@@ -1146,65 +1146,11 @@ func (c *Curve[B, S]) ScalarMulBase(s *emulated.Element[S], opts ...algopts.Alge
11461146 return c .scalarMulGLVAndFakeGLV (c .Generator (), s , opts ... )
11471147
11481148 } else {
1149- return c .scalarMulBaseGeneric ( s , opts ... )
1149+ return c .scalarMulFakeGLV ( c . Generator (), s , opts ... )
11501150
11511151 }
11521152}
11531153
1154- // scalarMulBaseGeneric computes [s]g and returns it, where g is the fixed generator.
1155- // It doesn't modify s.
1156- //
1157- // ✅ When s=0, it returns (0,0).
1158- // (0,0) is not on the curve but we conventionally take it as the
1159- // neutral/infinity point as per the [EVM].
1160- //
1161- // It computes the standard little-endian fixed-base double-and-add algorithm
1162- // [HMV04] (Algorithm 3.26), with the points [2^i]g precomputed. The bits at
1163- // positions 1 and 2 are handled outside of the loop to optimize the number of
1164- // constraints using a Lookup2 with pre-computed [3]g, [5]g and [7]g points.
1165- //
1166- // [HMV04]: https://link.springer.com/book/10.1007/b97644
1167- // [EVM]: https://ethereum.github.io/yellowpaper/paper.pdf
1168- func (c * Curve [B , S ]) scalarMulBaseGeneric (s * emulated.Element [S ], opts ... algopts.AlgebraOption ) * AffinePoint [B ] {
1169- cfg , err := algopts .NewConfig (opts ... )
1170- if err != nil {
1171- panic (fmt .Sprintf ("parse opts: %v" , err ))
1172- }
1173-
1174- var st S
1175- sr := c .scalarApi .Reduce (s )
1176- sBits := c .scalarApi .ToBits (sr )
1177- n := st .Modulus ().BitLen ()
1178- if cfg .NbScalarBits > 2 && cfg .NbScalarBits < n {
1179- n = cfg .NbScalarBits
1180- }
1181- // When cfg.CompleteArithmetic is set, we use AddUnified instead of Add. This means
1182- // when s=0 then Acc=(0,0) because AddUnified(Q, -Q) = (0,0).
1183- addFn := c .Add
1184- if cfg .CompleteArithmetic {
1185- addFn = c .AddUnified
1186- }
1187- g := c .Generator ()
1188- gm := c .GeneratorMultiples ()
1189-
1190- // i = 1, 2
1191- // gm[0] = 3g, gm[1] = 5g, gm[2] = 7g
1192- res := c .Lookup2 (sBits [1 ], sBits [2 ], g , & gm [0 ], & gm [1 ], & gm [2 ])
1193-
1194- for i := 3 ; i < n ; i ++ {
1195- // gm[i] = [2^i]g
1196- tmp := addFn (res , & gm [i ])
1197- res = c .Select (sBits [i ], tmp , res )
1198- }
1199-
1200- // i = 0
1201-
1202- tmp := addFn (res , c .Neg (g ))
1203- res = c .Select (sBits [0 ], res , tmp )
1204-
1205- return res
1206- }
1207-
12081154// JointScalarMulBase computes [s1]g + [s2]p and returns it, where g is the
12091155// fixed generator. It doesn't modify p, s1 and s2.
12101156//
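Review bot: The non-GLV branch of ScalarMulBase now returns `c.scalarMulFakeGLV(c.Generator(), s, opts...)`, but this hunk no longer states the contract that the removed scalarMulBaseGeneric documented: s=0 returns (0,0) with no option set, and `cfg.NbScalarBits` bounds the number of processed bits. The body of scalarMulFakeGLV is outside the hunk, so it cannot be confirmed here whether it accepts a zero scalar without complete arithmetic or honours NbScalarBits. If it does not, a circuit that relied on the old behaviour could become unsatisfiable or handle the edge case differently for s=0, which matters for soundness when the scalar is prover-controlled. I would record the requirement on the doc comment of ScalarMulBase (which starts above the hunk), for example `// The s=0 case returns (0,0) only when the fake-GLV path supports it; TODO confirm whether algopts.WithCompleteArithmetic is required.` I would also add a regression test that calls ScalarMulBase with s=0, with and without that option, on a curve that takes this branch.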