The binary GCD has inferior performance to other approaches for big numbers because those min() comparisons require that you update the entire numbers at each step.
I submitted a writeup on the safegcd algorithm used by libsecp256k1 a while back, but it got the HN zomg-bitcoin-related quick flagging: https://github.com/bitcoin-core/secp256k1/blob/master/doc/sa...
Safegcd-like functions require somewhat more iterations, but most of the iterations need to only operate on the least significant bits of the numbers, which makes them faster in practice.
For safegcd-ish functions, proving a hard upper bound on the number of required iterations is non-trivial. But it's useful to prove the bound in order to make constant time versions. Here is a writeup on our techniques for proving the upper bounds: https://github.com/sipa/safegcd-bounds#bounds-on-divsteps-it...
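Added example, not code from the comment above, from libsecp256k1, or from the linked writeups: a plain divstep loop in the Bernstein-Yang formulation (state delta, f, g), then the same steps batched so that n divsteps are computed on only the low n bits of f and g and the full-width numbers are touched once per batch with a 2x2 transition matrix (u, v, q, r). The batch size n=62 and the cofactor names d, e for the modular-inverse variant are this example's own choices; iteration counts are measured, not the proven bound the writeup discusses.

```python
# Added example (not from the page, libsecp256k1, or the safegcd writeups).
# Bernstein-Yang "divstep": one step of the safegcd iteration on odd f.

def divstep(delta, f, g):
    """One divstep on (delta, f, g) with f odd; returns the new triple."""
    assert f & 1, "f must be odd"
    if delta > 0 and g & 1:
        return 1 - delta, g, (g - f) // 2   # swap and subtract (exact: g - f is even)
    if g & 1:
        return 1 + delta, f, (g + f) // 2   # add (exact: g + f is even)
    return 1 + delta, f, g // 2             # g even: just halve it


def safegcd_simple(f, g):
    """gcd(f, g) for odd f, one divstep at a time. Returns (gcd, divsteps)."""
    delta, steps = 1, 0
    while g != 0:
        delta, f, g = divstep(delta, f, g)
        steps += 1
    return abs(f), steps          # f ends as +/- gcd


def divsteps_n_matrix(delta, f, g, n):
    """Run n divsteps using only the low n bits of f and g.

    Each step consumes one bit of precision, and the branch decisions
    depend only on delta and the parity of g, so the low-n-bit copies are
    enough. Returns the new delta and (u, v, q, r) such that, for the
    full-width inputs f0, g0:
        2**n * f_n == u*f0 + v*g0
        2**n * g_n == q*f0 + r*g0
    """
    u, v, q, r = 1, 0, 0, 1       # identity, scaled by 2**0
    for _ in range(n):
        if delta > 0 and g & 1:
            delta, f, g, u, v, q, r = 1 - delta, g, (g - f) // 2, 2 * q, 2 * r, q - u, r - v
        elif g & 1:
            delta, f, g, u, v, q, r = 1 + delta, f, (g + f) // 2, 2 * u, 2 * v, q + u, r + v
        else:
            delta, f, g, u, v, q, r = 1 + delta, f, g // 2, 2 * u, 2 * v, q, r
    return delta, (u, v, q, r)


def safegcd_batched(f, g, n=62):
    """gcd(f, g) for odd f with n divsteps per full-width update.

    Returns (gcd, divsteps); the count is a multiple of n because extra
    steps after g hits 0 only halve the zero and bump delta.
    """
    assert f & 1, "f must be odd"
    delta, steps = 1, 0
    mask = (1 << n) - 1           # Python's & yields the two's-complement low bits for negatives
    while g != 0:
        delta, (u, v, q, r) = divsteps_n_matrix(delta, f & mask, g & mask, n)
        f, g = (u * f + v * g) >> n, (q * f + r * g) >> n   # exact: low n bits are zero
        steps += n
    return abs(f), steps


def modinv_safegcd(x, m, n=62):
    """x^-1 mod odd m via batched divsteps, for gcd(x, m) == 1.

    Cofactors d, e keep the invariants f == d*x (mod m), g == e*x (mod m);
    at the end f is +/-1, so x^-1 == d * f (mod m).
    """
    assert m & 1 and 0 < x < m
    f, g, d, e, delta = m, x, 0, 1, 1
    mask = (1 << n) - 1
    inv2n = pow(1 << n, -1, m)    # undo the 2**n scaling of the matrix, modulo m
    while g != 0:
        delta, (u, v, q, r) = divsteps_n_matrix(delta, f & mask, g & mask, n)
        f, g = (u * f + v * g) >> n, (q * f + r * g) >> n
        d, e = (u * d + v * e) * inv2n % m, (q * d + r * e) * inv2n % m
    assert abs(f) == 1, "x is not invertible modulo m"
    return d * f % m


if __name__ == "__main__":
    P = 2**256 - 2**32 - 977      # secp256k1 field prime, used here as sample input
    print(safegcd_simple(15, 6))            # (3, 4)
    print(safegcd_batched(15, 6, 4))        # (3, 4)
    print(modinv_safegcd(3, 7))             # 5
    print(safegcd_simple(P, 12345)[1], "divsteps for a 256-bit input (measured, not a bound)")
```

The batched loop is the point of the comment: only `divsteps_n_matrix` looks at g's bits step by step, and it does so on an n-bit word, while the 256-bit f and g are updated once per batch. A constant-time implementation would additionally replace the data-dependent branches and the `while g != 0` exit with a fixed number of batches derived from a proven divstep bound, which is exactly what the linked bounds writeup is about.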