ff::Field::pow_vartime and no_std support

bellman/src/domain.rs

@@ -106,7 +106,7 @@ impl<E: ScalarEngine, G: Group<E>> EvaluationDomain<E, G> {
         worker.scope(self.coeffs.len(), |scope, chunk| {
             for (i, v) in self.coeffs.chunks_mut(chunk).enumerate() {
                 scope.spawn(move |_scope| {
-                    let mut u = g.pow(&[(i * chunk) as u64]);
+                    let mut u = g.pow_vartime(&[(i * chunk) as u64]);
                     for v in v.iter_mut() {
                         v.group_mul_assign(&u);
                         u.mul_assign(&g);
@@ -131,7 +131,7 @@ impl<E: ScalarEngine, G: Group<E>> EvaluationDomain<E, G> {
     /// This evaluates t(tau) for this domain, which is
     /// tau^m - 1 for these radix-2 domains.
     pub fn z(&self, tau: &E::Fr) -> E::Fr {
-        let mut tmp = tau.pow(&[self.coeffs.len() as u64]);
+        let mut tmp = tau.pow_vartime(&[self.coeffs.len() as u64]);
         tmp.sub_assign(&E::Fr::one());
 
         tmp
@@ -294,7 +294,7 @@ fn serial_fft<E: ScalarEngine, T: Group<E>>(a: &mut [T], omega: &E::Fr, log_n: u
 
     let mut m = 1;
     for _ in 0..log_n {
-        let w_m = omega.pow(&[u64::from(n / (2 * m))]);
+        let w_m = omega.pow_vartime(&[u64::from(n / (2 * m))]);
 
         let mut k = 0;
         while k < n {
@@ -328,16 +328,16 @@ fn parallel_fft<E: ScalarEngine, T: Group<E>>(
     let num_cpus = 1 << log_cpus;
     let log_new_n = log_n - log_cpus;
     let mut tmp = vec![vec![T::group_zero(); 1 << log_new_n]; num_cpus];
-    let new_omega = omega.pow(&[num_cpus as u64]);
+    let new_omega = omega.pow_vartime(&[num_cpus as u64]);
 
     worker.scope(0, |scope, _| {
         let a = &*a;
 
         for (j, tmp) in tmp.iter_mut().enumerate() {
             scope.spawn(move |_scope| {
                 // Shuffle into a sub-FFT
-                let omega_j = omega.pow(&[j as u64]);
-                let omega_step = omega.pow(&[(j as u64) << log_new_n]);
+                let omega_j = omega.pow_vartime(&[j as u64]);
+                let omega_step = omega.pow_vartime(&[(j as u64) << log_new_n]);
 
                 let mut elt = E::Fr::one();
                 for (i, tmp) in tmp.iter_mut().enumerate() {

bellman/src/gadgets/multieq.rs

@@ -50,7 +50,9 @@ impl<E: ScalarEngine, CS: ConstraintSystem<E>> MultiEq<E, CS> {
 
         assert!((E::Fr::CAPACITY as usize) > (self.bits_used + num_bits));
 
-        let coeff = E::Fr::from_str("2").unwrap().pow(&[self.bits_used as u64]);
+        let coeff = E::Fr::from_str("2")
+            .unwrap()
+            .pow_vartime(&[self.bits_used as u64]);
         self.lhs = self.lhs.clone() + (coeff, lhs);
         self.rhs = self.rhs.clone() + (coeff, rhs);
         self.bits_used += num_bits;

bellman/src/gadgets/test/mod.rs

@@ -155,7 +155,7 @@ impl<E: ScalarEngine> TestConstraintSystem<E> {
         let negone = E::Fr::one().neg();
 
         let powers_of_two = (0..E::Fr::NUM_BITS)
-            .map(|i| E::Fr::from_str("2").unwrap().pow(&[u64::from(i)]))
+            .map(|i| E::Fr::from_str("2").unwrap().pow_vartime(&[u64::from(i)]))
             .collect::<Vec<_>>();
 
         let pp = |s: &mut String, lc: &LinearCombination<E>| {

bellman/src/groth16/generator.rs

@@ -242,7 +242,7 @@ where
             worker.scope(powers_of_tau.len(), |scope, chunk| {
                 for (i, powers_of_tau) in powers_of_tau.chunks_mut(chunk).enumerate() {
                     scope.spawn(move |_scope| {
-                        let mut current_tau_power = tau.pow(&[(i * chunk) as u64]);
+                        let mut current_tau_power = tau.pow_vartime(&[(i * chunk) as u64]);
 
                         for p in powers_of_tau {
                             p.0 = current_tau_power;

bellman/src/groth16/tests/dummy_engine.rs

@@ -172,7 +172,10 @@ impl Field for Fr {
         if <Fr as Field>::is_zero(self) {
             CtOption::new(<Fr as Field>::zero(), Choice::from(0))
         } else {
-            CtOption::new(self.pow(&[(MODULUS_R.0 as u64) - 2]), Choice::from(1))
+            CtOption::new(
+                self.pow_vartime(&[(MODULUS_R.0 as u64) - 2]),
+                Choice::from(1),
+            )
         }
     }
 
@@ -187,9 +190,9 @@ impl SqrtField for Fr {
         // https://eprint.iacr.org/2012/685.pdf (page 12, algorithm 5)
         let mut c = Fr::root_of_unity();
         // r = self^((t + 1) // 2)
-        let mut r = self.pow([32]);
+        let mut r = self.pow_vartime([32]);
         // t = self^t
-        let mut t = self.pow([63]);
+        let mut t = self.pow_vartime([63]);
         let mut m = Fr::S;
 
         while t != <Fr as Field>::one() {
@@ -311,7 +314,7 @@ impl PrimeField for Fr {
 
     fn from_repr(repr: FrRepr) -> Result<Self, PrimeFieldDecodingError> {
         if repr.0[0] >= (MODULUS_R.0 as u64) {
-            Err(PrimeFieldDecodingError::NotInField(format!("{}", repr)))
+            Err(PrimeFieldDecodingError::NotInField)
         } else {
             Ok(Fr(Wrapping(repr.0[0] as u32)))
         }

bellman/src/groth16/tests/mod.rs

@@ -127,22 +127,22 @@ fn test_xordemo() {
     let mut root_of_unity = Fr::root_of_unity();
 
     // We expect this to be a 2^10 root of unity
-    assert_eq!(Fr::one(), root_of_unity.pow(&[1 << 10]));
+    assert_eq!(Fr::one(), root_of_unity.pow_vartime(&[1 << 10]));
 
     // Let's turn it into a 2^3 root of unity.
-    root_of_unity = root_of_unity.pow(&[1 << 7]);
-    assert_eq!(Fr::one(), root_of_unity.pow(&[1 << 3]));
+    root_of_unity = root_of_unity.pow_vartime(&[1 << 7]);
+    assert_eq!(Fr::one(), root_of_unity.pow_vartime(&[1 << 3]));
     assert_eq!(Fr::from_str("20201").unwrap(), root_of_unity);
 
     // Let's compute all the points in our evaluation domain.
     let mut points = Vec::with_capacity(8);
     for i in 0..8 {
-        points.push(root_of_unity.pow(&[i]));
+        points.push(root_of_unity.pow_vartime(&[i]));
     }
 
     // Let's compute t(tau) = (tau - p_0)(tau - p_1)...
     //                      = tau^8 - 1
-    let mut t_at_tau = tau.pow(&[8]);
+    let mut t_at_tau = tau.pow_vartime(&[8]);
     t_at_tau.sub_assign(&Fr::one());
     {
         let mut tmp = Fr::one();

ff/Cargo.toml

@@ -11,14 +11,15 @@ repository = "https://github.com/ebfull/ff"
 edition = "2018"
 
 [dependencies]
-byteorder = "1"
+byteorder = { version = "1", default-features = false }
 ff_derive = { version = "0.4.0", path = "ff_derive", optional = true }
-rand_core = "0.5"
-subtle = "2.2.1"
+rand_core = { version = "0.5", default-features = false }
+subtle = { version = "2.2.1", default-features = false, features = ["i128"] }
 
 [features]
-default = []
+default = ["std"]
 derive = ["ff_derive"]
+std = []
 
 [badges]
 maintenance = { status = "actively-developed" }