Re: [Cfrg] Curve manipulation, revisited

[Peter Dettman <peter.dettman@bouncycastle.org>]

On 29/12/2014 8:31 pm, Adam Langley wrote:
> (An implementation that wants to use a windowed method with a 
> Montgomery-X *input* will need to perform a square-root first, but 
> that's the same cost as a design where compressed Edwards points are 
> sent. Note: smarter people than I might be able to eliminate the 
> square-root but I don't see it)

I believe I can give an example of how to eliminate the square-root for 
a random-base scalar-mult. I'll use short Weierstrass to describe it 
though, as I'm less familiar with Edwards and Montgomery. I assume we 
can convert easily enough between forms, and that twist security carries 
across.

- Given input X0, use curve equation to calculate {Y0}^2, let K = {Y0}^2.
- Initial point P0 is (X0,{Y0}) where {Y0} is unevaluated.
- Change of variables to an isomorphic curve: x' = u^2.x, y' = u^3.y, a' 
= u^4.a, with u = {Y0} (b' = u^6.b, but not typically needed).
- Can now write P0' as (K.X0, K^2) without unknowns.
- Proceed with scalar multiplication of P0' to result point Pn'.
- Recover output Xn from Pn' as Xn'/(K.Zn^2).

Note that the doubling formula is affected by the changed a' curve 
parameter (unless a==0); assume modified-Jacobian coordinates are used.

In the case where the original curve has a==-3, the extra cost of the 
windowing using the isomorphism in modified-Jacobian coordinates is 
+2S(quares) per addition (doubling cost is unchanged). The total extra 
cost using width 5 windows is therefore < 40% of the best-case cost of a 
sqrt.

However, there are actually good performance reasons to already be using 
an isomorphism: to allow mixed addition with precomputed points without 
needing an inversion in the precomputation. In that case, there is very 
little additional overhead for the scheme above.

Regards,
Pete Dettman