ghostchain/ghost-exodus-draft
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
98031ae4c5
ghost-exodus-draft/README.md
Uncle Fatso c66175a577
Shamir-Straus trick for pair and quartet 
Signed-off-by: Uncle Fatso <uncle.fatso@ghostchain.io>
2025-10-18 15:48:45 +03:00

80 lines
6.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# EXODUS - EXchange Of Digital Uniformed Signatures
## Overview
This module optimizes a hot spot in the verification formula used for missingsigner recovery. The target expression is:
`k*P + l*Q + d*M`
which requires three scalar multiplications and two point additions. Naive ellipticcurve routines make this very gasexpensive; this work reduces cost while maintaining correctness.
For full background and protocol details see the [project wiki](https://git.ghostchain.io/ghostchain/ghost-exodus-draft/wiki/Description).
## Goals
* Reduce gas for the targeted combination of scalar multiplications and additions.
* Keep implementation compact and auditable for onchain use.
* Maintain correctness and safety for cryptographic operations.
## Design choices
* Use Projective coordinates (not Jacobian) to cut down on the number of `mulmod`/`addmod` operations where possible while retaining simple formulas for point addition and doubling.
* Perform the final conversion to affine coordinates with an optimized `Extended Euclidean Algorithm` implemented in inline assembly to reduce gas compared with highlevel inversion routines.
* Benchmark against the Jacobian implementation from the [witnet ellipticcurvesolidity project](https://github.com/witnet/elliptic-curve-solidity) as a reference.
## Rationale
* Projective coordinates: fewer modular multiplications in the common path, making point operations cheaper on average.
* Assembly `Extended Euclidean Algorithm` for inversion: this algorithm in optimized inline assembly typically yields lower gas for single inversions compared with repeated `mulmod` exponentiation or other higherlevel approaches.
* Comparing to a wellmaintained Jacobian implementation gives a meaningful baseline for gas and correctness.
## Gas Usage
`Jacobian` is the original implementation used as a reference implementation, while `Projective` is optimized one.
```bash
╭----------------------------------------+-----------------+---------+---------+---------+---------╮
| src/MathTester.sol:MathTester Contract | | | | | |
+==================================================================================================+
| Deployment Cost | Deployment Size | | | | |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| 2624055 | 11923 | | | | |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| | | | | | |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| Function Name | Min | Avg | Median | Max | # Calls |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| addJacobian | 1896 | 1896 | 1896 | 1896 | 88 |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| addProjective | 1110 | 1110 | 1110 | 1110 | 44 |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| addProjectiveMixed | 1084 | 1084 | 1084 | 1084 | 44 |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| doubleJacobian | 889 | 889 | 889 | 889 | 45 |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| doubleProjective | 641 | 641 | 641 | 641 | 45 |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| isOnCurve | 280 | 280 | 280 | 280 | 262 |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulEcPair | 103258 | 731053 | 1058263 | 1269945 | 44 |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulEcQuartet | 308151 | 1561360 | 1982690 | 2672830 | 42 |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulEcTriplet | 205666 | 1140527 | 1546387 | 1958933 | 43 |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulProjectivePair | 4265 | 178529 | 311013 | 338160 | 44 |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulProjectiveQuartet | 12001 | 206222 | 345559 | 396103 | 42 |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| mulProjectiveTriplet | 6622 | 199854 | 346604 | 397492 | 43 |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| toAffineJacobian | 40300 | 47765 | 47884 | 53888 | 133 |
|----------------------------------------+-----------------+---------+---------+---------+---------|
| toAffineProjective | 11129 | 13876 | 13864 | 16178 | 262 |
╰----------------------------------------+-----------------+---------+---------+---------+---------╯
```
## Contributing
All contributions are welcome — whether it's code, documentation, tests, performance benchmarks, or review. Please submit commits, issues, or pull requests; any help to improve correctness, security, or gas efficiency is greatly appreciated.
Reference in New Issue View Git Blame Copy Permalink