--- Day changed Tue Nov 14 2017
02:03 -!- roconnor_ [~roconnor@host-45-78-197-59.dyn.295.ca] has quit [Ping timeout: 240 seconds]
03:01 -!- roconnor_ [~roconnor@host-45-58-247-46.dyn.295.ca] has joined #secp256k1
03:32 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has quit [Ping timeout: 240 seconds]
03:33 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has joined #secp256k1
04:07 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has joined #secp256k1
04:59 -!- instagibbs [~instagibb@pool-72-83-36-237.washdc.fios.verizon.net] has quit [Ping timeout: 246 seconds]
10:28 -!- jtimon [~quassel@164.31.134.37.dynamic.jazztel.es] has joined #secp256k1
11:17 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has quit [Read error: Connection reset by peer]
12:07 -!- hdevalence [~hdevalenc@199-188-193-243.PUBLIC.monkeybrains.net] has joined #secp256k1
12:08 < andytoshi> i'd be in favor of a bench_ecmult function that just does all the different ecmult (regarding hdevalence comments on #bitcoin-wizards)
12:12 -!- oleganza [~oleganza@199-188-193-243.PUBLIC.monkeybrains.net] has joined #secp256k1
12:13 -!- oleganza [~oleganza@199-188-193-243.PUBLIC.monkeybrains.net] has quit [Quit: oleganza]
12:14 < sipa> sounds good to me
12:17 -!- maaku [~mark@173.234.25.100] has joined #secp256k1
12:23 -!- oleganza [~oleganza@199-188-193-243.PUBLIC.monkeybrains.net] has joined #secp256k1
12:24 -!- oleganza [~oleganza@199-188-193-243.PUBLIC.monkeybrains.net] has quit [Client Quit]
12:24 -!- oleganza [~oleganza@199-188-193-243.PUBLIC.monkeybrains.net] has joined #secp256k1
12:27 -!- adiabat [~adiabat@45.63.20.152] has joined #secp256k1
12:28 -!- oleganza [~oleganza@199-188-193-243.PUBLIC.monkeybrains.net] has quit [Client Quit]
12:30 -!- oleganza [~oleganza@199-188-193-243.PUBLIC.monkeybrains.net] has joined #secp256k1
12:58 < sipa> hdevalence: i hear you're asking more questions on slack?
this is probably the better place to ask
13:06 < hdevalence> sipa: oh, sorry, I asked on a slack before I found out about the IRC channel
13:06 < sipa> oh, i see
13:06 < hdevalence> got directed to IRC
13:59 -!- andytosh1 [~apoelstra@wpsoftware.net] has joined #secp256k1
13:59 -!- andytoshi [~apoelstra@unaffiliated/andytoshi] has quit [Ping timeout: 250 seconds]
13:59 -!- Cory [~Cory@unaffiliated/cory] has quit [Ping timeout: 250 seconds]
14:05 -!- Pasha [~Cory@unaffiliated/cory] has joined #secp256k1
14:07 -!- Pasha is now known as Cory
14:32 < hdevalence> if I want to ballpark the cost of a vartime double-base scalar mult, is it reasonable to take the ecdsa_verify cost minus the scalar_inverse cost?
14:32 < sipa> yes
14:33 < hdevalence> cool!
14:33 < gmaxwell> by double base, do you mean one fixed one variable?
14:34 < sipa> yeah, ECDSA verification is a*P + b*G, where G is the constant secp256k1 generator
14:34 < hdevalence> by double base I mean P1 * s1 + P2 * s2
14:34 < hdevalence> without saying whether the bases are fixed
14:34 < sipa> a significant portion of the speed comes from having precomputed tables of G's multiples
14:34 < sipa> if it's 2 variable points, the speed is going to be 1.5x lower or so
14:35 < gmaxwell> We don't have a function for two variable bases merged, though there is a generic N-base multiexp as patches in flight right now.
14:35 < hdevalence> also, do I need to do anything special to select an appropriate field implementation?
14:35 < gmaxwell> (though even that code I don't know how optimized it really is for two variable bases, may still have overhead from expecting one input to be the generator)
14:36 < gmaxwell> hdevalence: no, it autodetects; though endomorphism isn't enabled by default and makes a pretty big difference in the two point case.
14:36 < gmaxwell> But depending on why you're benchmarking you may or may not want to benchmark with it.
14:36 < hdevalence> the only reason to disable endomorphisms is to avoid the GLV patent, correct?
14:36 < hdevalence> or is there a different reason?
14:36 < gmaxwell> Correct. Which expires in not so long.
14:37 < hdevalence> 2021 or so?
14:37 < gmaxwell> IIRC it's not that long, I had thought the relevant one was 2019. But don't quote me on that.
14:38 < sipa> december 2018 even, iirc
14:38 < sipa> but also, don't quote me on that - the various ways to even determine whether a patent expired seem to require someone with legalese training :)
14:42 < hdevalence> what hardware features does the field implementation use?
14:43 < sipa> there are 3 field implementations
14:43 < sipa> 1) C89 + uint64_t (used on 32-bit systems)
14:44 < sipa> 2) C89 + __int128 (used on 64-bit systems with 128-bit multiply, which includes all 64-bit x86)
14:44 < sipa> 3) C89 + x86_64 asm
14:45 < hdevalence> If I build 2) using march=haswell or newer, will it use MULX?
14:45 < sipa> probably
14:45 < hdevalence> Also, is 3) significantly better than 2)?
14:45 < sipa> at the time it was written it was significantly better
14:45 < sipa> compiler improvements have reduced the benefit though
14:47 < hdevalence> looks like it's still better
14:51 < hdevalence> secp is pretty fast.
14:51 < hdevalence> this is quite nice
14:57 -!- midnightmagic [~midnightm@unaffiliated/midnightmagic] has quit [Ping timeout: 264 seconds]
15:14 -!- midnightmagic [~midnightm@unaffiliated/midnightmagic] has joined #secp256k1
15:25 -!- hdevalence [~hdevalenc@199-188-193-243.PUBLIC.monkeybrains.net] has quit [Quit: hdevalence]
17:18 < gmaxwell> oh sad he left.
17:36 -!- oleganza [~oleganza@199-188-193-243.PUBLIC.monkeybrains.net] has quit [Quit: oleganza]
20:16 -!- oleganza [~oleganza@c-73-170-224-149.hsd1.ca.comcast.net] has joined #secp256k1
21:51 -!- kallewoof [~karl@67.205.138.199] has joined #secp256k1
21:55 -!- jtimon [~quassel@164.31.134.37.dynamic.jazztel.es] has quit [Ping timeout: 258 seconds]
23:08 -!- oleganza [~oleganza@c-73-170-224-149.hsd1.ca.comcast.net] has quit [Quit: oleganza]