From d51ff03e79438cc8f28b0d91d209887aab59b0f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sat, 6 Sep 2014 22:42:31 +0200
Subject: [PATCH] Notes on the Montgomery ladder.

---
 misc/ecc-formulas.tex | 69 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/misc/ecc-formulas.tex b/misc/ecc-formulas.tex
index 1b21dea7..e347dcd9 100644
--- a/misc/ecc-formulas.tex
+++ b/misc/ecc-formulas.tex
@@ -63,6 +63,75 @@ y_2)$:
 Again, very similar to the Weierstraß formulas, with only an
 additional $b$ term in the formula for $x_3$.
 
+\subsection{Montgomery ladder}
+
+It's possible to do operations on a Montgomery curve in terms of the
+$x$ coordinate only. Or, with homogeneous coordinates, use $X$ and $Z$
+with $x = X/Z$.
+
+For doubling,
+\begin{align*}
+  x' &= (x^2 - z^2)^2 = (x-z)^2 (x+z)^2 \\
+  t &= (x+z)^2 - (x-z)^2 \\
+  z' &= 4 xz (x^2 + bzx + z^2) = t \left((x+z)^2 + b't\right)
+\end{align*}
+with $b' = (b-2)/4$.
+
+Addition is a bit trickier. If we have $x$ and $z$ for points $Q_1$,
+$Q_2$ and $Q_3$, with $Q_3 = Q_1 +  Q_3$, and $x_1, z_1 \neq 0$, we
+get the coordinates for $Q_2 + Q_3$ as
+\begin{align*}
+  x' &= 4 (x_2 x_3 - z_2 z_3)^2 z_1 = \left((x_2 - z_2)(x_3 + z_3) +
+    (x_2 + z_2)(x_3 - z_3)\right)^2 z_1 \\
+  z' &= 4 (x_2 z_3 - z_2 x_3)^2 x_1 = \left((x_2 - z_2)(x_3 + z_3) -
+    (x_2 + z_2)(x_3 - z_3)\right)^2 x_1
+\end{align*}
+Note that the doubling formula is symmetric in $Q_2$ and $Q_3$. Which
+is consistent with negating of $Q_1$, which really is the negatiion of
+the $y$-coordinate, which doesn't appear in the formula.
+
+This can be used for a binary ``Montgomery ladder'' to compute $n Q$
+for any $n$. If we have the points $Q$, $n Q$, and $(n+1) Q$, we can
+compute the three points
+\begin{align*}
+  (2n) Q &= 2 (nQ) && \text{doubling} \\
+  (2n+1) Q &= (nQ) + (n+1)Q && \text{addition} \\
+  (2n+2) Q &= 2((n+1) Q) && \text{doubling}
+\end{align*}
+
+The following algorithm is suggested by dj (see
+\url{http://www.ietf.org/mail-archive/web/cfrg/current/msg05004.html}.
+\begin{verbatim}
+   x2,z2,x3,z3 = 1,0,x1,1
+   for i in reversed(range(255)):
+     bit = 1 & (n >> i)
+     x2,x3 = cswap(x2,x3,bit)
+     z2,z3 = cswap(z2,z3,bit)
+     x3,z3 = ((x2*x3-z2*z3)^2,x1*(x2*z3-z2*x3)^2)
+     x2,z2 = ((x2^2-z2^2)^2,4*x2*z2*(x2^2+A*x2*z2+z2^2))
+     x2,x3 = cswap(x2,x3,bit)
+     z2,z3 = cswap(z2,z3,bit)
+   return x2*z2^(p-2)
+\end{verbatim}
+It's not too hard to decipher this. The update for $x_2, z_2$ is the
+doubling. The update for $x_3, z_3$ is an addition.
+
+If the bit is zero, we get $x_2', z_2'$ representing $Q_2' = 2 Q_2$,
+and $x_3', z_3'$ representing $Q_3' = Q_2 + Q_3 = 2 Q_2 + Q_1$.
+
+What if the bit is set? For the doubling, we get it applied to $Q_3$
+instead, so we get $x_3', z_3'$ representing $Q_3' = 2 Q_3 = 2 Q_2 + 2
+Q_1$. For the add, the initial swap flips the sign of one of the
+intermediate values, but the end result is the same, so we get $x_2',
+z_2'$ representing $Q_2' = Q_2 + Q_3 = 2 Q_2 + Q_1$, as desired.
+
+Note that the initial conditional swap doesn't have to be a full swap;
+if that's convenient in the implementation, a conditional assignment
+should be sufficient to get the duplication formula appplied to the
+right point. It looks like, in all cases, one will start by computing
+$x_2 \pm z_2$ and $x_3 \pm z_3$, so maybe one can apply conditional
+assignment to these values instead.
+
 \section{Edwards curve}
 
 For an Edwards curve, we consider the special case
-- 
GitLab