elliptic-curve: impl BatchNormalize for NonIdentity (#1896)

daxpedda · web-flow · commit f24c2ae0b6ab · 2025-06-13T12:50:06.000-06:00
As discussed in #1889. I will add some tests in `elliptic-curves` as well. Resolves #1889. Companion PR: RustCrypto/elliptic-curves#1248.
diff --git a/.github/workflows/elliptic-curve.yml b/.github/workflows/elliptic-curve.yml
@@ -88,3 +88,21 @@ jobs:
       - run: cargo test --no-default-features
       - run: cargo test
       - run: cargo test --all-features
+
+  test-careful:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@nightly
+      - run: cargo install cargo-careful
+      - run: cargo careful test --all-features
+
+  test-miri:
+    runs-on: ubuntu-latest
+    env:
+      MIRIFLAGS: "-Zmiri-symbolic-alignment-check -Zmiri-strict-provenance"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@nightly
+      - run: rustup component add miri && cargo miri setup
+      - run: cargo miri test --all-features
diff --git a/elliptic-curve/src/dev.rs b/elliptic-curve/src/dev.rs
@@ -4,7 +4,7 @@
 //! the traits in this crate.
 
 use crate::{
-    Curve, CurveArithmetic, FieldBytesEncoding, PrimeCurve,
+    BatchNormalize, Curve, CurveArithmetic, FieldBytesEncoding, PrimeCurve,
     array::typenum::U32,
     bigint::{Limb, U256},
     error::{Error, Result},
@@ -17,13 +17,17 @@ use crate::{
     zeroize::DefaultIsZeroes,
 };
 use core::{
+    array,
     iter::{Product, Sum},
     ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign},
 };
 use ff::{Field, PrimeField};
 use hex_literal::hex;
 use pkcs8::AssociatedOid;
 
+#[cfg(feature = "alloc")]
+use alloc::vec::Vec;
+
 #[cfg(feature = "bits")]
 use ff::PrimeFieldBits;
 
@@ -584,6 +588,23 @@ pub enum ProjectivePoint {
     Other(AffinePoint),
 }
 
+impl<const N: usize> BatchNormalize<[ProjectivePoint; N]> for ProjectivePoint {
+    type Output = [AffinePoint; N];
+
+    fn batch_normalize(points: &[ProjectivePoint; N]) -> [AffinePoint; N] {
+        array::from_fn(|index| points[index].into())
+    }
+}
+
+#[cfg(feature = "alloc")]
+impl BatchNormalize<[ProjectivePoint]> for ProjectivePoint {
+    type Output = Vec<AffinePoint>;
+
+    fn batch_normalize(points: &[ProjectivePoint]) -> Vec<AffinePoint> {
+        points.iter().copied().map(AffinePoint::from).collect()
+    }
+}
+
 impl ConstantTimeEq for ProjectivePoint {
     fn ct_eq(&self, other: &Self) -> Choice {
         match (self, other) {
diff --git a/elliptic-curve/src/lib.rs b/elliptic-curve/src/lib.rs
@@ -5,7 +5,8 @@
     html_logo_url = "https://raw.githubusercontent.com/RustCrypto/media/8f1a9894/logo.svg",
     html_favicon_url = "https://raw.githubusercontent.com/RustCrypto/media/8f1a9894/logo.svg"
 )]
-#![forbid(unsafe_code)]
+// Only allowed for newtype casts.
+#![deny(unsafe_code)]
 #![warn(
     clippy::cast_lossless,
     clippy::cast_possible_truncation,
diff --git a/elliptic-curve/src/point.rs b/elliptic-curve/src/point.rs
@@ -40,9 +40,9 @@ pub trait AffineCoordinates {
 
 /// Normalize point(s) in projective representation by converting them to their affine ones.
 #[cfg(feature = "arithmetic")]
-pub trait BatchNormalize<Points: ?Sized>: group::Curve {
+pub trait BatchNormalize<Points: ?Sized> {
     /// The output of the batch normalization; a container of affine points.
-    type Output: AsRef<[Self::AffineRepr]>;
+    type Output;
 
     /// Perform a batched conversion to affine representation on a sequence of projective points
     /// at an amortized cost that should be practically as efficient as a single conversion.
diff --git a/elliptic-curve/src/point/non_identity.rs b/elliptic-curve/src/point/non_identity.rs
@@ -6,11 +6,14 @@ use group::{Curve, Group, GroupEncoding, prime::PrimeCurveAffine};
 use rand_core::CryptoRng;
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
 
+#[cfg(feature = "alloc")]
+use alloc::vec::Vec;
+
 #[cfg(feature = "serde")]
 use serdect::serde::{Deserialize, Serialize, de, ser};
 use zeroize::Zeroize;
 
-use crate::{CurveArithmetic, NonZeroScalar, Scalar};
+use crate::{BatchNormalize, CurveArithmetic, NonZeroScalar, Scalar};
 
 /// Non-identity point type.
 ///
@@ -19,6 +22,7 @@ use crate::{CurveArithmetic, NonZeroScalar, Scalar};
 /// In the context of ECC, it's useful for ensuring that certain arithmetic
 /// cannot result in the identity point.
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
+#[repr(transparent)]
 pub struct NonIdentity<P> {
     point: P,
 }
@@ -103,6 +107,72 @@ impl<P> AsRef<P> for NonIdentity<P> {
     }
 }
 
+impl<const N: usize, P> BatchNormalize<[Self; N]> for NonIdentity<P>
+where
+    P: Curve + BatchNormalize<[P; N], Output = [P::AffineRepr; N]>,
+{
+    type Output = [NonIdentity<P::AffineRepr>; N];
+
+    fn batch_normalize(points: &[Self; N]) -> [NonIdentity<P::AffineRepr>; N] {
+        // Ensure casting is safe.
+        // This always succeeds because `NonIdentity` is `repr(transparent)`.
+        debug_assert_eq!(size_of::<P>(), size_of::<NonIdentity<P>>());
+        debug_assert_eq!(align_of::<P>(), align_of::<NonIdentity<P>>());
+
+        #[allow(unsafe_code)]
+        // SAFETY: `NonIdentity` is `repr(transparent)`.
+        let points: &[P; N] = unsafe { &*points.as_ptr().cast() };
+        let affine_points = <P as BatchNormalize<_>>::batch_normalize(points);
+
+        // Ensure `array::map()` can be optimized to a `memcpy`.
+        debug_assert_eq!(
+            size_of::<P::AffineRepr>(),
+            size_of::<NonIdentity<P::AffineRepr>>()
+        );
+        debug_assert_eq!(
+            align_of::<P::AffineRepr>(),
+            align_of::<NonIdentity<P::AffineRepr>>()
+        );
+
+        affine_points.map(|point| NonIdentity { point })
+    }
+}
+
+#[cfg(feature = "alloc")]
+impl<P> BatchNormalize<[Self]> for NonIdentity<P>
+where
+    P: Curve + BatchNormalize<[P], Output = Vec<P::AffineRepr>>,
+{
+    type Output = Vec<NonIdentity<P::AffineRepr>>;
+
+    fn batch_normalize(points: &[Self]) -> Vec<NonIdentity<P::AffineRepr>> {
+        // Ensure casting is safe.
+        // This always succeeds because `NonIdentity` is `repr(transparent)`.
+        debug_assert_eq!(size_of::<P>(), size_of::<NonIdentity<P>>());
+        debug_assert_eq!(align_of::<P>(), align_of::<NonIdentity<P>>());
+
+        #[allow(unsafe_code)]
+        // SAFETY: `NonIdentity` is `repr(transparent)`.
+        let points: &[P] = unsafe { &*(points as *const [NonIdentity<P>] as *const [P]) };
+        let affine_points = <P as BatchNormalize<_>>::batch_normalize(points);
+
+        // Ensure `into_iter()` + `collect()` can be optimized away.
+        debug_assert_eq!(
+            size_of::<P::AffineRepr>(),
+            size_of::<NonIdentity<P::AffineRepr>>()
+        );
+        debug_assert_eq!(
+            align_of::<P::AffineRepr>(),
+            align_of::<NonIdentity<P::AffineRepr>>()
+        );
+
+        affine_points
+            .into_iter()
+            .map(|point| NonIdentity { point })
+            .collect()
+    }
+}
+
 impl<P> ConditionallySelectable for NonIdentity<P>
 where
     P: ConditionallySelectable,
@@ -238,6 +308,7 @@ impl<P: Group> Zeroize for NonIdentity<P> {
 #[cfg(all(test, feature = "dev"))]
 mod tests {
     use super::NonIdentity;
+    use crate::BatchNormalize;
     use crate::dev::{AffinePoint, NonZeroScalar, ProjectivePoint, SecretKey};
     use group::GroupEncoding;
     use hex_literal::hex;
@@ -303,4 +374,38 @@ mod tests {
 
         assert_eq!(point.to_point(), pk.to_projective());
     }
+
+    #[test]
+    fn batch_normalize() {
+        let point = ProjectivePoint::from_bytes(
+            &hex!("02c9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721").into(),
+        )
+        .unwrap();
+        let point = NonIdentity::new(point).unwrap();
+        let points = [point, point];
+
+        for (point, affine_point) in points
+            .into_iter()
+            .zip(NonIdentity::batch_normalize(&points))
+        {
+            assert_eq!(point.to_affine(), affine_point);
+        }
+    }
+
+    #[test]
+    #[cfg(feature = "alloc")]
+    fn batch_normalize_alloc() {
+        let point = ProjectivePoint::from_bytes(
+            &hex!("02c9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721").into(),
+        )
+        .unwrap();
+        let point = NonIdentity::new(point).unwrap();
+        let points = vec![point, point];
+
+        let affine_points = NonIdentity::batch_normalize(points.as_slice());
+
+        for (point, affine_point) in points.into_iter().zip(affine_points) {
+            assert_eq!(point.to_affine(), affine_point);
+        }
+    }
 }
