Commit d51ff03e by Niels Möller

### Notes on the Montgomery ladder.

parent ac1e6e5a
 ... @@ -63,6 +63,75 @@ y_2)$: ... @@ -63,6 +63,75 @@ y_2)$: Again, very similar to the Weierstraß formulas, with only an Again, very similar to the Weierstraß formulas, with only an additional $b$ term in the formula for $x_3$. additional $b$ term in the formula for $x_3$. \subsection{Montgomery ladder} It's possible to do operations on a Montgomery curve in terms of the $x$ coordinate only. Or, with homogeneous coordinates, use $X$ and $Z$ with $x = X/Z$. For doubling, \begin{align*} x' &= (x^2 - z^2)^2 = (x-z)^2 (x+z)^2 \\ t &= (x+z)^2 - (x-z)^2 \\ z' &= 4 xz (x^2 + bzx + z^2) = t \left((x+z)^2 + b't\right) \end{align*} with $b' = (b-2)/4$. Addition is a bit trickier. If we have $x$ and $z$ for points $Q_1$, $Q_2$ and $Q_3$, with $Q_3 = Q_1 + Q_3$, and $x_1, z_1 \neq 0$, we get the coordinates for $Q_2 + Q_3$ as \begin{align*} x' &= 4 (x_2 x_3 - z_2 z_3)^2 z_1 = \left((x_2 - z_2)(x_3 + z_3) + (x_2 + z_2)(x_3 - z_3)\right)^2 z_1 \\ z' &= 4 (x_2 z_3 - z_2 x_3)^2 x_1 = \left((x_2 - z_2)(x_3 + z_3) - (x_2 + z_2)(x_3 - z_3)\right)^2 x_1 \end{align*} Note that the doubling formula is symmetric in $Q_2$ and $Q_3$. Which is consistent with negating of $Q_1$, which really is the negatiion of the $y$-coordinate, which doesn't appear in the formula. This can be used for a binary Montgomery ladder'' to compute $n Q$ for any $n$. If we have the points $Q$, $n Q$, and $(n+1) Q$, we can compute the three points \begin{align*} (2n) Q &= 2 (nQ) && \text{doubling} \\ (2n+1) Q &= (nQ) + (n+1)Q && \text{addition} \\ (2n+2) Q &= 2((n+1) Q) && \text{doubling} \end{align*} The following algorithm is suggested by dj (see \url{http://www.ietf.org/mail-archive/web/cfrg/current/msg05004.html}. \begin{verbatim} x2,z2,x3,z3 = 1,0,x1,1 for i in reversed(range(255)): bit = 1 & (n >> i) x2,x3 = cswap(x2,x3,bit) z2,z3 = cswap(z2,z3,bit) x3,z3 = ((x2*x3-z2*z3)^2,x1*(x2*z3-z2*x3)^2) x2,z2 = ((x2^2-z2^2)^2,4*x2*z2*(x2^2+A*x2*z2+z2^2)) x2,x3 = cswap(x2,x3,bit) z2,z3 = cswap(z2,z3,bit) return x2*z2^(p-2) \end{verbatim} It's not too hard to decipher this. The update for $x_2, z_2$ is the doubling. The update for $x_3, z_3$ is an addition. If the bit is zero, we get $x_2', z_2'$ representing $Q_2' = 2 Q_2$, and $x_3', z_3'$ representing $Q_3' = Q_2 + Q_3 = 2 Q_2 + Q_1$. What if the bit is set? For the doubling, we get it applied to $Q_3$ instead, so we get $x_3', z_3'$ representing $Q_3' = 2 Q_3 = 2 Q_2 + 2 Q_1$. For the add, the initial swap flips the sign of one of the intermediate values, but the end result is the same, so we get $x_2', z_2'$ representing $Q_2' = Q_2 + Q_3 = 2 Q_2 + Q_1$, as desired. Note that the initial conditional swap doesn't have to be a full swap; if that's convenient in the implementation, a conditional assignment should be sufficient to get the duplication formula appplied to the right point. It looks like, in all cases, one will start by computing $x_2 \pm z_2$ and $x_3 \pm z_3$, so maybe one can apply conditional assignment to these values instead. \section{Edwards curve} \section{Edwards curve} For an Edwards curve, we consider the special case For an Edwards curve, we consider the special case ... ...
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!