[WAR-489] DKG test mockup using Fp and sample tracing

src/fields/fp.rs

@@ -133,8 +133,7 @@ macro_rules! define_finite_prime_field {
 
         //special struct for const-time arithmetic on montgomery form integers mod p
         type $output = crypto_bigint::modular::ConstMontyForm<$mod_struct, { $mod_struct::LIMBS }>;
-        #[derive(Clone, Copy)] //to be used in const contexts
-        #[derive(Eq)]
+        #[derive(Clone, Copy, Eq)] //Clone and Copy to be used in const contexts
         /// This is the actual struct that serves as our finite field implementation, containing
         /// the modulus of the field, as well as the output type that contains the internal
         /// Montgomery arithmetic logic

src/groups/g2.rs

@@ -291,7 +291,16 @@ impl G2Projective {
             let mut rhs = b.endomorphism(); // ψ^2(xQ)
             let lhs = rhs + b + a; // ψ^2(xQ) + ψ(xQ) + (x+1)Q
             rhs = rhs.endomorphism().double() - lhs; // ψ^3(2xQ) - (ψ^2(xQ) + ψ(xQ) + (x+1)Q)
-            tracing::debug!(?x, ?y, ?z, ?a, ?b, ?lhs, ?rhs, "G2Projective::_g2projective_is_torsion_free");
+            tracing::debug!(
+                ?x,
+                ?y,
+                ?z,
+                ?a,
+                ?b,
+                ?lhs,
+                ?rhs,
+                "G2Projective::_g2projective_is_torsion_free"
+            );
 
             // we do two checks: one is to verify that the result is indeed a point at infinity,
             // but we need a second check to verify that it is OUR point at infinity, namely for

src/groups/group.rs

@@ -250,28 +250,34 @@ impl<const D: usize, const N: usize, F: FieldExtensionTrait<D, N>> GroupProjecti
         let t0 = self.y * self.y;
         let z3 = t0 + t0;
         let z3 = z3 + z3;
+        tracing::debug!(?t0, ?z3, "GroupProjective::double 1");
 
         let z3 = z3 + z3;
         let t1 = self.y * self.z;
         let t2 = self.z * self.z;
+        tracing::debug!(?z3, ?t1, ?t2, "GroupProjective::double 2");
 
         // the magic 3 below is an artifact directly from the algorithm itself,
         // see the main text in Ref (1) Alg. (9)
         let t2 = F::from(3) * F::curve_constant() * t2;
         let x3 = t2 * z3;
         let y3 = t0 + t2;
+        tracing::debug!(?t2, ?x3, ?y3, "GroupProjective::double 3");
 
         let z3 = t1 * z3;
         let t1 = t2 + t2;
         let t2 = t1 + t2;
+        tracing::debug!(?z3, ?t1, ?t2, "GroupProjective::double 3");
 
         let t0 = t0 - t2;
         let y3 = t0 * y3;
         let y3 = x3 + y3;
+        tracing::debug!(?t0, ?y3, "GroupProjective::double 4");
 
         let t1 = self.x * self.y;
         let x3 = t0 * t1;
         let x3 = x3 + x3;
+        tracing::debug!(?t1, ?x3, "GroupProjective::double 5");
         Self::conditional_select(
             &Self {
                 x: x3,
@@ -316,6 +322,7 @@ impl<const D: usize, const N: usize, F: FieldExtensionTrait<D, N>> ConstantTimeE
 
         let y0 = self.y * other.z;
         let y1 = other.y * self.z;
+        tracing::debug!(?x0, ?x1, ?y0, ?y1, "GroupProjective::ct_eq");
 
         let i_am_zero = self.z.is_zero();
         let you_are_zero = other.z.is_zero();
@@ -354,6 +361,7 @@ impl<'a, const D: usize, const N: usize, F: FieldExtensionTrait<D, N>>
         let inverse = arg.z.inv(); // this is either a good value or zero, see `inv` in `fp.rs`
         let x = arg.x * inverse;
         let y = arg.y * inverse;
+        tracing::debug!(?x, ?y, "GroupAffine::from(GroupProjective)");
 
         GroupAffine::conditional_select(
             &GroupAffine {
@@ -407,26 +415,32 @@ impl<'a, 'b, const D: usize, const N: usize, F: FieldExtensionTrait<D, N>>
         let t0 = self.x * other.x;
         let t1 = self.y * other.y;
         let t2 = self.z * other.z;
+        tracing::debug!(?t0, ?t1, ?t1, "GroupProjective::add 1");
 
         let t3 = self.x + self.y;
         let t4 = other.x + other.y;
         let t3 = t3 * t4;
+        tracing::debug!(?t3, ?t4, "GroupProjective::add 2");
 
         let t4 = t0 + t1;
         let t3 = t3 - t4;
         let t4 = self.y + self.z;
+        tracing::debug!(?t3, ?t4, "GroupProjective::add 3");
 
         let x3 = other.y + other.z;
         let t4 = t4 * x3;
         let x3 = t1 + t2;
+        tracing::debug!(?x3, ?t4, "GroupProjective::add 4");
 
         let t4 = t4 - x3;
         let x3 = self.x + self.z;
         let y3 = other.x + other.z;
+        tracing::debug!(?t4, ?x3, ?y3, "GroupProjective::add 5");
 
         let x3 = x3 * y3;
         let y3 = t0 + t2;
         let y3 = x3 - y3;
+        tracing::debug!(?x3, ?y3, "GroupProjective::add 6");
 
         // again, the magic 3 below is an artifact from the algorithm itself,
         // see the main text of Ref (1) Alg. (7) above
@@ -437,6 +451,7 @@ impl<'a, 'b, const D: usize, const N: usize, F: FieldExtensionTrait<D, N>>
         let z3 = t1 + t2;
         let t1 = t1 - t2;
         let y3 = F::from(3) * F::curve_constant() * y3;
+        tracing::debug!(?x3, ?t0, ?t2, ?z3, ?t1, ?y3, "GroupProjective::add 7");
 
         let x3 = t4 * y3;
         let t2 = t3 * t1;
@@ -449,6 +464,7 @@ impl<'a, 'b, const D: usize, const N: usize, F: FieldExtensionTrait<D, N>>
         let t0 = t0 * t3;
         let z3 = z3 * t4;
         let z3 = z3 + t0;
+        tracing::debug!(?x3, ?t2, ?y3, ?t1, ?t0, ?z3, "GroupProjective::add 8");
         Self::Output {
             x: x3,
             y: y3,

src/hasher.rs

@@ -85,6 +85,16 @@ pub trait Expander {
                     .map_err(|_e: TryFromSliceError| HashError::CastToField)?,
             );
             *f = Fp::new(scalar);
+            tracing::debug!(
+                ?i,
+                ?f,
+                ?tv,
+                ?bs,
+                ?cast_value,
+                ?modulus,
+                ?scalar,
+                "Expander::hash_to_field"
+            );
         }
         Ok(retval)
     }
@@ -135,6 +145,7 @@ impl<D: Default + FixedOutput + BlockSizeUser> Expander for XMDExpander<D> {
             &i2osp(self.dst_prime.len() as u64, 1)?,
         ]
         .concat();
+        tracing::debug!(?ell, ?dst_prime, "XMDExpander::expand_message");
         if 8 * b_in_bytes < 2 * self.security_param as usize
             || ell > 255
             || dst_prime.len() != self.dst_prime.len() + 1
@@ -155,6 +166,7 @@ impl<D: Default + FixedOutput + BlockSizeUser> Expander for XMDExpander<D> {
             .chain(dst_prime.iter())
             .finalize_fixed()
             .to_vec();
+        tracing::debug!(?z_pad, ?l_i_b_str, ?b_vals, "XMDExpander::expand_message");
 
         for i in 1..ell {
             let xored: Vec<u8> = b_0
@@ -169,6 +181,7 @@ impl<D: Default + FixedOutput + BlockSizeUser> Expander for XMDExpander<D> {
                 .cloned()
                 .collect();
             b_vals[i] = D::default().chain(b_i).finalize_fixed().to_vec();
+            tracing::debug!(?xored, b_vals_i = ?b_vals[i], "XMDExpander::expand_message");
         }
 
         Ok(b_vals.into_iter().flatten().take(len_in_bytes).collect())

src/pairing.rs

@@ -109,6 +109,7 @@ impl MillerLoopResult {
             let t1 = b.square();
             // Line 3
             let c0 = t1.residue_mul();
+            tracing::debug!(?t0, ?t1, ?c0, "MillerLoopResult::fp4_square");
             // Line 4
             let c0 = c0 + t0;
             // Line 5
@@ -130,6 +131,7 @@ impl MillerLoopResult {
             let mut z5 = f.0[1].0[2];
             // Line 9
             let (t0, t1) = fp4_square(z0, z1);
+            tracing::debug!(?t0, ?t1, "MillerLoopResult::cyclotonic_squared");
             // Line 13-22 for A
             z0 = t0 - z0;
             z0 = z0 + z0 + t0;
@@ -139,6 +141,7 @@ impl MillerLoopResult {
 
             let (mut t0, t1) = fp4_square(z2, z3);
             let (t2, t3) = fp4_square(z4, z5);
+            tracing::debug!(?t0, ?t1, ?t2, ?t3, "MillerLoopResult::cyclotonic_squared");
 
             // Lines 25-31, for C
             z4 = t0 - z4;
@@ -220,6 +223,30 @@ impl MillerLoopResult {
             let s = input.unitary_inverse();
             let t = s * l;
             let u = t.frobenius(3);
+            tracing::debug!(
+                ?a,
+                ?b,
+                ?c,
+                ?d,
+                ?e,
+                ?f,
+                ?g,
+                ?h,
+                ?i,
+                ?j,
+                ?k,
+                ?l,
+                ?m,
+                ?n,
+                ?o,
+                ?p,
+                ?q,
+                ?r,
+                ?s,
+                ?t,
+                ?u,
+                "MillerLoopResult::hard_part"
+            );
             u * r
         }
 
@@ -265,20 +292,24 @@ impl G2PreComputed {
             let c = &self.coeffs[idx];
             idx += 1;
             f = f.square().sparse_mul(c.0, c.1.scale(g1.y), c.2.scale(g1.x));
+            tracing::debug!(?idx, ?f, "G2PreComputed::miller_loop");
 
             if *i != 0 {
                 let c = &self.coeffs[idx];
                 idx += 1;
                 f = f.sparse_mul(c.0, c.1.scale(g1.y), c.2.scale(g1.x));
+                tracing::debug!(?idx, ?f, "G2PreComputed::miller_loop");
             }
         }
 
         let c = &self.coeffs[idx];
         idx += 1;
         f = f.sparse_mul(c.0, c.1.scale(g1.y), c.2.scale(g1.x));
+        tracing::debug!(?idx, ?f, "G2PreComputed::miller_loop");
 
         let c = &self.coeffs[idx];
         f = f.sparse_mul(c.0, c.1.scale(g1.y), c.2.scale(g1.x));
+        tracing::debug!(?idx, ?f, "G2PreComputed::miller_loop");
 
         MillerLoopResult(f)
     }
@@ -343,6 +374,7 @@ impl G2Projective {
         let h = d * f;
         let i = self.x * f;
         let j = self.z * g + h - (i + i);
+        tracing::debug!(?d, ?e, ?f, ?g, ?h, ?i, ?j, "G2Projective::addition_step");
 
         self.x = d * j;
         self.y = e * (i - j) - h * self.y;
@@ -366,6 +398,7 @@ impl G2Projective {
         let i = e - b;
         let j = self.x.square();
         let e_sq = e.square();
+        tracing::debug!(?f, ?g, ?h, ?i, ?j, ?e_sq, "G2Projective::doubling_step");
 
         self.x = a * (b - f);
         self.y = g.square() - (e_sq + e_sq + e_sq);
@@ -394,6 +427,7 @@ pub fn pairing(p: &G1Projective, q: &G2Projective) -> Gt {
     let q = G2Affine::conditional_select(q, &G2Affine::generator(), either_zero);
     let tmp = q.precompute().miller_loop(&p).0;
     let tmp = MillerLoopResult(Fp12::conditional_select(&tmp, &Fp12::one(), either_zero));
+    tracing::debug!(?p, ?q, ?tmp, "pairing");
     tmp.final_exponentiation()
 }
 
@@ -423,11 +457,13 @@ pub fn glued_miller_loop(g2_precomps: &[G2PreComputed], g1s: &[G1Affine]) -> Mil
             idx += 1;
         }
     }
+    tracing::debug!(?f, "glued_miller_loop 1");
 
     for (g2_precompute, g1) in g2_precomps.iter().zip(g1s.iter()) {
         let c = &g2_precompute.coeffs[idx];
         f = f.sparse_mul(c.0, c.1.scale(g1.y), c.2.scale(g1.x));
     }
+    tracing::debug!(?f, "glued_miller_loop 2");
     idx += 1;
     for (g2_precompute, g1) in g2_precomps.iter().zip(g1s.iter()) {
         let c = &g2_precompute.coeffs[idx];

src/svdw.rs

@@ -161,6 +161,24 @@ impl SvdWTrait for SvdW {
         };
         let e3 = Choice::from((bool::from(u.sgn0()) == bool::from(y.sgn0())) as u8);
         let y = cmov(&(-y), &y, &e3); // Select correct sign of y;
+        tracing::debug!(
+            ?tv1,
+            ?tv2,
+            ?tv3,
+            ?tv4,
+            ?x1,
+            ?gx1,
+            ?e1,
+            ?x2,
+            ?gx2,
+            ?e2,
+            ?x3,
+            ?x,
+            ?gx,
+            ?y,
+            ?e3,
+            "SvdW::unchecked_map_to_point"
+        );
         Ok([x, y])
     }
 }