Re: [Cfrg] Curve manipulation, revisited

Michael Hamburg <> Wed, 07 January 2015 18:34 UTC

From: Michael Hamburg <>
Date: Wed, 07 Jan 2015 10:33:58 -0800
To: Peter Dettman <>
Cc: Adam Langley <>,
Subject: Re: [Cfrg] Curve manipulation, revisited
List-Id: Crypto Forum Research Group <>

> On Jan 1, 2015, at 2:16 AM, Peter Dettman <> wrote:
> On 29/12/2014 8:31 pm, Adam Langley wrote:
>> (An implementation that wants to use a windowed method with a Montgomery-X *input* will need to perform a square-root first, but that's the same cost as a design where compressed Edwards points are sent. Note: smarter people than I might be able to eliminate the square-root but I don't see it)
> I believe I can give an example of how to eliminate the square-root for a random-base scalar-mult. I'll use short Weierstrass to describe it though, as I'm less familiar with Edwards and Montgomery. I assume we can convert easily enough between forms, and that twist security carries across.
> - Given input X0, use curve equation to calculate {Y0}^2, let K = {Y0}^2.
> - Initial point P0 is (X0,{Y0}) where {Y0} is unevaluated.
> - Change of variables to an isomorphic curve: x' = u^2.x, y' = u^3.y, a' = u^4.a, with u = {Y0} (b' = u^6.b, but not typically needed).
> - Can now write P0' as (K.X0, K^2) without unknowns.
> - Proceed with scalar multiplication of P0' to result point Pn'.
> - Recover output Xn from Pn' as Xn'/(K.Zn^2).
> Note that the doubling formula is affected by the changed a' curve parameter (unless a==0); assume modified-Jacobian coordinates are used.
> In the case where the original curve has a==-3, the extra cost of the windowing using the isomorphism in modified-Jacobian coordinates is +2S(quares) per addition (doubling cost is unchanged). The total extra cost using width 5 windows is therefore < 40% of the best-case cost of a sqrt.
> However, there are actually good performance reasons to already be using an isomorphism: to allow mixed addition with precomputed points without needing an inversion in the precomputation. In that case, there is very little additional overhead for the scheme above.
> Regards,
> Pete Dettman

This is neat.  Have you tested it?  Does it work, and do you know if it’s better than a Montgomery ladder?  From your high-level description it looks like it should be competitive with the short Weierstrass XZ Montgomery ladder (8M + 7S + 5m IIUC).

— Mike
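The square-root-free scalar multiplication Pete describes above, worked through in Python as an added example (not code from the thread or from either author): a toy short Weierstrass curve over GF(10007) with a = -3, the isomorphism with u = Y0 applied in affine coordinates, and the conventional take-the-square-root route alongside for comparison. The curve constants and the input x-coordinate are constructed for the demonstration, and Python 3.8+ is assumed for `pow(x, -1, p)`.

```python
P = 10007          # prime with P % 4 == 3, so sqrt(k) = k^((P+1)/4) whenever k is a square
A = (-3) % P       # the a == -3 case discussed in the thread
B = 6              # chosen so that x = 1 is on the curve (1 - 3 + 6 = 4 = 2^2)

def ec_add(pt1, pt2, a, p):
    """Affine add/double on y^2 = x^3 + a*x + b over GF(p); None is the point at infinity."""
    if pt1 is None:
        return pt2
    if pt2 is None:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2:
        if (y1 + y2) % p == 0:        # pt1 == -pt2, including the y == 0 (2-torsion) case
            return None
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(n, pt, a, p):
    """Left-to-right double-and-add; note that b never enters the formulas, only a."""
    acc = None
    for bit in bin(n)[2:]:
        acc = ec_add(acc, acc, a, p)
        if bit == "1":
            acc = ec_add(acc, pt, a, p)
    return acc

def x_only_mul_no_sqrt(n, x0, a, b, p):
    """Dettman's trick: multiply on the isomorphic curve with u = Y0, never computing Y0."""
    k = (x0 ** 3 + a * x0 + b) % p    # K = Y0^2, read off the curve equation
    a_iso = k * k * a % p             # a' = u^4 * a = K^2 * a  (b' = K^3 * b is not needed)
    p0_iso = (k * x0 % p, k * k % p)  # (u^2*X0, u^3*Y0) = (K*X0, K^2): no unknowns left
    pn_iso = ec_mul(n, p0_iso, a_iso, p)
    if pn_iso is None:
        return None
    return pn_iso[0] * pow(k, -1, p) % p   # undo x' = K*x, the affine form of Xn'/(K*Zn^2)

def x_only_mul_reference(n, x0, a, b, p):
    """Conventional route for comparison: take the square root, then multiply on E."""
    k = (x0 ** 3 + a * x0 + b) % p
    y0 = pow(k, (p + 1) // 4, p)
    if y0 * y0 % p != k:
        raise ValueError("x0 is not the x-coordinate of a point on the curve")
    pn = ec_mul(n, (x0, y0), a, p)
    return None if pn is None else pn[0]
```

Affine coordinates are used so the isomorphism is easy to see; a real implementation would use the modified-Jacobian form Pete mentions, since a' is no longer -3 on the isomorphic curve. An x0 with K = 0 (a 2-torsion point) is deliberately not handled here.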