Closed fleupold closed 5 years ago
It turns out we can save the x lookup constraint for fixed base multiplication if instead we pass the value around as a linear combination (which can be evaluated for free as part of the Montgomery addition constraints).
This is also how zCash does it (see https://github.com/zcash/librustzcash/issues/47 for more context).
This reduces 252bit multiplication from 512 to 428 constraints.
It turns out we can save the x lookup constraint for fixed base multiplication if instead we pass the value around as a linear combination (which can be evaluated for free as part of the Montgomery addition constraints).
This is also how zCash does it (see https://github.com/zcash/librustzcash/issues/47 for more context).
This reduces 252bit multiplication from 512 to 428 constraints.