EdMSM

Now we will show that when the highest word of the modulus $p$ is at most $\frac{(B-1)}{2} - 1$ (which holds when for 64-bit machine words, the significant word of the modulus is at most 0x7FFFFFFFFFFFFFFE), the two highlighted additions (1) and (2) can be safely omitted.

Observe that for the last iterations of two inner loops, the results have the form of $\mathsf{(carry\_out}, t_{new}) := t_{old} + x_1 \cdot x_2 + \mathsf{carry\_in}$. We can derive the lemma below with a simple calculation.

Lemma 1. If one of $x_1$ and $x_2$$x_1$ is at most $\frac{(B-1)}{2} - 1$, then $\mathsf{carry\_out} \le \frac{(B-1)}{2}$.

From this lemma, we can derive that if the highest word of $n$ is at most $\frac{(B-1)}{2} - 1$ then the variables $t[l]$ and $t[l+1]$ always store the value $0$ at the beginning of the iteration. This is shown by a proof of induction.

The base case ($i=0$) is trivial ($t$ is always initialized to $0$).

At iteration $i$, suppose that $t[l] = t[l+1] = 0$ and trace the first inner loop execution through the iteration. As $\bar{a} < n$ and the highest word of $n$ is smaller than $\frac{(B-1)}{2}$, Lemma 1 can be used to see that the carry out from the last iteration of the first inner loop is at most $\frac{(B-1)}{2}$. Then line (1) sets

The same reasoning applies for the second inner loop as the highest word of $n$ is smaller than $\frac{(B-1)}{2}$. As $t[l] + \mathsf{carry\_out}$ has the maximum value of $\frac{(B-1)}{2} + \frac{(B-1)}{2} = (B-1)$, we can assume that it falls into one limb and the updated $\mathsf{carry\_out}$ is $0$, and we know that $t[l+1]$ is untouched during the loop, which altogether keeps the invariant true going through the line (2) :

SOS saves $l-1$ multiplications whereas CIOS saves $5l + 2$ additions and $l-1$ memory space.

Refer to the for the explanation of 2-chain and 2-cycle of elliptic curves.

All inner BLS curves admit a Short Weierstrass form of : $y^2 = x^3 + 1$

and they always admit a : $ay^2 + x^2 = 1 + dx^2y^2$ (with $a = 2\sqrt{3} - 3$ and $d = - 2\sqrt{3} - 3$ over $\mathbb{F}_p$).

Refer to the for the proof. Note that this implies both curves in a 2-cycle admit a twisted Edwards form following the same reasoning.

Refer to the written by us for the full background on Pippenger's.

Let $n$ be the size of MSM, $\lambda$ be the maximum bit length of scalars, $s$ be the window size, $P_i$ be the bases points ($i = [n]$), $W_i$ be the window sum ($i = [\lambda / s]$), and $B_i$ be the bucket sums ($i = [2^{s-1}]$).

Using parallelism, we can achieve best improvement when we have $\lambda/s$ cores and let each core compute each window sum $W_i$ in Bucket Reduction step. But this increases memory usage as each core needs to keep $2^s - 1$ buckets.

Precomputation also may improve the performance when the bases $P_1, \ ..., \ P_n$ are known in advance. For example, for each base $P_i$ we can choose $k$ as big as the storage allows and precompute $k$ points $[2^s - k]P, \ ..., \ [2^s-1]P$ so that can skip first $k$ buckets. However large MSM instances already utilize their memory to extreme. Hence the precomputation approach yields negligible improvement in our case.

The number of buckets can be reduced by adopting the . This method decreases the bucket number by half, hence giving the final total cost $\approx \frac{\lambda}{s}(n+2^{s-1})$ group operations.

is an additional optimization that can be applied only when the curves of interest also have the endomorphism property.

To minimize the overall cost of storage but also run time, one can store the bases $P_i$ in affine coordinates (in tuples $(x_i, y_i)$).

As Bucket Accumulation is the only step whose cost includes a factor $n$, for large MSM instances the dominating cost is in summing up each bucket. Note that the additions here are mixed addition, which refers to the addition between a affine point ($P_i$) and a projective point (partial sum of $B_i$), which is faster than normal projective-projective addition.

Over the short Weierstrass (SW) form, we commonly choose extended Jacobian coordinates $\{X, Y, Z^2, Z^3\}$ where $x = \frac{X}{Z^2}$ and $y = \frac{Y} {Z^3}$, trading-off memory for run time compared to the usual Jacobian coordinates.

We take the example of BLS12-377 for which $a = -1$ :

For Bucket Accumulation step, they used unified mixed additions with some precomputations. Instead of storing $P_i$ in affine coordinates they store them in a custom coordinates system $(X, Y, T)$ where $y − x = X, y + x = Y$ and $2d' \cdot x \cdot y = T$.

The conversion of all the $P_i$ points given on a SW curve with affine coordinates to points on a tEd curve with the custom coordinates $(X, Y, T )$ is a one-time computation dominated by a single inverse using the Montgomery batch trick.

The implementation of EdMSM shows that an MSM instance of size $2^{16}$ on the BLS12-377 curve is 30% faster when $P_i$ points are given on a tEd curve with the custom coordinates compared to the extended-Jacobian-based version which takes points in affine coordinates on a SW curve.

Written by from