From 4e0ca43af1c719e6fa91e1e5c7ea821039b79b9f Mon Sep 17 00:00:00 2001 From: Mamy Ratsimbazafy Date: Tue, 5 Sep 2023 01:02:01 +0200 Subject: [PATCH] Use vartime impl to accelerate the BN254 EVM precompiles --- constantine/ethereum_evm_precompiles.nim | 14 +++++++------- constantine/math/ec_shortweierstrass.nim | 4 ++-- .../math/elliptic/ec_scalar_mul_vartime.nim | 11 +++++++---- 3 files changed, 16 insertions(+), 13 deletions(-) diff --git a/constantine/ethereum_evm_precompiles.nim b/constantine/ethereum_evm_precompiles.nim index 8768637..9f2126e 100644 --- a/constantine/ethereum_evm_precompiles.nim +++ b/constantine/ethereum_evm_precompiles.nim @@ -55,7 +55,7 @@ func parseRawUint( return cttEVM_Success func fromRawCoords( - dst: var ECP_ShortW_Prj[Fp[BN254_Snarks], G1], + dst: var ECP_ShortW_Jac[Fp[BN254_Snarks], G1], x, y: openarray[byte]): CttEVMStatus = # Deserialization @@ -122,7 +122,7 @@ func eth_evm_ecadd*(r: var openArray[byte], inputs: openarray[byte]): CttEVMStat var padded: array[128, byte] padded.rawCopy(0, inputs, 0, min(inputs.len, 128)) - var P{.noInit.}, Q{.noInit.}, R{.noInit.}: ECP_ShortW_Prj[Fp[BN254_Snarks], G1] + var P{.noInit.}, Q{.noInit.}, R{.noInit.}: ECP_ShortW_Jac[Fp[BN254_Snarks], G1] let statusP = P.fromRawCoords( x = padded.toOpenArray(0, 31), @@ -135,7 +135,7 @@ func eth_evm_ecadd*(r: var openArray[byte], inputs: openarray[byte]): CttEVMStat if statusQ != cttEVM_Success: return statusQ - R.sum(P, Q) + R.sum_vartime(P, Q) var aff{.noInit.}: ECP_ShortW_Aff[Fp[BN254_Snarks], G1] aff.affine(R) @@ -176,7 +176,7 @@ func eth_evm_ecmul*(r: var openArray[byte], inputs: openarray[byte]): CttEVMStat var padded: array[128, byte] padded.rawCopy(0, inputs, 0, min(inputs.len, 128)) - var P{.noInit.}: ECP_ShortW_Prj[Fp[BN254_Snarks], G1] + var P{.noInit.}: ECP_ShortW_Jac[Fp[BN254_Snarks], G1] let statusP = P.fromRawCoords( x = padded.toOpenArray(0, 31), @@ -202,9 +202,9 @@ func eth_evm_ecmul*(r: var openArray[byte], inputs: openarray[byte]): CttEVMStat Fr[BN254_Snarks].getR2modP().limbs, Fr[BN254_Snarks].getNegInvModWord(), Fr[BN254_Snarks].getSpareBits()) - P.scalarMul(smod.toBig()) + P.scalarMul_vartime(smod.toBig()) else: - P.scalarMul(s) + P.scalarMul_vartime(s) var aff{.noInit.}: ECP_ShortW_Aff[Fp[BN254_Snarks], G1] aff.affine(P) @@ -217,7 +217,7 @@ func subgroupCheck(P: ECP_ShortW_Aff[Fp2[BN254_Snarks], G2]): bool = ## A point may be on a curve but in case the curve has a cofactor != 1 ## that point may not be in the correct cyclic subgroup. ## If we are on the subgroup of order r then [r]P = 0 - var Q{.noInit.}: ECP_ShortW_Prj[Fp2[BN254_Snarks], G2] + var Q{.noInit.}: ECP_ShortW_Jac[Fp2[BN254_Snarks], G2] Q.fromAffine(P) return bool(Q.isInSubgroup()) diff --git a/constantine/math/ec_shortweierstrass.nim b/constantine/math/ec_shortweierstrass.nim index 2ff74f3..4ed14a7 100644 --- a/constantine/math/ec_shortweierstrass.nim +++ b/constantine/math/ec_shortweierstrass.nim @@ -19,11 +19,11 @@ import ec_shortweierstrass_jacobian, ec_shortweierstrass_projective, ec_shortweierstrass_batch_ops, - ec_scalar_mul + ec_scalar_mul, ec_scalar_mul_vartime ] export ec_shortweierstrass_affine, ec_shortweierstrass_jacobian, ec_shortweierstrass_projective, - ec_shortweierstrass_batch_ops, ec_scalar_mul + ec_shortweierstrass_batch_ops, ec_scalar_mul, ec_scalar_mul_vartime type ECP_ShortW*[F; G: static Subgroup] = ECP_ShortW_Aff[F, G] | ECP_ShortW_Jac[F, G] | ECP_ShortW_Prj[F, G] diff --git a/constantine/math/elliptic/ec_scalar_mul_vartime.nim b/constantine/math/elliptic/ec_scalar_mul_vartime.nim index ebe46e7..fcc44b4 100644 --- a/constantine/math/elliptic/ec_scalar_mul_vartime.nim +++ b/constantine/math/elliptic/ec_scalar_mul_vartime.nim @@ -8,10 +8,13 @@ import # Internals + ./ec_shortweierstrass_affine, + ./ec_shortweierstrass_jacobian, + ./ec_shortweierstrass_projective, ./ec_endomorphism_accel, + ./ec_shortweierstrass_batch_ops, ../arithmetic, ../extension_fields, - ../ec_shortweierstrass, ../io/io_bigints, ../constants/zoo_endomorphisms, ../isogenies/frobenius, @@ -30,9 +33,9 @@ iterator unpackBE(scalarByte: byte): bool = # Variable-time scalar multiplication # ------------------------------------------------------------------------------ -template `+=`[F; G: static Subgroup](P: var ECP_ShortW[F, G], Q: ECP_ShortW_Aff[F, G]) = +template `+=`[F; G: static Subgroup](P: var (ECP_ShortW_Jac[F, G] or ECP_ShortW_Prj[F, G]), Q: ECP_ShortW_Aff[F, G]) = P.madd_vartime(P, Q) -template `-=`[F; G: static Subgroup](P: var ECP_ShortW[F, G], Q: ECP_ShortW_Aff[F, G]) = +template `-=`[F; G: static Subgroup](P: var (ECP_ShortW_Jac[F, G] or ECP_ShortW_Prj[F, G]), Q: ECP_ShortW_Aff[F, G]) = P.msub_vartime(P, Q) func scalarMul_doubleAdd_vartime*[EC](P: var EC, scalar: BigInt) {.tags:[VarTime].} = @@ -334,7 +337,7 @@ func scalarMulEndo_minHammingWeight_windowed_vartime*[scalBits: static int; EC]( func scalarMul_vartime*[scalBits; EC]( P: var EC, scalar: BigInt[scalBits] - ) {.inline.} = + ) = ## Elliptic Curve Scalar Multiplication ## ## P <- [k] P