# EXODUS - EXchange Of Digital Uniformed Signatures ## Overview This module optimizes a hot spot in the verification formula used for missing‑signer recovery. The target expression is: `k*P + l*Q + d*M` which requires three scalar multiplications and two point additions. Naive elliptic‑curve routines make this very gas‑expensive; this work reduces cost while maintaining correctness. For full background and protocol details see the [project wiki](https://git.ghostchain.io/ghostchain/ghost-exodus-draft/wiki/Description). ## Goals * Reduce gas for the targeted combination of scalar multiplications and additions. * Keep implementation compact and auditable for on‑chain use. * Maintain correctness and safety for cryptographic operations. ## Design choices * Use Projective coordinates (not Jacobian) to cut down on the number of `mulmod`/`addmod` operations where possible while retaining simple formulas for point addition and doubling. * Perform the final conversion to affine coordinates with an optimized `Extended Euclidean Algorithm` implemented in inline assembly to reduce gas compared with high‑level inversion routines. * Benchmark against the Jacobian implementation from the [witnet elliptic‑curve‑solidity project](https://github.com/witnet/elliptic-curve-solidity) as a reference. ## Rationale * Projective coordinates: fewer modular multiplications in the common path, making point operations cheaper on average. * Assembly `Extended Euclidean Algorithm` for inversion: this algorithm in optimized inline assembly typically yields lower gas for single inversions compared with repeated `mulmod` exponentiation or other higher‑level approaches. * Comparing to a well‑maintained Jacobian implementation gives a meaningful baseline for gas and correctness. ## Gas Usage `Jacobian` is the original implementation used as a reference implementation, while `Projective` is optimized one. ```bash ╭----------------------------------------+-----------------+---------+---------+---------+---------╮ | src/MathTester.sol:MathTester Contract | | | | | | +==================================================================================================+ | Deployment Cost | Deployment Size | | | | | |----------------------------------------+-----------------+---------+---------+---------+---------| | 2624055 | 11923 | | | | | |----------------------------------------+-----------------+---------+---------+---------+---------| | | | | | | | |----------------------------------------+-----------------+---------+---------+---------+---------| | Function Name | Min | Avg | Median | Max | # Calls | |----------------------------------------+-----------------+---------+---------+---------+---------| | addJacobian | 1896 | 1896 | 1896 | 1896 | 88 | |----------------------------------------+-----------------+---------+---------+---------+---------| | addProjective | 1110 | 1110 | 1110 | 1110 | 44 | |----------------------------------------+-----------------+---------+---------+---------+---------| | addProjectiveMixed | 1084 | 1084 | 1084 | 1084 | 44 | |----------------------------------------+-----------------+---------+---------+---------+---------| | doubleJacobian | 889 | 889 | 889 | 889 | 45 | |----------------------------------------+-----------------+---------+---------+---------+---------| | doubleProjective | 641 | 641 | 641 | 641 | 45 | |----------------------------------------+-----------------+---------+---------+---------+---------| | isOnCurve | 280 | 280 | 280 | 280 | 262 | |----------------------------------------+-----------------+---------+---------+---------+---------| | mulEcPair | 103258 | 731053 | 1058263 | 1269945 | 44 | |----------------------------------------+-----------------+---------+---------+---------+---------| | mulEcQuartet | 308151 | 1561360 | 1982690 | 2672830 | 42 | |----------------------------------------+-----------------+---------+---------+---------+---------| | mulEcTriplet | 205666 | 1140527 | 1546387 | 1958933 | 43 | |----------------------------------------+-----------------+---------+---------+---------+---------| | mulProjectivePair | 4265 | 178529 | 311013 | 338160 | 44 | |----------------------------------------+-----------------+---------+---------+---------+---------| | mulProjectiveQuartet | 12001 | 206222 | 345559 | 396103 | 42 | |----------------------------------------+-----------------+---------+---------+---------+---------| | mulProjectiveTriplet | 6622 | 199854 | 346604 | 397492 | 43 | |----------------------------------------+-----------------+---------+---------+---------+---------| | toAffineJacobian | 40300 | 47765 | 47884 | 53888 | 133 | |----------------------------------------+-----------------+---------+---------+---------+---------| | toAffineProjective | 11129 | 13876 | 13864 | 16178 | 262 | ╰----------------------------------------+-----------------+---------+---------+---------+---------╯ ``` ## Contributing All contributions are welcome — whether it's code, documentation, tests, performance benchmarks, or review. Please submit commits, issues, or pull requests; any help to improve correctness, security, or gas efficiency is greatly appreciated.