-
Notifications
You must be signed in to change notification settings - Fork 193
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New arithmetic for k256 #59
Conversation
A couple options:
|
Looks like some recent changes to Overall this looks exciting! |
Sure, I'm doing some abstracting now, will rebase after. |
1bda801
to
8b38257
Compare
Sorry for a bit of a delay on this. I was playing with endomorphism-based multiplication from the original libsecp256k1, but the code related to it is quite large in size and very convoluted, so it is better left for the next PR. For now I'll settle for a simple fixed-window multiplication (which is still an almost 2x improvement over the previous double-and-add) and limit this PR to scalar arithmetic. |
@tarcieri I added the |
My suggestion was to add a #[cfg(nightly)] |
For some reason it doesn't work for me. The marked functions/imports are picked neither in a
|
Hmm, that's unfortunate. I think a better option in general would be finding a way to make it work with criterion, which in addition to working on stable provides a much better benchmarking tool in general. |
I see. I guess I'll just scrap the benchmark in the final version then. |
Sounds good for now. We can explore adding an |
Not sure why the codecov check is failing, but regardless, don't worry about it |
No worries, seems like a small change anyway. I know I've been taking some time with this PR, but I'm really hoping to get it ready for review this weekend. |
@fjarri fantastic! I can keep working off your WIP branch in the meantime. Also: do you plan on adding scalar inversions? It looks like you have most of the prerequisites in place. (Edit: for a PoC I tried gluing together @nickray's scalar inversions from #57 together with this branch's u64x4 backend in #68) |
@tarcieri , uhh, I just realized you merged some of my commits to upstream. I was intending to squash them, they're quite unkempt, but I guess it's too late now... |
Also, I added an addition-chain based inversion for scalars, which should be faster than a generic vartime power. |
Ah, my bad, I'm going to do some squashing then. |
Another small change you might consider making (or otherwise I can) is wiring up the https://github.com/RustCrypto/elliptic-curves/blob/42dcac1/k256/src/arithmetic.rs#L519-L535 |
708289b
to
391800c
Compare
Use only to/from bytes, remove to/from words
17f35ce
to
09f240d
Compare
Codecov Report
@@ Coverage Diff @@
## master #59 +/- ##
===========================================
- Coverage 81.50% 56.82% -24.68%
===========================================
Files 12 18 +6
Lines 1395 2965 +1570
===========================================
+ Hits 1137 1685 +548
- Misses 258 1280 +1022
Continue to review full report at Codecov.
|
@fjarri I'd say this is ready to merge unless there are any objections (would definitely like to use this ASAP) Normally we use GitHub's "Squash and Merge" however if you'd like me to preserve the commit history here (or squash it yourself) you can. |
Squash and merge sounds good to me. Please give me until the end of the day before merging, I just want to add a bit more comments. |
@fjarri regarding the Notably it can also be made constant time by always generating a fixed number of samples. The probability of a non-biased RNG generating multiple consecutive candidates which are out of range vanishes rather quickly (after ~4 candidates). Whether that's actually worthwhile seems to be a matter of debate. For now I think it's fine to leave as-is. |
This PR made the following dependency changes: Added Packages (Duplicate versions in '()'):
num-bigint 0.3.0
num-integer 0.1.43
Removed Packages (Remaining versions in '()'):
fiat-crypto 0.1.5
|
Ok, I think it's ready now. I exposed both |
Merged! 🎉 Thanks so much! |
Hey, y'all! Sorry I didn't see these mentions (GitHub notifications don't exactly pull my attention anymore 😅), but it sounds like y'all figured it out anyway. This PR looks great @fjarri. Excited to build on this for sure! |
In my professional opinion that is the best way to do it. It's what we use in Zcash for RedDSA signatures. There is no reason to worry about a ~2-256 bias in any plausible cryptographic context. I think there's no reason to use a name like |
Interesting article on rejection sampling vs modular reduction for randomly generating in-range values with a uniform distribution. The conclusion was interesting: why not both? |
This PR implements "lazy reduction" arithmetic for SECP256k1, based on libsecp256k1.
(Disclaimer: this is my first non-trivial piece of Rust code. Don't hesitate to point out my mistakes).
num-bigint
as a reference)More advanced multiplication routines (wNAF, endomorphism, batch multiplication) will not be included in this PR — it has too much stuff already. Even the windowed multiplication already gives a good performance boost. As compared to the baseline performance, I currently see an almost 3x speedup (300us vs 106us per mul).
The old Montgomery field can be enabled with
field-montgomery
, 32-bit fields & scalars on a 64-bit target can be enabled withforce-32-bit
.