Ah, I see. Thanks! On Jul 8, 2015, at 6:00 PM, Michael Hamburg <[email protected]> wrote:
> The Montgomery ladder can take advantage of mixed differential addition, > where R+Q is computed with the additional information that R-Q is equal to > the base point P. (It’s called “mixed” because R and Q are in projective > form, but P is affine.) Unlike ordinary addition, differential addition can > be computed using just the x-coordinates of P, Q and R. So can doubling. > Therefore, you can compute the whole ladder using only x coordinates. You > can recover y at the end, but usually people don’t. > > This pair of operations — x-only mixed differential addition and doubling — > is significantly faster and simpler on a Montgomery curve than on a short > Weierstrass curve. The same is not true of the ordinary addition and > doubling formulas. This is why Montgomery curves are used for ECDH, but not > usually other operations. > > You can take advantage of the same technique on a short Weierstrass curve, > using for example co-z coordinates. But it’s not as simple or fast as on a > Montgomery curve. Furthermore, while the mixed differential addition law is > unified on a Montgomery curve, it is not unified on a short Weierstrass > curve. This makes it noticeably harder to start the ladder. > > — Mike > >> On Jul 8, 2015, at 5:11 PM, Ron Garret <[email protected]> wrote: >> >> Could you please elaborate on this, or point me to a reference? According >> to: >> >> https://choucroutage.com/Papers/SideChannelAttacks/ches-2002-joye.pdf >> >> the Montgomery ladder “is of full generality and applies to any abelian >> group.” >> >> Is it really the ladder that is more efficient for Montgomery curves, or is >> it just the point addition and doubling operations that are more efficient? >> >> rg >> >> On Jul 8, 2015, at 4:05 PM, Michael Hamburg <[email protected]> wrote: >> >>> The Montgomery ladder is significantly simpler and more efficient on >>> Montgomery curves than on short Weierstrass curves. >>> >>>> On Jul 8, 2015, at 3:38 PM, Ron Garret <[email protected]> wrote: >>>> >>>> “Montgomery curves are attractive because of the ladder method of scalar >>>> multiplication” >>>> >>>> Is this actually true? I was under the impression that the Montgomery >>>> ladder was applicable to any kind of elliptic curve. They just both >>>> happen to have been invented by Peter Montgomery. >>>> >>>> rg >>>> >>>> On Jul 7, 2015, at 8:12 PM, Tony Arcieri <[email protected]> wrote: >>>> >>>>> I made this poster for the DEFCON Crypto and Privacy Village. It's >>>>> intended for audiences of mixed ability levels: >>>>> >>>>> https://i.imgur.com/hwbSRHh.png >>>>> >>>>> Would appreciate technical feedback on it. If you'd like to suggest copy >>>>> changes, please consider design constraints (i.e. available room on the >>>>> page). >>>>> >>>>> Thanks! >>>>> >>>>> -- >>>>> Tony Arcieri >>>>> _______________________________________________ >>>>> Curves mailing list >>>>> [email protected] >>>>> https://moderncrypto.org/mailman/listinfo/curves >>>> >>>> _______________________________________________ >>>> Curves mailing list >>>> [email protected] >>>> https://moderncrypto.org/mailman/listinfo/curves >>> >> >
_______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
