Speedup sqrt_ratio #145
Open
Speedup sqrt_ratio #145
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
New implementation of sqrt_ratio using the modified version of the Tonelli--Shanks algorithm from https://eprint.iacr.org/2020/1497.pdf the gain is made mostly when (p - 1) is 2-adically large (3 mod 4, 5 mod 8, etc). In these cases the 1 inversion, 2 sqrts (= 3 exponentiations) of the previous implementation is replaced with 1 merged sqrt-ratio (= 1 exponentiation). Performance should become similar between the old and new implementations when p - 1 = 2^s * t with t small. Main changes: - Refactor `sqrt_impl` to separate out the Tonelli--Shanks loop logic - Write new `sqrt_ratio_impl` to generate an implementation for each prime. - Write new test to check `sqrt_ratio` behaviour. Note: Old function `sqrt_ratio_generic` no longer plays a role if derive is used.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implement in ff_derive the "merged" version of
sqrt_ratiousing the Tonelli--Shanks algorithm as described in Scott's Tricks of the trade article.In broad terms if$\mathbb{F}_p$ , and the same is true for inversions in $\mathbb{F}_p$ . The current implementation $2^{255} - 19$ ) when
p - 1 = 2^s * twithtlarge-ish the bulk of the Tonelli--Shanks algorithm is bundled in a single exponentiation insqrt_ratio_genericrequires 1 inversion and 2 square-roots (hence 3 exponentiations). Writingx = num^3 * divone can bundle all of these into a single "projenitor" calculation. This leads to a speed-up (e.g., ~2.5x forp-1is "not-too-2-adically-small" (with respect top). Whentis small (e.g., the fields used by JubJub, Bls381, Pallas, Vesta) performance is more-or-less comparable (or maybe very slightly worse) since most of the time is soaked up in the "loop" part of Tonelli--Shanks (which, in both cases, is called twice).Some (naive) comparisons can be found at this link.