Are there shortcuts for computing ECC Point multiplication?
$begingroup$
I'm trying to learn about elliptic curve cryptography.
Let's say you have point $P$ and 256 bit number $n$ and you want to compute $nP$. It sounds like computing additions one at a time is not computationally feasible. Is there an algorithmic "shortcut" to compute this? If so, how does it work?
elliptic-curves
edited 2 days ago
AleksanderRas
2,8901835
asked 2 days ago
Jon AirdJon Aird
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
add a comment |
$begingroup$
I'm trying to learn about elliptic curve cryptography.
Let's say you have point $P$ and 256 bit number $n$ and you want to compute $nP$. It sounds like computing additions one at a time is not computationally feasible. Is there an algorithmic "shortcut" to compute this? If so, how does it work?
elliptic-curves
edited 2 days ago
AleksanderRas
2,8901835
asked 2 days ago
Jon AirdJon Aird
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
1
$begingroup$
First google hits en.wikipedia.org/wiki/Elliptic_curve_point_multiplication and crypto.stackexchange.com/questions/3907/… .
$endgroup$
– dave_thompson_085
2 days ago
add a comment |
$begingroup$
I'm trying to learn about elliptic curve cryptography.
Let's say you have point $P$ and 256 bit number $n$ and you want to compute $nP$. It sounds like computing additions one at a time is not computationally feasible. Is there an algorithmic "shortcut" to compute this? If so, how does it work?
elliptic-curves
edited 2 days ago
AleksanderRas
2,8901835
asked 2 days ago
Jon AirdJon Aird
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
I'm trying to learn about elliptic curve cryptography.
Let's say you have point $P$ and 256 bit number $n$ and you want to compute $nP$. It sounds like computing additions one at a time is not computationally feasible. Is there an algorithmic "shortcut" to compute this? If so, how does it work?
elliptic-curves
elliptic-curves
edited 2 days ago
AleksanderRas
2,8901835
asked 2 days ago
Jon AirdJon Aird
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 2 days ago
AleksanderRas
2,8901835
asked 2 days ago
Jon AirdJon Aird
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 2 days ago
AleksanderRas
2,8901835
edited 2 days ago
AleksanderRas
2,8901835
edited 2 days ago
AleksanderRas
2,8901835
2,8901835
asked 2 days ago
Jon AirdJon Aird
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 2 days ago
Jon AirdJon Aird
61
asked 2 days ago
Jon AirdJon Aird
61
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
1
$begingroup$
First google hits en.wikipedia.org/wiki/Elliptic_curve_point_multiplication and crypto.stackexchange.com/questions/3907/… .
$endgroup$
– dave_thompson_085
2 days ago
add a comment |
1
$begingroup$
First google hits en.wikipedia.org/wiki/Elliptic_curve_point_multiplication and crypto.stackexchange.com/questions/3907/… .
$endgroup$
– dave_thompson_085
2 days ago
1
1
$begingroup$
First google hits en.wikipedia.org/wiki/Elliptic_curve_point_multiplication and crypto.stackexchange.com/questions/3907/… .
$endgroup$
– dave_thompson_085
2 days ago
$begingroup$
First google hits en.wikipedia.org/wiki/Elliptic_curve_point_multiplication and crypto.stackexchange.com/questions/3907/… .
$endgroup$
– dave_thompson_085
2 days ago
add a comment |
1 Answer
1
active
oldest
votes
$begingroup$
It is called "double-and-add". For instance, take a point, and add it to itself. Then take the result, and add it to itself. Do that again. And again. After ten additions, what you get is $2^{10} = 1024$ times the original point: in just 10 additions, not 1023. That's the "shortcut".
More generally, with $k$ successive doublings (a "doubling" is the addition of a point with itself), starting from a point $P$, you get $2^k P$. Now, all you have to do is to consider your multiplier $n$ in binary: this is about writing it as a sum of powers of two. For instance, if $n = 224965$, then, in binary, it becomes $110110111011000101$, which means that:
$$ n = 2^0 + 2^2 + 2^6 + 2^7 + 2^9 + 2^{10} + 2^{11} + 2^{13} + 2^{14} + 2^{16} + 2^{17} $$
And therefore:
$$ nP = 2^0P + 2^2P + 2^6P + 2^7P + 2^9P + 2^{10}P + 2^{11}P + 2^{13}P + 2^{14}P + 2^{16}P + 2^{17}P $$
So all you have to do to compute $nP$ is to compute these $2^kP$ (with successive doublings) and then add them together.
$2^0P$ is just $P$, so you already have it. Double it twice, and you get $2^2P$. Double that one four times, and you get $2^6P$. And so on. With $17$ doublings, you'll get all $2^kP$ for $k$ up to $17$, so in particular you'll get all the values you are interested in. As the formulas above show, ten extra additions, between the eleven $2^kP$ that are needed, will yield the result. In total, you got $224965 P$ with $17$ doublings and $10$ additions, i.e. much fewer than $224964$.
In all generality, if $n$ is a number of $t$ bits (i.e. less than $2^t$), then $t-1$ doublings and at most $t-1$ extra additions are enough.
There are many variations upon this mechanism, depending on how you interleave the doublings and the additions, and possibly reuse some addition results. You'll still need to compute the $t-1$ doublings, but you may save on some of the extra additions. How many intermediate results you need to keep in RAM is also a consideration. Moreover, if $n$ is a secret value, then you'll want to avoid side-channel attacks that may result in leaking some of the bits of $n$, and this impacts the kinds of double-and-add algorithms you can tolerate.
answered 2 days ago
Thomas PorninThomas Pornin
70.4k13184267
$endgroup$
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Jon Aird is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68278%2fare-there-shortcuts-for-computing-ecc-point-multiplication%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
It is called "double-and-add". For instance, take a point, and add it to itself. Then take the result, and add it to itself. Do that again. And again. After ten additions, what you get is $2^{10} = 1024$ times the original point: in just 10 additions, not 1023. That's the "shortcut".
More generally, with $k$ successive doublings (a "doubling" is the addition of a point with itself), starting from a point $P$, you get $2^k P$. Now, all you have to do is to consider your multiplier $n$ in binary: this is about writing it as a sum of powers of two. For instance, if $n = 224965$, then, in binary, it becomes $110110111011000101$, which means that:
$$ n = 2^0 + 2^2 + 2^6 + 2^7 + 2^9 + 2^{10} + 2^{11} + 2^{13} + 2^{14} + 2^{16} + 2^{17} $$
And therefore:
$$ nP = 2^0P + 2^2P + 2^6P + 2^7P + 2^9P + 2^{10}P + 2^{11}P + 2^{13}P + 2^{14}P + 2^{16}P + 2^{17}P $$
So all you have to do to compute $nP$ is to compute these $2^kP$ (with successive doublings) and then add them together.
$2^0P$ is just $P$, so you already have it. Double it twice, and you get $2^2P$. Double that one four times, and you get $2^6P$. And so on. With $17$ doublings, you'll get all $2^kP$ for $k$ up to $17$, so in particular you'll get all the values you are interested in. As the formulas above show, ten extra additions, between the eleven $2^kP$ that are needed, will yield the result. In total, you got $224965 P$ with $17$ doublings and $10$ additions, i.e. much fewer than $224964$.
In all generality, if $n$ is a number of $t$ bits (i.e. less than $2^t$), then $t-1$ doublings and at most $t-1$ extra additions are enough.
There are many variations upon this mechanism, depending on how you interleave the doublings and the additions, and possibly reuse some addition results. You'll still need to compute the $t-1$ doublings, but you may save on some of the extra additions. How many intermediate results you need to keep in RAM is also a consideration. Moreover, if $n$ is a secret value, then you'll want to avoid side-channel attacks that may result in leaking some of the bits of $n$, and this impacts the kinds of double-and-add algorithms you can tolerate.
answered 2 days ago
Thomas PorninThomas Pornin
70.4k13184267
$endgroup$
add a comment |
$begingroup$
It is called "double-and-add". For instance, take a point, and add it to itself. Then take the result, and add it to itself. Do that again. And again. After ten additions, what you get is $2^{10} = 1024$ times the original point: in just 10 additions, not 1023. That's the "shortcut".
More generally, with $k$ successive doublings (a "doubling" is the addition of a point with itself), starting from a point $P$, you get $2^k P$. Now, all you have to do is to consider your multiplier $n$ in binary: this is about writing it as a sum of powers of two. For instance, if $n = 224965$, then, in binary, it becomes $110110111011000101$, which means that:
$$ n = 2^0 + 2^2 + 2^6 + 2^7 + 2^9 + 2^{10} + 2^{11} + 2^{13} + 2^{14} + 2^{16} + 2^{17} $$
And therefore:
$$ nP = 2^0P + 2^2P + 2^6P + 2^7P + 2^9P + 2^{10}P + 2^{11}P + 2^{13}P + 2^{14}P + 2^{16}P + 2^{17}P $$
So all you have to do to compute $nP$ is to compute these $2^kP$ (with successive doublings) and then add them together.
$2^0P$ is just $P$, so you already have it. Double it twice, and you get $2^2P$. Double that one four times, and you get $2^6P$. And so on. With $17$ doublings, you'll get all $2^kP$ for $k$ up to $17$, so in particular you'll get all the values you are interested in. As the formulas above show, ten extra additions, between the eleven $2^kP$ that are needed, will yield the result. In total, you got $224965 P$ with $17$ doublings and $10$ additions, i.e. much fewer than $224964$.
In all generality, if $n$ is a number of $t$ bits (i.e. less than $2^t$), then $t-1$ doublings and at most $t-1$ extra additions are enough.
There are many variations upon this mechanism, depending on how you interleave the doublings and the additions, and possibly reuse some addition results. You'll still need to compute the $t-1$ doublings, but you may save on some of the extra additions. How many intermediate results you need to keep in RAM is also a consideration. Moreover, if $n$ is a secret value, then you'll want to avoid side-channel attacks that may result in leaking some of the bits of $n$, and this impacts the kinds of double-and-add algorithms you can tolerate.
answered 2 days ago
Thomas PorninThomas Pornin
70.4k13184267
$endgroup$
add a comment |
$begingroup$
It is called "double-and-add". For instance, take a point, and add it to itself. Then take the result, and add it to itself. Do that again. And again. After ten additions, what you get is $2^{10} = 1024$ times the original point: in just 10 additions, not 1023. That's the "shortcut".
More generally, with $k$ successive doublings (a "doubling" is the addition of a point with itself), starting from a point $P$, you get $2^k P$. Now, all you have to do is to consider your multiplier $n$ in binary: this is about writing it as a sum of powers of two. For instance, if $n = 224965$, then, in binary, it becomes $110110111011000101$, which means that:
$$ n = 2^0 + 2^2 + 2^6 + 2^7 + 2^9 + 2^{10} + 2^{11} + 2^{13} + 2^{14} + 2^{16} + 2^{17} $$
And therefore:
$$ nP = 2^0P + 2^2P + 2^6P + 2^7P + 2^9P + 2^{10}P + 2^{11}P + 2^{13}P + 2^{14}P + 2^{16}P + 2^{17}P $$
So all you have to do to compute $nP$ is to compute these $2^kP$ (with successive doublings) and then add them together.
$2^0P$ is just $P$, so you already have it. Double it twice, and you get $2^2P$. Double that one four times, and you get $2^6P$. And so on. With $17$ doublings, you'll get all $2^kP$ for $k$ up to $17$, so in particular you'll get all the values you are interested in. As the formulas above show, ten extra additions, between the eleven $2^kP$ that are needed, will yield the result. In total, you got $224965 P$ with $17$ doublings and $10$ additions, i.e. much fewer than $224964$.
In all generality, if $n$ is a number of $t$ bits (i.e. less than $2^t$), then $t-1$ doublings and at most $t-1$ extra additions are enough.
There are many variations upon this mechanism, depending on how you interleave the doublings and the additions, and possibly reuse some addition results. You'll still need to compute the $t-1$ doublings, but you may save on some of the extra additions. How many intermediate results you need to keep in RAM is also a consideration. Moreover, if $n$ is a secret value, then you'll want to avoid side-channel attacks that may result in leaking some of the bits of $n$, and this impacts the kinds of double-and-add algorithms you can tolerate.
answered 2 days ago
Thomas PorninThomas Pornin
70.4k13184267
$endgroup$
It is called "double-and-add". For instance, take a point, and add it to itself. Then take the result, and add it to itself. Do that again. And again. After ten additions, what you get is $2^{10} = 1024$ times the original point: in just 10 additions, not 1023. That's the "shortcut".
More generally, with $k$ successive doublings (a "doubling" is the addition of a point with itself), starting from a point $P$, you get $2^k P$. Now, all you have to do is to consider your multiplier $n$ in binary: this is about writing it as a sum of powers of two. For instance, if $n = 224965$, then, in binary, it becomes $110110111011000101$, which means that:
$$ n = 2^0 + 2^2 + 2^6 + 2^7 + 2^9 + 2^{10} + 2^{11} + 2^{13} + 2^{14} + 2^{16} + 2^{17} $$
And therefore:
$$ nP = 2^0P + 2^2P + 2^6P + 2^7P + 2^9P + 2^{10}P + 2^{11}P + 2^{13}P + 2^{14}P + 2^{16}P + 2^{17}P $$
So all you have to do to compute $nP$ is to compute these $2^kP$ (with successive doublings) and then add them together.
$2^0P$ is just $P$, so you already have it. Double it twice, and you get $2^2P$. Double that one four times, and you get $2^6P$. And so on. With $17$ doublings, you'll get all $2^kP$ for $k$ up to $17$, so in particular you'll get all the values you are interested in. As the formulas above show, ten extra additions, between the eleven $2^kP$ that are needed, will yield the result. In total, you got $224965 P$ with $17$ doublings and $10$ additions, i.e. much fewer than $224964$.
In all generality, if $n$ is a number of $t$ bits (i.e. less than $2^t$), then $t-1$ doublings and at most $t-1$ extra additions are enough.
There are many variations upon this mechanism, depending on how you interleave the doublings and the additions, and possibly reuse some addition results. You'll still need to compute the $t-1$ doublings, but you may save on some of the extra additions. How many intermediate results you need to keep in RAM is also a consideration. Moreover, if $n$ is a secret value, then you'll want to avoid side-channel attacks that may result in leaking some of the bits of $n$, and this impacts the kinds of double-and-add algorithms you can tolerate.
answered 2 days ago
Thomas PorninThomas Pornin
70.4k13184267
answered 2 days ago
Thomas PorninThomas Pornin
70.4k13184267
answered 2 days ago
Thomas PorninThomas Pornin
70.4k13184267
answered 2 days ago
Thomas PorninThomas Pornin
70.4k13184267
70.4k13184267
add a comment |
add a comment |
Jon Aird is a new contributor. Be nice, and check out our Code of Conduct.
Jon Aird is a new contributor. Be nice, and check out our Code of Conduct.
Jon Aird is a new contributor. Be nice, and check out our Code of Conduct.
Jon Aird is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68278%2fare-there-shortcuts-for-computing-ecc-point-multiplication%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
$begingroup$
First google hits en.wikipedia.org/wiki/Elliptic_curve_point_multiplication and crypto.stackexchange.com/questions/3907/… .
$endgroup$
– dave_thompson_085
2 days ago