perf(crypto): CRP-1559 Use affine rather than projective points for BLS12-381 signture protocols (#7969)

The `multi_sig` and `threshold_sig` BLS12-381 signature libraries used
projective points for public keys and signatures. Various operations
such as serialization or verifying a BLS signature require that the
input points are in affine format, and converting from projective to
affine is relatively expensive. Other operations like point addition are
cheaper if one of the elements is in affine form. Also when
deserializing a point the natural encoding is affine, not projective. So
for example when verifying a multi signature, the signature would be
presented to the crypto component as bytes, deserialized into projective
form, then converted back to affine in order to verify the signature
equation.

Serialization and deserialization of the relevant artifacts is
unaffected. Projective points cannot be serialized directly, instead
they must anyway be converted into affine form, which right now happens
internally in `G(1|2)Projective::serialize`. Likewise, deserialization
is always into affine coordinates, and then the point is converted to
projective.

This removes serialization and deserialization functions from the
projective types, as potential performance footguns. For serialization,
that's because the serialization hides the (expensive) conversion to
affine form. For deserialization, it's because keeping the point in
affine form as long as possible is typically best for performance.

Author: randombit

rs/crypto/internal/crypto_lib/bls12_381/type/benches/ops.rs

@@ -206,7 +206,7 @@ fn bls12_381_scalar_ops(c: &mut Criterion) {
     group.bench_function("serialize", |b| {
         b.iter_batched_ref(
             || random_scalar(rng),
-            |pt| pt.serialize(),
+            |s| s.serialize(),
             BatchSize::SmallInput,
         )
     });
@@ -275,24 +275,24 @@ fn bls12_381_g1_ops(c: &mut Criterion) {
 
     group.bench_function("serialize", |b| {
         b.iter_batched_ref(
-            || random_g1(rng),
+            || random_g1(rng).to_affine(),
             |pt| pt.serialize(),
             BatchSize::SmallInput,
         )
     });
 
     group.bench_function("deserialize", |b| {
         b.iter_batched_ref(
-            || random_g1(rng).serialize(),
-            |bytes| G1Projective::deserialize(bytes),
+            || random_g1(rng).to_affine().serialize(),
+            |bytes| G1Affine::deserialize(bytes),
             BatchSize::SmallInput,
         )
     });
 
     group.bench_function("deserialize_unchecked", |b| {
         b.iter_batched_ref(
-            || random_g1(rng).serialize(),
-            |bytes| G1Projective::deserialize_unchecked(bytes),
+            || random_g1(rng).to_affine().serialize(),
+            |bytes| G1Affine::deserialize_unchecked(bytes),
             BatchSize::SmallInput,
         )
     });
@@ -475,39 +475,43 @@ fn bls12_381_g2_ops(c: &mut Criterion) {
 
     group.bench_function("serialize", |b| {
         b.iter_batched_ref(
-            || random_g2(rng),
+            || random_g2(rng).to_affine(),
             |pt| pt.serialize(),
             BatchSize::SmallInput,
         )
     });
 
     group.bench_function("deserialize", |b| {
         b.iter_batched_ref(
-            || random_g2(rng).serialize(),
-            |bytes| G2Projective::deserialize(bytes),
+            || random_g2(rng).to_affine().serialize(),
+            |bytes| G2Affine::deserialize(bytes),
             BatchSize::SmallInput,
         )
     });
 
     group.bench_function("deserialize_unchecked", |b| {
         b.iter_batched_ref(
-            || random_g2(rng).serialize(),
-            |bytes| G2Projective::deserialize_unchecked(bytes),
+            || random_g2(rng).to_affine().serialize(),
+            |bytes| G2Affine::deserialize_unchecked(bytes),
             BatchSize::SmallInput,
         )
     });
 
     group.bench_function("deserialize_cached", |b| {
         b.iter_batched_ref(
-            || (G2Affine::generator() * Scalar::from_u32(rng.r#gen::<u32>() % 100)).serialize(),
+            || {
+                (G2Affine::generator() * Scalar::from_u32(rng.r#gen::<u32>() % 100))
+                    .to_affine()
+                    .serialize()
+            },
             |bytes| G2Affine::deserialize_cached(bytes),
             BatchSize::SmallInput,
         )
     });
 
     group.bench_function("deserialize_cached_miss", |b| {
         b.iter_batched_ref(
-            || random_g2(rng).serialize(),
+            || random_g2(rng).to_affine().serialize(),
             |bytes| G2Affine::deserialize_cached(bytes),
             BatchSize::SmallInput,
         )

rs/crypto/internal/crypto_lib/bls12_381/type/src/lib.rs

@@ -1302,6 +1302,15 @@ macro_rules! define_affine_and_projective_types {
                 let v = scalars.clone().map(|s| self * s);
                 $projective::batch_normalize_array(&v)
             }
+
+            /// Sum some points
+            pub fn sum(pts: &[Self]) -> $projective {
+                let mut sum = ic_bls12_381::$projective::identity();
+                for pt in pts {
+                    sum += pt.inner();
+                }
+                $projective::new(sum)
+            }
         }
 
         paste! {
@@ -1365,33 +1374,12 @@ macro_rules! define_affine_and_projective_types {
                 Self::new(sum)
             }
 
-            /// Deserialize a point (compressed format only)
-            ///
-            /// This version verifies that the decoded point is within the prime order
-            /// subgroup, and is safe to call on untrusted inputs.
-            pub fn deserialize<B: AsRef<[u8]>>(bytes: &B) -> Result<Self, PairingInvalidPoint> {
-                let pt = $affine::deserialize(bytes)?;
-                Ok(pt.into())
-            }
-
-            /// Serialize a point in compressed format in some specific type
-            pub fn serialize_to<T: From<[u8; Self::BYTES]>>(&self) -> T {
-                T::from(self.serialize())
-            }
-
-            /// Deserialize a point (compressed format only), trusted bytes edition
-            ///
-            /// As only compressed format is accepted, it is not possible to
-            /// create a point which is not on the curve. However it is possible
-            /// using this function to create a point which is not within the
-            /// prime-order subgroup. This can be detected by calling is_torsion_free
-            pub fn deserialize_unchecked<B: AsRef<[u8]>>(bytes: &B) -> Result<Self, PairingInvalidPoint> {
-                let pt = $affine::deserialize_unchecked(bytes)?;
-                Ok(pt.into())
-            }
-
             /// Serialize this point in compressed format
-            pub fn serialize(&self) -> [u8; Self::BYTES] {
+            ///
+            /// This exists for implementing Debug but is intentionally pub(crate)
+            /// since it hides the expensive affine conversion so should be avoided
+            /// in production code.
+            pub(crate) fn serialize(&self) -> [u8; Self::BYTES] {
                 $affine::from(self).serialize()
             }
 

rs/crypto/internal/crypto_lib/bls12_381/type/tests/tests.rs

@@ -1714,14 +1714,14 @@ test_point_operation!(serialization_round_trip, [g1, g2], {
     let rng = &mut reproducible_rng();
 
     for _ in 1..30 {
-        let orig = Projective::hash(b"serialization-round-trip-test", &rng.r#gen::<[u8; 32]>());
+        let orig = Affine::hash(b"serialization-round-trip-test", &rng.r#gen::<[u8; 32]>());
         let bits = orig.serialize();
 
-        let d = Projective::deserialize(&bits).expect("Invalid serialization");
+        let d = Affine::deserialize(&bits).expect("Invalid serialization");
         assert_eq!(orig, d);
         assert_eq!(d.serialize(), bits);
 
-        let du = Projective::deserialize_unchecked(&bits).expect("Invalid serialization");
+        let du = Affine::deserialize_unchecked(&bits).expect("Invalid serialization");
         assert_eq!(orig, du);
         assert_eq!(du.serialize(), bits);
     }

rs/crypto/internal/crypto_lib/bls12_381/vetkd/src/lib.rs

@@ -61,7 +61,7 @@ impl DerivationContext {
             DERIVATION_CANISTER_DST,
         );
 
-        let canister_key = G2Affine::generator() * &offset + master_pk;
+        let canister_key = G2Affine::from(G2Affine::generator() * &offset + master_pk);
 
         if let Some(context) = &self.context {
             let context_offset =
@@ -70,7 +70,7 @@ impl DerivationContext {
             offset += context_offset;
             (G2Affine::from(canister_key_with_context), offset)
         } else {
-            (G2Affine::from(canister_key), offset)
+            (canister_key, offset)
         }
     }
 }

rs/crypto/internal/crypto_lib/multi_sig/bls12_381/src/api.rs

@@ -93,13 +93,13 @@ pub fn combine(
 
 fn key_from_bytes_with_cache(public_key_bytes: &PublicKeyBytes) -> Result<PublicKey, CryptoError> {
     // This can't be defined on PublicKey because it is just a typedef for G2Projective at the moment
-    ic_crypto_internal_bls12_381_type::G2Affine::deserialize_cached(&public_key_bytes.0)
-        .map_err(|_| CryptoError::MalformedPublicKey {
+    ic_crypto_internal_bls12_381_type::G2Affine::deserialize_cached(&public_key_bytes.0).map_err(
+        |_| CryptoError::MalformedPublicKey {
             algorithm: AlgorithmId::MultiBls12_381,
             key_bytes: Some(public_key_bytes.0.to_vec()),
             internal_error: "Point decoding failed".to_string(),
-        })
-        .map(|pt| pt.into())
+        },
+    )
 }
 
 /// Verifies an individual signature over the given `message` using the given

rs/crypto/internal/crypto_lib/multi_sig/bls12_381/src/crypto.rs

@@ -7,7 +7,7 @@ use crate::types::{
 };
 
 use ic_crypto_internal_bls12_381_type::{
-    G1Projective, G2Affine, G2Projective, Scalar, verify_bls_signature,
+    G1Affine, G1Projective, G2Affine, Scalar, verify_bls_signature,
 };
 
 use ic_crypto_sha2::DomainSeparationContext;
@@ -56,12 +56,12 @@ pub fn keypair_from_seed(seed: [u64; 4]) -> (SecretKey, PublicKey) {
 
 pub fn keypair_from_rng<R: Rng + CryptoRng>(rng: &mut R) -> (SecretKey, PublicKey) {
     let secret_key = Scalar::random(rng);
-    let public_key = G2Affine::generator() * &secret_key;
+    let public_key = (G2Affine::generator() * &secret_key).to_affine();
     (secret_key, public_key)
 }
 
 pub fn sign_point(point: &G1Projective, secret_key: &SecretKey) -> IndividualSignature {
-    point * secret_key
+    (point * secret_key).to_affine()
 }
 pub fn sign_message(message: &[u8], secret_key: &SecretKey) -> IndividualSignature {
     sign_point(&hash_message_to_g1(message), secret_key)
@@ -80,22 +80,23 @@ pub fn create_pop(public_key: &PublicKey, secret_key: &SecretKey) -> Pop {
 }
 
 pub fn combine_signatures(signatures: &[IndividualSignature]) -> CombinedSignature {
-    G1Projective::sum(signatures)
+    G1Affine::sum(signatures).to_affine()
 }
 pub fn combine_public_keys(public_keys: &[PublicKey]) -> CombinedPublicKey {
-    G2Projective::sum(public_keys)
+    G2Affine::sum(public_keys).to_affine()
 }
 
-pub fn verify_point(hash: &G1Projective, signature: &G1Projective, public_key: &PublicKey) -> bool {
-    verify_bls_signature(&signature.into(), &public_key.into(), &hash.into())
+pub fn verify_point(hash: &G1Affine, signature: &G1Affine, public_key: &PublicKey) -> bool {
+    verify_bls_signature(signature, public_key, hash)
 }
+
 pub fn verify_individual_message_signature(
     message: &[u8],
     signature: &IndividualSignature,
     public_key: &PublicKey,
 ) -> bool {
     let hash = hash_message_to_g1(message);
-    verify_point(&hash, signature, public_key)
+    verify_point(&hash.to_affine(), signature, public_key)
 }
 pub fn verify_pop(pop: &Pop, public_key: &PublicKey) -> bool {
     let public_key_bytes = PublicKeyBytes::from(public_key);
@@ -104,7 +105,7 @@ pub fn verify_pop(pop: &Pop, public_key: &PublicKey) -> bool {
         .extend(DomainSeparationContext::new(DOMAIN_MULTI_SIG_BLS12_381_POP).as_bytes());
     domain_separated_public_key.extend(&public_key_bytes.0[..]);
     let hash = hash_public_key_to_g1(&domain_separated_public_key);
-    verify_point(&hash, pop, public_key)
+    verify_point(&hash.to_affine(), pop, public_key)
 }
 
 pub fn verify_combined_message_signature(
@@ -114,5 +115,5 @@ pub fn verify_combined_message_signature(
 ) -> bool {
     let hash = hash_message_to_g1(message);
     let public_key = combine_public_keys(public_keys);
-    verify_point(&hash, signature, &public_key)
+    verify_point(&hash.to_affine(), signature, &public_key)
 }

rs/crypto/internal/crypto_lib/multi_sig/bls12_381/src/tests.rs

@@ -5,29 +5,8 @@ use crate::{
     types::IndividualSignature, types::PublicKey, types::SecretKey, types::SecretKeyBytes,
     types::arbitrary,
 };
-use ic_crypto_internal_bls12_381_type::G1Projective;
 use ic_crypto_test_utils_reproducible_rng::reproducible_rng;
 
-fn check_single_point_signature_verifies(
-    secret_key: &SecretKey,
-    public_key: &PublicKey,
-    point: &G1Projective,
-) {
-    let signature = multi_crypto::sign_point(point, secret_key);
-    assert!(multi_crypto::verify_point(point, &signature, public_key));
-}
-
-fn check_individual_multi_signature_contribution_verifies(
-    secret_key: &SecretKey,
-    public_key: &PublicKey,
-    message: &[u8],
-) {
-    let signature = multi_crypto::sign_message(message, secret_key);
-    assert!(multi_crypto::verify_individual_message_signature(
-        message, &signature, public_key
-    ));
-}
-
 fn check_multi_signature_verifies(keys: &[(SecretKey, PublicKey)], message: &[u8]) {
     let signatures: Vec<IndividualSignature> = keys
         .iter()
@@ -56,7 +35,11 @@ mod stability {
     #[test]
     fn message_to_g1() {
         assert_eq!(
-            hex::encode(multi_crypto::hash_message_to_g1(b"abc").serialize()),
+            hex::encode(
+                multi_crypto::hash_message_to_g1(b"abc")
+                    .to_affine()
+                    .serialize()
+            ),
             "a13964470939e806ca5ca96b348ab13af3f06a7d9dc4e8a0cf20d8a81a6d8f5a692c67424228d45d749e7832d27cea79"
         );
     }
@@ -66,7 +49,11 @@ mod stability {
         let (_secret_key, public_key) = multi_crypto::keypair_from_rng(&mut csprng);
         let public_key_bytes = PublicKeyBytes::from(&public_key);
         assert_eq!(
-            hex::encode(multi_crypto::hash_public_key_to_g1(&public_key_bytes.0[..]).serialize()),
+            hex::encode(
+                multi_crypto::hash_public_key_to_g1(&public_key_bytes.0[..])
+                    .to_affine()
+                    .serialize()
+            ),
             "b02fd0d54faab7498924d7e230f84b00519ea7f3846cd30f82b149c1f172ad79ee68adb2ea2fc8a2d40ffdf3fd5df02a"
         );
     }
@@ -125,8 +112,9 @@ mod basic_functionality {
         let number_of_messages = 100;
         let points: HashSet<_> = (0..number_of_messages as u32)
             .map(|number| {
-                let g1 = multi_crypto::hash_message_to_g1(&number.to_be_bytes()[..]);
-                let bytes = g1.serialize();
+                let bytes = multi_crypto::hash_message_to_g1(&number.to_be_bytes()[..])
+                    .to_affine()
+                    .serialize();
                 // It suffices to prove that the first 32 bytes are distinct.  More requires a
                 // custom hash implementation.
                 let mut hashable = [0u8; 32];
@@ -146,7 +134,7 @@ mod basic_functionality {
             .map(|_| {
                 let (_secret_key, public_key) = multi_crypto::keypair_from_rng(rng);
                 let public_key_bytes = PublicKeyBytes::from(&public_key);
-                let g1 = multi_crypto::hash_public_key_to_g1(&public_key_bytes.0[..]);
+                let g1 = multi_crypto::hash_public_key_to_g1(&public_key_bytes.0[..]).to_affine();
                 let bytes = g1.serialize();
                 // It suffices to prove that the first 32 bytes are distinct.  More requires a
                 // custom hash implementation.
@@ -177,14 +165,26 @@ mod advanced_functionality {
     fn single_point_signature_verifies() {
         let (secret_key, public_key) = multi_crypto::keypair_from_seed([1, 2, 3, 4]);
         let point = multi_crypto::hash_message_to_g1(b"abba");
-        check_single_point_signature_verifies(&secret_key, &public_key, &point);
+        let signature = multi_crypto::sign_point(&point, &secret_key);
+        assert!(multi_crypto::verify_point(
+            &point.to_affine(),
+            &signature,
+            &public_key
+        ));
     }
 
     #[test]
     fn individual_multi_signature_contribution_verifies() {
         let (secret_key, public_key) = multi_crypto::keypair_from_seed([1, 2, 3, 4]);
-        check_individual_multi_signature_contribution_verifies(&secret_key, &public_key, b"abba");
+        let message = b"bjork";
+        let signature = multi_crypto::sign_message(message, &secret_key);
+        assert!(multi_crypto::verify_individual_message_signature(
+            message,
+            &signature,
+            &public_key
+        ));
     }
+
     #[test]
     fn pop_verifies() {
         let (secret_key, public_key) = multi_crypto::keypair_from_seed([1, 2, 3, 4]);