Constructing multidimensional differential addition chains and their applications

Abstract

We propose new algorithms for constructing multidimensional differential addition chains and for performing multidimensional scalar point multiplication based on these chains. Our algorithms work in any dimension and offer some key efficiency and security features. In particular, our scalar point multiplication algorithm is uniform, it can be parallelized, and differential addition formulas can be deployed. It also allows trading speed for precomputation cost and storage requirements. These key features and our theoretical estimates indicate that this new algorithm may offer some performance advantages over the existing point multiplication algorithms in practice. We also report some experimental results and verify some of our theoretical findings, and a simplistic Magma implementation is provided.

Appendices

Appendix A: A toy example

Suppose we wish to compute the point \(10P_1 + 14 P_2 + 9 P_3 + 11 P_4\) using Algorithm 3.

We are first to run Algorithm 1. There are two odd coefficients, and so \(A_{3} = \begin{bmatrix} 10&14&9&11 \end{bmatrix}\). Now we add or subtract 1 to the coefficients one at a time, ensuring that we end up with all evens in \(A_1\) and all odds in \(A_5\). Making random choices for whether to add or subtract, suppose we arrive at the matrix

$$\begin{aligned} A^{(1)} = \begin{bmatrix} 10&14&10&12 \\ 10&14&10&11 \\ 10&14&9&11 \\ 10&15&9&11 \\ 11&15&9&11 \end{bmatrix} \end{aligned}$$

as the output of A1.

For A3(2), we have \(k=1\) and \(h=2\).

Now we arrive at the loop, A3(3). We run A2 with the matrix \(A^{(1)}\) above as input. To compute \(\sigma \), we look at consecutive rows of \(A^{(1)}\). The change between rows \(A_1^{(1)}\) and \(A_2^{(1)}\) occurs at column 4, and so \(\sigma (2) = 4\). The change from \(A_2^{(1)}\) to \(A_3^{(1)}\) occurs at column 3, and so \(\sigma (3) = 3\). Continuing in this fashion, we have \(\sigma (4) = 2\) and \(\sigma (5) = 1\). To define the \(c_i\)’s, just subtract the first row of \(A^{(1)}\) from the final row to get \(\begin{bmatrix} 1&1&-1&-1 \end{bmatrix}\), which tells us \(c_1 = 1, c_2 = 1, c_3 = -1, c_4 = -1\).

To begin building B, halve the top row of \(A^{(1)}\) to get the numbers 5, 7, 5, 6. There are three odds here, and so \(B_4 = \begin{bmatrix} 5&7&5&6 \end{bmatrix}\). In A2(6), we initialize D as

We construct the remaining rows of B iteratively in A2(7) by inspecting the successive rows of \(A^{(1)}\).

The change in row \(A^{(1)}_2\) occurs in column 4 (already noted by \(\sigma (2) = 4\)) in which the 12 in row 1 decreased to 11. In order to make 11, we need a 5 to go with the 6 already placed in \(B_4\). Since 6 is even we define the new row of B to be placed below the current rows, consisting of the same numbers as \(B_4\) but changing the 6 to a 5:

$$\begin{aligned} B = \begin{bmatrix}&&\\&&\\&&\\ 5&7&5&6 \\ 5&7&5&5 \end{bmatrix} \qquad A^{(1)} = \begin{bmatrix} 10&14&10&12 \\ 10&14&10&11 \\ 10&14&9&11 \\ 10&15&9&11 \\ 11&15&9&11 \end{bmatrix} \end{aligned}$$

These are our results after executing A2(11) in the first iteration (\(k=2\)). This definition of the newly constructed row of B allows us to satisfy \(A^{(1)}_2 = B_4 + B_5\). The difference \(B_4 - B_5 = \begin{bmatrix} 0&0&0&1 \end{bmatrix}\) becomes the new R, and we append the column on to D with this information in A2(15):

We look at row 3 of \(A^{(1)}\). The change occurs at column 3 when 10 decreased to 9 (given by \(\sigma (3) = 3\) and \(c_3 = -1\)). In order to make 9, we need a 4 to go with the 5 in column 3 of B. Since 5 is odd we define the new row of B to be placed above the current rows, consisting of the same numbers as \(B_4\) but changing the 5 to a 4:

$$\begin{aligned} B = \begin{bmatrix}&&\\&&\\ 5&7&4&6 \\ 5&7&5&6 \\ 5&7&5&5 \end{bmatrix} \qquad A^{(1)} = \begin{bmatrix} 10&14&10&12 \\ 10&14&10&11 \\ 10&14&9&11 \\ 10&15&9&11 \\ 11&15&9&11 \end{bmatrix} \end{aligned}$$

The above is matrix B after the second iteration of A2(7) (\(k = 3\)). Again the definition of this new row ensures that \(B_3 + B_5 = A^{(1)}_3\). The row numbers and the difference \(B_3 - B_5 = \begin{bmatrix} 0&0&-1&1 \end{bmatrix}\) are stored into D:

We continue in this way, going down the rows of \(A^{(1)}\). The change in \(A^{(1)}_4\) occurs in column 2, where we need an 8 to go with our 7 in B. 7 is odd, so we append a row at the top of B (and a column onto D, shown further below):

$$\begin{aligned} B = \begin{bmatrix}&&\\ 5&8&4&6 \\ 5&7&4&6 \\ 5&7&5&6 \\ 5&7&5&5 \end{bmatrix} \qquad A^{(1)} = \begin{bmatrix} 10&14&10&12 \\ 10&14&10&11 \\ 10&14&9&11 \\ 10&15&9&11 \\ 11&15&9&11 \end{bmatrix} \end{aligned}$$

Finally, the last change occurs in column 1. We need a 6 with our current 5 in B in order to make 11, and since 5 is odd, we append at the top once more. This will finish the loop, and we will rename the matrix B to be \(A^{(2)}\):

$$\begin{aligned} A^{(2)} = B = \begin{bmatrix} 6&8&4&6 \\ 5&8&4&6 \\ 5&7&4&6 \\ 5&7&5&6 \\ 5&7&5&5 \end{bmatrix} \quad A^{(1)} = \begin{bmatrix} 10&14&10&12 \\ 10&14&10&11 \\ 10&14&9&11 \\ 10&15&9&11 \\ 11&15&9&11 \end{bmatrix} \end{aligned}$$

Assigning \(k=2\), this finishes the first iteration of the loop in A3(3). We continue iterating through this loop, constructing a sequence of matrices and arrays just as we did above. We construct the final matrix when \(k=4\) (however, the loop increments once more before exiting to leave us with \(k=5\)). In total, we now have:

The arrays \(D^{(i)}\) give us a road map for how to compute our desired \(A_3^{(1)}\) in terms of the rows of \(A^{(5)}\), which are particularly simple. We compute \(Q^{(5)}_i := A^{(5)}_i \cdot \begin{bmatrix} P_1&P_2&P_3&P_4 \end{bmatrix}^T\) for \(1 \le i \le 5\), as stated in A3(7):

$$\begin{aligned} Q^{(5)}_1&= 0 \\ Q^{(5)}_2&= P_2 \\ Q^{(5)}_3&= P_2 + P_4 \\ Q^{(5)}_4&= P_1 + P_2 + P_4 \\ Q^{(5)}_5&= P_1 + P_2 + P_3 + P_4 \end{aligned}$$

Proceeding into the loop in A3(9), we then compute the rows of \(A^{(4)}\) listed in the first row of \(D^{(4)}\) in terms of the above 5 points:

$$\begin{aligned} Q^{(4)}_1&= 2Q^{(5)}_5 = 2P_1 + 2P_2 + 2P_3 + 2P_4 \\ Q^{(4)}_2&= Q^{(5)}_4 + Q^{(5)}_5 = 2P_1 + 2P_2 + P_3 + 2P_4 \\ Q^{(4)}_3&= Q^{(5)}_3 + Q^{(5)}_5 = P_1 + 2P_2 + P_3 + 2P_4 \\ Q^{(4)}_4&= Q^{(5)}_2 + Q^{(5)}_5 = P_1 + 2P_2 + P_3 + P_4 \\ Q^{(4)}_5&= Q^{(5)}_1 + Q^{(5)}_5 = P_1 + P_1 + P_3 + P_4 \end{aligned}$$

Next, compute the rows of \(A^{(3)}\) listed in the first row of \(D^{(3)}\) using the above points:

$$\begin{aligned} Q^{(3)}_1&= 2Q^{(4)}_4 = 2P_1 + 4P_2 + 2P_3 + 2P_4 \\ Q^{(3)}_2&= Q^{(4)}_3 + Q^{(4)}_4 = 2P_1 + 4P_2 + 2P_3 + 3P_4 \\ Q^{(3)}_3&= Q^{(4)}_2 + Q^{(4)}_4 = 3P_1 + 4P_2 + 2P_3 + 3P_4 \\ Q^{(3)}_4&= Q^{(4)}_2 + Q^{(4)}_5 = 3P_1 + 3P_2 + 2P_3 + 3P_4 \\ Q^{(3)}_5&= Q^{(4)}_1 + Q^{(4)}_5 = 3P_1 + 3P_2 + 3P_3 + 3P_4 \end{aligned}$$

Compute the rows of \(A^{(2)}\) using \(D^{(2)}\) and the above points:

$$\begin{aligned} Q^{(2)}_1&= 2Q^{(3)}_3 = 6P_1 + 8P_2 + 4P_3 + 6P_4 \\ Q^{(2)}_2&= Q^{(3)}_2 + Q^{(3)}_3 = 5P_1 + 8P_2 + 4P_3 + 6P_4 \\ Q^{(2)}_3&= Q^{(3)}_2 + Q^{(3)}_4 = 5P_1 + 7P_2 + 4P_3 + 6P_4 \\ Q^{(2)}_4&= Q^{(3)}_2 + Q^{(3)}_5 = 5P_1 + 7P_2 + 5P_3 + 6P_4 \\ Q^{(2)}_5&= Q^{(3)}_1 + Q^{(3)}_5 = 5P_1 + 7P_2 + 5P_3 + 5P_4 \end{aligned}$$

And finally, compute the rows of \(A^{(1)}\) using \(D^{(1)}\) and the above points:

$$\begin{aligned} Q^{(1)}_1&= 2 Q^{(2)}_4 = 10P_1 + 14P_2 + 10P_3 + 12P_4 \\ Q^{(1)}_2&= Q^{(2)}_4 + Q^{(2)}_5 = 10P_1 + 14P_2 + 10P_3 + 11P_4 \\ Q^{(1)}_3&= Q^{(2)}_3 + Q^{(2)}_5 = 10P_1 + 14P_2 + 9P_3 + 11P_4 \\ Q^{(1)}_4&= Q^{(2)}_2 + Q^{(2)}_5 = 10P_1 + 15P_2 + 9P_3 + 11P_4 \\ Q^{(1)}_5&= Q^{(2)}_1 + Q^{(2)}_5 = 11P_1 + 15P_2 + 9P_3 + 11P_4 \end{aligned}$$

As we wanted to compute row 3 of \(A^{(1)}\), we output \(Q_3^{(1)}\).

Appendix B: Magma implementation

We provide Magma code below, which was written for the purpose of simplicity and ease of understanding and does not attempt to optimize the algorithm or make any additional security modifications outside of what is stated in this paper. Structure, notation, and indexing were matched with that of the algorithms presented in Sect. 3 as much as possible. The code following comments ”// i //” indicates the implementation of line i in the respective algorithm.