: typedesc, iters: int, body: untyped): untyped =
   measure(iters, startTime, stopTime, startClk, stopClk, body)
@@ -74,8 +74,12 @@ proc addBench*(EC: typedesc, iters: int) =
     bench("EC Add vartime " & $EC.G, EC, iters):
       r.sum_vartime(P, Q)
   else:
-    bench("EC Add " & $EC.G, EC, iters):
-      r.sum(P, Q)
+    block:
+      bench("EC Add " & $EC.G, EC, iters):
+        r.sum(P, Q)
+    block:
+      bench("EC Add vartime " & $EC.G, EC, iters):
+        r.sum_vartime(P, Q)
 
 proc mixedAddBench*(EC: typedesc, iters: int) =
   var r {.noInit.}: EC
@@ -88,8 +92,12 @@ proc mixedAddBench*(EC: typedesc, iters: int) =
     bench("EC Mixed Addition vartime " & $EC.G, EC, iters):
       r.madd_vartime(P, Qaff)
   else:
-    bench("EC Mixed Addition " & $EC.G, EC, iters):
-      r.madd(P, Qaff)
+    block:
+      bench("EC Mixed Addition " & $EC.G, EC, iters):
+        r.madd(P, Qaff)
+    block:
+      bench("EC Mixed Addition vartime " & $EC.G, EC, iters):
+        r.madd_vartime(P, Qaff)
 
 proc doublingBench*(EC: typedesc, iters: int) =
   var r {.noInit.}: EC
@@ -175,39 +183,50 @@ proc scalarMulEndoWindow*(EC: typedesc, bits: static int, iters: int) =
     else:
       {.error: "Not implemented".}
 
-proc scalarMulUnsafeDoubleAddBench*(EC: typedesc, bits: static int, iters: int) =
+proc scalarMulVartimeDoubleAddBench*(EC: typedesc, bits: static int, iters: int) =
   var r {.noInit.}: EC
   var P = rng.random_unsafe(EC)
   P.clearCofactor()
 
   let exponent = rng.random_unsafe(BigInt[bits])
 
-  bench("EC ScalarMul " & $bits & "-bit " & $EC.G & " (unsafe reference DoubleAdd)", EC, iters):
+  bench("EC ScalarMul " & $bits & "-bit " & $EC.G & " (vartime reference DoubleAdd)", EC, iters):
     r = P
     r.scalarMul_doubleAdd_vartime(exponent)
 
-proc scalarMulUnsafeMinHammingWeightRecodingBench*(EC: typedesc, bits: static int, iters: int) =
+proc scalarMulVartimeMinHammingWeightRecodingBench*(EC: typedesc, bits: static int, iters: int) =
   var r {.noInit.}: EC
   var P = rng.random_unsafe(EC)
   P.clearCofactor()
 
   let exponent = rng.random_unsafe(BigInt[bits])
 
-  bench("EC ScalarMul " & $bits & "-bit " & $EC.G & " (unsafe min Hamming Weight recoding)", EC, iters):
+  bench("EC ScalarMul " & $bits & "-bit " & $EC.G & " (vartime min Hamming Weight recoding)", EC, iters):
     r = P
     r.scalarMul_minHammingWeight_vartime(exponent)
 
-proc scalarMulUnsafeWNAFBench*(EC: typedesc, bits, window: static int, iters: int) =
+proc scalarMulVartimeWNAFBench*(EC: typedesc, bits, window: static int, iters: int) =
   var r {.noInit.}: EC
   var P = rng.random_unsafe(EC)
   P.clearCofactor()
 
   let exponent = rng.random_unsafe(BigInt[bits])
 
-  bench("EC ScalarMul " & $bits & "-bit " & $EC.G & " (unsafe wNAF-" & $window & ")", EC, iters):
+  bench("EC ScalarMul " & $bits & "-bit " & $EC.G & " (vartime wNAF-" & $window & ")", EC, iters):
     r = P
     r.scalarMul_minHammingWeight_windowed_vartime(exponent, window)
 
+proc scalarMulVartimeEndoWNAFBench*(EC: typedesc, bits, window: static int, iters: int) =
+  var r {.noInit.}: EC
+  var P = rng.random_unsafe(EC)
+  P.clearCofactor()
+
+  let exponent = rng.random_unsafe(BigInt[bits])
+
+  bench("EC ScalarMul " & $bits & "-bit " & $EC.G & " (vartime endomorphism + wNAF-" & $window & ")", EC, iters):
+    r = P
+    r.scalarMulEndo_minHammingWeight_windowed_vartime(exponent, window)
+
 proc multiAddBench*(EC: typedesc, numPoints: int, useBatching: bool, iters: int) =
   var points = newSeq[ECP_ShortW_Aff[EC.F, EC.G]](numPoints)
 

benchmarks/bench_ethereum_bls_signatures.nim

@@ -36,16 +36,15 @@ proc demoKeyGen(): tuple[seckey: SecretKey, pubkey: PublicKey] =
   # The API for keygen is not ready in ethereum_bls_signatures
   let ikm = rng.random_byte_seq(32)
   doAssert cast[ptr BigInt[255]](result.seckey.addr)[].derive_master_secretKey(ikm)
-  let ok = result.pubkey.derive_pubkey(result.seckey)
-  doAssert ok == cttBLS_Success
+  result.pubkey.derive_pubkey(result.seckey)
 
 proc benchDeserPubkey*(iters: int) =
   let (sk, pk) = demoKeyGen()
   var pk_comp{.noInit.}: array[48, byte]
 
   # Serialize compressed
-  let ok = pk_comp.serialize_pubkey_compressed(pk)
-  doAssert ok == cttBLS_Success
+  let status = pk_comp.serialize_pubkey_compressed(pk)
+  doAssert status == cttCodecEcc_Success
 
   var pk2{.noInit.}: PublicKey
 
@@ -57,8 +56,8 @@ proc benchDeserPubkeyUnchecked*(iters: int) =
   var pk_comp{.noInit.}: array[48, byte]
 
   # Serialize compressed
-  let ok = pk_comp.serialize_pubkey_compressed(pk)
-  doAssert ok == cttBLS_Success
+  let status = pk_comp.serialize_pubkey_compressed(pk)
+  doAssert status == cttCodecEcc_Success
 
   var pk2{.noInit.}: PublicKey
 
@@ -73,12 +72,11 @@ proc benchDeserSig*(iters: int) =
     sig_comp{.noInit.}: array[96, byte]
     sig {.noInit.}: Signature
 
-  let status = sig.sign(sk, msg)
-  doAssert status == cttBLS_Success
+  sig.sign(sk, msg)
 
   # Serialize compressed
-  let ok = sig_comp.serialize_signature_compressed(sig)
-  doAssert ok == cttBLS_Success
+  let status = sig_comp.serialize_signature_compressed(sig)
+  doAssert status == cttCodecEcc_Success
 
   var sig2{.noInit.}: Signature
 
@@ -93,12 +91,11 @@ proc benchDeserSigUnchecked*(iters: int) =
     sig_comp{.noInit.}: array[96, byte]
     sig {.noInit.}: Signature
 
-  let status = sig.sign(sk, msg)
-  doAssert status == cttBLS_Success
+  sig.sign(sk, msg)
 
   # Serialize compressed
-  let ok = sig_comp.serialize_signature_compressed(sig)
-  doAssert ok == cttBLS_Success
+  let status = sig_comp.serialize_signature_compressed(sig)
+  doAssert status == cttCodecEcc_Success
 
   var sig2{.noInit.}: Signature
 
@@ -112,15 +109,14 @@ proc benchSign*(iters: int) =
   var sig: Signature
 
   bench("BLS signature", "BLS12_381 G2", iters):
-    let status = sig.sign(sk, msg)
+    sig.sign(sk, msg)
 
 proc benchVerify*(iters: int) =
   let (sk, pk) = demoKeyGen()
   let msg = "Mr F was here"
 
   var sig: Signature
-  let ok = sig.sign(sk, msg)
-  doAssert ok == cttBLS_Success
+  sig.sign(sk, msg)
 
   bench("BLS verification", "BLS12_381", iters):
     let valid = pk.verify(msg, sig)
@@ -136,8 +132,7 @@ proc benchFastAggregateVerify*(numKeys, iters: int) =
   for i in 0 ..< numKeys:
     let (sk, pk) = demoKeyGen()
     validators[i] = pk
-    let status = sigs[i].sign(sk, msg)
-    doAssert status == cttBLS_Success
+    sigs[i].sign(sk, msg)
 
   aggSig.aggregate_signatures_unstable_api(sigs)
 
@@ -155,8 +150,7 @@ proc benchVerifyMulti*(numSigs, iters: int) =
   for i in 0 ..< numSigs:
     let (sk, pk) = demoKeyGen()
     sha256.hash(hashedMsg, "msg" & $i)
-    let status = sig.sign(sk, hashedMsg)
-    doAssert status == cttBLS_Success
+    sig.sign(sk, hashedMsg)
     triplets.add (pk, hashedMsg, sig)
 
   bench("BLS verif of " & $numSigs & " msgs by "& $numSigs & " pubkeys", "BLS12_381", iters):
@@ -178,8 +172,7 @@ proc benchVerifyBatched*(numSigs, iters: int) =
   for i in 0 ..< numSigs:
     let (sk, pk) = demoKeyGen()
     sha256.hash(hashedMsg, "msg" & $i)
-    let status = sig.sign(sk, hashedMsg)
-    doAssert status == cttBLS_Success
+    sig.sign(sk, hashedMsg)
 
     pubkeys.add pk
     messages.add hashedMsg

benchmarks/bench_evm_modexp_dos.nim

@@ -5,7 +5,6 @@ import
   ../constantine/platforms/abstractions,
   ./platforms, ./bench_blueprint
 
-
 proc report(op: string, elapsedNs: int64, elapsedCycles: int64, iters: int) =
   let ns = elapsedNs div iters
   let cycles = elapsedCycles div iters

benchmarks/bench_powmod.nim

@@ -2,7 +2,8 @@ import
   ../constantine/math/arithmetic,
   ../constantine/math/io/[io_bigints, io_fields],
   ../constantine/math/config/curves,
-  ../constantine/platforms/[abstractions, codecs],
+  ../constantine/platforms/abstractions,
+  ../constantine/serialization/codecs,
   ../constantine/math_arbitrary_precision/arithmetic/bigints_views,
   ../helpers/prng_unsafe,
   ./platforms, ./bench_blueprint

bindings_generators/gen_bindings.nim

@@ -23,11 +23,11 @@ template genBindingsField*(Field: untyped) =
   else:
     {.push noconv, exportc,  raises: [].} # No exceptions allowed
 
-  func `ctt _ Field _ unmarshalBE`(dst: var Field, src: openarray[byte]) =
+  func `ctt _ Field _ unmarshalBE`(dst: var Field, src: openarray[byte]): bool =
     ## Deserialize
     unmarshalBE(dst, src)
 
-  func `ctt _ Field _ marshalBE`(dst: var openarray[byte], src: Field) =
+  func `ctt _ Field _ marshalBE`(dst: var openarray[byte], src: Field): bool =
     marshalBE(dst, src)
   # --------------------------------------------------------------------------------------
   func `ctt _ Field _ is_eq`(a, b: Field): SecretBool =

bindings_generators/gen_header.nim

@@ -68,6 +68,12 @@ typedef __UINT64_TYPE__  uint64_t;
 #else
 #include <stdint.h>
 #endif
+
+#if defined(__STDC_VERSION__) && __STDC_VERSION__>=199901
+# define bool _Bool
+#else
+# define bool unsigned char
+#endif
 """
 
 proc genCttBaseTypedef*(): string =
@@ -115,6 +121,7 @@ void ctt_{libName}_init_NimMain(void);"""
 # -------------------------------------------
 
 let TypeMap {.compileTime.} = newStringTable({
+  "bool": "bool",
   "SecretBool": "secret_bool",
   "SecretWord": "secret_word"
 })
@@ -201,7 +208,10 @@ macro collectBindings*(cBindingsStr: untyped, body: typed): untyped =
           var name = $paramDef[j]
           cBindings &= toCparam(name.split('`')[0], pType)
 
-      cBindings &= ");"
+      if fnDef.params[0].eqIdent"bool":
+        cBindings &= ") __attribute__((warn_unused_result));"
+      else:
+        cBindings &= ");"
 
   if defined(CTT_GENERATE_HEADERS):
     result = newConstStmt(cBindingsStr, newLit cBindings)