perf(bp): collapse aggregated verifier into single vendored MSM

.gitignore

@@ -1,4 +1,6 @@
 build/
+build-*/
+CMakePresets.json
 .DS_Store
 cmake-build-*/
 .idea/

.pre-commit-config.yaml

@@ -12,12 +12,21 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
 
+# Files under third_party/ are vendored from upstream sources and must
+# stay close to their upstream form so re-syncs apply cleanly. They are
+# excluded from style-enforcing hooks. See third_party/secp256k1-msm/
+# README.md for the vendoring policy.
+exclude: ^third_party/
+
 repos:
   # `pre-commit sample-config` default hooks
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0
     hooks:
       - id: check-added-large-files
+        # precomputed_ecmult.c is ~2.3 MB of generator table data;
+        # raise the threshold to admit vendored upstream sources.
+        args: ["--maxkb=4096"]
       - id: check-executables-have-shebangs
       - id: check-shebang-scripts-are-executable
       - id: end-of-file-fixer

CMakeLists.txt

@@ -12,6 +12,42 @@ if(NOT MSVC)
 endif()
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
 
+# --- Vendored MSM (libsecp256k1 ecmult_multi_var) ---
+# See third_party/secp256k1-msm/README.md for design rationale.
+# Self-contained vendor; not a dependency on the linked libsecp256k1
+# binary's internal types. Variable-time; verifier path only.
+add_library(
+    mpt-crypto-msm-vendor
+    OBJECT
+    third_party/secp256k1-msm/mpt_msm.c
+    third_party/secp256k1-msm/precomputed_ecmult.c
+)
+target_include_directories(
+    mpt-crypto-msm-vendor
+    PRIVATE third_party/secp256k1-msm include
+)
+target_link_libraries(mpt-crypto-msm-vendor PRIVATE secp256k1::secp256k1)
+# Rename the precomputed generator-table symbols so the vendored
+# copy never collides with the corresponding symbols inside the
+# linked libsecp256k1 binary. The vendored MSM uses these tables
+# internally; renaming via compile-time -D applies the rewrite
+# uniformly across the declaration (precomputed_ecmult.h), the
+# definition (precomputed_ecmult.c), and all use sites
+# (ecmult_impl.h, scratch_impl.h). The linked libsecp256k1
+# continues to use its own un-renamed copies; the two never meet.
+target_compile_definitions(
+    mpt-crypto-msm-vendor
+    PRIVATE
+        secp256k1_pre_g=mpt_secp256k1_pre_g
+        secp256k1_pre_g_128=mpt_secp256k1_pre_g_128
+)
+# Suppress -Wpedantic for the vendored TU: upstream libsecp256k1
+# uses extensions (variadic macros, designated initialisers, etc.)
+# that pedantic flags occasionally complain about.
+if(NOT MSVC)
+    target_compile_options(mpt-crypto-msm-vendor PRIVATE -Wno-pedantic)
+endif()
+
 # --- Define The Library ---
 add_library(
     mpt-crypto
@@ -24,6 +60,7 @@ add_library(
     src/proof_compact_clawback.c
     src/proof_compact_convertback.c
     src/utility/mpt_utility.cpp
+    $<TARGET_OBJECTS:mpt-crypto-msm-vendor>
 )
 
 # --- Set Include Directories ---

include/mpt_msm.h

@@ -0,0 +1,68 @@
+/* SPDX-License-Identifier: MIT */
+#ifndef MPT_MSM_H
+#define MPT_MSM_H
+
+#include <secp256k1.h>
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Two-profile MSM API.
+ *
+ * mpt_msm_variable_time   -- Vendored Pippenger/Straus from
+ *                            libsecp256k1 (third_party/secp256k1-msm).
+ *                            NOT constant-time. Verifier path only;
+ *                            do not call with secret scalars.
+ *
+ * mpt_msm_constant_time   -- Public-API loop (or future CT Pippenger
+ *                            variant). Safe for the prover path.
+ *
+ * The naming is deliberate: the constant-time requirement should be
+ * audit-visible at the call site. See cmpt-ct-and-batch.tex
+ * (sec:two-profile, sec:msm-options).
+ */
+
+typedef int (*mpt_msm_callback)(
+    unsigned char scalar_be32[32],
+    unsigned char point_sec1_33[33],
+    size_t idx,
+    void* data);
+
+/**
+ * @brief Variable-time multi-scalar multiplication.
+ *
+ * Computes r = inp_g_sc * G + sum_{i=0..n-1} s_i * P_i, where
+ * (s_i, P_i) is the i-th pair returned by the callback.
+ *
+ * NOT constant-time. Use only on the verifier path
+ * (no secret scalars). Routing prover-side MSMs through this
+ * entry point breaks the prover constant-time guarantee.
+ *
+ * @param ctx          libsecp256k1 context (any verify-capable context).
+ * @param r_sec1_33    Output buffer; receives the SEC1-compressed
+ *                     result point. Identity is encoded as 33 zero bytes.
+ * @param inp_g_sc_be32 Optional 32-byte big-endian scalar to multiply by
+ *                     the curve generator G; pass NULL to omit.
+ * @param cb           Callback returning the i-th (scalar, point) pair.
+ *                     Returning 0 aborts the MSM with failure.
+ * @param cbdata       Opaque pointer passed through to cb.
+ * @param n            Number of (scalar, point) pairs.
+ *
+ * @return 1 on success, 0 on failure (callback rejection or invalid input).
+ */
+SECP256K1_API int
+mpt_msm_variable_time(
+    secp256k1_context const* ctx,
+    unsigned char r_sec1_33[33],
+    unsigned char const inp_g_sc_be32[32],
+    mpt_msm_callback cb,
+    void* cbdata,
+    size_t n);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MPT_MSM_H */