Co-Z based precomputation (by Peter Dettman) #211
Conversation
sipa
force-pushed
the
coz
branch
2 times, most recently
from
765cbcf
to
a581e64
Compare
|
Rebased. |
|
This gives a 2.0-2.3% speedup for verification on top of #210. |
sipa
force-pushed
the
coz
branch
2 times, most recently
from
8eeb7c8
to
bdf8b99
Compare
sipa
force-pushed
the
coz
branch
2 times, most recently
from
77bfd71
to
abacebe
Compare
|
Rebased. |
|
A brief recap regarding novelty of this idea. Short version: this is not novel (but it's still pretty cool). Boring version: I learnt about the Co-Z formulae from several papers, of which http://joye.site88.net/papers/GJMRV11regpm.pdf may be taken as representative, and which in turn usually referenced papers of Meloni. At some point I realized it could be applied usefully to the pre-computation of a table of odd multiples, and duly implemented a rough version. Actually it was fairly fast, so I became curious what was the fastest known method for that pre-computation. A literature research turned up https://eprint.iacr.org/2008/051, which upon further investigation, turned out to describe essentially the same approach (explicitly mentioning Meloni's formulae), giving one scheme with the same cost as ours, and a second one that improved on that further. I subsequently implemented the second scheme, although that modification is not yet in any PR (and the effect is small). |
| typedef struct { | ||
| secp256k1_fe_t x; /* actual X: x/z^2 (z implied) */ | ||
| secp256k1_fe_t y; /* actual Y: y/z^3 (z implied) */ | ||
| } secp256k1_coz_t; |
There was a problem hiding this comment.
Is there any benefit to adding an #ifdef VERIFY z coordinate, then VERIFY_CHECKing in secp256k1_coz_zaddu_var that ra is actually co-Z with b?
There was a problem hiding this comment.
I think that makes perfect sense.
|
Added the consistency check that @apoelstra suggested. |
|
Please also add an explicit citation to the Meloni publicaiton for the co-z formula (the cite is in Longa/Miri 2008) |
- Selected Co-Z formulas from "Scalar Multiplication on Weierstraß Elliptic Curves from Co-Z Arithmetic" (Goundar, Joye, et. al.) added as group methods with new type sep256k1_coz_t. - Co-Z methods used for A and G point precomputations. - DBLU cost: 3M+4S, ZADDU cost: 5M+2S. Original idea and code by Peter Dettman. Refactored by Pieter Wuille.
|
Rebased. |
|
needs rebase |
Refactored version of Co-Z code from #41 and #174.
Builds on top of #210.