Pieter Wuille
So I think #1066 makes it very clear in what ways norm/mag are *not* compile-time known, as it puts all propagation logic for these fields together. I find: * fe_cmov...
It's still possible to randomize the Z coordinate of the initial/first-fetched table entry (and then multiply with its inverse before returning). That won't blind the table values and table lookups,...
@peterdettman If by projective blinding you mean transforming a point `(X,Y,Z)` to `(a^2*X,a^3*Y,a*Z)` with a random a - that's possible too, but not exactly what I mean. I'm thinking of...
We just moved to a model where all tables are computed at compile-time (#988). We could reintroduce optional runtime ones, but it would undo a decent amount of benefits of...
> Well without the tables per this PR wouldn't you then need a per-addition field mul the same way the strauss ladder does?

Oh, of course. Nevermind.
Sorry it seems I got dragged into this discussion while missing the context of how it started. Right, isomorphism blinding is still possible with SDMC, but it's pointless when combined...
I spent some time thinking about using non-uniform addition (which I assume means a rule that cannot handle doubling or cancellation correctly) in combination with signed-digit multicomb, because there seems...
@peterdettman I don't think it's that simple. At every point, your intermediary result can be written as `sum(d_j*2^j*G)` for some values `d_j` which are all 1,0,-1. The zero/nonzeroness is statically...
@peterdettman I'm not convinced, because the pattern of zero/nonzero bits differs between the intermediary value and the table entry being added, and the difference between these patterns translates to less...
@peterdettman I wrote a simulator for the existing code that can determine for every addition in the SDMC algorithm which ones risk triggering doubling/cancellation. For all the choices on the...