k256+p256: use revised LinearCombination trait (#478)

See RustCrypto/traits#835

Author: tarcieri

Cargo.lock

@@ -19,7 +19,7 @@ rust-version = "1.56"
 
 [dependencies]
 cfg-if = "1.0"
-elliptic-curve = { version = "0.11.4", default-features = false, features = ["hazmat", "sec1"] }
+elliptic-curve = { version = "0.11.5", default-features = false, features = ["hazmat", "sec1"] }
 sec1 = { version = "0.2", default-features = false }
 
 # optional dependencies

k256/Cargo.toml

@@ -6,7 +6,7 @@ use criterion::{
 use hex_literal::hex;
 use k256::{
     elliptic_curve::{generic_array::arr, group::ff::PrimeField, ops::LinearCombination},
-    ProjectivePoint, Scalar, Secp256k1,
+    ProjectivePoint, Scalar,
 };
 
 fn test_scalar_x() -> Scalar {
@@ -40,7 +40,7 @@ fn bench_point_lincomb<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
     let s = Scalar::from_repr(m.into()).unwrap();
     group.bench_function("lincomb via mul+add", |b| b.iter(|| &p * &s + &p * &s));
     group.bench_function("lincomb()", |b| {
-        b.iter(|| Secp256k1::lincomb(&p, &s, &p, &s))
+        b.iter(|| ProjectivePoint::lincomb(&p, &s, &p, &s))
     });
 }
 

k256/bench/scalar.rs

@@ -65,12 +65,9 @@
 //! In experiments, I was not able to detect any case where they would go outside the 128 bit bound,
 //! but I cannot be sure that it cannot happen.
 
-use crate::{
-    arithmetic::{
-        scalar::{Scalar, WideScalar},
-        ProjectivePoint,
-    },
-    Secp256k1,
+use crate::arithmetic::{
+    scalar::{Scalar, WideScalar},
+    ProjectivePoint,
 };
 use core::ops::{Mul, MulAssign};
 use elliptic_curve::{
@@ -305,7 +302,7 @@ fn mul(x: &ProjectivePoint, k: &Scalar) -> ProjectivePoint {
     lincomb_generic(&[*x], &[*k])
 }
 
-impl LinearCombination for Secp256k1 {
+impl LinearCombination for ProjectivePoint {
     fn lincomb(
         x: &ProjectivePoint,
         k: &Scalar,
@@ -354,10 +351,7 @@ impl MulAssign<&Scalar> for ProjectivePoint {
 
 #[cfg(test)]
 mod tests {
-    use crate::{
-        arithmetic::{ProjectivePoint, Scalar},
-        Secp256k1,
-    };
+    use crate::arithmetic::{ProjectivePoint, Scalar};
     use elliptic_curve::{ops::LinearCombination, rand_core::OsRng, Field, Group};
 
     #[test]
@@ -368,7 +362,7 @@ mod tests {
         let l = Scalar::random(&mut OsRng);
 
         let reference = &x * &k + &y * &l;
-        let test = Secp256k1::lincomb(&x, &k, &y, &l);
+        let test = ProjectivePoint::lincomb(&x, &k, &y, &l);
         assert_eq!(reference, test);
     }
 }

k256/src/arithmetic/mul.rs

@@ -51,7 +51,7 @@ use crate::{
         ops::{Invert, LinearCombination, Reduce},
         DecompressPoint,
     },
-    AffinePoint, FieldBytes, NonZeroScalar, ProjectivePoint, Scalar, Secp256k1,
+    AffinePoint, FieldBytes, NonZeroScalar, ProjectivePoint, Scalar,
 };
 
 #[cfg(feature = "keccak256")]
@@ -176,18 +176,18 @@ impl Signature {
         let z = <Scalar as Reduce<U256>>::from_be_bytes_reduced(*digest_bytes);
         let R = AffinePoint::decompress(&r.to_bytes(), self.recovery_id().is_y_odd());
 
-        if R.is_some().into() {
-            let R = ProjectivePoint::from(R.unwrap());
-            let r_inv = r.invert().unwrap();
-            let u1 = -(r_inv * z);
-            let u2 = r_inv * *s;
-            let pk = Secp256k1::lincomb(&ProjectivePoint::generator(), &u1, &R, &u2).to_affine();
-
-            // TODO(tarcieri): ensure the signature verifies?
-            Ok(VerifyingKey::from(&pk))
-        } else {
-            Err(Error::new())
+        if R.is_none().into() {
+            return Err(Error::new());
         }
+
+        let R = ProjectivePoint::from(R.unwrap());
+        let r_inv = r.invert().unwrap();
+        let u1 = -(r_inv * z);
+        let u2 = r_inv * *s;
+        let pk = ProjectivePoint::lincomb(&ProjectivePoint::generator(), &u1, &R, &u2).to_affine();
+
+        // TODO(tarcieri): ensure the signature verifies?
+        Ok(VerifyingKey::from(&pk))
     }
 
     /// Parse the `r` component of this signature to a [`NonZeroScalar`]

k256/src/ecdsa/recoverable.rs

@@ -110,7 +110,7 @@ impl VerifyPrimitive<Secp256k1> for AffinePoint {
         let u1 = z * s_inv;
         let u2 = *r * s_inv;
 
-        let x = Secp256k1::lincomb(
+        let x = ProjectivePoint::lincomb(
             &ProjectivePoint::generator(),
             &u1,
             &ProjectivePoint::from(*self),

k256/src/ecdsa/verify.rs

@@ -17,7 +17,7 @@ edition = "2021"
 rust-version = "1.56"
 
 [dependencies]
-elliptic-curve = { version = "0.11", default-features = false, features = ["hazmat", "sec1"] }
+elliptic-curve = { version = "0.11.5", default-features = false, features = ["hazmat", "sec1"] }
 sec1 = { version = "0.2", default-features = false }
 
 # optional dependencies

p256/Cargo.toml

@@ -6,9 +6,7 @@ pub(crate) mod projective;
 pub(crate) mod scalar;
 pub(crate) mod util;
 
-use crate::NistP256;
 use affine::AffinePoint;
-use elliptic_curve::ops::LinearCombination;
 use field::{FieldElement, MODULUS};
 use projective::ProjectivePoint;
 use scalar::Scalar;
@@ -27,8 +25,6 @@ const CURVE_EQUATION_B: FieldElement = FieldElement([
     0xdc30_061d_0487_4834,
 ]);
 
-impl LinearCombination for NistP256 {}
-
 #[cfg(test)]
 mod tests {
     use super::{CURVE_EQUATION_A, CURVE_EQUATION_B};

p256/src/arithmetic.rs

@@ -13,6 +13,7 @@ use elliptic_curve::{
         prime::{PrimeCurve, PrimeCurveAffine, PrimeGroup},
         Curve, Group, GroupEncoding,
     },
+    ops::LinearCombination,
     rand_core::RngCore,
     sec1::{FromEncodedPoint, ToEncodedPoint},
     subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption},
@@ -93,6 +94,8 @@ impl PrimeCurve for ProjectivePoint {
     type Affine = AffinePoint;
 }
 
+impl LinearCombination for ProjectivePoint {}
+
 impl From<AffinePoint> for ProjectivePoint {
     fn from(p: AffinePoint) -> Self {
         let projective = ProjectivePoint {