Merge pull request #26 from zkcrypto/bls12-381-scalar

Replace Fq implementation with bls12_381::Scalar

.github/workflows/ci.yml

@@ -11,7 +11,7 @@ jobs:
       - uses: actions/checkout@v1
       - uses: actions-rs/toolchain@v1
         with:
-          toolchain: 1.33.0
+          toolchain: 1.36.0
           override: true
 
       # Ensure all code has been formatted with rustfmt
@@ -33,7 +33,7 @@ jobs:
       - uses: actions/checkout@v1
       - uses: actions-rs/toolchain@v1
         with:
-          toolchain: 1.33.0
+          toolchain: 1.36.0
           override: true
       - name: cargo fetch
         uses: actions-rs/cargo@v1
@@ -58,7 +58,7 @@ jobs:
       - uses: actions/checkout@v1
       - uses: actions-rs/toolchain@v1
         with:
-          toolchain: 1.33.0
+          toolchain: 1.36.0
           override: true
       - run: rustup target add thumbv6m-none-eabi
       - name: cargo fetch

Cargo.toml

@@ -13,8 +13,8 @@ repository = "https://github.com/zkcrypto/jubjub"
 version = "0.2.0"
 edition = "2018"
 
-[dependencies.byteorder]
-version = "1"
+[dependencies.bls12_381]
+version = "0.1"
 default-features = false
 
 [dependencies.subtle]
@@ -22,11 +22,11 @@ version = "^2.2.1"
 default-features = false
 
 [dev-dependencies.rand_core]
-version = "0.4"
+version = "0.5"
 default-features = false
 
 [dev-dependencies.rand_xorshift]
-version = "0.1"
+version = "0.2"
 default-features = false
 
 [features]

README.md

@@ -8,7 +8,7 @@
 This is a pure Rust implementation of the Jubjub elliptic curve group and its associated fields.
 
 * **This implementation has not been reviewed or audited. Use at your own risk.**
-* This implementation targets Rust `1.33` or later.
+* This implementation targets Rust `1.36` or later.
 * All operations are constant time unless explicitly noted.
 
 ## Features

src/fr.rs

@@ -1,7 +1,7 @@
+use core::convert::TryInto;
 use core::fmt;
 use core::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign};
 
-use byteorder::{ByteOrder, LittleEndian};
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
 
 use crate::util::{adc, mac, sbb};
@@ -107,6 +107,7 @@ impl<'a, 'b> Sub<&'b Fr> for &'a Fr {
 impl<'a, 'b> Add<&'b Fr> for &'a Fr {
     type Output = Fr;
 
+    #[allow(clippy::suspicious_arithmetic_impl)]
     #[inline]
     fn add(self, rhs: &'b Fr) -> Fr {
         let (d0, carry) = adc(self.0[0], rhs.0[0], 0);
@@ -192,10 +193,10 @@ impl Fr {
     pub fn from_bytes(bytes: &[u8; 32]) -> CtOption<Fr> {
         let mut tmp = Fr([0, 0, 0, 0]);
 
-        tmp.0[0] = LittleEndian::read_u64(&bytes[0..8]);
-        tmp.0[1] = LittleEndian::read_u64(&bytes[8..16]);
-        tmp.0[2] = LittleEndian::read_u64(&bytes[16..24]);
-        tmp.0[3] = LittleEndian::read_u64(&bytes[24..32]);
+        tmp.0[0] = u64::from_le_bytes(bytes[0..8].try_into().unwrap());
+        tmp.0[1] = u64::from_le_bytes(bytes[8..16].try_into().unwrap());
+        tmp.0[2] = u64::from_le_bytes(bytes[16..24].try_into().unwrap());
+        tmp.0[3] = u64::from_le_bytes(bytes[24..32].try_into().unwrap());
 
         // Try to subtract the modulus
         let (_, borrow) = sbb(tmp.0[0], MODULUS.0[0], 0);
@@ -223,10 +224,10 @@ impl Fr {
         let tmp = Fr::montgomery_reduce(self.0[0], self.0[1], self.0[2], self.0[3], 0, 0, 0, 0);
 
         let mut res = [0; 32];
-        LittleEndian::write_u64(&mut res[0..8], tmp.0[0]);
-        LittleEndian::write_u64(&mut res[8..16], tmp.0[1]);
-        LittleEndian::write_u64(&mut res[16..24], tmp.0[2]);
-        LittleEndian::write_u64(&mut res[24..32], tmp.0[3]);
+        res[0..8].copy_from_slice(&tmp.0[0].to_le_bytes());
+        res[8..16].copy_from_slice(&tmp.0[1].to_le_bytes());
+        res[16..24].copy_from_slice(&tmp.0[2].to_le_bytes());
+        res[24..32].copy_from_slice(&tmp.0[3].to_le_bytes());
 
         res
     }
@@ -235,14 +236,14 @@ impl Fr {
     /// an element of Fr by reducing modulo r.
     pub fn from_bytes_wide(bytes: &[u8; 64]) -> Fr {
         Fr::from_u512([
-            LittleEndian::read_u64(&bytes[0..8]),
-            LittleEndian::read_u64(&bytes[8..16]),
-            LittleEndian::read_u64(&bytes[16..24]),
-            LittleEndian::read_u64(&bytes[24..32]),
-            LittleEndian::read_u64(&bytes[32..40]),
-            LittleEndian::read_u64(&bytes[40..48]),
-            LittleEndian::read_u64(&bytes[48..56]),
-            LittleEndian::read_u64(&bytes[56..64]),
+            u64::from_le_bytes(bytes[0..8].try_into().unwrap()),
+            u64::from_le_bytes(bytes[8..16].try_into().unwrap()),
+            u64::from_le_bytes(bytes[16..24].try_into().unwrap()),
+            u64::from_le_bytes(bytes[24..32].try_into().unwrap()),
+            u64::from_le_bytes(bytes[32..40].try_into().unwrap()),
+            u64::from_le_bytes(bytes[40..48].try_into().unwrap()),
+            u64::from_le_bytes(bytes[48..56].try_into().unwrap()),
+            u64::from_le_bytes(bytes[56..64].try_into().unwrap()),
         ])
     }
 

src/lib.rs

@@ -33,9 +33,8 @@ use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
 #[macro_use]
 mod util;
 
-mod fq;
 mod fr;
-pub use fq::Fq;
+pub use bls12_381::Scalar as Fq;
 pub use fr::Fr;
 
 const FR_MODULUS_BYTES: [u8; 32] = [
@@ -453,9 +452,9 @@ impl AffinePoint {
     /// for use in multiple additions.
     pub const fn to_niels(&self) -> AffineNielsPoint {
         AffineNielsPoint {
-            v_plus_u: self.v.field_add(&self.u),
-            v_minus_u: self.v.subtract(&self.u),
-            t2d: self.u.multiply(&self.v).multiply(&EDWARDS_D2),
+            v_plus_u: Fq::add(&self.v, &self.u),
+            v_minus_u: Fq::sub(&self.v, &self.u),
+            t2d: Fq::mul(&Fq::mul(&self.u, &self.v), &EDWARDS_D2),
         }
     }
 
@@ -660,6 +659,7 @@ impl_binops_multiplicative!(ExtendedPoint, Fr);
 impl<'a, 'b> Add<&'b ExtendedNielsPoint> for &'a ExtendedPoint {
     type Output = ExtendedPoint;
 
+    #[allow(clippy::suspicious_arithmetic_impl)]
     fn add(self, other: &'b ExtendedNielsPoint) -> ExtendedPoint {
         // We perform addition in the extended coordinates. Here we use
         // a formula presented by Hisil, Wong, Carter and Dawson in
@@ -698,6 +698,7 @@ impl<'a, 'b> Add<&'b ExtendedNielsPoint> for &'a ExtendedPoint {
 impl<'a, 'b> Sub<&'b ExtendedNielsPoint> for &'a ExtendedPoint {
     type Output = ExtendedPoint;
 
+    #[allow(clippy::suspicious_arithmetic_impl)]
     fn sub(self, other: &'b ExtendedNielsPoint) -> ExtendedPoint {
         let a = (&self.v - &self.u) * &other.v_plus_u;
         let b = (&self.v + &self.u) * &other.v_minus_u;
@@ -719,6 +720,7 @@ impl_binops_additive!(ExtendedPoint, ExtendedNielsPoint);
 impl<'a, 'b> Add<&'b AffineNielsPoint> for &'a ExtendedPoint {
     type Output = ExtendedPoint;
 
+    #[allow(clippy::suspicious_arithmetic_impl)]
     fn add(self, other: &'b AffineNielsPoint) -> ExtendedPoint {
         // This is identical to the addition formula for `ExtendedNielsPoint`,
         // except we can assume that `other.z` is one, so that we perform
@@ -744,6 +746,7 @@ impl<'a, 'b> Add<&'b AffineNielsPoint> for &'a ExtendedPoint {
 impl<'a, 'b> Sub<&'b AffineNielsPoint> for &'a ExtendedPoint {
     type Output = ExtendedPoint;
 
+    #[allow(clippy::suspicious_arithmetic_impl)]
     fn sub(self, other: &'b AffineNielsPoint) -> ExtendedPoint {
         let a = (&self.v - &self.u) * &other.v_plus_u;
         let b = (&self.v + &self.u) * &other.v_minus_u;
@@ -943,17 +946,17 @@ fn test_extended_niels_point_identity() {
 #[test]
 fn test_assoc() {
     let p = ExtendedPoint::from(AffinePoint {
-        u: Fq([
-            0xc0115cb656ae4839,
-            0x623dc3ff81d64c26,
-            0x5868e739b5794f2c,
-            0x23bd4fbb18d39c9c,
+        u: Fq::from_raw([
+            0x81c571e5d883cfb0,
+            0x049f7a686f147029,
+            0xf539c860bc3ea21f,
+            0x4284715b7ccc8162,
         ]),
-        v: Fq([
-            0x7588ee6d6dd40deb,
-            0x9d6d7a23ebdb7c4c,
-            0x46462e26d4edb8c7,
-            0x10b4c1517ca82e9b,
+        v: Fq::from_raw([
+            0xbf096275684bb8ca,
+            0xc7ba245890af256d,
+            0x59119f3e86380eb0,
+            0x3793de182f9fb1d2,
         ]),
     })
     .mul_by_cofactor();
@@ -969,17 +972,17 @@ fn test_assoc() {
 #[test]
 fn test_batch_normalize() {
     let mut p = ExtendedPoint::from(AffinePoint {
-        u: Fq([
-            0xc0115cb656ae4839,
-            0x623dc3ff81d64c26,
-            0x5868e739b5794f2c,
-            0x23bd4fbb18d39c9c,
+        u: Fq::from_raw([
+            0x81c571e5d883cfb0,
+            0x049f7a686f147029,
+            0xf539c860bc3ea21f,
+            0x4284715b7ccc8162,
         ]),
-        v: Fq([
-            0x7588ee6d6dd40deb,
-            0x9d6d7a23ebdb7c4c,
-            0x46462e26d4edb8c7,
-            0x10b4c1517ca82e9b,
+        v: Fq::from_raw([
+            0xbf096275684bb8ca,
+            0xc7ba245890af256d,
+            0x59119f3e86380eb0,
+            0x3793de182f9fb1d2,
         ]),
     })
     .mul_by_cofactor();
@@ -1204,17 +1207,17 @@ fn test_mul_consistency() {
     ]);
     assert_eq!(a * b, c);
     let p = ExtendedPoint::from(AffinePoint {
-        u: Fq([
-            0xc0115cb656ae4839,
-            0x623dc3ff81d64c26,
-            0x5868e739b5794f2c,
-            0x23bd4fbb18d39c9c,
+        u: Fq::from_raw([
+            0x81c571e5d883cfb0,
+            0x049f7a686f147029,
+            0xf539c860bc3ea21f,
+            0x4284715b7ccc8162,
         ]),
-        v: Fq([
-            0x7588ee6d6dd40deb,
-            0x9d6d7a23ebdb7c4c,
-            0x46462e26d4edb8c7,
-            0x10b4c1517ca82e9b,
+        v: Fq::from_raw([
+            0xbf096275684bb8ca,
+            0xc7ba245890af256d,
+            0x59119f3e86380eb0,
+            0x3793de182f9fb1d2,
         ]),
     })
     .mul_by_cofactor();