Update Falcon verification to use horner_eval_base
#1661
Conversation
stdlib/tests/crypto/falcon.rs
Outdated
| #[test] | ||
| fn test_falcon512_probabilistic_product_failure() { | ||
| // Create a polynomial pi that is not equal to h * s2. | ||
| // create a polynomial pi that is not equal to h * s2. |
There was a problem hiding this comment.
The random_coefficients use rng - can we either fix a seed, or generate those coefficients deterministically?
| adv_push.2 | ||
| dup.1 dup.1 ext2inv | ||
| push.0.0 | ||
| loc_storew.4 |
There was a problem hiding this comment.
nit: can we add the state of the stack after this block?
| @@ -218,182 +207,83 @@ export.load_h_s2_and_product.4 | |||
| push.M u32lt assert | |||
| push.M u32lt assert | |||
|
|
|||
| horner_eval_base | |||
There was a problem hiding this comment.
can we also add some comments for the state of the stack in this loop? It's quite hard to follow
There was a problem hiding this comment.
I ran the miden-base tests on top of this branch, and I'm getting some NotU32 errors (for example, with the scripts::p2id::prove_consume_multiple_notes test).
Would be good to make sure the bus works fine too after we fix those (and #1664 might be useful if there's a bug there)
There was a problem hiding this comment.
My bad, miden-base reimplements the dsa::falcon_sign method which was updated in this PR. After updating it, all tests pass.
I also confirmed that the bus is fixed with this PR, which confirms the findings of #1664 that rcombbase was the problem.
Al-Kindi-0
force-pushed
the
al-introduce-horner-eval-ops
branch
from
cec1812 to
6fcd075
Compare
| padw | ||
|
|
||
| # For mem_stream | ||
| # 5) Load s2 and evaluate at tau_inv (Due to the final norm test we do not need to range check the s2 coefficients) |
There was a problem hiding this comment.
Do we explain somewhere in more detail why doing the final norm testing means no meed to range-check s2 coefficients?
There was a problem hiding this comment.
I spent some time investigating this and it seems that the argument justifying this comment no longer holds. I think this is a result of the recent changes or maybe even earlier.
Looking at the norm_sq procedure too, we are doing there a u32lt which would have undefined behavior if the input is not already checked to be a u32, so we should at least have a u32 check on the coefficients of s2.
I have now added bound checks on the coefficients of s2 similar to those on h.
This has unfortunately led to an increase in the number of cycles, the current cycle count is just shy of 60000 cycles. We can comeback to this to see if we can optimize these checks.
There was a problem hiding this comment.
Makes sense! Yeah - let's create an issue to figure out if we can do this range checking more efficiently somehow.
There was a problem hiding this comment.
Created one here #1672
|
One other thing, before merging this PR we'd need to update |
Al-Kindi-0
force-pushed
the
al-introduce-horner-eval-ops
branch
from
6fcd075 to
3402f34
Compare
Indeed, we have now changed how and what advice is provided for the signature. |
Al-Kindi-0
force-pushed
the
al-update-falcon-with-horner
branch
2 times, most recently
from
66cfab3 to
4c3f3a4
Compare
| @@ -8,11 +10,13 @@ use crate::ExecutionError; | |||
| /// vector of values to be pushed onto the advice stack. | |||
| /// The values are the ones required for a Falcon signature verification inside the VM and they are: | |||
There was a problem hiding this comment.
nit: let's add a newline above this line.
processor/src/host/dsa.rs
Outdated
| /// 4. The challenge point at which we evaluate the three aforementioned polynomials to check the | ||
| /// product relationship. |
There was a problem hiding this comment.
Doesn't the challenge point come first? I think we should lay this out the way it is laid out in the returned vector (and probably make this explicit in the comments). This way, we'll know that the first 2 elements of the returned vector are the challenge point, the next 512 are the
There was a problem hiding this comment.
Agreed, changed it now
| # 2. 4..8 the inverse of the evaluation point tau as [tau_inv0, tau_inv1, 0, 0], | ||
| # 3. 8..12 the evaluation point tau as [tau0, tau1, 0, 0], |
There was a problem hiding this comment.
Why not store them next to each other - e.g., as [tau_inv0, tau_inv1, tau0, tau1]? Or does this create complications somehow?
There was a problem hiding this comment.
it is mentally easier to store them in separate words but no other reason than that.
Changed it now to store both in the same word as well as updated the code to take that into account.
| exec.load_h_s2_and_product | ||
| #=> [tau1, tau0, tau_ptr, MSG, NONCE1, NONCE1, ...] (Cycles: 5050) | ||
| #=> [MSG, ...] (Cycles: 6780) |
There was a problem hiding this comment.
Question: why does this say "6780" cycles while cycle count for load_h_s2_and_product procedure says "4430"?
There was a problem hiding this comment.
Forgot to update the cycle count there. Updated now
| #! - h_i are the coefficients of the expanded public key polynomial. | ||
| #! - s2_i are the coefficients of the signature polynomial. | ||
| #! - pi_i are the coefficients of `h * s2` in Z_Q[x] where Q is the Miden VM prime. | ||
| #! - nonce_i are field elements representing the nonce associated to the signature. |
There was a problem hiding this comment.
Should we also describe what "tau" is here?
There was a problem hiding this comment.
Added a short description
| ## a) Set up the accumulator for `horner_eval_base` and the memory pointers | ||
| push.0.0 | ||
| locaddr.4 | ||
| movup.3 |
There was a problem hiding this comment.
Could we add stack state after this instruction?
| adv_push.2 | ||
| dup.1 dup.1 ext2inv | ||
| push.0.0 | ||
| loc_storew.4 |
There was a problem hiding this comment.
Could we add stack state after this instruction?
| u32overflowing_sub.M assert drop | ||
| u32overflowing_sub.M assert drop | ||
|
|
||
| horner_eval_base | ||
|
|
||
| hperm | ||
| end |
There was a problem hiding this comment.
Could we add stack state after this loop?
|
|
||
| ## a) Reset the accumulator, update the pointers and set up the state of the hasher | ||
| push.0 movdn.6 | ||
| push.0 movdn.6 | ||
| padw padw |
There was a problem hiding this comment.
Could we add stack state after this instruction?
Sure thing, will open one soon |
Al-Kindi-0
force-pushed
the
al-update-falcon-with-horner
branch
from
a037d70 to
f330f6c
Compare
As the title says. The current cycle count is around
57500cycles.