k256: IDENTITY and GENERATOR point constants (#511)

Adds inherent constants to `AffinePoint` and `ProjectivePoint`
representing the identity and generator points.

This should make it possible to write `const fn`s that produce things
like precomputed basepoint tables (see #508).

Deprecates the previous inherent methods on `ProjectivePoint` for
returning these constants.

Author: tarcieri

k256/bench/scalar.rs

@@ -28,14 +28,14 @@ fn test_scalar_y() -> Scalar {
 }
 
 fn bench_point_mul<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
-    let p = ProjectivePoint::generator();
+    let p = ProjectivePoint::GENERATOR;
     let m = hex!("AA5E28D6A97A2479A65527F7290311A3624D4CC0FA1578598EE3C2613BF99522");
     let s = Scalar::from_repr(m.into()).unwrap();
     group.bench_function("point-scalar mul", |b| b.iter(|| &p * &s));
 }
 
 fn bench_point_lincomb<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
-    let p = ProjectivePoint::generator();
+    let p = ProjectivePoint::GENERATOR;
     let m = hex!("AA5E28D6A97A2479A65527F7290311A3624D4CC0FA1578598EE3C2613BF99522");
     let s = Scalar::from_repr(m.into()).unwrap();
     group.bench_function("lincomb via mul+add", |b| b.iter(|| &p * &s + &p * &s));

k256/src/arithmetic/affine.rs

@@ -6,8 +6,6 @@ use super::{FieldElement, ProjectivePoint, CURVE_EQUATION_B};
 use crate::{CompressedPoint, EncodedPoint, FieldBytes, Scalar, Secp256k1};
 use core::ops::{Mul, Neg};
 use elliptic_curve::{
-    ff::Field,
-    generic_array::arr,
     group::{prime::PrimeCurveAffine, GroupEncoding},
     sec1::{self, FromEncodedPoint, ToEncodedPoint},
     subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption},
@@ -39,9 +37,46 @@ use elliptic_curve::serde::{de, ser, Deserialize, Serialize};
 #[derive(Clone, Copy, Debug)]
 #[cfg_attr(docsrs, doc(cfg(feature = "arithmetic")))]
 pub struct AffinePoint {
+    /// x-coordinate
     pub(crate) x: FieldElement,
+
+    /// y-coordinate
     pub(crate) y: FieldElement,
-    pub(super) infinity: Choice,
+
+    /// Is this point the point at infinity? 0 = no, 1 = yes
+    ///
+    /// This is a proxy for [`Choice`], but uses `u8` instead to permit `const`
+    /// constructors for `IDENTITY` and `GENERATOR`.
+    pub(super) infinity: u8,
+}
+
+impl AffinePoint {
+    /// Additive identity of the group: the point at infinity.
+    pub const IDENTITY: Self = Self {
+        x: FieldElement::ZERO,
+        y: FieldElement::ZERO,
+        infinity: 1,
+    };
+
+    /// Base point of secp256k1.
+    ///
+    /// ```text
+    /// Gₓ = 79be667e f9dcbbac 55a06295 ce870b07 029bfcdb 2dce28d9 59f2815b 16f81798
+    /// Gᵧ = 483ada77 26a3c465 5da4fbfc 0e1108a8 fd17b448 a6855419 9c47d08f fb10d4b8
+    /// ```
+    pub const GENERATOR: Self = Self {
+        x: FieldElement::from_bytes_unchecked(&[
+            0x79, 0xbe, 0x66, 0x7e, 0xf9, 0xdc, 0xbb, 0xac, 0x55, 0xa0, 0x62, 0x95, 0xce, 0x87,
+            0x0b, 0x07, 0x02, 0x9b, 0xfc, 0xdb, 0x2d, 0xce, 0x28, 0xd9, 0x59, 0xf2, 0x81, 0x5b,
+            0x16, 0xf8, 0x17, 0x98,
+        ]),
+        y: FieldElement::from_bytes_unchecked(&[
+            0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc, 0x0e, 0x11,
+            0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19, 0x9c, 0x47, 0xd0, 0x8f,
+            0xfb, 0x10, 0xd4, 0xb8,
+        ]),
+        infinity: 0,
+    };
 }
 
 impl PrimeCurveAffine for AffinePoint {
@@ -50,38 +85,17 @@ impl PrimeCurveAffine for AffinePoint {
 
     /// Returns the identity of the group: the point at infinity.
     fn identity() -> Self {
-        Self {
-            x: FieldElement::zero(),
-            y: FieldElement::zero(),
-            infinity: Choice::from(1),
-        }
+        Self::IDENTITY
     }
 
-    /// Returns the base point of SECP256k1.
+    /// Returns the base point of secp256k1.
     fn generator() -> Self {
-        // SECP256k1 basepoint in affine coordinates:
-        // x = 79be667e f9dcbbac 55a06295 ce870b07 029bfcdb 2dce28d9 59f2815b 16f81798
-        // y = 483ada77 26a3c465 5da4fbfc 0e1108a8 fd17b448 a6855419 9c47d08f fb10d4b8
-        AffinePoint {
-            x: FieldElement::from_bytes(&arr![u8;
-                0x79, 0xbe, 0x66, 0x7e, 0xf9, 0xdc, 0xbb, 0xac, 0x55, 0xa0, 0x62, 0x95, 0xce, 0x87,
-                0x0b, 0x07, 0x02, 0x9b, 0xfc, 0xdb, 0x2d, 0xce, 0x28, 0xd9, 0x59, 0xf2, 0x81, 0x5b,
-                0x16, 0xf8, 0x17, 0x98
-            ])
-            .unwrap(),
-            y: FieldElement::from_bytes(&arr![u8;
-                0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc, 0x0e, 0x11,
-                0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19, 0x9c, 0x47, 0xd0, 0x8f,
-                0xfb, 0x10, 0xd4, 0xb8
-            ])
-            .unwrap(),
-            infinity: Choice::from(0),
-        }
+        Self::GENERATOR
     }
 
     /// Is this point the identity point?
     fn is_identity(&self) -> Choice {
-        self.infinity
+        Choice::from(self.infinity)
     }
 
     /// Convert to curve representation.
@@ -101,7 +115,7 @@ impl ConditionallySelectable for AffinePoint {
         AffinePoint {
             x: FieldElement::conditional_select(&a.x, &b.x, choice),
             y: FieldElement::conditional_select(&a.y, &b.y, choice),
-            infinity: Choice::conditional_select(&a.infinity, &b.infinity, choice),
+            infinity: u8::conditional_select(&a.infinity, &b.infinity, choice),
         }
     }
 }
@@ -116,7 +130,7 @@ impl ConstantTimeEq for AffinePoint {
 
 impl Default for AffinePoint {
     fn default() -> Self {
-        Self::identity()
+        Self::IDENTITY
     }
 }
 
@@ -146,7 +160,7 @@ impl DecompressPoint<Secp256k1> for AffinePoint {
                 Self {
                     x,
                     y: y.normalize(),
-                    infinity: Choice::from(0),
+                    infinity: 0,
                 }
             })
         })
@@ -189,7 +203,7 @@ impl FromEncodedPoint<Secp256k1> for AffinePoint {
     /// `None` value if `encoded_point` is not on the secp256k1 curve.
     fn from_encoded_point(encoded_point: &EncodedPoint) -> CtOption<Self> {
         match encoded_point.coordinates() {
-            sec1::Coordinates::Identity => CtOption::new(Self::identity(), 1.into()),
+            sec1::Coordinates::Identity => CtOption::new(Self::IDENTITY, 1.into()),
             sec1::Coordinates::Compact { .. } => {
                 // TODO(tarcieri): add decompaction support
                 CtOption::new(Self::default(), 0.into())
@@ -206,11 +220,7 @@ impl FromEncodedPoint<Secp256k1> for AffinePoint {
                         // Check that the point is on the curve
                         let lhs = (y * &y).negate(1);
                         let rhs = x * &x * &x + &CURVE_EQUATION_B;
-                        let point = AffinePoint {
-                            x,
-                            y,
-                            infinity: Choice::from(0),
-                        };
+                        let point = AffinePoint { x, y, infinity: 0 };
                         CtOption::new(point, (lhs + &rhs).normalizes_to_zero())
                     })
                 })
@@ -228,7 +238,7 @@ impl ToEncodedPoint<Secp256k1> for AffinePoint {
                 compress,
             ),
             &EncodedPoint::identity(),
-            self.infinity,
+            self.is_identity(),
         )
     }
 }
@@ -369,16 +379,16 @@ mod tests {
 
     #[test]
     fn affine_negation() {
-        let basepoint = AffinePoint::generator();
+        let basepoint = AffinePoint::GENERATOR;
         assert_eq!((-(-basepoint)), basepoint);
     }
 
     #[test]
     fn identity_encoding() {
         // This is technically an invalid SEC1 encoding, but is preferable to panicking.
-        assert_eq!([0; 33], AffinePoint::identity().to_bytes().as_slice());
+        assert_eq!([0; 33], AffinePoint::IDENTITY.to_bytes().as_slice());
         assert!(bool::from(
-            AffinePoint::from_bytes(&AffinePoint::identity().to_bytes())
+            AffinePoint::from_bytes(&AffinePoint::IDENTITY.to_bytes())
                 .unwrap()
                 .is_identity()
         ))

k256/src/arithmetic/mul.rs

@@ -101,7 +101,7 @@ impl LookupTable {
         let xabs = (x + xmask) ^ xmask;
 
         // Get an array element in constant time
-        let mut t = ProjectivePoint::identity();
+        let mut t = ProjectivePoint::IDENTITY;
         for j in 1..9 {
             let c = (xabs as u8).ct_eq(&(j as u8));
             t.conditional_assign(&self.0[j - 1], c);
@@ -278,7 +278,7 @@ fn lincomb_generic<const N: usize>(xs: &[ProjectivePoint; N], ks: &[Scalar; N])
         Radix16Decomposition::default(),
     );
 
-    let mut acc = ProjectivePoint::identity();
+    let mut acc = ProjectivePoint::IDENTITY;
     for component in 0..N {
         acc += &tables1[component].select(digits1[component].0[32]);
         acc += &tables2[component].select(digits2[component].0[32]);