Use vartime impl to accelerate the BN254 EVM precompiles

mratsim · Sep 4, 2023 · 4e0ca43 · 4e0ca43
1 parent b9c911b
commit 4e0ca43
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 13 deletions.
diff --git a/constantine/ethereum_evm_precompiles.nim b/constantine/ethereum_evm_precompiles.nim
@@ -55,7 +55,7 @@ func parseRawUint(
   return cttEVM_Success
 
 func fromRawCoords(
-       dst: var ECP_ShortW_Prj[Fp[BN254_Snarks], G1],
+       dst: var ECP_ShortW_Jac[Fp[BN254_Snarks], G1],
        x, y: openarray[byte]): CttEVMStatus =
 
   # Deserialization
@@ -122,7 +122,7 @@ func eth_evm_ecadd*(r: var openArray[byte], inputs: openarray[byte]): CttEVMStat
   var padded: array[128, byte]
   padded.rawCopy(0, inputs, 0, min(inputs.len, 128))
 
-  var P{.noInit.}, Q{.noInit.}, R{.noInit.}: ECP_ShortW_Prj[Fp[BN254_Snarks], G1]
+  var P{.noInit.}, Q{.noInit.}, R{.noInit.}: ECP_ShortW_Jac[Fp[BN254_Snarks], G1]
 
   let statusP = P.fromRawCoords(
     x = padded.toOpenArray(0, 31),
@@ -135,7 +135,7 @@ func eth_evm_ecadd*(r: var openArray[byte], inputs: openarray[byte]): CttEVMStat
   if statusQ != cttEVM_Success:
     return statusQ
 
-  R.sum(P, Q)
+  R.sum_vartime(P, Q)
   var aff{.noInit.}: ECP_ShortW_Aff[Fp[BN254_Snarks], G1]
   aff.affine(R)
 
@@ -176,7 +176,7 @@ func eth_evm_ecmul*(r: var openArray[byte], inputs: openarray[byte]): CttEVMStat
   var padded: array[128, byte]
   padded.rawCopy(0, inputs, 0, min(inputs.len, 128))
 
-  var P{.noInit.}: ECP_ShortW_Prj[Fp[BN254_Snarks], G1]
+  var P{.noInit.}: ECP_ShortW_Jac[Fp[BN254_Snarks], G1]
 
   let statusP = P.fromRawCoords(
     x = padded.toOpenArray(0, 31),
@@ -202,9 +202,9 @@ func eth_evm_ecmul*(r: var openArray[byte], inputs: openarray[byte]): CttEVMStat
                 Fr[BN254_Snarks].getR2modP().limbs,
                 Fr[BN254_Snarks].getNegInvModWord(),
                 Fr[BN254_Snarks].getSpareBits())
-    P.scalarMul(smod.toBig())
+    P.scalarMul_vartime(smod.toBig())
   else:
-    P.scalarMul(s)
+    P.scalarMul_vartime(s)
 
   var aff{.noInit.}: ECP_ShortW_Aff[Fp[BN254_Snarks], G1]
   aff.affine(P)
@@ -217,7 +217,7 @@ func subgroupCheck(P: ECP_ShortW_Aff[Fp2[BN254_Snarks], G2]): bool =
   ## A point may be on a curve but in case the curve has a cofactor != 1
   ## that point may not be in the correct cyclic subgroup.
   ## If we are on the subgroup of order r then [r]P = 0
-  var Q{.noInit.}: ECP_ShortW_Prj[Fp2[BN254_Snarks], G2]
+  var Q{.noInit.}: ECP_ShortW_Jac[Fp2[BN254_Snarks], G2]
   Q.fromAffine(P)
   return bool(Q.isInSubgroup())
 

diff --git a/constantine/math/ec_shortweierstrass.nim b/constantine/math/ec_shortweierstrass.nim
@@ -19,11 +19,11 @@ import
     ec_shortweierstrass_jacobian,
     ec_shortweierstrass_projective,
     ec_shortweierstrass_batch_ops,
-    ec_scalar_mul
+    ec_scalar_mul, ec_scalar_mul_vartime
   ]
 
 export ec_shortweierstrass_affine, ec_shortweierstrass_jacobian, ec_shortweierstrass_projective,
-       ec_shortweierstrass_batch_ops, ec_scalar_mul
+       ec_shortweierstrass_batch_ops, ec_scalar_mul, ec_scalar_mul_vartime
 
 type ECP_ShortW*[F; G: static Subgroup] = ECP_ShortW_Aff[F, G] | ECP_ShortW_Jac[F, G] | ECP_ShortW_Prj[F, G]
 

diff --git a/constantine/math/elliptic/ec_scalar_mul_vartime.nim b/constantine/math/elliptic/ec_scalar_mul_vartime.nim
@@ -8,10 +8,13 @@
 
 import
   # Internals
+  ./ec_shortweierstrass_affine,
+  ./ec_shortweierstrass_jacobian,
+  ./ec_shortweierstrass_projective,
   ./ec_endomorphism_accel,
+  ./ec_shortweierstrass_batch_ops,
   ../arithmetic,
   ../extension_fields,
-  ../ec_shortweierstrass,
   ../io/io_bigints,
   ../constants/zoo_endomorphisms,
   ../isogenies/frobenius,
@@ -30,9 +33,9 @@ iterator unpackBE(scalarByte: byte): bool =
 
 # Variable-time scalar multiplication
 # ------------------------------------------------------------------------------
-template `+=`[F; G: static Subgroup](P: var ECP_ShortW[F, G], Q: ECP_ShortW_Aff[F, G]) =
+template `+=`[F; G: static Subgroup](P: var (ECP_ShortW_Jac[F, G] or ECP_ShortW_Prj[F, G]), Q: ECP_ShortW_Aff[F, G]) =
   P.madd_vartime(P, Q)
-template `-=`[F; G: static Subgroup](P: var ECP_ShortW[F, G], Q: ECP_ShortW_Aff[F, G]) =
+template `-=`[F; G: static Subgroup](P: var (ECP_ShortW_Jac[F, G] or ECP_ShortW_Prj[F, G]), Q: ECP_ShortW_Aff[F, G]) =
   P.msub_vartime(P, Q)
 
 func scalarMul_doubleAdd_vartime*[EC](P: var EC, scalar: BigInt) {.tags:[VarTime].} =
@@ -334,7 +337,7 @@ func scalarMulEndo_minHammingWeight_windowed_vartime*[scalBits: static int; EC](
 func scalarMul_vartime*[scalBits; EC](
        P: var EC,
        scalar: BigInt[scalBits]
-     ) {.inline.} =
+     ) =
   ## Elliptic Curve Scalar Multiplication
   ##
   ##   P <- [k] P