Thread: Armadillo ECDSA-113
View Single Post
  #6  
Old 03-15-2026, 03:05
cjack's Avatar
cjack cjack is offline
Family
  
Join Date: Jan 2002
Posts: 170
Rept. Given: 196
Rept. Rcvd 176 Times in 34 Posts
Thanks Given: 332
Thanks Rcvd at 219 Times in 64 Posts
cjack Reputation: 100-199 cjack Reputation: 100-199
Hey everyone,

Quick update on the Armadillo ECDSA-113 solver project. We just released v2.0.0 of both server and solver, fixing a critical bug discovered by WhoCares — huge thanks to him for the sharp eye.

What was wrong:

The walk partition function was using raw affine x-coordinate bits to determine the walk step (p = wX.hi & 31). Since the Frobenius endomorphism τ(x,y) = (x², y²) completely changes the bit pattern of x, two points in the same Frobenius orbit would take different walk paths. This means the 226× speedup from Frobenius equivalence classes was completely inactive — the solver was effectively brute-forcing the full 112-bit space instead of the reduced ~104-bit quotient space.

With 344M distinguished points collected under v1.x, the true collision probability was around 1.3%, not the 94.5% displayed on the dashboard. The old DPs were essentially useless for finding collisions through Frobenius orbits.

What v2.0 fixes:

The solver now implements canonical lifting — at every walk step, it finds the lexicographically smallest x-coordinate across all 113 Frobenius conjugates (x, x², x⁴, ..., x^(2¹¹²)), lifts the point to that canonical representative via repeated squaring, and scales the linear combination coefficients by the appropriate power of λ (the Frobenius eigenvalue). The partition function now operates on the canonical x, making the walk Frobenius-invariant.

Key changes:

ec_canon_x(): iterates 112 squarings to find lex-min x in the orbit
λ^i power table (113 entries) precomputed in __constant__ memory
Coefficient scaling via sc_mul128(a, lambda_pow[ci]) at each step
Server collision resolution updated for all 5 Frobenius cases (d=0, ±τ^d, ±τ^d')
Version gating: server rejects all agents < v2.0.0 to prevent mixing old/new DPs
Performance: ~377 M iter/s per RTX 5090 (down from ~1050 M/s due to canonicalization overhead), but each iteration now searches an effective space 226× smaller. Net theoretical speedup: ~81×.

Current status:

Server v2.0.0 and solver v2.0.0 are up and running, all workers active and submitting canonical DPs. Fresh start from zero — all old DPs discarded.

@WhoCares: Would you be willing to do another independent verification of the v2 solver+server? I've prepared a review package (source code + test suite + review instructions) — I can send it to you or you can grab it from the dashboard download. Specifically interested in confirming:

The canonical lifting logic is mathematically sound
Coefficient scaling with λ^i is correct
Walk partition is truly Frobenius-invariant
Server collision resolution handles all Frobenius rotation cases
No regression in DP generation/submission pipeline
Your previous analysis was spot-on and saved us from burning through the entire fleet budget on broken walks. Want to make absolutely sure v2 is solid before we spend the next few days waiting for a collision.

Source code and full changelog available on the dashboard. ZIP includes complete sources, build scripts, and test suite.
Reply With Quote
The Following 3 Users Say Thank You to cjack For This Useful Post:
Abaddon (03-19-2026), WhoCares (03-15-2026), wx69wx2023 (03-15-2026)