moodlezoup
commented
1 year ago These are really good ideas! I will do some experimenting (or if anyone else wants to tackle one, let me know). Thank you for the suggestions!
Open seresistvanandras opened 1 year ago
moodlezoup
commented
1 year ago These are really good ideas! I will do some experimenting (or if anyone else wants to tackle one, let me know). Thank you for the suggestions!
Hi! Congrats! Nice work! Here are a few initial ideas for gas-golfing. Hope you'll find them useful.
_Toom-Cook multiplication:_ Currently, the
mul512function uses a schoolbook multiplication algorithm. I wonder if It would be more gas-efficient if we used a Toom-4 algorithm. Specifically, you split the 1024-bit integers exactly like you do now into 4 256-bit segments, then apply the Toom-4 algorithm. Generally, the rule of thumb is that after 300-bit or so, it is more efficient to use the Toom-Cook algorithm than the schoolbook multiplication algorithm. Though, not sure this observation also holds for the specific environment of EVM.Verifying modular multiplication on-chain: Another possible way to compute
a*b=c mod N(not sure if this is more gas-efficient than the current solution since it requires twice as long calldata than the current solution) is that the contract receives the quadruple(a,b,c,k)(all of these values have 1024 bits) and checks the multiplication over the integersmod p, i.e., whethera*b-c = k*N mod pwherepshould be a pseudorandom number, not necessarily a prime (e.g.,BLOCKHASH) not known to the prover prior calling any of the Cicada contract's functions (note thatphas roughly 256 bits, i.e., a single EVM word). Then the contract checks whether((a mod p) * (b mod p)) - c mod p = (k mod p)*(N mod p). Thesemod poperations can be computed efficiently using the0x06 MODopcode on the constituent 256-bit words ofa,b,c, andk. Or rather something along these lines: A note on probabilistically verifying integer and polynomial products0or1, i.e., ($u=g^r \land v=h^r)\lor(u=g^r \land v\cdot y^{-1}=h^r)$. This composition of the Chaum-Pedersen proof and the OR-proof consists of8group elements and the verifier's work is5modular multiplication. Using the distributive law, would not it be more efficient to rather prove $u=g^r\land(v=h^r\lor v\cdot y^{-1}=h^r)$? This paper suggests a more efficient Sigma-protocol composition for CNF of Sigma protocols for DLOG relations than the original Cramer, Damgård, and Schoenmakers (CRYPTO'94) paper. Here is a link to the paper.