Skip to content

Perf: Add-only emulated scalar multiplication #726

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
yelhousni merged 7 commits into from
Jul 4, 2023
Merged

Perf: Add-only emulated scalar multiplication #726

yelhousni merged 7 commits into from
Jul 4, 2023

Conversation

@yelhousni
Copy link
Contributor

@yelhousni yelhousni commented Jun 16, 2023
edited
Loading

I was trying to have a ScalarMul() circuit with only additions and no doublings. Ultimately, I could make the circuit work with less constraints than the previous right-to-left double-and-add circuit. So I looked in the literature to check if it was previously known and I found that Marc Joye of course did it in 2007 😅
So this PR corresponds actually to Alg.2 of [CHES:Joye07] with some tweaks to make it work efficiently in-circuit:

  • select-logic with an additional register;
  • isolate first iteration and use [ELM02] triple() method;
  • isolate last iteration and discard R1 and R2 computations.

Now when we use this new method in precompiles it saves:

  • ECRECOVER:
    • 17 609 r1cs
    • 111 590 scs
  • ECMUL:
    • 22 997 r1cs
    • 124 945 scs

P.S.: We can ditch the old ScalarMul() and replace it with the new ScalarMulAddOnly() once the PR is reviewed.

@yelhousni yelhousni added type: perf dep: linea Issues affecting Linea downstream labels Jun 16, 2023
@yelhousni yelhousni added this to the v0.9.0 milestone Jun 16, 2023
@yelhousni yelhousni requested a review from ivokub June 16, 2023 15:42
ivokub
ivokub approved these changes Jun 23, 2023
View reviewed changes
Copy link
Collaborator

@ivokub ivokub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The table-free windowubg in JointScalarMulBase was difficult to follow but seems correct (two selects in a row thing...).

I'm not sure about name ScalarMulAddOnly, but really cannot suggest anything more succincit (maybe ScalarMulWithAdds, but it still is very long).

@ivokub
Copy link
Collaborator

ivokub commented Jun 23, 2023

The table-free windowubg in JointScalarMulBase was difficult to follow but seems correct (two selects in a row thing...).

I'm not sure about name ScalarMulAddOnly, but really cannot suggest anything more succincit (maybe ScalarMulWithAdds, but it still is very long).

Oh, we can ditch old ScalarMul and replace with it. Yup, makes also sense. But leave it in comments just in case, maybe is useful in the future, so is good to have close :)

@yelhousni yelhousni merged commit 5f2979f into develop Jul 4, 2023
@yelhousni yelhousni deleted the emulated/scalarMul branch July 4, 2023 11:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ivokub ivokub ivokub approved these changes

Assignees

No one assigned

Labels

dep: linea Issues affecting Linea downstream type: perf

Projects

None yet

Milestone

v0.9.0

Development

Successfully merging this pull request may close these issues.

3 participants

@yelhousni @ivokub