perf(emulated): ScalarMulBase with GLV is better

Consensys · Feb 22, 2024 · 7cc8816 · 7cc8816
1 parent 18d4d10
commit 7cc8816
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 2 deletions.
diff --git a/std/algebra/emulated/sw_emulated/point.go b/std/algebra/emulated/sw_emulated/point.go
@@ -1079,7 +1079,20 @@ func (c *Curve[B, S]) scalarBitsMulGeneric(p *AffinePoint[B], sBits []frontend.V
 	return R0
 }
 
-// ScalarMulBase computes s * g and returns it, where g is the fixed generator.
+// ScalarMulBase computes s * g and returns it where g is the fixed curve generator. It doesn't modify p nor s.
+//
+// ScalarMul calls scalarMulBaseGeneric or scalarMulGLV depending on whether an efficient endomorphism is available.
+func (c *Curve[B, S]) ScalarMulBase(s *emulated.Element[S], opts ...algopts.AlgebraOption) *AffinePoint[B] {
+	if c.eigenvalue != nil && c.thirdRootOne != nil {
+		return c.scalarMulGLV(c.Generator(), s, opts...)
+
+	} else {
+		return c.scalarMulBaseGeneric(s, opts...)
+
+	}
+}
+
+// scalarMulBaseGeneric computes s * g and returns it, where g is the fixed generator.
 // It doesn't modify s.
 //
 // ✅ When s=0, it returns (0,0).
@@ -1093,7 +1106,7 @@ func (c *Curve[B, S]) scalarBitsMulGeneric(p *AffinePoint[B], sBits []frontend.V
 //
 // [HMV04]: https://link.springer.com/book/10.1007/b97644
 // [EVM]: https://ethereum.github.io/yellowpaper/paper.pdf
-func (c *Curve[B, S]) ScalarMulBase(s *emulated.Element[S], opts ...algopts.AlgebraOption) *AffinePoint[B] {
+func (c *Curve[B, S]) scalarMulBaseGeneric(s *emulated.Element[S], opts ...algopts.AlgebraOption) *AffinePoint[B] {
 	cfg, err := algopts.NewConfig(opts...)
 	if err != nil {
 		panic(fmt.Sprintf("parse opts: %v", err))

diff --git a/std/algebra/emulated/sw_emulated/point_test.go b/std/algebra/emulated/sw_emulated/point_test.go
@@ -560,6 +560,44 @@ func TestScalarMulBase3(t *testing.T) {
 }
 
 func TestScalarMulBase4(t *testing.T) {
+	assert := test.NewAssert(t)
+	p256 := elliptic.P256()
+	s, err := rand.Int(rand.Reader, p256.Params().N)
+	assert.NoError(err)
+	px, py := p256.ScalarBaseMult(s.Bytes())
+
+	circuit := ScalarMulBaseTest[emulated.P256Fp, emulated.P256Fr]{}
+	witness := ScalarMulBaseTest[emulated.P256Fp, emulated.P256Fr]{
+		S: emulated.ValueOf[emulated.P256Fr](s),
+		Q: AffinePoint[emulated.P256Fp]{
+			X: emulated.ValueOf[emulated.P256Fp](px),
+			Y: emulated.ValueOf[emulated.P256Fp](py),
+		},
+	}
+	err = test.IsSolved(&circuit, &witness, testCurve.ScalarField())
+	assert.NoError(err)
+}
+
+func TestScalarMulBase5(t *testing.T) {
+	assert := test.NewAssert(t)
+	p384 := elliptic.P384()
+	s, err := rand.Int(rand.Reader, p384.Params().N)
+	assert.NoError(err)
+	px, py := p384.ScalarBaseMult(s.Bytes())
+
+	circuit := ScalarMulBaseTest[emulated.P384Fp, emulated.P384Fr]{}
+	witness := ScalarMulBaseTest[emulated.P384Fp, emulated.P384Fr]{
+		S: emulated.ValueOf[emulated.P384Fr](s),
+		Q: AffinePoint[emulated.P384Fp]{
+			X: emulated.ValueOf[emulated.P384Fp](px),
+			Y: emulated.ValueOf[emulated.P384Fp](py),
+		},
+	}
+	err = test.IsSolved(&circuit, &witness, testCurve.ScalarField())
+	assert.NoError(err)
+}
+
+func TestScalarMulBase6(t *testing.T) {
 	assert := test.NewAssert(t)
 	_, _, g, _ := bw6761.Generators()
 	var r fr_bw6761.Element