Precompute DlogProverInput.public_image

This avoids repeated multiplications by group element when signing

Author: SethDusek

Cargo.toml

@@ -36,8 +36,8 @@ ergo-nipopow = { version = "^0.15", path = "./ergo-nipopow" }
 ergo-merkle-tree = { version = "^0.15.0", path = "./ergo-merkle-tree" }
 ergo-rest = { version = "^0.13.0", path = "./ergo-rest" }
 ergo-lib = { version = "^0.28.0", path = "./ergo-lib"}
-k256 = { version = "0.13.1", features = ["arithmetic", "ecdsa"] }
-elliptic-curve = { version = "0.12", features = ["ff"] }
+k256 = { version = "0.13.1", features = ["arithmetic", "ecdsa", "precomputed-tables"] }
+elliptic-curve = { version = "0.13.8", features = ["ff"] }
 thiserror = "1"
 bounded-vec = { version = "^0.7.0" }
 bitvec = { version = "1.0.1" }

ergo-chain-types/src/ec_point.rs

@@ -10,7 +10,7 @@ use std::convert::TryFrom;
 use std::ops::{Add, Mul, Neg};
 
 /// Elliptic curve point
-#[derive(PartialEq, Clone, Default, From, Into)]
+#[derive(PartialEq, Clone, Copy, Default, From, Into)]
 #[cfg_attr(
     feature = "json",
     derive(serde::Serialize, serde::Deserialize),

ergotree-interpreter/src/sigma_protocol/dlog_protocol.rs

@@ -105,7 +105,7 @@ pub mod interactive_prover {
     /// The function computes initial prover's commitment to randomness
     /// ("a" message of the sigma-protocol) based on the verifier's challenge ("e")
     /// and prover's response ("z")
-    ///  
+    ///
     /// g^z = a*h^e => a = g^z/h^e
     pub fn compute_commitment(
         proposition: &ProveDlog,

ergotree-interpreter/src/sigma_protocol/private_input.rs

@@ -2,6 +2,7 @@
 use std::convert::TryInto;
 use std::fmt::Formatter;
 
+use elliptic_curve::ops::MulByGenerator;
 use ergo_chain_types::EcPoint;
 use ergotree_ir::serialization::SigmaSerializable;
 use ergotree_ir::sigma_protocol::dlog_group;
@@ -13,6 +14,7 @@ use ergotree_ir::sigma_protocol::sigma_boolean::SigmaBoolean;
 extern crate derive_more;
 use derive_more::From;
 use k256::elliptic_curve::PrimeField;
+use k256::ProjectivePoint;
 use num_bigint::BigUint;
 use num_traits::ToPrimitive;
 
@@ -22,10 +24,12 @@ use super::wscalar::Wscalar;
 /// Secret key of discrete logarithm signature protocol
 #[cfg_attr(feature = "json", derive(serde::Serialize, serde::Deserialize))]
 #[cfg_attr(feature = "json", serde(transparent))]
-#[derive(PartialEq, Eq, Clone, derive_more::From)]
+#[derive(PartialEq, Eq, Clone)]
 pub struct DlogProverInput {
     /// secret key value
     pub w: Wscalar,
+    #[serde(skip)]
+    pk: EcPoint,
 }
 
 impl std::fmt::Debug for DlogProverInput {
@@ -35,22 +39,35 @@ impl std::fmt::Debug for DlogProverInput {
     }
 }
 
+impl From<Wscalar> for DlogProverInput {
+    fn from(scalar: Wscalar) -> Self {
+        DlogProverInput::new(scalar)
+    }
+}
+
 impl DlogProverInput {
     /// Scalar(secret key) size in bytes
     pub const SIZE_BYTES: usize = 32;
 
+    /// Create new DlogProverInput
+    pub fn new(w: Wscalar) -> DlogProverInput {
+        Self {
+            pk: EcPoint::from(ProjectivePoint::mul_by_generator(w.as_scalar_ref())),
+            w,
+        }
+    }
     /// generates random secret in the range [0, n), where n is DLog group order.
     pub fn random() -> DlogProverInput {
-        DlogProverInput {
-            w: dlog_group::random_scalar_in_group_range(crypto_utils::secure_rng()).into(),
-        }
+        DlogProverInput::new(
+            dlog_group::random_scalar_in_group_range(crypto_utils::secure_rng()).into(),
+        )
     }
 
     /// Attempts to parse the given byte array as an SEC-1-encoded scalar(secret key).
     /// Returns None if the byte array does not contain a big-endian integer in the range [0, modulus).
     pub fn from_bytes(bytes: &[u8; DlogProverInput::SIZE_BYTES]) -> Option<DlogProverInput> {
         k256::Scalar::from_repr((*bytes).into())
-            .map(|s| DlogProverInput::from(Wscalar::from(s)))
+            .map(|s| DlogProverInput::new(Wscalar::from(s)))
             .into()
     }
 
@@ -87,12 +104,7 @@ impl DlogProverInput {
 
     /// public key of discrete logarithm signature protocol
     pub fn public_image(&self) -> ProveDlog {
-        // test it, see https://github.com/ergoplatform/sigma-rust/issues/38
-        let g = ergo_chain_types::ec_point::generator();
-        ProveDlog::new(ergo_chain_types::ec_point::exponentiate(
-            &g,
-            self.w.as_scalar_ref(),
-        ))
+        ProveDlog::new(self.pk)
     }
 
     /// Return true if the secret is 0