primeorder: add optimized implementation for LinearCombination (#1360)

daxpedda · web-flow · commit 5f27bb482fe5 · 2025-08-05T08:02:07.000-06:00
diff --git a/p256/tests/projective.rs b/p256/tests/projective.rs
@@ -3,17 +3,18 @@
 #![cfg(all(feature = "arithmetic", feature = "test-vectors"))]
 
 use elliptic_curve::{
-    BatchNormalize,
+    BatchNormalize, Group,
+    array::Array,
     group::{GroupEncoding, ff::PrimeField},
-    ops::ReduceNonZero,
+    ops::{LinearCombination, Reduce, ReduceNonZero},
     point::NonIdentity,
     sec1::{self, ToEncodedPoint},
 };
 use p256::{
     AffinePoint, FieldBytes, NonZeroScalar, ProjectivePoint, Scalar,
     test_vectors::group::{ADD_TEST_VECTORS, MUL_TEST_VECTORS},
 };
-use primeorder::{Double, test_projective_arithmetic};
+use primeorder::test_projective_arithmetic;
 use proptest::{prelude::any, prop_compose, proptest};
 
 test_projective_arithmetic!(
@@ -36,6 +37,18 @@ prop_compose! {
     }
 }
 
+prop_compose! {
+    fn projective()(bytes in any::<[u8; 32]>()) -> ProjectivePoint {
+        ProjectivePoint::mul_by_generator(&Scalar::reduce(&Array::from(bytes)))
+    }
+}
+
+prop_compose! {
+    fn scalar()(bytes in any::<[u8; 32]>()) -> Scalar {
+        Scalar::reduce(&Array::from(bytes))
+    }
+}
+
 // TODO: move to `primeorder::test_projective_arithmetic`.
 proptest! {
     #[test]
@@ -66,4 +79,29 @@ proptest! {
             assert_eq!(affine_point, point.to_affine());
         }
     }
+
+    #[test]
+    fn lincomb(
+        p1 in projective(),
+        s1 in scalar(),
+        p2 in projective(),
+        s2 in scalar(),
+    ) {
+        let reference = p1 * s1 + p2 * s2;
+        let test = ProjectivePoint::lincomb(&[(p1, s1), (p2, s2)]);
+        assert_eq!(reference, test);
+    }
+
+    #[test]
+    #[cfg(feature = "alloc")]
+    fn lincomb_alloc(
+        p1 in projective(),
+        s1 in scalar(),
+        p2 in projective(),
+        s2 in scalar(),
+    ) {
+        let reference = p1 * s1 + p2 * s2;
+        let test = ProjectivePoint::lincomb(vec![(p1, s1), (p2, s2)].as_slice());
+        assert_eq!(reference, test);
+    }
 }
diff --git a/primeorder/src/projective.rs b/primeorder/src/projective.rs
@@ -4,6 +4,7 @@
 
 use crate::{AffinePoint, Field, PrimeCurveParams, point_arithmetic::PointArithmetic};
 use core::{
+    array,
     borrow::Borrow,
     iter::Sum,
     ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign},
@@ -12,7 +13,7 @@ use elliptic_curve::{
     BatchNormalize, CurveGroup, Error, FieldBytes, FieldBytesSize, PrimeField, PublicKey, Result,
     Scalar,
     array::ArraySize,
-    bigint::ArrayEncoding,
+    bigint::{ArrayEncoding, ByteArray},
     group::{
         Group, GroupEncoding,
         prime::{PrimeCurve, PrimeGroup},
@@ -109,46 +110,10 @@ where
     where
         Self: Double,
     {
-        let k = Into::<C::Uint>::into(*k).to_le_byte_array();
+        let mut k = Into::<C::Uint>::into(*k).to_le_byte_array();
+        let mut pc = LookupTable::new(*self);
 
-        let mut pc = [Self::default(); 16];
-        pc[0] = Self::IDENTITY;
-        pc[1] = *self;
-
-        for i in 2..16 {
-            pc[i] = if i % 2 == 0 {
-                Double::double(&pc[i / 2])
-            } else {
-                pc[i - 1].add(self)
-            };
-        }
-
-        let mut q = Self::IDENTITY;
-        let mut pos = (<Scalar<C> as PrimeField>::NUM_BITS.div_ceil(8) * 8) as usize - 4;
-
-        loop {
-            let slot = (k[pos >> 3] >> (pos & 7)) & 0xf;
-
-            let mut t = ProjectivePoint::IDENTITY;
-
-            for i in 1..16 {
-                t.conditional_assign(
-                    &pc[i],
-                    Choice::from(((slot as usize ^ i).wrapping_sub(1) >> 8) as u8 & 1),
-                );
-            }
-
-            q = q.add(&t);
-
-            if pos == 0 {
-                break;
-            }
-
-            q = Double::double(&Double::double(&Double::double(&Double::double(&q))));
-            pos -= 4;
-        }
-
-        q
+        lincomb(array::from_mut(&mut k), array::from_mut(&mut pc))
     }
 }
 
@@ -403,15 +368,92 @@ where
     C: PrimeCurveParams,
     FieldBytes<C>: Copy,
 {
-    // TODO(tarcieri): optimized implementation
+    #[cfg(feature = "alloc")]
+    fn lincomb(points_and_scalars: &[(Self, Scalar<C>)]) -> Self {
+        let (mut ks, mut pcs): (Vec<_>, Vec<_>) = points_and_scalars
+            .iter()
+            .map(|(point, scalar)| {
+                (
+                    Into::<C::Uint>::into(*scalar).to_le_byte_array(),
+                    LookupTable::new(*point),
+                )
+            })
+            .unzip();
+
+        lincomb::<C>(&mut ks, &mut pcs)
+    }
 }
 
 impl<C, const N: usize> LinearCombination<[(Self, Scalar<C>); N]> for ProjectivePoint<C>
 where
     C: PrimeCurveParams,
     FieldBytes<C>: Copy,
 {
-    // TODO(tarcieri): optimized implementation
+    fn lincomb(points_and_scalars: &[(Self, Scalar<C>); N]) -> Self {
+        let mut ks: [_; N] = array::from_fn(|index| {
+            Into::<C::Uint>::into(points_and_scalars[index].1).to_le_byte_array()
+        });
+        let mut pcs: [_; N] = array::from_fn(|index| LookupTable::new(points_and_scalars[index].0));
+
+        lincomb::<C>(&mut ks, &mut pcs)
+    }
+}
+
+fn lincomb<C: PrimeCurveParams>(
+    ks: &mut [ByteArray<C::Uint>],
+    pcs: &mut [LookupTable<C>],
+) -> ProjectivePoint<C> {
+    let mut q = ProjectivePoint::IDENTITY;
+    let mut pos = (<Scalar<C> as PrimeField>::NUM_BITS.div_ceil(8) * 8) as usize - 4;
+
+    loop {
+        for (k, pc) in ks.iter().zip(pcs.iter()) {
+            let slot = (k[pos >> 3] >> (pos & 7)) & 0xf;
+            q = q.add(&pc.select(slot));
+        }
+
+        if pos == 0 {
+            break;
+        }
+
+        q = Double::double(&Double::double(&Double::double(&Double::double(&q))));
+        pos -= 4;
+    }
+
+    q
+}
+
+struct LookupTable<C: PrimeCurveParams>([ProjectivePoint<C>; 16]);
+
+impl<C: PrimeCurveParams> LookupTable<C> {
+    fn new(point: ProjectivePoint<C>) -> Self {
+        let mut pc = [ProjectivePoint::default(); 16];
+        pc[0] = ProjectivePoint::IDENTITY;
+        pc[1] = point;
+
+        for i in 2..16 {
+            pc[i] = if i % 2 == 0 {
+                Double::double(&pc[i / 2])
+            } else {
+                pc[i - 1].add(point)
+            };
+        }
+
+        Self(pc)
+    }
+
+    fn select(&self, slot: u8) -> ProjectivePoint<C> {
+        let mut t = ProjectivePoint::IDENTITY;
+
+        for i in 1..16 {
+            t.conditional_assign(
+                &self.0[i],
+                Choice::from(((slot as usize ^ i).wrapping_sub(1) >> 8) as u8 & 1),
+            );
+        }
+
+        t
+    }
 }
 
 impl<C> PrimeGroup for ProjectivePoint<C>
