Consider using the add-2007-bl and dbl-2009-l formulae #59
Comments
We use https://eprint.iacr.org/2015/1060 for
Also, looking at the code, we already use
Reminded myself how https://eprint.iacr.org/2015/1060 works, and it uses homogeneous coordinates; we currently use Jacobian coordinates because of the tie-in with hash-to-curve. So I think using these addition formulas (which would be concretely faster than the Jacobian ones, per section 4.2 of that paper) is a good idea, as point addition is used significantly more.
You can still do Jacobian hash-to-curves/groups. The output is in affine anyway, so it does not really matter, right?
I'd like to note the importance of this given the current addition function isn't constant-time, enabling side-channel attacks. While I can create a dedicated issue/PR for that, ideally that's handled with this IMO.
Addition (incomplete, any a): http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl
Doubling for a = 0: http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l
These are used in Arkworks for short Weierstrass curves. I also implemented a variant of them in the `ChudnovskyPoint` class in the Sage implementation of Pasta used to generate the hash-to-curve test vectors. (The latter actually modifies the addition formulae to be complete, at some extra cost.)

A possible alternative is https://eprint.iacr.org/2015/1060 (see also privacy-scaling-explorations/halo2curves#15).
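Both EFD formulae linked above, as an added worked example (not code from this issue, its project or Arkworks) on a toy a = 0 curve over a tiny constructed prime field: the doubling needs no special cases, while the addition is incomplete and the equal-x cases are branched on explicitly, which is also exactly what makes such an add data dependent rather than constant-time, as noted in the comment above. The field size, the test curve and all function names are assumptions; a reference affine implementation is included to check the Jacobian results.

```python
P, B = 23, 5  # toy field and curve y^2 = x^3 + 5, constructed for this example (Pallas' b, tiny p)
INF = (1, 1, 0)  # Jacobian point at infinity: any (X, Y, 0)

def dbl_2009_l(pt):
    """EFD dbl-2009-l, Jacobian, a = 0. Branch-free: Z1 = 0 or Y1 = 0 simply gives Z3 = 0."""
    x1, y1, z1 = pt
    a, b = x1 * x1 % P, y1 * y1 % P
    c, e = b * b % P, 3 * a % P
    d = 2 * ((x1 + b) ** 2 - a - c) % P
    x3 = (e * e - 2 * d) % P
    return (x3, (e * (d - x3) - 8 * c) % P, 2 * y1 * z1 % P)

def add_2007_bl(p, q):
    """EFD add-2007-bl, Jacobian, any a. The formula is incomplete (garbage when U1 == U2), so
    p == q, p == -q and infinity are branched on here; those branches make it non-constant-time."""
    (x1, y1, z1), (x2, y2, z2) = p, q
    if z1 == 0 or z2 == 0:
        return q if z1 == 0 else p
    z1z1, z2z2 = z1 * z1 % P, z2 * z2 % P
    u1, u2 = x1 * z2z2 % P, x2 * z1z1 % P
    s1, s2 = y1 * z2 * z2z2 % P, y2 * z1 * z1z1 % P
    h, r = (u2 - u1) % P, 2 * (s2 - s1) % P
    if h == 0:  # equal x-coordinate: doubling if r == 0, otherwise p == -q
        return dbl_2009_l(p) if r == 0 else INF
    i = (2 * h) ** 2 % P
    j, v = h * i % P, u1 * i % P
    x3 = (r * r - j - 2 * v) % P
    y3 = (r * (v - x3) - 2 * s1 * j) % P
    return (x3, y3, ((z1 + z2) ** 2 - z1z1 - z2z2) * h % P)

def to_affine(pt):
    x, y, z = pt
    zi = pow(z, -1, P) if z else None  # modular inverse (Python 3.8+)
    return None if z == 0 else (x * zi * zi % P, y * zi ** 3 % P)

def affine_add(a, b):
    """Textbook affine addition (one inversion per add), used only as the reference."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = 3 * x1 * x1 * pow(2 * y1, -1, P) if a == b else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def matches_reference():
    """Exhaustively compare the Jacobian formulae with affine_add over the toy curve."""
    pts = [(x, y, 1) for x in range(P) for y in range(P) if (y * y - x ** 3 - B) % P == 0] + [INF]
    return all(to_affine(add_2007_bl(p, q)) == affine_add(to_affine(p), to_affine(q)) for p in pts for q in pts)
```

Removing the `h == 0` branch reproduces the incompleteness the issue body refers to: `matches_reference()` then fails on the doubling and inverse pairs.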