
For 256 bits, "double-and-add" multiplication uses about 128 additions and 256 doublings, whereas the "Montgomery ladder" uses nearly 256 additions and 256 doublings. "Double-and-add" on my Intel(R) Core(TM) i3-8130U CPU @ 2.20GHz takes 0.02 s; is that normal or too big?

In addition we compute $\lambda = \frac{y_q - y_p}{x_q - x_p}$. The main cost is computing the inverse of $x_q - x_p$, and the inverse uses extended_gcd and modulo:

```python
def extended_gcd(aa, bb):
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient * x, x
        y, lasty = lasty - quotient * y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)

# calculate modular inverse
def modinv(a, m):
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m
```

Must I compute this inverse many times to obtain $\lambda$, or is the $\lambda$ between [n]P and [n+1]P the same (or can it be computed quickly) as between [n+1]P and [n+2]P?

Andrzej
  • Note that Montgomery Ladder is side-channel free. To eliminate the inverse use projective coordinates. – kelalaka Nov 19 '20 at 19:11
  • Indeed, usually implementations will use projective coordinates to reduce the number of inversions to 1 (at the very end) and will use a generalization of double and add to reduce the number of additions (though those require constant-time table lookups). – SEJPM Nov 19 '20 at 19:17
  • In Wikibooks, under "Standard Projective Coordinates", there are formulas, but they generate very large numbers because they don't have a modulo. Where can I place the modulo, and how do I move from projective to affine coordinates? – Andrzej Nov 19 '20 at 19:51
  • Handbook of Elliptic Curve Cryptography. Group laws on projective coordinates – kelalaka Nov 19 '20 at 19:53
  • I tested the example from the nayuki site. The speedup is only 2.5 times; there are many multiplications with modulo. – Andrzej Nov 19 '20 at 20:47
  • What do you mean "only 2.5 times"? And note that if you want real fast calculations you may want to use a C library instead, possibly with some assembly included. For these kinds of calculations even Java is relatively slow. A fully interpreted language will generally be much slower than Java. – Maarten Bodewes Nov 19 '20 at 23:56
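
The comments above suggest projective coordinates so that only one inversion is needed at the very end, and the follow-up asks where the modulo goes and how to get back to affine coordinates. The following is an added example, not part of the original thread: it uses Jacobian projective coordinates (the variant in which x = X/Z^2 and y = Y/Z^3) and assumes the secp256k1 parameters, since the thread names no curve; all function names are illustrative.

```python
# Added example: double-and-add in Jacobian projective coordinates.
# (X, Y, Z) represents the affine point (X/Z^2, Y/Z^3); Z == 0 is infinity.
# Assumption: secp256k1 parameters, because the thread does not name a curve.
P, A = 2**256 - 2**32 - 977, 0
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = (1, 1, 0)

def jac_double(pt, a, p):
    X, Y, Z = pt
    YY = Y * Y % p                        # reduce after every multiplication
    S = 4 * X * YY % p
    M = (3 * X * X + a * pow(Z, 4, p)) % p
    X3 = (M * M - 2 * S) % p
    Y3 = (M * (S - X3) - 8 * YY * YY) % p
    return (X3, Y3, 2 * Y * Z % p)        # Z stays 0 when the input is infinity

def jac_add(p1, p2, a, p):
    if p1[2] == 0 or p2[2] == 0:          # adding infinity returns the other point
        return p2 if p1[2] == 0 else p1
    (X1, Y1, Z1), (X2, Y2, Z2) = p1, p2
    Z1Z1, Z2Z2 = Z1 * Z1 % p, Z2 * Z2 % p
    U1, U2 = X1 * Z2Z2 % p, X2 * Z1Z1 % p
    S1, S2 = Y1 * Z2 * Z2Z2 % p, Y2 * Z1 * Z1Z1 % p
    if U1 == U2:                          # same x: either P + P or P + (-P)
        return jac_double(p1, a, p) if S1 == S2 else INF
    H, R = (U2 - U1) % p, (S2 - S1) % p
    HH = H * H % p
    HHH, V = H * HH % p, U1 * HH % p
    X3 = (R * R - HHH - 2 * V) % p
    Y3 = (R * (V - X3) - S1 * HHH) % p
    return (X3, Y3, H * Z1 * Z2 % p)

def to_affine(pt, p):
    X, Y, Z = pt
    if Z == 0:
        return None                       # point at infinity
    zi = pow(Z, -1, p)                    # the only inversion (Python 3.8+)
    zi2 = zi * zi % p
    return (X * zi2 % p, Y * zi2 * zi % p)

def scalar_mult(k, point, a=A, p=P):
    acc, base = INF, (point[0], point[1], 1)
    for bit in bin(k)[2:]:                # most significant bit first
        acc = jac_double(acc, a, p)
        if bit == "1":                    # branches on scalar bits: not constant-time
            acc = jac_add(acc, base, a, p)
    return to_affine(acc, p)
```

Every intermediate value is reduced modulo p as soon as it is computed, so the numbers never grow beyond the field size, and the per-addition inversion from the affine formula is replaced by a single one in `to_affine`.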

0 Answers