Try โ€‚โ€‰HackMD

Pippenger Algorithm for Multi-Scalar Multiplication (MSM)

Problem

Give

n scalars
ki and
n EC points
Pi, calculate
P such that
P=โˆ‘i=0nkiPi

The Pippenger / Bucket Algorithm

Step 1: partition scalars into windows

Let's first partition each scalar into

m windows each has
w bits, then
ki=ki,0+ki,12w+...+ki,(mโˆ’1)2(mโˆ’1)w

You can think each scalar

ki as a bignum and representing it as a multi-precision integer with limb size
w.

Then we have,

โˆ‘ikiPi=โˆ‘iโˆ‘j=0mโˆ’1ki,j2jwPi

By reordering the sums, we get

โˆ‘ikiPi=โˆ‘j2jw(โˆ‘iki,jPi)=โˆ‘j2jwWj

It means we can calculte the MSM for each window

Wj first, then aggregate the results via
โˆ‘j=0mโˆ’12jwWj

Then, let's examine

Wj=โˆ‘i=0nki,jPi

Step 2: for each window, add points by bucket

Because each window has

w bits,
ki,j has a value range of
[0,2wโˆ’1]. Therefore, we can put
n points into
2w buckets according to the value of
ki,j. We can first calculate
Wj by,

  1. for bucket
    t    ,
    tโˆˆ{0,2wโˆ’1}    , calculate the sum of points in this bucket and get
    Bt
  2. Wj=โˆ‘t=02wโˆ’1tBt

For example, if

w=3 and
n=15, then we have
15 points,
8 buckets, such that
Wj=4P1+3P2+5P3+1P4+4P5+6P7+6P8+3P14+5P15=1P4+3(P2+P14)+4(P1+P5)+5(P3+P15)+6(P7+P8)=1B1+3B3+4B4+5B5+6B6

Therefore,

Wj=โˆ‘t=02wโˆ’1tBt

Step 3: reduce window results

P=โˆ‘i=0nkiPi=โˆ‘j2jwWj

Reference

https://www.notamonadtutorial.com/multiscalar-multiplication-strategies-and-challenges/

tags: msm zkp public
Last changed by 
โ€‰
drouyang.eth
Co-founder @ Snarkify Network, Former FB Research Scientist, Ph.D. in Operating Systems
0
2
5441

Read more

Signed Bucket Indexes for Multi-Scalar Multiplication (MSM)

If we treat bucket indexes as signed integers, we are able to saves one bit in bucket index encoding, and therefore reduce number of buckets and bucket memory usage by half. The method is denoted as the signed-bucket-index method, and also known as NAF method. This method was reported in [1] and implemented by top-2 performers of the zPrize MSM-WASM track.

Oct 25, 2023
Optimizing Multi-Scalar Multiplication (MSM): Learning from ZPRIZE

The following algorithms and techniques are used by the top-2 performers of ZPrize 2022 MSM-WSAM track.

Oct 25, 2023
GLV Decomposition for Multi-Scalar Multiplication (MSM)

GLV Decomposition is an efficient way to calculate point scaling $kP$. This method was originally published by Gallant, Lambert and Vanstone in 2001 [1], and was later integrated into the Bitcoin core code [2]. However, GLV Decomposition was not enabled in Bitcoin until a patent around the GLV method expired in 2020 [3]. A textbook introduction of enomorphisms of elliptic curves can be found in [4]. Problem Given scalar $k$ and EC point $P$, caculate $kP$. Property of Enomorphism Consider the elliptic curve over field $\mathbb{F}_p$ $$E: y^2 = x^3 + c\

Mar 29, 2023
Montgomery Multiplication

Algorithm Consider prime field $\mathbb{F}_p$, select power of two $2^w$ such that $R=2^w > p$, we know that mod by R can be computed by bit shifting. Montgomery Form For $x \in \mathbb{F}_p$, define Montgomery form of $x$ as, $$\bar{x} = xR \pmod p$$ Transform To Montgomery Form Transforming $x$ to Montgomery form can be done by left-shift $x$ by $w$ and reduce modulo $p$. In practice, $x$ and $y$ are transformed to Montgomery form at the beginning of a computation, and transformed back at the end.

Feb 27, 2023
Read more from drouyang.eth
Published on HackMD