ff: More trait refactoring

bellman/src/domain.rs

@@ -11,7 +11,7 @@
 //! [`EvaluationDomain`]: crate::domain::EvaluationDomain
 //! [Groth16]: https://eprint.iacr.org/2016/260
 
-use ff::{Field, PowVartime, PrimeField, ScalarEngine};
+use ff::{Field, PrimeField, ScalarEngine};
 use group::CurveProjective;
 use std::ops::{AddAssign, MulAssign, SubAssign};
 
@@ -221,7 +221,7 @@ impl<G: CurveProjective> Group<G::Engine> for Point<G> {
         Point(G::zero())
     }
     fn group_mul_assign(&mut self, by: &G::Scalar) {
-        self.0.mul_assign(by.into_repr());
+        self.0.mul_assign(by.to_repr());
     }
     fn group_add_assign(&mut self, other: &Self) {
         self.0.add_assign(&other.0);

bellman/src/gadgets/boolean.rs

@@ -318,7 +318,7 @@ pub fn field_into_allocated_bits_le<E: ScalarEngine, CS: ConstraintSystem<E>, F:
             let mut tmp = Vec::with_capacity(F::NUM_BITS as usize);
 
             let mut found_one = false;
-            for b in BitIterator::<u8, _>::new(value.into_repr()) {
+            for b in BitIterator::<u8, _>::new(value.to_repr()) {
                 // Skip leading bits
                 found_one |= field_char.next().unwrap();
                 if !found_one {

bellman/src/gadgets/multieq.rs

@@ -1,4 +1,4 @@
-use ff::{PowVartime, PrimeField, ScalarEngine};
+use ff::{Field, PrimeField, ScalarEngine};
 
 use crate::{ConstraintSystem, LinearCombination, SynthesisError, Variable};
 

bellman/src/gadgets/num.rs

@@ -103,8 +103,8 @@ impl<E: ScalarEngine> AllocatedNum<E> {
 
         // We want to ensure that the bit representation of a is
         // less than or equal to r - 1.
-        let mut a = self.value.map(|e| BitIterator::<u8, _>::new(e.into_repr()));
-        let b = (-E::Fr::one()).into_repr();
+        let mut a = self.value.map(|e| BitIterator::<u8, _>::new(e.to_repr()));
+        let b = (-E::Fr::one()).to_repr();
 
         let mut result = vec![];
 
@@ -557,7 +557,7 @@ mod test {
 
             assert!(cs.is_satisfied());
 
-            for (b, a) in BitIterator::<u8, _>::new(r.into_repr())
+            for (b, a) in BitIterator::<u8, _>::new(r.to_repr())
                 .skip(1)
                 .zip(bits.iter().rev())
             {

bellman/src/gadgets/test/mod.rs

@@ -1,6 +1,6 @@
 //! Helpers for testing circuit implementations.
 
-use ff::{Field, PowVartime, PrimeField, ScalarEngine};
+use ff::{Endianness, Field, PrimeField, ScalarEngine};
 
 use crate::{ConstraintSystem, Index, LinearCombination, SynthesisError, Variable};
 
@@ -106,11 +106,9 @@ fn hash_lc<E: ScalarEngine>(terms: &[(Variable, E::Fr)], h: &mut Blake2sState) {
             }
         }
 
-        // BLS12-381's Fr is canonically serialized in little-endian, but the hasher
-        // writes its coefficients in big endian. For now, we flip the endianness
-        // manually, which is not necessarily correct for circuits using other curves.
-        // TODO: Fix this in a standalone commit, and document the no-op change.
-        let coeff_be: Vec<_> = coeff.into_repr().as_ref().iter().cloned().rev().collect();
+        let mut coeff_repr = coeff.to_repr();
+        <E::Fr as PrimeField>::ReprEndianness::toggle_little_endian(&mut coeff_repr);
+        let coeff_be: Vec<_> = coeff_repr.as_ref().iter().cloned().rev().collect();
         buf[9..].copy_from_slice(&coeff_be[..]);
 
         h.update(&buf);

bellman/src/groth16/generator.rs

@@ -2,7 +2,7 @@ use rand_core::RngCore;
 use std::ops::{AddAssign, MulAssign};
 use std::sync::Arc;
 
-use ff::{Field, PowVartime};
+use ff::Field;
 use group::{CurveAffine, CurveProjective, Wnaf};
 use pairing::Engine;
 

bellman/src/groth16/tests/dummy_engine.rs

@@ -1,9 +1,8 @@
-use ff::{Field, PowVartime, PrimeField, ScalarEngine, SqrtField};
+use ff::{Field, PrimeField, ScalarEngine};
 use group::{CurveAffine, CurveProjective, EncodedPoint, GroupDecodingError};
 use pairing::{Engine, PairingCurveAffine};
 
 use rand_core::RngCore;
-use std::cmp::Ordering;
 use std::fmt;
 use std::num::Wrapping;
 use std::ops::{Add, AddAssign, BitAnd, Mul, MulAssign, Neg, Shr, Sub, SubAssign};
@@ -48,18 +47,6 @@ impl ConditionallySelectable for Fr {
     }
 }
 
-impl Ord for Fr {
-    fn cmp(&self, other: &Fr) -> Ordering {
-        (self.0).0.cmp(&(other.0).0)
-    }
-}
-
-impl PartialOrd for Fr {
-    fn partial_cmp(&self, other: &Fr) -> Option<Ordering> {
-        Some(self.cmp(other))
-    }
-}
-
 impl Neg for Fr {
     type Output = Self;
 
@@ -214,12 +201,6 @@ impl Field for Fr {
         }
     }
 
-    fn frobenius_map(&mut self, _: usize) {
-        // identity
-    }
-}
-
-impl SqrtField for Fr {
     fn sqrt(&self) -> CtOption<Self> {
         // Tonelli-Shank's algorithm for q mod 16 = 1
         // https://eprint.iacr.org/2012/685.pdf (page 12, algorithm 5)
@@ -291,6 +272,7 @@ impl Default for FrRepr {
 
 impl PrimeField for Fr {
     type Repr = FrRepr;
+    type ReprEndianness = byteorder::LittleEndian;
 
     const NUM_BITS: u32 = 16;
     const CAPACITY: u32 = 15;
@@ -305,7 +287,7 @@ impl PrimeField for Fr {
         }
     }
 
-    fn into_repr(&self) -> FrRepr {
+    fn to_repr(&self) -> FrRepr {
         FrRepr::from(*self)
     }
 

bellman/src/groth16/tests/mod.rs

@@ -1,4 +1,4 @@
-use ff::{Field, PowVartime, PrimeField};
+use ff::{Field, PrimeField};
 use pairing::Engine;
 
 mod dummy_engine;

bellman/src/groth16/verifier.rs

@@ -31,7 +31,7 @@ pub fn verify_proof<'a, E: Engine>(
     let mut acc = pvk.ic[0].into_projective();
 
     for (i, b) in public_inputs.iter().zip(pvk.ic.iter().skip(1)) {
-        AddAssign::<&E::G1>::add_assign(&mut acc, &b.mul(i.into_repr()));
+        AddAssign::<&E::G1>::add_assign(&mut acc, &b.mul(i.to_repr()));
     }
 
     // The original verification equation is:

bellman/src/multiexp.rs

@@ -1,6 +1,6 @@
 use super::multicore::Worker;
 use bit_vec::{self, BitVec};
-use ff::{Field, PrimeField, ScalarEngine};
+use ff::{Endianness, Field, PrimeField, ScalarEngine};
 use futures::Future;
 use group::{CurveAffine, CurveProjective};
 use std::io;
@@ -195,8 +195,18 @@ where
                             bases.skip(1)?;
                         }
                     } else {
-                        let exp = exp >> skip;
-                        let exp = exp & ((1 << c) - 1);
+                        let mut exp = exp.to_repr();
+                        <<G::Engine as ScalarEngine>::Fr as PrimeField>::ReprEndianness::toggle_little_endian(&mut exp);
+
+                        let exp = exp
+                            .as_ref()
+                            .into_iter()
+                            .map(|b| (0..8).map(move |i| (b >> i) & 1u8))
+                            .flatten()
+                            .skip(skip as usize)
+                            .take(c as usize)
+                            .enumerate()
+                            .fold(0u64, |acc, (i, b)| acc + ((b as u64) << i));
 
                         if exp != 0 {
                             (&mut buckets[(exp - 1) as usize])
@@ -295,7 +305,7 @@ fn test_with_bls12() {
         let mut acc = G::zero();
 
         for (base, exp) in bases.iter().zip(exponents.iter()) {
-            AddAssign::<&G>::add_assign(&mut acc, &base.mul(exp.into_repr()));
+            AddAssign::<&G>::add_assign(&mut acc, &base.mul(exp.to_repr()));
         }
 
         acc

ff/Cargo.toml

@@ -11,15 +11,15 @@ repository = "https://github.com/ebfull/ff"
 edition = "2018"
 
 [dependencies]
-byteorder = { version = "1", optional = true }
+byteorder = { version = "1", default-features = false }
 ff_derive = { version = "0.6", path = "ff_derive", optional = true }
 rand_core = { version = "0.5", default-features = false }
 subtle = { version = "2.2.1", default-features = false, features = ["i128"] }
 
 [features]
 default = ["std"]
 derive = ["ff_derive"]
-std = ["byteorder"]
+std = []
 
 [badges]
 maintenance = { status = "actively-developed" }