Are there shortcuts for computing ECC Point multiplication? The Next CEO of Stack OverflowHow does one calculate the scalar multiplication on elliptic curves?Elliptic curve parameter generationFinite fields and ECCUnderstanding elliptic curve encryptionECC - Point Addition/Point MultiplicationFast hashing into elliptic curveDo I understand (below) why Q = dP is easy while finding d is hardElliptic Curve Point at Inifnity in Projective CoordinatesFor elliptic-curve cryptography, does a 256-bit key imply that $x$ and $y$ are each 256-bits or 128-bits?Does this simple signature scheme work?Proving that a point on elliptic curve is smaller than half of group's order
I'm self employed. Can I contribute to my previous employers 401k?
Is it my responsibility to learn a new technology in my own time my employer wants to implement?
Is 'diverse range' a pleonastic phrase?
I want to make a picture in physics with TikZ. Can you help me?
How to get the end in algorithm2e
Why is the US ranked as #45 in Press Freedom ratings, despite its extremely permissive free speech laws?
Why isn't acceleration zero when velocity is zero as an object reflects off a wall?
How to invert MapIndexed on a ragged structure? How to construct a tree from rules?
Why this way of making earth uninhabitable in Interstellar?
What happens if you roll doubles 3 times then land on "Go to jail?"
Can we say or write : "No, it'sn't"?
Solving system of ODEs with extra parameter
Which kind of appliances can one connect to electric sockets located in an airplane's toilet?
If Nick Fury and Coulson already knew about aliens (Kree and Skrull) why did they wait until Thor's appearance to start making weapons?
What's the best way to handle refactoring a big file?
I want to delete every two lines after 3rd lines in file contain very large number of lines :
Is wanting to ask what to write an indication that you need to change your story?
Proper way to express "He disappeared them"
How do I go from 300 unfinished/half written blog posts, to published posts?
Example of a Mathematician/Physicist whose Other Publications during their PhD eclipsed their PhD Thesis
Why didn't Khan get resurrected in the Genesis Explosion?
Are police here, aren't itthey?
Is it possible to search for a directory/file combination?
Are there any unintended negative consequences to allowing PCs to gain multiple levels at once in a short milestone-XP game?
Are there shortcuts for computing ECC Point multiplication?
The Next CEO of Stack OverflowHow does one calculate the scalar multiplication on elliptic curves?Elliptic curve parameter generationFinite fields and ECCUnderstanding elliptic curve encryptionECC - Point Addition/Point MultiplicationFast hashing into elliptic curveDo I understand (below) why Q = dP is easy while finding d is hardElliptic Curve Point at Inifnity in Projective CoordinatesFor elliptic-curve cryptography, does a 256-bit key imply that $x$ and $y$ are each 256-bits or 128-bits?Does this simple signature scheme work?Proving that a point on elliptic curve is smaller than half of group's order
$begingroup$
I'm trying to learn about elliptic curve cryptography.
Let's say you have point $P$ and 256 bit number $n$ and you want to compute $nP$. It sounds like computing additions one at a time is not computationally feasible. Is there an algorithmic "shortcut" to compute this? If so, how does it work?
elliptic-curves
edited Mar 25 at 13:56
AleksanderRas
2,8801935
asked Mar 25 at 13:40
Jon AirdJon Aird
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
add a comment |
$begingroup$
I'm trying to learn about elliptic curve cryptography.
Let's say you have point $P$ and 256 bit number $n$ and you want to compute $nP$. It sounds like computing additions one at a time is not computationally feasible. Is there an algorithmic "shortcut" to compute this? If so, how does it work?
elliptic-curves
edited Mar 25 at 13:56
AleksanderRas
2,8801935
asked Mar 25 at 13:40
Jon AirdJon Aird
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
1
$begingroup$
First google hits en.wikipedia.org/wiki/Elliptic_curve_point_multiplication and crypto.stackexchange.com/questions/3907/… .
$endgroup$
– dave_thompson_085
Mar 25 at 22:55
add a comment |
$begingroup$
I'm trying to learn about elliptic curve cryptography.
Let's say you have point $P$ and 256 bit number $n$ and you want to compute $nP$. It sounds like computing additions one at a time is not computationally feasible. Is there an algorithmic "shortcut" to compute this? If so, how does it work?
elliptic-curves
edited Mar 25 at 13:56
AleksanderRas
2,8801935
asked Mar 25 at 13:40
Jon AirdJon Aird
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
I'm trying to learn about elliptic curve cryptography.
Let's say you have point $P$ and 256 bit number $n$ and you want to compute $nP$. It sounds like computing additions one at a time is not computationally feasible. Is there an algorithmic "shortcut" to compute this? If so, how does it work?
elliptic-curves
elliptic-curves
edited Mar 25 at 13:56
AleksanderRas
2,8801935
asked Mar 25 at 13:40
Jon AirdJon Aird
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited Mar 25 at 13:56
AleksanderRas
2,8801935
asked Mar 25 at 13:40
Jon AirdJon Aird
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited Mar 25 at 13:56
AleksanderRas
2,8801935
edited Mar 25 at 13:56
AleksanderRas
2,8801935
edited Mar 25 at 13:56
AleksanderRas
2,8801935
2,8801935
asked Mar 25 at 13:40
Jon AirdJon Aird
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked Mar 25 at 13:40
Jon AirdJon Aird
61
asked Mar 25 at 13:40
Jon AirdJon Aird
61
61
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Jon Aird is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
1
$begingroup$
First google hits en.wikipedia.org/wiki/Elliptic_curve_point_multiplication and crypto.stackexchange.com/questions/3907/… .
$endgroup$
– dave_thompson_085
Mar 25 at 22:55
add a comment |
1
$begingroup$
First google hits en.wikipedia.org/wiki/Elliptic_curve_point_multiplication and crypto.stackexchange.com/questions/3907/… .
$endgroup$
– dave_thompson_085
Mar 25 at 22:55
1
1
$begingroup$
First google hits en.wikipedia.org/wiki/Elliptic_curve_point_multiplication and crypto.stackexchange.com/questions/3907/… .
$endgroup$
– dave_thompson_085
Mar 25 at 22:55
$begingroup$
First google hits en.wikipedia.org/wiki/Elliptic_curve_point_multiplication and crypto.stackexchange.com/questions/3907/… .
$endgroup$
– dave_thompson_085
Mar 25 at 22:55
add a comment |
1 Answer
1
active
oldest
votes
$begingroup$
It is called "double-and-add". For instance, take a point, and add it to itself. Then take the result, and add it to itself. Do that again. And again. After ten additions, what you get is $2^10 = 1024$ times the original point: in just 10 additions, not 1023. That's the "shortcut".
More generally, with $k$ successive doublings (a "doubling" is the addition of a point with itself), starting from a point $P$, you get $2^k P$. Now, all you have to do is to consider your multiplier $n$ in binary: this is about writing it as a sum of powers of two. For instance, if $n = 224965$, then, in binary, it becomes $110110111011000101$, which means that:
$$ n = 2^0 + 2^2 + 2^6 + 2^7 + 2^9 + 2^10 + 2^11 + 2^13 + 2^14 + 2^16 + 2^17 $$
And therefore:
$$ nP = 2^0P + 2^2P + 2^6P + 2^7P + 2^9P + 2^10P + 2^11P + 2^13P + 2^14P + 2^16P + 2^17P $$
So all you have to do to compute $nP$ is to compute these $2^kP$ (with successive doublings) and then add them together.
$2^0P$ is just $P$, so you already have it. Double it twice, and you get $2^2P$. Double that one four times, and you get $2^6P$. And so on. With $17$ doublings, you'll get all $2^kP$ for $k$ up to $17$, so in particular you'll get all the values you are interested in. As the formulas above show, ten extra additions, between the eleven $2^kP$ that are needed, will yield the result. In total, you got $224965 P$ with $17$ doublings and $10$ additions, i.e. much fewer than $224964$.
In all generality, if $n$ is a number of $t$ bits (i.e. less than $2^t$), then $t-1$ doublings and at most $t-1$ extra additions are enough.
There are many variations upon this mechanism, depending on how you interleave the doublings and the additions, and possibly reuse some addition results. You'll still need to compute the $t-1$ doublings, but you may save on some of the extra additions. How many intermediate results you need to keep in RAM is also a consideration. Moreover, if $n$ is a secret value, then you'll want to avoid side-channel attacks that may result in leaking some of the bits of $n$, and this impacts the kinds of double-and-add algorithms you can tolerate.
answered Mar 25 at 15:19
Thomas PorninThomas Pornin
70.4k13184267
$endgroup$
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Jon Aird is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68278%2fare-there-shortcuts-for-computing-ecc-point-multiplication%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
It is called "double-and-add". For instance, take a point, and add it to itself. Then take the result, and add it to itself. Do that again. And again. After ten additions, what you get is $2^10 = 1024$ times the original point: in just 10 additions, not 1023. That's the "shortcut".
More generally, with $k$ successive doublings (a "doubling" is the addition of a point with itself), starting from a point $P$, you get $2^k P$. Now, all you have to do is to consider your multiplier $n$ in binary: this is about writing it as a sum of powers of two. For instance, if $n = 224965$, then, in binary, it becomes $110110111011000101$, which means that:
$$ n = 2^0 + 2^2 + 2^6 + 2^7 + 2^9 + 2^10 + 2^11 + 2^13 + 2^14 + 2^16 + 2^17 $$
And therefore:
$$ nP = 2^0P + 2^2P + 2^6P + 2^7P + 2^9P + 2^10P + 2^11P + 2^13P + 2^14P + 2^16P + 2^17P $$
So all you have to do to compute $nP$ is to compute these $2^kP$ (with successive doublings) and then add them together.
$2^0P$ is just $P$, so you already have it. Double it twice, and you get $2^2P$. Double that one four times, and you get $2^6P$. And so on. With $17$ doublings, you'll get all $2^kP$ for $k$ up to $17$, so in particular you'll get all the values you are interested in. As the formulas above show, ten extra additions, between the eleven $2^kP$ that are needed, will yield the result. In total, you got $224965 P$ with $17$ doublings and $10$ additions, i.e. much fewer than $224964$.
In all generality, if $n$ is a number of $t$ bits (i.e. less than $2^t$), then $t-1$ doublings and at most $t-1$ extra additions are enough.
There are many variations upon this mechanism, depending on how you interleave the doublings and the additions, and possibly reuse some addition results. You'll still need to compute the $t-1$ doublings, but you may save on some of the extra additions. How many intermediate results you need to keep in RAM is also a consideration. Moreover, if $n$ is a secret value, then you'll want to avoid side-channel attacks that may result in leaking some of the bits of $n$, and this impacts the kinds of double-and-add algorithms you can tolerate.
answered Mar 25 at 15:19
Thomas PorninThomas Pornin
70.4k13184267
$endgroup$
add a comment |
$begingroup$
It is called "double-and-add". For instance, take a point, and add it to itself. Then take the result, and add it to itself. Do that again. And again. After ten additions, what you get is $2^10 = 1024$ times the original point: in just 10 additions, not 1023. That's the "shortcut".
More generally, with $k$ successive doublings (a "doubling" is the addition of a point with itself), starting from a point $P$, you get $2^k P$. Now, all you have to do is to consider your multiplier $n$ in binary: this is about writing it as a sum of powers of two. For instance, if $n = 224965$, then, in binary, it becomes $110110111011000101$, which means that:
$$ n = 2^0 + 2^2 + 2^6 + 2^7 + 2^9 + 2^10 + 2^11 + 2^13 + 2^14 + 2^16 + 2^17 $$
And therefore:
$$ nP = 2^0P + 2^2P + 2^6P + 2^7P + 2^9P + 2^10P + 2^11P + 2^13P + 2^14P + 2^16P + 2^17P $$
So all you have to do to compute $nP$ is to compute these $2^kP$ (with successive doublings) and then add them together.
$2^0P$ is just $P$, so you already have it. Double it twice, and you get $2^2P$. Double that one four times, and you get $2^6P$. And so on. With $17$ doublings, you'll get all $2^kP$ for $k$ up to $17$, so in particular you'll get all the values you are interested in. As the formulas above show, ten extra additions, between the eleven $2^kP$ that are needed, will yield the result. In total, you got $224965 P$ with $17$ doublings and $10$ additions, i.e. much fewer than $224964$.
In all generality, if $n$ is a number of $t$ bits (i.e. less than $2^t$), then $t-1$ doublings and at most $t-1$ extra additions are enough.
There are many variations upon this mechanism, depending on how you interleave the doublings and the additions, and possibly reuse some addition results. You'll still need to compute the $t-1$ doublings, but you may save on some of the extra additions. How many intermediate results you need to keep in RAM is also a consideration. Moreover, if $n$ is a secret value, then you'll want to avoid side-channel attacks that may result in leaking some of the bits of $n$, and this impacts the kinds of double-and-add algorithms you can tolerate.
answered Mar 25 at 15:19
Thomas PorninThomas Pornin
70.4k13184267
$endgroup$
add a comment |
$begingroup$
It is called "double-and-add". For instance, take a point, and add it to itself. Then take the result, and add it to itself. Do that again. And again. After ten additions, what you get is $2^10 = 1024$ times the original point: in just 10 additions, not 1023. That's the "shortcut".
More generally, with $k$ successive doublings (a "doubling" is the addition of a point with itself), starting from a point $P$, you get $2^k P$. Now, all you have to do is to consider your multiplier $n$ in binary: this is about writing it as a sum of powers of two. For instance, if $n = 224965$, then, in binary, it becomes $110110111011000101$, which means that:
$$ n = 2^0 + 2^2 + 2^6 + 2^7 + 2^9 + 2^10 + 2^11 + 2^13 + 2^14 + 2^16 + 2^17 $$
And therefore:
$$ nP = 2^0P + 2^2P + 2^6P + 2^7P + 2^9P + 2^10P + 2^11P + 2^13P + 2^14P + 2^16P + 2^17P $$
So all you have to do to compute $nP$ is to compute these $2^kP$ (with successive doublings) and then add them together.
$2^0P$ is just $P$, so you already have it. Double it twice, and you get $2^2P$. Double that one four times, and you get $2^6P$. And so on. With $17$ doublings, you'll get all $2^kP$ for $k$ up to $17$, so in particular you'll get all the values you are interested in. As the formulas above show, ten extra additions, between the eleven $2^kP$ that are needed, will yield the result. In total, you got $224965 P$ with $17$ doublings and $10$ additions, i.e. much fewer than $224964$.
In all generality, if $n$ is a number of $t$ bits (i.e. less than $2^t$), then $t-1$ doublings and at most $t-1$ extra additions are enough.
There are many variations upon this mechanism, depending on how you interleave the doublings and the additions, and possibly reuse some addition results. You'll still need to compute the $t-1$ doublings, but you may save on some of the extra additions. How many intermediate results you need to keep in RAM is also a consideration. Moreover, if $n$ is a secret value, then you'll want to avoid side-channel attacks that may result in leaking some of the bits of $n$, and this impacts the kinds of double-and-add algorithms you can tolerate.
answered Mar 25 at 15:19
Thomas PorninThomas Pornin
70.4k13184267
$endgroup$
It is called "double-and-add". For instance, take a point, and add it to itself. Then take the result, and add it to itself. Do that again. And again. After ten additions, what you get is $2^10 = 1024$ times the original point: in just 10 additions, not 1023. That's the "shortcut".
More generally, with $k$ successive doublings (a "doubling" is the addition of a point with itself), starting from a point $P$, you get $2^k P$. Now, all you have to do is to consider your multiplier $n$ in binary: this is about writing it as a sum of powers of two. For instance, if $n = 224965$, then, in binary, it becomes $110110111011000101$, which means that:
$$ n = 2^0 + 2^2 + 2^6 + 2^7 + 2^9 + 2^10 + 2^11 + 2^13 + 2^14 + 2^16 + 2^17 $$
And therefore:
$$ nP = 2^0P + 2^2P + 2^6P + 2^7P + 2^9P + 2^10P + 2^11P + 2^13P + 2^14P + 2^16P + 2^17P $$
So all you have to do to compute $nP$ is to compute these $2^kP$ (with successive doublings) and then add them together.
$2^0P$ is just $P$, so you already have it. Double it twice, and you get $2^2P$. Double that one four times, and you get $2^6P$. And so on. With $17$ doublings, you'll get all $2^kP$ for $k$ up to $17$, so in particular you'll get all the values you are interested in. As the formulas above show, ten extra additions, between the eleven $2^kP$ that are needed, will yield the result. In total, you got $224965 P$ with $17$ doublings and $10$ additions, i.e. much fewer than $224964$.
In all generality, if $n$ is a number of $t$ bits (i.e. less than $2^t$), then $t-1$ doublings and at most $t-1$ extra additions are enough.
There are many variations upon this mechanism, depending on how you interleave the doublings and the additions, and possibly reuse some addition results. You'll still need to compute the $t-1$ doublings, but you may save on some of the extra additions. How many intermediate results you need to keep in RAM is also a consideration. Moreover, if $n$ is a secret value, then you'll want to avoid side-channel attacks that may result in leaking some of the bits of $n$, and this impacts the kinds of double-and-add algorithms you can tolerate.
answered Mar 25 at 15:19
Thomas PorninThomas Pornin
70.4k13184267
answered Mar 25 at 15:19
Thomas PorninThomas Pornin
70.4k13184267
answered Mar 25 at 15:19
Thomas PorninThomas Pornin
70.4k13184267
answered Mar 25 at 15:19
Thomas PorninThomas Pornin
70.4k13184267
70.4k13184267
add a comment |
add a comment |
Jon Aird is a new contributor. Be nice, and check out our Code of Conduct.
Jon Aird is a new contributor. Be nice, and check out our Code of Conduct.
Jon Aird is a new contributor. Be nice, and check out our Code of Conduct.
Jon Aird is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68278%2fare-there-shortcuts-for-computing-ecc-point-multiplication%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
$begingroup$
First google hits en.wikipedia.org/wiki/Elliptic_curve_point_multiplication and crypto.stackexchange.com/questions/3907/… .
$endgroup$
– dave_thompson_085
Mar 25 at 22:55