primeorder: PrimeCurveParams::mul_by_generator_and_mul_add_vartime

Adds a trait method that can be overridden to plug in variable-time
linear combinations using precomputed wNAF for the basepoint which
otherwise uses `lincomb_vartime` by default.

When used in `p256` in combination with RustCrypto/traits#2405 which
added `BasepointTableVartime::lincomb`, this results in a 25% speedup
for ECDSA verification:

    ECDSA/P-256 (SHA-256)/verify
        time:   [146.21 µs 147.14 µs 148.38 µs]
        change: [−25.356% −24.522% −23.756%] (p = 0.00 < 0.05)
        Performance has improved.

Author: tarcieri

Cargo.lock

@@ -27,4 +27,5 @@ hash2curve = { path = "hash2curve" }
 primefield = { path = "primefield" }
 primeorder = { path = "primeorder" }
 
+elliptic-curve = { git = "http://github.com/RustCrypto/traits.git" }
 rustcrypto-group = { git = "https://github.com/RustCrypto/group" }

Cargo.toml

@@ -68,4 +68,13 @@ impl PrimeCurveParams for NistP256 {
     fn mul_by_generator_vartime(k: &Scalar) -> ProjectivePoint {
         tables::BASEPOINT_TABLE_VARTIME.mul(k)
     }
+
+    #[cfg(all(feature = "alloc", feature = "precomputed-tables"))]
+    fn mul_by_generator_and_mul_add_vartime(
+        a: &elliptic_curve::Scalar<Self>,
+        b_scalar: &elliptic_curve::Scalar<Self>,
+        b_point: &primeorder::ProjectivePoint<Self>,
+    ) -> primeorder::ProjectivePoint<Self> {
+        tables::BASEPOINT_TABLE_VARTIME.lincomb(a, &[(*b_point, *b_scalar)])
+    }
 }

p256/src/arithmetic.rs

@@ -29,7 +29,7 @@ pub use elliptic_curve::{
 
 use elliptic_curve::{
     CurveArithmetic, Generate,
-    ops::{Invert, MulVartime},
+    ops::{Invert, LinearCombination, MulVartime},
     subtle::CtOption,
 };
 
@@ -73,6 +73,19 @@ pub trait PrimeCurveParams:
     fn mul_by_generator_vartime(k: &Scalar<Self>) -> ProjectivePoint<Self> {
         ProjectivePoint::GENERATOR.mul_vartime(k)
     }
+
+    /// Multiply `a` by the generator of the prime-order subgroup, adding the result to the point
+    /// `P` multiplied by the scalar `b`, i.e. compute `aG + bP`.
+    fn mul_by_generator_and_mul_add_vartime(
+        a: &Scalar<Self>,
+        b_scalar: &Scalar<Self>,
+        b_point: &ProjectivePoint<Self>,
+    ) -> ProjectivePoint<Self> {
+        ProjectivePoint::<Self>::lincomb_vartime(&[
+            (ProjectivePoint::GENERATOR, *a),
+            (*b_point, *b_scalar),
+        ])
+    }
 }
 
 /// Trait which allows curves to specify a variable-time basepoint table.

primeorder/src/lib.rs

@@ -970,16 +970,13 @@ where
         C::mul_by_generator_vartime(scalar)
     }
 
-    // When we're guaranteed *not* to have basepoint tables available (because they need `alloc`)
-    // use linear combinations for this computation, but they're slower when they are available
-    // TODO(tarcieri): `WnafBase::multiscalar_mul` w\ basepoint table when `alloc` *is* available
-    #[cfg(not(feature = "alloc"))]
+    #[inline]
     fn mul_by_generator_and_mul_add_vartime(
         a: &Self::Scalar,
         b_scalar: &Self::Scalar,
         b_point: &Self,
     ) -> Self {
-        Self::lincomb(&[(Self::GENERATOR, *a), (*b_point, *b_scalar)])
+        C::mul_by_generator_and_mul_add_vartime(a, b_scalar, b_point)
     }
 }