Signed-digit multi-comb ecmult_gen algorithm #1057
Conversation
Just out of curiosity, some perf. numbers (best Min of 3
("experimental" is this PR plus the other PRs for normalize, group formulae, and the "vector" modinv).
This introduces a new secp256k1_scalar_half function which multiplies a scalar with the multiplicative inverse of 2 (modulo order).
Instead of having the starting point of the ecmult_gen computation be offset, do it with the final point. This enables reasoning over the set of points reachable in intermediary computations, which can be leveraged by potential future optimization. Because the final point is in affine coordinates, its projective blinding is no longer possible. It will be reintroduced again in a different way, in a later commit. Also introduce some more comments and more descriptive names.
@peterdettman Care to redo benchmarks for the latest commit (I've removed the incomplete comb optimization, and re-added the uint32_t[9] recoded approach)?
These were the best min I got (running the benchmark thrice) on my machine (64-bit, i7-8750H).
Updated perf. numbers (-O3, best Min of 3
("experimental" is this PR plus the other PRs for normalize, group formulae, and the "vector" modinv). So this looks just slightly slower than before, but perfectly fine if we are merge-focused. We can go hunting the extra 2% once we've booked the 20%.
This introduces the signed-digit multi-comb multiplication algorithm for constant-time G multiplications (ecmult_gen). It is based on section 3.3 of "Fast and compact elliptic-curve cryptography" by Mike Hamburg (see https://eprint.iacr.org/2012/309). Original implementation by Peter Dettman, with changes by Pieter Wuille to use scalars for recoding, and additional comments.
It is unnecessary to recompute the 2^COMB_BITS-1 scalar offset needed by the SDMC algorithm for every multiplication; move it into the context scalar_offset value instead.
The existing code needs to deal with the edge case that bit_pos >= 256, which would lead to an out-of-bounds read from secp256k1_scalar. Instead, recode the scalar into an array of uint32_t with enough zero padding at the end to alleviate the issue. This also simplifies the code, and is necessary for a security improvement in a follow-up commit. Original code by Peter Dettman, with modifications by Pieter Wuille.
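The following toy program is an added illustration of the ideas in the commits above (the signed-digit multi-comb recoding, the `scalar_half` step, the precomputed `2^COMB_BITS - 1` offset, and the zero-padded recoded array); it is not code from this PR or from libsecp256k1. Everything in it is constructed for the demonstration: the "group" is the integers mod a small odd order under addition (so `k*G` can be checked directly), the scalar is 3 eight-bit limbs, and the comb deliberately spans more bits (30) than the scalar holds (24), which is the same situation as `bit_pos >= 256` in the real code. Unlike the library, the lookup and negation here use ordinary branches rather than constant-time selection.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy parameters, constructed for illustration only. libsecp256k1 works on
 * a 256-bit scalar in uint32_t limbs with a far larger comb; here the scalar
 * is 3 x 8-bit limbs and the comb spans 30 bits, so comb bit positions exceed
 * the scalar's 24 bits, the edge case that the padded recoding removes. */
#define ORDER        1000003u   /* odd (prime) toy group order, < 2^20 */
#define SCALAR_LIMBS 3          /* scalar = 3 x 8-bit limbs = 24 bits */
#define COMB_BLOCKS  2
#define COMB_TEETH   3
#define COMB_SPACING 5
#define COMB_BITS    (COMB_BLOCKS * COMB_TEETH * COMB_SPACING)  /* 30 */
#define COMB_BYTES   ((COMB_BITS + 7) / 8)                      /* 4 > SCALAR_LIMBS */
#define TABLE_SIZE   (1u << (COMB_TEETH - 1))                   /* sign of tooth 0 is fixed */

/* Stand-in group: integers mod ORDER under addition, with G = 7. "Point addition"
 * is modular addition, so k*G is k*7 mod ORDER and every result can be checked. */
typedef uint32_t point;
#define G 7u

static point pt_add(point a, point b) { return (point)(((uint64_t)a + b) % ORDER); }
static point pt_neg(point a) { return a ? ORDER - a : 0; }
static point pt_mul(uint32_t k, point p) { return (point)(((uint64_t)k * p) % ORDER); }

/* 2^e * G by repeated doubling (used only for table precomputation). */
static point pow2_G(unsigned e) { point p = G; while (e--) p = pt_add(p, p); return p; }

/* Multiply by the inverse of 2 mod ORDER (ORDER odd), the idea behind secp256k1_scalar_half:
 * even x -> x/2, odd x -> (x + ORDER)/2. */
static uint32_t scalar_half(uint32_t x) {
    return (x & 1) ? (uint32_t)(((uint64_t)x + ORDER) / 2) : x / 2;
}

/* The constant 2^COMB_BITS - 1 (mod ORDER): computed once and kept, as the context's scalar_offset. */
static uint32_t scalar_offset(void) { return (uint32_t)(((1ull << COMB_BITS) - 1) % ORDER); }

/* Recode d into d' = (d + 2^COMB_BITS - 1) / 2 mod ORDER, stored as COMB_BYTES little-endian
 * bytes. Bytes beyond the scalar's limbs are explicit zero padding, so every bit position
 * below COMB_BITS can be read without indexing past the scalar. */
static void recode(uint32_t d, uint8_t rec[COMB_BYTES]) {
    uint32_t dp = scalar_half((uint32_t)(((uint64_t)d + scalar_offset()) % ORDER));
    for (unsigned i = 0; i < COMB_BYTES; i++)
        rec[i] = i < SCALAR_LIMBS ? (uint8_t)(dp >> (8 * i)) : 0;
}
static unsigned recoded_bit(const uint8_t *rec, unsigned pos) { return (rec[pos >> 3] >> (pos & 7)) & 1; }

/* table[b][idx] = sum over teeth t of s_t * 2^(b*TEETH*SPACING + t*SPACING) * G, with s_0 = +1
 * and s_t = +1 if bit (t-1) of idx is set, else -1. Patterns whose tooth 0 is negative are
 * produced at runtime by negating the complementary entry, halving the table. */
static point table[COMB_BLOCKS][TABLE_SIZE];
static void build_table(void) {
    for (unsigned b = 0; b < COMB_BLOCKS; b++)
        for (unsigned idx = 0; idx < TABLE_SIZE; idx++) {
            point v = 0;
            for (unsigned t = 0; t < COMB_TEETH; t++) {
                point p = pow2_G(b * COMB_TEETH * COMB_SPACING + t * COMB_SPACING);
                int positive = t == 0 || ((idx >> (t - 1)) & 1);
                v = pt_add(v, positive ? p : pt_neg(p));
            }
            table[b][idx] = v;
        }
}

/* Signed-digit multi-comb: each bit b_i of d' contributes (2*b_i - 1) * 2^i * G, and
 * sum_i (2*b_i - 1) * 2^i = 2*d' - (2^COMB_BITS - 1) = d (mod ORDER). Padding bits
 * (always 0) contribute -2^i and are accounted for by the offset. */
static point ecmult_gen(uint32_t d) {
    uint8_t rec[COMB_BYTES];
    point acc = 0;
    build_table();
    recode(d, rec);
    for (int i = COMB_SPACING - 1; i >= 0; i--) {
        acc = pt_add(acc, acc);                         /* double */
        for (unsigned b = 0; b < COMB_BLOCKS; b++) {
            unsigned bits = 0, t;
            for (t = 0; t < COMB_TEETH; t++)
                bits |= recoded_bit(rec, b * COMB_TEETH * COMB_SPACING + t * COMB_SPACING + i) << t;
            unsigned sign = bits & 1;                   /* tooth 0 decides add vs. subtract */
            unsigned idx = ((sign ? bits : ~bits) >> 1) & (TABLE_SIZE - 1);
            point e = table[b][idx];
            /* The library selects the entry and negates in constant time; this toy branches. */
            acc = pt_add(acc, sign ? e : pt_neg(e));
        }
    }
    return acc;
}

/* Cross-check against the direct k*G available in the toy group. */
static int check_ecmult_gen(uint32_t d) { return ecmult_gen(d) == pt_mul(d, G); }

int main(void) {
    uint32_t samples[] = { 0, 1, 2, 123456, 999999, ORDER - 1 };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("d=%7u  comb=%7u  direct=%7u  %s\n", samples[i], ecmult_gen(samples[i]),
               pt_mul(samples[i], G), check_ecmult_gen(samples[i]) ? "ok" : "MISMATCH");
    return 0;
}
```

The point to take from the toy is structural: the comb loop reads bit positions 24 through 29 even though the scalar has only 24 bits, and it does so safely only because `recode` writes into a separately sized, zero-padded buffer rather than into the scalar's own limbs. The table has `2^(TEETH-1)` entries per block rather than `2^TEETH` because the sign of tooth 0 is folded into a conditional negation at lookup time.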
Restarting this in a new PR to avoid the WIP discussion: #1058.
A third iteration of the signed-digit multi-comb ecmult_gen algorithm (earlier attempts: #693, and #546 by Peter Dettman). Short summary:
Compared with the previous PR #693: