<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">The Montgomery ladder can take advantage of mixed differential addition, where R+Q is computed with the additional information that R-Q is equal to the base point P. (It’s called “mixed” because R and Q are in projective form, but P is affine.) Unlike ordinary addition, differential addition can be computed using just the x-coordinates of P, Q and R. So can doubling. Therefore, you can compute the whole ladder using only x coordinates. You can recover y at the end, but usually people don’t.</div><div class=""><br class=""></div><div class="">This pair of operations — x-only mixed differential addition and doubling — is significantly faster and simpler on a Montgomery curve than on a short Weierstrass curve. The same is not true of the ordinary addition and doubling formulas. This is why Montgomery curves are used for ECDH, but not usually other operations.</div><div class=""><br class=""></div><div class="">You can take advantage of the same technique on a short Weierstrass curve, using for example co-z coordinates. But it’s not as simple or fast as on a Montgomery curve. Furthermore, while the mixed differential addition law is unified on a Montgomery curve, it is not unified on a short Weierstrass curve. This makes it noticeably harder to start the ladder.</div><div class=""><br class=""></div><div class="">— Mike</div><div class=""><br class=""></div><div><blockquote type="cite" class=""><div class="">On Jul 8, 2015, at 5:11 PM, Ron Garret <<a href="mailto:ron@flownet.com" class="">ron@flownet.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=windows-1252" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Could you please elaborate on this, or point me to a reference? According to:<div class=""><br class=""></div><div class=""><a href="https://choucroutage.com/Papers/SideChannelAttacks/ches-2002-joye.pdf" class="">https://choucroutage.com/Papers/SideChannelAttacks/ches-2002-joye.pdf</a></div><div class=""><br class=""></div><div class="">the Montgomery ladder “is of full generality and applies to any abelian group.”</div><div class=""><br class=""></div><div class="">Is it really the ladder that is more efficient for Montgomery curves, or is it just the point addition and doubling operations that are more efficient?</div><div class=""><br class=""></div><div class="">rg<br class=""><div class=""><div class=""><br class=""><div class=""><div class="">On Jul 8, 2015, at 4:05 PM, Michael Hamburg <<a href="mailto:mike@shiftleft.org" class="">mike@shiftleft.org</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite" class=""><meta http-equiv="Content-Type" content="text/html charset=windows-1252" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">The Montgomery ladder is significantly simpler and more efficient on Montgomery curves than on short Weierstrass curves.</div><br class=""><div class=""><blockquote type="cite" class=""><div class="">On Jul 8, 2015, at 3:38 PM, Ron Garret <<a href="mailto:ron@flownet.com" class="">ron@flownet.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=windows-1252" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">“Montgomery curves are attractive because of the ladder method of scalar multiplication”<div class=""><br class=""></div><div class="">Is this actually true? I was under the impression that the Montgomery ladder was applicable to any kind of elliptic curve. They just both happen to have been invented by Peter Montgomery.</div><div class=""><br class=""></div><div class="">rg</div><div class=""><br class=""><div class=""><div class="">On Jul 7, 2015, at 8:12 PM, Tony Arcieri <<a href="mailto:bascule@gmail.com" class="">bascule@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite" class=""><div dir="ltr" class=""><div class="gmail_quote"><div dir="ltr" class="">I made this poster for the DEFCON Crypto and Privacy Village. It's intended for audiences of mixed ability levels:</div><div dir="ltr" class=""><br class=""></div><div dir="ltr" class=""><a href="https://i.imgur.com/hwbSRHh.png" class="">https://i.imgur.com/hwbSRHh.png</a><br class=""><div class=""><br class=""></div><div class="">Would appreciate technical feedback on it. If you'd like to suggest copy changes, please consider design constraints (i.e. available room on the page).</div><div class=""><br class=""></div><div class="">Thanks!</div><div class=""><br class=""></div></div></div>-- <br class=""><div class="gmail_signature">Tony Arcieri<br class=""></div>
</div>
_______________________________________________<br class="">Curves mailing list<br class=""><a href="mailto:Curves@moderncrypto.org" class="">Curves@moderncrypto.org</a><br class=""><a href="https://moderncrypto.org/mailman/listinfo/curves" class="">https://moderncrypto.org/mailman/listinfo/curves</a><br class=""></blockquote></div><br class=""></div></div>_______________________________________________<br class="">Curves mailing list<br class=""><a href="mailto:Curves@moderncrypto.org" class="">Curves@moderncrypto.org</a><br class=""><a href="https://moderncrypto.org/mailman/listinfo/curves" class="">https://moderncrypto.org/mailman/listinfo/curves</a><br class=""></div></blockquote></div><br class=""></div></blockquote></div><br class=""></div></div></div></div></div></blockquote></div><br class=""></body></html>