feat(precompiles): implement montgomery arithmetic

1. implement montgomery arithmetic
2. add tests from go-ethereum

Author: AllFi

.gitignore

@@ -36,6 +36,7 @@ src/test/java/org/tron/consensus2
 src/main/java/META-INF/
 src/main/resources/META-INF/
 /bin/
+bin
 
 # Eclipse IDE specific files and folders
 /.project

build.gradle

@@ -52,6 +52,7 @@ subprojects {
         compile group: 'org.apache.commons', name: 'commons-math', version: '2.2'
         compile "org.apache.commons:commons-collections4:4.1"
         compile group: 'joda-time', name: 'joda-time', version: '2.3'
+        implementation 'javax.annotation:javax.annotation-api:1.3.2' 
 
     }
 

crypto/src/main/java/org/tron/common/crypto/zksnark/BN128.java

@@ -220,21 +220,6 @@ public boolean isZero() {
     return z.isZero();
   }
 
-  protected boolean isValid() {
-
-    // check whether coordinates belongs to the Field
-    if (!x.isValid() || !y.isValid() || !z.isValid()) {
-      return false;
-    }
-
-    // check whether point is on the curve
-    if (!isOnCurve()) {
-      return false;
-    }
-
-    return true;
-  }
-
   @Override
   public String toString() {
     return String.format("(%s; %s; %s)", x.toString(), y.toString(), z.toString());

crypto/src/main/java/org/tron/common/crypto/zksnark/BN128Fp.java

@@ -47,6 +47,11 @@ public static BN128<Fp> create(byte[] xx, byte[] yy) {
     Fp x = Fp.create(xx);
     Fp y = Fp.create(yy);
 
+    if (x == null || y == null) {
+      // It means that one or both coordinates are not elements of Fp
+      return null;
+    }
+
     // check for point at infinity
     if (x.isZero() && y.isZero()) {
       return ZERO;
@@ -55,7 +60,7 @@ public static BN128<Fp> create(byte[] xx, byte[] yy) {
     BN128<Fp> p = new BN128Fp(x, y, Fp._1);
 
     // check whether point is a valid one
-    if (p.isValid()) {
+    if (p.isOnCurve()) {
       return p;
     } else {
       return null;

crypto/src/main/java/org/tron/common/crypto/zksnark/BN128Fp2.java

@@ -52,6 +52,11 @@ public static BN128<Fp2> create(byte[] aa, byte[] bb, byte[] cc, byte[] dd) {
     Fp2 x = Fp2.create(aa, bb);
     Fp2 y = Fp2.create(cc, dd);
 
+    if (x == null || y == null) {
+      // It means that one or both coordinates are not elements of Fp
+      return null;
+    }
+
     // check for point at infinity
     if (x.isZero() && y.isZero()) {
       return ZERO;
@@ -60,7 +65,7 @@ public static BN128<Fp2> create(byte[] aa, byte[] bb, byte[] cc, byte[] dd) {
     BN128<Fp2> p = new BN128Fp2(x, y, Fp2._1);
 
     // check whether point is a valid one
-    if (p.isValid()) {
+    if (p.isOnCurve()) {
       return p;
     } else {
       return null;

crypto/src/main/java/org/tron/common/crypto/zksnark/Field.java

@@ -40,6 +40,4 @@ interface Field<T> {
   T negate();
 
   boolean isZero();
-
-  boolean isValid();
 }

crypto/src/main/java/org/tron/common/crypto/zksnark/Fp.java

@@ -17,24 +17,68 @@
  */
 package org.tron.common.crypto.zksnark;
 
-import static org.tron.common.crypto.zksnark.Params.P;
-
 import java.math.BigInteger;
 
 /**
  * Arithmetic in F_p, p = 21888242871839275222246405745257275088696311157297823662689037894645226208583
- *
+ * This class stores elements of F_p in the Montgomery form: a*r mod p.
+ * 
  * @author Mikhail Kalinin
  * @since 01.09.2017
  */
 public class Fp implements Field<Fp> {
+  /**
+   * "p" field parameter of F_p, F_p2, F_p6 and F_p12
+   */
+  static final BigInteger P = new BigInteger(
+      "21888242871839275222246405745257275088696311157297823662689037894645226208583");
 
-  static final Fp ZERO = new Fp(BigInteger.ZERO);
-  static final Fp _1 = new Fp(BigInteger.ONE);
-  static final Fp NON_RESIDUE = new Fp(new BigInteger(
+  /**
+   * This value is equal to 2^256. It should be greater than {@link #P} and coprime to it.
+   * Field elements are represented in Montgomery form as a*{@link #REDUCER} mod {@link #P}. 
+   * This specific value of {@link #REDUCER} is selected to facilitate efficient division 
+   * by {@link #REDUCER} through simple shifting.
+   */
+  static final BigInteger REDUCER = new BigInteger(
+    "115792089237316195423570985008687907853269984665640564039457584007913129639936");
+
+  /**
+   * The number of bits in the {@link #REDUCER} value.
+   */
+  static final int REDUCER_BITS = 256;
+
+  /**
+   * A precomputed value of {@link #REDUCER}^2 mod {@link #P}.
+   */
+  static final BigInteger REDUCER_SQUARED = new BigInteger(
+    "3096616502983703923843567936837374451735540968419076528771170197431451843209");
+
+  /**
+   * A precomputed value of {@link #REDUCER}^3 mod {@link #P}.
+   */
+  static final BigInteger REDUCER_CUBED = new BigInteger(
+    "14921786541159648185948152738563080959093619838510245177710943249661917737183");
+
+  /**
+   * A precomputed value of -{@link #P}^{-1} mod {@link #REDUCER}.
+   */
+  static final BigInteger FACTOR = new BigInteger(
+    "111032442853175714102588374283752698368366046808579839647964533820976443843465");
+
+  /**
+   * The MASK value is set to 2^256 - 1 and is utilized to replace the operation % 2^256
+   * with a bitwise AND using this value. This choice ensures that only the lower 256 bits
+   * of a result are retained, effectively simulating the modulus operation.
+   */
+  static final BigInteger MASK = new BigInteger(
+    "115792089237316195423570985008687907853269984665640564039457584007913129639935");
+
+  static final Fp ZERO = Fp.create(BigInteger.ZERO);
+  static final Fp _1 = Fp.create(BigInteger.ONE);
+  static final Fp NON_RESIDUE = Fp.create(new BigInteger(
       "21888242871839275222246405745257275088696311157297823662689037894645226208582"));
 
-  static final Fp _2_INV = new Fp(BigInteger.valueOf(2).modInverse(P));
+  static final Fp _2_INV = Fp.create(BigInteger.valueOf(2).modInverse(P));
 
   BigInteger v;
 
@@ -43,41 +87,52 @@ public class Fp implements Field<Fp> {
   }
 
   static Fp create(byte[] v) {
-    return new Fp(new BigInteger(1, v));
+    BigInteger value = new BigInteger(1, v);
+    if (value.compareTo(P) >= 0) {
+      // Only the values less than P are valid
+      return null;
+    }
+    return new Fp(toMontgomery(value));
   }
 
   static Fp create(BigInteger v) {
-    return new Fp(v);
+    if (v.compareTo(P) >= 0) {
+      // Only the values less than P are valid
+      return null;
+    }
+    return new Fp(toMontgomery(v));
   }
 
   @Override
   public Fp add(Fp o) {
-    return new Fp(this.v.add(o.v).mod(P));
+    BigInteger r = v.add(o.v);
+    return new Fp(r.compareTo(P) < 0 ? r : r.subtract(P));
   }
 
   @Override
   public Fp mul(Fp o) {
-    return new Fp(this.v.multiply(o.v).mod(P));
+    return new Fp(redc(v.multiply(o.v)));
   }
 
   @Override
   public Fp sub(Fp o) {
-    return new Fp(this.v.subtract(o.v).mod(P));
+    BigInteger r = v.subtract(o.v);
+    return new Fp(r.compareTo(BigInteger.ZERO) < 0 ? r.add(P) : r);
   }
 
   @Override
   public Fp squared() {
-    return new Fp(v.multiply(v).mod(P));
+    return new Fp(redc(v.multiply(v)));
   }
 
   @Override
   public Fp dbl() {
-    return new Fp(v.add(v).mod(P));
+    return add(this);
   }
 
   @Override
   public Fp inverse() {
-    return new Fp(v.modInverse(P));
+    return new Fp(redc(v.modInverse(P).multiply(REDUCER_CUBED)));
   }
 
   @Override
@@ -90,20 +145,12 @@ public boolean isZero() {
     return v.compareTo(BigInteger.ZERO) == 0;
   }
 
-  /**
-   * Checks if provided value is a valid Fp member
-   */
-  @Override
-  public boolean isValid() {
-    return v.compareTo(P) < 0;
-  }
-
   Fp2 mul(Fp2 o) {
     return new Fp2(o.a.mul(this), o.b.mul(this));
   }
 
   public byte[] bytes() {
-    return v.toByteArray();
+    return fromMontgomery(v).toByteArray();
   }
 
   @Override
@@ -129,4 +176,36 @@ public int hashCode() {
   public String toString() {
     return v.toString();
   }
+
+  /**
+   * Converts a value in normal representation to Montgomery form.
+   * 
+   * @param n value in normal form
+   * @return value in Montgomery form
+   */
+  private static BigInteger toMontgomery(BigInteger n) {
+    return redc(n.multiply(REDUCER_SQUARED));
+  }
+
+  /**
+   * Converts a value in Montgomery form to a normal representation.
+   * 
+   * @param n value in Montgomery form
+   * @return value in normal form
+   */
+  private static BigInteger fromMontgomery(BigInteger n) {
+    return redc(n);
+  }
+
+  /**
+   * Montgomery reduction; given a value x, computes x*{@link #REDUCER}^{-1} mod {@link #P}
+   * 
+   * @param x value to reduce
+   * @return x*{@link #REDUCER}^{-1} mod {@link #P}
+   */
+  private static BigInteger redc(BigInteger x)  {
+    BigInteger temp = x.multiply(FACTOR).and(MASK);
+    BigInteger reduced = temp.multiply(P).add(x).shiftRight(REDUCER_BITS);
+    return reduced.compareTo(P) < 0 ? reduced : reduced.subtract(P);
+  }
 }

crypto/src/main/java/org/tron/common/crypto/zksnark/Fp12.java

@@ -36,53 +36,53 @@ class Fp12 implements Field<Fp12> {
   static final Fp12 _1 = new Fp12(Fp6._1, Fp6.ZERO);
   static final Fp2[] FROBENIUS_COEFFS_B = new Fp2[]{
 
-      new Fp2(BigInteger.ONE,
+      Fp2.create(BigInteger.ONE,
           BigInteger.ZERO),
 
-      new Fp2(new BigInteger(
+      Fp2.create(new BigInteger(
           "8376118865763821496583973867626364092589906065868298776909617916018768340080"),
           new BigInteger(
               "16469823323077808223889137241176536799009286646108169935659301613961712198316")),
 
-      new Fp2(new BigInteger(
+      Fp2.create(new BigInteger(
           "21888242871839275220042445260109153167277707414472061641714758635765020556617"),
           BigInteger.ZERO),
 
-      new Fp2(new BigInteger(
+      Fp2.create(new BigInteger(
           "11697423496358154304825782922584725312912383441159505038794027105778954184319"),
           new BigInteger(
               "303847389135065887422783454877609941456349188919719272345083954437860409601")),
 
-      new Fp2(new BigInteger(
+      Fp2.create(new BigInteger(
           "21888242871839275220042445260109153167277707414472061641714758635765020556616"),
           BigInteger.ZERO),
 
-      new Fp2(new BigInteger(
+      Fp2.create(new BigInteger(
           "3321304630594332808241809054958361220322477375291206261884409189760185844239"),
           new BigInteger(
               "5722266937896532885780051958958348231143373700109372999374820235121374419868")),
 
-      new Fp2(new BigInteger(
+      Fp2.create(new BigInteger(
           "21888242871839275222246405745257275088696311157297823662689037894645226208582"),
           BigInteger.ZERO),
 
-      new Fp2(new BigInteger(
+      Fp2.create(new BigInteger(
           "13512124006075453725662431877630910996106405091429524885779419978626457868503"),
           new BigInteger(
               "5418419548761466998357268504080738289687024511189653727029736280683514010267")),
 
-      new Fp2(new BigInteger("2203960485148121921418603742825762020974279258880205651966"),
+      Fp2.create(new BigInteger("2203960485148121921418603742825762020974279258880205651966"),
           BigInteger.ZERO),
 
-      new Fp2(new BigInteger(
+      Fp2.create(new BigInteger(
           "10190819375481120917420622822672549775783927716138318623895010788866272024264"),
           new BigInteger(
               "21584395482704209334823622290379665147239961968378104390343953940207365798982")),
 
-      new Fp2(new BigInteger("2203960485148121921418603742825762020974279258880205651967"),
+      Fp2.create(new BigInteger("2203960485148121921418603742825762020974279258880205651967"),
           BigInteger.ZERO),
 
-      new Fp2(new BigInteger(
+      Fp2.create(new BigInteger(
           "18566938241244942414004596690298913868373833782006617400804628704885040364344"),
           new BigInteger(
               "16165975933942742336466353786298926857552937457188450663314217659523851788715"))
@@ -233,11 +233,6 @@ public boolean isZero() {
     return this.equals(ZERO);
   }
 
-  @Override
-  public boolean isValid() {
-    return a.isValid() && b.isValid();
-  }
-
   Fp12 frobeniusMap(int power) {
 
     Fp6 ra = a.frobeniusMap(power);