Reuse Edwards windowed scalar multiplication for Decaf

Author: daxpedda

ed448-goldilocks/src/curve/scalar_mul.rs

@@ -1,7 +1,5 @@
-pub(crate) mod double_and_add;
 // pub(crate) mod double_base;
 pub(crate) mod variable_base;
 pub(crate) mod window;
 
-pub(crate) use double_and_add::double_and_add;
 pub(crate) use variable_base::variable_base;

ed448-goldilocks/src/curve/scalar_mul/double_and_add.rs

@@ -1,11 +1,12 @@
 #![allow(non_snake_case)]
 
 use super::window::wnaf::LookupTable;
-use crate::EdwardsScalar;
+use crate::Scalar;
 use crate::curve::twedwards::{extended::ExtendedPoint, extensible::ExtensiblePoint};
+use crate::field::CurveWithScalar;
 use subtle::{Choice, ConditionallyNegatable};
 
-pub fn variable_base(point: &ExtendedPoint, s: &EdwardsScalar) -> ExtendedPoint {
+pub fn variable_base<C: CurveWithScalar>(point: &ExtendedPoint, s: &Scalar<C>) -> ExtendedPoint {
     let mut result = ExtensiblePoint::IDENTITY;
 
     // Recode Scalar
@@ -37,12 +38,30 @@ pub fn variable_base(point: &ExtendedPoint, s: &EdwardsScalar) -> ExtendedPoint
 #[cfg(test)]
 mod test {
     use super::*;
+    use crate::EdwardsScalar;
     use crate::TWISTED_EDWARDS_BASE_POINT;
-    use crate::curve::scalar_mul::double_and_add;
     use elliptic_curve::bigint::U448;
+    use subtle::ConditionallySelectable;
 
     #[test]
     fn test_scalar_mul() {
+        /// Traditional double and add algorithm
+        fn double_and_add(point: &ExtendedPoint, s_bits: [bool; 448]) -> ExtendedPoint {
+            let mut result = ExtendedPoint::IDENTITY;
+
+            // NB, we reverse here, so we are going from MSB to LSB
+            // XXX: Would be great if subtle had a From<u32> for Choice. But maybe that is not it's purpose?
+            for bit in s_bits.into_iter().rev() {
+                result = result.double();
+
+                let mut p = ExtendedPoint::IDENTITY;
+                p.conditional_assign(point, Choice::from(bit as u8));
+                result = result.add(&p);
+            }
+
+            result
+        }
+
         // XXX: In the future use known multiples from Sage in bytes form?
         let twisted_point = TWISTED_EDWARDS_BASE_POINT;
         let scalar = EdwardsScalar::new(U448::from_be_hex(

ed448-goldilocks/src/curve/scalar_mul/variable_base.rs

@@ -1,4 +1,5 @@
-use crate::{DecafAffinePoint, DecafScalar, curve::scalar_mul::double_and_add};
+use crate::curve::scalar_mul::variable_base;
+use crate::{DecafAffinePoint, DecafScalar};
 use core::{
     borrow::Borrow,
     iter::Sum,
@@ -13,8 +14,7 @@ impl Mul<&DecafScalar> for &DecafPoint {
     type Output = DecafPoint;
 
     fn mul(self, scalar: &DecafScalar) -> DecafPoint {
-        // XXX: We can do better than double and add
-        DecafPoint(double_and_add(&self.0, scalar.bits()))
+        DecafPoint(variable_base(&self.0, scalar))
     }
 }