curve25519_dalek/backend/vector/scalar_mul/
variable_base.rs

1#![allow(non_snake_case)]
2
3#[curve25519_dalek_derive::unsafe_target_feature_specialize(
4    "avx2",
5    conditional("avx512ifma,avx512vl", nightly)
6)]
7pub mod spec {
8
9    #[for_target_feature("avx2")]
10    use crate::backend::vector::avx2::{CachedPoint, ExtendedPoint};
11
12    #[for_target_feature("avx512ifma")]
13    use crate::backend::vector::ifma::{CachedPoint, ExtendedPoint};
14
15    use crate::edwards::EdwardsPoint;
16    use crate::scalar::Scalar;
17    use crate::traits::Identity;
18    use crate::window::LookupTable;
19
20    /// Perform constant-time, variable-base scalar multiplication.
21    pub fn mul(point: &EdwardsPoint, scalar: &Scalar) -> EdwardsPoint {
22        // Construct a lookup table of [P,2P,3P,4P,5P,6P,7P,8P]
23        let lookup_table = LookupTable::<CachedPoint>::from(point);
24        // Setting s = scalar, compute
25        //
26        //    s = s_0 + s_1*16^1 + ... + s_63*16^63,
27        //
28        // with `-8 ≤ s_i < 8` for `0 ≤ i < 63` and `-8 ≤ s_63 ≤ 8`.
29        let scalar_digits = scalar.as_radix_16();
30        // Compute s*P as
31        //
32        //    s*P = P*(s_0 +   s_1*16^1 +   s_2*16^2 + ... +   s_63*16^63)
33        //    s*P =  P*s_0 + P*s_1*16^1 + P*s_2*16^2 + ... + P*s_63*16^63
34        //    s*P = P*s_0 + 16*(P*s_1 + 16*(P*s_2 + 16*( ... + P*s_63)...))
35        //
36        // We sum right-to-left.
37        let mut Q = ExtendedPoint::identity();
38        for i in (0..64).rev() {
39            Q = Q.mul_by_pow_2(4);
40            Q = &Q + &lookup_table.select(scalar_digits[i]);
41        }
42        Q.into()
43    }
44}