Faster Scalar Multiplication on the x-Line: Three-Dimensional GLV Method with Three-Dimensional Differential Addition Chains

Abstract

On the quadratic twist of a GLV curve, we explore faster scalar multiplication on its x-coordinate system utilizing three-dimensional GLV method. We construct and implement two kinds of three-dimensional differential addition chains, one of which is uniform and the other is non-uniform but runs faster. Implementations show that at about 254-bit security level, the triple scalar multiplication using our second differential addition chains runs about \(26\%\) faster than the straightforward computing using Montgomery ladder, and about \(6\%\) faster that the double scalar multiplication using DJB chains.

A Four-dimensional Case

If we consider further the straightforward 4-dimensional extension of DJB chains, we found that in each iteration we should compute \(2+(2^4-2)/2=9\) elements, containing 1 double and 8 additions, which is rather expensive and hence has no practical usage. For completeness, in this part we give its definition and a simple example. Its complex proof of correctness has been done by authors and one can also check it by computers.

For brief of notation we let \(e_1=(1,0,0,0),e_2=(0,1,0,0),e_3=(0,0,1,0),e_4=(0,0,0,1),e_5=(1,1,0,0),e_6=(1,0,1,0),e_7=(1,0,0,1)\). Denote by \(n^4\) the 4-tuple (n, n, n, n). Then the 7 elements omitted from S(a, b, c, d)² can be described as \(T_i=(a,b,c,d)+(U_i\mathrm {~mod~}2)\) where \(U_i=(a,b,c,d)+f_i^4+e_i\) and \(f_i\in \{0,1\}\) for \(i=1,\cdots ,7\).

Definition 2

For a given 4-tuple of nonnegative integers (A, B, C, D) and the set \(\{F_1,\cdots ,F_7\}\) where \(F_i\in \{0,1\},i=1,\cdots ,7\), the chain \(C(\{F_i\}_{i=1}^7;A,B,\) C, D) is defined recursively, as the set \(C(\{f_i\}_{i=1}^7;a,b,c,d)\) added with the following nine elements:

$$\begin{array}{llllll} M_{-1}&{}=(A,B,C,D)+((A+1,&{}B+1,&{}C+1,&{}D+1)\mathrm {~mod~}2),\\ M_0&{}=(A,B,C,D)+((A,&{}B,&{}C,&{}D)\mathrm {~mod~}2), \end{array}$$

and for \(i=1,\cdots ,7\),

$$M_i=(A,B,C,D)+ (N_i \mathrm {~mod~}2)\quad \text { where } N_i=(A,B,C,D)+(F_i+1)^4+e_i.$$

Here \((a,b,c,d)=(\lfloor A/2\rfloor ,\lfloor B/2\rfloor ,\lfloor C/2\rfloor ,\lfloor D/2\rfloor )\) and \((f_1,\cdots ,f_7)\) is taken as

$$\begin{array}{cccc} (f_1,\cdots ,f_7) &{} \begin{array}{cc} &{}if (a+A,b+B,\\ {} &{}c+C,d+D)\mathrm {~mod~}2\end{array} &{} (f_1,\cdots ,f_7) &{} \begin{array}{cc} &{}if (a+A,b+B,\\ {} &{}c+C,d+D)\mathrm {~mod~}2\end{array} \\ (1,0,0,0,1,1,1) &{} (1,0,0,0) &{} (0,1,1,1,0,0,0) &{} (0,1,1,1)\\ (0,1,0,0,1,0,0) &{} (0,1,0,0) &{} (1,0,1,1,0,1,1) &{} (1,0,1,1)\\ (0,0,1,0,0,1,0) &{} (0,0,1,0) &{} (1,1,0,1,1,0,1) &{} (1,1,0,1)\\ (0,0,0,1,0,0,1) &{} (0,0,0,1) &{} (1,1,1,0,1,1,0) &{} (1,1,1,0)\\ (1,1,0,0,1,0,0) &{} (1,1,0,0) &{} (0,0,1,1,0,0,0) &{} (0,0,1,1)\\ (1,0,1,0,0,1,0) &{} (1,0,1,0) &{} (0,1,0,1,0,0,0) &{} (0,1,0,1)\\ (1,0,0,1,0,0,1) &{} (1,0,0,1) &{} (0,1,1,0,0,0,0) &{} (0,1,1,0)\\ \begin{array}{cc}&{}(F_1,F_2,F_3,F_4,\\ {} &{}F_5,F_6,F_7)\end{array} &{} (0,0,0,0) &{} \begin{array}{cc}&{}(1-F_1,1-F_2,1-F_3,\\ {} &{}1-F_4,1-F_5,1-F_6,\\ {} &{}1-F_7)\end{array}&(1,1,1,1). \end{array}$$

Specially, for arbitrary \(F_1,\cdots ,F_7\), let \(C(\{F_i\};0,0,0,0)\) be the union of the sets

$$\begin{array}{ll} S_1=&{}\{(0,0,0,0), (1,0,0,0), (0,1,0,0), (0,0,1,0),(0,0,0,1),\\ &{}(1,-1,0,0),(1,0,-1,0),(1,0,0,-1),(0,1,-1,0),(0,1,0,-1),(0,0,1,-1), \\ &{}(1,1,-1,0),(1,1,0,-1),(1,0,1,-1),(0,1,1,-1),\\ &{}(1,1,1,-1)\} \\ S_2=&{}\{(1,1,0,0),(1,0,1,0),(1,0,0,1),(0,1,1,0),(0,1,0,1),(0,0,1,1),\\ &{}(1,1,1,0),(1,1,0,1),(1,0,1,1),(0,1,1,1),\\ &{}(1,-1,1,0),(1,-1,0,1),(1,0,-1,1),(0,1,-1,1),\\ &{}(-1,1,1,0),(-1,1,0,1),(-1,0,1,1),(0,-1,1,1),\\ &{}(1,1,-1,1),(1,-1,1,1),(-1,1,1,1),\\ &{}(1,1,-1,-1),(1,-1,1,-1),(1,-1,-1,1) \}\\ \end{array}$$

where \(S_2\) can be computed from \(S_1\).

We find that as the dimension of the chain increases, the pre-computation part becomes a heavy burden, and it grows exponentially w.r.t. the dimension. In some situation, this maybe a main disadvantage of computing scalar multiplication using higher dimensional DACs.

Example 3

Given a simple 4-tuple (10, 9, 8, 7). The uniform 4-dimensional DAC of (10, 9, 8, 7) is: \(S_1\cup S_2 \cup S_3\) where \(S_3=\)

$$\begin{aligned} \begin{aligned}&\{(1,1,1,1),(2,2,2,0),(2,1,1,1),(2,1,2,0),(2,2,1,0),(2,2,2,1),(2,2,1,1),(2,1,2,1),(2,1,1,0),\\&(3,3,3,1),(2,2,2,2),(3,2,2,2),(3,2,3,1),(3,3,2,1),(3,3,3,2),(3,3,2,2),(3,2,3,2),(3,2,2,1),\\&(5,5,5,3),(6,4,4,4),(5,4,4,4),(6,5,4,4),(5,5,4,3),(5,5,5,4),(5,5,4,4),(5,4,5,4),(5,4,4,3),\\&(11,9,9,7),(10,10,8,8),(10,9,9,7),(11,10,9,7),(11,9,8,7),(11,9,9,8),(10,10,9,7),(10,9,8,7),\\&(10.9.9.8)\} \end{aligned} \end{aligned}$$