4

I'm working with the affine representations of points of the Secp256k1 elliptic curve (from Bitcoin).

I've read many papers that show that some functions, like $f(P)=3P$, can be computed faster than the standard way. Other papers say that with some pre-computation, the field inversion can be amortized if $F^1(P) ... F^k(P)$ must be computed.

I need the fastest function $F(P)$ that, when applied to the last result iteratively, generates a sequence of points whose average period is large (I don't need any proof, it can be just large in practice). To be fast I suppose it should be computed without field inversions. I don't mind pre-computing some values.

For example, it could be $F(P) = 1.5P+4Q$ for a fixed $Q$. It doesn't matter which function it is, because I need it to generate random points on the curve. The probability distribution doesn't matter either. (Notation: $1.5P$ is the point halving of $3P$.)

Motivation: Solutions to this problem may be helpful for generating vanity addresses.

D.W.
  • 36,982
  • 13
  • 107
  • 196
Richard
  • 41
  • 2

2 Answers

4

Depending on what you actually want to do, it might be possible to speed this up using a batch inversion, instead of inverting each denominator individually.

  1. Use some form of extended coordinates
  2. Compute a few hundred new points in extended coordinates, with known relation to the original point.
  3. Multiply all denominators together and invert it.
  4. Use multiplications of the combined denominator with the existing denominators to compute the individual denominators.

AFAIK steps 3+4 have a cost of 3 field multiplications per point, which is much cheaper than the 200-ish multiplications required for an inversion.

One way to implement steps 2 and 3 is:

Given the denominators $z_1 ... z_n$:

  • Define $r_i = \prod_{j=i+1}^n z_j$, computed iteratively as $r_n=1$, $r_i=r_{i+1} \cdot z_{i+1}$ for $i=n ... 0$, and store it in an array.

  • Compute $r_0^{-1}$ using a field inversion.

  • Define $l_i = r_0^{-1} \cdot \prod_{j=1}^{i-1} z_j$ and compute it iteratively as $l_0= r_0^{-1}$ and then $l_i = l_{i-1}\cdot z_{i-1}$.

  • $z_i^{-1}=l_i \cdot r_i$. Given $z_i^{-1}$, the affine coordinate can be obtained by multiplying it with the numerator.

Why does this work?

$$
\begin{aligned}
z_i^{-1} &= \Big(\prod_{j=1}^n z_j\Big) \cdot \Big(\prod_{j=1}^n z_j\Big)^{-1} \cdot z_i^{-1} \\
&= \Big(\prod_{j=1}^{i-1} z_j \cdot z_i \cdot \prod_{j=i+1}^n z_j\Big) \cdot \Big(\prod_{j=1}^n z_j\Big)^{-1} \cdot z_i^{-1} \\
&= \Big(\Big(\prod_{j=1}^n z_j\Big)^{-1} \cdot \prod_{j=1}^{i-1} z_j\Big) \cdot \prod_{j=i+1}^n z_j \\
&= l_i \cdot r_i
\end{aligned}
$$

CodesInChaos
  • 25,121
  • 2
  • 90
  • 129
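As an added worked example (my code, not CodesInChaos's), here are the four steps of the answer applied to secp256k1: a run of points $G, 2G, \dots, nG$ is produced in Jacobian coordinates by inversion-free mixed additions (step 2), then all $Z$ coordinates are inverted at once with the $l_i \cdot r_i$ scheme above (steps 3 and 4) and the affine coordinates are recovered as $x = X/Z^2$, $y = Y/Z^3$. The curve constants are the real secp256k1 ones; the function names and the choice of Jacobian coordinates are my own. Note the assumption that no $Z$ is zero (no point at infinity in the batch), since a zero factor would poison the combined product.

```python
# Added example: batch inversion (one field inversion for a whole run of points)
# on secp256k1. Real curve constants; helper names are this example's own.

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
INF = (0, 1, 0)  # point at infinity in Jacobian coordinates (Z = 0)


def inv(a):
    """The single field inversion (Fermat), the ~200-multiplication step."""
    return pow(a, P - 2, P)


def batch_inverse(zs):
    """Invert every element of zs with one inversion and 3 multiplications each.
    suffix[i+1] plays the answer's r_i (product of all z_j after z_i); in the
    forward pass l holds l_i = T^{-1} * z_0 * ... * z_{i-1}.  Assumes no z is 0."""
    n = len(zs)
    suffix = [1] * (n + 1)
    for i in range(n - 1, -1, -1):
        suffix[i] = zs[i] * suffix[i + 1] % P   # 1 multiplication per element
    l = inv(suffix[0])                           # the only inversion: T^{-1}
    out = [0] * n
    for i in range(n):
        out[i] = l * suffix[i + 1] % P           # z_i^{-1} = l_i * r_i
        l = l * zs[i] % P                        # advance l_i -> l_{i+1}
    return out


def jac_double(pt):
    """Jacobian doubling; a = 0 on secp256k1 so there is no a*Z^4 term."""
    X1, Y1, Z1 = pt
    if Z1 == 0 or Y1 == 0:
        return INF
    S = 4 * X1 * Y1 * Y1 % P
    M = 3 * X1 * X1 % P
    X3 = (M * M - 2 * S) % P
    Y3 = (M * (S - X3) - 8 * pow(Y1, 4, P)) % P
    Z3 = 2 * Y1 * Z1 % P
    return (X3, Y3, Z3)


def jac_add_affine(pt, x2, y2):
    """Mixed addition (Jacobian + affine), no inversion needed."""
    X1, Y1, Z1 = pt
    if Z1 == 0:
        return (x2, y2, 1)
    Z1Z1 = Z1 * Z1 % P
    U2 = x2 * Z1Z1 % P
    S2 = y2 * Z1 * Z1Z1 % P
    H = (U2 - X1) % P
    R = (S2 - Y1) % P
    if H == 0:
        return jac_double(pt) if R == 0 else INF
    HH = H * H % P
    HHH = H * HH % P
    X3 = (R * R - HHH - 2 * X1 * HH) % P
    Y3 = (R * (X1 * HH - X3) - Y1 * HHH) % P
    Z3 = H * Z1 % P
    return (X3, Y3, Z3)


def multiples_of_g(n):
    """Step 2: G, 2G, ..., nG in Jacobian coordinates, all inversion-free."""
    pts = [(GX, GY, 1)]
    for _ in range(n - 1):
        pts.append(jac_add_affine(pts[-1], GX, GY))
    return pts


def to_affine_batch(pts):
    """Steps 3 and 4: one inversion for all Z's, then x = X/Z^2, y = Y/Z^3."""
    zinv = batch_inverse([Z for _, _, Z in pts])
    out = []
    for (X, Y, _), zi in zip(pts, zinv):
        zi2 = zi * zi % P
        out.append((X * zi2 % P, Y * zi2 * zi % P))
    return out


def on_curve(x, y):
    return (y * y - x * x * x - 7) % P == 0


if __name__ == "__main__":
    affine = to_affine_batch(multiples_of_g(300))
    assert all(on_curve(x, y) for x, y in affine)
    print("300 multiples of G converted to affine with a single inversion")
```

The on-curve check at the end is the cheap sanity test worth keeping in real code: a wrong $Z^{-1}$ anywhere in the batch corrupts that point's affine coordinates, and $y^2 = x^3 + 7$ catches it immediately.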
3

With your curve, you can use the Gallant-Lambert-Vanstone (GLV) method to answer your question. Indeed, the equation of your curve is: $$y^2=x^3+7.$$ Since $p$ is congruent to $1$ modulo $3$, there are cube roots of unity modulo $p$. Let: $$j=55594575648329892869085402983802832744385952214688224221778511981742606582254 \pmod{p}.$$ You can check that $j^3\equiv 1\pmod{p}$. The complex multiplication by $j$ sends $P=(X_P,Y_P)$ to $P'=(jX_P,Y_P)$.

Moreover, $P'=J\cdot P,$ where $$J=37718080363155996902926221483475020450927657555482586988616620542887997980018.$$

Finally, multiplication by $J-1$ can be performed efficiently (one application of complex multiplication and one addition) and has high order. Don't use $J+1$: it has order $6$.

EDIT: $J^3$ is $1$ modulo the order of the curve, while $j^3$ is $1$ mod $p$.

This endomorphism of the curve is the projection of the complex multiplication of the curve $y^2=x^3+7$ over the rationals to the curve reduced mod $p$. This is why it is usually called the complex multiplication.

All in all, this gives a reasonably fast way to generate random looking multiples of $P$.

The full GLV method is much more than that since it speeds up multiplication by an arbitrary constant compared to regular double and add, but its basic idea relies on having an endomorphism that can be computed quickly.

minar
  • 2,282
  • 15
  • 26
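As an added worked example (my code, not minar's), the following checks the claims of this answer on secp256k1 and implements the proposed iteration $F(P) = (J-1)P = \varphi(P) - P$, where $\varphi(P) = (jX_P, Y_P)$ is the endomorphism: one multiplication by $j$ in the field plus one point addition per step, no scalar multiplication at all. The values of $j$ and $J$ are the ones given in the answer, $p$, the group order $n$ and the base point are the standard secp256k1 constants; the plain affine point arithmetic and the helper names are my own.

```python
# Added example: the GLV endomorphism phi(P) = (j*x, y) on secp256k1 and the
# iteration F(P) = phi(P) - P = (J-1)P.  j and J are taken from the answer,
# the other constants are the standard secp256k1 parameters.

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # curve order
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)

# j: cube root of unity mod p, J: cube root of unity mod n (from the answer)
J_FIELD = 55594575648329892869085402983802832744385952214688224221778511981742606582254
J_SCALAR = 37718080363155996902926221483475020450927657555482586988616620542887997980018


def add(p1, p2):
    """Affine point addition, None is the point at infinity (one inversion)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def mul(k, pt):
    """Plain double-and-add, used only as the reference for the checks."""
    res = None
    k %= N
    while k:
        if k & 1:
            res = add(res, pt)
        pt = add(pt, pt)
        k >>= 1
    return res


def endo(pt):
    """The complex multiplication: (x, y) -> (j*x, y), one field multiplication."""
    x, y = pt
    return (J_FIELD * x % P, y)


def step(pt):
    """F(P) = (J-1)P computed as phi(P) - P: one endomorphism, one addition."""
    return add(endo(pt), neg(pt))


def iterate(pt, k):
    """Apply F k times; the k-th result equals (J-1)^k * P."""
    for _ in range(k):
        pt = step(pt)
    return pt


def small_order(a, bound):
    """Smallest e <= bound with a^e = 1 mod n, or None if there is none.
    Used to confirm J+1 has order 6 while J-1 has no small order."""
    acc = 1
    for e in range(1, bound + 1):
        acc = acc * a % N
        if acc == 1:
            return e
    return None


if __name__ == "__main__":
    assert pow(J_FIELD, 3, P) == 1 and pow(J_SCALAR, 3, N) == 1
    assert endo(G) == mul(J_SCALAR, G)
    print("order of J+1 mod n:", small_order(J_SCALAR + 1, 1000))
    print("order of J-1 mod n within 1000:", small_order(J_SCALAR - 1, 1000))
```

The `endo(G) == mul(J_SCALAR, G)` check is the one that matters in practice: the curve has two non-trivial cube roots of unity in the field and two modulo the group order, and only the matching pair gives $\varphi(P) = J \cdot P$ rather than $J^2 \cdot P$.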