Concordium · annenkov · Jan 3, 2024 · Oct 5, 2023 · Oct 5, 2023 · Oct 6, 2023
diff --git a/mobile_wallet/Cargo.lock b/mobile_wallet/Cargo.lock
diff --git a/rust-src/Cargo.lock b/rust-src/Cargo.lock
diff --git a/rust-src/concordium_base/CHANGELOG.md b/rust-src/concordium_base/CHANGELOG.md
@@ -1,6 +1,9 @@
 ## Unreleased changes
 
 - Improve performance of `multiexp*` family of functions.
+- Add traits `Field` and `PrimeField` with implementations for the underlying field of the `BLS12-381`` curve.
+- Add `MultiExp` trait that allows to have different `multiexp` algorithm implementations for different curves.
+- Add implementations of `Field`, `PrimeField` and `Curve` for the Ristretto representation of `curve25519`.
 - Support `P7` protocol version.
 - The `Debug` implementation for `ContractEvent` displays the value in `hex`.
   The alternate formatter (using `#`) displays it as a list of bytes.

diff --git a/rust-src/concordium_base/benches/bulletproofs.rs b/rust-src/concordium_base/benches/bulletproofs.rs
@@ -11,16 +11,14 @@ use concordium_base::{
     random_oracle::RandomOracle,
 };
 use criterion::Criterion;
-use ff::Field;
-use pairing::bls12_381::{Fr, G1};
+use curve25519_dalek::ristretto::RistrettoPoint;
+use pairing::bls12_381::G1;
 use rand::*;
 use std::time::Duration;
 
-type SomeCurve = G1;
-type SomeField = Fr;
-
-pub fn prove_verify_benchmarks(c: &mut Criterion) {
-    let mut group = c.benchmark_group("Range Proof");
+pub fn prove_verify_benchmarks<SomeCurve: Curve>(c: &mut Criterion) {
+    let bench_group_name = "Range Proof for ".to_owned() + std::any::type_name::<SomeCurve>();
+    let mut group = c.benchmark_group(bench_group_name);
 
     let rng = &mut thread_rng();
     let n: u8 = 32;
@@ -118,8 +116,12 @@ pub fn prove_verify_benchmarks(c: &mut Criterion) {
 }
 
 #[allow(non_snake_case)]
-fn compare_inner_product_proof(c: &mut Criterion) {
-    let mut group = c.benchmark_group("Inner-Product Proof");
+fn compare_inner_product_proof<SomeCurve: Curve>(c: &mut Criterion) {
+    let bench_group_name = format!(
+        "Inner-Product Proof for {}",
+        std::any::type_name::<SomeCurve>()
+    );
+    let mut group = c.benchmark_group(bench_group_name);
 
     // Testing with n = 4
     let rng = &mut thread_rng();
@@ -145,15 +147,15 @@ fn compare_inner_product_proof(c: &mut Criterion) {
     let H = H_vec.clone();
     let mut H_prime: Vec<SomeCurve> = Vec::with_capacity(n);
     let y_inv = y.inverse().unwrap();
-    let mut H_prime_scalars: Vec<SomeField> = Vec::with_capacity(n);
+    let mut H_prime_scalars: Vec<<SomeCurve as Curve>::Scalar> = Vec::with_capacity(n);
     let mut transcript = RandomOracle::empty();
     let G_vec_p = G_vec.clone();
     let H_vec_p = H_vec.clone();
     let a_vec_p = a_vec.clone();
     let b_vec_p = b_vec.clone();
     group.bench_function("Naive inner product proof", move |b| {
         b.iter(|| {
-            let mut y_inv_i = SomeField::one();
+            let mut y_inv_i = <SomeCurve as Curve>::Scalar::one();
             for h in H.iter().take(n) {
                 H_prime.push(h.mul_by_scalar(&y_inv_i));
                 y_inv_i.mul_assign(&y_inv);
@@ -164,7 +166,7 @@ fn compare_inner_product_proof(c: &mut Criterion) {
     let mut transcript = RandomOracle::empty();
     group.bench_function("Better inner product proof with scalars", move |b| {
         b.iter(|| {
-            let mut y_inv_i = SomeField::one();
+            let mut y_inv_i = <SomeCurve as Curve>::Scalar::one();
             for _ in 0..n {
                 H_prime_scalars.push(y_inv_i);
                 y_inv_i.mul_assign(&y_inv);
@@ -185,5 +187,5 @@ fn compare_inner_product_proof(c: &mut Criterion) {
 criterion_group!(
     name = benchmarks;
     config = Criterion::default().measurement_time(Duration::from_millis(1000)).sample_size(10);
-    targets = prove_verify_benchmarks, compare_inner_product_proof);
+    targets = prove_verify_benchmarks::<G1>, prove_verify_benchmarks::<RistrettoPoint>, compare_inner_product_proof::<G1>, compare_inner_product_proof::<RistrettoPoint>);
 criterion_main!(benchmarks);
diff --git a/rust-src/concordium_base/benches/multiexp_bench.rs b/rust-src/concordium_base/benches/multiexp_bench.rs
@@ -3,10 +3,12 @@ extern crate criterion;
 
 use concordium_base::curve_arithmetic::*;
 use criterion::Criterion;
+use curve25519_dalek::ristretto::RistrettoPoint;
 use pairing::bls12_381::G1;
 use rand::*;
+use std::time::Duration;
 
-pub fn bench_multiexp(c: &mut Criterion) {
+pub fn bench_multiexp_bls(c: &mut Criterion) {
     let mut csprng = thread_rng();
     let m = 3;
     let ns = (1..=m).map(|x| x * x);
@@ -21,7 +23,7 @@ pub fn bench_multiexp(c: &mut Criterion) {
         let gsc = gs[..i].to_vec();
         let esc = es[..i].to_vec();
         let mut group = c.benchmark_group(format!("Group({})", i));
-        group.bench_function(format!("{}: Baseline", module_path!()), move |b| {
+        group.bench_function(format!("{}: Baseline for BLS", module_path!()), move |b| {
             b.iter(|| {
                 let mut a = G1::zero_point();
                 for (g, e) in gsc.iter().zip(esc.iter()) {
@@ -33,13 +35,67 @@ pub fn bench_multiexp(c: &mut Criterion) {
             let gsc = gs[..i].to_vec();
             let esc = es[..i].to_vec();
             group.bench_function(
-                &format!("{}: Multiexp (window = {w})", module_path!()),
-                move |b| b.iter(|| multiexp_worker(&gsc, &esc, w)),
+                &format!("{}: Multiexp for BLS (window = {w})", module_path!()),
+                move |b| b.iter(|| GenericMultiExp::new(&gsc, w).multiexp(&esc)),
             );
         }
         group.finish();
     }
 }
 
-criterion_group!(multiexp_benchmarks, bench_multiexp);
+// Benchmarking multi-exponentiation over the Ristretto curve. Note that we have
+// two multiexp algorithms in our library: one that is tailor-made for the
+// Ristretto curve, and one generic algorithm for other curves (e.g., BLS).
+// The purpose of this benchmark is to measure the running time of the multiexp
+// algorithm for the Ristretto curve.
+pub fn bench_multiexp_ristretto(c: &mut Criterion) {
+    let mut csprng = thread_rng();
+    let m = 3;
+    let ns = (1..=m).map(|x| x * x);
+    let mut gs: Vec<RistrettoPoint> = Vec::with_capacity(m * m);
+    let mut es: Vec<<RistrettoPoint as Curve>::Scalar> = Vec::with_capacity(m * m);
+    for _ in 0..(m * m) {
+        gs.push(RistrettoPoint::generate(&mut csprng));
+        es.push(RistrettoPoint::generate_scalar(&mut csprng));
+    }
+
+    for i in ns {
+        let gsc = gs[..i].to_vec();
+        let esc = es[..i].to_vec();
+        let mut group = c.benchmark_group(format!("Group({})", i));
+        group.bench_function(
+            format!("{}: Baseline for Ristretto", module_path!()),
+            move |b| {
+                b.iter(|| {
+                    let mut a = RistrettoPoint::zero_point();
+                    for (g, e) in gsc.iter().zip(esc.iter()) {
+                        a = a.plus_point(&g.mul_by_scalar(e))
+                    }
+                })
+            },
+        );
+
+        let gsc = gs[..i].to_vec();
+        let esc = es[..i].to_vec();
+        group.bench_function(
+            format!("{}: Multiexp for Ristretto", module_path!()),
+            move |b| {
+                b.iter(|| {
+                    // Create msm algorithm instance with a precomputed point table.
+                    // For the Ristretto curve it will use the RistrettoMultiExpNoPrecompute and
+                    // our generic implementation for the BLS curve.
+                    let msm = RistrettoPoint::new_multiexp(&gsc);
+                    msm.multiexp(&esc);
+                })
+            },
+        );
+
+        group.finish();
+    }
+}
+
+criterion_group!(
+    name = multiexp_benchmarks;
+    config = Criterion::default().measurement_time(Duration::from_millis(10000)).sample_size(100);
+    targets = bench_multiexp_bls, bench_multiexp_ristretto);
 criterion_main!(multiexp_benchmarks);
diff --git a/rust-src/concordium_base/src/aggregate_sig/mod.rs b/rust-src/concordium_base/src/aggregate_sig/mod.rs
@@ -4,11 +4,10 @@ mod ffi;
 
 use crate::{
     common::{SerdeBase16Serialize, Serialize, *},
-    curve_arithmetic::{Curve, Pairing, Value},
+    curve_arithmetic::{Curve, Field, Pairing, Value},
     random_oracle::RandomOracle,
     sigma_protocols::{common::*, dlog::*},
 };
-use ff::Field;
 use rand::Rng;
 use rayon::iter::*;
 use sha2::{digest::Output, Digest, Sha512};

diff --git a/rust-src/concordium_base/src/bulletproofs/inner_product_proof.rs b/rust-src/concordium_base/src/bulletproofs/inner_product_proof.rs
@@ -2,10 +2,9 @@
 //! this crate
 use crate::{
     common::*,
-    curve_arithmetic::{multiexp, Curve},
+    curve_arithmetic::{multiexp, Curve, Field},
     random_oracle::RandomOracle,
 };
-use ff::Field;
 
 /// Inner product proof
 #[derive(Clone, Serialize, Debug)]

diff --git a/rust-src/concordium_base/src/bulletproofs/range_proof.rs b/rust-src/concordium_base/src/bulletproofs/range_proof.rs
@@ -2,12 +2,11 @@
 use super::{inner_product_proof::*, utils::*};
 use crate::{
     common::*,
-    curve_arithmetic::{multiexp, multiexp_table, multiexp_worker_given_table, Curve, Value},
+    curve_arithmetic::{multiexp, Curve, Field, MultiExp, PrimeField, Value},
     id::id_proof_types::ProofVersion,
     pedersen_commitment::*,
     random_oracle::RandomOracle,
 };
-use ff::{Field, PrimeField};
 use rand::*;
 use std::iter::once;
 
@@ -92,7 +91,7 @@ pub fn prove_given_scalars<C: Curve, T: Rng>(
     let mut v_integers = Vec::with_capacity(v_vec.len());
     for &v in v_vec {
         let rep = v.into_repr();
-        let r = rep.as_ref()[0];
+        let r = rep[0];
         v_integers.push(r);
     }
 
@@ -226,10 +225,9 @@ pub fn prove<C: Curve, T: Rng>(
         .chain(once(B_tilde))
         .collect();
     // compute A and S comittments using multi exponentiation
-    let window_size = 4;
-    let table = multiexp_table(&GH_B_tilde, window_size);
-    let A = multiexp_worker_given_table(&A_scalars, &table, window_size);
-    let S = multiexp_worker_given_table(&S_scalars, &table, window_size);
+    let multiexp_alg = C::new_multiexp(&GH_B_tilde);
+    let A = multiexp_alg.multiexp(&A_scalars);
+    let S = multiexp_alg.multiexp(&S_scalars);
     // append commitments A and S to transcript
     transcript.append_message(b"A", &A);
     transcript.append_message(b"S", &S);

diff --git a/rust-src/concordium_base/src/bulletproofs/set_membership_proof.rs b/rust-src/concordium_base/src/bulletproofs/set_membership_proof.rs
@@ -2,12 +2,11 @@
 use super::{inner_product_proof::*, utils::*};
 use crate::{
     common::*,
-    curve_arithmetic::{multiexp, multiexp_table, multiexp_worker_given_table, Curve},
+    curve_arithmetic::{multiexp, Curve, Field, MultiExp},
     id::id_proof_types::ProofVersion,
     pedersen_commitment::*,
     random_oracle::RandomOracle,
 };
-use ff::Field;
 use rand::*;
 use std::{convert::TryInto, iter::once};
 
@@ -169,10 +168,9 @@ pub fn prove<C: Curve, R: Rng>(
         .chain(once(B_tilde))
         .collect();
     // compute A and S commitments using multi exponentiation
-    let window_size = 4;
-    let table = multiexp_table(&GH_B_tilde, window_size);
-    let A = multiexp_worker_given_table(&A_scalars, &table, window_size);
-    let S = multiexp_worker_given_table(&S_scalars, &table, window_size);
+    let mexp = C::new_multiexp(&GH_B_tilde);
+    let A = mexp.multiexp(&A_scalars);
+    let S = mexp.multiexp(&S_scalars);
     // append commitments A and S to transcript
     transcript.append_message(b"A", &A);
     transcript.append_message(b"S", &S);