Fix findings from Dmitry's review

bindings/java/build.gradle

@@ -2,7 +2,7 @@ plugins {
     id "application"
     id "java-test-fixtures"
     id "me.champeau.jmh" version "0.7.0"
-    id "com.diffplug.spotless" version "6.17.0"
+    id "com.diffplug.spotless" version "6.25.0"
 }
 
 repositories {
@@ -45,4 +45,4 @@ spotless {
 
 test {
     useJUnitPlatform()
-}
+}

bindings/java/src/main/java/ethereum/ckzg4844/CKZG4844JNI.java

@@ -47,28 +47,40 @@ public static void loadNativeLibrary() {
   public static final BigInteger BLS_MODULUS =
       new BigInteger(
           "52435875175126190479447740508185965837690552500527637822603658699938581184513");
+
   /** The number of bytes in a g1 point. */
   protected static final int BYTES_PER_G1 = 48;
+
   /** The number of bytes in a g2 point. */
   protected static final int BYTES_PER_G2 = 96;
+
   /** The number of bytes in a BLS scalar field element. */
   public static final int BYTES_PER_FIELD_ELEMENT = 32;
+
   /** The number of bits in a BLS scalar field element. */
   protected static final int BITS_PER_FIELD_ELEMENT = 255;
+
   /** The number of field elements in a blob. */
   public static final int FIELD_ELEMENTS_PER_BLOB = 4096;
+
   /** The number of field elements in an extended blob. */
   protected static final int FIELD_ELEMENTS_PER_EXT_BLOB = FIELD_ELEMENTS_PER_BLOB * 2;
+
   /** The number of field elements in a cell. */
   public static final int FIELD_ELEMENTS_PER_CELL = 64;
+
   /** The number of bytes in a KZG commitment. */
   public static final int BYTES_PER_COMMITMENT = 48;
+
   /** The number of bytes in a KZG proof. */
   public static final int BYTES_PER_PROOF = 48;
+
   /** The number of bytes in a blob. */
   public static final int BYTES_PER_BLOB = FIELD_ELEMENTS_PER_BLOB * BYTES_PER_FIELD_ELEMENT;
+
   /** The number of bytes in a single cell. */
   public static final int BYTES_PER_CELL = BYTES_PER_FIELD_ELEMENT * FIELD_ELEMENTS_PER_CELL;
+
   /** The number of cells in an extended blob. */
   public static final int CELLS_PER_EXT_BLOB =
       FIELD_ELEMENTS_PER_EXT_BLOB / FIELD_ELEMENTS_PER_CELL;

bindings/python/README.md

@@ -7,7 +7,7 @@ This directory contains Python bindings for the C-KZG-4844 library.
 These bindings require `python3`, `PyYAML` and `make`.
 ```
 sudo apt install python3 python3-pip
-python3 -m pip install PyYAML
+python3 -m pip install build PyYAML
 ```
 
 ## Build & test

src/common/bytes.c

@@ -27,8 +27,8 @@
  * @remark The output format is big-endian.
  */
 void bytes_from_uint64(uint8_t out[8], uint64_t n) {
-    for (int i = 7; i >= 0; i--) {
-        out[i] = n & 0xFF;
+    for (size_t i = 0; i < 8; i++) {
+        out[7 - i] = n & 0xFF;
         n >>= 8;
     }
 }

src/eip4844/eip4844.c

@@ -25,7 +25,7 @@
 
 #include <assert.h> /* For assert */
 #include <stdlib.h> /* For NULL */
-#include <string.h> /* For memcpy */
+#include <string.h> /* For memcpy & strlen */
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////
 // Macros
@@ -81,20 +81,17 @@ static bool fr_is_zero(const fr_t *p) {
  * @param[in]   a   A vector of field elements, length `len`
  * @param[in]   len The number of field elements
  *
- * @remark This function only supports len > 0.
  * @remark This function does NOT support in-place computation.
  * @remark Return C_KZG_BADARGS if a zero is found in the input. In this case,
  *         the `out` output array has already been mutated.
  */
-static C_KZG_RET fr_batch_inv(fr_t *out, const fr_t *a, int len) {
-    int i;
-
+static C_KZG_RET fr_batch_inv(fr_t *out, const fr_t *a, size_t len) {
     assert(len > 0);
     assert(a != out);
 
     fr_t accumulator = FR_ONE;
 
-    for (i = 0; i < len; i++) {
+    for (size_t i = 0; i < len; i++) {
         out[i] = accumulator;
         blst_fr_mul(&accumulator, &accumulator, &a[i]);
     }
@@ -106,9 +103,10 @@ static C_KZG_RET fr_batch_inv(fr_t *out, const fr_t *a, int len) {
 
     blst_fr_eucl_inverse(&accumulator, &accumulator);
 
-    for (i = len - 1; i >= 0; i--) {
-        blst_fr_mul(&out[i], &out[i], &accumulator);
-        blst_fr_mul(&accumulator, &accumulator, &a[i]);
+    for (size_t i = len; i > 0; i--) {
+        size_t index = i - 1;
+        blst_fr_mul(&out[index], &out[index], &accumulator);
+        blst_fr_mul(&accumulator, &accumulator, &a[index]);
     }
 
     return C_KZG_OK;
@@ -612,6 +610,9 @@ static C_KZG_RET compute_r_powers_for_verify_kzg_proof_batch(
     /* Pointer tracking `bytes` for writing on top of it */
     uint8_t *offset = bytes;
 
+    /* Ensure that the domain string is the correct length */
+    assert(strlen(RANDOM_CHALLENGE_DOMAIN_VERIFY_BLOB_KZG_PROOF_BATCH) == DOMAIN_STR_LENGTH);
+
     /* Copy domain separator */
     memcpy(offset, RANDOM_CHALLENGE_DOMAIN_VERIFY_BLOB_KZG_PROOF_BATCH, DOMAIN_STR_LENGTH);
     offset += DOMAIN_STR_LENGTH;

src/eip7594/cell.c

@@ -26,7 +26,7 @@
  */
 void print_cell(const Cell *cell) {
     for (size_t i = 0; i < FIELD_ELEMENTS_PER_CELL; i++) {
-        const Bytes32 *field = (const Bytes32 *)&cell->bytes[i * BYTES_PER_FIELD_ELEMENT];
-        print_bytes32(field);
+        const Bytes32 *field_element = (const Bytes32 *)&cell->bytes[i * BYTES_PER_FIELD_ELEMENT];
+        print_bytes32(field_element);
     }
 }

src/eip7594/eip7594.c

@@ -25,7 +25,7 @@
 #include "eip7594/recovery.h"
 
 #include <assert.h> /* For assert */
-#include <string.h> /* For memcpy */
+#include <string.h> /* For memcpy & strlen */
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////
 // Macros
@@ -41,6 +41,23 @@
 /** The domain separator for verify_cell_kzg_proof_batch's random challenge. */
 static const char *RANDOM_CHALLENGE_DOMAIN_VERIFY_CELL_KZG_PROOF_BATCH = "RCKZGCBATCH__V1_";
 
+/**
+ * This is a precomputed map of cell index to reverse-bits-limited cell index.
+ *
+ * for (size_t i = 0; i < CELLS_PER_EXT_BLOB; i++)
+ *   printf("%#04llx,\n", reverse_bits_limited(CELLS_PER_EXT_BLOB, i));
+ */
+static const uint64_t CELL_INDICES_RBL[CELLS_PER_EXT_BLOB] = {
+    0x00, 0x40, 0x20, 0x60, 0x10, 0x50, 0x30, 0x70, 0x08, 0x48, 0x28, 0x68, 0x18, 0x58, 0x38, 0x78,
+    0x04, 0x44, 0x24, 0x64, 0x14, 0x54, 0x34, 0x74, 0x0c, 0x4c, 0x2c, 0x6c, 0x1c, 0x5c, 0x3c, 0x7c,
+    0x02, 0x42, 0x22, 0x62, 0x12, 0x52, 0x32, 0x72, 0x0a, 0x4a, 0x2a, 0x6a, 0x1a, 0x5a, 0x3a, 0x7a,
+    0x06, 0x46, 0x26, 0x66, 0x16, 0x56, 0x36, 0x76, 0x0e, 0x4e, 0x2e, 0x6e, 0x1e, 0x5e, 0x3e, 0x7e,
+    0x01, 0x41, 0x21, 0x61, 0x11, 0x51, 0x31, 0x71, 0x09, 0x49, 0x29, 0x69, 0x19, 0x59, 0x39, 0x79,
+    0x05, 0x45, 0x25, 0x65, 0x15, 0x55, 0x35, 0x75, 0x0d, 0x4d, 0x2d, 0x6d, 0x1d, 0x5d, 0x3d, 0x7d,
+    0x03, 0x43, 0x23, 0x63, 0x13, 0x53, 0x33, 0x73, 0x0b, 0x4b, 0x2b, 0x6b, 0x1b, 0x5b, 0x3b, 0x7b,
+    0x07, 0x47, 0x27, 0x67, 0x17, 0x57, 0x37, 0x77, 0x0f, 0x4f, 0x2f, 0x6f, 0x1f, 0x5f, 0x3f, 0x7f,
+};
+
 ////////////////////////////////////////////////////////////////////////////////////////////////////
 // Compute
 ////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -90,9 +107,9 @@ C_KZG_RET compute_cells_and_kzg_proofs(
     ret = poly_lagrange_to_monomial(poly_monomial, poly_lagrange, FIELD_ELEMENTS_PER_BLOB, s);
     if (ret != C_KZG_OK) goto out;
 
-    /* Ensure the upper half of the field elements are zero */
+    /* Ensure the upper half of the field elements are still zero */
     for (size_t i = FIELD_ELEMENTS_PER_BLOB; i < FIELD_ELEMENTS_PER_EXT_BLOB; i++) {
-        poly_monomial[i] = FR_ZERO;
+        assert(fr_equal(&poly_monomial[i], &FR_ZERO));
     }
 
     if (cells != NULL) {
@@ -123,8 +140,8 @@ C_KZG_RET compute_cells_and_kzg_proofs(
         ret = new_g1_array(&proofs_g1, CELLS_PER_EXT_BLOB);
         if (ret != C_KZG_OK) goto out;
 
-        /* Compute the proofs, provide only the first half */
-        ret = compute_fk20_proofs(proofs_g1, poly_monomial, FIELD_ELEMENTS_PER_BLOB, s);
+        /* Compute the proofs, only uses the first half of the polynomial */
+        ret = compute_fk20_cell_proofs(proofs_g1, poly_monomial, s);
         if (ret != C_KZG_OK) goto out;
 
         /* Bit-reverse the proofs */
@@ -159,6 +176,7 @@ C_KZG_RET compute_cells_and_kzg_proofs(
  * @param[in]   num_cells           The number of available cells provided
  * @param[in]   s                   The trusted setup
  *
+ * @remark At least 50% of CELLS_PER_EXT_BLOB cells must be provided.
  * @remark Recovery is faster if there are fewer missing cells.
  * @remark If recovered_proofs is NULL, they will not be recomputed.
  */
@@ -259,10 +277,8 @@ C_KZG_RET recover_cells_and_kzg_proofs(
         );
         if (ret != C_KZG_OK) goto out;
 
-        /* Compute the proofs, provide only the first half */
-        ret = compute_fk20_proofs(
-            recovered_proofs_g1, recovered_cells_fr, FIELD_ELEMENTS_PER_BLOB, s
-        );
+        /* Compute the proofs, only uses the first half of the polynomial */
+        ret = compute_fk20_cell_proofs(recovered_proofs_g1, recovered_cells_fr, s);
         if (ret != C_KZG_OK) goto out;
 
         /* Bit-reverse the proofs */
@@ -399,6 +415,9 @@ static C_KZG_RET compute_r_powers_for_verify_cell_kzg_proof_batch(
     /* Pointer tracking `bytes` for writing on top of it */
     uint8_t *offset = bytes;
 
+    /* Ensure that the domain string is the correct length */
+    assert(strlen(RANDOM_CHALLENGE_DOMAIN_VERIFY_CELL_KZG_PROOF_BATCH) == DOMAIN_STR_LENGTH);
+
     /* Copy domain separator */
     memcpy(offset, RANDOM_CHALLENGE_DOMAIN_VERIFY_CELL_KZG_PROOF_BATCH, DOMAIN_STR_LENGTH);
     offset += DOMAIN_STR_LENGTH;
@@ -517,9 +536,9 @@ static C_KZG_RET compute_weighted_sum_of_commitments(
  * This function computes `RLI = [sum_k r^k interpolation_poly_k(s)]` from the spec.
  *
  * @param[out]  commitment_out  Commitment to the aggregated interpolation poly
- * @param[in]   r_powers        Precomputed powers of the random challenge
- * @param[in]   cell_indices    Indices of the cells
- * @param[in]   cells           Array of cells
+ * @param[in]   r_powers        Precomputed powers of the random challenge, length `num_cells`
+ * @param[in]   cell_indices    Indices of the cells, length `num_cells`
+ * @param[in]   cells           Array of cells, length `num_cells`
  * @param[in]   num_cells       Number of cells
  * @param[in]   s               The trusted setup
  */
@@ -648,10 +667,8 @@ static C_KZG_RET compute_commitment_to_aggregated_interpolation_poly(
         if (ret != C_KZG_OK) goto out;
 
         /* Now divide by the coset shift factor */
-        uint64_t pos = reverse_bits_limited(CELLS_PER_EXT_BLOB, i);
-        fr_t inv_coset_factor;
-        blst_fr_eucl_inverse(&inv_coset_factor, &s->roots_of_unity[pos]);
-        shift_poly(column_interpolation_poly, FIELD_ELEMENTS_PER_CELL, &inv_coset_factor);
+        uint64_t pos = -CELL_INDICES_RBL[i] % FIELD_ELEMENTS_PER_EXT_BLOB;
+        shift_poly(column_interpolation_poly, FIELD_ELEMENTS_PER_CELL, &s->roots_of_unity[pos]);
 
         /* Update the aggregated poly */
         for (size_t k = 0; k < FIELD_ELEMENTS_PER_CELL; k++) {
@@ -709,11 +726,11 @@ static C_KZG_RET computed_weighted_sum_of_proofs(
     if (ret != C_KZG_OK) goto out;
 
     for (uint64_t i = 0; i < num_cells; i++) {
-        uint64_t pos = reverse_bits_limited(CELLS_PER_EXT_BLOB, cell_indices[i]);
-        fr_t coset_factor = s->roots_of_unity[pos];
-        // Compute h_k^n, with h_k and n as in the spec.
-        fr_pow(&coset_factor_pow, &coset_factor, FIELD_ELEMENTS_PER_CELL);
-        // Scale the power of r by h_k^n
+        /* Compute h_k^n, with h_k and n as in the spec */
+        uint64_t pos = CELL_INDICES_RBL[cell_indices[i]];
+        coset_factor_pow = s->roots_of_unity[pos * FIELD_ELEMENTS_PER_CELL];
+
+        /* Scale the power of r by h_k^n */
         blst_fr_mul(&weighted_powers_of_r[i], &r_powers[i], &coset_factor_pow);
     }
 
@@ -728,10 +745,10 @@ static C_KZG_RET computed_weighted_sum_of_proofs(
  * Given some cells, verify that their proofs are valid.
  *
  * @param[out]  ok                  True if the proofs are valid
- * @param[in]   commitments_bytes   The commitments for the cells
- * @param[in]   cell_indices        The cell indices for the cells
- * @param[in]   cells               The cells to check
- * @param[in]   proofs_bytes        The proofs for the cells
+ * @param[in]   commitments_bytes   The commitments for the cells, length `num_cells`
+ * @param[in]   cell_indices        The indices for the cells, length `num_cells`
+ * @param[in]   cells               The cells to check, length `num_cells`
+ * @param[in]   proofs_bytes        The proofs for the cells, length `num_cells`
  * @param[in]   num_cells           The number of cells provided
  * @param[in]   s                   The trusted setup
  */
@@ -854,6 +871,7 @@ C_KZG_RET verify_cell_kzg_proof_batch(
     );
     if (ret != C_KZG_OK) goto out;
 
+    /* Subtract commitment from sum by adding the negated commitment */
     blst_p1_cneg(&interpolation_poly_commit, true);
     blst_p1_add(&final_g1_sum, &final_g1_sum, &interpolation_poly_commit);