The Montgomery ladder can take advantage of mixed differential addition, where R+Q is computed with the additional information that R-Q is equal to the base point P. (It’s called “mixed” because R and Q are in projective form, but P is affine.) Unlike ordinary addition, differential addition can be computed using just the x-coordinates of P, Q and R. So can doubling. Therefore, you can compute the whole ladder using only x coordinates. You can recover y at the end, but usually people don’t.
This pair of operations — x-only mixed differential addition and doubling — is significantly faster and simpler on a Montgomery curve than on a short Weierstrass curve. The same is not true of the ordinary addition and doubling formulas. This is why Montgomery curves are used for ECDH, but not usually other operations. You can take advantage of the same technique on a short Weierstrass curve, using for example co-z coordinates. But it’s not as simple or fast as on a Montgomery curve. Furthermore, while the mixed differential addition law is unified on a Montgomery curve, it is not unified on a short Weierstrass curve. This makes it noticeably harder to start the ladder. — Mike > On Jul 8, 2015, at 5:11 PM, Ron Garret <[email protected]> wrote: > > Could you please elaborate on this, or point me to a reference? According to: > > https://choucroutage.com/Papers/SideChannelAttacks/ches-2002-joye.pdf > <https://choucroutage.com/Papers/SideChannelAttacks/ches-2002-joye.pdf> > > the Montgomery ladder “is of full generality and applies to any abelian > group.” > > Is it really the ladder that is more efficient for Montgomery curves, or is > it just the point addition and doubling operations that are more efficient? > > rg > > On Jul 8, 2015, at 4:05 PM, Michael Hamburg <[email protected] > <mailto:[email protected]>> wrote: > >> The Montgomery ladder is significantly simpler and more efficient on >> Montgomery curves than on short Weierstrass curves. >> >>> On Jul 8, 2015, at 3:38 PM, Ron Garret <[email protected] >>> <mailto:[email protected]>> wrote: >>> >>> “Montgomery curves are attractive because of the ladder method of scalar >>> multiplication” >>> >>> Is this actually true? I was under the impression that the Montgomery >>> ladder was applicable to any kind of elliptic curve. They just both happen >>> to have been invented by Peter Montgomery. >>> >>> rg >>> >>> On Jul 7, 2015, at 8:12 PM, Tony Arcieri <[email protected] >>> <mailto:[email protected]>> wrote: >>> >>>> I made this poster for the DEFCON Crypto and Privacy Village. It's >>>> intended for audiences of mixed ability levels: >>>> >>>> https://i.imgur.com/hwbSRHh.png <https://i.imgur.com/hwbSRHh.png> >>>> >>>> Would appreciate technical feedback on it. If you'd like to suggest copy >>>> changes, please consider design constraints (i.e. available room on the >>>> page). >>>> >>>> Thanks! >>>> >>>> -- >>>> Tony Arcieri >>>> _______________________________________________ >>>> Curves mailing list >>>> [email protected] <mailto:[email protected]> >>>> https://moderncrypto.org/mailman/listinfo/curves >>>> <https://moderncrypto.org/mailman/listinfo/curves> >>> >>> _______________________________________________ >>> Curves mailing list >>> [email protected] <mailto:[email protected]> >>> https://moderncrypto.org/mailman/listinfo/curves >>> <https://moderncrypto.org/mailman/listinfo/curves> >> >
_______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
