Merge branch 'zz/three_scalar_mul' into zz/impl_heea

Author: zz-sol

curve25519-dalek-derive/tests/tests.rs

@@ -104,18 +104,35 @@ mod inner_spec {
     #[for_target_feature("avx2")]
     const IS_AVX2: bool = true;
 
+    #[for_target_feature("sse2")]
     #[test]
     fn test_specialized() {
         assert!(!IS_AVX2);
     }
 
+    #[for_target_feature("avx2")]
+    #[test]
+    fn test_specialized_avx2() {
+        assert!(IS_AVX2);
+    }
+
     #[cfg(test)]
+    #[for_target_feature("sse2")]
     mod tests {
         #[test]
         fn test_specialized_inner() {
             assert!(!super::IS_AVX2);
         }
     }
+
+    #[cfg(test)]
+    #[for_target_feature("avx2")]
+    mod tests_avx2 {
+        #[test]
+        fn test_specialized_inner_avx2() {
+            assert!(super::IS_AVX2);
+        }
+    }
 }
 
 #[unsafe_target_feature("sse2")]
@@ -127,9 +144,17 @@ fn test_sse2_only() {}
 // pretty esoteric feature. Looking at the table of supported avx512 features at
 // https://en.wikipedia.org/wiki/AVX-512#CPUs_with_AVX-512 it seems avx512vp2intersect is one of the
 // most unusual ones that has rustc knows about
+#[cfg(target_feature = "avx512vp2intersect")]
 #[unsafe_target_feature("avx512vp2intersect")]
 #[test]
 fn test_unset_target_feature() {
+    assert!(std::arch::is_x86_feature_detected!("avx512vp2intersect"));
+}
+
+#[cfg(not(target_feature = "avx512vp2intersect"))]
+#[unsafe_target_feature("avx512vp2intersect")]
+#[test]
+fn test_unset_target_feature_removed() {
     compile_error!("When an unknown target_feature is set on a test, unsafe_target_feature is expected remove the function");
 }
 

curve25519-dalek/docs/parallel-formulas.md

@@ -219,7 +219,7 @@ element vectors, whose optimum choice is determined by the details of
 the instruction set.  However, it's not possible to perfectly separate
 the implementation of the field element vectors from the
 implementation of the point operations.  Instead, the [`avx2`] and
-[`ifma`] backends provide `ExtendedPoint` and `CachedPoint` types, and
+`ifma` backends provide `ExtendedPoint` and `CachedPoint` types, and
 the [`scalar_mul`] code uses one of the backend types by a type alias.
 
 # Comparison to non-vectorized formulas

curve25519-dalek/src/backend.rs

@@ -292,7 +292,7 @@ pub fn vartime_triple_base_mul_128_128_256(
         BackendKind::Avx2 => {
             vector::scalar_mul::vartime_triple_base::spec_avx2::mul_128_128_256(a1, A1, a2, A2, b)
         }
-        #[cfg(all(curve25519_dalek_backend = "simd", nightly))]
+        #[cfg(all(curve25519_dalek_backend = "unstable_avx512", nightly))]
         BackendKind::Avx512 => {
             vector::scalar_mul::vartime_triple_base::spec_avx512ifma_avx512vl::mul_128_128_256(
                 a1, A1, a2, A2, b,

curve25519-dalek/src/backend/serial/scalar_mul/vartime_triple_base.rs

@@ -75,8 +75,8 @@ pub fn mul_128_128_256(
 
     // Find starting index - check all NAFs up to bit 127
     // (with potential carry to bit 128 or 129)
-    let mut i = HEEA_MAX_INDEX;
-    for j in (0..HEEA_MAX_INDEX).rev() {
+    let mut i: usize = HEEA_MAX_INDEX;
+    for j in (0..=HEEA_MAX_INDEX).rev() {
         i = j;
         if a1_naf[i] != 0 || a2_naf[i] != 0 || b_lo_naf[i] != 0 || b_hi_naf[i] != 0 {
             break;
@@ -147,17 +147,24 @@ pub fn mul_128_128_256(
 #[cfg(test)]
 mod test {
 
-    use rand::rng;
+    use rand::{RngCore, rng};
 
     use super::*;
     use crate::scalar::Scalar;
 
+    fn random_scalar() -> Scalar {
+        let mut wide = [0u8; 64];
+        let mut rng = rng();
+        rng.fill_bytes(&mut wide);
+        Scalar::from_bytes_mod_order_wide(&wide)
+    }
+
     #[test]
     fn test_triple_base_multiplication() {
         // Test vectors with random scalars
         let a1 = Scalar::from(12345u64);
         let a2 = Scalar::from(67890u64);
-        let b = Scalar::random(&mut rng());
+        let b = random_scalar();
 
         // Random points (using scalar multiplication of basepoint)
         let A1 = &constants::ED25519_BASEPOINT_POINT * &Scalar::from(2u64);
@@ -191,7 +198,7 @@ mod test {
         let a2 = Scalar::from_bytes_mod_order(a2_bytes);
 
         // Full 256-bit scalar for b
-        let b = Scalar::random(&mut rng());
+        let b = random_scalar();
 
         // Test points
         let A1 = &constants::ED25519_BASEPOINT_POINT * &Scalar::from(5u64);
@@ -210,7 +217,7 @@ mod test {
     fn test_triple_base_with_zero_scalars() {
         let a1 = Scalar::ZERO;
         let a2 = Scalar::from(123u64);
-        let b = Scalar::random(&mut rng());
+        let b = random_scalar();
 
         let A1 = &constants::ED25519_BASEPOINT_POINT * &Scalar::from(2u64);
         let A2 = &constants::ED25519_BASEPOINT_POINT * &Scalar::from(3u64);
@@ -225,7 +232,7 @@ mod test {
     fn test_triple_base_with_identity_points() {
         let a1 = Scalar::from(111u64);
         let a2 = Scalar::from(222u64);
-        let b = Scalar::random(&mut rng());
+        let b = random_scalar();
 
         let A1 = EdwardsPoint::identity();
         let A2 = &constants::ED25519_BASEPOINT_POINT * &Scalar::from(3u64);
@@ -241,7 +248,7 @@ mod test {
         // Test that both functions give the same result for 128-bit inputs
         let a1 = Scalar::from(0x123456789ABCDEFu64);
         let a2 = Scalar::from(0xFEDCBA987654321u64);
-        let b = Scalar::random(&mut rng());
+        let b = random_scalar();
 
         let A1 = &constants::ED25519_BASEPOINT_POINT * &Scalar::from(11u64);
         let A2 = &constants::ED25519_BASEPOINT_POINT * &Scalar::from(13u64);
@@ -268,7 +275,7 @@ mod test {
         }
         let a2 = Scalar::from_bytes_mod_order(a2_bytes);
 
-        let b = Scalar::random(&mut rng());
+        let b = random_scalar();
 
         let A1 = &constants::ED25519_BASEPOINT_POINT * &Scalar::from(17u64);
         let A2 = &constants::ED25519_BASEPOINT_POINT * &Scalar::from(19u64);
@@ -278,4 +285,42 @@ mod test {
 
         assert_eq!(result, expected);
     }
+
+    // Proptest for vartime_triple_scalar_mul_basepoint equivalence
+    proptest::proptest! {
+        #[test]
+        fn proptest_triple_scalar_mul_equivalence(
+            a1_bytes_16 in proptest::array::uniform16(proptest::num::u8::ANY),
+            a2_bytes_16 in proptest::array::uniform16(proptest::num::u8::ANY),
+            b_bytes in proptest::array::uniform32(proptest::num::u8::ANY),
+            A1_scalar_bytes in proptest::array::uniform32(proptest::num::u8::ANY),
+            A2_scalar_bytes in proptest::array::uniform32(proptest::num::u8::ANY),
+        ) {
+            // Construct 128-bit scalars a1 and a2 (upper 16 bytes are zero)
+            let mut a1_bytes = [0u8; 32];
+            let mut a2_bytes = [0u8; 32];
+            a1_bytes[..16].copy_from_slice(&a1_bytes_16);
+            a2_bytes[..16].copy_from_slice(&a2_bytes_16);
+
+            let a1 = Scalar::from_bytes_mod_order(a1_bytes);
+            let a2 = Scalar::from_bytes_mod_order(a2_bytes);
+
+            // Construct full 256-bit scalar b
+            let b = Scalar::from_bytes_mod_order(b_bytes);
+
+            // Generate random points A1 and A2 using scalar multiplication of basepoint
+            let A1_scalar = Scalar::from_bytes_mod_order(A1_scalar_bytes);
+            let A2_scalar = Scalar::from_bytes_mod_order(A2_scalar_bytes);
+            let A1 = &constants::ED25519_BASEPOINT_POINT * &A1_scalar;
+            let A2 = &constants::ED25519_BASEPOINT_POINT * &A2_scalar;
+
+            // Compute using the optimized triple-base function
+            let result_optimized = mul_128_128_256(&a1, &A1, &a2, &A2, &b);
+
+            // Compute using raw operations: a1*A1 + a2*A2 + b*B
+            let expected = &(&(&a1 * &A1) + &(&a2 * &A2)) + &(&b * &constants::ED25519_BASEPOINT_POINT);
+
+            proptest::prop_assert_eq!(result_optimized, expected, "Optimized triple scalar mul should equal raw operations");
+        }
+    }
 }

curve25519-dalek/src/backend/serial/u32/constants.rs

@@ -136,6 +136,48 @@ pub const ED25519_BASEPOINT_POINT: EdwardsPoint = EdwardsPoint {
     ]),
 };
 
+/// The Ed25519 basepoint, mul by 2^128, as an `EdwardsPoint`.
+pub const ED25519_BASEPOINT_128_POINT: EdwardsPoint = EdwardsPoint {
+    X: FieldElement2625::from_limbs([
+        2664042, 23449881, 8588504, 31570262, 52025907, 14016958, 17934911, 10536770, 36081707,
+        18715816,
+    ]),
+    Y: FieldElement2625::from_limbs([
+        53612635, 17322216, 64979144, 12220533, 27384794, 7796776, 63981171, 31808137, 3318544,
+        10876052,
+    ]),
+    Z: FieldElement2625::from_limbs([
+        38318927, 6633020, 30360108, 27133620, 43190211, 599215, 50990868, 21586734, 34463843,
+        14390137,
+    ]),
+    T: FieldElement2625::from_limbs([
+        46012201, 27645749, 48994527, 27092089, 44549182, 4023192, 8388284, 20428666, 53367776,
+        2097936,
+    ]),
+};
+
+#[cfg(all(test, feature = "precomputed-tables"))]
+mod tests {
+    use super::*;
+    use crate::window::NafLookupTable5;
+
+    #[test]
+    fn basepoint_128_table_matches_generated() {
+        let generated = NafLookupTable5::<ProjectiveNielsPoint>::from(&ED25519_BASEPOINT_128_POINT);
+
+        for (expected, actual) in AFFINE_ODD_MULTIPLES_OF_BASEPOINT_128
+            .0
+            .iter()
+            .zip(generated.0.iter())
+        {
+            assert_eq!(expected.Y_plus_X, actual.Y_plus_X);
+            assert_eq!(expected.Y_minus_X, actual.Y_minus_X);
+            assert_eq!(expected.Z, actual.Z);
+            assert_eq!(expected.T2d, actual.T2d);
+        }
+    }
+}
+
 /// The 8-torsion subgroup \\(\mathcal E \[8\]\\).
 ///
 /// In the case of Curve25519, it is cyclic; the \\(i\\)-th element of
@@ -4817,8 +4859,8 @@ pub(crate) const AFFINE_ODD_MULTIPLES_OF_BASEPOINT_128: NafLookupTable5<Projecti
     NafLookupTable5([
         ProjectiveNielsPoint {
             Y_plus_X: FieldElement2625::from_limbs([
-                56276677, 7217665, 6458785, 10236364, 12301838, 21813735, 14807218, 8790476,
-                39400252, 29591868,
+                56276677, 40772097, 73567648, 43790795, 79410701, 21813734, 81916082, 42344907,
+                39400251, 29591868,
             ]),
             Y_minus_X: FieldElement2625::from_limbs([
                 50948574, 27426767, 56390639, 14204703, 42467750, 27334249, 46046259, 21271367,
@@ -4835,8 +4877,8 @@ pub(crate) const AFFINE_ODD_MULTIPLES_OF_BASEPOINT_128: NafLookupTable5<Projecti
         },
         ProjectiveNielsPoint {
             Y_plus_X: FieldElement2625::from_limbs([
-                61573526, 26839672, 66658950, 7860582, 5467228, 30187735, 9483513, 29613442,
-                34510433, 30513335,
+                61573526, 60394104, 66658949, 41415014, 72576091, 30187734, 76592377, 63167873,
+                101619296, 30513334,
             ]),
             Y_minus_X: FieldElement2625::from_limbs([
                 51181788, 696007, 24915963, 12735707, 2911894, 7060820, 64624395, 1392014, 2117242,
@@ -4853,8 +4895,8 @@ pub(crate) const AFFINE_ODD_MULTIPLES_OF_BASEPOINT_128: NafLookupTable5<Projecti
         },
         ProjectiveNielsPoint {
             Y_plus_X: FieldElement2625::from_limbs([
-                63997925, 22141397, 16344335, 19270123, 11338216, 16163263, 54904184, 24982069,
-                56606655, 24922282,
+                63997925, 22141397, 83453199, 52824554, 78447079, 49717694, 122013047, 24982068,
+                56606655, 58476714,
             ]),
             Y_minus_X: FieldElement2625::from_limbs([
                 25892846, 11528509, 46114731, 26269695, 31949658, 18508240, 8742696, 14557236,
@@ -4871,8 +4913,8 @@ pub(crate) const AFFINE_ODD_MULTIPLES_OF_BASEPOINT_128: NafLookupTable5<Projecti
         },
         ProjectiveNielsPoint {
             Y_plus_X: FieldElement2625::from_limbs([
-                18135939, 20390706, 771316, 3834009, 62046955, 32059486, 53528634, 28397810,
-                53903558, 2683232,
+                85244803, 20390705, 67880180, 3834008, 62046955, 32059486, 53528634, 61952242,
+                53903557, 36237664,
             ]),
             Y_minus_X: FieldElement2625::from_limbs([
                 51282070, 16196724, 13662050, 32134248, 30369654, 19444710, 35256476, 33331300,
@@ -4889,8 +4931,8 @@ pub(crate) const AFFINE_ODD_MULTIPLES_OF_BASEPOINT_128: NafLookupTable5<Projecti
         },
         ProjectiveNielsPoint {
             Y_plus_X: FieldElement2625::from_limbs([
-                43828549, 14757490, 56664015, 24665671, 50233976, 14590870, 65779056, 33374083,
-                47093275, 4915216,
+                110937413, 48311921, 56664014, 24665671, 117342840, 14590869, 65779056, 33374083,
+                47093275, 38469648,
             ]),
             Y_minus_X: FieldElement2625::from_limbs([
                 11795097, 23045357, 37986619, 25517870, 61752555, 20274894, 5272019, 20059223,
@@ -4907,8 +4949,8 @@ pub(crate) const AFFINE_ODD_MULTIPLES_OF_BASEPOINT_128: NafLookupTable5<Projecti
         },
         ProjectiveNielsPoint {
             Y_plus_X: FieldElement2625::from_limbs([
-                22997800, 33050677, 60441767, 7973230, 30621382, 4134210, 41797844, 1978192,
-                58504534, 317870,
+                22997800, 33050677, 60441767, 41527662, 30621381, 4134210, 108906708, 35532623,
+                58504533, 33872302,
             ]),
             Y_minus_X: FieldElement2625::from_limbs([
                 6811554, 1638711, 35767789, 14166397, 19866339, 260838, 19580826, 7806685,
@@ -4925,8 +4967,8 @@ pub(crate) const AFFINE_ODD_MULTIPLES_OF_BASEPOINT_128: NafLookupTable5<Projecti
         },
         ProjectiveNielsPoint {
             Y_plus_X: FieldElement2625::from_limbs([
-                21843428, 19355043, 6522572, 1255394, 64421578, 23324883, 31082733, 13182074,
-                56269698, 27274610,
+                88952292, 52909474, 73631435, 34809825, 64421577, 23324883, 98191597, 46736505,
+                56269697, 27274610,
             ]),
             Y_minus_X: FieldElement2625::from_limbs([
                 36626131, 26445435, 43443322, 31269185, 4788786, 21966751, 10657839, 11622879,
@@ -4943,8 +4985,8 @@ pub(crate) const AFFINE_ODD_MULTIPLES_OF_BASEPOINT_128: NafLookupTable5<Projecti
         },
         ProjectiveNielsPoint {
             Y_plus_X: FieldElement2625::from_limbs([
-                47704924, 31694873, 47305006, 31556775, 44753887, 19755612, 25884799, 6259103,
-                377598, 26990890,
+                47704924, 31694873, 47305006, 31556775, 111862751, 53310043, 92993662, 39813534,
+                67486461, 60545321,
             ]),
             Y_minus_X: FieldElement2625::from_limbs([
                 4781635, 20898487, 30324746, 31566849, 66314586, 2020338, 46386772, 13303771,

curve25519-dalek/src/backend/serial/u64/constants.rs

@@ -187,28 +187,28 @@ pub const ED25519_BASEPOINT_POINT: EdwardsPoint = EdwardsPoint {
 
 /// The Ed25519 basepoint, mul by 2^128, as an `EdwardsPoint`.
 pub const ED25519_BASEPOINT_128_POINT: EdwardsPoint = EdwardsPoint {
-    X: FieldElement51([
+    X: FieldElement51::from_limbs([
         1573694877509226,
         2118644427590872,
         940662180141619,
         707110682864191,
         1255997186674731,
     ]),
-    Y: FieldElement51([
+    Y: FieldElement51::from_limbs([
         1162474291335259,
         820106152083656,
         523232807607258,
         2134608004007539,
         729879497843472,
     ]),
-    Z: FieldElement51([
+    Z: FieldElement51::from_limbs([
         445134475408207,
         1820906444767788,
         40212681131971,
         1448661247201044,
         965705781338211,
     ]),
-    T: FieldElement51([
+    T: FieldElement51::from_limbs([
         1855274855831337,
         1818119365171423,
         269991889323070,

curve25519-dalek/src/backend/vector/scalar_mul/vartime_triple_base.rs

@@ -9,7 +9,10 @@
 
 #[curve25519_dalek_derive::unsafe_target_feature_specialize(
     "avx2",
-    conditional("avx512ifma,avx512vl", nightly)
+    conditional(
+        "avx512ifma,avx512vl",
+        all(curve25519_dalek_backend = "unstable_avx512", nightly)
+    )
 )]
 pub mod spec {
 
@@ -25,14 +28,14 @@ pub mod spec {
     #[for_target_feature("avx2")]
     use crate::backend::vector::avx2::constants::BASEPOINT_ODD_LOOKUP_TABLE;
 
-    #[cfg(feature = "precomputed-tables")]
     #[for_target_feature("avx512ifma")]
     use crate::backend::vector::ifma::constants::BASEPOINT_ODD_LOOKUP_TABLE;
 
     use crate::constants;
     use crate::edwards::EdwardsPoint;
     use crate::scalar::HEEA_MAX_INDEX;
     use crate::scalar::Scalar;
+    #[allow(unused_imports)]
     use crate::traits::Identity;
     use crate::window::NafLookupTable5;