-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add BLS Elliptic Curve support in Cryptol #14
base: main
Are you sure you want to change the base?
Changes from 1 commit
51b9b45
68ca478
b23d4fb
ed6f745
707624a
52f42d0
23d1df8
e27b3e9
3252d32
96a76a5
1750405
5aa3ce5
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
/** | ||
* The module contains functions that perform BLS operations. | ||
* @see https://github.com/ethereum/consensus-specs/blob/dev/specs/deneb/polynomial-commitments.md#bls12-381-helpers | ||
*/ | ||
module Spec::BlsHelpers where | ||
|
||
import Common::Utils | ||
|
||
/** | ||
* BLS field elements are 256-bits long. | ||
* @see https://github.com/ethereum/consensus-specs/blob/dev/specs/deneb/polynomial-commitments.md#custom-types | ||
*/ | ||
type BlsFieldSize = 256 | ||
type BlsFieldElement = [BlsFieldSize] | ||
|
||
/** | ||
* Specified by the consensus-specs. | ||
* @see https://github.com/ethereum/consensus-specs/blob/dev/specs/deneb/polynomial-commitments.md#constants | ||
*/ | ||
BLS_MODULUS : BlsFieldElement | ||
BLS_MODULUS = 52435875175126190479447740508185965837690552500527637822603658699938581184513 | ||
|
||
NEGATIVE_ONE : BlsFieldElement | ||
NEGATIVE_ONE = -1 | ||
|
||
/** | ||
* Compute the modular inverse of x | ||
* i.e. return y such that x * y % BLS_MODULUS == 1 | ||
* Precondition: x != 0 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. todo: specifically, |
||
* @see https://github.com/ethereum/consensus-specs/blob/dev/specs/deneb/polynomial-commitments.md#bls_modular_inverse | ||
*/ | ||
bls_modular_inverse : BlsFieldElement -> BlsFieldElement | ||
bls_modular_inverse x = pow`{BlsFieldSize} x NEGATIVE_ONE BLS_MODULUS | ||
|
||
/** | ||
* Divide two field elements: x by y | ||
* @see https://github.com/ethereum/consensus-specs/blob/dev/specs/deneb/polynomial-commitments.md#div | ||
*/ | ||
bls_div : BlsFieldElement -> BlsFieldElement -> BlsFieldElement | ||
bls_div x y = (x * (bls_modular_inverse y)) % BLS_MODULUS | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. todo: I'm worried about overflow here, too. Here's an implementation of mod mul in cryptol specs, that uses an extension like I mentioned to do safe multiplication and mod. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think you're running into this because of a language difference between Python's happily expandable integers and Cryptol's extremely fixed-width ones, so there will be some discrepancy between the spec and your implementation. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, you are 💯% correct. I'll fix these. |
||
|
||
/* | ||
* =============== | ||
* Unit test suite | ||
* =============== | ||
*/ | ||
|
||
/** | ||
* Unit tests for `bls_modular_inverse`. | ||
* ```repl | ||
* :prove test_bls_modular_inverse 1 1 | ||
* :prove test_bls_modular_inverse 2 0 | ||
* :prove test_bls_modular_inverse 3 0x36bd0357810d2d627770d2a2a108d2a556ed06a7aaac4eabaaaaaaabaaaaaaaa | ||
* ``` | ||
* NOTE: we just chose the last value at "random" | ||
*/ | ||
test_bls_modular_inverse : BlsFieldElement -> BlsFieldElement -> Bit | ||
property test_bls_modular_inverse x expectedY = | ||
bls_modular_inverse x == expectedY | ||
|
||
/** | ||
* Unit tests for `bls_modular_inverse`. | ||
* ```repl | ||
* :prove test_bls_div 1 2 0 | ||
* :prove test_bls_div 13 1 13 | ||
* :prove test_bls_div 57 13 0x15eaf636af000c906a5000958036c58484dfe5d59d8b7c9e89d89d8ad89d89dc | ||
* ``` | ||
* NOTE: we just chose the last value at "random" | ||
*/ | ||
test_bls_div : BlsFieldElement -> BlsFieldElement -> BlsFieldElement -> Bit | ||
property test_bls_div x y expected = | ||
bls_div x y == expected |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: BLS field elements are in the integers mod group w.r.t. the BLS modulus, right? Did you consider using Cryptol's integer mod group
Z
? I have a vague sense that it makes the SMT constraints a bit messier but it might simplify some of the code in here.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just learned about
Z
. I had previously missed it in the manual.