Preliminary wNAF support (#1714)

RustCrypto/group#12 included a workaround that allows curves with a big
endian `PrimeField::Repr` to be used for wNAF, by defining a separate
`PrimeField::to_le_repr` method which is always guaranteed to be little
endian. This may not be the permanent solution to this problem which
gets upstreamed, but it unblocks work for now.

This commit adds the relevant impls of `to_le_repr`, along with initial
`WnafGroup` impls to `ProjectivePoint` in `k256` and `primeorder`
(currently hardcoded to a fixed constant of `4` for now to unblock
additional work).

This also adds a `ProjectivePoint::wnaf` static method to obtain a
wNAF context for that particular curve group, feature-gated on `alloc`.

Finally, it adds a smoke test to `p256` which checks it against our
scalar multiplication test vectors, however it does not check any other
curves yet and probably should.

Author: tarcieri

Cargo.lock

@@ -18,7 +18,7 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-elliptic-curve = { version = "0.14.0-rc.29", features = ["sec1"] }
+elliptic-curve = { version = "0.14.0-rc.30", features = ["sec1"] }
 
 # optional dependencies
 belt-block = { version = "0.2.0-rc.3", optional = true }
@@ -38,7 +38,7 @@ signature = { version = "3.0.0-rc.10", optional = true }
 
 [dev-dependencies]
 criterion = "0.7"
-elliptic-curve = { version = "0.14.0-rc.29", default-features = false, features = ["dev"] }
+elliptic-curve = { version = "0.14.0-rc.30", default-features = false, features = ["dev"] }
 hex-literal = "1"
 primeorder = { version = "0.14.0-rc.8", features = ["dev"] }
 proptest = "1"

bignp256/Cargo.toml

@@ -14,7 +14,7 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-elliptic-curve = { version = "0.14.0-rc.29", default-features = false, features = ["sec1"] }
+elliptic-curve = { version = "0.14.0-rc.30", default-features = false, features = ["sec1"] }
 
 # optional dependencies
 ecdsa = { version = "0.17.0-rc.16", optional = true, default-features = false, features = ["der"] }
@@ -24,7 +24,7 @@ sha2 = { version = "0.11", optional = true, default-features = false }
 
 [dev-dependencies]
 criterion = "0.7"
-elliptic-curve = { version = "0.14.0-rc.29", default-features = false, features = ["dev"] }
+elliptic-curve = { version = "0.14.0-rc.30", default-features = false, features = ["dev"] }
 
 [features]
 default = ["pkcs8", "std"]

bp256/Cargo.toml

@@ -14,7 +14,7 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-elliptic-curve = { version = "0.14.0-rc.29", default-features = false, features = ["sec1"] }
+elliptic-curve = { version = "0.14.0-rc.30", default-features = false, features = ["sec1"] }
 
 # optional dependencies
 ecdsa = { version = "0.17.0-rc.16", optional = true, default-features = false, features = ["der"] }
@@ -24,7 +24,7 @@ sha2 = { version = "0.11", optional = true, default-features = false }
 
 [dev-dependencies]
 criterion = "0.7"
-elliptic-curve = { version = "0.14.0-rc.29", default-features = false, features = ["dev"] }
+elliptic-curve = { version = "0.14.0-rc.30", default-features = false, features = ["dev"] }
 
 [features]
 default = ["pkcs8", "std"]

bp384/Cargo.toml

@@ -16,7 +16,7 @@ This crate also includes signing and verifying of Ed448 signatures.
 """
 
 [dependencies]
-elliptic-curve = { version = "0.14.0-rc.29", features = ["arithmetic", "pkcs8"] }
+elliptic-curve = { version = "0.14.0-rc.30", features = ["arithmetic", "pkcs8"] }
 hash2curve = "0.14.0-rc.11"
 rand_core = { version = "0.10", default-features = false }
 sha3 = { version = "0.11", default-features = false }

ed448-goldilocks/Cargo.toml

@@ -15,7 +15,7 @@ rust-version = "1.85"
 
 [dependencies]
 digest = { version = "0.11" }
-elliptic-curve = { version = "0.14.0-rc.29", default-features = false, features = ["arithmetic"] }
+elliptic-curve = { version = "0.14.0-rc.30", default-features = false, features = ["arithmetic"] }
 
 [dev-dependencies]
 hex-literal = "1"

hash2curve/Cargo.toml

@@ -20,7 +20,7 @@ rust-version = "1.85"
 
 [dependencies]
 cpubits = "0.1"
-elliptic-curve = { version = "0.14.0-rc.29", default-features = false, features = ["sec1"] }
+elliptic-curve = { version = "0.14.0-rc.30", default-features = false, features = ["sec1"] }
 hash2curve = { version = "0.14.0-rc.11", optional = true }
 
 # optional dependencies

k256/Cargo.toml

@@ -28,14 +28,13 @@ use core::{
 };
 use elliptic_curve::{
     Generate,
-    bigint::{Odd, U256, modular::Retrieve},
+    bigint::{ArrayEncoding, Odd, U256, modular::Retrieve},
     ff::{self, Field, PrimeField},
     ops::Invert,
     rand_core::{TryCryptoRng, TryRng},
     subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption},
     zeroize::DefaultIsZeroes,
 };
-
 #[cfg(test)]
 use num_bigint::{BigUint, ToBigUint};
 
@@ -319,6 +318,10 @@ impl PrimeField for FieldElement {
         self.to_bytes()
     }
 
+    fn to_le_repr(&self) -> Self::Repr {
+        self.0.normalize().to_u256().to_le_byte_array()
+    }
+
     fn is_odd(&self) -> Choice {
         self.is_odd()
     }

k256/src/arithmetic/field.rs

@@ -24,7 +24,7 @@ use elliptic_curve::{
 };
 
 #[cfg(feature = "alloc")]
-use alloc::vec::Vec;
+use {alloc::vec::Vec, elliptic_curve::group::WnafGroup};
 
 #[rustfmt::skip]
 const ENDOMORPHISM_BETA: FieldElement = FieldElement::from_bytes_unchecked(&[
@@ -524,6 +524,15 @@ impl PrimeCurve for ProjectivePoint {
 
 impl PrimeGroup for ProjectivePoint {}
 
+#[cfg(feature = "alloc")]
+impl WnafGroup for ProjectivePoint {
+    fn recommended_wnaf_for_num_scalars(_num_scalars: usize) -> usize {
+        // TODO(tarcieri): provide a way for individual curves to configure this
+        // Returns a number between 2 and 22, inclusive.
+        4 // This seems to be a common starting point?
+    }
+}
+
 //
 // `core::ops` trait impls
 //

k256/src/arithmetic/projective.rs

@@ -310,6 +310,10 @@ impl PrimeField for Scalar {
         self.to_bytes()
     }
 
+    fn to_le_repr(&self) -> Self::Repr {
+        self.0.to_le_byte_array()
+    }
+
     fn is_odd(&self) -> Choice {
         self.0.is_odd().into()
     }