Precompiles for ECADD and ECMUL #102
Comments
This seems reasonable if such functions are needed.
Updated to make it more generic (set your own curve parameters).
Reverse engineering from the current ECRECOVER cost, i.e. an ECRECOVER is 3 multiply ops plus some adds and modexp, so the cost of ECMUL should be close to a third of that of ECRECOVER.
Not sure, especially with the curve generalization.
Great. If curve params are supported, maybe it could have more functions, some for validating curve params, some that do an op with some standard checks, and one "unsafe" version that assumes the validation has already been done. A few basic validation functions and math (check if a number is prime, etc.) would be great.
In general, I'd rather see the EVM be efficient enough that contracts like this are not necessary.
Can we close this, in favour of #213?
@Arachnid @Souptacular @nicksavers @cdetrio @gcolvin I think this issue should be closed given EIP196 was merged.
Parameters
METROPOLIS_FORK_BLKNUM: TBA
GECADD: 200
GECMUL: 1000
Specification
Adds a precompile at address 0x0000....0a which accepts as input 224 bytes that it interprets as [x1, y1, x2, y2, P, A, B] (if less than 224 bytes are provided the remaining bytes are assumed to be zero, if more than 224 bytes are provided they are ignored). Throws if (x1, y1) or (x2, y2) are not on the curve defined by (P, A, B) (i.e. x**3+A*x+B-y**2 is not a multiple of P), otherwise returns 64 bytes representing the elliptic curve addition (x1, y1) + (x2, y2) on that curve.
Adds a precompile at address 0x0000....0b which accepts as input 192 bytes that it interprets as [x, y, n, P, A, B] (if less than 192 bytes are provided the remaining bytes are assumed to be zero, if more than 192 bytes are provided they are ignored). Throws if (x1, y1) is not on the curve defined by (P, A, B) (i.e. x**3+A*x+B-y**2 is not a multiple of P), otherwise returns 64 bytes representing the elliptic curve multiplication (x1, y1) * n on that curve.
Rationale
Allows for the efficient application of ring signatures and other cryptography based on elliptic curves. Currently, an secp256k1-focused implementation of these operations (see https://github.com/ethereum/serpent/blob/develop/examples/ecc/jacobian_arith.se ) takes ~200k gas for a multiply, ~750k gas for an ecrecover and ~900k gas per linkable ring signature participant, which is unacceptably high.
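An added example, not part of the issue and not taken from any client: a Python model of the two precompiles as specified above, covering the zero-padding and truncation rule, the on-curve test and the affine group law. Assumptions not stated in the issue: words are 32-byte big-endian integers, P is an odd prime (a modulus below 3 is rejected), the point at infinity is returned as 64 zero bytes, and all function names are hypothetical.

```python
# Added illustration of the ECADD/ECMUL behaviour specified in the issue.
# Assumptions: 32-byte big-endian words; None = point at infinity, encoded
# as 64 zero bytes; "throws" is modelled as ValueError.

def words(data, count):
    """Zero-pad short input, ignore extra bytes, split into 32-byte integers."""
    data = data[:32 * count].ljust(32 * count, b"\x00")
    return [int.from_bytes(data[i:i + 32], "big") for i in range(0, len(data), 32)]

def load_point(x, y, P, A, B):
    """Throw unless x**3 + A*x + B - y**2 is a multiple of P (the spec's test)."""
    if P < 3:  # assumption: the issue leaves degenerate moduli undefined
        raise ValueError("modulus too small")
    if (x**3 + A * x + B - y**2) % P != 0:
        raise ValueError("point is not on the curve")
    return x % P, y % P

def add(p1, p2, P, A):
    """Affine addition; pow(.., -1, P) raises ValueError if P is not prime
    and the denominator has no inverse, since P is caller-supplied."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # Q + (-Q), including doubling a point with y == 0
    if p1 == p2:
        m = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def encode(pt):
    return bytes(64) if pt is None else b"".join(c.to_bytes(32, "big") for c in pt)

def ecadd(data):
    x1, y1, x2, y2, P, A, B = words(data, 7)   # 224 bytes
    return encode(add(load_point(x1, y1, P, A, B), load_point(x2, y2, P, A, B), P, A))

def ecmul(data):
    x, y, n, P, A, B = words(data, 6)          # 192 bytes
    result, addend = None, load_point(x, y, P, A, B)
    while n:                                   # double-and-add, not constant time
        if n & 1:
            result = add(result, addend, P, A)
        addend = add(addend, addend, P, A)
        n >>= 1
    return encode(result)
```

Input shorter than the full length zero-fills the trailing fields, so a call that omits B is evaluated against the curve with B = 0 rather than rejected for its length.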