Diffstat (limited to '')
-rw-r--r--tests/performance_tests/crypto_ops.h21
-rw-r--r--tests/performance_tests/main.cpp21
-rw-r--r--tests/performance_tests/sig_clsag.h172
-rw-r--r--tests/performance_tests/sig_mlsag.h172
4 files changed, 382 insertions, 4 deletions
diff --git a/tests/performance_tests/crypto_ops.h b/tests/performance_tests/crypto_ops.h
index ae00bb517..9db2e413a 100644
--- a/tests/performance_tests/crypto_ops.h
+++ b/tests/performance_tests/crypto_ops.h
@@ -51,11 +51,15 @@ enum test_op
op_scalarmult8_p3,
op_ge_dsm_precomp,
op_ge_double_scalarmult_base_vartime,
+ op_ge_triple_scalarmult_base_vartime,
op_ge_double_scalarmult_precomp_vartime,
+ op_ge_triple_scalarmult_precomp_vartime,
op_ge_double_scalarmult_precomp_vartime2,
op_addKeys2,
op_addKeys3,
op_addKeys3_2,
+ op_addKeys_aGbBcC,
+ op_addKeys_aAbBcC,
op_isInMainSubgroup,
op_zeroCommitUncached,
};
@@ -70,15 +74,20 @@ public:
{
scalar0 = rct::skGen();
scalar1 = rct::skGen();
+ scalar2 = rct::skGen();
point0 = rct::scalarmultBase(rct::skGen());
point1 = rct::scalarmultBase(rct::skGen());
+ point2 = rct::scalarmultBase(rct::skGen());
if (ge_frombytes_vartime(&p3_0, point0.bytes) != 0)
return false;
if (ge_frombytes_vartime(&p3_1, point1.bytes) != 0)
return false;
+ if (ge_frombytes_vartime(&p3_2, point2.bytes) != 0)
+ return false;
ge_p3_to_cached(&cached, &p3_0);
rct::precomp(precomp0, point0);
rct::precomp(precomp1, point1);
+ rct::precomp(precomp2, point2);
return true;
}
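Review bot: `p3_2` is decompressed and checked in init(), but none of the cases this commit adds to the switch read it; they take only `scalar2` and `precomp2`, so the `ge_frombytes_vartime(&p3_2, point2.bytes)` call and the `p3_2` member look unused. If that is the case, drop them, or add a comment such as `// decompression kept as a validity check of point2` so the intent is clear. The start of init() and the full switch lie outside the hunks shown, so confirm that no other case uses `p3_2` before removing it.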
@@ -109,11 +118,15 @@ public:
case op_scalarmult8_p3: rct::scalarmult8(p3_0,point0); break;
case op_ge_dsm_precomp: ge_dsm_precomp(dsmp, &p3_0); break;
case op_ge_double_scalarmult_base_vartime: ge_double_scalarmult_base_vartime(&tmp_p2, scalar0.bytes, &p3_0, scalar1.bytes); break;
+ case op_ge_triple_scalarmult_base_vartime: ge_triple_scalarmult_base_vartime(&tmp_p2, scalar0.bytes, scalar1.bytes, precomp1, scalar2.bytes, precomp2); break;
case op_ge_double_scalarmult_precomp_vartime: ge_double_scalarmult_precomp_vartime(&tmp_p2, scalar0.bytes, &p3_0, scalar1.bytes, precomp0); break;
+ case op_ge_triple_scalarmult_precomp_vartime: ge_triple_scalarmult_precomp_vartime(&tmp_p2, scalar0.bytes, precomp0, scalar1.bytes, precomp1, scalar2.bytes, precomp2); break;
case op_ge_double_scalarmult_precomp_vartime2: ge_double_scalarmult_precomp_vartime2(&tmp_p2, scalar0.bytes, precomp0, scalar1.bytes, precomp1); break;
case op_addKeys2: rct::addKeys2(key, scalar0, scalar1, point0); break;
case op_addKeys3: rct::addKeys3(key, scalar0, point0, scalar1, precomp1); break;
case op_addKeys3_2: rct::addKeys3(key, scalar0, precomp0, scalar1, precomp1); break;
+ case op_addKeys_aGbBcC: rct::addKeys_aGbBcC(key, scalar0, scalar1, precomp1, scalar2, precomp2); break;
+ case op_addKeys_aAbBcC: rct::addKeys_aAbBcC(key, scalar0, precomp0, scalar1, precomp1, scalar2, precomp2); break;
case op_isInMainSubgroup: rct::isInMainSubgroup(point0); break;
case op_zeroCommitUncached: rct::zeroCommit(9001); break;
case op_zeroCommitCached: rct::zeroCommit(9000); break;
@@ -123,9 +136,9 @@ public:
}
private:
- rct::key scalar0, scalar1;
- rct::key point0, point1;
- ge_p3 p3_0, p3_1;
+ rct::key scalar0, scalar1, scalar2;
+ rct::key point0, point1, point2;
+ ge_p3 p3_0, p3_1, p3_2;
ge_cached cached;
- ge_dsmp precomp0, precomp1;
+ ge_dsmp precomp0, precomp1, precomp2;
};
diff --git a/tests/performance_tests/main.cpp b/tests/performance_tests/main.cpp
index ca0528e16..e59bb52fd 100644
--- a/tests/performance_tests/main.cpp
+++ b/tests/performance_tests/main.cpp
@@ -60,6 +60,8 @@
#include "bulletproof.h"
#include "crypto_ops.h"
#include "multiexp.h"
+#include "sig_mlsag.h"
+#include "sig_clsag.h"
namespace po = boost::program_options;
@@ -213,6 +215,21 @@ int main(int argc, char** argv)
TEST_PERFORMANCE1(filter, p, test_cn_fast_hash, 32);
TEST_PERFORMANCE1(filter, p, test_cn_fast_hash, 16384);
+ TEST_PERFORMANCE3(filter, p, test_sig_mlsag, 4, 2, 2); // MLSAG verification
+ TEST_PERFORMANCE3(filter, p, test_sig_mlsag, 8, 2, 2);
+ TEST_PERFORMANCE3(filter, p, test_sig_mlsag, 16, 2, 2);
+ TEST_PERFORMANCE3(filter, p, test_sig_mlsag, 32, 2, 2);
+ TEST_PERFORMANCE3(filter, p, test_sig_mlsag, 64, 2, 2);
+ TEST_PERFORMANCE3(filter, p, test_sig_mlsag, 128, 2, 2);
+ TEST_PERFORMANCE3(filter, p, test_sig_mlsag, 256, 2, 2);
+ TEST_PERFORMANCE3(filter, p, test_sig_clsag, 4, 2, 2); // CLSAG verification
+ TEST_PERFORMANCE3(filter, p, test_sig_clsag, 8, 2, 2);
+ TEST_PERFORMANCE3(filter, p, test_sig_clsag, 16, 2, 2);
+ TEST_PERFORMANCE3(filter, p, test_sig_clsag, 32, 2, 2);
+ TEST_PERFORMANCE3(filter, p, test_sig_clsag, 64, 2, 2);
+ TEST_PERFORMANCE3(filter, p, test_sig_clsag, 128, 2, 2);
+ TEST_PERFORMANCE3(filter, p, test_sig_clsag, 256, 2, 2);
+
TEST_PERFORMANCE2(filter, p, test_ringct_mlsag, 11, false);
TEST_PERFORMANCE2(filter, p, test_ringct_mlsag, 11, true);
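Review bot: The three numeric arguments on the new `TEST_PERFORMANCE3` lines are unlabeled, and the trailing comments say only "verification", which does not describe everything that is timed. Judging from the class templates in sig_mlsag.h and sig_clsag.h, the arguments are the ring size N, the output count T and the number of signed inputs w, and test() runs w signature verifications followed by a straus balance check. A comment above each group, for example `// <N ring size, T outputs, w inputs>: verifies w signatures, then the balance check`, would make the reported numbers interpretable. main() begins and ends outside this hunk.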
@@ -257,11 +274,15 @@ int main(int argc, char** argv)
TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_scalarmult8_p3);
TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_ge_dsm_precomp);
TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_ge_double_scalarmult_base_vartime);
+ TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_ge_triple_scalarmult_base_vartime);
TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_ge_double_scalarmult_precomp_vartime);
+ TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_ge_triple_scalarmult_precomp_vartime);
TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_ge_double_scalarmult_precomp_vartime2);
TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_addKeys2);
TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_addKeys3);
TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_addKeys3_2);
+ TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_addKeys_aGbBcC);
+ TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_addKeys_aAbBcC);
TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_isInMainSubgroup);
TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_zeroCommitUncached);
TEST_PERFORMANCE1(filter, p, test_crypto_ops, op_zeroCommitCached);
diff --git a/tests/performance_tests/sig_clsag.h b/tests/performance_tests/sig_clsag.h
new file mode 100644
index 000000000..c59e1e869
--- /dev/null
+++ b/tests/performance_tests/sig_clsag.h
@@ -0,0 +1,172 @@
+// Copyright (c) 2014-2020, The Monero Project
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+// conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+// of conditions and the following disclaimer in the documentation and/or other
+// materials provided with the distribution.
+//
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+// used to endorse or promote products derived from this software without specific
+// prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
+
+#pragma once
+
+#include "ringct/rctSigs.h"
+#include "ringct/rctTypes.h"
+#include "device/device.hpp"
+
+using namespace rct;
+
+template<size_t a_N, size_t a_T, size_t a_w>
+class test_sig_clsag
+{
+ public:
+ static const size_t loop_count = 1000;
+ static const size_t N = a_N;
+ static const size_t T = a_T;
+ static const size_t w = a_w;
+
+ bool init()
+ {
+ pubs.reserve(N);
+ pubs.resize(N);
+
+ r = keyV(w); // M[l[u]] = Com(0,r[u])
+
+ a = keyV(w); // P[l[u]] = Com(a[u],s[u])
+ s = keyV(w);
+
+ Q = keyV(T); // Q[j] = Com(b[j],t[j])
+ b = keyV(T);
+ t = keyV(T);
+
+ // Random keys
+ key temp;
+ for (size_t k = 0; k < N; k++)
+ {
+ skpkGen(temp,pubs[k].dest);
+ skpkGen(temp,pubs[k].mask);
+ }
+
+ // Signing and commitment keys (assumes fixed signing indices 0,1,...,w-1 for this test)
+ // TODO: random signing indices
+ C_offsets = keyV(w); // P[l[u]] - C_offsets[u] = Com(0,s[u]-s1[u])
+ s1 = keyV(w);
+ key a_sum = zero();
+ key s1_sum = zero();
+ messages = keyV(w);
+ for (size_t u = 0; u < w; u++)
+ {
+ skpkGen(r[u],pubs[u].dest); // M[u] = Com(0,r[u])
+
+ a[u] = skGen(); // P[u] = Com(a[u],s[u])
+ s[u] = skGen();
+ addKeys2(pubs[u].mask,s[u],a[u],H);
+
+ s1[u] = skGen(); // C_offsets[u] = Com(a[u],s1[u])
+ addKeys2(C_offsets[u],s1[u],a[u],H);
+
+ sc_add(a_sum.bytes,a_sum.bytes,a[u].bytes);
+ sc_add(s1_sum.bytes,s1_sum.bytes,s1[u].bytes);
+
+ messages[u] = skGen();
+ }
+
+ // Outputs
+ key b_sum = zero();
+ key t_sum = zero();
+ for (size_t j = 0; j < T-1; j++)
+ {
+ b[j] = skGen(); // Q[j] = Com(b[j],t[j])
+ t[j] = skGen();
+ addKeys2(Q[j],t[j],b[j],H);
+
+ sc_add(b_sum.bytes,b_sum.bytes,b[j].bytes);
+ sc_add(t_sum.bytes,t_sum.bytes,t[j].bytes);
+ }
+ // Value/mask balance for Q[T-1]
+ sc_sub(b[T-1].bytes,a_sum.bytes,b_sum.bytes);
+ sc_sub(t[T-1].bytes,s1_sum.bytes,t_sum.bytes);
+ addKeys2(Q[T-1],t[T-1],b[T-1],H);
+
+ // Build proofs
+ sigs.reserve(w);
+ sigs.resize(0);
+ ctkey sk;
+ for (size_t u = 0; u < w; u++)
+ {
+ sk.dest = r[u];
+ sk.mask = s[u];
+
+ sigs.push_back(proveRctCLSAGSimple(messages[u],pubs,sk,s1[u],C_offsets[u],NULL,NULL,NULL,u,hw::get_device("default")));
+ }
+
+ return true;
+ }
+
+ bool test()
+ {
+ for (size_t u = 0; u < w; u++)
+ {
+ if (!verRctCLSAGSimple(messages[u],sigs[u],pubs,C_offsets[u]))
+ {
+ return false;
+ }
+ }
+
+ // Check balanace
+ std::vector<MultiexpData> balance;
+ balance.reserve(w + T);
+ balance.resize(0);
+ key ZERO = zero();
+ key ONE = identity();
+ key MINUS_ONE;
+ sc_sub(MINUS_ONE.bytes,ZERO.bytes,ONE.bytes);
+ for (size_t u = 0; u < w; u++)
+ {
+ balance.push_back({ONE,C_offsets[u]});
+ }
+ for (size_t j = 0; j < T; j++)
+ {
+ balance.push_back({MINUS_ONE,Q[j]});
+ }
+ if (!(straus(balance) == ONE)) // group identity
+ {
+ return false;
+ }
+
+ return true;
+ }
+
+ private:
+ ctkeyV pubs;
+ keyV Q;
+ keyV r;
+ keyV s;
+ keyV s1;
+ keyV t;
+ keyV a;
+ keyV b;
+ keyV C_offsets;
+ keyV messages;
+ std::vector<clsag> sigs;
+};
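Review bot: init() indexes with `T-1` and with `pubs[u]` for `u < w` without constraining the template parameters. With `a_T == 0` the `size_t` expression `T-1` wraps, so the `j < T-1` loop and the `b[T-1]`/`t[T-1]`/`Q[T-1]` accesses run past empty vectors, and with `a_w > a_N` the signing loop writes past the end of `pubs`. The instantiations added in main.cpp all use T = 2 and w = 2 with N >= 4, so nothing breaks today, but a compile-time guard is cheap: `static_assert(a_T >= 1, "need at least one output");` and `static_assert(a_w <= a_N, "more signers than ring members");` at the top of the class. sig_mlsag.h has the same init() and needs the same two lines; both files also spell the comment `// Check balanace`, a typo for "balance".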
diff --git a/tests/performance_tests/sig_mlsag.h b/tests/performance_tests/sig_mlsag.h
new file mode 100644
index 000000000..89645e155
--- /dev/null
+++ b/tests/performance_tests/sig_mlsag.h
@@ -0,0 +1,172 @@
+// Copyright (c) 2014-2020, The Monero Project
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+// conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+// of conditions and the following disclaimer in the documentation and/or other
+// materials provided with the distribution.
+//
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+// used to endorse or promote products derived from this software without specific
+// prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
+
+#pragma once
+
+#include "ringct/rctSigs.h"
+#include "ringct/rctTypes.h"
+#include "device/device.hpp"
+
+using namespace rct;
+
+template<size_t a_N, size_t a_T, size_t a_w>
+class test_sig_mlsag
+{
+ public:
+ static const size_t loop_count = 1000;
+ static const size_t N = a_N;
+ static const size_t T = a_T;
+ static const size_t w = a_w;
+
+ bool init()
+ {
+ pubs.reserve(N);
+ pubs.resize(N);
+
+ r = keyV(w); // M[l[u]] = Com(0,r[u])
+
+ a = keyV(w); // P[l[u]] = Com(a[u],s[u])
+ s = keyV(w);
+
+ Q = keyV(T); // Q[j] = Com(b[j],t[j])
+ b = keyV(T);
+ t = keyV(T);
+
+ // Random keys
+ key temp;
+ for (size_t k = 0; k < N; k++)
+ {
+ skpkGen(temp,pubs[k].dest);
+ skpkGen(temp,pubs[k].mask);
+ }
+
+ // Signing and commitment keys (assumes fixed signing indices 0,1,...,w-1 for this test)
+ // TODO: random signing indices
+ C_offsets = keyV(w); // P[l[u]] - C_offsets[u] = Com(0,s[u]-s1[u])
+ s1 = keyV(w);
+ key a_sum = zero();
+ key s1_sum = zero();
+ messages = keyV(w);
+ for (size_t u = 0; u < w; u++)
+ {
+ skpkGen(r[u],pubs[u].dest); // M[u] = Com(0,r[u])
+
+ a[u] = skGen(); // P[u] = Com(a[u],s[u])
+ s[u] = skGen();
+ addKeys2(pubs[u].mask,s[u],a[u],H);
+
+ s1[u] = skGen(); // C_offsets[u] = Com(a[u],s1[u])
+ addKeys2(C_offsets[u],s1[u],a[u],H);
+
+ sc_add(a_sum.bytes,a_sum.bytes,a[u].bytes);
+ sc_add(s1_sum.bytes,s1_sum.bytes,s1[u].bytes);
+
+ messages[u] = skGen();
+ }
+
+ // Outputs
+ key b_sum = zero();
+ key t_sum = zero();
+ for (size_t j = 0; j < T-1; j++)
+ {
+ b[j] = skGen(); // Q[j] = Com(b[j],t[j])
+ t[j] = skGen();
+ addKeys2(Q[j],t[j],b[j],H);
+
+ sc_add(b_sum.bytes,b_sum.bytes,b[j].bytes);
+ sc_add(t_sum.bytes,t_sum.bytes,t[j].bytes);
+ }
+ // Value/mask balance for Q[T-1]
+ sc_sub(b[T-1].bytes,a_sum.bytes,b_sum.bytes);
+ sc_sub(t[T-1].bytes,s1_sum.bytes,t_sum.bytes);
+ addKeys2(Q[T-1],t[T-1],b[T-1],H);
+
+ // Build proofs
+ sigs.reserve(w);
+ sigs.resize(0);
+ ctkey sk;
+ for (size_t u = 0; u < w; u++)
+ {
+ sk.dest = r[u];
+ sk.mask = s[u];
+
+ sigs.push_back(proveRctMGSimple(messages[u],pubs,sk,s1[u],C_offsets[u],NULL,NULL,u,hw::get_device("default")));
+ }
+
+ return true;
+ }
+
+ bool test()
+ {
+ for (size_t u = 0; u < w; u++)
+ {
+ if (!verRctMGSimple(messages[u],sigs[u],pubs,C_offsets[u]))
+ {
+ return false;
+ }
+ }
+
+ // Check balanace
+ std::vector<MultiexpData> balance;
+ balance.reserve(w + T);
+ balance.resize(0);
+ key ZERO = zero();
+ key ONE = identity();
+ key MINUS_ONE;
+ sc_sub(MINUS_ONE.bytes,ZERO.bytes,ONE.bytes);
+ for (size_t u = 0; u < w; u++)
+ {
+ balance.push_back({ONE,C_offsets[u]});
+ }
+ for (size_t j = 0; j < T; j++)
+ {
+ balance.push_back({MINUS_ONE,Q[j]});
+ }
+ if (!(straus(balance) == ONE)) // group identity
+ {
+ return false;
+ }
+
+ return true;
+ }
+
+ private:
+ ctkeyV pubs;
+ keyV Q;
+ keyV r;
+ keyV s;
+ keyV s1;
+ keyV t;
+ keyV a;
+ keyV b;
+ keyV C_offsets;
+ keyV messages;
+ std::vector<mgSig> sigs;
+};
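Review bot: sig_mlsag.h is a near-verbatim copy of sig_clsag.h; the only differences are the prove call (`proveRctMGSimple` vs `proveRctCLSAGSimple`), the verify call and the element type of `sigs`. Every later fix to the key setup or the balance check therefore has to be made twice, and the two benchmarks can drift apart unnoticed. A single class template that takes the signature type and the prove/verify functions as parameters would keep the MLSAG and CLSAG timings comparable by construction. Separately, `using namespace rct;` at file scope in a header leaks into every translation unit that includes it (main.cpp includes both headers); qualifying the names or moving the directive inside the member functions avoids that, and the same applies to sig_clsag.h.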