Add allocation-free MultiscalarMul method

Author: daxpedda

curve25519-dalek/benches/dalek_benchmarks.rs

@@ -139,7 +139,7 @@ mod multiscalar_benches {
                     // rerandomize the scalars for every call just in case.
                     b.iter_batched(
                         || construct_scalars(size),
-                        |scalars| EdwardsPoint::multiscalar_mul(&scalars, &points),
+                        |scalars| EdwardsPoint::multiscalar_alloc_mul(&scalars, &points),
                         BatchSize::SmallInput,
                     );
                 },

curve25519-dalek/src/backend/mod.rs

@@ -36,6 +36,7 @@
 
 use crate::EdwardsPoint;
 use crate::Scalar;
+use crate::traits::MultiscalarMul;
 
 pub mod serial;
 
@@ -191,30 +192,51 @@ impl VartimePrecomputedStraus {
     }
 }
 
+#[allow(missing_docs)]
+pub fn straus_multiscalar_mul<const N: usize>(
+    scalars: &[Scalar; N],
+    points: &[EdwardsPoint; N],
+) -> EdwardsPoint {
+    match get_selected_backend() {
+        #[cfg(curve25519_dalek_backend = "simd")]
+        BackendKind::Avx2 => {
+            vector::scalar_mul::straus::spec_avx2::Straus::multiscalar_mul(scalars, points)
+        }
+        #[cfg(all(curve25519_dalek_backend = "unstable_avx512", nightly))]
+        BackendKind::Avx512 => {
+            vector::scalar_mul::straus::spec_avx512ifma_avx512vl::Straus::multiscalar_mul(
+                scalars, points,
+            )
+        }
+        BackendKind::Serial => serial::scalar_mul::straus::Straus::multiscalar_mul(scalars, points),
+    }
+}
+
 #[allow(missing_docs)]
 #[cfg(feature = "alloc")]
-pub fn straus_multiscalar_mul<I, J>(scalars: I, points: J) -> EdwardsPoint
+pub fn straus_multiscalar_alloc_mul<I, J>(scalars: I, points: J) -> EdwardsPoint
 where
     I: IntoIterator,
     I::Item: core::borrow::Borrow<Scalar>,
     J: IntoIterator,
     J::Item: core::borrow::Borrow<EdwardsPoint>,
 {
-    use crate::traits::MultiscalarMul;
-
     match get_selected_backend() {
         #[cfg(curve25519_dalek_backend = "simd")]
         BackendKind::Avx2 => {
-            vector::scalar_mul::straus::spec_avx2::Straus::multiscalar_mul::<I, J>(scalars, points)
+            vector::scalar_mul::straus::spec_avx2::Straus::multiscalar_alloc_mul::<I, J>(
+                scalars, points,
+            )
         }
         #[cfg(all(curve25519_dalek_backend = "unstable_avx512", nightly))]
         BackendKind::Avx512 => {
-            vector::scalar_mul::straus::spec_avx512ifma_avx512vl::Straus::multiscalar_mul::<I, J>(
-                scalars, points,
-            )
+            vector::scalar_mul::straus::spec_avx512ifma_avx512vl::Straus::multiscalar_alloc_mul::<
+                I,
+                J,
+            >(scalars, points)
         }
         BackendKind::Serial => {
-            serial::scalar_mul::straus::Straus::multiscalar_mul::<I, J>(scalars, points)
+            serial::scalar_mul::straus::Straus::multiscalar_alloc_mul::<I, J>(scalars, points)
         }
     }
 }

curve25519-dalek/src/backend/serial/scalar_mul/mod.rs

@@ -23,7 +23,6 @@ pub mod variable_base;
 #[allow(missing_docs)]
 pub mod vartime_double_base;
 
-#[cfg(feature = "alloc")]
 pub mod straus;
 
 #[cfg(feature = "alloc")]

curve25519-dalek/src/backend/serial/scalar_mul/straus.rs

@@ -13,15 +13,20 @@
 
 #![allow(non_snake_case)]
 
+#[cfg(feature = "alloc")]
 use alloc::vec::Vec;
 
+#[cfg(feature = "alloc")]
 use core::borrow::Borrow;
-use core::cmp::Ordering;
 
+use crate::backend::serial::curve_models::ProjectiveNielsPoint;
 use crate::edwards::EdwardsPoint;
 use crate::scalar::Scalar;
+use crate::traits::Identity;
 use crate::traits::MultiscalarMul;
+#[cfg(feature = "alloc")]
 use crate::traits::VartimeMultiscalarMul;
+use crate::window::LookupTable;
 
 /// Perform multiscalar multiplication by the interleaved window
 /// method, also known as Straus' method (since it was apparently
@@ -49,68 +54,26 @@ pub struct Straus {}
 impl MultiscalarMul for Straus {
     type Point = EdwardsPoint;
 
-    /// Constant-time Straus using a fixed window of size \\(4\\).
-    ///
-    /// Our goal is to compute
-    /// \\[
-    /// Q = s_1 P_1 + \cdots + s_n P_n.
-    /// \\]
-    ///
-    /// For each point \\( P_i \\), precompute a lookup table of
-    /// \\[
-    /// P_i, 2P_i, 3P_i, 4P_i, 5P_i, 6P_i, 7P_i, 8P_i.
-    /// \\]
-    ///
-    /// For each scalar \\( s_i \\), compute its radix-\\(2^4\\)
-    /// signed digits \\( s_{i,j} \\), i.e.,
-    /// \\[
-    ///    s_i = s_{i,0} + s_{i,1} 16^1 + ... + s_{i,63} 16^{63},
-    /// \\]
-    /// with \\( -8 \leq s_{i,j} < 8 \\).  Since \\( 0 \leq |s_{i,j}|
-    /// \leq 8 \\), we can retrieve \\( s_{i,j} P_i \\) from the
-    /// lookup table with a conditional negation: using signed
-    /// digits halves the required table size.
-    ///
-    /// Then as in the single-base fixed window case, we have
-    /// \\[
-    /// \begin{aligned}
-    /// s_i P_i &= P_i (s_{i,0} +     s_{i,1} 16^1 + \cdots +     s_{i,63} 16^{63})   \\\\
-    /// s_i P_i &= P_i s_{i,0} + P_i s_{i,1} 16^1 + \cdots + P_i s_{i,63} 16^{63}     \\\\
-    /// s_i P_i &= P_i s_{i,0} + 16(P_i s_{i,1} + 16( \cdots +16P_i s_{i,63})\cdots )
-    /// \end{aligned}
-    /// \\]
-    /// so each \\( s_i P_i \\) can be computed by alternately adding
-    /// a precomputed multiple \\( P_i s_{i,j} \\) of \\( P_i \\) and
-    /// repeatedly doubling.
-    ///
-    /// Now consider the two-dimensional sum
-    /// \\[
-    /// \begin{aligned}
-    /// s\_1 P\_1 &=& P\_1 s\_{1,0} &+& 16 (P\_1 s\_{1,1} &+& 16 ( \cdots &+& 16 P\_1 s\_{1,63}&) \cdots ) \\\\
-    ///     +     & &      +        & &      +            & &             & &     +            &           \\\\
-    /// s\_2 P\_2 &=& P\_2 s\_{2,0} &+& 16 (P\_2 s\_{2,1} &+& 16 ( \cdots &+& 16 P\_2 s\_{2,63}&) \cdots ) \\\\
-    ///     +     & &      +        & &      +            & &             & &     +            &           \\\\
-    /// \vdots    & &  \vdots       & &   \vdots          & &             & &  \vdots          &           \\\\
-    ///     +     & &      +        & &      +            & &             & &     +            &           \\\\
-    /// s\_n P\_n &=& P\_n s\_{n,0} &+& 16 (P\_n s\_{n,1} &+& 16 ( \cdots &+& 16 P\_n s\_{n,63}&) \cdots )
-    /// \end{aligned}
-    /// \\]
-    /// The sum of the left-hand column is the result \\( Q \\); by
-    /// computing the two-dimensional sum on the right column-wise,
-    /// top-to-bottom, then right-to-left, we need to multiply by \\(
-    /// 16\\) only once per column, sharing the doublings across all
-    /// of the input points.
-    fn multiscalar_mul<I, J>(scalars: I, points: J) -> EdwardsPoint
+    fn multiscalar_mul<const N: usize>(
+        scalars: &[Scalar; N],
+        points: &[EdwardsPoint; N],
+    ) -> EdwardsPoint {
+        let lookup_tables: [_; N] =
+            core::array::from_fn(|index| LookupTable::<ProjectiveNielsPoint>::from(&points[index]));
+
+        let scalar_digits: [_; N] = core::array::from_fn(|index| scalars[index].as_radix_16());
+
+        multiscalar_mul(&scalar_digits, &lookup_tables)
+    }
+
+    #[cfg(feature = "alloc")]
+    fn multiscalar_alloc_mul<I, J>(scalars: I, points: J) -> EdwardsPoint
     where
         I: IntoIterator,
         I::Item: Borrow<Scalar>,
         J: IntoIterator,
         J::Item: Borrow<EdwardsPoint>,
     {
-        use crate::backend::serial::curve_models::ProjectiveNielsPoint;
-        use crate::traits::Identity;
-        use crate::window::LookupTable;
-
         let lookup_tables: Vec<_> = points
             .into_iter()
             .map(|point| LookupTable::<ProjectiveNielsPoint>::from(point.borrow()))
@@ -125,25 +88,86 @@ impl MultiscalarMul for Straus {
             .map(|s| s.borrow().as_radix_16())
             .collect();
 
-        let mut Q = EdwardsPoint::identity();
-        for j in (0..64).rev() {
-            Q = Q.mul_by_pow_2(4);
-            let it = scalar_digits.iter().zip(lookup_tables.iter());
-            for (s_i, lookup_table_i) in it {
-                // R_i = s_{i,j} * P_i
-                let R_i = lookup_table_i.select(s_i[j]);
-                // Q = Q + R_i
-                Q = (&Q + &R_i).as_extended();
-            }
-        }
+        let Q = multiscalar_mul(&scalar_digits, &lookup_tables);
 
         #[cfg(feature = "zeroize")]
-        zeroize::Zeroize::zeroize(&mut scalar_digits);
+        zeroize::Zeroize::zeroize(&mut scalar_digits.iter_mut());
 
         Q
     }
 }
 
+/// Constant-time Straus using a fixed window of size \\(4\\).
+///
+/// Our goal is to compute
+/// \\[
+/// Q = s_1 P_1 + \cdots + s_n P_n.
+/// \\]
+///
+/// For each point \\( P_i \\), precompute a lookup table of
+/// \\[
+/// P_i, 2P_i, 3P_i, 4P_i, 5P_i, 6P_i, 7P_i, 8P_i.
+/// \\]
+///
+/// For each scalar \\( s_i \\), compute its radix-\\(2^4\\)
+/// signed digits \\( s_{i,j} \\), i.e.,
+/// \\[
+///    s_i = s_{i,0} + s_{i,1} 16^1 + ... + s_{i,63} 16^{63},
+/// \\]
+/// with \\( -8 \leq s_{i,j} < 8 \\).  Since \\( 0 \leq |s_{i,j}|
+/// \leq 8 \\), we can retrieve \\( s_{i,j} P_i \\) from the
+/// lookup table with a conditional negation: using signed
+/// digits halves the required table size.
+///
+/// Then as in the single-base fixed window case, we have
+/// \\[
+/// \begin{aligned}
+/// s_i P_i &= P_i (s_{i,0} +     s_{i,1} 16^1 + \cdots +     s_{i,63} 16^{63})   \\\\
+/// s_i P_i &= P_i s_{i,0} + P_i s_{i,1} 16^1 + \cdots + P_i s_{i,63} 16^{63}     \\\\
+/// s_i P_i &= P_i s_{i,0} + 16(P_i s_{i,1} + 16( \cdots +16P_i s_{i,63})\cdots )
+/// \end{aligned}
+/// \\]
+/// so each \\( s_i P_i \\) can be computed by alternately adding
+/// a precomputed multiple \\( P_i s_{i,j} \\) of \\( P_i \\) and
+/// repeatedly doubling.
+///
+/// Now consider the two-dimensional sum
+/// \\[
+/// \begin{aligned}
+/// s\_1 P\_1 &=& P\_1 s\_{1,0} &+& 16 (P\_1 s\_{1,1} &+& 16 ( \cdots &+& 16 P\_1 s\_{1,63}&) \cdots ) \\\\
+///     +     & &      +        & &      +            & &             & &     +            &           \\\\
+/// s\_2 P\_2 &=& P\_2 s\_{2,0} &+& 16 (P\_2 s\_{2,1} &+& 16 ( \cdots &+& 16 P\_2 s\_{2,63}&) \cdots ) \\\\
+///     +     & &      +        & &      +            & &             & &     +            &           \\\\
+/// \vdots    & &  \vdots       & &   \vdots          & &             & &  \vdots          &           \\\\
+///     +     & &      +        & &      +            & &             & &     +            &           \\\\
+/// s\_n P\_n &=& P\_n s\_{n,0} &+& 16 (P\_n s\_{n,1} &+& 16 ( \cdots &+& 16 P\_n s\_{n,63}&) \cdots )
+/// \end{aligned}
+/// \\]
+/// The sum of the left-hand column is the result \\( Q \\); by
+/// computing the two-dimensional sum on the right column-wise,
+/// top-to-bottom, then right-to-left, we need to multiply by \\(
+/// 16\\) only once per column, sharing the doublings across all
+/// of the input points.
+fn multiscalar_mul(
+    scalar_digits: &[[i8; 64]],
+    lookup_tables: &[LookupTable<ProjectiveNielsPoint>],
+) -> EdwardsPoint {
+    let mut Q = EdwardsPoint::identity();
+    for j in (0..64).rev() {
+        Q = Q.mul_by_pow_2(4);
+        let it = scalar_digits.iter().zip(lookup_tables.iter());
+        for (s_i, lookup_table_i) in it {
+            // R_i = s_{i,j} * P_i
+            let R_i = lookup_table_i.select(s_i[j]);
+            // Q = Q + R_i
+            Q = (&Q + &R_i).as_extended();
+        }
+    }
+
+    Q
+}
+
+#[cfg(feature = "alloc")]
 impl VartimeMultiscalarMul for Straus {
     type Point = EdwardsPoint;
 
@@ -167,6 +191,7 @@ impl VartimeMultiscalarMul for Straus {
         };
         use crate::traits::Identity;
         use crate::window::NafLookupTable5;
+        use core::cmp::Ordering;
 
         let nafs: Vec<_> = scalars
             .into_iter()

curve25519-dalek/src/backend/vector/scalar_mul/mod.rs

@@ -18,7 +18,6 @@ pub mod variable_base;
 pub mod vartime_double_base;
 
 #[allow(missing_docs)]
-#[cfg(feature = "alloc")]
 pub mod straus;
 
 #[allow(missing_docs)]