Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make ECDSA more efficient with GLV #209

Merged
merged 17 commits into from
Dec 19, 2023
Merged

Make ECDSA more efficient with GLV #209

merged 17 commits into from
Dec 19, 2023

Conversation

mitschabaude
Copy link
Collaborator

@mitschabaude mitschabaude commented Nov 17, 2023
edited
Loading

Companion of o1-labs/o1js#1257

  • Given a curve endomorphism with constants endoScalar, endoBase, implements methods to decompose a scalar, and to do faster scalar multiplication using that decomposition ("GLV method")
  • Also adds a method to automatically compute endoScalar and endoBase when they exist and are not already given as parameters (i.e. for secp256k1)
  • We can statically bound the max number of bits that decomposed scalars have. For Pallas and Vesta, we get 127 bits while for secp256k1 we get 128 bits. In both cases, this reduces the scalar bits that we need to process in the circuit exactly by half (while doubling the number of points to scale)

@mitschabaude mitschabaude changed the base branch from main to feature/ecdsa-new November 17, 2023 20:26
mitschabaude
mitschabaude commented Nov 28, 2023
View reviewed changes
crypto/elliptic-curve-endomorphism.ts
Comment on lines +81 to +83
/**
* GLV decomposition, named after the authors Gallant, Lambert and Vanstone who introduced it:
* https://iacr.org/archive/crypto2001/21390189.pdf
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is where the magic happens!

crypto/elliptic-curve-endomorphism.ts
Comment on lines +237 to +242
// upper bounds for
// |s0| <= 0.5 * (|v00| + |v01|)
// |s1| <= 0.5 * (|v10| + |v11|)
let maxS0 = ((abs(v00) + abs(v01)) >> 1n) + 1n;
let maxS1 = ((abs(v10) + abs(v11)) >> 1n) + 1n;
let maxBits = log2(max(maxS0, maxS1));
Copy link
Collaborator Author

@mitschabaude mitschabaude Nov 28, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's essential that we are able to statically compute the maximum number of bits (maxBits) that scalars have after GLV decomposition, with a reliable upper bound. Only with this knowledge can we leverage the gains of reduced bit lengths in a static circuit.

@mitschabaude mitschabaude mentioned this pull request Nov 28, 2023
Merged
@mitschabaude mitschabaude marked this pull request as ready for review November 28, 2023 15:41
Trivo25
Trivo25 approved these changes Dec 1, 2023
View reviewed changes
crypto/elliptic-curve-endomorphism.ts
generator
));
} catch (e: any) {
console.log(`Warning: no endomorphism for ${name}`, e?.message);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we could also utilize console.warn if we want - but that also sometimes gets mistaken for runtime warnings and just ignored by users :X

Base automatically changed from feature/ecdsa-new to main December 6, 2023 21:06
@mitschabaude mitschabaude merged commit f7ed6da into main Dec 19, 2023
1 check passed
@mitschabaude mitschabaude deleted the feature/glv branch December 19, 2023 07:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Trivo25 Trivo25 Trivo25 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mitschabaude @Trivo25