Merge pull request #181 from zcash/sinsemilla-moar-speed

More Sinsemilla optimisations
2021-08-13 14:27:02 +01:00 · 2021-08-13 14:27:02 +01:00 · 63ca0aaf32
parent 5f0c3b3585 4e33fe7aec
commit 63ca0aaf32
2 changed files with 38 additions and 12 deletions
--- a/src/primitives/sinsemilla.rs
+++ b/src/primitives/sinsemilla.rs
@ -1,6 +1,6 @@
 //! The Sinsemilla hash function and commitment scheme.

-use group::prime::PrimeCurveAffine;
+use group::Wnaf;
 use halo2::arithmetic::{CurveAffine, CurveExt};
 use pasta_curves::pallas;
 use subtle::CtOption;
@ -120,7 +120,7 @@ impl HashDomain {
            .chunks(K)
            .fold(IncompletePoint::from(self.Q), |acc, chunk| {
                let (S_x, S_y) = SINSEMILLA_S[lebs2ip_k(chunk) as usize];
-                let S_chunk = pallas::Affine::from_xy(S_x, S_y).unwrap().to_curve();
+                let S_chunk = pallas::Affine::from_xy(S_x, S_y).unwrap();
                (acc + S_chunk) + acc
            })
    }
@ -174,7 +174,7 @@ impl CommitDomain {
        msg: impl Iterator<Item = bool>,
        r: &pallas::Scalar,
    ) -> CtOption<pallas::Point> {
-        (self.M.hash_to_point_inner(msg) + self.R * r).into()
+        (self.M.hash_to_point_inner(msg) + Wnaf::new().scalar(r).base(self.R)).into()
    }

    /// $\mathsf{SinsemillaShortCommit}$ from [§ 5.4.8.4][concretesinsemillacommit].
--- a/src/primitives/sinsemilla/addition.rs
+++ b/src/primitives/sinsemilla/addition.rs
@ -1,6 +1,6 @@
 use std::ops::Add;

-use group::Group;
+use group::{cofactor::CofactorCurveAffine, Group};
 use pasta_curves::pallas;
 use subtle::{ConstantTimeEq, CtOption};

@ -27,16 +27,16 @@ impl Add for IncompletePoint {

    #[allow(clippy::suspicious_arithmetic_impl)]
    fn add(self, rhs: Self) -> Self::Output {
-        // ⊥ ⊹ ⊥ = ⊥
-        // ⊥ ⊹ P = ⊥
+        // ⊥ ⸭ ⊥ = ⊥
+        // ⊥ ⸭ P = ⊥
        IncompletePoint(self.0.and_then(|p| {
-            // P ⊹ ⊥ = ⊥
+            // P ⸭ ⊥ = ⊥
            rhs.0.and_then(|q| {
-                // 0 ⊹ 0 = ⊥
-                // 0 ⊹ P = ⊥
-                // P ⊹ 0 = ⊥
-                // (x, y) ⊹ (x', y') = ⊥ if x == x'
-                // (x, y) ⊹ (x', y') = (x, y) + (x', y') if x != x'
+                // 0 ⸭ 0 = ⊥
+                // 0 ⸭ P = ⊥
+                // P ⸭ 0 = ⊥
+                // (x, y) ⸭ (x', y') = ⊥ if x == x'
+                // (x, y) ⸭ (x', y') = (x, y) + (x', y') if x != x'
                CtOption::new(
                    p + q,
                    !(p.is_identity() | q.is_identity() | p.ct_eq(&q) | p.ct_eq(&-q)),
@ -53,3 +53,29 @@ impl Add<pallas::Point> for IncompletePoint {
        self + IncompletePoint(CtOption::new(rhs, 1.into()))
    }
 }
+
+impl Add<pallas::Affine> for IncompletePoint {
+    type Output = IncompletePoint;
+
+    /// Specialisation of incomplete addition for mixed addition.
+    #[allow(clippy::suspicious_arithmetic_impl)]
+    fn add(self, rhs: pallas::Affine) -> Self::Output {
+        // ⊥ ⸭ ⊥ = ⊥
+        // ⊥ ⸭ P = ⊥
+        IncompletePoint(self.0.and_then(|p| {
+            // P ⸭ ⊥ = ⊥ is satisfied by definition.
+            let q = rhs.to_curve();
+
+            // 0 ⸭ 0 = ⊥
+            // 0 ⸭ P = ⊥
+            // P ⸭ 0 = ⊥
+            // (x, y) ⸭ (x', y') = ⊥ if x == x'
+            // (x, y) ⸭ (x', y') = (x, y) + (x', y') if x != x'
+            CtOption::new(
+                // Use mixed addition for efficiency.
+                p + rhs,
+                !(p.is_identity() | q.is_identity() | p.ct_eq(&q) | p.ct_eq(&-q)),
+            )
+        }))
+    }
+}