
Commit 5862a0f

committed
add more falcon tests
1 parent 8676a35 commit 5862a0f

3 files changed

+76
-20
lines changed


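--- a/bench/main.zig
+++ b/bench/main.zig
@@ -222,7 +222,7 @@ const chacha = struct {
 const falcon = struct {
 const Falcon512 = zk.signatures.Falcon512;
 
-const iterations = 100_000;
+const iterations = 300_000;
 const warmup = 10_000;
 
 const signature_bytes: *const [666]u8 = &.{ 57, 22, 193, 37, 21, 37, 128, 147, 121, 153, 86, 54, 140, 223, 193, 130, 193, 202, 74, 52, 240, 119, 233, 36, 68, 22, 168, 196, 193, 63, 176, 202, 36, 30, 139, 122, 193, 113, 45, 40, 235, 11, 164, 166, 12, 198, 53, 151, 111, 248, 100, 105, 235, 37, 13, 107, 59, 184, 99, 146, 49, 176, 180, 89, 254, 175, 177, 124, 110, 228, 20, 223, 106, 108, 196, 205, 91, 109, 124, 211, 13, 81, 137, 174, 58, 72, 230, 113, 133, 50, 166, 188, 75, 219, 101, 207, 34, 72, 121, 152, 227, 249, 153, 222, 233, 148, 28, 76, 138, 105, 232, 184, 58, 55, 137, 188, 38, 34, 99, 112, 60, 20, 232, 106, 247, 93, 111, 38, 59, 193, 117, 126, 33, 80, 45, 69, 84, 132, 92, 48, 133, 147, 49, 150, 218, 185, 239, 222, 26, 217, 143, 40, 72, 27, 121, 87, 225, 75, 82, 200, 43, 28, 109, 147, 4, 238, 66, 70, 108, 90, 248, 203, 2, 72, 25, 90, 76, 235, 9, 167, 167, 255, 35, 247, 125, 123, 251, 222, 105, 40, 240, 60, 203, 203, 20, 181, 45, 105, 19, 38, 201, 70, 216, 190, 214, 117, 146, 204, 12, 150, 215, 33, 41, 90, 48, 233, 121, 219, 79, 2, 219, 235, 119, 133, 202, 133, 145, 157, 49, 187, 152, 254, 17, 73, 131, 36, 122, 86, 92, 141, 250, 12, 28, 179, 81, 134, 39, 150, 73, 29, 59, 205, 153, 55, 174, 21, 235, 131, 201, 207, 158, 198, 13, 249, 204, 82, 40, 153, 199, 22, 109, 255, 220, 163, 73, 228, 65, 227, 232, 194, 213, 11, 23, 118, 198, 149, 58, 70, 62, 68, 138, 190, 238, 204, 136, 146, 121, 220, 219, 205, 53, 173, 134, 32, 210, 220, 50, 240, 254, 39, 85, 37, 49, 16, 41, 168, 209, 19, 199, 209, 202, 53, 155, 73, 93, 161, 234, 190, 107, 85, 162, 95, 205, 49, 106, 26, 99, 150, 197, 36, 201, 161, 15, 78, 118, 38, 107, 96, 215, 124, 216, 36, 25, 176, 96, 217, 82, 224, 242, 54, 40, 115, 103, 84, 150, 78, 213, 84, 98, 167, 134, 114, 145, 226, 97, 58, 227, 160, 249, 41, 106, 227, 52, 223, 32, 63, 93, 138, 245, 229, 84, 251, 82, 235, 156, 255, 67, 132, 139, 236, 226, 139, 12, 165, 183, 96, 18, 90, 132, 246, 205, 156, 165, 195, 146, 67, 179, 132, 53, 243, 234, 180, 225, 15, 193, 27, 13, 126, 118, 166, 242, 150, 70, 21, 144, 68, 207, 119, 255, 167, 202, 236, 197, 80, 157, 103, 65, 174, 188, 231, 81, 53, 97, 5, 120, 33, 151, 116, 245, 100, 238, 193, 216, 235, 76, 189, 202, 73, 102, 72, 106, 28, 198, 53, 205, 230, 54, 191, 208, 117, 54, 153, 7, 247, 5, 63, 218, 12, 137, 47, 181, 94, 187, 173, 162, 209, 132, 209, 191, 53, 120, 168, 181, 249, 80, 50, 237, 136, 110, 77, 31, 82, 160, 128, 48, 144, 217, 129, 168, 165, 201, 83, 119, 17, 7, 216, 101, 127, 73, 3, 48, 92, 138, 221, 25, 228, 113, 163, 219, 108, 57, 138, 254, 228, 188, 236, 28, 124, 194, 12, 85, 65, 230, 61, 113, 70, 105, 31, 195, 125, 249, 205, 46, 239, 61, 157, 49, 180, 93, 204, 101, 241, 246, 89, 39, 93, 191, 123, 137, 181, 84, 101, 113, 47, 118, 239, 37, 97, 240, 70, 230, 173, 246, 113, 147, 230, 42, 229, 11, 221, 180, 142, 111, 26, 57, 142, 238, 77, 171, 160, 108, 82, 180, 17, 166, 252, 85, 154, 171, 119, 16, 209, 71, 158, 108, 38, 247, 235, 134, 109, 143, 29, 63, 104, 108, 142, 59, 253, 190, 70, 245, 119, 138, 245, 80, 217, 143, 28, 157, 82, 113, 186, 148, 116, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };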

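--- a/src/signatures/falcon.zig
+++ b/src/signatures/falcon.zig
@@ -485,17 +485,9 @@ fn Falcon(N: u32) type {
 /// sensitive message. The downside of this approach is that it
 /// introduces a significant cost to verification performance.
 pub fn hashToPoint(msg: []const u8, r: *const [40]u8) Polynomial(N, Fq) {
-// K <- ⌊2^16 / Q⌋
-const K = (1 << 16) / Q;
-const S = struct {
-const lanes = 16;
-
-const Mask = std.meta.Int(.unsigned, lanes);
-const V = @Vector(lanes, u32);
-
-extern fn @"llvm.x86.avx512.mask.compress.d.512"(V, V, Mask) V;
-const compress = @"llvm.x86.avx512.mask.compress.d.512";
-};
+const K = (1 << 16) / Q; // K <- ⌊2^16 / Q⌋
+const lanes = 16;
+const V = @Vector(lanes, u32);
 
 var state: Shake256 = .init(.{});
 state.update(r);
@@ -508,7 +500,7 @@ fn Falcon(N: u32) type {
 
 // Worst case is that we're at N - 1 elements filled, and we will
 // then keep resampling S.lanes elements until mask > 0.
-var coeffs: [N + S.lanes]Fq = undefined;
+var coeffs: [N + lanes]Fq = undefined;
 var i: u32 = 0;
 while (i < N) {
 if (offset >= sample.len) {
@@ -518,22 +510,29 @@ fn Falcon(N: u32) type {
 
 if (comptime builtin.zig_backend == .stage2_llvm and
 builtin.cpu.arch == .x86_64 and
+builtin.cpu.has(.x86, .avx512f) and
 // It only makes sense to use the vpcompress strategy on targets like Zen 5
 // where the performance of vpcompressd isn't hundreds of cycles (like it is on Zen 4).
-builtin.cpu.model == &std.Target.x86.cpu.znver5)
+builtin.cpu.model != &std.Target.x86.cpu.znver4)
 {
-const Kv: S.V = @splat(K * Q);
-const Fv = Fq.Vector(S.lanes);
+const Kv: V = @splat(K * Q);
+const Fv = Fq.Vector(lanes);
+
+const S = struct {
+const Mask = std.meta.Int(.unsigned, lanes);
+extern fn @"llvm.x86.avx512.mask.compress.d.512"(V, V, Mask) V;
+const compress = @"llvm.x86.avx512.mask.compress.d.512";
+};
 
-var batch: S.V = undefined;
-inline for (0..S.lanes) |j| {
+var batch: V = undefined;
+inline for (0..lanes) |j| {
 const idx = offset + j * 2;
 batch[j] = (@as(u32, sample[idx]) << 8) | sample[idx + 1];
 }
-offset += S.lanes * 2;
+offset += lanes * 2;
 const mask: S.Mask = @bitCast(batch < Kv);
 const compressed = S.compress(batch, @splat(0), mask);
-coeffs[i..][0..S.lanes].* = @bitCast(Fv.init(@intCast(compressed % Fv.Ql)));
+coeffs[i..][0..lanes].* = @bitCast(Fv.init(@intCast(compressed % Fv.Ql)));
 i += @popCount(mask);
 } else {
 const t = (@as(u32, sample[offset]) << 8) | sample[offset + 1];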
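Review bot: The widened condition at new lines 513–516 routes every LLVM x86-64 build with avx512f whose target model is not znver4 through the vpcompressd branch, so a binary built for a generic AVX-512 baseline or any Intel model now relies on that branch producing exactly the coefficients the scalar branch at 538 onward produces, yet nothing in this commit pins hashToPoint's output independently of which branch the host compiles; a known-answer test for hashToPoint (fixed `r` and `msg`, expected coefficient array) run under both a znver4 and an avx512f-but-not-znver4 target would catch a divergence that would otherwise show up as signatures verifying on one CPU and being rejected on another. The comment at 501–502 still says `S.lanes` although `lanes` is now a plain local at 489; suggest `// then keep resampling lanes elements until mask > 0.`. Separately, the batch load at 529–531 reads up to `sample[offset + 31]` while the only guard visible, at 506, is `offset >= sample.len`; that is pre-existing, but since more targets now reach this branch it is worth confirming against the refill code between 506 and 510 (outside the hunk) that `sample.len - offset` is always a multiple of 32, otherwise this is an over-read that is a safety panic in Debug and UB in ReleaseFast. hashToPoint's body starts before hunk 1's context and continues past the end of this hunk.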

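--- a/src/signatures/falcon/test.zig
+++ b/src/signatures/falcon/test.zig
@@ -2,6 +2,63 @@ const std = @import("std");
 const falcon = @import("../falcon.zig");
 
 const Falcon512 = falcon.Falcon512;
+const Pubkey = Falcon512.PublicKey;
+const Signature = Falcon512.Signature;
+
+const MESSAGE = "test message for pre-computed verification";
+const PUBKEY_BASE64 = "CV6ZIYJ17ttDNY6BY2L8laqhQqEQT0hhvZsBqe1NNeUj+c7ULeEiVl3FZwC0xqYFDh9uAJxQyM1eGQ3MeH9TzRTuCQiF0W21vlwR0R/Rt3ClEYJaopd4q5fnosNXxfOmS4pgBxLB2wgT7KLct2MOp+s1RClmOynIr54jA5YIrE0w/juE1Xmp3Yc3igsaJumDqBCUthmKQLaVa6+wKNNnAFtaNbHbuGhIQaC9edrcknM4dBlJzWp8YDIqxOHs3aou3+ljgHZjmGW3VYcgcf2TK8SRtVmQVHiCkQa2woZ204kRkXUIOuMRUmb8B+K53kALVjDJ2ZvTuKIukFqO0idUMmFzyO+K0vDBlMysF9yDGZ/Um1US+Hk6hyqpyFyz4J+hYhaD0vtK7Qf0UGsVU3GEcOLB9MWUCuxEkmQttxU4SbEFVtWy1M/BvU2AoPl0N8KlQbm5+IvrEA86UFfHHykhGBUYIpPdxiOmlvM5hlce6Q3UgB+dCuy61uUYD3yI3+Z/RSEaBWBQ92MCt9ImtyCVjiRNWaM53hlTSF+7t0AlVay5G/Lf0UOyEScNSaVe4GJTv9vxnxyaFL9c+4k03abAVFC9prS5lCDLGpnUqvGQGUemP9hG7eY3PWOqgB+DEHhVmkIU4ybJAHbPFL0BxubCO2MxW+mf+pyi2CQK7ypAH30ZtpQ3/Z2La45d6voM2n9s9hddXm1wjXnh5EXWv7mCKoXK2IExRbshnnAp+pJ5jEVYsFKB6IqRo4i+YRKuyU4EEXDVZSB9URRpkm6pMTlULvPmYMojEMAkVRt4Y7ZoyQNQIT5gs2hGUZ2+8jwT2KW7t7k1MhjeWC5uRmdrgyYGNfN609MlkQi7IIDgrwpF+8WrzemR5vcmySSVo3Hk9WjjrrnI3UjvLKSylRrJdgG9WMD3NE8RCjGRwWQoXzK4kPuBs1NnvX2ywDxhhYFwpKOQ338UcTg4lhhNpzzGmOGP3LXuxrCK5AGf+erwsJETJhWu5TcihpzmY/bgw76Vei9S7WVWqx0opviNhQbmzboQwQRxBX2Wewgmvz2I86pKfXgyJfQ7gOae0MrrGmDnkQ3W9ENhwrJ1G7fmofMrnnzFOVqbZJq9Wz2fnYmSY2c0URS9FmxUC5fGI5Kx01cZnyh6AxSGBnxATi/FR1lhKvx+NdsCM2pEIHC5ypFIiazAqIEC";
+const SIGNATURE_BASE64 = "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";
+
+fn getPubkey() Pubkey {
+var buffer: [897]u8 = undefined;
+std.base64.standard.Decoder.decode(&buffer, PUBKEY_BASE64) catch unreachable;
+return Pubkey.fromBytes(&buffer) catch unreachable;
+}
+
+fn getSignature() Signature {
+var buffer: [655]u8 = undefined;
+std.base64.standard.Decoder.decode(&buffer, SIGNATURE_BASE64) catch unreachable;
+return Signature.fromBytes(&buffer) catch unreachable;
+}
+
+test "verification succeeds" {
+const pubkey = getPubkey();
+const sig = getSignature();
+try Falcon512.verify(MESSAGE, sig, pubkey);
+}
+
+test "wrong message fails" {
+const pubkey = getPubkey();
+const sig = getSignature();
+try std.testing.expectError(
+error.InvalidBound,
+Falcon512.verify("wrong message", sig, pubkey),
+);
+}
+
+test "wrong signature fails" {
+const pubkey = getPubkey();
+var sig = getSignature();
+
+sig.s2.coeff[59] ^= 0xFF;
+
+try std.testing.expectError(
+error.InvalidBound,
+Falcon512.verify(MESSAGE, sig, pubkey),
+);
+}
+
+test "wrong pubkey fails" {
+var pubkey = getPubkey();
+const sig = getSignature();
+
+pubkey.h.coeff[59].data ^= 0xFF;
+
+try std.testing.expectError(
+error.InvalidBound,
+Falcon512.verify(MESSAGE, sig, pubkey),
+);
+}
 
 test "512 test vector" {
 { // success case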
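Review bot: The code that actually consumes attacker-controlled bytes, `Pubkey.fromBytes` and `Signature.fromBytes`, is reached only through `catch unreachable` on the known-good vectors at new lines 15 and 21, and every negative test at 30–61 tampers with an already-decoded structure, so the decoders' rejection paths are still untested; a case that feeds a truncated buffer (e.g. `Signature.fromBytes(buffer[0..654])`) and one with a corrupted leading header byte, each expecting an error from `fromBytes` itself, would close that gap. The buffer lengths at 13 and 19 are hard-coded rather than derived from the constants they decode, and as far as I recall `Decoder.decode` does not check that `dest.len` equals the decoded length, so a mis-sized vector would hand uninitialised trailing bytes to `fromBytes`; `var buffer: [std.base64.standard.Decoder.calcSizeForSlice(SIGNATURE_BASE64) catch unreachable]u8 = undefined;` (and likewise for the public key) turns that into a compile-time failure. Each negative case pins `error.InvalidBound` specifically, which is only right if the norm check is the first thing to reject a flipped `h` or `s2` coefficient; a one-line comment such as `// the flip keeps the encoding valid, so rejection must come from the norm bound` would record that assumption. The 655 at 19 appears to be this particular signature's length while the bench decodes the 666-byte zero-padded form, which is worth stating in a comment so the next vector is not mis-sized.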
