[WIP] Initial MulVartime impls

Companion PR to RustCrypto/traits#2379

This adds initial impls of the `MulVartime` trait which are required by
the bounds added in the PR above.

These don't yet use variable-time implementations as noted in the TODOs,
however the idea is we can opportunistically plug in wNAF when the
`alloc` feature is enabled. However, actually implementing that has been
saved for a follow-up.

This also adds an impl of the new `PointWithBasepointTable` to `k256`,
which makes the table accessible in a generic context.

Author: tarcieri

Cargo.lock

@@ -26,3 +26,5 @@ ed448-goldilocks = { path = "ed448-goldilocks" }
 hash2curve = { path = "hash2curve" }
 primefield = { path = "primefield" }
 primeorder = { path = "primeorder" }
+
+elliptic-curve = { git = "https://github.com/RustCrypto/traits" }

Cargo.toml

@@ -4,11 +4,11 @@
 
 use super::{CURVE_EQUATION_B, FieldElement, ProjectivePoint};
 use crate::{CompressedPoint, FieldBytes, PublicKey, Scalar, Sec1Point, Secp256k1};
-use core::ops::{Mul, Neg};
 use elliptic_curve::{
     Error, Generate, Result, ctutils,
     ff::PrimeField,
     group::{GroupEncoding, prime::PrimeCurveAffine},
+    ops::{Mul, MulVartime, Neg},
     point::{AffineCoordinates, DecompactPoint, DecompressPoint, NonIdentity},
     rand_core::{TryCryptoRng, TryRng},
     sec1::{self, FromSec1Point, ToSec1Point},
@@ -233,6 +233,18 @@ impl Mul<&Scalar> for AffinePoint {
     }
 }
 
+impl MulVartime<Scalar> for AffinePoint {
+    fn mul_vartime(self, scalar: Scalar) -> ProjectivePoint {
+        ProjectivePoint::from(self).mul_vartime(scalar)
+    }
+}
+
+impl MulVartime<&Scalar> for AffinePoint {
+    fn mul_vartime(self, scalar: &Scalar) -> ProjectivePoint {
+        ProjectivePoint::from(self).mul_vartime(scalar)
+    }
+}
+
 impl Neg for AffinePoint {
     type Output = AffinePoint;
 

k256/src/arithmetic/affine.rs

@@ -38,16 +38,25 @@ use crate::arithmetic::{
     ProjectivePoint,
     scalar::{Scalar, WideScalar},
 };
+use elliptic_curve::{
+    ops::{LinearCombination, Mul, MulAssign, MulVartime},
+    scalar::IsHigh,
+    subtle::ConditionallySelectable,
+};
 
-use core::ops::{Mul, MulAssign};
-use elliptic_curve::{ops::LinearCombination, scalar::IsHigh, subtle::ConditionallySelectable};
+#[cfg(feature = "precomputed-tables")]
+use elliptic_curve::point::PointWithBasepointTable;
 
-/// Lookup table for multiples of a given point.
-type LookupTable = elliptic_curve::point::LookupTable<ProjectivePoint>;
+/// Window size for the basepoint table.
+#[cfg(feature = "precomputed-tables")]
+const WINDOW_SIZE: usize = 33;
 
 /// Basepoint table for multiples of secp256k1's generator.
 #[cfg(feature = "precomputed-tables")]
-type BasepointTable = elliptic_curve::point::BasepointTable<ProjectivePoint, 33>;
+type BasepointTable = elliptic_curve::point::BasepointTable<ProjectivePoint, WINDOW_SIZE>;
+
+/// Lookup table for multiples of a given point.
+type LookupTable = elliptic_curve::point::LookupTable<ProjectivePoint>;
 
 const MINUS_LAMBDA: Scalar = Scalar::from_bytes_unchecked(&[
     0xac, 0x9c, 0x52, 0xb3, 0x3f, 0xa3, 0xcf, 0x1f, 0x5a, 0xd9, 0xe3, 0xfd, 0x77, 0xed, 0x9b, 0xa4,
@@ -319,6 +328,11 @@ fn lincomb(
 #[cfg(feature = "precomputed-tables")]
 static BASEPOINT_TABLE: BasepointTable = BasepointTable::new();
 
+#[cfg(feature = "precomputed-tables")]
+impl PointWithBasepointTable<WINDOW_SIZE> for ProjectivePoint {
+    const BASEPOINT_TABLE: &'static BasepointTable = &BASEPOINT_TABLE;
+}
+
 impl ProjectivePoint {
     /// Calculates `k * G`, where `G` is the generator.
     #[cfg(not(feature = "precomputed-tables"))]
@@ -375,6 +389,27 @@ impl Mul<&Scalar> for ProjectivePoint {
     }
 }
 
+impl MulVartime<Scalar> for ProjectivePoint {
+    fn mul_vartime(self, other: Scalar) -> ProjectivePoint {
+        // TODO(tarcieri): actual vartime implementation (i.e. wNAF)
+        mul(&self, &other)
+    }
+}
+
+impl MulVartime<&Scalar> for &ProjectivePoint {
+    fn mul_vartime(self, other: &Scalar) -> ProjectivePoint {
+        // TODO(tarcieri): actual vartime implementation (i.e. wNAF)
+        mul(self, other)
+    }
+}
+
+impl MulVartime<&Scalar> for ProjectivePoint {
+    // TODO(tarcieri): actual vartime implementation (i.e. wNAF)
+    fn mul_vartime(self, other: &Scalar) -> ProjectivePoint {
+        mul(&self, other)
+    }
+}
+
 impl MulAssign<Scalar> for ProjectivePoint {
     fn mul_assign(&mut self, rhs: Scalar) {
         *self = mul(self, &rhs);

k256/src/arithmetic/mul.rs

@@ -1,19 +1,16 @@
 //! Scalar field arithmetic.
 
-use crate::{
-    FieldBytes, NonZeroScalar, ORDER, ORDER_HEX, Secp256k1, WideBytes,
-    arithmetic::{AffinePoint, ProjectivePoint},
-};
-use core::{
-    iter::{Product, Sum},
-    ops::{Add, AddAssign, Mul, MulAssign, Neg, Shr, ShrAssign, Sub, SubAssign},
-};
+use crate::{FieldBytes, NonZeroScalar, ORDER, ORDER_HEX, Secp256k1, WideBytes};
+use core::iter::{Product, Sum};
 use elliptic_curve::{
     Curve, Error, Generate, ScalarValue,
     bigint::{ArrayEncoding, Limb, U256, U512, Word, cpubits, modular::Retrieve},
     ctutils,
     ff::{self, Field, FromUniformBytes, PrimeField},
-    ops::{Invert, Reduce, ReduceNonZero},
+    ops::{
+        Add, AddAssign, Invert, Mul, MulAssign, Neg, Reduce, ReduceNonZero, Shr, ShrAssign, Sub,
+        SubAssign,
+    },
     rand_core::{CryptoRng, TryCryptoRng, TryRng},
     scalar::{FromUintUnchecked, IsHigh},
     subtle::{
@@ -615,77 +612,7 @@ impl Mul<&Scalar> for Scalar {
     }
 }
 
-impl Mul<AffinePoint> for Scalar {
-    type Output = ProjectivePoint;
-
-    #[inline]
-    fn mul(self, rhs: AffinePoint) -> ProjectivePoint {
-        rhs * self
-    }
-}
-
-impl Mul<&AffinePoint> for Scalar {
-    type Output = ProjectivePoint;
-
-    #[inline]
-    fn mul(self, rhs: &AffinePoint) -> ProjectivePoint {
-        *rhs * self
-    }
-}
-
-impl Mul<AffinePoint> for &Scalar {
-    type Output = ProjectivePoint;
-
-    #[inline]
-    fn mul(self, rhs: AffinePoint) -> ProjectivePoint {
-        rhs * self
-    }
-}
-
-impl Mul<&AffinePoint> for &Scalar {
-    type Output = ProjectivePoint;
-
-    #[inline]
-    fn mul(self, rhs: &AffinePoint) -> ProjectivePoint {
-        *rhs * self
-    }
-}
-
-impl Mul<ProjectivePoint> for Scalar {
-    type Output = ProjectivePoint;
-
-    #[inline]
-    fn mul(self, rhs: ProjectivePoint) -> ProjectivePoint {
-        rhs * self
-    }
-}
-
-impl Mul<&ProjectivePoint> for Scalar {
-    type Output = ProjectivePoint;
-
-    #[inline]
-    fn mul(self, rhs: &ProjectivePoint) -> ProjectivePoint {
-        rhs * &self
-    }
-}
-
-impl Mul<ProjectivePoint> for &Scalar {
-    type Output = ProjectivePoint;
-
-    #[inline]
-    fn mul(self, rhs: ProjectivePoint) -> ProjectivePoint {
-        rhs * self
-    }
-}
-
-impl Mul<&ProjectivePoint> for &Scalar {
-    type Output = ProjectivePoint;
-
-    #[inline]
-    fn mul(self, rhs: &ProjectivePoint) -> ProjectivePoint {
-        rhs * self
-    }
-}
+elliptic_curve::scalar_mul_impls!(Secp256k1, Scalar);
 
 impl MulAssign<Scalar> for Scalar {
     fn mul_assign(&mut self, rhs: Scalar) {

k256/src/arithmetic/scalar.rs

@@ -3,16 +3,14 @@
 #![allow(clippy::op_ref)]
 
 use crate::{PrimeCurveParams, ProjectivePoint};
-use core::{
-    borrow::Borrow,
-    ops::{Mul, Neg},
-};
+use core::borrow::Borrow;
 use elliptic_curve::{
     Error, FieldBytes, FieldBytesEncoding, FieldBytesSize, Generate, PublicKey, Result, Scalar,
     array::ArraySize,
     ctutils::{self, CtGt as _, CtSelect as _},
     ff::{Field, PrimeField},
     group::{GroupEncoding, prime::PrimeCurveAffine},
+    ops::{Mul, MulVartime, Neg},
     point::{AffineCoordinates, DecompactPoint, DecompressPoint, Double, NonIdentity},
     rand_core::{TryCryptoRng, TryRng},
     sec1::{
@@ -528,6 +526,30 @@ where
     }
 }
 
+impl<C, S> MulVartime<S> for AffinePoint<C>
+where
+    C: PrimeCurveParams,
+    S: Borrow<Scalar<C>>,
+    ProjectivePoint<C>: Double,
+{
+    #[inline]
+    fn mul_vartime(self, scalar: S) -> ProjectivePoint<C> {
+        ProjectivePoint::<C>::from(self).mul_vartime(scalar)
+    }
+}
+
+impl<C, S> MulVartime<S> for &AffinePoint<C>
+where
+    C: PrimeCurveParams,
+    S: Borrow<Scalar<C>>,
+    ProjectivePoint<C>: Double,
+{
+    #[inline]
+    fn mul_vartime(self, scalar: S) -> ProjectivePoint<C> {
+        ProjectivePoint::<C>::from(self).mul_vartime(scalar)
+    }
+}
+
 impl<C> Neg for AffinePoint<C>
 where
     C: PrimeCurveParams,

primeorder/src/affine.rs

@@ -3,12 +3,7 @@
 #![allow(clippy::needless_range_loop, clippy::op_ref)]
 
 use crate::{AffinePoint, Field, PrimeCurveParams, point_arithmetic::PointArithmetic};
-use core::{
-    array,
-    borrow::Borrow,
-    iter::Sum,
-    ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign},
-};
+use core::{array, borrow::Borrow, iter::Sum};
 use elliptic_curve::{
     BatchNormalize, CurveGroup, Error, FieldBytes, FieldBytesSize, Generate, PrimeField, PublicKey,
     Result, Scalar,
@@ -20,7 +15,10 @@ use elliptic_curve::{
         cofactor::CofactorGroup,
         prime::{PrimeCurve, PrimeGroup},
     },
-    ops::{BatchInvert, LinearCombination},
+    ops::{
+        Add, AddAssign, BatchInvert, LinearCombination, Mul, MulAssign, MulVartime, Neg, Sub,
+        SubAssign,
+    },
     point::{Double, NonIdentity},
     rand_core::{TryCryptoRng, TryRng},
     sec1::{
@@ -120,6 +118,15 @@ where
         lincomb(array::from_mut(&mut k), array::from_mut(&mut pc))
     }
 
+    /// Returns `[k] self` computed in variable time.
+    fn mul_vartime(&self, k: &Scalar<C>) -> Self
+    where
+        Self: Double,
+    {
+        // TODO(tarcieri): use wNAF for variable-time scalar multiplication when available
+        self.mul(k)
+    }
+
     /// Obtain a wNAF context for this group.
     #[cfg(feature = "alloc")]
     pub fn wnaf() -> Wnaf<(), Vec<Self>, Vec<i64>>
@@ -890,6 +897,38 @@ where
     }
 }
 
+impl<C, S> MulVartime<S> for ProjectivePoint<C>
+where
+    Self: Double,
+    C: PrimeCurveParams,
+    S: Borrow<Scalar<C>>,
+{
+    fn mul_vartime(self, scalar: S) -> Self {
+        ProjectivePoint::mul_vartime(&self, scalar.borrow())
+    }
+}
+
+impl<C, S> MulVartime<S> for &ProjectivePoint<C>
+where
+    Self: Double,
+    C: PrimeCurveParams,
+    S: Borrow<Scalar<C>>,
+{
+    fn mul_vartime(self, scalar: S) -> ProjectivePoint<C> {
+        ProjectivePoint::mul_vartime(self, scalar.borrow())
+    }
+}
+
+impl<C> MulVartime<&Scalar<C>> for &ProjectivePoint<C>
+where
+    C: PrimeCurveParams,
+    ProjectivePoint<C>: Double,
+{
+    fn mul_vartime(self, scalar: &Scalar<C>) -> ProjectivePoint<C> {
+        ProjectivePoint::mul_vartime(self, scalar)
+    }
+}
+
 impl<C, S> MulAssign<S> for ProjectivePoint<C>
 where
     Self: Double,