--- Day changed Wed May 02 2018
05:27 -!- jtimon [~quassel@142.29.134.37.dynamic.jazztel.es] has joined #secp256k1
19:12 < maaku> I'm about to begin work on a pedersen hash replacement for BIP 32 key derivation, to allow among other things compact zk proofs of key relations
19:13 < maaku> before I begin, has anyone done anything similar or is there code I might reuse?
19:24 < sipa> you're aware of the conditional negation trick?
19:30 < maaku> sipa: no, please enlighten me
19:34 < sipa> maaku: so the optimal way to implement a pedersen hash on curves where addition takes 3 multiplications (which is the case for secp)
19:34 < sipa> is to not have bits b0,b1,b2,... and get output b0*A + b1*B + b2*C + ...
19:35 < sipa> but to have groups of 3 bits b0,b1,b2 and map b0,b1 to a 4-point lookup table, and use b2 as a conditional negation of the output of that table
19:36 < sipa> the result of which isn't exactly a pedersen hash anymore, but it can be shown to be equivalent in security
19:37 < sipa> and gives you 2.666 multiplications per bit of input overall
19:41 < maaku> interesting. does the pedersen hash benchmark code do this?
19:42 < sipa> yes
19:42 < maaku> ok cool; i'll look at that
19:44 < sipa> also, if you need indistinguishability you can compute two independent pedersen hashes from the same inputs (with different generators) and add the x coordinates
19:44 < sipa> which you can do with 4 multiplications per input bit, total
21:14 -!- jtimon [~quassel@142.29.134.37.dynamic.jazztel.es] has quit [Ping timeout: 264 seconds]