--- Day changed Tue Mar 27 2018
01:19 -!- jtimon [~quassel@142.29.134.37.dynamic.jazztel.es] has quit [Ping timeout: 268 seconds]
06:02 -!- instagibbs [~instagibb@pool-100-15-128-78.washdc.fios.verizon.net] has joined #secp256k1
08:13 -!- jtimon [~quassel@142.29.134.37.dynamic.jazztel.es] has joined #secp256k1
09:03 -!- arubi [~ese168@gateway/tor-sasl/ese168] has quit [Remote host closed the connection]
09:04 -!- arubi [~ese168@gateway/tor-sasl/ese168] has joined #secp256k1
10:29 < andytoshi> nickler: i'm getting worse results the more precomp i do, doing bulletproof verification with #513 :(
10:30 < andytoshi> even with endo off
10:30 < sipa> worse compared to what?
10:31 < sipa> actually #513 will introduce half an EC operation per input point in non-endo
10:31 < andytoshi> precomputing 8 points is worse than 4, is worse than 2, is worse than 1
10:31 < andytoshi> all with #513
10:31 < sipa> by precomputing 8 points you mean splitting up the scalars into 32-bit slices?
10:31 < andytoshi> yes
10:31 < sipa> yeah, that won't work
10:32 < andytoshi> isn't that what jonas' example code does?
10:32 < sipa> the parameters are tuned for 256 bit inputs
10:32 < sipa> hmm
10:32 < sipa> actually, i don't think it matters
10:34 < andytoshi> https://github.com/apoelstra/secp256k1-mw/commit/3e13801febb7fe2782f24eb68f301cc616f2065b is what i'm doing
10:34 < andytoshi> in main_impl.h i set N_PRECOMP (which is 8 in that commit) .. then in inner_product_impl.h i change my verification code
10:35 < andytoshi> so every 8 iterations in the ecmult, it generates an actual scalar using the dettman algo, and splits it into 8 pieces
10:35 < andytoshi> then on the other iterations it just reads the pieces out of ctx->cache
10:36 < andytoshi> the relevant code is inner_product_impl.h 130-147 (reading out of cache) and 221-229 (doing the splitting), the rest is just supporting code
10:36 < sipa> you're not counting the precomp time inside the benchmark?
10:37 < sipa> nope, that code doesn't
10:37 < sipa> all good
10:38 < andytoshi> so, for pedersen-48 the verify time goes from 7111us to 7144us to 7818us to 10189us, as i go from 1 to 2 to 4 to 8 precomp points. so it looks like exponential growth
10:39 < andytoshi> it looks roughly like what i'd expect if the code wasn't reacting to all the leading zeroes, but i added some printfs in ecmult_impl.h and it's definitely getting mostly-0 scalars
10:41 < andytoshi> oh, one thing that differs from jonas' code is that i'm not precomputing everything
10:41 < andytoshi> 2log(N) of my scalars will be 256 bits, the rest will be small
10:43 < andytoshi> it's plausible that that'd eliminate the entire benefit of splitting
10:55 < andytoshi> so maybe forget precomp for the verifier (where we didn't expect a big benefit anyway), i'll implement it for the prover and see if we get an improvement there
12:08 < andytoshi> how large would a circuit be that did EC math over an arbitrary (ed25519) curve by binary decomposition?
12:43 < sipa> first question: how do you efficiently implement bigint math in an arithmetic circuit?
13:42 -!- maaku [~maaku@173.234.25.100] has quit [Ping timeout: 268 seconds]
13:54 < andytoshi> ok, i do see a speedup from precomp as long as _all_ scalars are reduced, including the G scalar
13:56 -!- hdevalence [~hdevalenc@52.119.117.17] has joined #secp256k1
13:58 < andytoshi> also, i don't see much (if any) of a slowdown by using #513 vs not
15:07 -!- maaku [~maaku@173.234.25.100] has joined #secp256k1
17:00 -!- weez17 [~isaac@unaffiliated/weez17] has quit [Remote host closed the connection]
17:00 -!- weez17 [~isaac@unaffiliated/weez17] has joined #secp256k1
17:19 -!- hdevalence [~hdevalenc@52.119.117.17] has quit [Quit: hdevalence]
21:38 -!- r251d [~r251d@2600:1700:e350:37f0:51f3:d51a:e636:637a] has quit [Read error: Connection reset by peer]
21:39 -!- r251d [~r251d@2600:1700:e350:37f0:65:55e2:20db:5713] has joined #secp256k1
22:02 -!- jtimon [~quassel@142.29.134.37.dynamic.jazztel.es] has quit [Ping timeout: 256 seconds]
22:25 -!- roconnor [~roconnor@host-45-78-192-92.dyn.295.ca] has quit [Quit: Konversation terminated!]