Summary

How many constraints should it be to compute x^{255}?

How many constraints should it be to compute x^{257}?

In our current implementation, the cost of powering by constants is as follows:

L = len of binary representation
N = num of ones in the binary representation
cost = L - 1 + N - 1

So, powering by 255 is more expensive than 257.

Yet, to compute x^{255}, why not compute x^{256}, and then go down to x^{255}, which only takes one constraint?

Problem Definition

The more efficient powering by constant would examine the NAF form (https://en.wikipedia.org/wiki/Non-adjacent_form), which, not just considering the binary representation, but a representation with alphabet -1, 0, 1.

This, indeed, gives a better performance for powering by constant.

Proposal

Enhance the powering by constant by first computing the NAF form, and then write down the constraints accordingly.

Relationship to Poseidon

Although this issue pops up during the implementation of Poseidon, it is semi-useful for Poseidon.

On the one hand, for Poseidon, if the cost of computing x^{255} and x^{257} is the same, it would always prefer 257 for alpha (ignoring the fact that 257 is also a prime, and 255 is not).

On the other hand, it might also be useful for Poseidon. For example, 7 = 8 - 1 is not that expensive indeed, and 7 may be a suitable prime.

cc'ed authors who have touched fields/mod.rs in the past: @ValarDragon @Pratyush

For Admin Use

• Not duplicate issue
• Appropriate labels applied
• Appropriate contributors tagged
• Contributor assigned/self-assigned