Upstream MultiExponentiation to crypto-bigint (#46)

After [upstreaming our multi-exponentiation code to
crypto-bigint](RustCrypto/crypto-bigint#248),
this PR updates the crypto-bigint version and removes the local
`multiexp` module in its favor

Cargo.toml

@@ -5,7 +5,7 @@ edition = "2021"
 license = "Apache-2.0"
 
 [dependencies]
-crypto-bigint = { version = "0.5.5", features = ["rand_core", "serde"], default-features = false }
+crypto-bigint = { version = "0.5.5", features = ["rand_core", "serde", "alloc"], default-features = false }
 merlin = { version = "3.0.0", default-features = false }
 serde = { version = "1.0.163", features = ["derive"] }
 thiserror = "1.0.40"

src/batch_verification.rs

@@ -4,11 +4,9 @@
 use crypto_bigint::{
     modular::runtime_mod::{DynResidue, DynResidueParams},
     rand_core::CryptoRngCore,
-    Random, Uint,
+    MultiExponentiateBoundedExp, Random, Uint,
 };
 
-use crate::multiexp::multi_exponentiate;
-
 #[derive(thiserror::Error, Debug, PartialEq)]
 pub enum Error {
     #[error("Invalid Params")]
@@ -93,19 +91,20 @@ fn batch_equation_side<
 
     let batched_columns: Vec<DynResidue<LIMBS>> = (0..number_of_columns)
         .map(|i| {
-            let bases_and_exponents: Vec<(Uint<LIMBS>, Uint<COMPUTATIONAL_SECURITY_LIMBS>)> = bases
+            let bases_and_exponents: Vec<_> = bases
                 .iter()
-                .map(|equation_bases| equation_bases.get(i).copied().unwrap_or(Uint::<LIMBS>::ONE))
+                .map(|equation_bases| {
+                    DynResidue::new(
+                        &equation_bases.get(i).copied().unwrap_or(Uint::<LIMBS>::ONE),
+                        residue_params,
+                    )
+                })
                 .zip(randomizers.clone())
                 .collect();
 
-            let batched_column = DynResidue::new(
-                &multi_exponentiate(
-                    bases_and_exponents,
-                    Uint::<COMPUTATIONAL_SECURITY_LIMBS>::BITS,
-                    residue_params,
-                ),
-                residue_params,
+            let batched_column = DynResidue::multi_exponentiate_bounded_exp(
+                bases_and_exponents.as_slice(),
+                Uint::<COMPUTATIONAL_SECURITY_LIMBS>::BITS,
             );
 
             if i < exponents.len() {

src/decryption_key_share.rs

@@ -7,19 +7,19 @@ use std::{
 
 #[cfg(feature = "benchmarking")]
 pub(crate) use benches::{benchmark_combine_decryption_shares, benchmark_decryption_share};
-use crypto_bigint::{modular::runtime_mod::DynResidueParams, rand_core::CryptoRngCore, NonZero};
+use crypto_bigint::{rand_core::CryptoRngCore, MultiExponentiateBoundedExp, NonZero};
 #[cfg(feature = "parallel")]
 use rayon::prelude::*;
 
 use crate::{
     error::{ProtocolError, SanityCheckError},
     factorial_upper_bound,
-    multiexp::multi_exponentiate,
     precomputed_values::PrecomputedValues,
     proofs::ProofOfEqualityOfDiscreteLogs,
     secret_key_share_size_upper_bound, AdjustedLagrangeCoefficientSizedNumber, AsNaturalNumber,
     AsRingElement, EncryptionKey, Error, LargeBiPrimeSizedNumber, Message,
-    PaillierModulusSizedNumber, Result, SecretKeyShareSizedNumber, MAX_PLAYERS,
+    PaillierModulusSizedNumber, PaillierRingElement, Result, SecretKeyShareSizedNumber,
+    MAX_PLAYERS,
 };
 
 #[derive(Clone)]
@@ -254,12 +254,11 @@ impl DecryptionKeyShare {
         // integer:
         //      $2n!\lambda_{0,j}^{S}=2n!\Pi_{j'\in S\setminus\{j\}}\frac{j'}{j'-j}=\frac{2n!\Pi_{j'
         // \in [n]\setminus S}(j'-j)\Pi_{j'\in S\setminus{j}}j'}{\Pi_{j'\in [n]\setminus{j}}(j'-j)}$
-        // Or, more compcatly:
+        // Or, more compactly:
         //      $2n!\lambda_{0,j}^{S}=2{n\choose j}(-1)^{j-1}\Pi_{j'\in [n] \setminus S}
         // (j'-j)\Pi_{j' \in S}j'$.
 
         let n2 = encryption_key.n2;
-        let params = DynResidueParams::new(&n2);
 
         let batch_size = ciphertexts.len();
         #[cfg(not(feature = "parallel"))]
@@ -363,8 +362,15 @@ impl DecryptionKeyShare {
                         .max()
                         .unwrap();
 
-                    multi_exponentiate(bases_and_exponents, exponent_bits, params)
-                        .as_ring_element(&n2)
+                    let bases_and_exponents: Vec<_> = bases_and_exponents
+                        .into_iter()
+                        .map(|(base, exponent)| (base.as_ring_element(&n2), exponent))
+                        .collect();
+
+                    PaillierRingElement::multi_exponentiate_bounded_exp(
+                        bases_and_exponents.as_slice(),
+                        exponent_bits,
+                    )
                 });
 
                 let c_prime =

src/lib.rs

@@ -22,7 +22,6 @@ mod message;
 mod precomputed_values;
 
 mod batch_verification;
-mod multiexp;
 pub mod proofs;
 pub mod secret_sharing;
 
@@ -216,5 +215,4 @@ criterion_group!(
     proofs::benchmark_proof_of_equality_of_discrete_logs,
     decryption_key_share::benchmark_decryption_share,
     decryption_key_share::benchmark_combine_decryption_shares,
-    multiexp::benchmark_multiexp,
 );