diff --git a/misc/ecc-formulas.tex b/misc/ecc-formulas.tex index 1b21dea730c6c754b1289eb47e1e5bbcd9caa3c1..e347dcd9f5c071a107b751259436e7eb48bed306 100644 --- a/misc/ecc-formulas.tex +++ b/misc/ecc-formulas.tex 
@@ -63,6 +63,75 @@ y_2)$: Again, very similar to the Weierstraß formulas, with only an additional$b$term in the formula for$x_3$. +\subsection{Montgomery ladder} + +It's possible to do operations on a Montgomery curve in terms of the +$x$coordinate only. Or, with homogeneous coordinates, use$X$and$Z$+with$x = X/Z. + +For doubling, +\begin{align*} + x' &= (x^2 - z^2)^2 = (x-z)^2 (x+z)^2 \\ + t &= (x+z)^2 - (x-z)^2 \\ + z' &= 4 xz (x^2 + bzx + z^2) = t \left((x+z)^2 + b't\right) +\end{align*} +withb' = (b-2)/4$. + +Addition is a bit trickier. If we have$x$and$z$for points$Q_1$, +$Q_2$and$Q_3$, with$Q_3 = Q_1 + Q_3$, and$x_1, z_1 \neq 0$, we +get the coordinates for$Q_2 + Q_3as +\begin{align*} + x' &= 4 (x_2 x_3 - z_2 z_3)^2 z_1 = \left((x_2 - z_2)(x_3 + z_3) + + (x_2 + z_2)(x_3 - z_3)\right)^2 z_1 \\ + z' &= 4 (x_2 z_3 - z_2 x_3)^2 x_1 = \left((x_2 - z_2)(x_3 + z_3) - + (x_2 + z_2)(x_3 - z_3)\right)^2 x_1 +\end{align*} +Note that the doubling formula is symmetric inQ_2$and$Q_3$. Which +is consistent with negating of$Q_1$, which really is the negatiion of +the$y$-coordinate, which doesn't appear in the formula. + +This can be used for a binary Montgomery ladder'' to compute$n Q$+for any$n$. If we have the points$Q$,$n Q$, and$(n+1) Q, we can +compute the three points +\begin{align*} + (2n) Q &= 2 (nQ) && \text{doubling} \\ + (2n+1) Q &= (nQ) + (n+1)Q && \text{addition} \\ + (2n+2) Q &= 2((n+1) Q) && \text{doubling} +\end{align*} + +The following algorithm is suggested by dj (see +\url{http://www.ietf.org/mail-archive/web/cfrg/current/msg05004.html}. +\begin{verbatim} + x2,z2,x3,z3 = 1,0,x1,1 + for i in reversed(range(255)): + bit = 1 & (n >> i) + x2,x3 = cswap(x2,x3,bit) + z2,z3 = cswap(z2,z3,bit) + x3,z3 = ((x2*x3-z2*z3)^2,x1*(x2*z3-z2*x3)^2) + x2,z2 = ((x2^2-z2^2)^2,4*x2*z2*(x2^2+A*x2*z2+z2^2)) + x2,x3 = cswap(x2,x3,bit) + z2,z3 = cswap(z2,z3,bit) + return x2*z2^(p-2) +\end{verbatim} +It's not too hard to decipher this. The update forx_2, z_2$is the +doubling. 
The update for$x_3, z_3$is an addition. + +If the bit is zero, we get$x_2', z_2'$representing$Q_2' = 2 Q_2$, +and$x_3', z_3'$representing$Q_3' = Q_2 + Q_3 = 2 Q_2 + Q_1$. + +What if the bit is set? For the doubling, we get it applied to$Q_3$+instead, so we get$x_3', z_3'$representing$Q_3' = 2 Q_3 = 2 Q_2 + 2 +Q_1$. For the add, the initial swap flips the sign of one of the +intermediate values, but the end result is the same, so we get$x_2', +z_2'$representing$Q_2' = Q_2 + Q_3 = 2 Q_2 + Q_1$, as desired. + +Note that the initial conditional swap doesn't have to be a full swap; +if that's convenient in the implementation, a conditional assignment +should be sufficient to get the duplication formula appplied to the +right point. It looks like, in all cases, one will start by computing +$x_2 \pm z_2$and$x_3 \pm z_3\$, so maybe one can apply conditional +assignment to these values instead. + \section{Edwards curve} For an Edwards curve, we consider the special case
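Review bot: the setup of the addition formula in this hunk defines the third point circularly, "with $Q_3 = Q_1 + Q_3$", where it must read $Q_3 = Q_1 + Q_2$ for the later claims ($Q_3' = Q_2 + Q_3 = 2 Q_2 + Q_1$, $2 Q_3 = 2 Q_2 + 2 Q_1$) to hold. In the same region, "Note that the doubling formula is symmetric in $Q_2$ and $Q_3$" refers to the wrong formula: the doubling formula has a single input, and it is the addition formula for $Q_2 + Q_3$ that is symmetric in $Q_2$ and $Q_3$ (consistent with the argument that swapping them negates $Q_1 = Q_3 - Q_2$, which only changes the $y$-coordinate). Please also state once that the $A$ in the quoted snippet is the curve coefficient written $b$ in the surrounding text, since the doubling line `x2,z2 = ((x2^2-z2^2)^2,4*x2*z2*(x2^2+A*x2*z2+z2^2))` is otherwise hard to match against the $z'$ formula above it. Minor: "Montgomery ladder''" is missing its opening ``, the sentence ending "\url{...}." is missing its closing parenthesis, and "negatiion" and "appplied" are typos.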