-
Notifications
You must be signed in to change notification settings - Fork 146
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use tighter loose bounds #799
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I transcribed the new curve25519 bounds into the asserts in our code and the tests still passed. I probably am not able to provide useful review beyond that. :-)
3f7b69b
to
e47f7bb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The changes to Tests/
aren't too important because I've now completely deleted Tests/
in my branch (bedrock2_interface
) and replaced it with a new thing. It might be a new form of headache now (but hopefully not, I think it's actually just left as computation of is_tighter_than_bool
), but I'll consider that my problem.
We now compute the loose bounds by recording the number of additions and/or balanced subtractions we want to be able to do in a row before we need to multiply and carry. Note that balanced subtraction always takes a bit more overhead than addition. This is a more conservative variant of mit-plv#799 that doesn't actually change the bounds, and makes the senuine change of mit-plv#799 easier to see, namely, reducing `headspace_add_count` from `2` to `1`.
We now compute the loose bounds by recording the number of additions and/or balanced subtractions we want to be able to do in a row before we need to multiply and carry. Note that balanced subtraction always takes a bit more overhead than addition. This is a more conservative variant of mit-plv#799 that doesn't actually change the bounds, and makes the genuine change of mit-plv#799 easier to see, namely, reducing `headspace_add_count` from `2` to `1`.
e47f7bb
to
71a03a6
Compare
We now compute the loose bounds by recording the number of additions and/or balanced subtractions we want to be able to do in a row before we need to multiply and carry. Note that balanced subtraction always takes a bit more overhead than addition. This is a more conservative variant of mit-plv#799 that doesn't actually change the bounds, and makes the genuine change of mit-plv#799 easier to see, namely, reducing `headspace_add_count` from `2` to `1`.
We now compute the loose bounds by recording the number of additions and/or balanced subtractions we want to be able to do in a row before we need to multiply and carry. Note that balanced subtraction always takes a bit more overhead than addition. This is a more conservative variant of #799 that doesn't actually change the bounds, and makes the genuine change of #799 easier to see, namely, reducing `headspace_add_count` from `2` to `1`.
71a03a6
to
a0a02d2
Compare
We now compute the loose bounds to be as tight as possible given the tight bounds: they are the tightest bounds that will let us add two tightly-bounded field elements, and will also let us subtract two tightly-bounded field elements (with balance), without needing to carry. This is probably required for having 32-bit p448 work, but even with this, p448 is still not working; see mit-plv#797. Seems worth merging anyway.
a0a02d2
to
25b497c
Compare
I came here while reading #797 which I'm interested in. I understand this does not bring fiat-crypto to p448-32, but already goes some way. I was wondering (since this has multiple positive reviews) what is missing to get this PR merged (apart from a rebase)? |
My impression from #797 (comment) was that determining headroom is more complicated than just "how many additions / subtractions do you want to be able to do in a row without carrying?" and hence the one-line change here (changing I think the thing standing in the way of merging a PR like this is having an understanding of what the right interface to present here is. Should we compute the loose bounds by asking people to specify how many additions they'd like to perform in a row (and encode it somehow in the types so that users can in fact perform that many additions in a row)? It's not clear to me what the landscape looks like around choosing bounds. If it's useful to you, I'm happy to make |
Thanks for your explanation @JasonGross. Indeed that sounds like this PR may not be relevant for the p448-32 goal. I'll read up on #797 to figure out the missing bits and pieces when I find enough time and headroom. |
We now compute the loose bounds to be as tight as possible given the
tight bounds: they are the tightest bounds that will let us add two
tightly-bounded field elements, and will also let us subtract two
tightly-bounded field elements (with balance), without needing to carry.
This is probably required for having 32-bit p448 work, but even with
this, p448 is still not working; see
#797. Seems worth merging
anyway.
@andres-erbsen @davidben please review either the changes in the bounds in the comments, or the changes in the definition of
loose_upperbounds
insrc/UnsaturatedSolinasHeuristics.v
, or both.@jadephilipoom Please review my changes to your proof of
loose_bounds_within_base_access_sizes
insrc/Bedrock/Tests/Proofs/X25519_64.v
(the upper bounds are no longerrepeat r n
, so I had to use a lemma about relaxing them, and then relaxed them to the repetition of the max element).