Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implementation of new (draft) hash-to-G2 #898

Merged
merged 43 commits into from
Jan 9, 2020
Merged

Implementation of new (draft) hash-to-G2 #898

merged 43 commits into from
Jan 9, 2020

Conversation

benjaminion
Copy link
Contributor

@benjaminion benjaminion commented Sep 16, 2019
edited
Loading

PR Description

This is a Java implementation of the new IETF (draft) standard hash-to-curve method for Ethereum 2.0. The underlying library is Milagro AMCL 1.4, though there is lots that I ended up adding to this.

References:

This code is based on the reference implementations in Python and C, and test vectors are taken from there. My implementation is not constant-time, but that should not be a problem for Eth2 use cases (all hashed messages are public information).

Status

A complete implementation of the new hash-to-curve standard as of 31/12/2019

Performance

(Based on an outdated version)

On my Linux VM

  • The Python reference code ~ 200ms per hash
  • The C reference code ~ 1.0ms per hash (doesn't include the transformation to affine representation, and shortcuts the initial SHA256)
  • This code ~ 2.9ms per hash

Here's a flame graph (it's interactive - click on the bars to zoom in). I'm struggling to see much room for further improvement.

TODO

Nothing more here. Note that a wider BLS refactor is underway: #1080

@benjaminion benjaminion force-pushed the bls-standard branch 2 times, most recently from 1b5fdda to 598dc8a Compare September 20, 2019 17:46
@benjaminion benjaminion force-pushed the bls-standard branch 2 times, most recently from a4e9cb1 to 9229da0 Compare October 14, 2019 16:31
@benjaminion benjaminion force-pushed the bls-standard branch 4 times, most recently from 1694bf9 to ea6ed07 Compare October 21, 2019 19:11
mkalinin
mkalinin reviewed Nov 12, 2019
View reviewed changes
Copy link

@mkalinin mkalinin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work is done here! 👍

It might worth to decompose Helper class to increase readability. For instance, HKDF primitives could be extracted and raising to a power of (P ^ 2 - 9) / 16 could, also, be placed separately.

@benjaminion
Copy link
Contributor Author

Have re-organised things a little after @mkalinin's comment. There is now an IetfTools class, and I've moved the cumbersome addition chains out into a separate class. This is better 😄

@benjaminion benjaminion marked this pull request as ready for review January 1, 2020 17:19
@shahankhatch
Copy link
Contributor

Nice, clean, with lots of comments. LGTM.

mbaxter
mbaxter approved these changes Jan 6, 2020
View reviewed changes
Copy link
Contributor

@mbaxter mbaxter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM :D

util/src/main/java/tech/pegasys/artemis/util/hashToG2/hashToCurve.java Outdated
* purposes of hashing to G2 within Ethereum I believe that this is of no consequence, since all the
* input information is publicly known.
*/
public class hashToCurve {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
public class hashToCurve {
public class HashToCurve {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

util/src/main/java/tech/pegasys/artemis/util/hashToG2/hashToCurve.java Outdated
JacobianPoint p = iso3(q0.add(q1));

if (!onCurveG2(p)) {
throw new RuntimeException("hashToCurve failed for unknown reasons.");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a sanity-check type exception - i.e. we don't expect this to ever get thrown? If so, might be worth adding a comment or updating the message to indicate there's a bug.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

assert onCurveG2(p), probably?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, making it an assert is perfect. It's an expensive check that we expect never to fail, so better to avoid it if we can. If it does fail then there's a bug.

mkalinin
mkalinin approved these changes Jan 8, 2020
View reviewed changes
Copy link

@mkalinin mkalinin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@benjaminion
Fix error found in fuzz testing
167d58f
@benjaminion
Add defensive checks to HKDF_Expand
8480660
@benjaminion
Fix BouncyCastle issue tat was slowing things down
a142bf2
@benjaminion
Add JMH benchmark for new hashToCurve
8b2984f
@benjaminion
Improve FP2Immutable's equals method
888d3e2
@benjaminion
Remove JMH plugin version to keep Spotless happy
f6a6adf
@benjaminion
Use addition chain for the massive exponentiation
d087576
@benjaminion
Reinstate comments in addChain
dbe97e8 
Spotless is terrible at handling structured commenting. For this reason we have
changed from trailing comments to separate line comments, and we use C-style
/* ... */ in order to keep Spotless from mangling things further.
@benjaminion
Remove now redundant benchmark code
5e161d0
@benjaminion
Introduce scalar multiplication for field elements
6e1def9
@benjaminion
Make BigInteger modulus static final
b3475c7
@benjaminion
Replace BigInteger use with Milagro's DBIG
1126472
@benjaminion
Refactor Frobenius shortcuts for a big speedup
941fb62 
Using field points (FP types) rather than BIGs means that Montgomery reduction is used
for the modulo operation which leads to a significant speedup.
@benjaminion
Favour FP over BIG where it makes sense
443b39d
@benjaminion
Minor tidy up
c06c780
@benjaminion
Micro-optimise some expressions for a few percent extra speed
c72c6cf
@benjaminion
Update to latest spec and test cases
347ef61
@benjaminion
spotlessApply
59ec114
@benjaminion
Final reorg and tests
bda1822
@benjaminion
Improve conversion between ECP2 and Jacobian points
ca4f055
@benjaminion
Typo
a7af808
@benjaminion
Improve a couple of tests
9d83d1d
@benjaminion
Add reference comment on sgn0 function
ec7d9e3
@benjaminion
Typo
3cf8c29
@benjaminion
Expand comment on the GLV patent workaround
01ebc2f
@benjaminion
Use asserts in hashToG2, capitalise class HashToCurve
059a4d7
@benjaminion
SpotlessApply...
b5d256d
@benjaminion benjaminion merged commit e927d9b into Consensys:master Jan 9, 2020
@benjaminion benjaminion deleted the bls-standard branch May 11, 2020 17:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mbaxter mbaxter mbaxter approved these changes

@mkalinin mkalinin mkalinin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@benjaminion @shahankhatch @mbaxter @mkalinin