Optimize ed25519 hashing

LFDT-Lockness · Apr 19, 2024 · ca49116 · ca49116
1 parent d8dd7fc
commit ca49116
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 4 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -12,3 +12,7 @@ exclude = [
 [patch.crates-io.generic-ec]
 git = "https://github.com/dfns/generic-ec"
 branch = "faster-multiscalar"
+
+[patch.crates-io.generic-ec-curves]
+git = "https://github.com/dfns/generic-ec"
+branch = "faster-multiscalar"
diff --git a/givre/Cargo.toml b/givre/Cargo.toml
@@ -10,6 +10,7 @@ cggmp21-keygen = { version = "0.1", optional = true }
 key-share = { version = "0.2.2", default-features = false }
 
 generic-ec = { version = "0.2.4", default-features = false, features = ["alloc"] }
+generic-ec-curves = { version = "0.1", default-features = false, optional = true }
 
 rand_core = { version = "0.6", default-features = false }
 digest = { version = "0.10", default-features = false }
@@ -23,6 +24,8 @@ sha2 = { version = "0.10", default-features = false, optional = true }
 
 serde = { version = "1", default-features = false, features = ["derive"], optional = true }
 
+curve25519-dalek = { version = "4", default-features = false, optional = true }
+
 [dev-dependencies]
 rand_core = { version = "0.6", default-features = false, features = ["getrandom"] }
 
@@ -47,6 +50,6 @@ hd-wallets = ["key-share/hd-wallets", "cggmp21-keygen?/hd-wallets"]
 
 all-ciphersuites = ["ciphersuite-secp256k1", "ciphersuite-ed25519", "ciphersuite-bitcoin"]
 ciphersuite-secp256k1 = ["generic-ec/curve-secp256k1", "k256", "sha2", "static_assertions"]
-ciphersuite-ed25519 = ["generic-ec/curve-ed25519", "sha2"]
+ciphersuite-ed25519 = ["generic-ec/curve-ed25519", "sha2", "curve25519-dalek", "generic-ec-curves/ed25519"]
 ciphersuite-bitcoin = ["ciphersuite-secp256k1"]
 
diff --git a/givre/src/ciphersuite/ed25519.rs b/givre/src/ciphersuite/ed25519.rs
@@ -23,7 +23,7 @@ impl Ciphersuite for Ed25519 {
         }
         let hash = hash.finalize();
 
-        generic_ec::Scalar::from_le_bytes_mod_order(hash)
+        reduce_512bits_le_scalar_mod_order(&hash.into())
     }
 
     fn compute_challenge(
@@ -37,7 +37,7 @@ impl Ciphersuite for Ed25519 {
             .chain_update(msg)
             .finalize();
 
-        generic_ec::Scalar::from_le_bytes_mod_order(hash)
+        reduce_512bits_le_scalar_mod_order(&hash.into())
     }
 
     fn h3(msg: &[&[u8]]) -> generic_ec::Scalar<Self::Curve> {
@@ -49,7 +49,7 @@ impl Ciphersuite for Ed25519 {
         }
         let hash = hash.finalize();
 
-        generic_ec::Scalar::from_le_bytes_mod_order(hash)
+        reduce_512bits_le_scalar_mod_order(&hash.into())
     }
 
     fn h4() -> Self::Digest {
@@ -100,3 +100,14 @@ impl Ciphersuite for Ed25519 {
         Ok(Self::normalize_point(point))
     }
 }
+
+/// Reduces 512 bits integer mod curve order
+///
+/// This is a more efficient version of [`generic_ec::Scalar::from_le_bytes_mod_order`]
+fn reduce_512bits_le_scalar_mod_order(
+    bytes: &[u8; 64],
+) -> generic_ec::Scalar<generic_ec::curves::Ed25519> {
+    let out = curve25519_dalek::Scalar::from_bytes_mod_order_wide(bytes);
+    let out = generic_ec_curves::ed25519::Scalar(out);
+    generic_ec::as_raw::FromRaw::from_raw(out)
+}