p256/
point.rs

1use core::{
2    iter::Sum,
3    ops::{Mul, MulAssign},
4};
5
6use elliptic_curve::{
7    bigint::{ArrayEncoding, U256},
8    ops::{LinearCombination, MulByGenerator},
9    point::{AffineCoordinates, DecompactPoint, DecompressPoint},
10    rand_core::RngCore,
11    sec1::{FromEncodedPoint, ToEncodedPoint},
12    subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption},
13    zeroize::DefaultIsZeroes,
14    FieldBytesEncoding,
15};
16use openvm_algebra_guest::IntMod;
17use openvm_ecc_guest::{
18    weierstrass::{IntrinsicCurve, WeierstrassPoint},
19    CyclicGroup,
20};
21
22use crate::{
23    internal::{P256Coord, P256Point, P256Scalar},
24    EncodedPoint, NistP256,
25};
26
27// --- Implement elliptic_curve traits on P256Point ---
28
29/// P256 field element serialized as bytes.
30///
31/// Byte array containing a serialized field element value (base field or scalar).
32pub type FieldBytes = elliptic_curve::FieldBytes<NistP256>;
33
34impl FieldBytesEncoding<NistP256> for U256 {
35    fn decode_field_bytes(field_bytes: &FieldBytes) -> Self {
36        U256::from_be_byte_array(*field_bytes)
37    }
38
39    fn encode_field_bytes(&self) -> FieldBytes {
40        self.to_be_byte_array()
41    }
42}
43
44impl AffineCoordinates for P256Point {
45    type FieldRepr = FieldBytes;
46
47    fn x(&self) -> FieldBytes {
48        *FieldBytes::from_slice(&<Self as WeierstrassPoint>::x(self).to_be_bytes())
49    }
50
51    fn y_is_odd(&self) -> Choice {
52        (self.y().as_le_bytes()[0] & 1).into()
53    }
54}
55
56impl Copy for P256Point {}
57
58impl ConditionallySelectable for P256Point {
59    fn conditional_select(a: &P256Point, b: &P256Point, choice: Choice) -> P256Point {
60        P256Point::from_xy_unchecked(
61            P256Coord::conditional_select(
62                <Self as WeierstrassPoint>::x(a),
63                <Self as WeierstrassPoint>::x(b),
64                choice,
65            ),
66            P256Coord::conditional_select(a.y(), b.y(), choice),
67        )
68    }
69}
70
71impl ConstantTimeEq for P256Point {
72    fn ct_eq(&self, other: &P256Point) -> Choice {
73        <Self as WeierstrassPoint>::x(self).ct_eq(<Self as WeierstrassPoint>::x(other))
74            & self.y().ct_eq(other.y())
75    }
76}
77
78impl Default for P256Point {
79    fn default() -> Self {
80        <Self as WeierstrassPoint>::IDENTITY
81    }
82}
83
84impl DefaultIsZeroes for P256Point {}
85
86impl Sum for P256Point {
87    fn sum<I: Iterator<Item = Self>>(iter: I) -> Self {
88        iter.fold(<Self as WeierstrassPoint>::IDENTITY, |a, b| a + b)
89    }
90}
91
92impl<'a> Sum<&'a P256Point> for P256Point {
93    fn sum<I: Iterator<Item = &'a P256Point>>(iter: I) -> Self {
94        iter.cloned().sum()
95    }
96}
97
98impl Mul<P256Scalar> for P256Point {
99    type Output = P256Point;
100
101    fn mul(self, other: P256Scalar) -> P256Point {
102        NistP256::msm(&[other], &[self])
103    }
104}
105
106impl Mul<&P256Scalar> for &P256Point {
107    type Output = P256Point;
108
109    fn mul(self, other: &P256Scalar) -> P256Point {
110        NistP256::msm(&[*other], &[*self])
111    }
112}
113
114impl Mul<&P256Scalar> for P256Point {
115    type Output = P256Point;
116
117    fn mul(self, other: &P256Scalar) -> P256Point {
118        NistP256::msm(&[*other], &[self])
119    }
120}
121
122impl MulAssign<P256Scalar> for P256Point {
123    fn mul_assign(&mut self, rhs: P256Scalar) {
124        *self = NistP256::msm(&[rhs], &[*self]);
125    }
126}
127
128impl MulAssign<&P256Scalar> for P256Point {
129    fn mul_assign(&mut self, rhs: &P256Scalar) {
130        *self = NistP256::msm(&[*rhs], &[*self]);
131    }
132}
133
134impl elliptic_curve::Group for P256Point {
135    type Scalar = P256Scalar;
136
137    fn random(mut _rng: impl RngCore) -> Self {
138        // Self::GENERATOR * Self::Scalar::random(&mut rng)
139        unimplemented!()
140    }
141
142    fn identity() -> Self {
143        <Self as WeierstrassPoint>::IDENTITY
144    }
145
146    fn generator() -> Self {
147        Self::GENERATOR
148    }
149
150    fn is_identity(&self) -> Choice {
151        (<Self as openvm_ecc_guest::Group>::is_identity(self) as u8).into()
152    }
153
154    fn double(&self) -> Self {
155        self + self
156    }
157}
158
159impl elliptic_curve::group::Curve for P256Point {
160    type AffineRepr = P256Point;
161
162    fn to_affine(&self) -> P256Point {
163        *self
164    }
165}
166
167impl LinearCombination for P256Point {
168    fn lincomb(x: &Self, k: &Self::Scalar, y: &Self, l: &Self::Scalar) -> Self {
169        NistP256::msm(&[*k, *l], &[*x, *y])
170    }
171}
172
173// default implementation
174impl MulByGenerator for P256Point {}
175
176impl DecompressPoint<NistP256> for P256Point {
177    /// Note that this is not constant time
178    fn decompress(x_bytes: &FieldBytes, y_is_odd: Choice) -> CtOption<Self> {
179        use openvm_ecc_guest::weierstrass::FromCompressed;
180
181        let x = P256Coord::from_be_bytes_unchecked(x_bytes.as_slice());
182        let rec_id = y_is_odd.unwrap_u8();
183        CtOption::new(x, (x.is_reduced() as u8).into()).and_then(|x| {
184            let y = <P256Point as FromCompressed<P256Coord>>::decompress(x, &rec_id);
185            match y {
186                Some(point) => CtOption::new(point, 1.into()),
187                None => CtOption::new(P256Point::default(), 0.into()),
188            }
189        })
190    }
191}
192
193impl DecompactPoint<NistP256> for P256Point {
194    fn decompact(x_bytes: &FieldBytes) -> CtOption<Self> {
195        Self::decompress(x_bytes, Choice::from(0))
196    }
197}
198
199impl FromEncodedPoint<NistP256> for P256Point {
200    /// Attempts to parse the given [`EncodedPoint`] as an SEC1-encoded [`P256Point`].
201    ///
202    /// # Returns
203    ///
204    /// `None` value if `encoded_point` is not on the secp256k1 curve.
205    fn from_encoded_point(encoded_point: &EncodedPoint) -> CtOption<Self> {
206        match openvm_ecc_guest::ecdsa::VerifyingKey::<NistP256>::from_sec1_bytes(
207            encoded_point.as_bytes(),
208        ) {
209            Ok(verifying_key) => CtOption::new(*verifying_key.as_affine(), 1.into()),
210            Err(_) => CtOption::new(P256Point::default(), 0.into()),
211        }
212    }
213}
214
215impl ToEncodedPoint<NistP256> for P256Point {
216    fn to_encoded_point(&self, compress: bool) -> EncodedPoint {
217        EncodedPoint::conditional_select(
218            &EncodedPoint::from_affine_coordinates(
219                &<Self as WeierstrassPoint>::x(self).to_be_bytes().into(),
220                &<Self as WeierstrassPoint>::y(self).to_be_bytes().into(),
221                compress,
222            ),
223            &EncodedPoint::identity(),
224            elliptic_curve::Group::is_identity(self),
225        )
226    }
227}
228
229impl TryFrom<EncodedPoint> for P256Point {
230    type Error = elliptic_curve::Error;
231
232    fn try_from(point: EncodedPoint) -> elliptic_curve::Result<P256Point> {
233        P256Point::try_from(&point)
234    }
235}
236
237impl TryFrom<&EncodedPoint> for P256Point {
238    type Error = elliptic_curve::Error;
239
240    fn try_from(point: &EncodedPoint) -> elliptic_curve::Result<P256Point> {
241        Option::from(P256Point::from_encoded_point(point)).ok_or(elliptic_curve::Error)
242    }
243}
244
245impl From<P256Point> for EncodedPoint {
246    fn from(affine_point: P256Point) -> EncodedPoint {
247        EncodedPoint::from(&affine_point)
248    }
249}
250
251impl From<&P256Point> for EncodedPoint {
252    fn from(affine_point: &P256Point) -> EncodedPoint {
253        affine_point.to_encoded_point(true)
254    }
255}