doc: users list

[mmcloughlin]

Add a list of users to README or elsewhere.

• crypto/elliptic P-521 (CL 315271, tweet)
• Don't forget the constant-time in CSURF (preprint, source code)
• cloudflare/circl ted448 implementation (ref)

[jedisct1]

• Libsodium (here, here)
• Wasm-crypto (here)
• ZIg (here, here, here)

[mmcloughlin]

• Libsodium (here, here)
• Wasm-crypto (here)
• ZIg (here, here, here)

Awesome! I had no idea :)

[mmcloughlin]

mratsim/constantine BLS12-381 sqrt (comment, code)

[mratsim]

Not only that:

• BLS12-377 inversion (code
• BLS12-377 Tonelli-Shanks sqrt (code)
• BLS12-381 inversion (code)
• BLS12-381 invsqrt (code)
• BN254-Nogami inversion (code)
• BN254-Nogami invsqrt (code)
• BN254-Snarks (Ethereum / Zcash) inversion (code)
• BN254-Snarks invsqrt (code)
• BW6-761 inversion (code)
• BW6-761 invsqrt (code)

In the future inversion will likely be replaced by either Bernstein-Yang fast inversion or Pornin's fast inversion but the addition chain will stay as a benchmark reference point.

[mmcloughlin]

Not only that:

• BLS12-377 inversion (code
• BLS12-377 Tonelli-Shanks sqrt (code)
• BLS12-381 inversion (code)
• BLS12-381 invsqrt (code)
• BN254-Nogami inversion (code)
• BN254-Nogami invsqrt (code)
• BN254-Snarks (Ethereum / Zcash) inversion (code)
• BN254-Snarks invsqrt (code)
• BW6-761 inversion (code)
• BW6-761 invsqrt (code)

In the future inversion will likely be replaced by either Bernstein-Yang fast inversion or Pornin's fast inversion but the addition chain will stay as a benchmark reference point.

Wow that's awesome, thanks for sharing.

Curious if you had any script to convert addchain output into code. See #94.

[mmcloughlin]

Cloudflare CIRCL also using for BLS12-381 prime field.

https://github.com/mmcloughlin/addchain/issues/95#issuecomment-939066819 https://github.com/cloudflare/circl/pull/296

cc @armfazh

[gbotrel]

can add gnark (well, gnark-crypto) to the list. For Sqrt methods so far, but it may be useful in other places 👍

See this pr .

[mmcloughlin]

can add gnark (well, gnark-crypto) to the list. For Sqrt methods so far, but it may be useful in other places

Awesome thanks @gbotrel !

[mmcloughlin]

Cited in: https://eprint.iacr.org/2022/748

[mmcloughlin]

Anemoi: Exploiting the Link between Arithmetization-Orientation and CCZ-Equivalence https://eprint.iacr.org/2022/840

[mmcloughlin]

Pairings in Rank-1 Constraint Systems https://eprint.iacr.org/2022/1162

[mmcloughlin]

@Yawning https://github.com/Yawning/secp256k1-voi

[mmcloughlin]

@mcarrickscott https://github.com/mcarrickscott/modarith

[emmansun]

ShangMi (SM) cipher suites for Golang gmsm

1. SM2 inversion (here, here, here)
2. SM2 sqrt (here, here)
3. SM9 inversion & sqrt (here)
4. SM9 exp_u (here, here)