The gas cost for modexp will soon be increased in https://eips.ethereum.org/EIPS/eip-7883. It is also possible that it will become a non-precompile at some point, making gas even worse, see https://x.com/VitalikButerin/status/1985396529172017156.
Wherever possible we should use plain EVM instead.
- for BN254 `modexpLegendre()`, it is probably no longer true that it "is cheaper than an addchain for exponent (N-1)/2". One possibility is to not do Legendre and instead attempt sqrt directly, but we don't know which is cheaper.
- for BLS12 G1 decompression, `x^3` is easy enough to compute ad hoc but `sqrt` would require an addchain.
- for BLS12 381-bit modulo, it was a bit silly of me to use modexp in the first place.
We should also have insightful benchmarks before we begin. I am working on it.
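An added sketch (not code from this repository) of the two BN254 strategies named above: Legendre check then sqrt, versus attempting sqrt directly and verifying by squaring. It assumes N is the BN254 base field prime, uses plain binary square-and-multiply as a stand-in for a tuned addition chain, and counts modular multiplications, not gas; the function names are hypothetical.

```python
# BN254 base field prime (assumed to be the N of the issue). P % 4 == 3,
# so for a square a, a^((P+1)/4) is one of its square roots.
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583

def pow_counted(base, exp, mod):
    """Left-to-right square-and-multiply; returns (result, mulmod count).
    Stand-in for an addition chain, which would need fewer multiplications."""
    assert exp >= 1
    result, count = base % mod, 0
    for bit in bin(exp)[3:]:          # skip '0b' and the leading 1 bit
        result = result * result % mod
        count += 1
        if bit == "1":
            result = result * base % mod
            count += 1
    return result, count

def sqrt_legendre_first(a):
    """Euler criterion a^((P-1)/2) first, then the root only for residues."""
    a %= P
    symbol, cost = pow_counted(a, (P - 1) // 2, P)
    if symbol == 0:
        return 0, cost                # a == 0
    if symbol != 1:
        return None, cost             # non-residue: rejected after one chain
    root, cost2 = pow_counted(a, (P + 1) // 4, P)
    return root, cost + cost2

def sqrt_direct(a):
    """Compute the candidate root unconditionally, then verify by squaring.
    The squaring check must not be dropped: for a non-residue the candidate
    is a root of -a, not of a."""
    a %= P
    root, cost = pow_counted(a, (P + 1) // 4, P)
    cost += 1                         # the verification mulmod
    if root * root % P != a:
        return None, cost
    return root, cost

if __name__ == "__main__":
    for label, value in (("residue 4", 4), ("non-residue P-1", P - 1)):
        print(label, "legendre-first mulmods:", sqrt_legendre_first(value)[1],
              "direct mulmods:", sqrt_direct(value)[1])
```

For residues the direct route always saves the whole Legendre chain; for non-residues the two routes cost roughly one chain each, so the comparison left open above depends on how often invalid inputs are expected and on the measured gas of each chain.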