--- Day changed Thu Jun 01 2017
00:11 < gmaxwell> author of the paper I mentioned here:
00:11 < gmaxwell> 20:46 < gmaxwell> A little bit of LOL WUT in an otherwise interesting paper, https://eprint.iacr.org/2015/1060.pdf
00:11 < gmaxwell> 20:47 < gmaxwell> compared to Bitcoin’s incomplete mixed addition function secp256k1 gej add ge var, our
00:11 < gmaxwell> 20:47 < gmaxwell> complete mixed addition saves 3S at the cost of 3M + 2a + 1mul int; and, compared to
00:11 < gmaxwell> 20:47 < gmaxwell> Bitcoin’s doubling function secp256k1 gej double var, our formulas save 2S + 5mul int at
00:11 < gmaxwell> 20:47 < gmaxwell> the cost of 3M + 3a. In this case it is unclear which set of formulas would perform faster
00:11 < gmaxwell> 20:47 < gmaxwell> ...
00:11 < gmaxwell> just commented on modern crypto curves list.
01:02 -!- Cory [~Cory@unaffiliated/cory] has quit [Ping timeout: 258 seconds]
01:03 < sipa> ?
01:03 < gmaxwell> The author of that paper was writing on the curves list.
01:04 < gmaxwell> the paper is good though it had some lol about suggesting that maybe their formulas were faster than ours, when theirs were obviously strictly slower.
01:04 < gmaxwell> (e.g. saves 3S at a cost of 3M + 2a + 1const mul -- which cannot be faster than 3S...)
01:04 < sipa> oh, lol
01:05 < gmaxwell> paper is good otherwise I thought.
01:05 < gmaxwell> or so I vaguely recall.
01:05 < sipa> 2S+5mulint compared to 3M + 3a is less clear
01:06 < gmaxwell> 21:19 < gmaxwell> andytoshi: so this looks like it will be faster than our constant time group code IF we can manage the multiplies by 21.
01:06 < gmaxwell> sipa: right I think our conclusion was that it required an extra normalization which made it a loss.
01:06 < sipa> ah
01:06 < gmaxwell> just refreshing people's memory in case someone wanted to join the thread.
01:07 < sipa> oh, that optimization
01:07 < sipa> the one we already considered twice because it looks obvious, and then decide that in practice it's worse
01:10 < gmaxwell> this is why I went and found the logs from the prior time we talked about that paper.
01:10 -!- Cory [~Cory@unaffiliated/cory] has joined #secp256k1
01:10 < gmaxwell> I'm tempted to add a citation to the paper in the source code and note that what we have is faster than what it describes. :P
01:10 < gmaxwell> so I can stop forgetting that.
01:12 < sipa> go ahead
01:17 < gmaxwell> lol
01:17 < gmaxwell> the comment is already there.
01:18 < sipa> hahaha
01:18 < gmaxwell> not exactly the same one, but the same point.
02:04 -!- roconnor [~roconnor@host-45-58-194-118.dyn.295.ca] has quit [Ping timeout: 268 seconds]
03:02 -!- jtimon [~quassel@117.29.134.37.dynamic.jazztel.es] has joined #secp256k1
03:12 -!- jtimon [~quassel@117.29.134.37.dynamic.jazztel.es] has quit [Ping timeout: 260 seconds]
03:41 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has quit [Ping timeout: 245 seconds]
03:56 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has joined #secp256k1
06:20 -!- jtimon [~quassel@117.29.134.37.dynamic.jazztel.es] has joined #secp256k1
06:28 -!- roconnor [~roconnor@host-45-58-245-46.dyn.295.ca] has joined #secp256k1
12:46 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has quit [Quit: Leaving]
--- Log closed Thu Jun 01 16:48:51 2017
--- Log opened Thu Jun 01 16:59:14 2017
16:59 -!- kanzure [~kanzure@unaffiliated/kanzure] has joined #secp256k1
16:59 -!- Irssi: #secp256k1: Total of 31 nicks [0 ops, 0 halfops, 0 voices, 31 normal]
17:10 -!- Irssi: Join to #secp256k1 was synced in 714 secs
17:33 -!- cfields [~quassel@unaffiliated/cfields] has quit [Quit: No Ping reply in 180 seconds.]
17:34 -!- cfields [~quassel@unaffiliated/cfields] has joined #secp256k1
23:05 -!- jtimon [~quassel@117.29.134.37.dynamic.jazztel.es] has quit [Ping timeout: 255 seconds]