Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PrimeEC::ec_mult can produce incorrect results #1675

Closed
weaversa opened this issue May 31, 2024 · 4 comments · Fixed by #1701
Closed

PrimeEC::ec_mult can produce incorrect results #1675

weaversa opened this issue May 31, 2024 · 4 comments · Fixed by #1701
Labels
bug Something not working correctly priority For issues that should be solved sooner

Comments

@weaversa
Copy link
Collaborator 

Cryptol> :m PrimeEC
Loading module Cryptol
Loading module PrimeEC
PrimeEC> ec_mult`{13} 3 {x = 0, y = 0, z = 1}
{x = 0, y = 13, z = 1}
PrimeEC> :t ec_mult`{13}
ec_mult`{13} : Z 13 -> ProjectivePoint 13 -> ProjectivePoint 13
PrimeEC> ec_mult`{13} 3 {x = 0, y = 0, z = 1} : ProjectivePoint 13
{x = 0, y = 13, z = 1}
PrimeEC> {x = 0, y = 13, z = 1} : ProjectivePoint 13
[error] at <interactive>:334:13--334:15:
  • Unsolvable constraint:
      13 >= 14
        arising from
        use of literal or demoted expression
        at <interactive>:334:13--334:15

This is very strange behavior.
@yav yav added the bug Something not working correctly label May 31, 2024
@yav
Copy link
Member

yav commented May 31, 2024

The elements of ProjectivePair 13 are supposed to be Z 13, and 13 is clearly not a valid value of this type, so the first answer is incorrect. I am not sure if it is just missing a reduction, or the algorithm is incorrect, we'll need to investigate this. The code implementing it is here:

cryptol/src/Cryptol/PrimeEC.hs

Line 290 in 4afba5f

ec_mult :: PrimeModulus -> Integer -> ProjectivePoint -> ProjectivePoint

@RyanGlScott
Copy link
Contributor

Using the :sat command produces different results:

PrimeEC> :set prover=w4-z3
PrimeEC> :sat \x -> ec_mult`{13} 3 {x = 0, y = 0, z = 1} == x
[Warning] Uninterpreted functions used to represent Prime ECC operations.
Satisfiable
(\x -> ec_mult`{13} 3 {x = 0, y = 0, z = 1} == x)
  {x = 0, y = 0, z = 0}
  = True
(Total Elapsed Time: 0.030s, using "Z3")

PrimeEC> :set prover=w4-yices
PrimeEC> :sat \x -> ec_mult`{13} 3 {x = 0, y = 0, z = 1} == x
[Warning] Uninterpreted functions used to represent Prime ECC operations.
Satisfiable
(\x -> ec_mult`{13} 3 {x = 0, y = 0, z = 1} == x)
  {x = 2, y = 8, z = 11}
  = True
(Total Elapsed Time: 0.004s, using "Yices")

@weaversa
Copy link
Collaborator Author

@RyanGlScott That's because the function isn't symbolically executed, but rather uninterpreted. So, the SMT solver can say whatever it likes.

@mccleeary-galois
Copy link
Contributor

https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=e1b05e600bfcdeecf8555bc9948483c5fbbdd478

Adding this for an easy link for the source paper of the code in question.

@yav yav added the priority For issues that should be solved sooner label Jun 28, 2024
mccleeary-galois added a commit that referenced this issue Jul 10, 2024
@mccleeary-galois
Mod y variable by p in ec_sub
e1774d4 
It appears that a modulus was not happening in ec_sub that was causing the odd issue noted in #1675. This commit adds that modulus and fixes it.
This was referenced Jul 10, 2024
Merged
Open
mccleeary-galois added a commit that referenced this issue Jul 10, 2024
@mccleeary-galois
Merge pull request #1701 from GaloisInc/issue#1675
f5fa503 
Close Issue #1675
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something not working correctly priority For issues that should be solved sooner
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Issue#1675 GaloisInc/cryptol
4 participants
@yav @RyanGlScott @weaversa @mccleeary-galois