git.codecow.com Git - Monocypher.git/commit

author	Loup Vaillant <loup@loup-vaillant.fr>
	Wed, 18 Jul 2018 19:08:40 +0000 (21:08 +0200)
committer	Loup Vaillant <loup@loup-vaillant.fr>
	Wed, 18 Jul 2018 19:08:40 +0000 (21:08 +0200)
commit	2b8f447792c3e94f9be263c206a2ea0fbadf99da
tree	ad5516e131f9069adf2c9f53dade879ec5ddf3dc	tree \| snapshot
parent	95dd2bed67fb566202ffbb79db1b570bd18674b2	commit \| diff

Unsigned sliding windows for EdDSA verification

Reduces the number of additions in ge_double_scalarmult_vartime().
Verification is now 80% as fast as signing (in naive implementations,
it's only 50% as fast).

It could be even faster, but it's probably not worth the trouble:

- We could precompute the lookup table for the base point instead of
  constructing a cache.  This would save about 8 point additions total,
  at the cost of 64 lines of code just to lay out the 320 precomputed
  constants.

- We could use special, cheaper additions for the precomputed base
  point, at the cost of an additional addition function.

- We could use *signed* sliding windows to further reduce the number of
  additions, at the cost of an additional point subtraction function
  (two if combined with special additions for the base point).  Besides,
  I don't understand how they work.

The low hanging fruits have been taken.  Signature verification is
faster than ever before.  This is good enough.