Add a batch verifier to multiexp, along with constant time variants

Saves ~8% during FROST key gen, even with dropping a vartime for a 
constant time (as needed to be secure), as the new batch verifier is 
used where batch verification previously wasn't. The new multiexp API 
itself also offered a very slight performance boost, which may solely be 
a measurement error.

Handles most of https://github.com/serai-dex/serai/issues/10. The blame 
function isn't binary searched nor randomly sorted yet.
Luke Parker
2022-05-27 00:52:44 -04:00
parent c398b246ff
commit c90e957e6a
10 changed files with 161 additions and 98 deletions


@@ -7,7 +7,6 @@ use blake2::{digest::Update, Digest, Blake2b512};
use curve25519_dalek::{
constants::ED25519_BASEPOINT_TABLE as DTable,
traits::VartimeMultiscalarMul,
scalar::Scalar as DScalar,
edwards::EdwardsPoint as DPoint
};
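Review bot: dropping the `traits::VartimeMultiscalarMul` import at the top of this hunk is only safe if every remaining `vartime_multiscalar_mul` call in this file goes with it; the hunk below removes the one call in `impl Curve for Ed25519`, so confirm no other use remains, otherwise the file will fail to compile with an unresolved trait method.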
@@ -56,8 +55,8 @@ impl Curve for Ed25519 {
&dfg::ED25519_BASEPOINT_TABLE
}
fn multiexp_vartime(scalars: &[Self::F], points: &[Self::G]) -> Self::G {
dfg::EdwardsPoint(DPoint::vartime_multiscalar_mul(scalars, points))
fn little_endian() -> bool {
true
}
// This, as used by CLSAG, will already be a keccak256 hash
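Review bot: removing `multiexp_vartime` from `impl Curve for Ed25519` is a trait-surface change, and this hunk does not show the corresponding edit to the `Curve` trait definition or to the callers that previously relied on it; confirm the trait no longer requires the method and that the remaining call sites now go through the constant-time multiexp, since the commit message states the variable-time path was dropped deliberately to keep secret-dependent scalar multiplications constant time. A short doc comment on the replacement API noting which variant is constant time would also help future implementers of other curves avoid reintroducing a vartime path for secret scalars.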


@@ -62,7 +62,7 @@ pub fn generate_keys() -> (HashMap<u16, MultisigKeys<Ed25519>>, Scalar) {
}
our_secret_shares.insert(*l, shares[&i].clone());
}
keys.insert(*i, machine.complete(our_secret_shares).unwrap().clone());
keys.insert(*i, machine.complete(&mut OsRng, our_secret_shares).unwrap().clone());
}
let mut group_private = Scalar::zero();
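Review bot: `machine.complete(&mut OsRng, our_secret_shares)` now threads an RNG into key-generation completion, presumably for the batch verifier's random weights, but the hunk shows no matching `use` line for `OsRng` in this test module; confirm the import is already present or added elsewhere in the file. It is also worth a comment at the call site (or on `complete`) stating that the RNG must be cryptographically secure, because a batch verifier whose weights are predictable can be made to accept an invalid share, and the test here would not catch that.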