Switch to Montgomery representation

icicle/CMakeLists.txt

@@ -106,6 +106,11 @@ if (HASH)
   setup_hash_target()
 endif()
 
+option(BARRET "Enable memory address sanitizer" OFF)
+if(BARRET)
+  add_compile_definitions(BARRET)
+endif()
+
 if (CPU_BACKEND)
   add_subdirectory(backend/cpu)
 endif()

icicle/backend/cpu/src/curve/cpu_msm.hpp

@@ -451,9 +451,13 @@ void Msm<A, P>::phase1_bucket_accumulator(const scalar_t* scalars, const A* base
     bool negate_p_and_s = scalar.get_scalar_digit(scalar_t::NBITS - 1, 1) > 0;
     if (negate_p_and_s) { scalar = scalar_t::neg(scalar); }
     for (int j = 0; j < m_precompute_factor; j++) {
-      // Handle required preprocess of base P
+      // Handle required preprocess of base P according to the version of Field/Ec adder (accepting Barret / Montgomery)
       A base =
+#ifdef BARRET
         m_are_points_mont ? A::from_montgomery(bases[m_precompute_factor * i + j]) : bases[m_precompute_factor * i + j];
+#else
+        m_are_points_mont ? bases[m_precompute_factor * i + j] : A::to_montgomery(bases[m_precompute_factor * i + j]);
+#endif
       if (base == A::zero()) { continue; }
       if (negate_p_and_s) { base = A::neg(base); }
 
@@ -780,12 +784,23 @@ eIcicleError cpu_msm_precompute_bases(
   const unsigned int shift = c * ((num_bms_no_precomp - 1) / precompute_factor + 1);
   for (int i = 0; i < nof_bases; i++) {
     output_bases[precompute_factor * i] = input_bases[i];
-    P point = P::from_affine(is_mont ? A::from_montgomery(input_bases[i]) : input_bases[i]);
+    // Handle required preprocess of base P according to the version of Field/Ec adder (accepting Barret / Montgomery)
+    P point =
+#ifdef BARRET
+      P::from_affine(is_mont ? A::from_montgomery(input_bases[i]) : input_bases[i]);
+#else
+      P::from_affine(is_mont ? input_bases[i] : A::to_montgomery(input_bases[i]));
+#endif
     for (int j = 1; j < precompute_factor; j++) {
       for (int k = 0; k < shift; k++) {
         point = P::dbl(point);
       }
-      output_bases[precompute_factor * i + j] = is_mont ? A::to_montgomery(P::to_affine(point)) : P::to_affine(point);
+      output_bases[precompute_factor * i + j] =
+#ifdef BARRET
+        is_mont ? A::to_montgomery(P::to_affine(point)) : P::to_affine(point);
+#else
+        is_mont ? P::to_affine(point) : A::from_montgomery(P::to_affine(point));
+#endif
     }
   }
   return eIcicleError::SUCCESS;

icicle/include/icicle/curves/projective.h

@@ -47,7 +47,14 @@ class Projective
     return {FF::from_montgomery(point.x), FF::from_montgomery(point.y), FF::from_montgomery(point.z)};
   }
 
+#ifdef BARRET
   static HOST_DEVICE_INLINE Projective generator() { return {Gen::gen_x, Gen::gen_y, FF::one()}; }
+#else
+  static HOST_DEVICE_INLINE Projective generator()
+  {
+    return {FF::to_montgomery(Gen::gen_x), FF::to_montgomery(Gen::gen_y), FF::one()};
+  }
+#endif
 
   static HOST_DEVICE_INLINE Projective neg(const Projective& point) { return {point.x, FF::neg(point.y), point.z}; }
 
@@ -179,6 +186,10 @@ class Projective
 
   friend HOST_DEVICE Projective operator*(SCALAR_FF scalar, const Projective& point)
   {
+#ifndef BARRET
+    scalar = SCALAR_FF::from_montgomery(scalar);
+#endif
+
     // Precompute points: P, 2P, ..., (2^window_size - 1)P
     constexpr unsigned window_size =
       4; // 4 seems fastest. Optimum is minimizing EC add and depends on the field size. for 256b it's 4.

icicle/include/icicle/fields/complex_extension.h

@@ -48,12 +48,12 @@ class ComplexExtensionField
 
   static constexpr HOST_DEVICE_INLINE ComplexExtensionField to_montgomery(const ComplexExtensionField& xs)
   {
-    return ComplexExtensionField{xs.real * FF{CONFIG::montgomery_r}, xs.imaginary * FF{CONFIG::montgomery_r}};
+    return ComplexExtensionField{FF::to_montgomery(xs.real), FF::to_montgomery(xs.imaginary)};
   }
 
   static constexpr HOST_DEVICE_INLINE ComplexExtensionField from_montgomery(const ComplexExtensionField& xs)
   {
-    return ComplexExtensionField{xs.real * FF{CONFIG::montgomery_r_inv}, xs.imaginary * FF{CONFIG::montgomery_r_inv}};
+    return ComplexExtensionField{FF::from_montgomery(xs.real), FF::from_montgomery(xs.imaginary)};
   }
 
   static HOST_INLINE ComplexExtensionField rand_host()
@@ -128,17 +128,14 @@ class ComplexExtensionField
     return ExtensionWide{FF::mul_wide(xs.real, ys), FF::mul_wide(xs.imaginary, ys)};
   }
 
-  template <unsigned MODULUS_MULTIPLE = 1>
   static constexpr HOST_DEVICE_INLINE ExtensionWide mul_wide(const FF& xs, const ComplexExtensionField& ys)
   {
     return mul_wide(ys, xs);
   }
 
-  template <unsigned MODULUS_MULTIPLE = 1>
   static constexpr HOST_DEVICE_INLINE ComplexExtensionField reduce(const ExtensionWide& xs)
   {
-    return ComplexExtensionField{
-      FF::template reduce<MODULUS_MULTIPLE>(xs.real), FF::template reduce<MODULUS_MULTIPLE>(xs.imaginary)};
+    return ComplexExtensionField{FF::reduce(xs.real), FF::reduce(xs.imaginary)};
   }
 
   template <class T1, class T2>