From a9d46282f5660dfb7e3850ef957fe884089daeda Mon Sep 17 00:00:00 2001
From: Aaryamann Challani <43716372+rymnc@users.noreply.github.com>
Date: Wed, 27 Nov 2024 00:52:36 +0530
Subject: [PATCH] fix(vartime_double_base): remove usage of alloc (#9)

* fix: remove usage of alloc

* chore: suggestions from review

Co-authored-by: N

---------

Co-authored-by: N
---
 .../serial/scalar_mul/variable_base.rs | 2 --
 .../serial/scalar_mul/vartime_double_base.rs | 10 +++++----
 curve25519-dalek/src/scalar.rs | 21 +++++++++++++------
 3 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/curve25519-dalek/src/backend/serial/scalar_mul/variable_base.rs b/curve25519-dalek/src/backend/serial/scalar_mul/variable_base.rs
index 73cda84a7..dfee346c2 100644
--- a/curve25519-dalek/src/backend/serial/scalar_mul/variable_base.rs
+++ b/curve25519-dalek/src/backend/serial/scalar_mul/variable_base.rs
@@ -5,8 +5,6 @@ use crate::edwards::EdwardsPoint;
 use crate::scalar::Scalar;
 use crate::traits::Identity;
 use crate::window::LookupTable;
-use alloc::vec::Vec;
-use crate::constants::ED25519_BASEPOINT_POINT;
 
 #[cfg(not(all(target_os = "zkvm", target_vendor = "succinct")))]
 /// Perform constant-time, variable-base scalar multiplication.
diff --git a/curve25519-dalek/src/backend/serial/scalar_mul/vartime_double_base.rs b/curve25519-dalek/src/backend/serial/scalar_mul/vartime_double_base.rs
index c7df953f8..1015e4508 100644
--- a/curve25519-dalek/src/backend/serial/scalar_mul/vartime_double_base.rs
+++ b/curve25519-dalek/src/backend/serial/scalar_mul/vartime_double_base.rs
@@ -18,9 +18,11 @@ use crate::edwards::EdwardsPoint;
 use crate::scalar::Scalar;
 use crate::traits::Identity;
 use crate::window::NafLookupTable5;
-use alloc::vec::Vec;
+
+#[cfg(not(feature = "precomputed-tables"))]
 use crate::constants::ED25519_BASEPOINT_POINT;
 
+
 #[cfg(not(all(target_os = "zkvm", target_vendor = "succinct")))]
 /// Compute \\(aA + bB\\) in variable time, where \\(B\\) is the Ed25519 basepoint.
 pub fn mul(a: &Scalar, A: &EdwardsPoint, b: &Scalar) -> EdwardsPoint {
@@ -84,15 +86,15 @@ use sp1_lib::{ed25519::Ed25519AffinePoint, utils::AffinePoint};
 pub fn mul(a: &Scalar, A: &EdwardsPoint, b: &Scalar) -> EdwardsPoint {
     let A: Ed25519AffinePoint = (*A).into();
 
-    let a_bits = a.bits_le().collect::>();
-    let b_bits = b.bits_le().collect::>();
+    let a_bits = a.bits_le_array();
+    let b_bits = b.bits_le_array();
 
     // Note: The base point is the identity point.
     let res = AffinePoint::multi_scalar_multiplication(
         &a_bits,
         A,
         &b_bits,
-        ED25519_BASEPOINT_POINT.into(),
+        crate::constants::ED25519_BASEPOINT_POINT.into(),
     )
     .unwrap();
     res.into()
diff --git a/curve25519-dalek/src/scalar.rs b/curve25519-dalek/src/scalar.rs
index 6afd74eef..7d2dc816f 100644
--- a/curve25519-dalek/src/scalar.rs
+++ b/curve25519-dalek/src/scalar.rs
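Review bot: The comment `// Note: The base point is the identity point.` retained above the `multi_scalar_multiplication` call in the second hunk contradicts the argument the hunk now spells out as `crate::constants::ED25519_BASEPOINT_POINT.into()`; if it refers to a convention of the `sp1_lib` routine rather than to the value passed, say so, otherwise change it to `// Pass the Ed25519 basepoint as the second base, matching the aA + bB contract of the host implementation.`. The fully qualified path is needed only because the first hunk gates `use crate::constants::ED25519_BASEPOINT_POINT` on `not(feature = "precomputed-tables")`; widening that gate to `#[cfg(any(not(feature = "precomputed-tables"), all(target_os = "zkvm", target_vendor = "succinct")))]` would let both `mul` bodies use the short name. The `.unwrap()` on the multiplication result predates this change, but a short `expect` stating why the precompile cannot fail for these inputs would document the panic path. The body of the zkvm `mul` ends at `res.into()` and its closing brace is outside the hunk.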
@@ -836,14 +836,23 @@ impl Scalar {
         ret
     }
 
+    fn get_bit_le(&self, i: usize) -> bool {
+        ((self.bytes[i >> 3] >> (i & 7)) & 1u8) == 1
+    }
+
     /// Get the bits of the scalar, in little-endian order
     pub(crate) fn bits_le(&self) -> impl DoubleEndedIterator + '_ {
-        (0..256).map(|i| {
-            // As i runs from 0..256, the bottom 3 bits index the bit, while the upper bits index
-            // the byte. Since self.bytes is little-endian at the byte level, this iterator is
-            // little-endian on the bit level
-            ((self.bytes[i >> 3] >> (i & 7)) & 1u8) == 1
-        })
+        (0..256).map(move |i| self.get_bit_le(i))
+    }
+
+    /// Get the bits of the scalar, in little-endian order, as an array
+    #[cfg(all(target_os = "zkvm", target_vendor = "succinct"))]
+    pub(crate) fn bits_le_array(&self) -> [bool; 256] {
+        let mut bits = [false; 256];
+        for i in 0..256 {
+            bits[i] = self.get_bit_le(i);
+        }
+        bits
     }
 
     /// Compute a width-\\(w\\) "Non-Adjacent Form" of this scalar.
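Review bot: The explanatory comment the commit deletes from `bits_le` (the bottom three bits of `i` select the bit, the upper bits select the byte, and `self.bytes` is little-endian) is not carried over to the new `get_bit_le`, which now holds that logic undocumented; add it there as `/// Bit i (0..256) of the scalar in little-endian bit order: i >> 3 selects the byte of the little-endian bytes array and i & 7 the bit within it; indexing panics for i >= 256.`. `bits_le_array` is compiled only for the succinct zkvm target, so nothing on the host checks that it agrees with `bits_le`; dropping the `cfg` (with `#[allow(dead_code)]` if no host caller exists) would allow a unit test asserting `s.bits_le_array().iter().copied().eq(s.bits_le())` for a few scalars. Its index loop could also be written as `for (i, bit) in bits.iter_mut().enumerate() { *bit = self.get_bit_le(i); }`, which avoids the per-iteration bounds check and clippy's needless_range_loop. The enclosing `impl Scalar` block continues outside the hunk.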