Bump k256 from 0.11.6 to 0.13.0

[dependabot]

polkadot companion: paritytech/polkadot#6924
cumulus companion: paritytech/cumulus#2354

Bumps k256 from 0.11.6 to 0.13.0.

Commits

• b002c65 k256 v0.13.0 (#775)
• 5fad8f5 bp384 v0.6.0 (#774)
• f6e2674 bp256 v0.6.0 (#773)
• 3049c50 fix compactabtility check (#772)
• 195ff67 Cargo.lock: bump dependencies (#771)
• 4f5d309 Bump elliptic-curve dependency to v0.13 (#770)
• 6cde6ac Bump elliptic-curve to v0.13.0-rc.0; MSRV 1.65 (#768)
• 113f463 build(deps): bump once_cell from 1.17.0 to 1.17.1 (#766)
• 5a43e66 p224: field inversion support (#765)
• 267e3c3 p521: CurveArithmetic + PrimeCurveParams (#764)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[bkchr]

@dependabot rebase

[davxy]

@bkchr @tarcieri compared to 0.11.6, the 0.13.0 noticeably improved the perfs, especially for signing operation.

Just to recap.

• Currently we are using secp256k1 a rust wrapper around a C lib.
• Not so long ago we were using libsecp256k1 a pure rust implementation.
• We would like to switch to k256 pure rust implementation as soon as the perfs are fairly close to secp256k1.

Some numbers from criterion benches (https://github.com/davxy/crypto-benches/tree/main/ecdsa)

Signing

* rust-crypto (0.11.6)    [74.929 µs 74.966 µs 75.011 µs]
* rust-crypto (0.13.0)    [41.314 µs 41.320 µs 41.329 µs]
* secp256k1               [27.813 µs 27.829 µs 27.846 µs] 
* libsecp256k1            [95.844 µs 95.853 µs 95.864 µs]

Verification

* rust-crypto (0.11.6)   [99.389 µs 99.421 µs 99.459 µs]
* rust-crypto (0.13.0)   [88.997 µs 89.014 µs 89.032 µs]    
* secp256k1              [31.669 µs 31.697 µs 31.747 µs]
* libsecp256k1           [137.86 µs 137.93 µs 137.99 µs]

Conclusions

As can be seen secp256k1 is still the faster but the gap is not so huge, especially with respect to signing operation.

It would be awesome if we could squeeze the perfs a bit more wrt verification the IMO we can start using k256 all over the place

[bkchr]

@davxy could you create the companions? 🙈

[davxy]

bot merge

[paritytech-processbot]

Error: "Check reviews" status is not passing for paritytech/cumulus#2354

[davxy]

bot merge

[paritytech-processbot]

Waiting for commit status.

[paritytech-processbot]

Merge cancelled due to error. Error: Github API says paritytech/polkadot#6924 is not mergeable

[tarcieri]

It would be awesome if we could squeeze the perfs a bit more wrt verification the IMO we can start using k256 all over the place

@davxy we do have plans to improve verification in the next release. Several aspects of verification still operate in constant-time (which is a reasonable place to start when reusing code for both signing and verification).

In v0.13 we started using variable-time inversions for verification which slightly improved performance. In the next release we'd like to move to the generic implementation of wNAF provided by the group crate (already a dependency). There's some initial work here:

https://github.com/RustCrypto/elliptic-curves/pull/708/files

Unfortunately we need some upstream changes to the group crate first:

zkcrypto/group#46

[davxy]

bot merge

[gilescope]

The pure rust versions have the added advantage that they compile.