mratsim · Vindaar · Jul 12, 2024 · Aug 5, 2024 · Aug 13, 2024 · Aug 13, 2024
diff --git a/constantine.nimble b/constantine.nimble
@@ -556,6 +556,7 @@ const testDesc: seq[tuple[path: string, useGMP: bool]] = @[
   # Polynomials
   # ----------------------------------------------------------
   ("tests/math_polynomials/t_polynomials.nim", false),
+  ("tests/math_polynomials/t_finite_field_fft.nim", false),
 
   # Protocols
   # ----------------------------------------------------------
@@ -571,6 +572,9 @@ const testDesc: seq[tuple[path: string, useGMP: bool]] = @[
   # Proof systems
   # ----------------------------------------------------------
   ("tests/proof_systems/t_r1cs_parser.nim", false),
+  ("tests/proof_systems/t_wtns_parser.nim", false),
+  ("tests/proof_systems/t_zkey_parser.nim", false),
+  ("tests/proof_systems/t_groth16_prover.nim", false),
   ("tests/interactive_proofs/t_multilinear_extensions.nim", false),
 ]
 

diff --git a/constantine/math/arithmetic/finite_fields.nim b/constantine/math/arithmetic/finite_fields.nim
@@ -567,6 +567,19 @@ func pow_vartime*(a: var FF, exponent: openarray[byte]) =
     FF.getSpareBits()
   )
 
+func pow_vartime*(a: var FF, exponent: FF) =
+  ## Exponentiation modulo p
+  ## ``a``: a field element to be exponentiated
+  ## ``exponent``: a field element
+  ##
+  ## Warning ⚠️ :
+  ## This is an optimization for public exponent
+  ## Otherwise bits of the exponent can be retrieved with:
+  ## - memory access analysis
+  ## - power analysis
+  ## - timing analysis
+  a.pow_vartime(toBig exponent)
+
 func pow_squareMultiply_vartime(a: var FF, exponent: SomeUnsignedInt) {.tags:[VarTime], meter.} =
   ## **Variable-time** Exponentiation
   ##

diff --git a/constantine/math/arithmetic/finite_fields_square_root.nim b/constantine/math/arithmetic/finite_fields_square_root.nim
@@ -361,13 +361,13 @@ func invsqrt_if_square_vartime*[Name](r: var Fp[Name], a: Fp[Name]): SecretBool
 # Legendre symbol / Euler's Criterion / Kronecker's symbol
 # ------------------------------------------------------------
 
-func isSquare*(a: Fp): SecretBool =
+func isSquare*(a: FF): SecretBool =
   ## Returns true if ``a`` is a square (quadratic residue) in 𝔽p
   ##
   ## Assumes that the prime modulus ``p`` is public.
-  var aa {.noInit.}: Fp.getBigInt()
+  var aa {.noInit.}: FF.getBigInt()
   aa.fromField(a)
-  let symbol = legendre(aa.limbs, Fp.getModulus().limbs, aa.bits)
+  let symbol = legendre(aa.limbs, FF.getModulus().limbs, aa.bits)
   return not(symbol == MaxWord)
 
 {.pop.} # inline

diff --git a/constantine/math/elliptic/ec_scalar_mul_vartime.nim b/constantine/math/elliptic/ec_scalar_mul_vartime.nim
@@ -81,7 +81,7 @@ func scalarMul_addchain_4bit_vartime[EC](P: var EC, scalar: BigInt) {.tags:[VarT
   of 5:
     var t {.noInit.}: EC
     t.double(P)
-    t.double(P)
+    t.double()
     P ~+= t
   of 6:
     var t {.noInit.}: EC

diff --git a/constantine/math/elliptic/ec_shortweierstrass_jacobian.nim b/constantine/math/elliptic/ec_shortweierstrass_jacobian.nim
@@ -332,6 +332,8 @@ template sumImpl[F; G: static Subgroup](
 
   # if P or R were infinity points they would have spread 0 with Z₁Z₂
   block: # Infinity points
+    bind isNeutral
+    bind ccopy
     o.ccopy(Q, P.isNeutral())
     o.ccopy(P, Q.isNeutral())
 
@@ -1028,7 +1030,7 @@ func `~-`*(a: EC_ShortW_Jac, b: EC_ShortW_Aff): EC_ShortW_Jac {.noInit, inline.}
   ## This MUST NOT be used with secret data.
   ##
   ## This is highly VULNERABLE to timing attacks and power analysis attacks.]
-  ## 
+  ##
   ## Out-of-place functions SHOULD NOT be used in performance-critical subroutines as compilers
   ## tend to generate useless memory moves or have difficulties to minimize stack allocation
   ## and our types might be large (Fp12 ...)

diff --git a/constantine/math/io/io_ec.nim b/constantine/math/io/io_ec.nim
@@ -56,6 +56,31 @@ func toHex*[EC: EC_ShortW_Prj or EC_ShortW_Jac or EC_ShortW_Aff or EC_ShortW_Jac
   result.appendHex(aff.y)
   result &= "\n" & sp & ")"
 
+func toDecimal*[EC: EC_ShortW_Prj or EC_ShortW_Jac or EC_ShortW_Aff or EC_ShortW_JacExt](P: EC, indent: static int = 0): string =
+  ## Stringify an elliptic curve point to Hex
+  ## Note. Leading zeros are not removed.
+  ## Output as decimal.
+  ##
+  ## WARNING: NOT constant time!
+  ##
+  ## This proc output may change format in the future
+
+  var aff {.noInit.}: EC_ShortW_Aff[EC.F, EC.G]
+  when EC isnot EC_ShortW_Aff:
+    aff.affine(P)
+  else:
+    aff = P
+
+  const sp = spaces(indent)
+
+  result = sp & $EC & "(\n" & sp & "  x: "
+  result.add toDecimal(aff.x)
+  result &= ",\n" & sp & "  y: "
+  result.add toDecimal(aff.y)
+  result &= "\n" & sp & ")"
+
+
+
 func toHex*[EC: EC_TwEdw_Aff or EC_TwEdw_Prj](P: EC, indent: static int = 0): string =
   ## Stringify an elliptic curve point to Hex for Twisted Edwards Curve
   ## Note, leading zeros are not removed.

diff --git a/constantine/math/io/io_extfields.nim b/constantine/math/io/io_extfields.nim
@@ -52,6 +52,40 @@ func toHex*(f: ExtensionField, indent = 0, order: static Endianness = bigEndian)
   ##   - no leaks
   result.appendHex(f, indent, order)
 
+func appendDecimal*(accum: var string, f: Fp, indent = 0, order: static Endianness = bigEndian) =
+  accum.add toDecimal(f)
+
+func appendDecimal*(accum: var string, f: ExtensionField, indent = 0, order: static Endianness = bigEndian) =
+  ## Stringify a tower field element to hex.
+  ## Note. Leading zeros are not removed.
+  ## Result is prefixed with 0x
+  ##
+  ## Output will be padded with 0s to maintain constant-time.
+  ##
+  ## CT:
+  ##   - no leaks
+  accum.add static($f.typeof.genericHead() & '(')
+  staticFor i, 0, f.coords.len:
+    when i != 0:
+      accum.add ", "
+    accum.add "\n" & spaces(indent+2) & "c" & $i & ": "
+    when f is Fp2:
+      accum.appendDecimal(f.coords[i], order = order)
+    else:
+      accum.appendDecimal(f.coords[i], indent+2, order)
+  accum.add ")"
+
+func toDecimal*(f: ExtensionField, indent = 0, order: static Endianness = bigEndian): string =
+  ## Stringify a tower field element to hex.
+  ## Note. Leading zeros are not removed.
+  ## Result is prefixed with 0x
+  ##
+  ## Output will be padded with 0s to maintain constant-time.
+  ##
+  ## CT:
+  ##   - no leaks
+  result.appendDecimal(f, indent, order)
+
 func fromHex*(dst: var Fp2, c0, c1: string) =
   ## Convert 2 coordinates to an element of 𝔽p2
   ## with dst = c0 + β * c1

diff --git a/constantine/math/io/io_fields.nim b/constantine/math/io/io_fields.nim
@@ -116,7 +116,9 @@ func toDecimal*(f: FF): string =
   ## This function is NOT constant-time at the moment.
   f.toBig().toDecimal()
 
-func fromDecimal*(dst: var FF, decimalString: string) =
+{.pop.} # `fromDecimal` can raise `ValueError`
+
+func fromDecimal*(dst: var FF, decimalString: string) {.raises: [ValueError].} =
   ## Convert a decimal string. The input must be packed
   ## with no spaces or underscores.
   ## This assumes that bits and decimal length are **public.**
@@ -136,7 +138,7 @@ func fromDecimal*(dst: var FF, decimalString: string) =
   let raw {.noinit.} = fromDecimal(dst.mres.typeof, decimalString)
   dst.fromBig(raw)
 
-func fromDecimal*(T: type FF, hexString: string): T {.noInit.}=
+func fromDecimal*(T: type FF, hexString: string): T {.raises: [ValueError], noInit.}=
   ## Convert a decimal string. The input must be packed
   ## with no spaces or underscores.
   ## This assumes that bits and decimal length are **public.**

diff --git a/constantine/math/polynomials/fft.nim b/constantine/math/polynomials/fft.nim
@@ -98,7 +98,7 @@ func fft_internal[EC; bits: static int](
 
   for i in 0 ..< half:
     # FFT Butterfly
-    y_times_root   .scalarMul_vartime(output[i+half], rootsOfUnity[i])
+    y_times_root   .scalarMul_vartime(rootsOfUnity[i], output[i+half])
     output[i+half] .diff_vartime(output[i], y_times_root)
     output[i]      .sum_vartime(output[i], y_times_root)