Differential addition chains

Differential addition chains (also known as strong addition chains, Lucas chains, and Chebyshev chains) are addition chains in which every sum is already accompanied by a difference. Low-cost differential addition chains are used to efficiently exponentiate in groups where the operation $a, b, a/b \mapsto ab$ is fast: in particular, to perform x-coordinate scalar multiplication $P \mapsto mP$ on an elliptic curve $y^2 = x^3 + Ax^2 + x$. Similarly, low-cost two-dimensional differential addition chains are used to efficiently compute the function $P, Q, P - Q \mapsto mP + nQ$ on an elliptic curve. This paper presents two new constructive upper bounds on the costs of two-dimensional differential addition chains. The paper’s new “binary” chain is very easy to compute and uses 3 additions (14 field multiplications in the elliptic-curve context) per exponent bit, with a uniform structure that helps protect against side-channel attacks. The paper’s new “extended-gcd” chain takes more time to compute, does not have the uniform structure, and is not easy to analyze, but experiments show that it takes only about 1.77 additions (9.97 field multiplications) per exponent bit.

1 What is a differential addition chain?

A differential addition chain is an addition chain in which each sum is already accompanied by a difference: i.e., whenever a new chain element P + Q is formed by adding P and Q, the difference P − Q was already in the chain.

Here is an example of a one-dimensional differential addition chain starting from 0 and 1:

    0
    1
    2 = 1 + 1 with difference 1 − 1 = 0
    3 = 2 + 1 with difference 2 − 1 = 1
    4 = 2 + 2 with difference 2 − 2 = 0
    7 = 4 + 3 with difference 4 − 3 = 1
    11 = 7 + 4 with difference 7 − 4 = 3
    18 = 11 + 7 with difference 11 − 7 = 4
    29 = 18 + 11 with difference 18 − 11 = 7
    40 = 29 + 11 with difference 29 − 11 = 18
    51 = 40 + 11 with difference 40 − 11 = 29
    91 = 51 + 40 with difference 51 − 40 = 11

This work was carried out while the author was visiting Danmarks Tekniske Universitet.
Date of this document: 2006.02.19. Permanent ID of this document: 9620b81ea01f66b2a782be234dade959.

Here is an example of a two-dimensional differential addition chain starting from (0, 0), (1, 0), (0, 1), and (1, −1):

    (0, 0)
    (1, 0)
    (0, 1)
    (1, −1)
    (1, 1) = (1, 0) + (0, 1) with (1, −1)
    (1, 2) = (1, 1) + (0, 1) with (1, 0)
    (1, 3) = (1, 2) + (0, 1) with (1, 1)
    (2, 5) = (1, 3) + (1, 2) with (0, 1)
    (3, 8) = (2, 5) + (1, 3) with (1, 2)
    (5, 13) = (3, 8) + (2, 5) with (1, 3)
    (7, 18) = (5, 13) + (2, 5) with (3, 8)
    (12, 31) = (7, 18) + (5, 13) with (2, 5)
    (19, 49) = (12, 31) + (7, 18) with (5, 13)
    (26, 67) = (19, 49) + (7, 18) with (12, 31)
    (33, 85) = (26, 67) + (7, 18) with (19, 49)
    (40, 103) = (33, 85) + (7, 18) with (26, 67)
    (47, 121) = (40, 103) + (7, 18) with (33, 85)
    (54, 139) = (47, 121) + (7, 18) with (40, 103)
    (94, 242) = (47, 121) + (47, 121) with (0, 0)
    (141, 363) = (94, 242) + (47, 121) with (47, 121)
    (148, 381) = (94, 242) + (54, 139) with (40, 103)
    (289, 744) = (148, 381) + (141, 363) with (7, 18)
    (296, 762) = (148, 381) + (148, 381) with (0, 0)
    (585, 1506) = (296, 762) + (289, 744) with (7, 18)
    (874, 2250) = (585, 1506) + (289, 744) with (296, 762)
    (1459, 3756) = (874, 2250) + (585, 1506) with (289, 744)
    (2333, 6006) = (1459, 3756) + (874, 2250) with (585, 1506)
    (2918, 7512) = (1459, 3756) + (1459, 3756) with (0, 0)
    (5251, 13518) = (2918, 7512) + (2333, 6006) with (585, 1506)
    (8169, 21030) = (5251, 13518) + (2918, 7512) with (2333, 6006)
    (10502, 27036) = (5251, 13518) + (5251, 13518) with (0, 0)
    (18671, 48066) = (10502, 27036) + (8169, 21030) with (2333, 6006)

More generally, a differential addition-subtraction chain is an addition-subtraction chain where each sum is already accompanied by a difference and each difference is already accompanied by a sum.
A typical example starts from (0, 0) (1, 0) (0, 1) (1, −1) and reaches (26967, 48215) via (1, 1) (1, 2) (2, 3) (3, 5) (4, 7) (5, 9) (9, 16) (14, 25) (19, 34) (33, 59) (38, 68) (66, 118) (71, 127) (61, 109) (132, 236) (203, 363) (264, 472) (325, 581) (528, 944) (731, 1307) (1259, 2251) (1787, 3195) (2518, 4502) (3249, 5809) (5036, 9004) (6823, 12199) (10072, 18008) (16895, 30207) (26967, 48215); here (61, 109) is computed as (66, 118) − (5, 9), with the sum (66, 118) + (5, 9) = (71, 127) already in the chain.

Notes on terminology

Let C be a differential addition chain that starts from 0, 1, and let C′ be the same addition chain without the initial 0. [10] calls C a “Lucas chain” if C strictly increases. A “STRONGCHAIN” program published online by Knuth refers to C′ as “a strong addition chain—aka a Lucas chain or a Chebyshev chain” if C strictly increases. [12] calls C′ a “Lucas chain” whether or not C increases. [8] calls C′ a “Lucas chain” (and any positive integer multiple of C′ a “Lucas prechain”) if C strictly increases. [11, Definition 3.1] calls C a “strong addition chain” whether or not it increases. [11, Definition 3.2] uses “Lucas chain” for any differential addition-subtraction chain that starts from 0, 1. [11, Definition 3.5] uses “vectorial Lucas chain” for any differential addition-subtraction chain that starts from (0, 0), (1, 0), (0, 1), (1, −1).

There are several reasons that I’m avoiding the “Lucas chain” terminology. I want to talk about addition chains and about addition-subtraction chains; “Lucas chains” allow subtractions in [11] but not in [10], [12], or [8]. Furthermore, many new readers will confuse “Lucas chains” with Lucas sequences, which are a quite different concept. Furthermore, I see no evidence that Lucas deserves any credit for the concept of a “Lucas chain.” Furthermore, the terminology gives no hint that a “Lucas chain” is an addition chain satisfying an extra condition.
“Strong addition chain” avoids this problem, but “differential addition chain” does a better job of helping the reader remember what the condition is.

2 What are the contributions of this paper?

The point of this paper is to present two new constructive upper bounds on the costs of two-dimensional differential addition-subtraction chains. Assume, for example, that m and n are 256-bit integers.

The new “binary” chain for (m, n) has the following features:

• It starts from (0, 0), (1, 0), (0, 1), and (1, −1).
• It has 768 additions (and no subtractions).
• For each addition of P and Q, the difference P − Q is either (0, 0) or (1, 0) or (0, 1) or (1, 1) or (1, −1).
• 256 of the additions are doublings, i.e., have difference (0, 0). The doublings appear in a uniform pattern: add, double, add; add, double, add; etc.

The new “extended-gcd” chain for (m, n) has the following features:

• It starts from (0, 0), (1, 0), (0, 1), and (1, −1).
• It has approximately 455.0 (standard deviation 5.9) additions/subtractions for an average coprime pair (m, n). This figure comes from experiments with 1000 pairs; the actual average is almost certainly in [454, 456].
• Out of the additions/subtractions, approximately 88.8 on average (standard deviation 10.5) are doublings.

The extended-gcd chain has several parameters that can be tweaked. Tweaking parameters can replace (455.0, 88.8) by (453.1, 77.5), for example.
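The definitions in Section 1 can be checked mechanically. The following Python checker is an added example, not code from the paper: it confirms that every new element is a sum whose difference (or, when subtractions are allowed, a difference whose sum) is already in the chain, and it is run on the addition-subtraction chain reaching (26967, 48215) quoted in Section 1. All function and variable names are this example's own.

```python
# Added example: checker for differential addition(-subtraction) chains.
# Elements are integer tuples, so 1-D and 2-D chains share one code path.
def vadd(p, q):
    return tuple(a + b for a, b in zip(p, q))

def vsub(p, q):
    return tuple(a - b for a, b in zip(p, q))

def justify(seen, target, allow_sub=False):
    """Return (op, P, Q, companion) deriving target from earlier elements, or None."""
    have = set(seen)
    for p in seen:                  # target = P + Q with P - Q already in the chain
        q = vsub(target, p)
        if q in have and vsub(p, q) in have:
            return ("add", p, q, vsub(p, q))
    if allow_sub:
        for p in seen:              # target = P - Q with P + Q already in the chain
            q = vsub(p, target)
            if q in have and vadd(p, q) in have:
                return ("sub", p, q, vadd(p, q))
    return None

def check_chain(start, rest, allow_sub=False):
    """Return (ok, steps); on failure the last entry is ("fail", element)."""
    seen, steps = list(start), []
    for target in rest:
        step = justify(seen, target, allow_sub)
        if step is None:
            return False, steps + [("fail", target)]
        steps.append(step)
        seen.append(target)
    return True, steps

def count_doublings(steps):
    """Doublings are additions whose difference is the zero vector."""
    return sum(1 for s in steps if s[0] == "add" and not any(s[3]))

START_2D = [(0, 0), (1, 0), (0, 1), (1, -1)]
# Addition-subtraction chain reaching (26967, 48215), copied from Section 1.
ADDSUB_CHAIN = [
    (1, 1), (1, 2), (2, 3), (3, 5), (4, 7), (5, 9), (9, 16), (14, 25),
    (19, 34), (33, 59), (38, 68), (66, 118), (71, 127), (61, 109),
    (132, 236), (203, 363), (264, 472), (325, 581), (528, 944), (731, 1307),
    (1259, 2251), (1787, 3195), (2518, 4502), (3249, 5809), (5036, 9004),
    (6823, 12199), (10072, 18008), (16895, 30207), (26967, 48215),
]

if __name__ == "__main__":
    ok, steps = check_chain(START_2D, ADDSUB_CHAIN, allow_sub=True)
    print(ok, len(steps), count_doublings(steps), [s for s in steps if s[0] == "sub"])
```

On that chain the checker accepts all 29 steps, 8 of them doublings, with (61, 109) as the only subtraction. With `allow_sub=False` the same chain is rejected at (61, 109), which is the distinction between a differential addition chain and a differential addition-subtraction chain.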