Faster Montgomery and double-add ladders for short Weierstrass curves

Mike Hamburg

Paper 2020/437

Faster Montgomery and double-add ladders for short Weierstrass curves

Mike Hamburg

Abstract

The Montgomery ladder and Joye ladder are well-known algorithms for elliptic curve scalar multiplication with a regular structure. The Montgomery ladder is best known for its implementation on Montgomery curves, which requires $5 M + 4 S + 1 m + 8 A$ per scalar bit, and 6 field registers. Here $(M, S, m, A)$ represent respectively field $M$ ultiplications, $S$ quarings, $m$ ultiplications by a curve constant, and $A$ dditions or subtractions. This ladder is also complete, meaning that it works on all input points and all scalars. Many protocols do not use Montgomery curves, but instead use prime-order curves in short Weierstrass form. These have historically been much slower, with ladders costing at least 14 multiplications or squarings per bit: for the Montgomery ladder and for the Joye ladder. In 2017, Kim et al. improved the Montgomery ladder to per bit using 9 registers, where the represents a halving. Hamburg simplified Kim et al.'s formulas to per bit using 6 registers. Here we present improved formulas which compute the Montgomery ladder on short Weierstrass curves using per bit, and requiring 6 registers. We also give formulas for the Joye ladder that use per bit, requiring 5 registers. One of our new formulas supports very efficient 4-way vectorization. We also discuss curve invariants, exceptional points, side-channel protection and how to set up and finish these ladder operations. Finally, we show a novel technique to make these ladders complete when the curve order is not divisible by 2 or 3, at a modest increase in cost. A sample implementation of these techniques is given in the supplementary material, also posted at https://github.com/bitwiseshiftleft/ladder_formulas.

Note: CHES 2020 camera-ready version, plus one typo fixed (thanks Shiping Cai). Supplementary material is available at https://github.com/bitwiseshiftleft/ladder_formulas.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: A minor revision of an IACR publication in TCHES 2020
Keywords: Elliptic Curve Cryptography Montgomery Ladder Joye Ladder Short Weierstrass Curve Scalar Multiplication
Contact author(s): mhamburg @ rambus com
History: 2020-07-20: last of 7 revisions; 2020-04-19: received; See all versions
Short URL: https://ia.cr/2020/437
License: CC BY

BibTeX

@misc{cryptoeprint:2020/437,
      author = {Mike Hamburg},
      title = {Faster Montgomery and double-add ladders for short Weierstrass curves},
      howpublished = {Cryptology {ePrint} Archive, Paper 2020/437},
      year = {2020},
      url = {https://eprint.iacr.org/2020/437}
}