Draft prototype for the EXODUS verifier in Solidity.
EXODUS - EXchange Of Digital Uniformed Signatures
Overview
This module optimizes a hot spot in the verification formula used for missing-signer recovery. The target expression is:
`k*P + l*Q + d*M`
which requires three scalar multiplications and two point additions. Naive elliptic-curve routines make this very gas-expensive; this work reduces cost while maintaining correctness.
For full background and protocol details see the project wiki.
Goals
- Reduce gas for the targeted combination of scalar multiplications and additions.
- Keep implementation compact and auditable for on‑chain use.
- Maintain correctness and safety for cryptographic operations.
Design choices
- Use projective coordinates (not Jacobian) to cut down on the number of `mulmod`/`addmod` operations where possible while retaining simple formulas for point addition and doubling.
- Perform the final conversion to affine coordinates with an optimized Extended Euclidean Algorithm implemented in inline assembly to reduce gas compared with high-level inversion routines.
- Benchmark against the Jacobian implementation from the witnet elliptic-curve-solidity project as a reference.
Rationale
- Projective coordinates: fewer modular multiplications in the common path, making point operations cheaper on average.
- Assembly Extended Euclidean Algorithm for inversion: this algorithm in optimized inline assembly typically yields lower gas for single inversions compared with repeated `mulmod` exponentiation or other higher-level approaches.
- Comparing to a well-maintained Jacobian implementation gives a meaningful baseline for gas and correctness.
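The following is an added reference model, not code from this project, that shows what the design above buys: point addition and doubling in homogeneous projective coordinates (X:Y:Z) need no field inversion, so `k*P + l*Q + d*M` costs exactly one extended-Euclid inversion (in the final conversion to affine), whereas the same expression in affine coordinates pays one inversion per add or double. It is written in Python rather than Solidity so it can be run and checked offline; it does not reproduce the contract's inline assembly. Assumptions: the curve is secp256k1 (the README names no curve), the add/double formulas are the standard homogeneous-coordinate ones for a short Weierstrass curve, and all function names are mine.

```python
"""Added reference model (not the project's code): homogeneous (X:Y:Z) point
add/double without inversions, one extended-Euclid inversion at the end, and
k*P + l*Q + d*M checked against a plain affine computation.  Curve: secp256k1 (assumed)."""

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
A, B = 0, 7                                                             # y^2 = x^3 + 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = (0, 1, 0)          # projective point at infinity; affine infinity is None
INVERSIONS = [0]         # counts field inversions, the cost the README's assembly routine targets

def inv_mod(a, m=P):
    """Extended Euclidean inverse (high-level analogue of the README's assembly routine)."""
    INVERSIONS[0] += 1
    old_r, r, old_s, s = a % m, m, 1, 0
    while r:
        q = old_r // r
        old_r, r, old_s, s = r, old_r - q * r, s, old_s - q * s
    if old_r != 1:
        raise ZeroDivisionError("no inverse")
    return old_s % m

def affine_add(p1, p2):
    """Textbook affine addition: one inversion per call."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # P + (-P)
    if x1 == x2:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1) % P  # tangent slope
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def proj_double(pt):
    """Doubling in homogeneous coordinates; no inversion."""
    X1, Y1, Z1 = pt
    if Z1 == 0 or Y1 == 0:
        return INF
    XX, ZZ = X1 * X1 % P, Z1 * Z1 % P
    w = (A * ZZ + 3 * XX) % P              # tangent-slope numerator, scaled by Z^2
    s = 2 * Y1 * Z1 % P                    # tangent-slope denominator, scaled by Z^2
    R = Y1 * s % P
    RR = R * R % P
    Bq = ((X1 + R) ** 2 - XX - RR) % P     # = 2*X1*R
    h = (w * w - 2 * Bq) % P
    return (h * s % P, (w * (Bq - h) - 2 * RR) % P, s * s * s % P)

def proj_add(p1, p2):
    """Addition in homogeneous coordinates; no inversion.  Handles P+P and P+(-P)."""
    X1, Y1, Z1 = p1
    X2, Y2, Z2 = p2
    if Z1 == 0 or Z2 == 0:
        return p2 if Z1 == 0 else p1
    Y1Z2, X1Z2, Z1Z2 = Y1 * Z2 % P, X1 * Z2 % P, Z1 * Z2 % P
    u = (Y2 * Z1 - Y1Z2) % P               # (y2 - y1), scaled by Z1*Z2
    v = (X2 * Z1 - X1Z2) % P               # (x2 - x1), scaled by Z1*Z2
    if v == 0:
        return proj_double(p1) if u == 0 else INF
    vv = v * v % P
    vvv = v * vv % P
    R = vv * X1Z2 % P
    Aq = (u * u * Z1Z2 - vvv - 2 * R) % P
    return (v * Aq % P, (u * (R - Aq) - vvv * Y1Z2) % P, vvv * Z1Z2 % P)

def to_affine(pt):
    """The single inversion of the projective path."""
    X, Y, Z = pt
    if Z == 0:
        return None
    zi = inv_mod(Z)
    return (X * zi % P, Y * zi % P)

def scalar_mul(k, pt, add, dbl, ident):
    """Right-to-left double-and-add, parameterised over the coordinate system."""
    acc = ident
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = dbl(pt)
        k >>= 1
    return acc

def combine(k, p, l, q, d, m, projective=True):
    """k*P + l*Q + d*M as an affine point; inputs are affine tuples.  Resets INVERSIONS."""
    INVERSIONS[0] = 0
    if projective:
        add, dbl, ident = proj_add, proj_double, INF
        lift = lambda pt: (pt[0], pt[1], 1)
    else:
        add, dbl, ident = affine_add, lambda pt: affine_add(pt, pt), None
        lift = lambda pt: pt
    acc = ident
    for scalar, point in ((k, p), (l, q), (d, m)):
        acc = add(acc, scalar_mul(scalar, lift(point), add, dbl, ident))
    return to_affine(acc) if projective else acc

def on_curve(pt):
    return pt is None or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0
```

Calling `combine(k, P_, l, Q, d, M)` and then reading `INVERSIONS[0]` gives 1; the same call with `projective=False` gives one inversion per group operation, which is the gap the `toAffineProjective` versus per-operation inversion cost in the gas table reflects. The model also exercises the two edge cases the contract must get right: `P + (-P)` (which must yield the point at infinity, `Z == 0`) and `P + P` (which must fall through to doubling).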
Gas Usage
Jacobian is the original implementation used as the reference, while Projective is the optimized one.
Foundry gas report for `src/MathTester.sol:MathTester`:

| Deployment Cost | Deployment Size |
|---|---|
| 1065323 | 4715 |

| Function Name | Min | Avg | Median | Max | # Calls |
|---|---|---|---|---|---|
| addJacobian | 1768 | 1768 | 1768 | 1768 | 44 |
| addProjective | 992 | 992 | 992 | 992 | 44 |
| doubleJacobian | 777 | 777 | 777 | 777 | 45 |
| doubleProjective | 532 | 532 | 532 | 532 | 45 |
| toAffineJacobian | 30564 | 36206 | 36300 | 40841 | 89 |
| toAffineProjective | 11838 | 13792 | 13796 | 15155 | 89 |
Contributing
All contributions are welcome — whether it's code, documentation, tests, performance benchmarks, or review. Please submit commits, issues, or pull requests; any help to improve correctness, security, or gas efficiency is greatly appreciated.