Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Co-Z based precomputation (by Peter Dettman) #211

Closed
wants to merge 3 commits into from

Conversation

sipa
Copy link
Contributor

@sipa sipa commented Feb 11, 2015

Refactored version of Co-Z code from #41 and #174.

Builds on top of #210.

@sipa
Copy link
Contributor Author

sipa commented Mar 2, 2015

Rebased.

@sipa
Copy link
Contributor Author

sipa commented Mar 3, 2015

This gives a 2.0-2.3% speedup for verification on top of #210.

@sipa sipa force-pushed the coz branch 2 times, most recently from 8eeb7c8 to bdf8b99 Compare March 29, 2015 21:43
@sipa sipa force-pushed the coz branch 2 times, most recently from 77bfd71 to abacebe Compare April 12, 2015 09:25
@sipa
Copy link
Contributor Author

sipa commented Apr 23, 2015

Rebased.

@peterdettman
Copy link
Contributor

A brief recap regarding novelty of this idea. Short version: this is not novel (but it's still pretty cool).

Boring version: I learnt about the Co-Z formulae from several papers, of which http://joye.site88.net/papers/GJMRV11regpm.pdf may be taken as representative, and which in turn usually referenced papers of Meloni. At some point I realized it could be applied usefully to the pre-computation of a table of odd multiples, and duly implemented a rough version. Actually it was fairly fast, so I became curious what was the fastest known method for that pre-computation. A literature research turned up https://eprint.iacr.org/2008/051, which upon further investigation, turned out to describe essentially the same approach (explicitly mentioning Meloni's formulae), giving one scheme with the same cost as ours, and a second one that improved on that further. I subsequently implemented the second scheme, although that modification is not yet in any PR (and the effect is small).

typedef struct {
secp256k1_fe_t x; /* actual X: x/z^2 (z implied) */
secp256k1_fe_t y; /* actual Y: y/z^3 (z implied) */
} secp256k1_coz_t;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any benefit to adding an #ifdef VERIFY z coordinate, then VERIFY_CHECKing in secp256k1_coz_zaddu_var that ra is actually co-Z with b?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that makes perfect sense.

@sipa
Copy link
Contributor Author

sipa commented May 1, 2015

Added the consistency check that @apoelstra suggested.

@gmaxwell
Copy link
Contributor

gmaxwell commented May 2, 2015

Please also add an explicit citation to the Meloni publicaiton for the co-z formula (the cite is in Longa/Miri 2008)

peterdettman and others added 2 commits September 22, 2015 21:40
- Selected Co-Z formulas from "Scalar Multiplication on Weierstraß Elliptic Curves from Co-Z Arithmetic" (Goundar, Joye, et. al.) added as group methods with new type sep256k1_coz_t.
- Co-Z methods used for A and G point precomputations.
- DBLU cost: 3M+4S, ZADDU cost: 5M+2S.

Original idea and code by Peter Dettman. Refactored by Pieter Wuille.
@sipa
Copy link
Contributor Author

sipa commented Sep 22, 2015

Rebased.

@gmaxwell
Copy link
Contributor

gmaxwell commented Jun 6, 2017

needs rebase

@sipa sipa closed this May 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants