### Notes on the Montgomery ladder.

parent ac1e6e5a
 ... ... @@ -63,6 +63,75 @@ y_2)$: Again, very similar to the Weierstraß formulas, with only an additional$b$term in the formula for$x_3$. \subsection{Montgomery ladder} It's possible to do operations on a Montgomery curve in terms of the$x$coordinate only. Or, with homogeneous coordinates, use$X$and$Z$with$x = X/Z. For doubling, \begin{align*} x' &= (x^2 - z^2)^2 = (x-z)^2 (x+z)^2 \\ t &= (x+z)^2 - (x-z)^2 \\ z' &= 4 xz (x^2 + bzx + z^2) = t \left((x+z)^2 + b't\right) \end{align*} withb' = (b-2)/4$. Addition is a bit trickier. If we have$x$and$z$for points$Q_1$,$Q_2$and$Q_3$, with$Q_3 = Q_1 + Q_3$, and$x_1, z_1 \neq 0$, we get the coordinates for$Q_2 + Q_3as \begin{align*} x' &= 4 (x_2 x_3 - z_2 z_3)^2 z_1 = \left((x_2 - z_2)(x_3 + z_3) + (x_2 + z_2)(x_3 - z_3)\right)^2 z_1 \\ z' &= 4 (x_2 z_3 - z_2 x_3)^2 x_1 = \left((x_2 - z_2)(x_3 + z_3) - (x_2 + z_2)(x_3 - z_3)\right)^2 x_1 \end{align*} Note that the doubling formula is symmetric inQ_2$and$Q_3$. Which is consistent with negating of$Q_1$, which really is the negatiion of the$y$-coordinate, which doesn't appear in the formula. This can be used for a binary Montgomery ladder'' to compute$n Q$for any$n$. If we have the points$Q$,$n Q$, and$(n+1) Q, we can compute the three points \begin{align*} (2n) Q &= 2 (nQ) && \text{doubling} \\ (2n+1) Q &= (nQ) + (n+1)Q && \text{addition} \\ (2n+2) Q &= 2((n+1) Q) && \text{doubling} \end{align*} The following algorithm is suggested by dj (see \url{http://www.ietf.org/mail-archive/web/cfrg/current/msg05004.html}. \begin{verbatim} x2,z2,x3,z3 = 1,0,x1,1 for i in reversed(range(255)): bit = 1 & (n >> i) x2,x3 = cswap(x2,x3,bit) z2,z3 = cswap(z2,z3,bit) x3,z3 = ((x2*x3-z2*z3)^2,x1*(x2*z3-z2*x3)^2) x2,z2 = ((x2^2-z2^2)^2,4*x2*z2*(x2^2+A*x2*z2+z2^2)) x2,x3 = cswap(x2,x3,bit) z2,z3 = cswap(z2,z3,bit) return x2*z2^(p-2) \end{verbatim} It's not too hard to decipher this. The update forx_2, z_2$is the doubling. The update for$x_3, z_3$is an addition. If the bit is zero, we get$x_2', z_2'$representing$Q_2' = 2 Q_2$, and$x_3', z_3'$representing$Q_3' = Q_2 + Q_3 = 2 Q_2 + Q_1$. What if the bit is set? For the doubling, we get it applied to$Q_3$instead, so we get$x_3', z_3'$representing$Q_3' = 2 Q_3 = 2 Q_2 + 2 Q_1$. For the add, the initial swap flips the sign of one of the intermediate values, but the end result is the same, so we get$x_2', z_2'$representing$Q_2' = Q_2 + Q_3 = 2 Q_2 + Q_1$, as desired. Note that the initial conditional swap doesn't have to be a full swap; if that's convenient in the implementation, a conditional assignment should be sufficient to get the duplication formula appplied to the right point. It looks like, in all cases, one will start by computing$x_2 \pm z_2$and$x_3 \pm z_3\$, so maybe one can apply conditional assignment to these values instead. \section{Edwards curve} For an Edwards curve, we consider the special case ... ...
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!