Compute Ed448 scalar multiplication in untwisted form

Author: daxpedda

ed448-goldilocks/src/edwards.rs

@@ -11,7 +11,9 @@
 /// If this is a problem, one can use a different isogeny strategy (Decaf)
 pub(crate) mod affine;
 pub(crate) mod extended;
+mod mul;
 mod scalar;
 pub use affine::AffinePoint;
 pub use extended::{CompressedEdwardsY, EdwardsPoint};
+use mul::scalar_mul;
 pub use scalar::{EdwardsScalar, EdwardsScalarBytes, WideEdwardsScalarBytes};

ed448-goldilocks/src/edwards/extended.rs

@@ -3,7 +3,7 @@ use core::fmt::{Display, Formatter, LowerHex, Result as FmtResult, UpperHex};
 use core::iter::Sum;
 use core::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign};
 
-use crate::curve::scalar_mul::variable_base;
+use super::scalar_mul;
 use crate::curve::twedwards::extensible::ExtensiblePoint as TwistedExtensiblePoint;
 use crate::field::FieldElement;
 use crate::*;
@@ -543,40 +543,7 @@ impl EdwardsPoint {
 
     /// Generic scalar multiplication to compute s*P
     pub fn scalar_mul(&self, scalar: &EdwardsScalar) -> Self {
-        // Compute floor(s/4)
-        let mut scalar_div_four = *scalar;
-        scalar_div_four.div_by_four();
-
-        // Use isogeny and dual isogeny to compute phi^-1((s/4) * phi(P))
-        let partial_result =
-            variable_base(&self.to_twisted().to_extended(), &scalar_div_four).to_untwisted();
-        // Add partial result to (scalar mod 4) * P
-        partial_result.add(&self.scalar_mod_four(scalar))
-    }
-
-    /// Returns (scalar mod 4) * P in constant time
-    pub(crate) fn scalar_mod_four(&self, scalar: &EdwardsScalar) -> Self {
-        // Compute compute (scalar mod 4)
-        let s_mod_four = scalar[0] & 3;
-
-        // Compute all possible values of (scalar mod 4) * P
-        let zero_p = EdwardsPoint::IDENTITY;
-        let one_p = self;
-        let two_p = one_p.double();
-        let three_p = two_p.add(self);
-
-        // Under the reasonable assumption that `==` is constant time
-        // Then the whole function is constant time.
-        // This should be cheaper than calling double_and_add or a scalar mul operation
-        // as the number of possibilities are so small.
-        // XXX: This claim has not been tested (although it sounds intuitive to me)
-        let mut result = EdwardsPoint::IDENTITY;
-        result.conditional_assign(&zero_p, Choice::from((s_mod_four == 0) as u8));
-        result.conditional_assign(one_p, Choice::from((s_mod_four == 1) as u8));
-        result.conditional_assign(&two_p, Choice::from((s_mod_four == 2) as u8));
-        result.conditional_assign(&three_p, Choice::from((s_mod_four == 3) as u8));
-
-        result
+        scalar_mul(self, scalar)
     }
 
     /// Standard compression; store Y and sign of X

ed448-goldilocks/src/edwards/mul.rs

@@ -0,0 +1,119 @@
+use super::{EdwardsPoint, EdwardsScalar};
+use crate::field::FieldElement;
+use subtle::{Choice, ConditionallyNegatable, ConditionallySelectable, ConstantTimeEq};
+
+pub(super) fn scalar_mul(point: &EdwardsPoint, scalar: &EdwardsScalar) -> EdwardsPoint {
+    let mut result = ExtensiblePoint::IDENTITY;
+
+    // Recode Scalar
+    let scalar = scalar.to_radix_16();
+
+    let lookup = LookupTable::from(point);
+
+    for i in (0..113).rev() {
+        result = result.double();
+        result = result.double();
+        result = result.double();
+        result = result.double();
+
+        // The mask is the top bit, will be 1 for negative numbers, 0 for positive numbers
+        let mask = scalar[i] >> 7;
+        let sign = mask & 0x1;
+        // Use the mask to get the absolute value of scalar
+        let abs_value = ((scalar[i] + mask) ^ mask) as u32;
+
+        let mut neg_P = lookup.select(abs_value);
+        neg_P.conditional_negate(Choice::from((sign) as u8));
+
+        result = (EdwardsPoint::from(result) + neg_P).into();
+    }
+
+    result.into()
+}
+
+struct ExtensiblePoint {
+    X: FieldElement,
+    Y: FieldElement,
+    Z: FieldElement,
+    T1: FieldElement,
+    T2: FieldElement,
+}
+
+impl ExtensiblePoint {
+    const IDENTITY: ExtensiblePoint = ExtensiblePoint {
+        X: FieldElement::ZERO,
+        Y: FieldElement::ONE,
+        Z: FieldElement::ONE,
+        T1: FieldElement::ZERO,
+        T2: FieldElement::ONE,
+    };
+
+    fn double(&self) -> Self {
+        let A = self.X.square();
+        let B = self.Y.square();
+        let C = self.Z.square().double();
+        let D = A;
+        let E = (self.X + self.Y).square() - A - B;
+        let G = D + B;
+        let F = G - C;
+        let H = D - B;
+        Self {
+            X: E * F,
+            Y: G * H,
+            Z: F * G,
+            T1: E,
+            T2: H,
+        }
+    }
+}
+
+impl From<ExtensiblePoint> for EdwardsPoint {
+    fn from(value: ExtensiblePoint) -> Self {
+        Self {
+            X: value.X,
+            Y: value.Y,
+            Z: value.Z,
+            T: value.T1 * value.T2,
+        }
+    }
+}
+
+impl From<EdwardsPoint> for ExtensiblePoint {
+    fn from(value: EdwardsPoint) -> Self {
+        Self {
+            X: value.X,
+            Y: value.Y,
+            Z: value.Z,
+            T1: value.T,
+            T2: FieldElement::ONE,
+        }
+    }
+}
+
+pub struct LookupTable([EdwardsPoint; 8]);
+
+/// Precomputes odd multiples of the point passed in
+impl From<&EdwardsPoint> for LookupTable {
+    fn from(P: &EdwardsPoint) -> LookupTable {
+        let mut table = [*P; 8];
+
+        for i in 1..8 {
+            table[i] = P + table[i - 1];
+        }
+
+        LookupTable(table)
+    }
+}
+
+impl LookupTable {
+    /// Selects a projective niels point from a lookup table in constant time
+    pub fn select(&self, index: u32) -> EdwardsPoint {
+        let mut result = EdwardsPoint::IDENTITY;
+
+        for i in 1..9 {
+            let swap = index.ct_eq(&(i as u32));
+            result.conditional_assign(&self.0[i - 1], swap);
+        }
+        result
+    }
+}

ed448-goldilocks/src/field/scalar.rs

@@ -666,13 +666,6 @@ impl<C: CurveWithScalar> Scalar<C> {
         self.scalar.is_zero()
     }
 
-    /// Divides a scalar by four without reducing mod p
-    /// This is used in the 2-isogeny when mapping points from Ed448-Goldilocks
-    /// to Twisted-Goldilocks
-    pub(crate) fn div_by_four(&mut self) {
-        self.scalar >>= 2;
-    }
-
     // This method was modified from Curve25519-Dalek codebase. [scalar.rs]
     // We start with 14 u32s and convert them to 56 u8s.
     // We then use the code copied from Dalek to convert the 56 u8s to radix-16 and re-center the coefficients to be between [-16,16)