I did some CPU profiling on the benchmarks, and found that the biggest single operation slowing us down was coming from mod() calls. This isn't too surprising - Jacobian points are used precisely to avoid excessive use of modulo operations, as they require expensive division. However, there were a lot of places where I was doing mod unnecessarily.

Numbers only need to be taken modulo P when they are either being compared with one-another directly, being returned to the caller, or being subtracted in such a way that might result in negative values being fed into forthcoming multiplicative operations.

Other than those cases, modulo operations can be pruned.

I also found a improvement in the dbl-2009-l jacobian point doubling formula, where the expression for d can be simplified.

I discovered that when I removed the mod(d) call, the formula still worked. After expanding the terms to investigate, I realized the expression for d is always positive, and happened to notice an opportunity to simplify, removing several subtraction and multiplication operations.

The official dbl-2009-l formula specifies:

d = 2 * ((x1+b)² - a - c)

But it can be simplified, because:

a = x1², c = b²
d = 2 * ((x1+b)² - a - c)
  = 2 * ((x1+b)² - x1² - b²)
  = 2 * ((x1+b)(x1+b) - x1² - b²)
  = 2 * (x1² + 2(x1*b) + b² - x1² - b²)
  = 2 * 2(x1*b)

So actually:

d = 4 * x1 * b

Much easier on the eyes.

• ExampleWeierstrass is now an example of uncompressing a public key.
• All examples moved into one file.
• Examples now all import ekliptic instead of being inside the package scope.
• Specify alice and bob are priv keys
• Use NewPrivateKey in ECDSA example

Current Behavior

The various point-multiplication methods use non-constant-time algorithms which will leak a lot of timing information.

New Behavior

• Multiplying with precomputation now uses a constant-time version of the windowed method using a table of precomputed values. See the README changes for a full explanation.
• Multiplying without precomputation now uses the Montgomery Ladder algorithm to ensure constant-time multiplication.

Fixes #4

Not going to remove ekliptic.NewPrivateKey as suggested in the issue. Callers may want an obvious way of generating keys. Also, elliptic.GenerateKey returns the private key as a byte slice, which is contrary to the idiom in Ekliptic (using big.Ints for everything).

0000000000000000000000000000000000000000000000000000000000000001 vs 6d1b68d0dd35b49978b210349b47202a998d0eaaa4eec00b4d8f056173a2dd4e

is easier to compare visually than

1 vs 6d1b68d0dd35b49978b210349b47202a998d0eaaa4eec00b4d8f056173a2dd4e

Test vectors are rather opaque right now as to where they came from and how I got them. We could write scripts to re-derive (thus validating) our test vectors using other stable secp256k1 implementations.

Potential side-quest related to this issue: in EC math unit tests, we should check affine equality against vectors rather than jacobian equality. It doesn't matter in the end what the exact (x,y,z) pair is, as long as the jacobian ratio is equivalent to the desired affine point. Testing affine equality will make it easier to consume the test vectors of other implementations, because they may use different jacobian math than us.

Golang's standard library provides an elliptic curve crypto utility:

$ go doc elliptic.curve

package elliptic // import "crypto/elliptic"

type Curve interface {
	// Params returns the parameters for the curve.
	Params() *CurveParams
	// IsOnCurve reports whether the given (x,y) lies on the curve.
	IsOnCurve(x, y *big.Int) bool
	// Add returns the sum of (x1,y1) and (x2,y2)
	Add(x1, y1, x2, y2 *big.Int) (x, y *big.Int)
	// Double returns 2*(x,y)
	Double(x1, y1 *big.Int) (x, y *big.Int)
	// ScalarMult returns k*(Bx,By) where k is a number in big-endian form.
	ScalarMult(x1, y1 *big.Int, k []byte) (x, y *big.Int)
	// ScalarBaseMult returns k*G, where G is the base point of the group
	// and k is an integer in big-endian form.
	ScalarBaseMult(k []byte) (x, y *big.Int)
}
    A Curve represents a short-form Weierstrass curve with a=-3.

    The output of Add, Double, and ScalarMult when the input is not a point on
    the curve is undefined.

    Note that the conventional point at infinity (0, 0) is not considered on the
    curve, although it can be returned by Add, Double, ScalarMult, or
    ScalarBaseMult (but not Unmarshal or UnmarshalCompressed).

We should provide a struct which fulfills this interface, so callers can use it in golang standard library APIs.

Possibly related: if we have an elliptic.Curve, we can get rid of ekliptic.NewPrivateKey, because callers could just use crypto/elliptic.GenerateKey instead:

package elliptic // import "crypto/elliptic"

func GenerateKey(curve Curve, rand io.Reader) (priv []byte, x, y *big.Int, err error)
    GenerateKey returns a public/private key pair. The private key is generated
    using the given reader, which must return random data.

• [x] More examples of how to use this code, in human readable terms (https://github.com/kklash/ekliptic/pull/11)
• [ ] Add custom artwork for the library
• [x] Publish a link to pkg.go.dev in readme (https://github.com/kklash/ekliptic/commit/9e6b550c2c4add6881394356dd572a19628c3b6f)