ghost-exodus-draft/README.md
2025-10-13 19:58:28 +03:00


EXODUS - EXchange Of Digital Uniformed Signatures

Overview

This module optimizes a hot spot in the verification formula used for missing-signer recovery. The target expression is:

k*P + l*Q + d*M

which requires three scalar multiplications and two point additions. Naive elliptic-curve routines make this very gas-expensive; this work reduces the cost while maintaining correctness.

For full background and protocol details see the project wiki.

Goals

  • Reduce gas for the targeted combination of scalar multiplications and additions.
  • Keep the implementation compact and auditable for on-chain use.
  • Maintain correctness and safety for cryptographic operations.

Design choices

  • Use Projective coordinates (not Jacobian) to cut down on the number of mulmod/addmod operations where possible while retaining simple formulas for point addition and doubling.
  • Perform the final conversion to affine coordinates with an optimized Extended Euclidean Algorithm implemented in inline assembly to reduce gas compared with high-level inversion routines.
  • Benchmark against the Jacobian implementation from the witnet elliptic-curve-solidity project as a reference.

Rationale

  • Projective coordinates: fewer modular multiplications in the common path, making point operations cheaper on average.
  • Assembly Extended Euclidean Algorithm for inversion: this algorithm in optimized inline assembly typically yields lower gas for single inversions compared with repeated mulmod exponentiation or other higher-level approaches.
  • Comparing to a well-maintained Jacobian implementation gives a meaningful baseline for gas and correctness.
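The following is an added example, not EXODUS project code, showing the pieces the design choices above refer to: homogeneous projective point addition and doubling (no inversion in the loop), a single Extended Euclidean inversion for the final affine conversion, and the target expression k*P + l*Q + d*M evaluated the naive way (three scalar multiplications, two additions). It also evaluates the same triple with one shared doubling chain (the Straus/Shamir trick) as an illustration of where the naive cost can be cut; the README does not say EXODUS does this. The curve (secp256k1), the sample scalars, and every function name here are assumptions; the README does not fix a curve.

```python
# Added example (not EXODUS project code): homogeneous projective arithmetic
# on a short-Weierstrass curve, Extended-Euclidean inversion for the final
# affine conversion, and k*P + l*Q + d*M evaluated naively (3 mults, 2 adds)
# and with one shared doubling chain. Curve (secp256k1) and all sample
# values are assumptions for illustration; the README does not fix a curve.

P_MOD = 2**256 - 2**32 - 977                     # secp256k1 field prime
A, B = 0, 7                                      # y^2 = x^3 + A*x + B
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = (0, 1, 0)                                  # projective infinity (Z == 0)


def inv_mod(a, m=P_MOD):
    """Iterative Extended Euclidean Algorithm: the single inversion the README
    moves into inline assembly instead of a 256-step Fermat exponentiation."""
    a %= m
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    return old_s % m                             # old_r == gcd == 1 for prime m


def to_affine(pt):
    """(X:Y:Z) -> (X/Z, Y/Z); None for infinity. Exactly one inversion."""
    X, Y, Z = pt
    if Z == 0:
        return None
    zi = inv_mod(Z)
    return (X * zi % P_MOD, Y * zi % P_MOD)


def double_proj(pt):
    """Projective doubling (shape of EFD dbl-1998-cmo-2), no inversion."""
    X, Y, Z = pt
    if Z == 0 or Y == 0:                         # infinity or order-2 point
        return INF
    w = (A * Z * Z + 3 * X * X) % P_MOD
    s = Y * Z % P_MOD
    b = X * Y * s % P_MOD
    h = (w * w - 8 * b) % P_MOD
    return (2 * h * s % P_MOD,
            (w * (4 * b - h) - 8 * Y * Y * s * s) % P_MOD,
            8 * s * s * s % P_MOD)


def add_proj(p1, p2):
    """Projective addition (shape of EFD add-1998-cmo-2). Passing p2 with
    Z == 1 is the cheaper 'mixed' case the gas table lists separately."""
    X1, Y1, Z1 = p1
    X2, Y2, Z2 = p2
    if Z1 == 0:
        return p2
    if Z2 == 0:
        return p1
    u = (Y2 * Z1 - Y1 * Z2) % P_MOD
    v = (X2 * Z1 - X1 * Z2) % P_MOD
    if v == 0:                                   # same x: P == Q or P == -Q
        return double_proj(p1) if u == 0 else INF
    vv = v * v % P_MOD
    vvv = vv * v % P_MOD
    r = vv * X1 * Z2 % P_MOD
    a3 = (u * u * Z1 * Z2 - vvv - 2 * r) % P_MOD
    return (v * a3 % P_MOD,
            (u * (r - a3) - vvv * Y1 * Z2) % P_MOD,
            vvv * Z1 * Z2 % P_MOD)


def mul_proj(k, pt):
    """Left-to-right double-and-add on a projective point."""
    acc = INF
    for bit in bin(k % N_ORDER)[2:]:
        acc = double_proj(acc)
        if bit == "1":
            acc = add_proj(acc, pt)
    return acc


def proj(aff):
    """Affine (x, y) -> projective (x : y : 1)."""
    return (aff[0], aff[1], 1)


def triple_naive(k, P, l, Q, d, M):
    """k*P + l*Q + d*M as the README states it: 3 mults + 2 adds, affine out."""
    acc = add_proj(mul_proj(k, proj(P)), mul_proj(l, proj(Q)))
    return to_affine(add_proj(acc, mul_proj(d, proj(M))))


def triple_shared(k, P, l, Q, d, M):
    """Same value via one doubling chain (Straus/Shamir): precompute the 8
    subset sums of {P, Q, M}, then per bit add the subset the three scalar
    bits select. Illustrative only; not claimed to be the EXODUS method."""
    pts = (proj(P), proj(Q), proj(M))
    table = [INF] * 8
    for i in range(1, 8):
        for j in range(3):
            if i >> j & 1:
                table[i] = add_proj(table[i], pts[j])
    k, l, d = k % N_ORDER, l % N_ORDER, d % N_ORDER
    acc = INF
    for i in reversed(range(max(k, l, d).bit_length())):
        acc = double_proj(acc)
        idx = (k >> i & 1) | (l >> i & 1) << 1 | (d >> i & 1) << 2
        if idx:
            acc = add_proj(acc, table[idx])
    return to_affine(acc)


def on_curve(aff):
    """Sanity check on an affine result; infinity counts as on-curve."""
    if aff is None:
        return True
    x, y = aff
    return (y * y - x * x * x - A * x - B) % P_MOD == 0
```

With P = G, Q = 7G and M = 11G the triple must equal (k + 7l + 11d)G, which gives an independent check of the formulas without relying on externally published test vectors; checking that (n-1)G + G lands on infinity exercises the same-x branch of add_proj. The only inversion in either triple routine is the one inside to_affine, which is why the README's assembly inversion matters to the total gas.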

Gas Usage

Jacobian is the original implementation used as the reference, while Projective is the optimized one. All figures are in gas units.

╭----------------------------------------+-----------------+---------+---------+---------+---------╮
| src/MathTester.sol:MathTester Contract |                 |         |         |         |         |
+==================================================================================================+
| Deployment Cost                        | Deployment Size |         |         |         |         |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| 2011993                                | 9094            |         |         |         |         |
|----------------------------------------+-----------------+---------+---------+---------+---------|
|                                        |                 |         |         |         |         |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| Function Name                          | Min             | Avg     | Median  | Max     | # Calls |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| addJacobian                            | 1800            | 1800    | 1800    | 1800    | 88      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| addProjective                          | 1015            | 1015    | 1015    | 1015    | 44      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| addProjectiveMixed                     | 967             | 967     | 967     | 967     | 44      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| doubleJacobian                         | 794             | 794     | 794     | 794     | 45      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| doubleProjective                       | 546             | 546     | 546     | 546     | 45      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulEcTriplet                           | 205548          | 1140310 | 1546125 | 1958623 | 43      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulProjectiveTriplet                   | 6436            | 193298  | 334976  | 385511  | 43      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| toAffineJacobian                       | 40275           | 47740   | 47859   | 53863   | 133     |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| toAffineProjective                     | 11056           | 13787   | 13904   | 16105   | 176     |
╰----------------------------------------+-----------------+---------+---------+---------+---------╯

Contributing

All contributions are welcome — whether it's code, documentation, tests, performance benchmarks, or review. Please submit commits, issues, or pull requests; any help to improve correctness, security, or gas efficiency is greatly appreciated.