Effectively affine precomp A for _ecmult without inversion! #171
Conversation
|
It intutively makes sense to me. This is quite awesome. I'd already thought about using an isogenous projection for blinding (having seen it mentioned in a list of blinding techinues)-- but doing scalar blinding seems more interesting for most of our need for blinding, never would have thought of it for this. Darn ECDSA: With schnorr this would make our verification completely inversion free. |
|
Perhaps a better reference: http://joye.site88.net/papers/JT01edpa.pdf @gmaxwell Im still a bit giddy that this works so well. I had the z-ratio trick and the isomorphism stuff in mind for a while, and yesterday it just gelled for me. I wasn't quite sure how it would work out , but I coded it up and... 1M per G add? Awesome, indeed. I actually now think it will work fine for a!=0 curves too, using "modified Jacobian" coordinates to avoid increasing the cost of doubling. Why not both scalar and point blinding? Simple point blinding amounts to just an extra 2M per scalar mult, assuming the G precomp points have been moved to some random curve isomorphism in setup. |
Not unresonable, just updating the point bilinding takes a fair amount more computation and we already have the unknown-discrete-log blinding. I'm all for implementing all reasonably simple, reasonably fast countermeasures for the secret data handling cases. Though actual immunity to things like high resolution power sidechannel analysis seem hopeless on general purposes computers, thats no reason to make an attacker's life easier. |
peterdettman
force-pushed
the
ecmult-coz
branch
from
aaa8b73 to
b9dd72f
Compare
|
This is just awesome. It seems we're around 8% slower than Ed25519 here with it (without using GLV, with gmp). I'm going to play around with the math, try to see if I can derive that it's correct :) |
|
FYI, I managed to apply this same technique to a P-521 random-base-mult implementation (http://indigo.ie/~mscott/ws521.cpp), with a similar ~8% performance boost. That curve has a==-3, which has to be scaled for the isomorphism, so to retain doubling performance (3M+5S) the formula has to be changed to a modified-Jacobian scheme. The adds (104) then cost 7M+6S instead of 11M+5S. This saving is offset by (4M+S) per precomputed point (15) to make them "co-Z". So we can tentatively conclude that this is applicable to any short Weierstrass form curve, with (only) a==0 being particularly efficient. I don't know enough about other curve forms to comment yet. The question arises whether the scheme can still be used for general (aP + bQ + cR + ...), and indeed I see no fundamental obstacle, just an extra few steps involved in the precomputation to arrange for all precomp-tables to be globally co-Z. |
- Selected Co-Z formulas from "Scalar Multiplication on Weierstraß Elliptic Curves from Co-Z Arithmetic" (Goundar, Joye, et. al.) added as group methods with new type sep256k1_coz_t. - Co-Z methods used for A and G point precomputations. - WINDOW_A size increased to 6 since the precomputation is much faster per-point. - DBLU cost: 3M+4S, ZADDU cost: 5M+2S. - Take advantage of z-ratios from Co-Z to speed up table inversion.
peterdettman
force-pushed
the
ecmult-coz
branch
from
b9dd72f to
7d3e82f
Compare
|
I'm going to add some comments and unit tests on top of this, if you're done making changes. |
|
See rebased/refactored version in #210. |
Anyway, the upshot of this is an ~5% performance improvement for bench_verify (64bit, endo=yes), over and above the Co-Z precomputation itself, so >8% total vs master. Rough math suggests it's saving ~116M vs the Co-Z arithmetic PR, which appears to make any inversion approach obsolete.
Questions welcome, as I'm not sure how to explain this in a straight-forward way (as far as I know this is a novel idea). I guess it's important to understand why the isogeny works out so neatly; it's a rather nice property of secp256k1 that stems from it having a==0 in the curve equation; otherwise, operating on an isogenous curve would require changes to the doubling formula. I recommend e.g. http://joye.site88.net/papers/TJ10coordblind.pdf, where this is discussed in the context of blinding (which reminds me I was meaning to PR a demo of that), albeit the a==0 case is not explicitly called out. It may be easier just to think of it as playing games with the z values...
EDIT: I'll leave it as I wrote it, but I think the above should be talking about isomorphisms rather than isogenies.