Three Dimensional Montgomery Ladder, Differential Point Tripling on Montgomery Curves and Point Quintupling on Weierstrass’ and Edwards Curves

Abstract

Elliptic Curve Cryptography is an important alternative to traditional public key schemes such as RSA. This paper presents

1. (i)

   a simultaneous triple scalar multiplication algorithm to compute the x-coordinate of \(kP+lQ+uR\) on a Montgomery Curve \(E_{m}\) defined over \(\mathbb {F}_p\) which is about 15 to 22 % faster than the straight forward method of doing the same. The algorithm, motivated by Bernstein’s paper on Differential Addition Chains, where the author proposes various 2-dimensional differential addition chains and asks for 3-dimensional versions to be constructed, can be generalized to other elliptic curve forms with differential addition formula,

2. (ii)

   a formula for Differential point tripling on Montgomery Curves which is slightly better than computing 3P as \(2P+P\) and relevant in the implementation of Montgomery’s PRAC and

3. (iii)

   an improvement in Mishra and Dimitrov’s point Quintupling algorithm for Weierstrass’ curves and an efficient Quintupling algorithm for Edwards Curves.

Appendices

Appendices

A Five Element Set \(G_{i+1}\) for all Combinations of \((k_{i},l_{i},u_{i})\)

Here, we list the five elements in \(G_{i+1}\) for all eight combinations of \((k_{i},l_{i},u_{i})\), that was used to construct the three dimensional Montgomery Ladder presented in Sect. 3 of this paper.

B Derivation of Differential Tripling Formula on Montgomery Curves and an Algorithm for Differential Tripling

We derive the differential point tripling formulae for Montgomery Curves. Let \(P_{1}=(X_{1},Y_{1},Z_{1})\), \(P_{2}=(X_{2},Y_{2},Z_{2})\) and \(P_{3}=(X_{3},Y_{3},Z_{3})\) be points on a Montgomery curve \(E_{m}\) with \(P_{2}=2P_{1}\) and\(P_{3}=3P_{1}\). We can write \(P_{3}=3P_{1}=2P_{1}+P_{1}=P_{2}+P_{1}\). Then,

$$\begin{aligned} X_{2}&=(X_{1} + Z_{1})^2(X_{1} - Z_{1})^2 \end{aligned}$$

(7)

$$\begin{aligned} Z_{2}&= 4X_{1}Z_{1}((X_{1}-Z_{1})^2+((A+2)/4)(4X_{1}Z_{1})) \end{aligned}$$

(8)

$$\begin{aligned} X_{3}&= Z_{1}[(X_{1}-Z_{1})(X_{2}+Z_{2})+(X_{1}+Z_{1})(X_{2}-Z_{2})]^2 \end{aligned}$$

(9)

$$\begin{aligned} Z_{3}&= X_{1}[(X_{1}-Z_{1})(X_{2}+Z_{2})-(X_{1}+Z_{1})(X_{2}-Z_{2})]^2 \end{aligned}$$

(10)

From Eqs. (7), (8), (9) and (10) we can write

$$\begin{aligned} X_{3} = Z_{1}\bigl [&\left( X_{1}-Z_{1}\right) \bigl \{\left( X_{1}+Z_{1}\right) ^2\left( X_{1}-Z_{1}\right) ^2+4X_{1}Z_{1}\left( X_{1}-Z_{1}\right) ^2 + \left( \left( A+2\right) /4\right) \left( 4X_{1}Z_{1}\right) ^2\bigr \} +\\&(X_{1}+Z_{1})\bigl \{\left( X_{1}+Z_{1}\right) ^2\left( X_{1}-Z_{1}\right) ^2-4X_{1}Z_{1}\left( X_{1}-Z_{1}\right) ^2 - \left( \left( A+2\right) /4\right) \left( 4X_{1}Z_{1}\right) ^2\bigr \}\bigr ]^2 \\ {}&= Z_{1}\bigl [\bigl ( \left( X_{1}+Z_{1}\right) \left( X_{1}-Z_{1}\right) \bigr )^2\bigl \{2X_{1}\bigr \}-4X_{1}Z_{1}\left( X_{1}-Z_{1}\right) ^2\bigl \{2Z_{1}\bigr \}-\\& \qquad \qquad \qquad \qquad \qquad \qquad \bigl ((A+2)/4\bigr )(4X_{1}Z_{1})^2\bigl \{2Z_{1}\bigr \}\bigr ]^2 \\&=4X_{1}^2Z_{1}\bigl [\bigl (\left( X_{1}+Z_{1}\right) \left( X_{1}-Z_{1}\right) \bigr )^2 - 4Z_{1}^2\left( X_{1}-Z_{1}\right) ^2 - \bigl (\left( A+2\right) /4 \bigr )\left( 16X_{1}Z_{1}^3\right) \bigr ]^2\\&=4X_{1}^2Z_{1}\bigl (\left( X_{1}^2-Z_{1}^2\right) ^2 - \left( X_{1}^2 + Z_{1}^2 + AX_{1}Z_{1}\right) \left( 2Z_{1} \right) ^2\bigr )^2 \end{aligned}$$

Similarly,

$$\begin{aligned} Z_{3} = X_{1}\bigl [&\left( X_{1}-Z_{1}\right) \bigl \{\left( X_{1}+Z_{1}\right) ^2\left( X_{1}-Z_{1}\right) ^2+4X_{1}Z_{1}\left( X_{1}-Z_{1}\right) ^2 + \left( \left( A+2\right) /4\right) \left( 4X_{1}Z_{1}\right) ^2\bigr \} -\\&(X_{1}+Z_{1})\bigl \{\left( X_{1}+Z_{1}\right) ^2\left( X_{1}-Z_{1}\right) ^2-4X_{1}Z_{1}\left( X_{1}-Z_{1}\right) ^2 - \left( \left( A+2\right) /4\right) \left( 4X_{1}Z_{1}\right) ^2\bigr \}\bigr ]^2 \\&= X_{1}\bigl [\bigl ( \left( X_{1}+Z_{1}\right) \left( X_{1}-Z_{1}\right) \bigr )^2\bigl \{-2Z_{1}\bigr \}-4X_{1}Z_{1}\left( X_{1}-Z_{1}\right) ^2\bigl \{2X_{1}\bigr \}-\\& \qquad \qquad \qquad \qquad \qquad \qquad \bigl ((A+2)/4\bigr )(4X_{1}Z_{1})^2\bigl \{2X_{1}\bigr \}\bigr ]^2 \\&=4X_{1}Z_{1}^2\bigl [-\bigl (\left( X_{1}+Z_{1}\right) \left( X_{1}-Z_{1}\right) \bigr )^2 + 4X_{1}^2\left( X_{1}-Z_{1}\right) ^2 + \bigl (\left( A+2\right) /4 \bigr )\left( 16X_{1}^3Z_{1}\right) \bigr ]^2\\&=4X_{1}Z_{1}^2\bigl (-\left( X_{1}^2-Z_{1}^2\right) ^2 + \left( X_{1}^2 + Z_{1}^2 + AX_{1}Z_{1}\right) \left( 2X_{1} \right) ^2\bigr )^2\\&=4X_{1}Z_{1}^2\bigl (\left( X_{1}^2-Z_{1}^2\right) ^2 - \left( X_{1}^2 + Z_{1}^2 + AX_{1}Z_{1}\right) \left( 2X_{1} \right) ^2\bigr )^2 \end{aligned}$$

Dividing both \(X_{3}\) and \(Z_{3}\) by \(4X_{1}Z_{1}\) we get, when \((X_{1}, Y_{1}) \ne (0,0)\)

$$\begin{aligned} X_{3}=X_{1}\bigl (\left( X_{1}^2-Z_{1}^2\right) ^2 - \left( X_{1}^2 + Z_{1}^2 + AX_{1}Z_{1}\right) \left( 2Z_{1} \right) ^2\bigr )^2\\ Z_{3}=Z_{1}\bigl (\left( X_{1}^2-Z_{1}^2\right) ^2 - \left( X_{1}^2 + Z_{1}^2 + AX_{1}Z_{1}\right) \left( 2X_{1} \right) ^2\bigr )^2 \end{aligned}$$

The formulae for \(X_{3}\) and \(Y_{3}\) derived above can be computed using the following algorithm:

$$\begin{aligned} T_{1}&\leftarrow X_{1}; T_{2} \leftarrow Z_{1}\\ T_{1}&\leftarrow T_{1}^2&&(=X_{1}^2)\\ T_{2}&\leftarrow T_{2}^2&&(=Z_{1}^2)\\ T_{3}&\leftarrow (T_{1}-T_{2})^2&&(=(X_{1}^2-Z_{1}^2)^2)\\ T_{4}&\leftarrow X_{1}Z_{1}&&(=X_{1}Z_{1})\\ T_{4}&\leftarrow A.T_{4}&&(=AX_{1}Z_{1})\\ T_{5}&\leftarrow T_{2}+T_{2}+T_{2}+T_{2}&&(=4Z_{1}^2)\\ T_{6}&\leftarrow T_{1}+T_{1}+T_{1}+T_{1}&&(=4X_{1}^2)\\ T_{4}&\leftarrow T_{1}+T_{2}+T_{4}&&(=X_{1}^2+Z_{1}^2+AX_{1}Z_{1})\\ T_{7}&\leftarrow T_{4}.T_{5}&&(=(X_{1}^2+Z_{1}^2+AX_{1}Z_{1})(4Z_{1}^2))\\ T_{8}&\leftarrow T_{4}.T_{6}&&(=(X_{1}^2+Z_{1}^2+AX_{1}Z_{1})(4X_{1}^2))\\ T_{1}&\leftarrow (T_{3}-T_{7})^2&&\bigl (=\bigl (\left( X_{1}^2-Z_{1}^2\right) ^2 - \left( X_{1}^2 + Z_{1}^2 + AX_{1}Z_{1}\right) \left( 2Z_{1} \right) ^2\bigr )^2\bigr )\\ T_{2}&\leftarrow (T_{3}-T_{8})^2&&\bigl (=\bigl (\left( X_{1}^2-Z_{1}^2\right) ^2 - \left( X_{1}^2 + Z_{1}^2 + AX_{1}Z_{1}\right) \left( 2X_{1} \right) ^2\bigr )^2\bigr )\\ X_{3}&\leftarrow X_{1}.T_{1}&&\bigl (=X_{1}\bigl (\left( X_{1}^2-Z_{1}^2\right) ^2 - \left( X_{1}^2 + Z_{1}^2 + AX_{1}Z_{1}\right) \left( 2Z_{1} \right) ^2\bigr )^2 \bigr )\\ Z_{3}&\leftarrow Z_{1}.T_{2}&&\bigl (=Z_{1}\bigl (\left( X_{1}^2-Z_{1}^2\right) ^2 - \left( X_{1}^2 + Z_{1}^2 + AX_{1}Z_{1}\right) \left( 2X_{1} \right) ^2\bigr )^2\bigr ) \end{aligned}$$

C Edwards Curve Quintupling Formulae

Algorithms A and B were verified by the authors in [22]. The only difference between Algorithm C presented in this paper and Algorithm B in [22] is in the computation of R. It was computed in Algorithm B as

$$\begin{aligned} R=((D+E)^2-J-H-I)^2 -2N \end{aligned}$$

In Algorithm C, we employ \(R=2(2JH-L)\) as we can rewrite R as follows:

$$\begin{aligned} R&=\bigg \{\big [(X_{1}^2+Y_{1}^2)+(2Z_{1}^2-(X_{1}^2+Y_{1}^2) \big ]^2 \\&\qquad - \big [2Z_{1}^2 -(X_{1}^2+Y_{1}^2) \big ]^2 -\big [X_{1}^4+Y_{1}^4 \big ] - 2X_{1}^2Y_{1}^2 \bigg \}^2-2N\\&=\big [2(X_{1}^2+Y_{1}^2)(2Z_{1}^2 -(X_{1}^2+Y_{1}^2))\big ]^2\\ {}&\qquad -2\big [(Y_{1}^4-X_{1}^4)^2+4(X_{1}^2Y_{1}^2)\{2Z_{1}^2-(X_{1}^2+Y_{1}^2)\}^2 \big ]\\&= 4\big [2Z_{1}^2-(X_{1}^2+Y_{1}^2) \big ]^2 \big \{X_{1}^4+Y_{1}^4\big \}-2\big [(Y_{1}^4-X_{1}^4)^2 \big ]=4JH-2L=2(2JH-L) \end{aligned}$$

D Three Dimensional Montgomery Ladder Algorithm