Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scalar-mul: Constant-Time double-and-add #198

Open
mratsim opened this issue Aug 6, 2022 · 0 comments
Open

Scalar-mul: Constant-Time double-and-add #198

mratsim opened this issue Aug 6, 2022 · 0 comments
Labels
constant time ⏳ Enhancement is suitable for secret data performance 🏁

Comments

@mratsim
Copy link
Owner

mratsim commented Aug 6, 2022
edited
Loading

For curves without endomorphisms

https://eprint.iacr.org/2017/669.pdf
https://www.aimsciences.org/article/exportPdf?id=5c293be6-723e-4b97-ae1d-ff359e261cdb

Abstract

This paper presents a series of Montgomery scalar multiplication algorithms on general short Weierstrass curves over odd characteristic fields, which need only 12 field multiplications plus 12 ~ 20 field additions per scalar bit using 8 ~ 10 field registers, thus significantly outperform the binary NAF method on average. Over binary fields, the Montgomery scalar multiplication algorithm which was presented at the first CHES workshop by López and Dahab has been a favorite of ECC implementors, due to its nice properties such as high efficiency outperforming the binary NAF, natural SPA-resistance, generality coping with all ordinary curves and implementation easiness. Over odd characteristic fields, the new scalar multiplication algorithms are the first ones featuring all these properties. Building-blocks of our contribution are new efficient differential addition-and-doubling formulae and a novel conception of on-the-fly adaptive coordinates which softly represent points occurring during a scalar multiplication not only in accordance with the basepoint but also bits of the given scalar. Importantly, the new algorithms are equipped with built-in countermeasures against known side-channel attacks, while it is shown that previous Montgomery ladder algorithms with the randomized addressing countermeasure fail to thwart attacks exploiting address-dependent leakage.

paulmillr/noble-secp256k1#55

This is an algorithm for EC multiplication that emulates the Montgomery
Ladder double-and-add, but in a constant time way. An early version of
this algorithm was published in 2017, and the version implemented here
was published in 2020. The result is constant time multiply that is 85%
faster than wNAF, <10% slower than endomorphic Montgommery Ladder and
~20% faster than w/o endomorphism.

bitcoin-core/secp256k1#1099

May be combined with #35
@mratsim mratsim changed the title Scalar:ul: Constant-Time double-and-add Scalar-mul: Constant-Time double-and-add Aug 6, 2022
@mratsim mratsim added constant time ⏳ Enhancement is suitable for secret data performance 🏁 labels Aug 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
constant time ⏳ Enhancement is suitable for secret data performance 🏁
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mratsim