add more falcon tests

Rexicon226 · Rexicon226 · commit 5862a0f39398 · 2026-01-28T07:33:34.000-08:00
diff --git a/bench/main.zig b/bench/main.zig
@@ -222,7 +222,7 @@ const chacha = struct {
 const falcon = struct {
     const Falcon512 = zk.signatures.Falcon512;
 
-    const iterations = 100_000;
+    const iterations = 300_000;
     const warmup = 10_000;
 
     const signature_bytes: *const [666]u8 = &.{ 57, 22, 193, 37, 21, 37, 128, 147, 121, 153, 86, 54, 140, 223, 193, 130, 193, 202, 74, 52, 240, 119, 233, 36, 68, 22, 168, 196, 193, 63, 176, 202, 36, 30, 139, 122, 193, 113, 45, 40, 235, 11, 164, 166, 12, 198, 53, 151, 111, 248, 100, 105, 235, 37, 13, 107, 59, 184, 99, 146, 49, 176, 180, 89, 254, 175, 177, 124, 110, 228, 20, 223, 106, 108, 196, 205, 91, 109, 124, 211, 13, 81, 137, 174, 58, 72, 230, 113, 133, 50, 166, 188, 75, 219, 101, 207, 34, 72, 121, 152, 227, 249, 153, 222, 233, 148, 28, 76, 138, 105, 232, 184, 58, 55, 137, 188, 38, 34, 99, 112, 60, 20, 232, 106, 247, 93, 111, 38, 59, 193, 117, 126, 33, 80, 45, 69, 84, 132, 92, 48, 133, 147, 49, 150, 218, 185, 239, 222, 26, 217, 143, 40, 72, 27, 121, 87, 225, 75, 82, 200, 43, 28, 109, 147, 4, 238, 66, 70, 108, 90, 248, 203, 2, 72, 25, 90, 76, 235, 9, 167, 167, 255, 35, 247, 125, 123, 251, 222, 105, 40, 240, 60, 203, 203, 20, 181, 45, 105, 19, 38, 201, 70, 216, 190, 214, 117, 146, 204, 12, 150, 215, 33, 41, 90, 48, 233, 121, 219, 79, 2, 219, 235, 119, 133, 202, 133, 145, 157, 49, 187, 152, 254, 17, 73, 131, 36, 122, 86, 92, 141, 250, 12, 28, 179, 81, 134, 39, 150, 73, 29, 59, 205, 153, 55, 174, 21, 235, 131, 201, 207, 158, 198, 13, 249, 204, 82, 40, 153, 199, 22, 109, 255, 220, 163, 73, 228, 65, 227, 232, 194, 213, 11, 23, 118, 198, 149, 58, 70, 62, 68, 138, 190, 238, 204, 136, 146, 121, 220, 219, 205, 53, 173, 134, 32, 210, 220, 50, 240, 254, 39, 85, 37, 49, 16, 41, 168, 209, 19, 199, 209, 202, 53, 155, 73, 93, 161, 234, 190, 107, 85, 162, 95, 205, 49, 106, 26, 99, 150, 197, 36, 201, 161, 15, 78, 118, 38, 107, 96, 215, 124, 216, 36, 25, 176, 96, 217, 82, 224, 242, 54, 40, 115, 103, 84, 150, 78, 213, 84, 98, 167, 134, 114, 145, 226, 97, 58, 227, 160, 249, 41, 106, 227, 52, 223, 32, 63, 93, 138, 245, 229, 84, 251, 82, 235, 156, 255, 67, 132, 139, 236, 226, 139, 12, 165, 183, 96, 18, 90, 132, 246, 205, 156, 165, 195, 146, 67, 179, 132, 53, 243, 234, 180, 225, 15, 193, 27, 13, 126, 118, 166, 242, 150, 70, 21, 144, 68, 207, 119, 255, 167, 202, 236, 197, 80, 157, 103, 65, 174, 188, 231, 81, 53, 97, 5, 120, 33, 151, 116, 245, 100, 238, 193, 216, 235, 76, 189, 202, 73, 102, 72, 106, 28, 198, 53, 205, 230, 54, 191, 208, 117, 54, 153, 7, 247, 5, 63, 218, 12, 137, 47, 181, 94, 187, 173, 162, 209, 132, 209, 191, 53, 120, 168, 181, 249, 80, 50, 237, 136, 110, 77, 31, 82, 160, 128, 48, 144, 217, 129, 168, 165, 201, 83, 119, 17, 7, 216, 101, 127, 73, 3, 48, 92, 138, 221, 25, 228, 113, 163, 219, 108, 57, 138, 254, 228, 188, 236, 28, 124, 194, 12, 85, 65, 230, 61, 113, 70, 105, 31, 195, 125, 249, 205, 46, 239, 61, 157, 49, 180, 93, 204, 101, 241, 246, 89, 39, 93, 191, 123, 137, 181, 84, 101, 113, 47, 118, 239, 37, 97, 240, 70, 230, 173, 246, 113, 147, 230, 42, 229, 11, 221, 180, 142, 111, 26, 57, 142, 238, 77, 171, 160, 108, 82, 180, 17, 166, 252, 85, 154, 171, 119, 16, 209, 71, 158, 108, 38, 247, 235, 134, 109, 143, 29, 63, 104, 108, 142, 59, 253, 190, 70, 245, 119, 138, 245, 80, 217, 143, 28, 157, 82, 113, 186, 148, 116, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
diff --git a/src/signatures/falcon.zig b/src/signatures/falcon.zig
@@ -485,17 +485,9 @@ fn Falcon(N: u32) type {
         /// sensitive message. The downside of this approach is that it
         /// introduces a significant cost to verification performance.
         pub fn hashToPoint(msg: []const u8, r: *const [40]u8) Polynomial(N, Fq) {
-            // K <- ⌊2^16 / Q⌋
-            const K = (1 << 16) / Q;
-            const S = struct {
-                const lanes = 16;
-
-                const Mask = std.meta.Int(.unsigned, lanes);
-                const V = @Vector(lanes, u32);
-
-                extern fn @"llvm.x86.avx512.mask.compress.d.512"(V, V, Mask) V;
-                const compress = @"llvm.x86.avx512.mask.compress.d.512";
-            };
+            const K = (1 << 16) / Q; // K <- ⌊2^16 / Q⌋
+            const lanes = 16;
+            const V = @Vector(lanes, u32);
 
             var state: Shake256 = .init(.{});
             state.update(r);
@@ -508,7 +500,7 @@ fn Falcon(N: u32) type {
 
             // Worst case is that we're at N - 1 elements filled, and we will
             // then keep resampling S.lanes elements until mask > 0.
-            var coeffs: [N + S.lanes]Fq = undefined;
+            var coeffs: [N + lanes]Fq = undefined;
             var i: u32 = 0;
             while (i < N) {
                 if (offset >= sample.len) {
@@ -518,22 +510,29 @@ fn Falcon(N: u32) type {
 
                 if (comptime builtin.zig_backend == .stage2_llvm and
                     builtin.cpu.arch == .x86_64 and
+                    builtin.cpu.has(.x86, .avx512f) and
                     // It only makes sense to use the vpcompress strategy on targets like Zen 5
                     // where the performance of vpcompressd isn't hundreds of cycles (like it is on Zen 4).
-                    builtin.cpu.model == &std.Target.x86.cpu.znver5)
+                    builtin.cpu.model != &std.Target.x86.cpu.znver4)
                 {
-                    const Kv: S.V = @splat(K * Q);
-                    const Fv = Fq.Vector(S.lanes);
+                    const Kv: V = @splat(K * Q);
+                    const Fv = Fq.Vector(lanes);
+
+                    const S = struct {
+                        const Mask = std.meta.Int(.unsigned, lanes);
+                        extern fn @"llvm.x86.avx512.mask.compress.d.512"(V, V, Mask) V;
+                        const compress = @"llvm.x86.avx512.mask.compress.d.512";
+                    };
 
-                    var batch: S.V = undefined;
-                    inline for (0..S.lanes) |j| {
+                    var batch: V = undefined;
+                    inline for (0..lanes) |j| {
                         const idx = offset + j * 2;
                         batch[j] = (@as(u32, sample[idx]) << 8) | sample[idx + 1];
                     }
-                    offset += S.lanes * 2;
+                    offset += lanes * 2;
                     const mask: S.Mask = @bitCast(batch < Kv);
                     const compressed = S.compress(batch, @splat(0), mask);
-                    coeffs[i..][0..S.lanes].* = @bitCast(Fv.init(@intCast(compressed % Fv.Ql)));
+                    coeffs[i..][0..lanes].* = @bitCast(Fv.init(@intCast(compressed % Fv.Ql)));
                     i += @popCount(mask);
                 } else {
                     const t = (@as(u32, sample[offset]) << 8) | sample[offset + 1];
diff --git a/src/signatures/falcon/test.zig b/src/signatures/falcon/test.zig
@@ -2,6 +2,63 @@ const std = @import("std");
 const falcon = @import("../falcon.zig");
 
 const Falcon512 = falcon.Falcon512;
+const Pubkey = Falcon512.PublicKey;
+const Signature = Falcon512.Signature;
+
+const MESSAGE = "test message for pre-computed verification";
+const PUBKEY_BASE64 = "CV6ZIYJ17ttDNY6BY2L8laqhQqEQT0hhvZsBqe1NNeUj+c7ULeEiVl3FZwC0xqYFDh9uAJxQyM1eGQ3MeH9TzRTuCQiF0W21vlwR0R/Rt3ClEYJaopd4q5fnosNXxfOmS4pgBxLB2wgT7KLct2MOp+s1RClmOynIr54jA5YIrE0w/juE1Xmp3Yc3igsaJumDqBCUthmKQLaVa6+wKNNnAFtaNbHbuGhIQaC9edrcknM4dBlJzWp8YDIqxOHs3aou3+ljgHZjmGW3VYcgcf2TK8SRtVmQVHiCkQa2woZ204kRkXUIOuMRUmb8B+K53kALVjDJ2ZvTuKIukFqO0idUMmFzyO+K0vDBlMysF9yDGZ/Um1US+Hk6hyqpyFyz4J+hYhaD0vtK7Qf0UGsVU3GEcOLB9MWUCuxEkmQttxU4SbEFVtWy1M/BvU2AoPl0N8KlQbm5+IvrEA86UFfHHykhGBUYIpPdxiOmlvM5hlce6Q3UgB+dCuy61uUYD3yI3+Z/RSEaBWBQ92MCt9ImtyCVjiRNWaM53hlTSF+7t0AlVay5G/Lf0UOyEScNSaVe4GJTv9vxnxyaFL9c+4k03abAVFC9prS5lCDLGpnUqvGQGUemP9hG7eY3PWOqgB+DEHhVmkIU4ybJAHbPFL0BxubCO2MxW+mf+pyi2CQK7ypAH30ZtpQ3/Z2La45d6voM2n9s9hddXm1wjXnh5EXWv7mCKoXK2IExRbshnnAp+pJ5jEVYsFKB6IqRo4i+YRKuyU4EEXDVZSB9URRpkm6pMTlULvPmYMojEMAkVRt4Y7ZoyQNQIT5gs2hGUZ2+8jwT2KW7t7k1MhjeWC5uRmdrgyYGNfN609MlkQi7IIDgrwpF+8WrzemR5vcmySSVo3Hk9WjjrrnI3UjvLKSylRrJdgG9WMD3NE8RCjGRwWQoXzK4kPuBs1NnvX2ywDxhhYFwpKOQ338UcTg4lhhNpzzGmOGP3LXuxrCK5AGf+erwsJETJhWu5TcihpzmY/bgw76Vei9S7WVWqx0opviNhQbmzboQwQRxBX2Wewgmvz2I86pKfXgyJfQ7gOae0MrrGmDnkQ3W9ENhwrJ1G7fmofMrnnzFOVqbZJq9Wz2fnYmSY2c0URS9FmxUC5fGI5Kx01cZnyh6AxSGBnxATi/FR1lhKvx+NdsCM2pEIHC5ypFIiazAqIEC";
+const SIGNATURE_BASE64 = "OSCJBLuOJh5ASZPOMj7hL6Wvqs4nmwXV+xEGkRUkLiXgHaXqBjaayVwEYSQ6SDYKA5oi1aWzmx5uULs0Xw/l7+VsG58jhGL5NfkO0PPK9dH/R6HBhGamGPOqTW9Ye/0PeWUydbcRQ8XKWEV7IazO0+pmahhul7gSWcvZnJVbVf14e/UITCvmsXWnr1wQk0tMscaDPGwLvsr1MevbAzxUZlZ3SZ80D9YEyI1dQ5O6NrnpZlifJfgszEHXuRjtV6iCmNLBojckK0GCe/55ddEHKz/uLREPyXav5qM5jczwdjMq43qp50UshSHJzLtCY9LWfNpvp882VkCrXLEC/oQ0elIO2bXbhSYX+sev1t0qS0pNMtkmCFi/sHpNIUqr8Cazw7+MiZzUsTxHTRRjIKjhsdrEh6Oe0vi96h2d86iyGxo5TGZtNYg729HQnPRCFCEy1OHTPl6NL3s8VbyX7Ak/hqg2SDzy7pDofHSz9YNd4ftr5x9Cia+K3rVJZxm3M16c2NvNusblH5xpvGHUVKnJUZNlArhU3r3kW2eQZzqOoj5jOFC65kNxJm2yZUoA05Fq//oCT+sw1TDLrtJjKupDIIbhs4o1iIQCDMKVmFs1OiG5g/Kf5zMQE4f4huuiSn4dTsk9PArlGpvpnOLRiY+DUSRgHeKB7twZORI+qBoI2SnTwPhT+DE6WyM3VC13+i3VBVbNv9HNe3/rnBEa6ZtzZMtPnmQs2eZ26L83mcDONoxwvm/rsfKxNEoO7ivdBG3l52URskV5lbgbLNnfldnfn7eFkiCHikUl1m3INgiTiB83KnRauvYW4FWaDhs2xvX8qL7upp3mFnuH6cnGenXVFjFVcG5t0vm6YW/ObDyIkA==";
+
+fn getPubkey() Pubkey {
+    var buffer: [897]u8 = undefined;
+    std.base64.standard.Decoder.decode(&buffer, PUBKEY_BASE64) catch unreachable;
+    return Pubkey.fromBytes(&buffer) catch unreachable;
+}
+
+fn getSignature() Signature {
+    var buffer: [655]u8 = undefined;
+    std.base64.standard.Decoder.decode(&buffer, SIGNATURE_BASE64) catch unreachable;
+    return Signature.fromBytes(&buffer) catch unreachable;
+}
+
+test "verification succeeds" {
+    const pubkey = getPubkey();
+    const sig = getSignature();
+    try Falcon512.verify(MESSAGE, sig, pubkey);
+}
+
+test "wrong message fails" {
+    const pubkey = getPubkey();
+    const sig = getSignature();
+    try std.testing.expectError(
+        error.InvalidBound,
+        Falcon512.verify("wrong message", sig, pubkey),
+    );
+}
+
+test "wrong signature fails" {
+    const pubkey = getPubkey();
+    var sig = getSignature();
+
+    sig.s2.coeff[59] ^= 0xFF;
+
+    try std.testing.expectError(
+        error.InvalidBound,
+        Falcon512.verify(MESSAGE, sig, pubkey),
+    );
+}
+
+test "wrong pubkey fails" {
+    var pubkey = getPubkey();
+    const sig = getSignature();
+
+    pubkey.h.coeff[59].data ^= 0xFF;
+
+    try std.testing.expectError(
+        error.InvalidBound,
+        Falcon512.verify(MESSAGE, sig, pubkey),
+    );
+}
 
 test "512 test vector" {
     { // success case
