primeorder: PrimeCurveParams::mul_by_generator_and_mul_add_vartime (#1759)

tarcieri · web-flow · commit 557cf798b56f · 2026-05-06T22:02:49.000-06:00
Adds a trait method that can be overridden to plug in variable-time linear combinations using precomputed wNAF for the basepoint which otherwise uses `lincomb_vartime` by default. When used in `p256` in combination with RustCrypto/traits#2405 which added `BasepointTableVartime::lincomb`, this results in a 25% speedup for ECDSA verification: ECDSA/P-256 (SHA-256)/verify time: [146.21 µs 147.14 µs 148.38 µs] change: [−25.356% −24.522% −23.756%] (p = 0.00 < 0.05) Performance has improved. Also applies the optimization to `p384`, `p521`, and `sm2`.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -27,4 +27,5 @@ hash2curve = { path = "hash2curve" }
 primefield = { path = "primefield" }
 primeorder = { path = "primeorder" }
 
+elliptic-curve = { git = "http://github.com/RustCrypto/traits.git" }
 rustcrypto-group = { git = "https://github.com/RustCrypto/group" }
diff --git a/p256/src/arithmetic.rs b/p256/src/arithmetic.rs
@@ -68,4 +68,13 @@ impl PrimeCurveParams for NistP256 {
     fn mul_by_generator_vartime(k: &Scalar) -> ProjectivePoint {
         tables::BASEPOINT_TABLE_VARTIME.mul(k)
     }
+
+    #[cfg(all(feature = "alloc", feature = "precomputed-tables"))]
+    fn mul_by_generator_and_mul_add_vartime(
+        a: &Scalar,
+        b_scalar: &Scalar,
+        b_point: &ProjectivePoint,
+    ) -> ProjectivePoint {
+        tables::BASEPOINT_TABLE_VARTIME.lincomb(a, &[(*b_point, *b_scalar)])
+    }
 }
diff --git a/p384/src/arithmetic.rs b/p384/src/arithmetic.rs
@@ -72,4 +72,13 @@ impl PrimeCurveParams for NistP384 {
     fn mul_by_generator_vartime(k: &Scalar) -> ProjectivePoint {
         tables::BASEPOINT_TABLE_VARTIME.mul(k)
     }
+
+    #[cfg(all(feature = "alloc", feature = "precomputed-tables"))]
+    fn mul_by_generator_and_mul_add_vartime(
+        a: &Scalar,
+        b_scalar: &Scalar,
+        b_point: &ProjectivePoint,
+    ) -> ProjectivePoint {
+        tables::BASEPOINT_TABLE_VARTIME.lincomb(a, &[(*b_point, *b_scalar)])
+    }
 }
diff --git a/p521/src/arithmetic.rs b/p521/src/arithmetic.rs
@@ -77,4 +77,13 @@ impl PrimeCurveParams for NistP521 {
     fn mul_by_generator_vartime(k: &Scalar) -> ProjectivePoint {
         tables::BASEPOINT_TABLE_VARTIME.mul(k)
     }
+
+    #[cfg(all(feature = "alloc", feature = "precomputed-tables"))]
+    fn mul_by_generator_and_mul_add_vartime(
+        a: &Scalar,
+        b_scalar: &Scalar,
+        b_point: &ProjectivePoint,
+    ) -> ProjectivePoint {
+        tables::BASEPOINT_TABLE_VARTIME.lincomb(a, &[(*b_point, *b_scalar)])
+    }
 }
diff --git a/primeorder/src/lib.rs b/primeorder/src/lib.rs
@@ -29,7 +29,7 @@ pub use elliptic_curve::{
 
 use elliptic_curve::{
     CurveArithmetic, Generate,
-    ops::{Invert, MulVartime},
+    ops::{Invert, LinearCombination, MulVartime},
     subtle::CtOption,
 };
 
@@ -73,6 +73,19 @@ pub trait PrimeCurveParams:
     fn mul_by_generator_vartime(k: &Scalar<Self>) -> ProjectivePoint<Self> {
         ProjectivePoint::GENERATOR.mul_vartime(k)
     }
+
+    /// Multiply `a` by the generator of the prime-order subgroup, adding the result to the point
+    /// `P` multiplied by the scalar `b`, i.e. compute `aG + bP`.
+    fn mul_by_generator_and_mul_add_vartime(
+        a: &Scalar<Self>,
+        b_scalar: &Scalar<Self>,
+        b_point: &ProjectivePoint<Self>,
+    ) -> ProjectivePoint<Self> {
+        ProjectivePoint::<Self>::lincomb_vartime(&[
+            (ProjectivePoint::GENERATOR, *a),
+            (*b_point, *b_scalar),
+        ])
+    }
 }
 
 /// Trait which allows curves to specify a variable-time basepoint table.
diff --git a/primeorder/src/projective.rs b/primeorder/src/projective.rs
@@ -970,16 +970,13 @@ where
         C::mul_by_generator_vartime(scalar)
     }
 
-    // When we're guaranteed *not* to have basepoint tables available (because they need `alloc`)
-    // use linear combinations for this computation, but they're slower when they are available
-    // TODO(tarcieri): `WnafBase::multiscalar_mul` w\ basepoint table when `alloc` *is* available
-    #[cfg(not(feature = "alloc"))]
+    #[inline]
     fn mul_by_generator_and_mul_add_vartime(
         a: &Self::Scalar,
         b_scalar: &Self::Scalar,
         b_point: &Self,
     ) -> Self {
-        Self::lincomb(&[(Self::GENERATOR, *a), (*b_point, *b_scalar)])
+        C::mul_by_generator_and_mul_add_vartime(a, b_scalar, b_point)
     }
 }
 
diff --git a/sm2/src/arithmetic.rs b/sm2/src/arithmetic.rs
@@ -68,4 +68,13 @@ impl PrimeCurveParams for Sm2 {
     fn mul_by_generator_vartime(k: &Scalar) -> ProjectivePoint {
         tables::BASEPOINT_TABLE_VARTIME.mul(k)
     }
+
+    #[cfg(all(feature = "alloc", feature = "precomputed-tables"))]
+    fn mul_by_generator_and_mul_add_vartime(
+        a: &Scalar,
+        b_scalar: &Scalar,
+        b_point: &ProjectivePoint,
+    ) -> ProjectivePoint {
+        tables::BASEPOINT_TABLE_VARTIME.lincomb(a, &[(*b_point, *b_scalar)])
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -68,4 +68,13 @@ impl PrimeCurveParams for NistP256 {`
`68`	`68`	`fn mul_by_generator_vartime(k: &Scalar) -> ProjectivePoint {`
`69`	`69`	`tables::BASEPOINT_TABLE_VARTIME.mul(k)`
`70`	`70`	`}`
	`71`	`+`
	`72`	`+ #[cfg(all(feature = "alloc", feature = "precomputed-tables"))]`
	`73`	`+ fn mul_by_generator_and_mul_add_vartime(`
	`74`	`+ a: &Scalar,`
	`75`	`+ b_scalar: &Scalar,`
	`76`	`+ b_point: &ProjectivePoint,`
	`77`	`+ ) -> ProjectivePoint {`
	`78`	`+ tables::BASEPOINT_TABLE_VARTIME.lincomb(a, &[(b_point, b_scalar)])`
	`79`	`+ }`
`71`	`80`	`}`
Original file line number	Diff line number	Diff line change
`@@ -72,4 +72,13 @@ impl PrimeCurveParams for NistP384 {`
`72`	`72`	`fn mul_by_generator_vartime(k: &Scalar) -> ProjectivePoint {`
`73`	`73`	`tables::BASEPOINT_TABLE_VARTIME.mul(k)`
`74`	`74`	`}`
	`75`	`+`
	`76`	`+ #[cfg(all(feature = "alloc", feature = "precomputed-tables"))]`
	`77`	`+ fn mul_by_generator_and_mul_add_vartime(`
	`78`	`+ a: &Scalar,`
	`79`	`+ b_scalar: &Scalar,`
	`80`	`+ b_point: &ProjectivePoint,`
	`81`	`+ ) -> ProjectivePoint {`
	`82`	`+ tables::BASEPOINT_TABLE_VARTIME.lincomb(a, &[(b_point, b_scalar)])`
	`83`	`+ }`
`75`	`84`	`}`
Original file line number	Diff line number	Diff line change
`@@ -77,4 +77,13 @@ impl PrimeCurveParams for NistP521 {`
`77`	`77`	`fn mul_by_generator_vartime(k: &Scalar) -> ProjectivePoint {`
`78`	`78`	`tables::BASEPOINT_TABLE_VARTIME.mul(k)`
`79`	`79`	`}`
	`80`	`+`
	`81`	`+ #[cfg(all(feature = "alloc", feature = "precomputed-tables"))]`
	`82`	`+ fn mul_by_generator_and_mul_add_vartime(`
	`83`	`+ a: &Scalar,`
	`84`	`+ b_scalar: &Scalar,`
	`85`	`+ b_point: &ProjectivePoint,`
	`86`	`+ ) -> ProjectivePoint {`
	`87`	`+ tables::BASEPOINT_TABLE_VARTIME.lincomb(a, &[(b_point, b_scalar)])`
	`88`	`+ }`
`80`	`89`	`}`
Original file line number	Diff line number	Diff line change
`@@ -970,16 +970,13 @@ where`
`970`	`970`	`C::mul_by_generator_vartime(scalar)`
`971`	`971`	`}`
`972`	`972`
`973`		- // When we're guaranteed not to have basepoint tables available (because they need `alloc`)
`974`		`- // use linear combinations for this computation, but they're slower when they are available`
`975`		- // TODO(tarcieri): `WnafBase::multiscalar_mul` w\ basepoint table when `alloc` is available
`976`		`- #[cfg(not(feature = "alloc"))]`
	`973`	`+ #[inline]`
`977`	`974`	`fn mul_by_generator_and_mul_add_vartime(`
`978`	`975`	`a: &Self::Scalar,`
`979`	`976`	`b_scalar: &Self::Scalar,`
`980`	`977`	`b_point: &Self,`
`981`	`978`	`) -> Self {`
`982`		`- Self::lincomb(&[(Self::GENERATOR, a), (b_point, *b_scalar)])`
	`979`	`+ C::mul_by_generator_and_mul_add_vartime(a, b_scalar, b_point)`
`983`	`980`	`}`
`984`	`981`	`}`
`985`	`982`