Optimize MNT4 pairing (2-NAF Miller loop)

[yelhousni]

305

MNT4

[jon-chuang]

Is there a reason why one does not use a bigger window size for the w-NAf?

[yelhousni]

Is there a reason why one does not use a bigger window size for the w-NAf?

The Miller loop iterates over the binary decomposition of ATE_LOOP_COUNT (double if 0, double-and-add if 1). Noting that point negation is cheap (x,y)->(x,-y), one can leverage a 2-NAF decomposition if it has more 0's than in the binary form.

[jon-chuang]

Wouldn't it make sense to use a table here then?

[yelhousni]

Wouldn't it make sense to use a table here then?

@jon-chuang How would you suggest to do that? I am storing the pre-computed 2-NAF decomposition here https://github.com/scipr-lab/zexe/blob/48ccd3290ddf9502c005a44f0bc6f9e100c9ce8d/algebra/src/mnt4_753/curves/mod.rs#L40 and running a 1/-1 pattern matching in the Miller Loop here https://github.com/scipr-lab/zexe/blob/48ccd3290ddf9502c005a44f0bc6f9e100c9ce8d/algebra-core/src/curves/models/mnt4/mod.rs#L128

[yelhousni]

For CI / Test (nightly) failing, see #303

[Pratyush]

Hey @yelhousni, thanks for the PR! We're transitioning the code in this repo over to https://github.com/arkworks-rs/algebra/; could you make the PR there instead?

[Pratyush]

Hi @yelhousni do you mind re-opening this PR against arkworks-rs/algebra? Sorry for the inconvenience!