Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiplication-only lambda splitter without bignum #127

Merged
merged 3 commits into from
Dec 3, 2014
Merged

Multiplication-only lambda splitter without bignum #127

merged 3 commits into from
Dec 3, 2014

Conversation

sipa
Copy link
Contributor

@sipa sipa commented Dec 1, 2014

This contains a rebased version of @peterdettman's #21 (to account for the move of lambda splitting from group to scalar, and avoiding secp256k1_num_get_bit which got removed), and then simplifies it to a pure scalar-based version.

Gives around a 0.8% speedup on --enable-endomorphism CFLAGS=-O3, and enables the endomorphism optimization without using GMP (with a 28% performance hit).

@gmaxwell
Copy link
Contributor

gmaxwell commented Dec 2, 2014

Did you measure what it did to the Linf norm of the split numbers?

sipa and others added 3 commits December 2, 2014 16:50
@sipa
Add secp256k1_scalar_mul_shift_var
ff8746d
@peterdettman @sipa
Avoid division when decomposing scalars
cc604e9 
- In secp256k1_gej_split_exp, there are two divisions used. Since the denominator is a constant known at compile-time, each can be replaced by a multiplication followed by a right-shift (and rounding).
- Add the constants g1, g2 for this purpose and rewrite secp256k1_scalar_split_lambda_var accordingly.
- Remove secp256k1_num_div since no longer used

Rebased-by: Pieter Wuille
@sipa
Convert lambda splitter to pure scalar code.
c35ff1e 
This enables the use of the endomorphism optimization without bignum.
@sipa
Copy link
Contributor Author

sipa commented Dec 2, 2014

Rebased.

@gmaxwell Going to look at that now.

@sipa
Copy link
Contributor Author

sipa commented Dec 2, 2014

@gmaxwell: did 1000000 iterations using randomized ECDSA verifications, for each computing max(bits(wnaf(na_1)),bits(wnaf(na_lam))), and computing the quadratic average over those 1000000 max'es (to punish worst cases a bit stronger).
Before this pull: 126.51001458
After this pull: 126.51001359

Both were done with the same sequence of verifications.

@gmaxwell
Copy link
Contributor

gmaxwell commented Dec 2, 2014

Darn, ... :) I was hoping that was why the improvement was so small.

@sipa
Copy link
Contributor Author

sipa commented Dec 2, 2014

Normal linear averages: 127.501717 and 126.501716. Probably exactly 1 case in 1000000 where it's one less.

@gmaxwell
Copy link
Contributor

gmaxwell commented Dec 3, 2014

ACK.

@sipa sipa merged commit c35ff1e into bitcoin-core:master Dec 3, 2014
sipa added a commit that referenced this pull request Dec 3, 2014
@sipa
Merge pull request #127
d5e8362 
c35ff1e Convert lambda splitter to pure scalar code. (Pieter Wuille)
cc604e9 Avoid division when decomposing scalars (Peter Dettman)
ff8746d Add secp256k1_scalar_mul_shift_var (Pieter Wuille)
@roconnor-blockstream roconnor-blockstream mentioned this pull request Sep 21, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sipa @gmaxwell @peterdettman