1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148
use crate::weierstrass::Group; // use crate::representation::ElementRepr; // use crate::representation::IntoWnaf; // // start with naive implementation. It'll not work faster than // // a trivial one before wNAF is implemented // pub(crate) fn ben_coster<G: Group, E: ElementRepr>(pairs: Vec<(G, E)>) -> G { // // sort the pairs together // if pairs.len() == 1 { // return pairs[0].0.mul(pairs[0].1); // } // let mut pairs = pairs; // pairs.sort_by(|a, b| a.1.cmp(&b.1)); // let mut reduced = vec![]; // let num_iter = pairs.len() - 1; // for _ in 0..num_iter { // // this element has a largest scalar // let mut last = pairs.pop().unwrap(); // // subtract a scalar // last.1.sub_noborrow(&pairs.last().unwrap().1); // // add a point to the point of the "next scalar" // pairs.last_mut().unwrap().0.add_assign_mixed(&last.0); // // push the result // reduced.push(last); // } // let acc = pairs.pop().unwrap(); // let mut acc = acc.0.mul(&acc.1); // let mut results: Vec<G> = reduced.into_iter().map(|pair| pair.0.mul(pair.1)).collect(); // // let mut results: Vec<G> = reduced.into_iter().map(|pair| pair.0.wnaf_mul_impl(pair.1)).collect(); // while let Some(p) = results.pop() { // acc.add_assign(&p); // } // acc // } // // start with naive implementation. It'll not work faster than // // a trivial one before wNAF is implemented // pub(crate) fn ben_coster_wnaf<G: Group, E: ElementRepr + IntoWnaf>(pairs: Vec<(G, E)>) -> G { // // sort the pairs together // if pairs.len() == 1 { // return pairs[0].0.mul(pairs[0].1); // } // let mut pairs = pairs; // pairs.sort_by(|a, b| a.1.cmp(&b.1)); // let mut reduced = vec![]; // let num_iter = pairs.len() - 1; // for _ in 0..num_iter { // // this element has a largest scalar // let mut last = pairs.pop().unwrap(); // // subtract a scalar // last.1.sub_noborrow(&pairs.last().unwrap().1); // // add a point to the point of the "next scalar" // pairs.last_mut().unwrap().0.add_assign_mixed(&last.0); // // push the result // reduced.push(last); // } // let acc = pairs.pop().unwrap(); // let mut acc = acc.0.wnaf_mul(acc.1); // let mut results: Vec<G> = reduced.into_iter().map(|pair| pair.0.wnaf_mul(pair.1)).collect(); // while let Some(p) = results.pop() { // acc.add_assign(&p); // } // acc // } use crate::weierstrass::curve::CurvePoint; use crate::weierstrass::CurveParameters; pub(crate) fn peppinger<'a, C: CurveParameters> ( pairs: Vec<(CurvePoint<'a, C>, Vec<u64>)> ) -> CurvePoint<'a, C> { use crate::representation::*; let mut g = vec![]; let mut s: Vec<Vec<u64>> = vec![]; for (point, scalar) in pairs.into_iter() { g.push(point); s.push(scalar); } let c = if s.len() < 32 { 3u32 } else { (f64::from(s.len() as u32)).ln().ceil() as u32 }; let mut windows = vec![]; let mut buckets = vec![]; let mask = (1u64 << c) - 1u64; let mut cur = 0; let num_bits = num_bits(&g[0].curve.subgroup_order_repr); let zero_point = CurvePoint::zero(g[0].curve); while cur <= num_bits { let mut acc = zero_point.clone(); buckets.truncate(0); buckets.resize((1 << c) - 1, zero_point.clone()); let g = g.clone(); for (s, g) in s.iter_mut().zip(g) { let index = (s[0] & mask) as usize; if index != 0 { buckets[index - 1].add_assign_mixed(&g); } left_shift_representation(s, c as u64); // s.shr(c as u32); } let mut running_sum = zero_point.clone(); for exp in buckets.iter().rev() { running_sum.add_assign(exp); acc.add_assign(&running_sum); } windows.push(acc); cur += c; } let mut acc = zero_point.clone(); for window in windows.into_iter().rev() { for _ in 0..c { acc.double(); } acc.add_assign(&window); } acc }