-
Notifications
You must be signed in to change notification settings - Fork 103
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Overhaul traits #16
Comments
Let's use this github issue to argue over how the trait should look. I'll start.
|
|
Should there be a |
|
|
Updates:
|
I have some questions wrt Currently a lot of curve implementations use 64 bit for the actual internal representation even on 32 bit platforms, but specify a What's the idea behind this? Is this forward compatibility for a future where the internal logic is actually 32 bit on 32 bit platforms? (Edit: this is possibly the wrong place to ask, perhaps I should ask in https://github.com/RustCrypto/elliptic-curves instead?) |
I believe that's a restriction of https://github.com/RustCrypto/elliptic-curves/blob/ebb7fe9/p256/src/arithmetic/scalar.rs#L828-L840 The However, nothing in either of those crates or the downstream consumers thereof is leveraging the bits representation anyway, so I think it'd be helpful to at least make it optional as proposed in #42. It would allow us to get rid of 5 otherwise superfluous dependencies (which were implicated in some recent breakages which were tough for downstream users to sort out. |
Ah, thanks for the pointer, I would not have guessed that. For future reference, this is the limitation: (Edit: removed questioning of this limitation in bitvec. Apparently it's because it needs the components to be naturally aligned because of pointer encoding tricks it uses to permit bit references, and on 32 bit systems 64 bit values do not have 64 bit alignment.) Agree on dropping bitvec as a required dependency, though it leaves me back at square one wrt getting anything resembling a defined endianness out of scalars. Can we please just have |
I've spent some more time looking at the bitvec crate, and the more I look at it the less I think it's appropriate for
It's possible I've misunderstood something by the way, in which case I apologize. I'm putting this up here for discussion (because it's very relevant to the API), as well as to check whether my understanding is accurate. All in all the natural solution seems the APIs I describe in my previous comment, which all work on bytes directly. Fixed length bytes arrays with known endianness can easily be ingested by any other library, whether bigint or bitvec and are the basic unit in all cryptographic protocols which don't already work in the field's customary internal representation (for those you don't need any conversion anyway). Again, I may be missing something, please correct me if I'm wrong. |
I feel like the above comment may benefit from a TLDR, so:
All of these concerns are in addition to it being a troublesome dependency like @tarcieri mentioned. My proposal is to add functions which convert to and from fixed size byte buffers in big and little endian byte order, using the existing |
We used to have (the equivalent of) these, and removed them. The reason we removed them is because they almost caused us to deploy a mixed-endianness protocol (different endianness at byte- and bit-level) to a ~$2B ecosystem. IMHO it is a mistake to attempt to encode field elements generically with a specific endianness. Putting aside the potential for accidental misuse (per above), it enables different users to serialize field elements in potentially-undetectably incompatible ways on disk, which is a nightmare comparable to ASN.1 encodings of curve points. I don't believe that we should enable this kind of unsafety in generic protocols. If you need to know the endianness of an encoding, I think it is perfectly fine to require that you know concretely the field you are operating on (at which point you can do what you want). The main reason that |
This confusion is part of my above reasoning: this API has everything to do with endianness! The types that Bit endianness is a terrible thing to need to care about, but unfortunately we do need to care about it inside arithmetic circuits (where the native word is a field element rather than a byte). |
And to cap, the main reason that |
This is a sub-task of zcash/librustzcash#41. We can discuss the trait refactor specifically here.
The current plan (as of 2020-09-04):
ff::Field
to follow the currentbls12_381
andjubjub
APIs.ff::Field
orff::PrimeField
.ff::PrimeFieldRepr
.Addff::PrimeField::ReprEndianness
typeff::Field::frobenius_map
ff::SqrtField
ff::PrimeField::ReprBits
type (replacingff::PrimeField::ReprEndianness
)The text was updated successfully, but these errors were encountered: