Henry de Valence

Benedikt mentioned that the libsecp implementation does a hybrid strategy, jumping a few steps at once (without shrinking), then cutting the sizes of the vectors. Could be worth exploring, at...

Another strategy would be to try to speed up the double-base scalar multiplications by vectorizing across points. This would require a change in the upstream curve library, and I'm not...

Cool! Thanks for pointing this out. We should check 1. whether this optimization can be done transparently by the prover; 2. an estimate on how much time it actually saves...

Before we redesign the API at all, maybe it would be good to measure whether the allocations are actually expensive? When @cathieyun and I profiled the CS implementation, almost all...

Thanks for the reference!

My understanding is that there's not likely to be any problem with the construction, it's just that formalizing and proving correctness is a bunch of work, and nobody has done...

Is there a reason to do this instead of using the identity `1 + ... + x^{n-1} = (1 - x^n) / (1 - x)`? It costs one inversion, but...

Cool, I'm convinced this works but I'm not sure I understand why yet, so I'm working on some notes right now.

The power-of-two recurrence is really nicely explained and it makes sense, but I don't understand why the recurrence for general `n` works. Is it possible to prove it?

Since we moved to aggregated proofs, I think #27 is stale and has to be rewritten to handle the aggregated-proof verification checks.