Use vartime impl to accelerate the BN254 EVM precompiles

2025-01-15 21:44:15 +00:00 · 2023-09-05 01:02:01 +02:00 · 2023-09-05 01:02:01 +02:00 · 4e0ca43af1
commit 4e0ca43af1
parent b9c911ba37
3 changed files with 16 additions and 13 deletions
--- a/constantine/ethereum_evm_precompiles.nim
+++ b/constantine/ethereum_evm_precompiles.nim
@ -55,7 +55,7 @@ func parseRawUint(
  return cttEVM_Success

 func fromRawCoords(
-       dst: var ECP_ShortW_Prj[Fp[BN254_Snarks], G1],
+       dst: var ECP_ShortW_Jac[Fp[BN254_Snarks], G1],
       x, y: openarray[byte]): CttEVMStatus =

  # Deserialization
@ -122,7 +122,7 @@ func eth_evm_ecadd*(r: var openArray[byte], inputs: openarray[byte]): CttEVMStat
  var padded: array[128, byte]
  padded.rawCopy(0, inputs, 0, min(inputs.len, 128))

-  var P{.noInit.}, Q{.noInit.}, R{.noInit.}: ECP_ShortW_Prj[Fp[BN254_Snarks], G1]
+  var P{.noInit.}, Q{.noInit.}, R{.noInit.}: ECP_ShortW_Jac[Fp[BN254_Snarks], G1]

  let statusP = P.fromRawCoords(
    x = padded.toOpenArray(0, 31),
@ -135,7 +135,7 @@ func eth_evm_ecadd*(r: var openArray[byte], inputs: openarray[byte]): CttEVMStat
  if statusQ != cttEVM_Success:
    return statusQ

-  R.sum(P, Q)
+  R.sum_vartime(P, Q)
  var aff{.noInit.}: ECP_ShortW_Aff[Fp[BN254_Snarks], G1]
  aff.affine(R)

@ -176,7 +176,7 @@ func eth_evm_ecmul*(r: var openArray[byte], inputs: openarray[byte]): CttEVMStat
  var padded: array[128, byte]
  padded.rawCopy(0, inputs, 0, min(inputs.len, 128))

-  var P{.noInit.}: ECP_ShortW_Prj[Fp[BN254_Snarks], G1]
+  var P{.noInit.}: ECP_ShortW_Jac[Fp[BN254_Snarks], G1]

  let statusP = P.fromRawCoords(
    x = padded.toOpenArray(0, 31),
@ -202,9 +202,9 @@ func eth_evm_ecmul*(r: var openArray[byte], inputs: openarray[byte]): CttEVMStat
                Fr[BN254_Snarks].getR2modP().limbs,
                Fr[BN254_Snarks].getNegInvModWord(),
                Fr[BN254_Snarks].getSpareBits())
-    P.scalarMul(smod.toBig())
+    P.scalarMul_vartime(smod.toBig())
  else:
-    P.scalarMul(s)
+    P.scalarMul_vartime(s)

  var aff{.noInit.}: ECP_ShortW_Aff[Fp[BN254_Snarks], G1]
  aff.affine(P)
@ -217,7 +217,7 @@ func subgroupCheck(P: ECP_ShortW_Aff[Fp2[BN254_Snarks], G2]): bool =
  ## A point may be on a curve but in case the curve has a cofactor != 1
  ## that point may not be in the correct cyclic subgroup.
  ## If we are on the subgroup of order r then [r]P = 0
-  var Q{.noInit.}: ECP_ShortW_Prj[Fp2[BN254_Snarks], G2]
+  var Q{.noInit.}: ECP_ShortW_Jac[Fp2[BN254_Snarks], G2]
  Q.fromAffine(P)
  return bool(Q.isInSubgroup())

--- a/constantine/math/ec_shortweierstrass.nim
+++ b/constantine/math/ec_shortweierstrass.nim
@ -19,11 +19,11 @@ import
    ec_shortweierstrass_jacobian,
    ec_shortweierstrass_projective,
    ec_shortweierstrass_batch_ops,
-    ec_scalar_mul
+    ec_scalar_mul, ec_scalar_mul_vartime
  ]

 export ec_shortweierstrass_affine, ec_shortweierstrass_jacobian, ec_shortweierstrass_projective,
-       ec_shortweierstrass_batch_ops, ec_scalar_mul
+       ec_shortweierstrass_batch_ops, ec_scalar_mul, ec_scalar_mul_vartime

 type ECP_ShortW*[F; G: static Subgroup] = ECP_ShortW_Aff[F, G] | ECP_ShortW_Jac[F, G] | ECP_ShortW_Prj[F, G]

--- a/constantine/math/elliptic/ec_scalar_mul_vartime.nim
+++ b/constantine/math/elliptic/ec_scalar_mul_vartime.nim
@ -8,10 +8,13 @@

 import
  # Internals
+  ./ec_shortweierstrass_affine,
+  ./ec_shortweierstrass_jacobian,
+  ./ec_shortweierstrass_projective,
  ./ec_endomorphism_accel,
+  ./ec_shortweierstrass_batch_ops,
  ../arithmetic,
  ../extension_fields,
-  ../ec_shortweierstrass,
  ../io/io_bigints,
  ../constants/zoo_endomorphisms,
  ../isogenies/frobenius,
@ -30,9 +33,9 @@ iterator unpackBE(scalarByte: byte): bool =

 # Variable-time scalar multiplication
 # ------------------------------------------------------------------------------
-template `+=`[F; G: static Subgroup](P: var ECP_ShortW[F, G], Q: ECP_ShortW_Aff[F, G]) =
+template `+=`[F; G: static Subgroup](P: var (ECP_ShortW_Jac[F, G] or ECP_ShortW_Prj[F, G]), Q: ECP_ShortW_Aff[F, G]) =
  P.madd_vartime(P, Q)
-template `-=`[F; G: static Subgroup](P: var ECP_ShortW[F, G], Q: ECP_ShortW_Aff[F, G]) =
+template `-=`[F; G: static Subgroup](P: var (ECP_ShortW_Jac[F, G] or ECP_ShortW_Prj[F, G]), Q: ECP_ShortW_Aff[F, G]) =
  P.msub_vartime(P, Q)

 func scalarMul_doubleAdd_vartime*[EC](P: var EC, scalar: BigInt) {.tags:[VarTime].} =
@ -334,7 +337,7 @@ func scalarMulEndo_minHammingWeight_windowed_vartime*[scalBits: static int; EC](
 func scalarMul_vartime*[scalBits; EC](
       P: var EC,
       scalar: BigInt[scalBits]
-     ) {.inline.} =
+     ) =
  ## Elliptic Curve Scalar Multiplication
  ##
  ##   P <- [k] P