
EdwardsPoint::vartime_check_double_scalar_mul_basepoint
Checks whether [8a]A + [8b]B = [8]C in variable time.

This can be used to implement RFC 8032-compatible Ed25519 signature
validation. Note that it includes a multiplication by the cofactor.
str4d committed Mar 29, 2024
1 parent c7f737d commit 1582468
Showing 3 changed files with 52 additions and 0 deletions.
19 changes: 19 additions & 0 deletions curve25519-dalek/benches/dalek_benchmarks.rs
Expand Up @@ -56,6 +56,24 @@ mod edwards_benches {
});
}

fn vartime_check_double_scalar_mul_basepoint<M: Measurement>(c: &mut BenchmarkGroup<M>) {
c.bench_function(
"Variable-time 8(aA+bB)=8C, A&C variable, B fixed",
|bench| {
let mut rng = thread_rng();
let A = &Scalar::random(&mut rng) * constants::ED25519_BASEPOINT_TABLE;
let C = &Scalar::random(&mut rng) * constants::ED25519_BASEPOINT_TABLE;
bench.iter_batched(
|| (Scalar::random(&mut rng), Scalar::random(&mut rng)),
|(a, b)| {
EdwardsPoint::vartime_check_double_scalar_mul_basepoint(&a, &A, &b, &C)
},
BatchSize::SmallInput,
);
},
);
}

pub(crate) fn edwards_benches() {
let mut c = Criterion::default();
let mut g = c.benchmark_group("edwards benches");
Expand All @@ -65,6 +83,7 @@ mod edwards_benches {
consttime_fixed_base_scalar_mul(&mut g);
consttime_variable_base_scalar_mul(&mut g);
vartime_double_base_scalar_mul(&mut g);
vartime_check_double_scalar_mul_basepoint(&mut g);
}
}

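Review bot: The benchmark only ever measures the rejecting path of a variable-time check: `A` and `C` are independent random basepoint multiples and `a`, `b` are fresh random scalars in the `iter_batched` setup closure, so `[8a]A + [8b]B = [8]C` holds with negligible probability. Because the routine is variable-time, the accepting case (the one valid-signature verification exercises) may cost differently, so it is worth constructing `C` so the equation holds, or benchmarking both cases. Since `iter_batched` does not time the setup closure, this can be done there, e.g. `|| { let a = Scalar::random(&mut rng); let b = Scalar::random(&mut rng); let C = &a * &A + &b * constants::ED25519_BASEPOINT_TABLE; (a, b, C) }` with the routine receiving `|(a, b, C)|` and passing `&C`. The outer `let C = ...` line then becomes unnecessary.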
16 changes: 16 additions & 0 deletions curve25519-dalek/src/backend/mod.rs
Expand Up @@ -249,3 +249,19 @@ pub fn vartime_double_base_mul(a: &Scalar, A: &EdwardsPoint, b: &Scalar) -> Edwa
BackendKind::Serial => serial::scalar_mul::vartime_double_base::mul(a, A, b),
}
}

/// Checks whether \\([8a]A + [8b]B = [8]C\\) in variable time.
///
/// This can be used to implement [RFC 8032]-compatible Ed25519 signature validation.
/// Note that it includes a multiplication by the cofactor.
///
/// [RFC 8032]: https://tools.ietf.org/html/rfc8032
#[allow(non_snake_case)]
pub(crate) fn scalar_mul_abglsv_pornin(
a: &Scalar,
A: &EdwardsPoint,
b: &Scalar,
C: &EdwardsPoint,
) -> EdwardsPoint {
serial::scalar_mul::abglsv_pornin::mul(a, A, b, C)
}
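Review bot: `scalar_mul_abglsv_pornin` calls `serial::scalar_mul::abglsv_pornin::mul` unconditionally, whereas `vartime_double_base_mul` directly above dispatches on `BackendKind` (its `BackendKind::Serial =>` arm is visible in the hunk's context); if that is because only a serial implementation exists, say so with a comment such as `// Only a serial implementation exists; unlike the other entry points this does not dispatch on BackendKind.` The doc comment is also copied from the public API and says the function "checks whether … in variable time", but it returns an `EdwardsPoint`, not a `bool` — the public wrapper in `edwards.rs` applies `.mul_by_cofactor().is_identity()` to the result to decide. Suggest rewording the first doc line to `/// Computes, in variable time, a point whose cofactor multiple is the identity iff \\([8a]A + [8b]B = [8]C\\); callers apply `mul_by_cofactor().is_identity()` to obtain the check.`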
17 changes: 17 additions & 0 deletions curve25519-dalek/src/edwards.rs
Expand Up @@ -906,6 +906,23 @@ impl EdwardsPoint {
) -> EdwardsPoint {
crate::backend::vartime_double_base_mul(a, A, b)
}

/// Checks whether \\([8a]A + [8b]B = [8]C\\) in variable time.
///
/// This can be used to implement [RFC 8032]-compatible Ed25519 signature validation.
/// Note that it includes a multiplication by the cofactor.
///
/// [RFC 8032]: https://tools.ietf.org/html/rfc8032
pub fn vartime_check_double_scalar_mul_basepoint(
a: &Scalar,
A: &EdwardsPoint,
b: &Scalar,
C: &EdwardsPoint,
) -> bool {
crate::backend::scalar_mul_abglsv_pornin(a, A, b, C)
.mul_by_cofactor()
.is_identity()
}
}

#[cfg(feature = "precomputed-tables")]
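Review bot: The doc comment states the equation in terms of `B`, but `vartime_check_double_scalar_mul_basepoint` has no `B` parameter; from the `_basepoint` suffix it is presumably the Ed25519 basepoint, and the docs should say so explicitly, e.g. `/// Here \\(B\\) is the Ed25519 basepoint.` after the first line. Since the function is variable-time, the docs should also state the contract that its inputs are treated as public, which is the case for signature verification but rules out passing secret scalars: `/// Runs in variable time: \\(a\\), \\(b\\), \\(A\\) and \\(C\\) are assumed to be public values, as they are for signature verification.` The cofactor note is already present; linking it to `mul_by_cofactor` in the body would help readers see why this accepts points that differ only by a small-order component.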
