ecmult in pubkey_tweak_mul #387

issue fanatid opened this issue on April 27, 2016
  1. fanatid commented at 8:12 AM on April 27, 2016: contributor

    Is there any sense in using secp256k1_ecmult instead of secp256k1_ecmult_const in pubkey_tweak_mul?

    cc @axic

  2. sipa commented at 8:16 AM on April 27, 2016: contributor

    Yes, the non-const version is faster, and this API call does not work on secret data that needs timing attack resistance.

  3. fanatid commented at 8:20 AM on April 27, 2016: contributor

    Sorry, I hadn't seen benchmarks. Will secp256k1_ecmult be faster even if the second scalar is zero? (i.e. na*A + 0*G)

  4. apoelstra commented at 10:09 AM on April 27, 2016: contributor

    I don't think there are direct benchmarks of these functions (though maybe you can infer data from the benchmarks for ECDH and ecdsa_verify). I hacked some in to see what the results are, and on my system ecmult takes 0.8 times as long as ecmult_const (though this increases to 0.9 if the second scalar is not zero).

    So yes, ecmult is faster than even a single call to ecmult_const, even though it appears to do twice-ish as much work.

  5. sipa commented at 10:10 AM on April 27, 2016: contributor

    The catch is that it's variable time, so it can notice the G multiplier is 0, and not do work for it :)

  6. fanatid commented at 10:19 AM on April 27, 2016: contributor

    @sipa @apoelstra thank you

  7. fanatid closed this on Apr 27, 2016
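
The trade-off discussed in this thread, as an added example that is not part of the original issue and is not libsecp256k1 code: a toy model that counts group operations for a variable-time `na*A + ng*G` and for a fixed-schedule multiplication. The group (integers mod `P` under addition), the 16-bit scalars and every function name are assumptions made for illustration; the real library uses different algorithms.

```c
#include <stdint.h>
#include <stdio.h>

#define P 1000003u /* toy group: integers mod P under addition, standing in for curve points */
#define BITS 16    /* toy scalar width (assumption) */

static unsigned ops; /* number of group operations performed so far */

static uint32_t gadd(uint32_t a, uint32_t b) { ops++; return (a + b) % P; }

/* Variable time: computes na*A + ng*G with shared doublings. It skips leading
 * zero bits and every zero bit, so the work done depends on both scalars. */
uint32_t mul_var(uint32_t na, uint32_t A, uint32_t ng, uint32_t G) {
    uint32_t r = 0;
    int top = BITS - 1;
    while (top >= 0 && !(((na | ng) >> top) & 1)) top--;
    for (int i = top; i >= 0; i--) {
        r = gadd(r, r);
        if ((na >> i) & 1) r = gadd(r, A);
        if ((ng >> i) & 1) r = gadd(r, G); /* never taken when ng == 0 */
    }
    return r;
}

/* Fixed schedule: always BITS doublings and BITS additions. The result of each
 * addition is kept or discarded with a mask, with no branch on scalar bits. */
uint32_t mul_const(uint32_t n, uint32_t A) {
    uint32_t r = 0;
    for (int i = BITS - 1; i >= 0; i--) {
        r = gadd(r, r);
        uint32_t t = gadd(r, A);
        uint32_t mask = (uint32_t)0 - ((n >> i) & 1);
        r = (r & ~mask) | (t & mask);
    }
    return r;
}

/* Operation counts for given scalars; base points 5 and 7 are constructed values. */
unsigned count_var(uint32_t na, uint32_t ng) { ops = 0; mul_var(na, 5, ng, 7); return ops; }
unsigned count_const(uint32_t n) { ops = 0; mul_const(n, 5); return ops; }

int main(void) {
    printf("var   na=0x8000 ng=0      : %u ops\n", count_var(0x8000, 0));
    printf("var   na=0x8000 ng=0x8000 : %u ops\n", count_var(0x8000, 0x8000));
    printf("var   na=0xFFFF ng=0      : %u ops\n", count_var(0xFFFF, 0));
    printf("const n=0x8000            : %u ops\n", count_const(0x8000));
    printf("const n=0xFFFF            : %u ops\n", count_const(0xFFFF));
    return 0;
}
```

The variable-time counts change with the scalar values, which is the timing signal that matters for secret scalars; the fixed-schedule count is the same for every input.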


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-14 18:15 UTC