feat(𝔾ₜ constant-time exponentiation): generalize ec_endomorphism_acc…

…el to elliptic curve and 𝔾ₜ
mratsim · Jul 15, 2024 · 776e906 · 776e906
1 parent d8721a1
commit 776e906
Show file tree

Hide file tree

Showing 70 changed files with 375 additions and 393 deletions.
diff --git a/benchmarks/bench_ec_g1_scalar_mul.nim b/benchmarks/bench_ec_g1_scalar_mul.nim
@@ -8,11 +8,9 @@
 
 import
   # Internals
-  constantine/named/algebras,
+  constantine/named/[algebras, zoo_endomorphisms],
   constantine/math/arithmetic,
-  constantine/math/elliptic/[
-    ec_shortweierstrass_projective,
-    ec_shortweierstrass_jacobian],
+  constantine/math/ec_shortweierstrass,
   # Helpers
   ./bench_elliptic_template
 
@@ -69,7 +67,7 @@ proc main() =
     scalarMulVartimeWNAFBench(EC_ShortW_Jac[Fp[curve], G1], bits, window = 4, MulIters)
     scalarMulVartimeWNAFBench(EC_ShortW_Jac[Fp[curve], G1], bits, window = 5, MulIters)
     separator()
-    when bits >= 196: # All endomorphisms constants are below this threshold
+    when bits >= EndomorphismThreshold: # All endomorphisms constants are below this threshold
       scalarMulVartimeEndoWNAFBench(EC_ShortW_Prj[Fp[curve], G1], bits, window = 2, MulIters)
       scalarMulVartimeEndoWNAFBench(EC_ShortW_Prj[Fp[curve], G1], bits, window = 3, MulIters)
       scalarMulVartimeEndoWNAFBench(EC_ShortW_Prj[Fp[curve], G1], bits, window = 4, MulIters)

diff --git a/benchmarks/bench_ec_g2.nim b/benchmarks/bench_ec_g2.nim
@@ -11,10 +11,7 @@ import
   constantine/named/algebras,
   constantine/math/arithmetic,
   constantine/math/extension_fields,
-  constantine/math/elliptic/[
-    ec_shortweierstrass_projective,
-    ec_shortweierstrass_jacobian,
-    ec_shortweierstrass_jacobian_extended],
+  constantine/math/ec_shortweierstrass,
   # Helpers
   ./bench_elliptic_template,
   # Standard library

diff --git a/benchmarks/bench_ec_g2_scalar_mul.nim b/benchmarks/bench_ec_g2_scalar_mul.nim
@@ -8,12 +8,10 @@
 
 import
   # Internals
-  constantine/named/algebras,
+  constantine/named/[algebras, zoo_endomorphisms],
   constantine/math/arithmetic,
   constantine/math/extension_fields,
-  constantine/math/elliptic/[
-    ec_shortweierstrass_projective,
-    ec_shortweierstrass_jacobian],
+  constantine/math/ec_shortweierstrass,
   # Helpers
   ./bench_elliptic_template
 
@@ -68,7 +66,7 @@ proc main() =
     scalarMulVartimeWNAFBench(EC_ShortW_Jac[Fp2[curve], G2], bits, window = 4, MulIters)
     scalarMulVartimeWNAFBench(EC_ShortW_Jac[Fp2[curve], G2], bits, window = 5, MulIters)
     separator()
-    when bits >= 196: # All endomorphisms constants are below this threshold
+    when bits >= EndomorphismThreshold: # All endomorphisms constants are below this threshold
       scalarMulVartimeEndoWNAFBench(EC_ShortW_Prj[Fp2[curve], G2], bits, window = 2, MulIters)
       scalarMulVartimeEndoWNAFBench(EC_ShortW_Prj[Fp2[curve], G2], bits, window = 3, MulIters)
       scalarMulVartimeEndoWNAFBench(EC_ShortW_Prj[Fp2[curve], G2], bits, window = 4, MulIters)

diff --git a/benchmarks/bench_ec_msm_bandersnatch.nim b/benchmarks/bench_ec_msm_bandersnatch.nim
@@ -10,7 +10,7 @@ import
   # Internals
   constantine/named/algebras,
   constantine/math/arithmetic,
-  constantine/math/elliptic/ec_twistededwards_projective,
+  constantine/math/ec_twistededwards,
   # Helpers
   helpers/prng_unsafe,
   ./bench_elliptic_parallel_template

diff --git a/benchmarks/bench_ec_msm_bls12_381_g1.nim b/benchmarks/bench_ec_msm_bls12_381_g1.nim
@@ -10,9 +10,7 @@ import
   # Internals
   constantine/named/algebras,
   constantine/math/arithmetic,
-  constantine/math/elliptic/[
-    ec_shortweierstrass_projective,
-    ec_shortweierstrass_jacobian],
+  constantine/math/ec_shortweierstrass,
   # Helpers
   helpers/prng_unsafe,
   ./bench_elliptic_parallel_template

diff --git a/benchmarks/bench_ec_msm_bls12_381_g2.nim b/benchmarks/bench_ec_msm_bls12_381_g2.nim
@@ -10,9 +10,7 @@ import
   # Internals
   constantine/named/algebras,
   constantine/math/extension_fields,
-  constantine/math/elliptic/[
-    ec_shortweierstrass_projective,
-    ec_shortweierstrass_jacobian],
+  constantine/math/ec_shortweierstrass,
   # Helpers
   helpers/prng_unsafe,
   ./bench_elliptic_parallel_template

diff --git a/benchmarks/bench_ec_msm_bn254_snarks_g1.nim b/benchmarks/bench_ec_msm_bn254_snarks_g1.nim
@@ -10,9 +10,7 @@ import
   # Internals
   constantine/named/algebras,
   constantine/math/arithmetic,
-  constantine/math/elliptic/[
-    ec_shortweierstrass_projective,
-    ec_shortweierstrass_jacobian],
+  constantine/math/ec_shortweierstrass,
   # Helpers
   ./bench_elliptic_parallel_template
 

diff --git a/benchmarks/bench_ec_msm_pasta.nim b/benchmarks/bench_ec_msm_pasta.nim
@@ -10,9 +10,7 @@ import
   # Internals
   constantine/named/algebras,
   constantine/math/arithmetic,
-  constantine/math/elliptic/[
-    ec_shortweierstrass_projective,
-    ec_shortweierstrass_jacobian],
+  constantine/math/ec_shortweierstrass,
   # Helpers
   helpers/prng_unsafe,
   ./bench_elliptic_parallel_template

diff --git a/benchmarks/bench_elliptic_template.nim b/benchmarks/bench_elliptic_template.nim
@@ -24,7 +24,7 @@ import
     ec_shortweierstrass_jacobian,
     ec_shortweierstrass_jacobian_extended,
     ec_shortweierstrass_batch_ops,
-    ec_scalar_mul, ec_endomorphism_accel],
+    ec_scalar_mul],
     constantine/named/zoo_subgroups,
   # Helpers
   helpers/prng_unsafe,
@@ -210,7 +210,7 @@ proc scalarMulVartimeMinHammingWeightRecodingBench*(EC: typedesc, bits: static i
 
   bench("EC ScalarMul " & $bits & "-bit " & $EC.G & " (vartime min Hamming Weight recoding)", EC, iters):
     r = P
-    r.scalarMul_minHammingWeight_vartime(exponent)
+    r.scalarMul_jy00_vartime(exponent)
 
 proc scalarMulVartimeWNAFBench*(EC: typedesc, bits, window: static int, iters: int) =
   var r {.noInit.}: EC
@@ -221,7 +221,7 @@ proc scalarMulVartimeWNAFBench*(EC: typedesc, bits, window: static int, iters: i
 
   bench("EC ScalarMul " & $bits & "-bit " & $EC.G & " (vartime wNAF-" & $window & ")", EC, iters):
     r = P
-    r.scalarMul_minHammingWeight_windowed_vartime(exponent, window)
+    r.scalarMul_wNAF_vartime(exponent, window)
 
 proc scalarMulVartimeEndoWNAFBench*(EC: typedesc, bits, window: static int, iters: int) =
   var r {.noInit.}: EC
@@ -232,7 +232,7 @@ proc scalarMulVartimeEndoWNAFBench*(EC: typedesc, bits, window: static int, iter
 
   bench("EC ScalarMul " & $bits & "-bit " & $EC.G & " (vartime endomorphism + wNAF-" & $window & ")", EC, iters):
     r = P
-    r.scalarMulEndo_minHammingWeight_windowed_vartime(exponent, window)
+    r.scalarMulEndo_wNAF_vartime(exponent, window)
 
 proc subgroupCheckBench*(EC: typedesc, iters: int) =
   var P = rng.random_unsafe(EC)
@@ -251,7 +251,7 @@ proc subgroupCheckScalarMulVartimeEndoWNAFBench*(EC: typedesc, bits, window: sta
   bench("EC subgroup check + ScalarMul " & $bits & "-bit " & $EC.G & " (vartime endo + wNAF-" & $window & ")", EC, iters):
     r = P
     discard r.isInSubgroup()
-    r.scalarMulEndo_minHammingWeight_windowed_vartime(exponent, window)
+    r.scalarMulEndo_wNAF_vartime(exponent, window)
 
 proc multiAddBench*(EC: typedesc, numPoints: int, useBatching: bool, iters: int) =
   var points = newSeq[EC_ShortW_Aff[EC.F, EC.G]](numPoints)

diff --git a/benchmarks/bench_eth_eip2537_subgroup_checks_impact.nim b/benchmarks/bench_eth_eip2537_subgroup_checks_impact.nim
@@ -11,7 +11,7 @@ import
   constantine/named/algebras,
   constantine/math/arithmetic,
   constantine/math/extension_fields,
-  constantine/math/elliptic/ec_shortweierstrass_jacobian,
+  constantine/math/ec_shortweierstrass,
   # Helpers
   ./bench_elliptic_template
 

diff --git a/benchmarks/bench_gt.nim b/benchmarks/bench_gt.nim
@@ -49,7 +49,7 @@ proc main() =
     powVartimeBench(Fp12[curve], window = 4, ExpIters)
     separator()
     gtExp_sqrmul_vartimeBench(Fp12[curve], ExpIters)
-    gtExp_minHammingWeight_vartimeBench(Fp12[curve], ExpIters)
+    gtExp_jy00_vartimeBench(Fp12[curve], ExpIters)
     separator()
     gtExp_wNAF_vartimeBench(Fp12[curve], window = 2, ExpIters)
     gtExp_wNAF_vartimeBench(Fp12[curve], window = 3, ExpIters)

diff --git a/benchmarks/bench_gt_template.nim b/benchmarks/bench_gt_template.nim
@@ -145,23 +145,23 @@ proc gtExp_sqrmul_vartimeBench*(T: typedesc, iters: int) =
   bench("𝔾ₜ Exponentiation " & $exponent.bits & "-bit (cyclotomic square-multiply, vartime)", T, iters):
     r.gtExp_sqrmul_vartime(x, exponent)
 
-proc gtExp_minHammingWeight_vartimeBench*(T: typedesc, iters: int) =
+proc gtExp_jy00_vartimeBench*(T: typedesc, iters: int) =
   let x = rng.random_gt(T)
   let exponent = rng.random_unsafe(BigInt[Fr[T.Name].bits()])
   var r {.noInit.}: T
   bench("𝔾ₜ Exponentiation " & $exponent.bits & "-bit (signed recoding, vartime)", T, iters):
-    r.gtExp_minHammingWeight_vartime(x, exponent)
+    r.gtExp_jy00_vartime(x, exponent)
 
 proc gtExp_wNAF_vartimeBench*(T: typedesc, window: static int, iters: int) =
   let x = rng.random_gt(T)
   let exponent = rng.random_unsafe(BigInt[Fr[T.Name].bits()])
   var r {.noInit.}: T
   bench("𝔾ₜ Exponentiation " & $exponent.bits & "-bit (wNAF-" & $window & ", vartime)", T, iters):
-    r.gtExp_minHammingWeight_windowed_vartime(x, exponent, window)
+    r.gtExp_wNAF_vartime(x, exponent, window)
 
 proc gtExp_endo_wNAF_vartimeBench*(T: typedesc, window: static int, iters: int) =
   let x = rng.random_gt(T)
   let exponent = rng.random_unsafe(BigInt[Fr[T.Name].bits()])
   var r {.noInit.}: T
   bench("𝔾ₜ Exponentiation " & $exponent.bits & "-bit (endomorphism, wNAF-" & $window & ", vartime)", T, iters):
-    r.gtExpEndo_minHammingWeight_windowed_vartime(x, exponent, window)
+    r.gtExpEndo_wNAF_vartime(x, exponent, window)
diff --git a/benchmarks/bench_summary_bls12_377.nim b/benchmarks/bench_summary_bls12_377.nim
@@ -6,13 +6,7 @@
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 
-import
-  # Internals
-  constantine/named/algebras,
-  constantine/math/arithmetic,
-  constantine/math/extension_fields,
-  # Helpers
-  ./bench_summary_template
+import ./bench_summary_template
 
 # ############################################################
 #

diff --git a/benchmarks/bench_summary_bls12_381.nim b/benchmarks/bench_summary_bls12_381.nim
@@ -6,13 +6,7 @@
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 
-import
-  # Internals
-  constantine/named/algebras,
-  constantine/math/arithmetic,
-  constantine/math/extension_fields,
-  # Helpers
-  ./bench_summary_template
+import ./bench_summary_template
 
 # ############################################################
 #

diff --git a/benchmarks/bench_summary_bn254_nogami.nim b/benchmarks/bench_summary_bn254_nogami.nim
@@ -6,13 +6,7 @@
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 
-import
-  # Internals
-  constantine/named/algebras,
-  constantine/math/arithmetic,
-  constantine/math/extension_fields,
-  # Helpers
-  ./bench_summary_template
+import ./bench_summary_template
 
 # ############################################################
 #

diff --git a/benchmarks/bench_summary_bn254_snarks.nim b/benchmarks/bench_summary_bn254_snarks.nim
@@ -6,13 +6,7 @@
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 
-import
-  # Internals
-  constantine/named/algebras,
-  constantine/math/arithmetic,
-  constantine/math/extension_fields,
-  # Helpers
-  ./bench_summary_template
+import ./bench_summary_template
 
 # ############################################################
 #

diff --git a/benchmarks/bench_summary_pasta.nim b/benchmarks/bench_summary_pasta.nim
@@ -6,13 +6,7 @@
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 
-import
-  # Internals
-  constantine/named/algebras,
-  constantine/math/arithmetic,
-  constantine/math/extension_fields,
-  # Helpers
-  ./bench_summary_template
+import ./bench_summary_template
 
 # ############################################################
 #

diff --git a/benchmarks/bench_summary_template.nim b/benchmarks/bench_summary_template.nim
@@ -17,11 +17,7 @@ import
   constantine/platforms/abstractions,
   constantine/named/algebras,
   constantine/math/[arithmetic, extension_fields],
-  constantine/math/elliptic/[
-    ec_shortweierstrass_affine,
-    ec_shortweierstrass_projective,
-    ec_shortweierstrass_jacobian,
-    ec_scalar_mul, ec_scalar_mul_vartime, ec_endomorphism_accel],
+  constantine/math/ec_shortweierstrass,
   constantine/named/zoo_subgroups,
   constantine/math/pairings/[
     cyclotomic_subgroups,
@@ -36,8 +32,9 @@ import
   ./bench_blueprint
 
 export
-  ec_shortweierstrass_projective,
-  ec_shortweierstrass_jacobian
+  algebras,
+  arithmetic, extension_fields,
+  ec_shortweierstrass
 
 export abstractions # generic sandwich on SecretBool and SecretBool in Jacobian sum
 export zoo_pairings # generic sandwich https://github.com/nim-lang/Nim/issues/11225

diff --git a/constantine/boolean_hypercube/multilinear_extensions.nim b/constantine/boolean_hypercube/multilinear_extensions.nim
@@ -120,7 +120,7 @@ func evalMultilinearExtensionAt_BE[F](
   # e ∈ {0,1}ˢ hence each factor is either:
   # (1-xᵢ) or xᵢ
   #
-  # See the algorithm in ec_endomorphism_accel to build
+  # See the algorithm in split_scalars to build
   # a binary lookup table for O(n) evaluations
   #
   # Algorithm:
@@ -231,7 +231,7 @@ func evalMultilinearExtensionAt_LE[F](
   # e ∈ {0,1}ˢ hence each factor is either:
   # (1-xᵢ) or xᵢ
   #
-  # See the algorithm in ec_endomorphism_accel to build
+  # See the algorithm in split_scalars to build
   # a binary lookup table for O(n) evaluations
   #
   # Algorithm:

diff --git a/constantine/lowlevel_extension_fields.nim b/constantine/lowlevel_extension_fields.nim
@@ -9,7 +9,7 @@
 import
     ./platforms/abstractions,
     ./named/algebras,
-    ./math/isogenies/frobenius,
+    ./math/endomorphisms/frobenius,
     ./math/extension_fields,
     ./math/io/io_extfields
 

diff --git a/constantine/lowlevel_pairing_curves.nim b/constantine/lowlevel_pairing_curves.nim
@@ -10,7 +10,7 @@ import
     ./platforms/abstractions,
     ./named/algebras,
     ./named/zoo_pairings,
-    ./math/isogenies/frobenius,
+    ./math/endomorphisms/frobenius,
     ./math/pairings/[
       cyclotomic_subgroups,
       lines_eval,

diff --git a/constantine/math/arithmetic/bigints.nim b/constantine/math/arithmetic/bigints.nim
@@ -602,6 +602,10 @@ iterator recoding_l2r_signed_vartime*[bits: static int](a: BigInt[bits]): int8 =
   ##
   ## ⚠️ While the recoding is constant-time,
   ##   usage of this recoding is intended vartime
+  ##
+  ## - Optimal Left-to-Right Binary Signed-Digit Recoding
+  ##   Joye, Yen, 2000
+  ##   https://marcjoye.github.io/papers/JY00sd2r.pdf
 
   # As the caller is copy-pasted at each yield
   # we rework the algorithm so that we have a single yield point
@@ -610,7 +614,7 @@ iterator recoding_l2r_signed_vartime*[bits: static int](a: BigInt[bits]): int8 =
   var bi, bi1, ri, ri1, ri2: int8
 
   var i = bits
-  while true:     # JY00 outputs at mots bits+1 digits
+  while true:     # JY00 outputs at most bits+1 digits
     if i == bits: # We rely on compiler to hoist this branch out of the loop.
       ri = 0
       ri1 = int8 a.bit(bits-1)

diff --git a/constantine/math/ec_shortweierstrass.nim b/constantine/math/ec_shortweierstrass.nim
@@ -17,6 +17,7 @@ import
   elliptic/[
     ec_shortweierstrass_affine,
     ec_shortweierstrass_jacobian,
+    ec_shortweierstrass_jacobian_extended,
     ec_shortweierstrass_projective,
     ec_shortweierstrass_batch_ops,
     ec_scalar_mul, ec_scalar_mul_vartime,
@@ -25,6 +26,7 @@ import
   ../named/zoo_generators
 
 export ec_shortweierstrass_affine, ec_shortweierstrass_jacobian, ec_shortweierstrass_projective,
+       ec_shortweierstrass_jacobian_extended,
        ec_shortweierstrass_batch_ops, ec_scalar_mul, ec_scalar_mul_vartime,
        ec_multi_scalar_mul
 

diff --git a/constantine/math/elliptic/ec_multi_scalar_mul.nim b/constantine/math/elliptic/ec_multi_scalar_mul.nim
@@ -8,7 +8,7 @@
 
 import constantine/named/algebras,
        ./ec_multi_scalar_mul_scheduler,
-       ./ec_endomorphism_accel,
+       constantine/math/endomorphisms/split_scalars,
        constantine/math/extension_fields,
        constantine/named/zoo_endomorphisms,
        constantine/platforms/abstractions

diff --git a/constantine/math/elliptic/ec_multi_scalar_mul_parallel.nim b/constantine/math/elliptic/ec_multi_scalar_mul_parallel.nim
@@ -9,7 +9,7 @@
 import constantine/named/algebras,
        ./ec_multi_scalar_mul_scheduler,
        ./ec_multi_scalar_mul,
-       ./ec_endomorphism_accel,
+       constantine/math/endomorphisms/split_scalars,
        constantine/math/extension_fields,
        constantine/named/zoo_endomorphisms,
        ../../threadpool/[threadpool, partitioners]