Youssef El Housni
Youssef El Housni
Currently, MNT4/6 pairing is implemented in projective coordinate with a binary Miller loop. Note that the Hamming weight of ATE_LOOP_COUNT for both MNT298 and MNT753 is lower when decomposed in...
In SW and tEd gadgets, when using the hinted scalar decomposition for GLV, we only check that `s1 + λ * s2 == s + k*o` but this is done...
scalar multiplication on bandersnatch in [gnark-crypto](https://github.com/ConsenSys/gnark-crypto/blob/87e7abd83ece7467bb5ec85615421ba3491f0ef8/ecc/bls12-381/twistededwards/bandersnatch/point.go#L430) uses endomorphism-based acceleration. gnark/std should do the same with hints for scalar decomposition.
Add BLS12-378 and BW6-756 support to gnark + proof composition with this chain.
We should clean and correct comments across gnark. Also, It would be nice in the code generation to use mmcloughlin's [mathfmt](https://github.com/mmcloughlin/mathfmt) for equations and [bib](https://github.com/mmcloughlin/bib) for Bibtex references.
A double-and-add scalar multiplication by `N` costs on average `log(N)` doublings and `log(N/2)` additions. For twisted Edwards curves (used in gnark for edDSA circuits), it costs **7 rank-1 constraints** (Groth16)...
Currently only ALT_BN128/BN128, MNT4-298/MNT6-298 and EDWARDS-80 elliptic curves are supported in libff. All of them have a lower security level than 128-bit. Is there any plans to support other curves...
How are the wnaf_window_table and fixed_base_exp_window_table are computed for each curve? Thanks
Is is possible to generate a short addition chain with `addchain` taking into account the signed representation `{-1,0,1}` (2-NAF) of the input integer? In some-use case (final exponentiation in the...
Currently one can weight double/add (square/multiply) when selecting the best chain from the results. Is it possible to weight shifts (doubles or squares in a row) as well? The use-case...