fcmp++ crypto: compare normalized fe byte reprs

j-berman · j-berman · commit b36662a84e26 · 2025-04-18T13:16:28.000-07:00
diff --git a/src/fcmp_pp/fcmp_pp_crypto.cpp b/src/fcmp_pp/fcmp_pp_crypto.cpp
@@ -51,6 +51,17 @@
 //     printf("\n");
 // }
 
+static bool fe_compare(const fe a, const fe b)
+{
+    unsigned char a_bytes[32];
+    unsigned char b_bytes[32];
+
+    fe_tobytes(a_bytes, a);
+    fe_tobytes(b_bytes, b);
+
+    return memcmp(a_bytes, b_bytes, sizeof(a_bytes)) == 0;
+}
+
 static bool sqrt_ext(fe y, const fe x)
 {
     fe y_res;
@@ -67,7 +78,7 @@ static bool sqrt_ext(fe y, const fe x)
     fe c;
     fe_mul(c, x2, b_sq);
 
-    if (memcmp(c, fe_one, sizeof(fe)) == 0 || memcmp(c, fe_m1, sizeof(fe)) == 0)
+    if (fe_compare(c, fe_one) || fe_compare(c, fe_m1))
     {
         fe_0(c);
         c[0] = 3;
@@ -85,7 +96,7 @@ static bool sqrt_ext(fe y, const fe x)
 
     fe y_sq;
     fe_sq(y_sq, y_res);
-    bool r = memcmp(x, y_sq, sizeof(fe)) == 0;
+    bool r = fe_compare(x, y_sq);
 
     fe_copy(y, y_res);
     return r;
@@ -127,7 +138,7 @@ static void inv_psi1(fe e_out, fe u_out, fe w_out, const fe e, const fe u, const
         fe neg_u_dbl;
         fe_dbl(neg_u_dbl, u);
         fe_neg(neg_u_dbl, neg_u_dbl);
-        if (memcmp(tt_sq, neg_u_dbl, sizeof(fe)) == 0) {
+        if (fe_compare(tt_sq, neg_u_dbl)) {
             fe_mul(tt, tt, fe_sqrtm1);
         }
 
@@ -221,7 +232,7 @@ static bool check_e_u_w(const fe e, const fe u, const fe w)
     fe_add(sum, sum, B_mul_e_sq_sq);
     fe_reduce(sum, sum);
 
-    if (memcmp(u_w_sq, sum, sizeof(fe)) != 0) {
+    if (!fe_compare(u_w_sq, sum)) {
         return false;
     }
 
diff --git a/tests/unit_tests/crypto.cpp b/tests/unit_tests/crypto.cpp
@@ -474,17 +474,43 @@ TEST(Crypto, fe_constants)
   ASSERT_TRUE(memcmp(fe_sqrtm1,  sqrtm1,      sizeof(fe)) == 0);
 }
 
-TEST(Crypto, torsion_check_pass)
+TEST(Crypto, torsion_check_pass_random)
 {
-  const cryptonote::keypair kp = cryptonote::keypair::generate(hw::get_device("default"));
-  ge_p3 x;
-  ASSERT_EQ(ge_frombytes_vartime(&x, (const unsigned char*)kp.pub.data), 0);
-  const rct::key k = rct::pk2rct(kp.pub);
-  ASSERT_TRUE(rct::isInMainSubgroup(k));
-  ASSERT_FALSE(fcmp_pp::mul8_is_identity(x));
-  ASSERT_TRUE(fcmp_pp::torsion_check_vartime(x));
-  const rct::key cleared = fcmp_pp::clear_torsion(x);
-  ASSERT_EQ(k, cleared);
+  for (int i = 0; i < 1000; ++i)
+  {
+    const cryptonote::keypair kp = cryptonote::keypair::generate(hw::get_device("default"));
+    ge_p3 x;
+    ASSERT_EQ(ge_frombytes_vartime(&x, (const unsigned char*)kp.pub.data), 0);
+    const rct::key k = rct::pk2rct(kp.pub);
+    ASSERT_TRUE(rct::isInMainSubgroup(k));
+    ASSERT_FALSE(fcmp_pp::mul8_is_identity(x));
+    ASSERT_TRUE(fcmp_pp::torsion_check_vartime(x));
+    const rct::key cleared = fcmp_pp::clear_torsion(x);
+    ASSERT_EQ(k, cleared);
+  }
+}
+
+TEST(Crypto, torsion_check_pass_hardcoded)
+{
+  static constexpr const char *torsion_free_points[] = {
+    // Fails in check_e_u_w without correctly implemented fe_compare
+    "785eda585dca4f3d27976106008ccfbca13146c8b21b8c7e4909032639a776e1",
+    // Fails in inv_psi2 without correctly implemented fe_compare
+    "9a7b10563aa266032cd075f4e347f348a3841ae4f41572633351a97dd44066b4"
+  };
+
+  for (const auto point : torsion_free_points)
+  {
+    rct::key k;
+    epee::string_tools::hex_to_pod(point, k);
+    ge_p3 x;
+    ASSERT_EQ(ge_frombytes_vartime(&x, k.bytes), 0);
+    ASSERT_TRUE(rct::isInMainSubgroup(k));
+    ASSERT_FALSE(fcmp_pp::mul8_is_identity(x));
+    ASSERT_TRUE(fcmp_pp::torsion_check_vartime(x));
+    const rct::key cleared = fcmp_pp::clear_torsion(x);
+    ASSERT_EQ(k, cleared);
+  }
 }
 
 TEST(Crypto, torsion_check_torsioned_point)
