elliptic_curve: add BatchInvert and BatchNormalize traits

elliptic-curve/src/arithmetic.rs

@@ -84,3 +84,21 @@ pub trait PrimeCurveArithmetic:
     /// Prime order elliptic curve group.
     type CurveGroup: group::prime::PrimeCurve<Affine = <Self as CurveArithmetic>::AffinePoint>;
 }
+
+/// Normalize point(s) in projective representation by converting them to their affine ones.
+pub trait Normalize: group::Curve {
+    /// Perform a batched conversion to affine representation on a sequence of projective points
+    /// at an amortized cost that should be practically as efficient as a single conversion.
+    /// Internally, implementors should rely upon `InvertBatch`.
+    /// This variation takes a const-generic array and thus does not require `alloc`.
+    fn batch_normalize_array<const N: usize>(points: &[Self; N]) -> [Self::AffineRepr; N];
+
+    /// Perform a batched conversion to affine representation on a sequence of projective points
+    /// at an amortized cost that should be practically as efficient as a single conversion.
+    /// Internally, implementors should rely upon `InvertBatch`.
+    /// This variation takes a (possibly dynamically allocated) slice and returns `FromIterator<Self::AffinePoint>`
+    /// allowing it to work with any container.
+    /// However, this also requires to make dynamic allocations and as such requires `alloc`.
+    #[cfg(feature = "alloc")]
+    fn batch_normalize_vec(points: alloc::vec::Vec<Self>) -> alloc::vec::Vec<Self::AffineRepr>;
+}

elliptic-curve/src/lib.rs

@@ -127,7 +127,7 @@ pub use zeroize;
 #[cfg(feature = "arithmetic")]
 pub use {
     crate::{
-        arithmetic::{CurveArithmetic, PrimeCurveArithmetic},
+        arithmetic::{CurveArithmetic, Normalize, PrimeCurveArithmetic},
         point::{AffinePoint, ProjectivePoint},
         public_key::PublicKey,
         scalar::{NonZeroScalar, Scalar},

elliptic-curve/src/ops.rs

@@ -4,6 +4,7 @@ pub use core::ops::{Add, AddAssign, Mul, Neg, Shr, ShrAssign, Sub, SubAssign};
 
 use crypto_bigint::Integer;
 use group::Group;
+use subtle::{Choice, ConditionallySelectable, CtOption};
 
 /// Perform an inversion on a field element (i.e. base field element or scalar)
 pub trait Invert {
@@ -23,6 +24,117 @@ pub trait Invert {
         // Fall back on constant-time implementation by default.
         self.invert()
     }
+
+    /// Perform a batched inversion on a sequence of field elements (i.e. base field elements or scalars)
+    /// at an amortized cost that should be practically as efficient as a single inversion.
+    /// This variation takes a const-generic array and thus does not require `alloc`.
+    fn batch_invert_array<const N: usize>(field_elements: &[Self; N]) -> CtOption<[Self; N]>
+    where
+        Self: Invert<Output = CtOption<Self>>
+            + Mul<Self, Output = Self>
+            + Copy
+            + Default
+            + ConditionallySelectable,
+    {
+        let mut field_elements_multiples = [field_elements[0]; N];
+        let mut field_elements_multiples_inverses = [field_elements[0]; N];
+        let mut field_elements_inverses = [field_elements[0]; N];
+
+        let inversion_succeeded = invert_batch_internal(
+            field_elements,
+            &mut field_elements_multiples,
+            &mut field_elements_multiples_inverses,
+            &mut field_elements_inverses,
+        );
+
+        CtOption::new(field_elements_inverses, inversion_succeeded)
+    }
+
+    /// Perform a batched inversion on a sequence of field elements (i.e. base field elements or scalars)
+    /// at an amortized cost that should be practically as efficient as a single inversion.
+    /// This variation takes a (possibly dynamically allocated) sequence and returns `FromIterator<T>`, which allows it to work with any container (e.g. `Vec<_>`).
+    /// However, this also requires to make dynamic allocations and as such requires `alloc`.
+    #[cfg(feature = "alloc")]
+    fn batch_invert_vec(field_elements: alloc::vec::Vec<Self>) -> CtOption<alloc::vec::Vec<Self>>
+    where
+        Self: Invert<Output = CtOption<Self>>
+            + Mul<Self, Output = Self>
+            + Copy
+            + Default
+            + ConditionallySelectable,
+    {
+        let mut field_elements_multiples: alloc::vec::Vec<Self> = (0..field_elements.len())
+            .map(|i| field_elements[i])
+            .collect();
+        let mut field_elements_multiples_inverses: alloc::vec::Vec<Self> = (0..field_elements
+            .len())
+            .map(|i| field_elements[i])
+            .collect();
+        let mut field_elements_inverses: alloc::vec::Vec<Self> = (0..field_elements.len())
+            .map(|i| field_elements[i])
+            .collect();
+
+        let inversion_succeeded = invert_batch_internal(
+            &field_elements,
+            field_elements_multiples.as_mut(),
+            field_elements_multiples_inverses.as_mut(),
+            field_elements_inverses.as_mut(),
+        );
+
+        CtOption::new(
+            field_elements_inverses.into_iter().collect(),
+            inversion_succeeded,
+        )
+    }
+}
+
+/// Implements "Montgomery's trick", a trick for computing many modular inverses at once.
+///
+/// "Montgomery's trick" works by reducing the problem of computing `n` inverses
+/// to computing a single inversion, plus some storage and `O(n)` extra multiplications.
+///
+/// See: https://iacr.org/archive/pkc2004/29470042/29470042.pdf section 2.2.
+fn invert_batch_internal<
+    T: Invert<Output = CtOption<T>> + Mul<T, Output = T> + Default + ConditionallySelectable,
+>(
+    field_elements: &[T],
+    field_elements_multiples: &mut [T],
+    field_elements_multiples_inverses: &mut [T],
+    field_elements_inverses: &mut [T],
+) -> Choice {
+    let batch_size = field_elements.len();
+    if batch_size == 0
+        || batch_size != field_elements_multiples.len()
+        || batch_size != field_elements_multiples_inverses.len()
+    {
+        return Choice::from(0);
+    }
+
+    field_elements_multiples[0] = field_elements[0];
+    for i in 1..batch_size {
+        // $ a_n = a_{n-1}*x_n $
+        field_elements_multiples[i] = field_elements_multiples[i - 1] * field_elements[i];
+    }
+
+    field_elements_multiples[batch_size - 1]
+        .invert()
+        .map(|multiple_of_inverses_of_all_field_elements| {
+            field_elements_multiples_inverses[batch_size - 1] =
+                multiple_of_inverses_of_all_field_elements;
+            for i in (1..batch_size).rev() {
+                // $ a_{n-1} = {a_n}^{-1}*x_n $
+                field_elements_multiples_inverses[i - 1] =
+                    field_elements_multiples_inverses[i] * field_elements[i];
+            }
+
+            field_elements_inverses[0] = field_elements_multiples_inverses[0];
+            for i in 1..batch_size {
+                // $ {x_n}^{-1} = a_{n}^{-1}*a_{n-1} $
+                field_elements_inverses[i] =
+                    field_elements_multiples_inverses[i] * field_elements_multiples[i - 1];
+            }
+        })
+        .is_some()
 }
 
 /// Linear combination.