Skip to content

Use untwisted Edwards Curve for Ed448 scalar multiplication #1337

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 10 commits into from
Closed

Use untwisted Edwards Curve for Ed448 scalar multiplication #1337

wants to merge 10 commits into from

Conversation

daxpedda
Copy link
Contributor

@daxpedda daxpedda commented Jul 30, 2025
edited
Loading

The current scalar multiplication algorithm for EdwardsPoint does the computation on the twisted Edwards curve. However, the conversion is quite expensive. (turns out with #1332 the conversion is significantly faster)

This PR moves the computation to happen on the untwisted Edwards curve:

Ed448/scalar multiplication
                        time:   [256.58 µs 256.76 µs 256.94 µs]
                        change: [−7.9084% −7.7969% −7.6979%] (p = 0.00 < 0.05)
                        Performance has improved.

Based on #1303, #1313, #1314, #1329, #1330, #1332 and #1334 to make sure all optimizations are pulled in before comparing performance.

With further improvements to inversion, the difference could go away entirely, so we might want to hold off until we get a clearer picture from crypto-bigint.

@daxpedda daxpedda changed the title Ed448 mul opt Use untwisted Edwards Curve for Ed448 scalar multiplication Jul 30, 2025
@daxpedda
Copy link
Contributor Author

I think we should delete the whole mod scalar_mul and move its implementation to Decaf, the only place its going to be used after this PR.

The only alternative I see is to somehow make all this code generic to be able to share it between Decaf and Edwards, but it seems that will actually produce more code than it will save.

@daxpedda
Copy link
Contributor Author

daxpedda commented Aug 1, 2025
edited
Loading

I forgot to add #1332, which makes the conversion to twisted form and back much faster.

So now we are only seeing a 8% improvement, not sure if its worth it. If further optimizations to inversion are incoming this all might not be worth it.

@daxpedda daxpedda mentioned this pull request Aug 3, 2025
Open
46 tasks
@tarcieri
Copy link
Member

tarcieri commented Aug 3, 2025
edited
Loading

I think instead of this we should use a better conversion to/from the twisted form which avoids inversions: #1349

@tarcieri tarcieri mentioned this pull request Aug 3, 2025
Open
@daxpedda
Copy link
Contributor Author

daxpedda commented Aug 3, 2025

Yeah, with #1316 the performance of this PR is actually worse.

@daxpedda daxpedda closed this Aug 3, 2025
@daxpedda
Copy link
Contributor Author

daxpedda commented Aug 3, 2025

Just wanted to report back: with all optimizations applied the difference between the twisted and untwisted curve is only one extra multiplication when doing additions.

In total this adds up to 120 extra multiplications in the untwisted curve.
The conversion back and forth adds another 8 multiplications and 4 squarings.

So in total doing the multiplication in the twisted curve saves 112 multiplications but adds 4 squarings.
Clearly an improvement.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@daxpedda @tarcieri