EC: Scalar mul accepts scalar as field element as well as bigint (#370)

* EC: Scalar mul accepts scalar as field element as well as bigint * EC: add empty line at end of file
mratsim · Apr 30, 2024 · 5d743ad · 5d743ad
1 parent 0233c41
commit 5d743ad
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 19 deletions.
diff --git a/bindings/c_curve_decls.nim b/bindings/c_curve_decls.nim
@@ -392,9 +392,7 @@ template genBindings_EC_ShortW_NonAffine*(ECP, ECP_Aff, ScalarBig, ScalarField:
   func `ctt _ ECP _ scalar_mul_fr_coef`(
         P: var ECP, scalar: ScalarField) =
 
-    var big: ScalarBig # TODO: {.noInit.}
-    big.fromField(scalar)
-    P.scalarMul(big)
+    P.scalarMul(scalar)
 
   func `ctt _ ECP _ scalar_mul_big_coef_vartime`(
     P: var ECP, scalar: ScalarBig) =
@@ -404,9 +402,7 @@ template genBindings_EC_ShortW_NonAffine*(ECP, ECP_Aff, ScalarBig, ScalarField:
   func `ctt _ ECP _ scalar_mul_fr_coef_vartime`(
         P: var ECP, scalar: ScalarField) =
 
-    var big: ScalarBig # TODO: {.noInit.}
-    big.fromField(scalar)
-    P.scalarMul_vartime(big)
+    P.scalarMul_vartime(scalar)
 
   func `ctt _ ECP _ multi_scalar_mul_big_coefs_vartime`(
           r: var ECP,

diff --git a/constantine/ethereum_evm_precompiles.nim b/constantine/ethereum_evm_precompiles.nim
@@ -202,7 +202,7 @@ func eth_evm_ecmul*(r: var openArray[byte], inputs: openarray[byte]): CttEVMStat
                 Fr[BN254_Snarks].getR2modP().limbs,
                 Fr[BN254_Snarks].getNegInvModWord(),
                 Fr[BN254_Snarks].getSpareBits())
-    P.scalarMul_vartime(smod.toBig())
+    P.scalarMul_vartime(smod)
   else:
     P.scalarMul_vartime(s)
 

diff --git a/constantine/math/elliptic/ec_scalar_mul.nim b/constantine/math/elliptic/ec_scalar_mul.nim
@@ -227,10 +227,7 @@ func scalarMulGeneric*[EC](P: var EC, scalar: BigInt, window: static int = 5) =
   scalarCanonicalBE.marshal(scalar, bigEndian)                     # Export is constant-time
   P.scalarMulGeneric(scalarCanonicalBE, scratchSpace)
 
-func scalarMul*[EC](
-       P: var EC,
-       scalar: BigInt
-     ) {.inline.} =
+func scalarMul*[EC](P: var EC, scalar: BigInt) {.inline, meter.} =
   ## Elliptic Curve Scalar Multiplication
   ##
   ##   P <- [k] P
@@ -251,3 +248,15 @@ func scalarMul*[EC](
       {.error: "Unreachable".}
   else:
     scalarMulGeneric(P, scalar)
+
+func scalarMul*[EC](P: var EC, scalar: Fr) {.inline.} =
+  ## Elliptic Curve Scalar Multiplication
+  ##
+  ##   P <- [k] P
+  ##
+  ## This use endomorphism acceleration by default if available
+  ## Endomorphism acceleration requires:
+  ## - Cofactor to be cleared
+  ## - 0 <= scalar < curve order
+  ## Those will be assumed to maintain constant-time property
+  P.scalarMul(scalar.toBig())
diff --git a/constantine/math/elliptic/ec_scalar_mul_vartime.nim b/constantine/math/elliptic/ec_scalar_mul_vartime.nim
@@ -325,10 +325,7 @@ func scalarMulEndo_minHammingWeight_windowed_vartime*[scalBits: static int; EC](
       else:
         isInit = P.initNAF(tab[m], tabNaf[m], NafLen, i)
 
-func scalarMul_vartime*[scalBits; EC](
-       P: var EC,
-       scalar: BigInt[scalBits]
-     ) =
+func scalarMul_vartime*[scalBits; EC](P: var EC, scalar: BigInt[scalBits]) {.meter.} =
   ## Elliptic Curve Scalar Multiplication
   ##
   ##   P <- [k] P
@@ -374,4 +371,20 @@ func scalarMul_vartime*[scalBits; EC](
   elif 4 < usedBits:
     P.scalarMul_doubleAdd_vartime(scalar)
   else:
-    P.scalarMul_addchain_4bit_vartime(scalar)
+    P.scalarMul_addchain_4bit_vartime(scalar)
+
+func scalarMul_vartime*[EC](P: var EC, scalar: Fr) =
+  ## Elliptic Curve Scalar Multiplication
+  ##
+  ##   P <- [k] P
+  ##
+  ## This select the best algorithm depending on heuristics
+  ## and the scalar being multiplied.
+  ## The scalar MUST NOT be a secret as this does not use side-channel countermeasures
+  ##
+  ## This may use endomorphism acceleration.
+  ## As endomorphism acceleration requires:
+  ## - Cofactor to be cleared
+  ## - 0 <= scalar < curve order
+  ## Those conditions will be assumed.
+  P.scalarMul_vartime(scalar.toBig())
diff --git a/research/kzg/kzg_single_proofs.nim b/research/kzg/kzg_single_proofs.nim
@@ -66,14 +66,14 @@ proc checkProofSingle(
   var xG2, g2: G2
   g2.fromAffine(Generator2)
   xG2 = g2
-  xG2.scalarMul(x.toBig())
+  xG2.scalarMul(x)
 
   var s_minus_x: G2 # s is a secret coefficient from the trusted setup (? to be confirmed)
   s_minus_x.diff(kzg.secretG2[1], xG2)
 
   var yG1: G1
   yG1.fromAffine(Generator1)
-  yG1.scalarMul(y.toBig())
+  yG1.scalarMul(y)
 
   var commitment_minus_y: G1
   commitment_minus_y.diff(commitment, yG1)

diff --git a/research/kzg/polynomials.nim b/research/kzg/polynomials.nim
@@ -33,7 +33,7 @@ func linear_combination*(
   r.setInf()
   for i in 0 ..< points.len:
     var tmp = points[i]
-    tmp.scalarMul(coefs[i].toBig())
+    tmp.scalarMul(coefs[i])
     r += tmp
 
 func pair_verify*(