Faster operations on the elliptical curve exponent by using nfield instead of big.Int #621
Conversation
|
Very nice! Thanks a ton for working on this. It's obviously going to take a lot of careful review and there are some Travis issues to take care of, but it will be nice to get this in not only for the speed up, but also because we can stop relying on the math/big package which has been rather buggy. |
|
Review status: 0 of 8 files reviewed at latest revision, 1 unresolved discussion, some commit checks failed. btcec/nfield.go, line 156 [r1] (raw file): Comments from the review on Reviewable.io |
|
@davecgh any update on this? |
|
rebase please |
|
I am wonder if it would useful for the big.Ints mode to be available to run in tandem with the field elements mode for testing and verification of results. |
btcec/nfield.go
Outdated
| // http://cacr.uwaterloo.ca/hac/ | ||
|
|
||
| // All elliptic curve operations for secp256k1 are done in a finite field | ||
| // characterized by a 256-bit prime. Given this precision is larger than the |
There was a problem hiding this comment.
These comments need to be updated to reflect reality. This is implementing modular arithmetic on the order of the curve as opposed to the prime.
|
There are several issues reported by Travis that need to be resolved before this can be merged as well: |
| S *big.Int | ||
| R *nfieldVal | ||
| S *nfieldVal | ||
| SNegPad bool |
There was a problem hiding this comment.
This is a test-specific thing and shouldn't be part of the struct that non-test code has to use.
There was a problem hiding this comment.
@davecgh SNegPad is used in several places below (non-test code).
Specifically, SNegPad is there so that we can reproduce the binary signature from two nfieldVals that are now in Signature. There's no other way to know if there's a negative padding for S otherwise as nfieldVal simply doesn't have that as part of the structure.
jimmysong
force-pushed
the
nfield
branch
2 times, most recently
from
8f7e75a
to
2c29c25
Compare
This changeset makes a bunch of operations on the secp256k1 curve fa Preliminary indications are that there's about a 20% speed increase
|
rebased, have addressed some of the comments. will put on my todo list. This is a time-consuming PR to put into mind again. I can't promise this will be there that soon. |
|
@jimmysong: Thanks. If you would prefer, I can take this over and drive it to completion. I will of course leave your name on the commit and give you the opportunity to review any modifications I might make. |
|
@davecgh I would like that very much. It'll be easier for me to review than to code right now. |
|
I tried to sync testnet with this PR and got this: |
|
@stevenroose: Thanks for pasting results. I haven't been able to go over this in great detail yet, so that will be handy to track down the issue when I eventually get to it. |
|
@davecgh I wanted to fix some of the remarks you made on the code in order to get this PR included. It seems like it could be a good performance bonus. I figured you'd walk into the same issue yourself anyway, though. I wondered how one would go about making a tree of if-blocks like this one into a constant-time implementation.. I tried, but the double if's at the end make it really messy. |
|
@stevenroose: You'd need to convert them to a series of bit manipulations with addition and/or subtraction as necessary to ensure that there are no differences in the branches (at least as much as possible, there is no way to full guarantee what the CPU will do even if the assembler is using constant time bitwise ops, but you still want to give it the best possible chance and in practice bitwise ops are the best bet for that) . For example, consider the constant time implementation of bits := f.n[0] | f.n[1] | f.n[2] | f.n[3] | f.n[4] | f.n[5] | f.n[6] | f.n[7] | f.n[8] | f.n[9]
return bits == 0Now compare that against the typical implementation that is not constant time: return f.n[0] == 0 && f.n[1] == 0 && ... f.n[9] == 0That will short circuit and return on the first non-zero word that is encountered, so different values will result in a different running time. This is easy to see when looking at the generated assembler since it will employ a bunch of "jump if equal" comparison branches. |
|
Just out of curiosity, where is the limit? |
|
I took a turn at resolving the rest of the comments and rebased - changes here. To aid in some of the constant time calculations I introduced a little library following crypto/subtle for uint32. I would appreciate any feedback - I talked to @jimmysong elsewhere and hope to get his approval on my changes soon to move this PR along. |
|
Also - in response to @stevenroose , I think that an effort to use crypto/subtle in place of any branching to avoid timing attacks based on branch prediction would be good for this repo. To check in on the relative performance of this approach I made a little example repo benchmarking the crypto/subtle functions against their branching counterparts. For all but equality checks there is no measurable performance cost to using functions like in crypto/subtle in place of built-in comparisons with equal-time branches. I will recommend we convert some other constant time function to use these tools in another issue. |
|
Any update here? |
|
Btcd was abandoned by the original authors as they went off to make an altcoin. Safe to say this feature is abandoned. |
|
@kcalvinalvin as far as I can tell @Roasbeef is still active as of November. Decred split off a while ago |
|
@jcvernaleo (as per #1530)
|
No description provided.