scalar mul: consider using incomplete addition/doubling #76
Labels
constant time ⏳
Enhancement is suitable for secret data
correctness 🛂
performance 🏁
question ❓
Further information is requested
Comments
mratsim
added
question ❓
Merged
|
The complete formulas are actually quite efficient (12M while Jacobian is 11M+5S) and the main overhead is the large number of addition (24A). On G2 this can be accelerated 2x by having parallel additions, one chain using ADCX and the other using ADOX. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In scalar multiplication we use the complete formula from
Joost Renes and Craig Costello and Lejla Batina, 2015
https://eprint.iacr.org/2015/1060
to handle the infinity point, or adding P or its opposite to itself in a constant-time fashion.
However infinity can be checked and conditionally copied at the end instead of paying that cost each doubling/addition
and my intuition is that adding P/-P to itself is not possible in a scalar multiplication context (proof?).
From the paper, the complete formula carry a 40% overhead hence we might be able to significantly increase signing speed if those assumptions hold.
The text was updated successfully, but these errors were encountered: