API

davxy · davxy · commit d20c20b3eb48 · 2025-03-14T15:15:44.000+01:00
diff --git a/src/ietf.rs b/src/ietf.rs
@@ -91,8 +91,8 @@ impl<S: IetfSuite> Prover<S> for Secret<S> {
     fn prove(&self, input: Input<S>, output: Output<S>, ad: impl AsRef<[u8]>) -> Proof<S> {
         let k = S::nonce(&self.scalar, input);
 
-        let k_b = utils::mul_secret::<S>(k, S::generator()).into_affine();
-        let k_h = utils::mul_secret::<S>(k, input.0).into_affine();
+        let k_b = utils::mul_secret::<S>(S::generator(), k).into_affine();
+        let k_h = utils::mul_secret::<S>(input.0, k).into_affine();
 
         let c = S::challenge(
             &[&self.public.0, &input.0, &output.0, &k_b, &k_h],
diff --git a/src/lib.rs b/src/lib.rs
@@ -242,7 +242,7 @@ impl<S: Suite> Secret<S> {
 
     /// Get the VRF output point relative to input.
     pub fn output(&self, input: Input<S>) -> Output<S> {
-        Output(utils::mul_secret::<S>(self.scalar, input.0).into_affine())
+        Output(utils::mul_secret::<S>(input.0, self.scalar).into_affine())
     }
 }
 
diff --git a/src/pedersen.rs b/src/pedersen.rs
@@ -89,17 +89,17 @@ impl<S: PedersenSuite> Prover<S> for Secret<S> {
         let kb = S::nonce(&blinding, input);
 
         // Yb = x*G + b*B
-        let xg = utils::mul_secret::<S>(self.scalar, S::generator());
-        let bb = utils::mul_secret::<S>(blinding, S::BLINDING_BASE);
+        let xg = utils::mul_secret::<S>(S::generator(), self.scalar);
+        let bb = utils::mul_secret::<S>(S::BLINDING_BASE, blinding);
         let pk_com = (xg + bb).into_affine();
 
         // R = k*G + kb*B
-        let kg = utils::mul_secret::<S>(k, S::generator());
-        let kbb = utils::mul_secret::<S>(kb, S::BLINDING_BASE);
+        let kg = utils::mul_secret::<S>(S::generator(), k);
+        let kbb = utils::mul_secret::<S>(S::BLINDING_BASE, kb);
         let r = (kg + kbb).into_affine();
 
         // Ok = k*I
-        let ok = utils::mul_secret::<S>(k, input.0).into_affine();
+        let ok = utils::mul_secret::<S>(input.0, k).into_affine();
 
         // c = Hash(Yb, I, O, R, Ok, ad)
         let c = S::challenge(&[&pk_com, &input.0, &output.0, &r, &ok], ad.as_ref());
diff --git a/src/utils/mod.rs b/src/utils/mod.rs
@@ -19,7 +19,8 @@ type Projective<S> = <AffinePoint<S> as AffineRepr>::Group;
 /// retain the same sum. Incurs 2x penalty in scalar multiplications, but provides
 /// side channel defenses.
 #[cfg(feature = "secret-split")]
-pub(crate) fn mul_secret<S: Suite>(s: ScalarField<S>, p: AffinePoint<S>) -> Projective<S> {
+#[inline(always)]
+pub(crate) fn mul_secret<S: Suite>(p: AffinePoint<S>, s: ScalarField<S>) -> Projective<S> {
     use ark_std::UniformRand;
     let mut rng = ark_std::rand::rngs::OsRng;
     let x1 = ScalarField::<S>::rand(&mut rng);
@@ -30,6 +31,6 @@ pub(crate) fn mul_secret<S: Suite>(s: ScalarField<S>, p: AffinePoint<S>) -> Proj
 /// Point scalar multiplication with no secret splitting.
 #[cfg(not(feature = "secret-split"))]
 #[inline(always)]
-pub(crate) fn mul_secret<S: Suite>(s: ScalarField<S>, p: AffinePoint<S>) -> Projective<S> {
+pub(crate) fn mul_secret<S: Suite>(p: AffinePoint<S>, s: ScalarField<S>) -> Projective<S> {
     p * s
 }

Original file line number	Diff line number	Diff line change
`@@ -242,7 +242,7 @@ impl<S: Suite> Secret<S> {`
`242`	`242`
`243`	`243`	`/// Get the VRF output point relative to input.`
`244`	`244`	`pub fn output(&self, input: Input<S>) -> Output<S> {`
`245`		`- Output(utils::mul_secret::<S>(self.scalar, input.0).into_affine())`
	`245`	`+ Output(utils::mul_secret::<S>(input.0, self.scalar).into_affine())`
`246`	`246`	`}`
`247`	`247`	`}`
`248`	`248`