daimo-eth / p256-verifier

P256 signature verification solidity contract
https://p256.eth.limo
MIT License

Cheap inversion with 32 bytes helper value #33

Open kilic opened 7 months ago

kilic commented 7 months ago

Alongside the pubkey and signature, the transaction caller may provide an inverted value; then we can check the inversion (a * a_inv == 1) mod n, so that the modexp call can be skipped.

nalinbhardwaj commented 7 months ago

Good idea. While this would certainly reduce computation gas cost, it would increase the calldata used and thus the L1 calldata fee (which is the dominant cost) for users of the contract on L2s. Since that's the primary use case ATM, we probably won't implement this.

kilic commented 7 months ago

A single 32-byte helper would suffice if it is the multiple-signature verification case with the batch inversion technique. But I'm not sure it would be worth touching too many places if the modexp cost is not that high.
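The hint check discussed in this thread, including the batch case with a single 32-byte helper, as an added Python sketch (not code from the p256-verifier contract or from the commenters). The function names and the choice to treat the hint as the inverse of the product of all values are assumptions; the hint is untrusted caller input, so it is only used after the product check passes.

```python
# P-256 group order n: the prime modulus used when inverting the ECDSA s value.
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def inv_modexp(s):
    """Baseline: Fermat inversion s^(n-2) mod n, i.e. what a modexp call computes."""
    return pow(s, N - 2, N)


def inv_with_hint(s, hint):
    """Single-signature case: accept the caller's hint only if s * hint == 1 (mod n)."""
    if not (0 < s < N and 0 < hint < N):
        raise ValueError("value out of range")
    if (s * hint) % N != 1:
        raise ValueError("bad inversion hint")
    return hint


def batch_inv_with_hint(values, hint):
    """Batch case: one hint, assumed to be the inverse of the product of all values.

    After a single check of product * hint == 1 (mod n), each individual
    inverse is recovered with multiplications only (Montgomery's trick).
    """
    if not values or not 0 < hint < N:
        raise ValueError("empty batch or hint out of range")
    if not all(0 < v < N for v in values):
        raise ValueError("value out of range")

    # prefix[i] = values[0] * ... * values[i-1] mod n, with prefix[0] = 1
    prefix = [1]
    for v in values:
        prefix.append(prefix[-1] * v % N)

    # One check covers the whole batch: a wrong hint cannot pass it.
    if prefix[-1] * hint % N != 1:
        raise ValueError("bad inversion hint")

    inverses = [0] * len(values)
    acc = hint  # invariant: acc is the inverse of values[0] * ... * values[i]
    for i in range(len(values) - 1, -1, -1):
        inverses[i] = acc * prefix[i] % N  # cancels every factor except values[i]
        acc = acc * values[i] % N          # drop values[i] from the running inverse
    return inverses
```

Because n is prime, every value in range has exactly one inverse, so a hint that passes the check is the same number modexp would have produced.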