perf: switch SW_EC to projective coordinates - guest-libs (INT-6136)

Update k256, p256, and pairing guest libraries to use projective
coordinates:
- Add z coordinate to all point generators (z=1)
- Normalize before extracting affine coordinates (x_be_bytes, y_be_bytes,
  AffineCoordinates, ToEncodedPoint, to_affine)
- Use cross-multiplication for projective ConstantTimeEq
- Select all 3 coordinates in ConditionallySelectable
- Remove DefaultIsZeroes (identity is (0,1,0), not all zeros)
- Switch G2 pairing modules from impl_sw_affine! to impl_sw_proj!
- Add .normalize() in tests before comparing to known affine values

Author: Tuanlinh12312

guest-libs/k256/src/internal.rs

@@ -1,4 +1,4 @@
-use core::ops::{Add, Neg};
+use core::ops::Add;
 
 use hex_literal::hex;
 use openvm_algebra_guest::IntMod;
@@ -41,6 +41,7 @@ impl CyclicGroup for Secp256k1Point {
         y: Secp256k1Coord::from_const_bytes(hex!(
             "B8D410FB8FD0479C195485A648B417FDA808110EFCFBA45D65C4A32677DA3A48"
         )),
+        z: Secp256k1Coord::from_const_u8(1),
     };
     const NEG_GENERATOR: Self = Secp256k1Point {
         x: Secp256k1Coord::from_const_bytes(hex!(
@@ -49,6 +50,7 @@ impl CyclicGroup for Secp256k1Point {
         y: Secp256k1Coord::from_const_bytes(hex!(
             "7727EF046F2FB863E6AB7A59B74BE80257F7EEF103045BA29A3B5CD98825C5B7"
         )),
+        z: Secp256k1Coord::from_const_u8(1),
     };
 }
 
@@ -74,10 +76,12 @@ impl IntrinsicCurve for Secp256k1 {
 
 impl Secp256k1Point {
     pub fn x_be_bytes(&self) -> [u8; 32] {
-        <Self as WeierstrassPoint>::x(self).to_be_bytes()
+        let n = self.normalize();
+        <Self as WeierstrassPoint>::x(&n).to_be_bytes()
     }
 
     pub fn y_be_bytes(&self) -> [u8; 32] {
-        <Self as WeierstrassPoint>::y(self).to_be_bytes()
+        let n = self.normalize();
+        <Self as WeierstrassPoint>::y(&n).to_be_bytes()
     }
 }

guest-libs/k256/src/point.rs

@@ -10,7 +10,6 @@ use elliptic_curve::{
     rand_core::RngCore,
     sec1::{FromEncodedPoint, ToEncodedPoint},
     subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption},
-    zeroize::DefaultIsZeroes,
     FieldBytesEncoding,
 };
 use openvm_algebra_guest::IntMod;
@@ -42,11 +41,13 @@ impl AffineCoordinates for Secp256k1Point {
     type FieldRepr = FieldBytes;
 
     fn x(&self) -> FieldBytes {
-        *FieldBytes::from_slice(&<Self as WeierstrassPoint>::x(self).to_be_bytes())
+        let n = self.normalize();
+        *FieldBytes::from_slice(&<Self as WeierstrassPoint>::x(&n).to_be_bytes())
     }
 
     fn y_is_odd(&self) -> Choice {
-        (self.y().as_le_bytes()[0] & 1).into()
+        let n = self.normalize();
+        (n.y().as_le_bytes()[0] & 1).into()
     }
 }
 
@@ -58,21 +59,26 @@ impl ConditionallySelectable for Secp256k1Point {
         b: &Secp256k1Point,
         choice: Choice,
     ) -> Secp256k1Point {
-        Secp256k1Point::from_xy_unchecked(
+        Secp256k1Point::from_xyz_unchecked(
             Secp256k1Coord::conditional_select(
                 <Self as WeierstrassPoint>::x(a),
                 <Self as WeierstrassPoint>::x(b),
                 choice,
             ),
             Secp256k1Coord::conditional_select(a.y(), b.y(), choice),
+            Secp256k1Coord::conditional_select(a.z(), b.z(), choice),
         )
     }
 }
 
 impl ConstantTimeEq for Secp256k1Point {
     fn ct_eq(&self, other: &Secp256k1Point) -> Choice {
-        <Self as WeierstrassPoint>::x(self).ct_eq(<Self as WeierstrassPoint>::x(other))
-            & self.y().ct_eq(other.y())
+        // Projective equivalence: (X1*Z2 == X2*Z1) && (Y1*Z2 == Y2*Z1)
+        let x1z2 = <Self as WeierstrassPoint>::x(self) * other.z();
+        let x2z1 = <Self as WeierstrassPoint>::x(other) * self.z();
+        let y1z2 = self.y() * other.z();
+        let y2z1 = other.y() * self.z();
+        x1z2.ct_eq(&x2z1) & y1z2.ct_eq(&y2z1)
     }
 }
 
@@ -82,8 +88,6 @@ impl Default for Secp256k1Point {
     }
 }
 
-impl DefaultIsZeroes for Secp256k1Point {}
-
 impl Sum for Secp256k1Point {
     fn sum<I: Iterator<Item = Self>>(iter: I) -> Self {
         iter.fold(<Self as WeierstrassPoint>::IDENTITY, |a, b| a + b)
@@ -161,7 +165,7 @@ impl elliptic_curve::group::Curve for Secp256k1Point {
     type AffineRepr = Secp256k1Point;
 
     fn to_affine(&self) -> Secp256k1Point {
-        *self
+        self.normalize()
     }
 }
 
@@ -216,10 +220,11 @@ impl FromEncodedPoint<Secp256k1> for Secp256k1Point {
 
 impl ToEncodedPoint<Secp256k1> for Secp256k1Point {
     fn to_encoded_point(&self, compress: bool) -> EncodedPoint {
+        let n = self.normalize();
         EncodedPoint::conditional_select(
             &EncodedPoint::from_affine_coordinates(
-                &<Self as WeierstrassPoint>::x(self).to_be_bytes().into(),
-                &<Self as WeierstrassPoint>::y(self).to_be_bytes().into(),
+                &<Self as WeierstrassPoint>::x(&n).to_be_bytes().into(),
+                &<Self as WeierstrassPoint>::y(&n).to_be_bytes().into(),
                 compress,
             ),
             &EncodedPoint::identity(),

guest-libs/k256/tests/lib.rs

@@ -303,23 +303,25 @@ mod host_tests {
 
         // Generic add can handle equal or unequal points.
         #[allow(clippy::op_ref)]
-        let p3 = &p1 + &p2;
+        let p3 = (&p1 + &p2).normalize();
         if p3.x() != &x3 || p3.y() != &y3 {
             panic!();
         }
         #[allow(clippy::op_ref)]
-        let p4 = &p2 + &p2;
+        let p4 = (&p2 + &p2).normalize();
         if p4.x() != &x4 || p4.y() != &y4 {
             panic!();
         }
 
         // Add assign and double assign
         p1 += &p2;
-        if p1.x() != &x3 || p1.y() != &y3 {
+        let p1n = p1.normalize();
+        if p1n.x() != &x3 || p1n.y() != &y3 {
             panic!();
         }
         p2.double_assign();
-        if p2.x() != &x4 || p2.y() != &y4 {
+        let p2n = p2.normalize();
+        if p2n.x() != &x4 || p2n.y() != &y4 {
             panic!();
         }
 
@@ -333,7 +335,7 @@ mod host_tests {
         let y5 = Secp256k1Coord::from_le_bytes_unchecked(&hex!(
             "9E272F746DA7BED171E522610212B6AEEAAFDB2AD9F4B530B8E1B27293B19B2C"
         ));
-        let result = msm(&[scalar], &[p1]);
+        let result = msm(&[scalar], &[p1]).normalize();
         if result.x() != &x5 || result.y() != &y5 {
             panic!();
         }

guest-libs/p256/src/internal.rs

@@ -1,4 +1,4 @@
-use core::ops::{Add, Neg};
+use core::ops::Add;
 
 use hex_literal::hex;
 use openvm_algebra_guest::IntMod;
@@ -42,6 +42,7 @@ impl CyclicGroup for P256Point {
         y: P256Coord::from_const_bytes(hex!(
             "f551bf376840b6cbce5e316b5733ce2b169e0f7c4aebe78e9b7f1afee242e34f"
         )),
+        z: P256Coord::from_const_u8(1),
     };
     const NEG_GENERATOR: Self = P256Point {
         x: P256Coord::from_const_bytes(hex!(
@@ -50,6 +51,7 @@ impl CyclicGroup for P256Point {
         y: P256Coord::from_const_bytes(hex!(
             "0aae40c897bf493431a1ce94a9cc31d4e961f083b51418716580e5011cbd1cb0"
         )),
+        z: P256Coord::from_const_u8(1),
     };
 }
 
@@ -74,10 +76,12 @@ impl IntrinsicCurve for NistP256 {
 
 impl P256Point {
     pub fn x_be_bytes(&self) -> [u8; 32] {
-        <Self as WeierstrassPoint>::x(self).to_be_bytes()
+        let n = self.normalize();
+        <Self as WeierstrassPoint>::x(&n).to_be_bytes()
     }
 
     pub fn y_be_bytes(&self) -> [u8; 32] {
-        <Self as WeierstrassPoint>::y(self).to_be_bytes()
+        let n = self.normalize();
+        <Self as WeierstrassPoint>::y(&n).to_be_bytes()
     }
 }

guest-libs/p256/src/point.rs

@@ -10,7 +10,6 @@ use elliptic_curve::{
     rand_core::RngCore,
     sec1::{FromEncodedPoint, ToEncodedPoint},
     subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption},
-    zeroize::DefaultIsZeroes,
     FieldBytesEncoding,
 };
 use openvm_algebra_guest::IntMod;
@@ -42,33 +41,40 @@ impl AffineCoordinates for P256Point {
     type FieldRepr = FieldBytes;
 
     fn x(&self) -> FieldBytes {
-        *FieldBytes::from_slice(&<Self as WeierstrassPoint>::x(self).to_be_bytes())
+        let n = self.normalize();
+        *FieldBytes::from_slice(&<Self as WeierstrassPoint>::x(&n).to_be_bytes())
     }
 
     fn y_is_odd(&self) -> Choice {
-        (self.y().as_le_bytes()[0] & 1).into()
+        let n = self.normalize();
+        (n.y().as_le_bytes()[0] & 1).into()
     }
 }
 
 impl Copy for P256Point {}
 
 impl ConditionallySelectable for P256Point {
     fn conditional_select(a: &P256Point, b: &P256Point, choice: Choice) -> P256Point {
-        P256Point::from_xy_unchecked(
+        P256Point::from_xyz_unchecked(
             P256Coord::conditional_select(
                 <Self as WeierstrassPoint>::x(a),
                 <Self as WeierstrassPoint>::x(b),
                 choice,
             ),
             P256Coord::conditional_select(a.y(), b.y(), choice),
+            P256Coord::conditional_select(a.z(), b.z(), choice),
         )
     }
 }
 
 impl ConstantTimeEq for P256Point {
     fn ct_eq(&self, other: &P256Point) -> Choice {
-        <Self as WeierstrassPoint>::x(self).ct_eq(<Self as WeierstrassPoint>::x(other))
-            & self.y().ct_eq(other.y())
+        // Projective equivalence: (X1*Z2 == X2*Z1) && (Y1*Z2 == Y2*Z1)
+        let x1z2 = <Self as WeierstrassPoint>::x(self) * other.z();
+        let x2z1 = <Self as WeierstrassPoint>::x(other) * self.z();
+        let y1z2 = self.y() * other.z();
+        let y2z1 = other.y() * self.z();
+        x1z2.ct_eq(&x2z1) & y1z2.ct_eq(&y2z1)
     }
 }
 
@@ -78,8 +84,6 @@ impl Default for P256Point {
     }
 }
 
-impl DefaultIsZeroes for P256Point {}
-
 impl Sum for P256Point {
     fn sum<I: Iterator<Item = Self>>(iter: I) -> Self {
         iter.fold(<Self as WeierstrassPoint>::IDENTITY, |a, b| a + b)
@@ -157,7 +161,7 @@ impl elliptic_curve::group::Curve for P256Point {
     type AffineRepr = P256Point;
 
     fn to_affine(&self) -> P256Point {
-        *self
+        self.normalize()
     }
 }
 
@@ -211,10 +215,11 @@ impl FromEncodedPoint<NistP256> for P256Point {
 
 impl ToEncodedPoint<NistP256> for P256Point {
     fn to_encoded_point(&self, compress: bool) -> EncodedPoint {
+        let n = self.normalize();
         EncodedPoint::conditional_select(
             &EncodedPoint::from_affine_coordinates(
-                &<Self as WeierstrassPoint>::x(self).to_be_bytes().into(),
-                &<Self as WeierstrassPoint>::y(self).to_be_bytes().into(),
+                &<Self as WeierstrassPoint>::x(&n).to_be_bytes().into(),
+                &<Self as WeierstrassPoint>::y(&n).to_be_bytes().into(),
                 compress,
             ),
             &EncodedPoint::identity(),

guest-libs/p256/tests/lib.rs

@@ -287,18 +287,20 @@ mod host_tests {
 
         // Generic add can handle equal or unequal points.
         #[allow(clippy::op_ref)]
-        let p3 = &p1 + &p2;
+        let p3 = (&p1 + &p2).normalize();
         #[allow(clippy::op_ref)]
-        let p4 = &p2 + &p2;
+        let p4 = (&p2 + &p2).normalize();
 
         // Add assign and double assign
         let mut sum = P256Point::from_xy(x1, y1).unwrap();
         sum += &p2;
+        let sum = sum.normalize();
         if sum.x() != p3.x() || sum.y() != p3.y() {
             panic!();
         }
         let mut double = P256Point::from_xy(x2, y2).unwrap();
         double.double_assign();
+        let double = double.normalize();
         if double.x() != p4.x() || double.y() != p4.y() {
             panic!();
         }
@@ -307,8 +309,8 @@ mod host_tests {
         let p1 = P256Point::from_xy(x1, y1).unwrap();
         let scalar = P256Scalar::from_u32(3);
         #[allow(clippy::op_ref)]
-        let p2 = &p1.double() + &p1;
-        let result = msm(&[scalar], &[p1]);
+        let p2 = (&p1.double() + &p1).normalize();
+        let result = msm(&[scalar], &[p1]).normalize();
         if result.x() != p2.x() || result.y() != p2.y() {
             panic!();
         }

guest-libs/pairing/src/bls12_381/mod.rs

@@ -1,7 +1,5 @@
 extern crate alloc;
 
-use core::ops::Neg;
-
 use openvm_algebra_guest::IntMod;
 use openvm_algebra_moduli_macros::moduli_declare;
 use openvm_ecc_guest::weierstrass::{CyclicGroup, Group, IntrinsicCurve};
@@ -53,6 +51,7 @@ impl CyclicGroup for G1Affine {
         y: Bls12_381Fp::from_const_bytes(hex!(
             "E1E7C5462923AA0CE48A88A244C73CD0EDB3042CCB18DB00F60AD0D595E0F5FCE48A1D74ED309EA0F1A0AAE381F4B308"
         )),
+        z: Bls12_381Fp::from_const_u8(1),
     };
     const NEG_GENERATOR: Self = G1Affine {
         x: Bls12_381Fp::from_const_bytes(hex!(
@@ -61,6 +60,7 @@ impl CyclicGroup for G1Affine {
         y: Bls12_381Fp::from_const_bytes(hex!(
             "CAC239B9D6DC54AD1B75CB0EBA386F4E3642ACCAD5B95566C907B51DEF6A8167F2212ECFC8767DAAA845D555681D4D11"
         )),
+        z: Bls12_381Fp::from_const_u8(1),
     };
 }
 
@@ -80,14 +80,13 @@ impl IntrinsicCurve for Bls12_381 {
 mod g2 {
     use openvm_algebra_guest::Field;
     use openvm_ecc_guest::weierstrass::{
-        impl_sw_affine, impl_sw_group_ops, weierstrass::WeierstrassPoint, AffinePoint, Group,
+        impl_sw_group_ops, impl_sw_proj, weierstrass::WeierstrassPoint, Group,
     };
 
     use super::{Fp, Fp2};
 
-    const THREE: Fp2 = Fp2::new(Fp::from_const_u8(3), Fp::ZERO);
     const B: Fp2 = Fp2::new(Fp::from_const_u8(4), Fp::from_const_u8(4));
-    impl_sw_affine!(G2Affine, Fp2, THREE, B);
+    impl_sw_proj!(G2Affine, Fp2, B);
     impl_sw_group_ops!(G2Affine, Fp2);
 }
 

guest-libs/pairing/src/bls12_381/tests.rs

@@ -256,7 +256,10 @@ fn test_bls12381_g2_affine() {
             (expected_neg, r_neg),
             (expected_double, r_double),
         ] {
-            assert_eq!(convert_g2_affine_halo2_to_openvm(expected), actual);
+            assert_eq!(
+                convert_g2_affine_halo2_to_openvm(expected),
+                actual.normalize()
+            );
         }
     }
 }