a16z / cicada Goto Github PK

Hi! Congrats! Nice work! Here are a few initial ideas for gas-golfing. Hope you'll find them useful.

1. Modular multiplication

• Toom-Cook multiplication: Currently, the mul512 function uses a schoolbook multiplication algorithm. I wonder if It would be more gas-efficient if we used a Toom-4 algorithm. Specifically, you split the 1024-bit integers exactly like you do now into 4 256-bit segments, then apply the Toom-4 algorithm. Generally, the rule of thumb is that after 300-bit or so, it is more efficient to use the Toom-Cook algorithm than the schoolbook multiplication algorithm. Though, not sure this observation also holds for the specific environment of EVM.

• Verifying modular multiplication on-chain: Another possible way to computea*b=c mod N (not sure if this is more gas-efficient than the current solution since it requires twice as long calldata than the current solution) is that the contract receives the quadruple (a,b,c,k)(all of these values have 1024 bits) and checks the multiplication over the integers mod p, i.e., whether a*b-c = k*N mod p where p should be a pseudorandom number, not necessarily a prime (e.g., BLOCKHASH) not known to the prover prior calling any of the Cicada contract's functions (note that p has roughly 256 bits, i.e., a single EVM word). Then the contract checks whether ((a mod p) * (b mod p)) - c mod p = (k mod p)*(N mod p). These mod p operations can be computed efficiently using the 0x06 MOD opcode on the constituent 256-bit words of a,b,c, and k.
  Or rather something along these lines: A note on probabilistically verifying integer and polynomial products

2. Conjunctive normal form (CNF) of Sigma-protocols
   When proving the correctness of the cast ballot, the prover needs to show that the exponential ElGamal encrypts to either 0 or 1, i.e., ($u=g^r \land v=h^r)\lor(u=g^r \land v\cdot y^{-1}=h^r)$. This composition of the Chaum-Pedersen proof and the OR-proof consists of 8 group elements and the verifier's work is 5 modular multiplication. Using the distributive law, would not it be more efficient to rather prove $u=g^r\land(v=h^r\lor v\cdot y^{-1}=h^r)$? This paper suggests a more efficient Sigma-protocol composition for CNF of Sigma protocols for DLOG relations than the original Cramer, Damgård, and Schoenmakers (CRYPTO'94) paper. Here is a link to the paper.