Final reorg and tests

Consensys · Jan 1, 2020 · c64b028 · c64b028
1 parent ebb3e47
commit c64b028
Show file tree

Hide file tree

Showing 18 changed files with 588 additions and 256 deletions.
diff --git a/util/src/jmh/java/tech/pegasys/artemis/util/bench/BenchBLS.java b/util/src/jmh/java/tech/pegasys/artemis/util/bench/BenchBLS.java
@@ -47,7 +47,7 @@ public void setup() {
 
   @Benchmark
   public void hashToCurve(Blackhole blackhole) {
-    G2Point result = hashToCurve.hashToG2(message, suite);
+    G2Point result = new G2Point(hashToCurve.hashToG2(message, suite));
     blackhole.consume(result);
   }
 }
diff --git a/util/src/main/java/tech/pegasys/artemis/util/hashToG2/Affine.java b/util/src/main/java/tech/pegasys/artemis/util/hashToG2/Affine.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2020 ConsenSys AG.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package tech.pegasys.artemis.util.hashToG2;
+
+import org.apache.milagro.amcl.BLS381.ECP2;
+
+public class Affine {
+
+  /**
+   * Convert from Jacobian to Milagro ECP2 by applying the affine transformation.
+   *
+   * @return the ECP2 point corresponding to this Jacobian point
+   */
+  public static ECP2 jacobianToAffine(JacobianPoint p) {
+    JacobianPoint q = p.toAffine();
+    return new ECP2(q.getX().getFp2(), q.getY().getFp2());
+  }
+
+  /**
+   * Convert from Milagro ECP2 to Jacobian by setting the z-coord to 1.
+   *
+   * <p>The getters for the ECP2 point ensure that the affine transformation is applied before
+   * conversion.
+   *
+   * @return the Jacobian point corresponding to this ECP2 point
+   */
+  public static JacobianPoint affineToJacobian(ECP2 p) {
+    return new JacobianPoint(
+        new FP2Immutable(p.getX()), new FP2Immutable(p.getY()), FP2Immutable.ONE);
+  }
+}
diff --git a/util/src/main/java/tech/pegasys/artemis/util/hashToG2/Chains.java b/util/src/main/java/tech/pegasys/artemis/util/hashToG2/Chains.java
@@ -25,9 +25,6 @@ class Chains {
    * <p>Based on bint2__chains.h in the C reference code. Bos-Coster (win=4) : 895 links, 17
    * variables. This is significantly faster than calculating exponentiation directly.
    *
-   * <p>Note that all the overhead from continually wrapping and unwrapping the FP2Immutable types
-   * is mostly optimised away by the compiler.
-   *
    * @param t0 The element to be raised to the power of (P ^ 2 - 9) / 16
    * @return t0 ^ ((P ^ 2 - 9) / 16)
    */
@@ -770,6 +767,106 @@ static JacobianPoint h2Chain(JacobianPoint t0) {
     return t1;
   }
 
+  /**
+   * Addition chain for multiplication by the G2 group order.
+   *
+   * <p>Used for the G2 subgroup membership test.
+   *
+   * @param t0 The multiplicand
+   * @return The result of multiplying by the G2 group order
+   */
+  static JacobianPoint qChain(JacobianPoint t0) {
+    JacobianPoint t1, t2, t3, t4, t5, t6, t7, t8, t9, t10, t11, t12, t13, t14, t15, t16;
+
+    t2 = t0.dbl();
+    t4 = t2.dbl();
+    t3 = t4.add(t2);
+    t5 = t3.dbl();
+    t1 = t5.add(t3);
+    t13 = t1.add(t0);
+    t10 = t13.add(t2);
+    t11 = t10.add(t3);
+    t16 = t11.add(t2);
+    t2 = t13.add(t5);
+    t12 = t10.add(t5);
+    t9 = t10.add(t1);
+    t7 = t16.add(t5);
+    t5 = t11.add(t1);
+    t6 = t16.add(t1);
+    t15 = t12.add(t1);
+    t4 = t15.add(t4);
+    t14 = t9.add(t1);
+    t8 = t4.add(t3);
+    t3 = t5.add(t1);
+    t1 =
+        t14.dbl()
+            .dbls(5)
+            .add(t8)
+            .dbls(6)
+            .add(t5)
+            .dbls(7)
+            .add(t16)
+            .dbls(6)
+            .add(t13)
+            .dbls(8)
+            .add(t7)
+            .dbls(6)
+            .add(t9)
+            .dbls(7)
+            .add(t6)
+            .dbls(5)
+            .add(t10)
+            .dbls(3)
+            .add(t0)
+            .dbls(11)
+            .add(t15)
+            .dbls(8)
+            .add(t14)
+            .dbls(5)
+            .add(t11)
+            .dbls(8)
+            .add(t0)
+            .dbls(12)
+            .add(t13)
+            .dbls(7)
+            .add(t12)
+            .dbls(5)
+            .add(t11)
+            .dbls(13)
+            .add(t10)
+            .dbls(7)
+            .add(t9)
+            .dbls(7)
+            .add(t8)
+            .dbls(6)
+            .add(t7)
+            .dbls(14)
+            .add(t6)
+            .dbls(6)
+            .add(t3)
+            .dbls(5)
+            .add(t2)
+            .dbls(8)
+            .add(t5)
+            .dbls(6)
+            .add(t3)
+            .dbls(6)
+            .add(t4)
+            .dbls(6)
+            .add(t3)
+            .dbls(6)
+            .add(t3)
+            .dbls(6)
+            .add(t3)
+            .dbls(6)
+            .add(t3)
+            .dbls(5)
+            .add(t2)
+            .dbls(32)
+            .add(t0);
+    return t1;
+  }
+
   /**
    * Addition chain for multiplication by 0xd201000000010000 == -x, the BLS parameter.
    *

diff --git a/util/src/main/java/tech/pegasys/artemis/util/hashToG2/Consts.java b/util/src/main/java/tech/pegasys/artemis/util/hashToG2/Consts.java
@@ -0,0 +1,123 @@
+/*
+ * Copyright 2020 ConsenSys AG.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package tech.pegasys.artemis.util.hashToG2;
+
+import static tech.pegasys.artemis.util.hashToG2.Util.fpFromHex;
+import static tech.pegasys.artemis.util.hashToG2.Util.negate;
+
+import org.apache.milagro.amcl.BLS381.FP;
+
+/** Constants used by the Helper class. */
+class Consts {
+
+  // These are eighth-roots of unity
+  private static final FP RV1 =
+      fpFromHex(
+          "0x06af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09");
+  static final FP2Immutable[] ROOTS_OF_UNITY = {
+    new FP2Immutable(new FP(1), new FP(0)),
+    new FP2Immutable(new FP(0), new FP(1)),
+    new FP2Immutable(RV1, RV1),
+    new FP2Immutable(RV1, negate(RV1))
+  };
+
+  // 3-isogenous curve parameters
+  static final FP2Immutable Ell2p_a = new FP2Immutable(new FP(0), new FP(240));
+  static final FP2Immutable Ell2p_b = new FP2Immutable(new FP(1012), new FP(1012));
+
+  // Distinguished non-square in Fp2 for SWU map
+  static final FP2Immutable xi_2 = new FP2Immutable(new FP(-2), new FP(-1));
+  static final FP2Immutable xi_2Pow2 = xi_2.sqr();
+  static final FP2Immutable xi_2Pow3 = xi_2Pow2.mul(xi_2);
+
+  // Eta values, used for computing sqrt(g(X1(t)))
+  private static final FP ev1 =
+      fpFromHex(
+          "0x0699be3b8c6870965e5bf892ad5d2cc7b0e85a117402dfd83b7f4a947e02d978498255a2aaec0ac627b5afbdf1bf1c90");
+  private static final FP ev2 =
+      fpFromHex(
+          "0x08157cd83046453f5dd0972b6e3949e4288020b5b8a9cc99ca07e27089a2ce2436d965026adad3ef7baba37f2183e9b5");
+  private static final FP ev3 =
+      fpFromHex(
+          "0x0ab1c2ffdd6c253ca155231eb3e71ba044fd562f6f72bc5bad5ec46a0b7a3b0247cf08ce6c6317f40edbc653a72dee17");
+  private static final FP ev4 =
+      fpFromHex(
+          "0x0aa404866706722864480885d68ad0ccac1967c7544b447873cc37e0181271e006df72162a3d3e0287bf597fbf7f8fc1");
+  static final FP2Immutable[] etas = {
+    new FP2Immutable(ev1, ev2),
+    new FP2Immutable(negate(ev2), ev1),
+    new FP2Immutable(ev3, ev4),
+    new FP2Immutable(negate(ev4), ev3)
+  };
+
+  // Coefficients for the 3-isogeny map from Ell2' to Ell2
+  private static final FP2Immutable[] XNUM = {
+    new FP2Immutable(
+        "0x05c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6",
+        "0x05c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6"),
+    new FP2Immutable(
+        "0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+        "0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71a"),
+    new FP2Immutable(
+        "0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71e",
+        "0x08ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38d"),
+    new FP2Immutable(
+        "0x171d6541fa38ccfaed6dea691f5fb614cb14b4e7f4e810aa22d6108f142b85757098e38d0f671c7188e2aaaaaaaa5ed1",
+        "0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+  };
+
+  private static final FP2Immutable[] XDEN = {
+    new FP2Immutable(
+        "0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+        "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa63"),
+    new FP2Immutable(
+        "0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c",
+        "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa9f"),
+    new FP2Immutable(
+        "0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
+        "0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+  };
+
+  private static final FP2Immutable[] YNUM = {
+    new FP2Immutable(
+        "0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706",
+        "0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706"),
+    new FP2Immutable(
+        "0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+        "0x05c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97be"),
+    new FP2Immutable(
+        "0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71c",
+        "0x08ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38f"),
+    new FP2Immutable(
+        "0x124c9ad43b6cf79bfbf7043de3811ad0761b0f37a1e26286b0e977c69aa274524e79097a56dc4bd9e1b371c71c718b10",
+        "0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+  };
+
+  private static final FP2Immutable[] YDEN = {
+    new FP2Immutable(
+        "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb",
+        "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb"),
+    new FP2Immutable(
+        "0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+        "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa9d3"),
+    new FP2Immutable(
+        "0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012",
+        "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa99"),
+    new FP2Immutable(
+        "0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
+        "0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+  };
+
+  static final FP2Immutable[][] map_coeffs = {XNUM, XDEN, YNUM, YDEN};
+}
diff --git a/util/src/main/java/tech/pegasys/artemis/util/hashToG2/DBIGExtended.java b/util/src/main/java/tech/pegasys/artemis/util/hashToG2/DBIGExtended.java
@@ -19,7 +19,7 @@
 import org.apache.milagro.amcl.BLS381.DBIG;
 
 /** Extend Milagro's DBIG class to add a couple of useful methods. */
-public class DBIGExtended extends DBIG {
+class DBIGExtended extends DBIG {
 
   /**
    * Construct from a DBIG

diff --git a/util/src/main/java/tech/pegasys/artemis/util/hashToG2/FP2Immutable.java b/util/src/main/java/tech/pegasys/artemis/util/hashToG2/FP2Immutable.java
@@ -26,10 +26,10 @@
  * highly mutable. As a benefit, this class allows us to chain field operations nicely - this makes
  * dealing with Milagro much less tiresome.
  *
- * <p>However, this does involve many more memory copies. For now, the coding convenience outweighs
- * any performance concerns. We can optimise later if it is a problem.
+ * <p>The compiler seems to do a decent job of handling the continual wrapping and unwrapping in
+ * practice.
  */
-public final class FP2Immutable {
+final class FP2Immutable {
 
   static final FP2Immutable ZERO = new FP2Immutable(0);
   static final FP2Immutable ONE = new FP2Immutable(1);