Implement BatchNormalize for EdwardsPoint

Author: daxpedda

ed448-goldilocks/README.md

@@ -29,7 +29,7 @@ assert_eq!(public_key, EdwardsPoint::GENERATOR + EdwardsPoint::GENERATOR);
 
 let secret_key = EdwardsScalar::try_from_rng(&mut OsRng).unwrap();
 let public_key = EdwardsPoint::GENERATOR * &secret_key;
-let compressed_public_key = public_key.compress();
+let compressed_public_key = public_key.to_affine().compress();
 
 assert_eq!(compressed_public_key.to_bytes().len(), 57);
 
@@ -38,12 +38,12 @@ let input = hex_literal::hex!("c8c6c8f584e0c25efdb6af5ad234583c56dedd7c33e0c8934
 let expected_scalar = EdwardsScalar::from_canonical_bytes(&input.into()).unwrap();
 assert_eq!(hashed_scalar, expected_scalar);
 
-let hashed_point = Ed448::hash_from_bytes::<ExpandMsgXof<Shake256>>(&[b"test"], &[b"edwards448_XOF:SHAKE256_ELL2_RO_"]).unwrap();
+let hashed_point = Ed448::hash_from_bytes::<ExpandMsgXof<Shake256>>(&[b"test"], &[b"edwards448_XOF:SHAKE256_ELL2_RO_"]).unwrap().to_affine();
 let expected = hex_literal::hex!("d15c4427b5c5611a53593c2be611fd3635b90272d331c7e6721ad3735e95dd8b9821f8e4e27501ce01aa3c913114052dce2e91e8ca050f4980");
 let expected_point = CompressedEdwardsY(expected).decompress().unwrap();
 assert_eq!(hashed_point, expected_point);
 
-let hashed_point = EdwardsPoint::hash_with_defaults(b"test");
+let hashed_point = EdwardsPoint::hash_with_defaults(b"test").to_affine();
 assert_eq!(hashed_point, expected_point);
 ```
 

ed448-goldilocks/src/edwards/extended.rs

@@ -7,10 +7,10 @@ use crate::edwards::affine::PointBytes;
 use crate::field::FieldElement;
 use crate::*;
 use elliptic_curve::{
-    CurveGroup, Error,
+    BatchNormalize, CurveGroup, Error,
     array::Array,
     group::{Group, GroupEncoding, cofactor::CofactorGroup, prime::PrimeGroup},
-    ops::LinearCombination,
+    ops::{BatchInvert, LinearCombination},
     point::NonIdentity,
 };
 use hash2curve::ExpandMsgXof;
@@ -293,6 +293,14 @@ impl CurveGroup for EdwardsPoint {
     fn to_affine(&self) -> AffinePoint {
         self.to_affine()
     }
+
+    #[cfg(feature = "alloc")]
+    #[inline]
+    fn batch_normalize(projective: &[Self], affine: &mut [Self::AffineRepr]) {
+        assert_eq!(projective.len(), affine.len());
+        let mut zs = alloc::vec![FieldElement::ONE; projective.len()];
+        batch_normalize_generic(projective, zs.as_mut_slice(), affine);
+    }
 }
 
 impl EdwardsPoint {
@@ -674,11 +682,76 @@ impl<'de> serdect::serde::Deserialize<'de> for EdwardsPoint {
 
 impl elliptic_curve::zeroize::DefaultIsZeroes for EdwardsPoint {}
 
+impl<const N: usize> BatchNormalize<[EdwardsPoint; N]> for EdwardsPoint {
+    type Output = [<Self as CurveGroup>::AffineRepr; N];
+
+    #[inline]
+    fn batch_normalize(points: &[Self; N]) -> [<Self as CurveGroup>::AffineRepr; N] {
+        let zs = [FieldElement::ONE; N];
+        let mut affine_points = [AffinePoint::IDENTITY; N];
+        batch_normalize_generic(points, zs, &mut affine_points);
+        affine_points
+    }
+}
+
+#[cfg(feature = "alloc")]
+impl BatchNormalize<[EdwardsPoint]> for EdwardsPoint {
+    type Output = Vec<<Self as CurveGroup>::AffineRepr>;
+
+    #[inline]
+    fn batch_normalize(points: &[Self]) -> Vec<<Self as CurveGroup>::AffineRepr> {
+        use alloc::vec;
+
+        let mut zs = vec![FieldElement::ONE; points.len()];
+        let mut affine_points = vec![AffinePoint::IDENTITY; points.len()];
+        batch_normalize_generic(points, zs.as_mut_slice(), &mut affine_points);
+        affine_points
+    }
+}
+
+/// Generic implementation of batch normalization.
+fn batch_normalize_generic<P, Z, I, O>(points: &P, mut zs: Z, out: &mut O)
+where
+    FieldElement: BatchInvert<Z, Output = CtOption<I>>,
+    P: AsRef<[EdwardsPoint]> + ?Sized,
+    Z: AsMut<[FieldElement]>,
+    I: AsRef<[FieldElement]>,
+    O: AsMut<[AffinePoint]> + ?Sized,
+{
+    let points = points.as_ref();
+    let out = out.as_mut();
+
+    for (i, point) in points.iter().enumerate() {
+        // Even a single zero value will fail inversion for the entire batch.
+        // Put a dummy value (above `FieldElement::ONE`) so inversion succeeds
+        // and treat that case specially later-on.
+        zs.as_mut()[i].conditional_assign(&point.Z, !point.Z.ct_eq(&FieldElement::ZERO));
+    }
+
+    // This is safe to unwrap since we assured that all elements are non-zero
+    let zs_inverses = <FieldElement as BatchInvert<Z>>::batch_invert(zs)
+        .expect("all elements should be non-zero");
+
+    for i in 0..out.len() {
+        // If the `z` coordinate is non-zero, we can use it to invert;
+        // otherwise it defaults to the `IDENTITY` value.
+        out[i] = AffinePoint::conditional_select(
+            &AffinePoint {
+                x: points[i].X * zs_inverses.as_ref()[i],
+                y: points[i].Y * zs_inverses.as_ref()[i],
+            },
+            &AffinePoint::IDENTITY,
+            points[i].Z.ct_eq(&FieldElement::ZERO),
+        );
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
     use elliptic_curve::Field;
     use hex_literal::hex;
+    use rand_core::OsRng;
 
     fn hex_to_field(hex: &'static str) -> FieldElement {
         assert_eq!(hex.len(), 56 * 2);
@@ -973,4 +1046,33 @@ mod tests {
 
         assert_eq!(computed_commitment, expected_commitment);
     }
+
+    #[test]
+    fn batch_normalize() {
+        let points: [EdwardsPoint; 2] = [
+            EdwardsPoint::try_from_rng(&mut OsRng).unwrap(),
+            EdwardsPoint::try_from_rng(&mut OsRng).unwrap(),
+        ];
+
+        let affine_points = <EdwardsPoint as BatchNormalize<_>>::batch_normalize(&points);
+
+        for (point, affine_point) in points.into_iter().zip(affine_points) {
+            assert_eq!(affine_point, point.to_affine());
+        }
+    }
+
+    #[test]
+    #[cfg(feature = "alloc")]
+    fn batch_normalize_alloc() {
+        let points = alloc::vec![
+            EdwardsPoint::try_from_rng(&mut OsRng).unwrap(),
+            EdwardsPoint::try_from_rng(&mut OsRng).unwrap(),
+        ];
+
+        let affine_points = <EdwardsPoint as BatchNormalize<_>>::batch_normalize(points.as_slice());
+
+        for (point, affine_point) in points.into_iter().zip(affine_points) {
+            assert_eq!(affine_point, point.to_affine());
+        }
+    }
 }

ed448-goldilocks/src/field/element.rs

@@ -1,22 +1,29 @@
 use core::fmt::{self, Debug, Display, Formatter, LowerHex, UpperHex};
+use core::iter::{Product, Sum};
 use core::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign};
 
-use super::ConstMontyType;
+use super::{ConstMontyType, MODULUS};
 use crate::{
     AffinePoint, Decaf448, DecafPoint, Ed448, EdwardsPoint,
     curve::twedwards::extended::ExtendedPoint as TwistedExtendedPoint,
 };
 use elliptic_curve::{
+    Field,
     array::Array,
     bigint::{
         Integer, NonZero, U448, U704,
         consts::{U56, U84, U88},
+        modular::ConstMontyParams,
     },
     group::cofactor::CofactorGroup,
     zeroize::DefaultIsZeroes,
 };
 use hash2curve::{FromOkm, MapToCurve};
-use subtle::{Choice, ConditionallyNegatable, ConditionallySelectable, ConstantTimeEq};
+use rand_core::TryRngCore;
+use subtle::{
+    Choice, ConditionallyNegatable, ConditionallySelectable, ConstantTimeEq, ConstantTimeLess,
+    CtOption,
+};
 
 #[derive(Clone, Copy, Default)]
 pub struct FieldElement(pub(crate) ConstMontyType);
@@ -225,6 +232,68 @@ impl MapToCurve for Decaf448 {
     }
 }
 
+impl Sum for FieldElement {
+    fn sum<I: Iterator<Item = Self>>(iter: I) -> Self {
+        iter.reduce(Add::add).unwrap_or(Self::ZERO)
+    }
+}
+
+impl<'a> Sum<&'a FieldElement> for FieldElement {
+    fn sum<I: Iterator<Item = &'a FieldElement>>(iter: I) -> Self {
+        iter.copied().sum()
+    }
+}
+
+impl Product for FieldElement {
+    fn product<I: Iterator<Item = Self>>(iter: I) -> Self {
+        iter.reduce(Mul::mul).unwrap_or(Self::ONE)
+    }
+}
+
+impl<'a> Product<&'a FieldElement> for FieldElement {
+    fn product<I: Iterator<Item = &'a Self>>(iter: I) -> Self {
+        iter.copied().product()
+    }
+}
+
+impl Field for FieldElement {
+    const ZERO: Self = Self::ZERO;
+    const ONE: Self = Self::ONE;
+
+    fn try_from_rng<R: TryRngCore + ?Sized>(rng: &mut R) -> Result<Self, R::Error> {
+        let mut bytes = [0; 56];
+
+        loop {
+            rng.try_fill_bytes(&mut bytes)?;
+            if let Some(fe) = Self::from_repr(&bytes).into() {
+                return Ok(fe);
+            }
+        }
+    }
+
+    fn square(&self) -> Self {
+        self.square()
+    }
+
+    fn double(&self) -> Self {
+        self.double()
+    }
+
+    fn invert(&self) -> CtOption<Self> {
+        CtOption::from(self.0.invert()).map(Self)
+    }
+
+    fn sqrt(&self) -> CtOption<Self> {
+        let sqrt = self.sqrt();
+        CtOption::new(sqrt, sqrt.square().ct_eq(self))
+    }
+
+    fn sqrt_ratio(num: &Self, div: &Self) -> (Choice, Self) {
+        let (result, is_square) = Self::sqrt_ratio(num, div);
+        (is_square, result)
+    }
+}
+
 impl FieldElement {
     pub const A_PLUS_TWO_OVER_FOUR: Self = Self(ConstMontyType::new(&U448::from_be_hex(
         "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000098aa",
@@ -315,6 +384,12 @@ impl FieldElement {
         Self(ConstMontyType::new(&U448::from_le_slice(bytes)))
     }
 
+    pub fn from_repr(bytes: &[u8; 56]) -> CtOption<Self> {
+        let integer = U448::from_le_slice(bytes);
+        let is_some = integer.ct_lt(MODULUS::PARAMS.modulus());
+        CtOption::new(Self(ConstMontyType::new(&integer)), is_some)
+    }
+
     pub fn double(&self) -> Self {
         Self(self.0.double())
     }