k256: restore w-NAF support#1812

Merged: tarcieri merged 1 commit into master from k256/restore-wnaf on Jun 17, 2026

Conversation

@tarcieri (Member):

Support for w-NAF was removed in #1810 which replaced it with a variable-time path through the existing scalar multiplication / linear combination implementation, first because that works without an alloc dependency, and secondly so we can stabilize k256 without having to stabilize the wnaf crate first (or find a solution to use the upstream implementation in the group crate, since we need many changes to make that work with the GLV endomorphism).

But that may have been too hasty when there's another option: vendor the parts of the group/wnaf implementation we actually need, with the goal of eventually migrating onto an upstream crate (most likely wnaf, which is located in-repo here and therefore easy to co-develop).

This brings back the w-NAF support that was removed in #1810, but also leaves the (slower) variable-time implementation that doesn't require alloc in place and uses it when alloc is unavailable, only using w-NAF when alloc is enabled. So regardless of whether alloc is enabled there is a variable-time fast path.

The performance gains definitely seem to be worth it:

ecdsa/verify_prehashed  time:   [46.603 µs 46.699 µs 46.802 µs]
                        change: [−18.301% −16.734% −15.271%] (p = 0.00 < 0.05)
                        Performance has improved.

high-level operations/point-scalar mul (variable-time)
                        time:   [29.060 µs 29.138 µs 29.218 µs]
                        change: [−15.332% −14.118% −12.622%] (p = 0.00 < 0.05)
                        Performance has improved.

schnorr/verify          time:   [44.450 µs 44.554 µs 44.659 µs]
                        change: [−17.402% −16.639% −15.827%] (p = 0.00 < 0.05)
                        Performance has improved.

@tarcieri tarcieri merged commit 80318c1 into master Jun 17, 2026
18 checks passed
@tarcieri tarcieri deleted the k256/restore-wnaf branch June 17, 2026 13:30