EXODUS - EXchange Of Digital Uniformed Signatures

Overview

This module optimizes a hot spot in the verification formula used for missing‑signer recovery. The target expression is:

k*P + l*Q + d*M

which requires three scalar multiplications and two point additions. Naive elliptic‑curve routines make this very gas‑expensive; this work reduces cost while maintaining correctness.

For full background and protocol details see the project wiki.

Goals

• Reduce gas for the targeted combination of scalar multiplications and additions.
• Keep implementation compact and auditable for on‑chain use.
• Maintain correctness and safety for cryptographic operations.

Design choices

• Use Projective coordinates (not Jacobian) to cut down on the number of mulmod/addmod operations where possible while retaining simple formulas for point addition and doubling.
• Perform the final conversion to affine coordinates with an optimized Extended Euclidean Algorithm implemented in inline assembly to reduce gas compared with high‑level inversion routines.
• Benchmark against the Jacobian implementation from the witnet elliptic‑curve‑solidity project as a reference.

Rationale

• Projective coordinates: fewer modular multiplications in the common path, making point operations cheaper on average.
• Assembly Extended Euclidean Algorithm for inversion: this algorithm in optimized inline assembly typically yields lower gas for single inversions compared with repeated mulmod exponentiation or other higher‑level approaches.
• Comparing to a well‑maintained Jacobian implementation gives a meaningful baseline for gas and correctness.

Gas Usage

Jacobian is the original implementation used as a reference implementation, while Projective is optimized one.

╭----------------------------------------+-----------------+---------+---------+---------+---------╮
| src/MathTester.sol:MathTester Contract |                 |         |         |         |         |
+==================================================================================================+
| Deployment Cost                        | Deployment Size |         |         |         |         |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| 2624055                                | 11923           |         |         |         |         |
|----------------------------------------+-----------------+---------+---------+---------+---------|
|                                        |                 |         |         |         |         |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| Function Name                          | Min             | Avg     | Median  | Max     | # Calls |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| addJacobian                            | 1896            | 1896    | 1896    | 1896    | 88      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| addProjective                          | 1110            | 1110    | 1110    | 1110    | 44      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| addProjectiveMixed                     | 1084            | 1084    | 1084    | 1084    | 44      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| doubleJacobian                         | 889             | 889     | 889     | 889     | 45      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| doubleProjective                       | 641             | 641     | 641     | 641     | 45      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| isOnCurve                              | 280             | 280     | 280     | 280     | 262     |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulEcPair                              | 103258          | 731053  | 1058263 | 1269945 | 44      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulEcQuartet                           | 308151          | 1561360 | 1982690 | 2672830 | 42      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulEcTriplet                           | 205666          | 1140527 | 1546387 | 1958933 | 43      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulProjectivePair                      | 4265            | 178529  | 311013  | 338160  | 44      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulProjectiveQuartet                   | 12001           | 206222  | 345559  | 396103  | 42      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulProjectiveTriplet                   | 6622            | 199854  | 346604  | 397492  | 43      |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| toAffineJacobian                       | 40300           | 47765   | 47884   | 53888   | 133     |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| toAffineProjective                     | 11129           | 13876   | 13864   | 16178   | 262     |
╰----------------------------------------+-----------------+---------+---------+---------+---------╯

Contributing

All contributions are welcome — whether it's code, documentation, tests, performance benchmarks, or review. Please submit commits, issues, or pull requests; any help to improve correctness, security, or gas efficiency is greatly appreciated.