From d51ff03e79438cc8f28b0d91d209887aab59b0f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Niels=20M=C3=B6ller?= Date: Sat, 6 Sep 2014 22:42:31 +0200 Subject: [PATCH] Notes on the Montgomery ladder. --- misc/ecc-formulas.tex | 69 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/misc/ecc-formulas.tex b/misc/ecc-formulas.tex index 1b21dea7..e347dcd9 100644 --- a/misc/ecc-formulas.tex +++ b/misc/ecc-formulas.tex @@ -63,6 +63,75 @@ y_2)$: Again, very similar to the Weierstraß formulas, with only an additional $b$ term in the formula for $x_3$. +\subsection{Montgomery ladder} + +It's possible to do operations on a Montgomery curve in terms of the +$x$ coordinate only. Or, with homogeneous coordinates, use $X$ and $Z$ +with $x = X/Z$. + +For doubling, +\begin{align*} + x' &= (x^2 - z^2)^2 = (x-z)^2 (x+z)^2 \\ + t &= (x+z)^2 - (x-z)^2 \\ + z' &= 4 xz (x^2 + bzx + z^2) = t \left((x+z)^2 + b't\right) +\end{align*} +with $b' = (b-2)/4$. + +Addition is a bit trickier. If we have $x$ and $z$ for points $Q_1$, +$Q_2$ and $Q_3$, with $Q_3 = Q_1 + Q_3$, and $x_1, z_1 \neq 0$, we +get the coordinates for $Q_2 + Q_3$ as +\begin{align*} + x' &= 4 (x_2 x_3 - z_2 z_3)^2 z_1 = \left((x_2 - z_2)(x_3 + z_3) + + (x_2 + z_2)(x_3 - z_3)\right)^2 z_1 \\ + z' &= 4 (x_2 z_3 - z_2 x_3)^2 x_1 = \left((x_2 - z_2)(x_3 + z_3) - + (x_2 + z_2)(x_3 - z_3)\right)^2 x_1 +\end{align*} +Note that the doubling formula is symmetric in $Q_2$ and $Q_3$. Which +is consistent with negating of $Q_1$, which really is the negatiion of +the $y$-coordinate, which doesn't appear in the formula. + +This can be used for a binary ``Montgomery ladder'' to compute $n Q$ +for any $n$. If we have the points $Q$, $n Q$, and $(n+1) Q$, we can +compute the three points +\begin{align*} + (2n) Q &= 2 (nQ) && \text{doubling} \\ + (2n+1) Q &= (nQ) + (n+1)Q && \text{addition} \\ + (2n+2) Q &= 2((n+1) Q) && \text{doubling} +\end{align*} + +The following algorithm is suggested by dj (see +\url{http://www.ietf.org/mail-archive/web/cfrg/current/msg05004.html}. +\begin{verbatim} + x2,z2,x3,z3 = 1,0,x1,1 + for i in reversed(range(255)): + bit = 1 & (n >> i) + x2,x3 = cswap(x2,x3,bit) + z2,z3 = cswap(z2,z3,bit) + x3,z3 = ((x2*x3-z2*z3)^2,x1*(x2*z3-z2*x3)^2) + x2,z2 = ((x2^2-z2^2)^2,4*x2*z2*(x2^2+A*x2*z2+z2^2)) + x2,x3 = cswap(x2,x3,bit) + z2,z3 = cswap(z2,z3,bit) + return x2*z2^(p-2) +\end{verbatim} +It's not too hard to decipher this. The update for $x_2, z_2$ is the +doubling. The update for $x_3, z_3$ is an addition. + +If the bit is zero, we get $x_2', z_2'$ representing $Q_2' = 2 Q_2$, +and $x_3', z_3'$ representing $Q_3' = Q_2 + Q_3 = 2 Q_2 + Q_1$. + +What if the bit is set? For the doubling, we get it applied to $Q_3$ +instead, so we get $x_3', z_3'$ representing $Q_3' = 2 Q_3 = 2 Q_2 + 2 +Q_1$. For the add, the initial swap flips the sign of one of the +intermediate values, but the end result is the same, so we get $x_2', +z_2'$ representing $Q_2' = Q_2 + Q_3 = 2 Q_2 + Q_1$, as desired. + +Note that the initial conditional swap doesn't have to be a full swap; +if that's convenient in the implementation, a conditional assignment +should be sufficient to get the duplication formula appplied to the +right point. It looks like, in all cases, one will start by computing +$x_2 \pm z_2$ and $x_3 \pm z_3$, so maybe one can apply conditional +assignment to these values instead. + \section{Edwards curve} For an Edwards curve, we consider the special case -- GitLab