diff --git a/CHANGELOG.md b/CHANGELOG.md index 922fa9d0b..a33769660 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ - Added `miden_core::mast::MastForest::advice_map` to load it into the advice provider before the `MastForest` execution (#1574). - Optimized the computation of the DEEP queries in the recursive verifier (#1594). - Added validity checks for the inputs to the recursive verifier (#1596). +- Improved Falcon signiture verification (#1623). ## 0.11.0 (2024-11-04) diff --git a/core/src/debuginfo/source_file.rs b/core/src/debuginfo/source_file.rs index 2f7fc69f7..9b750a6e0 100644 --- a/core/src/debuginfo/source_file.rs +++ b/core/src/debuginfo/source_file.rs @@ -515,7 +515,7 @@ impl SourceContent { /// /// Returns `None` if the given index is out of bounds pub fn line_start(&self, line_index: LineIndex) -> Option { - self.line_starts.get(line_index.to_usize()).copied().map(ByteIndex::from) + self.line_starts.get(line_index.to_usize()).copied() } /// Returns the index of the last line in this file diff --git a/stdlib/asm/crypto/dsa/rpo_falcon512.masm b/stdlib/asm/crypto/dsa/rpo_falcon512.masm index 5b1b479ec..fd621ae2a 100644 --- a/stdlib/asm/crypto/dsa/rpo_falcon512.masm +++ b/stdlib/asm/crypto/dsa/rpo_falcon512.masm @@ -8,6 +8,7 @@ const.J=77321994752 const.M=12289 const.M_HALF=6144 # (M-1) / 2 const.SQUARE_NORM_BOUND=34034726 +const.MEMORY_POINTER_OFFSET_OF_HASH_TO_POINT_POLY_FROM_PRODUCT_POLY=1281 # MODULAR REDUCTION FALCON PRIME # ============================================================================================= @@ -535,7 +536,7 @@ export.compute_s1_norm_sq # load the next four c_i padw - dup.12 add.1281 + dup.12 add.MEMORY_POINTER_OFFSET_OF_HASH_TO_POINT_POLY_FROM_PRODUCT_POLY mem_loadw #=> [C, PI_{i+512}, PI, pi_ptr, ...] @@ -626,21 +627,28 @@ export.compute_s2_norm_sq padw dup.4 mem_loadw + # => [c3, c2, c1, c0, s2_ptr, ...] where ci are coefficients of s2 exec.norm_sq swap + # => [c2, norm_sq(c3), c1, c0, s2_ptr, ...] exec.norm_sq add swap + # => [c1, norm_sq(c2) + norm_sq(c3), c0, s2_ptr, ...] exec.norm_sq add swap + # => [c0, norm_sq(c1) + norm_sq(c2) + norm_sq(c3), s2_ptr, ...] exec.norm_sq add + # => [norm_sq(c0) + norm_sq(c1) + norm_sq(c2) + norm_sq(c3), s2_ptr, ...] swap add.1 + # => [s2_ptr + 1, norm_sq(c0) + norm_sq(c1) + norm_sq(c2) + norm_sq(c3), ...] end drop + # (512 / 4) - 1 = 127 additions are needed repeat.127 add end diff --git a/stdlib/tests/crypto/falcon.rs b/stdlib/tests/crypto/falcon.rs index 18b586eeb..a61649e84 100644 --- a/stdlib/tests/crypto/falcon.rs +++ b/stdlib/tests/crypto/falcon.rs @@ -85,10 +85,12 @@ fn test_falcon512_diff_mod_q() { exec.rpo_falcon512::diff_mod_q end "; - let v = rand::thread_rng().gen_range(0..Felt::MODULUS); + let v = Felt::MODULUS - 1; let (v_lo, v_hi) = (v as u32, v >> 32); - let w = rand::thread_rng().gen_range(0..J); - let u = rand::thread_rng().gen_range(0..J); + + // test largest possible value given v + let w = J - 1; + let u = 0; let test1 = build_test!(source, &[v_lo as u64, v_hi as u64, w + J, u]); @@ -100,6 +102,21 @@ fn test_falcon512_diff_mod_q() { assert_eq!(expanded_answer, i128::try_from(simplified_answer).unwrap()); test1.expect_stack(&[simplified_answer as u64]); + + // test smallest possible value given v + let w = 0; + let u = J - 1; + + let test2 = build_test!(source, &[v_lo as u64, v_hi as u64, w + J, u]); + + // Calculating (v - (u + (- w % q) % q) % q) should be the same as (v + w + J - u) % q. + let expanded_answer = (v as i128 + - ((u as i64 + -(w as i64).rem_euclid(M as i64)).rem_euclid(M as i64) as i128)) + .rem_euclid(M as i128); + let simplified_answer = (v as i128 + w as i128 + J as i128 - u as i128).rem_euclid(M as i128); + assert_eq!(expanded_answer, i128::try_from(simplified_answer).unwrap()); + + test2.expect_stack(&[simplified_answer as u64]); } proptest! {