Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expose and use precomputation tables for commitment generators #135

Closed
AaronFeickert opened this issue Oct 4, 2022 · 3 comments · Fixed by #136
Closed

Expose and use precomputation tables for commitment generators #135

AaronFeickert opened this issue Oct 4, 2022 · 3 comments · Fixed by #136

Comments

@AaronFeickert
Copy link
Contributor

AaronFeickert commented Oct 4, 2022
edited

Precomputation tables for fixed generators, like those used in commitments and public keys, can provide significant relative performance benefits in scalar-group multiplication operations. The "default" group generator G already has a table hardcoded in the curve library, and the API allows you to generate tables for any group element you wish. Aside from using tables for function-based operations like commitments, it may additionally be useful to expose references to these tables for higher-level protocol operations (like commitment signatures) that handle their own scalar-group multiplications.

An unfortunate downside of the dalek API is that it handles scalar-group multiplication precomputation differently than for multiscalar multiplication operations, and the latter is quite inflexible. There are a few options for how to handle these limitations, some of which might necessitate a custom fork of the curve library to expose some of the guts of the implementation.

For reference, local benchmarks suggest a 60% performance gain for generating a Pedersen commitment with the use of precomputation tables for both generators, relative to the use of constant-time multiscalar multiplication with no tables.
@AaronFeickert
Copy link
Contributor Author

One option for this could be to generate precomputation tables dynamically when a PedersenCommitmentFactory is created. However, this breaks the "it's cheap to create factories" guideline implied in the code comments.

Another option is to generate precomputation tables statically along with NUMS points. Most of them won't be used, however.

A middle ground could be statically creating only the standard H point's table with the NUMS points. Then creation of a PedersenCommitmentFactory could store references to it and the standard G point's table in the default case, or generate new tables in the non-default case. This would make the default case efficient even if the factory is created multiple times.

@hansieodendaal
Copy link
Contributor

AaronFeickert@5d0aa49

@AaronFeickert
Copy link
Contributor Author

AaronFeickert@5d0aa49

This is just a first attempt, and is probably not the best way to approach the issue. Comments and suggestions welcome!

@AaronFeickert AaronFeickert mentioned this issue Oct 11, 2022
Merged
stringhandler pushed a commit that referenced this issue Oct 25, 2022
@AaronFeickert
feat: use precomputation for default commitments (#136)
acdcee6 
This work adds precomputation support for Pedersen commitments that use a provided generator. Basepoint tables are created via `lazy_static` alongside the generators themselves. When computing a commitment using the default generators, the corresponding tables are used. Commitments using any other generators are unchanged.

Closes [issue #135](#135).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Tari Esme Testnet
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: use precomputation for default commitments AaronFeickert/tari-crypto
2 participants
@hansieodendaal @AaronFeickert