From 049f467871c217a485f34fa6a280313b0defb586 Mon Sep 17 00:00:00 2001
From: Peter Schwabe <peter@cryptojedi.org>
Date: Wed, 14 Aug 2019 23:24:38 +0200
Subject: [PATCH] Changes mainly to prelim.tex; started adding curves
 discussion

---
 intro.tex  |   4 +--
 prelim.tex | 103 ++++++++++++++++++++++++++++++++++++++++++-----------
 refs.bib   |   2 +-
 3 files changed, 86 insertions(+), 23 deletions(-)

diff --git a/intro.tex b/intro.tex
index 00a1901..5542bd3 100644
--- a/intro.tex
+++ b/intro.tex
@@ -186,9 +186,9 @@ curves.
   The most relevant related work for this paper can be grouped in two
   categories: papers presenting optimized implementations of Curve25519
   and papers estimating performance of complete group addition on WeierstraÃŸ curves.
-  XXX: Cite, briefly discuss.
+  \todo{Write this section}
 
-  XXX: Also mention line of work on even faster ECC arithmetic.
+  \todo{Also mention line of work on even faster ECC arithmetic.}
   
   \subheading{Availability of software.}
   We place all software related to this paper into the public domain
diff --git a/prelim.tex b/prelim.tex
index 25863c7..19831ba 100644
--- a/prelim.tex
+++ b/prelim.tex
@@ -2,16 +2,71 @@
 \label{sec:prelim}
 
 \subsection{WeierstraÃŸ, Montgomery, and twisted Edwards curves}
-XXX
+The typical way to introduce elliptic curves over a field with large characteristic $\F$ is
+through the \emph{short} WeierstraÃŸ equation
+$$
+E_W: y^2 = x^3 + ax + b,
+$$
+where $a,b \in \F$.
+As long as the discriminant $\delta = -16(4a^3 + 27b^2)$ is nonzero, this equation describes
+an elliptic curve and any elliptic curve over a field $\F$ with characteristic not equal to two or three
+can be described through such an equation. 
+For cryptography we typically choose a field of large prime order $p$; the relevant group
+in the cryptographic setup is the group of $\F_p$-rational points $E(\F_p)$.
+Whenever we talk about ``the order of an elliptic curve'' in this paper we 
+mean the order of this group.
+The typical way to use WeierstraÃŸ curves in cryptography is to pick curve
+parameter $a=-3$ for somewhat more efficient arithmetic, represent a point
+$P=(x,y)$ in Jacobian coordinates $(X:Y:Z)$ with $(x,y) = (X/Z^2, Y/Z^3)$.
+Point addition is using the formulas from~\cite[]{BL07} (improving on~\cite{}) 
+and uses $11\mathbf{M}+5\mathbf{S}+9\mathbf{a}$.
+Doubling also uses formulas from~\cite[]{BL07} (improving on~\cite{}) 
+and uses $3\mahtbf{M}+5\mathbf{S}+8\mathbf{a}$.
+Alternatively, one can use a ladder with differential additions, for
+example using the co-$Z$ approach from~\cite{}
+
+Scalar multiplication using a ladder is also what Montgomery proposed in~\cite{XXX}
+for a different class of elliptic curves, so-called \emph{Montgomery curves}.
+These are described through an equation of the form
+$$
+E_M: XXX
+$$
+
+The most common way to implement arithmt
+\todo{Write this section.}
 
 \subsection{Curve13318}
-Many factors may contribute to the general performance of scalar multiplication on an elliptic curve. In our research we have tried to produce a benchmark that is unaffected by irrelevant curve properties. For example, in the case of some of the traditional curves---like those from \cite{FIPS186-4,Brainpool,SEC2}---a performance penalty is expected from the use of large values for $a$ and $b$.
+The goal of this paper is to investigate the performance of complete addition and doubling
+on a WeierstraÃŸ curve and compare it to the performance of Curve25519.
+Many aspects contribute to the performance of elliptic-curve arithmetic and as we are
+mainly interested in the impact of formulas implementing the group law, we decided to
+choose a curve that is as similar to Curve25519 as possible, except that it is in WeierstraÃŸ
+form and has prime order. This means that in particular, we want a curve that
+\begin{itemize}
+  \item is defined over the field $\F_p$ with $p = 2^{255}-19$;
+  \item is twist secure (for a definition, see~\cite[Sec XXX]{XXX});
+  \item has curve parameter $a = -3$ to support common speedups of the group law;
+  \item has small curve parameter $b$;
+\end{itemize}
+
+It turns out that we were not the first to have the idea to look for a curve with
+precisely these properties. In 
 
-Therefore, we choose a (new) prime-order curve that---except for its struc\-ture---is similar to Bernstein's Curve25519. Aside from being able to make a good comparison, we can furthermore build on some of the optimizations that have been developed specifically
-for the field used in Curve25519. \cite{BS12,Cho16,DHH+15,FL15}.
-Our second priority is to choose properties that are ``straightforward'', i.e.\ properties that are often found in other standardized curves. In general,  we try to find an answer to the question: what would Curve25519 have looked like, had it been a prime-order curve?
+Many factors may contribute to the general performance of scalar multiplication on an elliptic curve. 
+In our research we have tried to produce a benchmark that is unaffected by irrelevant curve properties. For example, in the case of some of the traditional curves---like those from \cite{FIPS186-4,Brainpool,SEC2}---a performance penalty is expected from the use of large values for $a$ and $b$.
+\todo{check large values of $a$}
 
-The curve that we chose was proposed by P.~Barreto in May 2017~\cite{BarretoCurve}. The nameless curve is defined over $\mathds{F}_{2^{255}-19}$. It is described by equation~\ref{eq:curve13318} and a suitable generator is $G = (-7, 114)$.
+Therefore, we choose a (new) prime-order curve that---except for its struc\-ture---is similar to Bernstein's Curve25519. 
+Aside from being able to make a good comparison, we can furthermore build on some of the optimizations that have been developed specifically
+for the field used in Curve25519 \cite{BS12,Cho16,DHH+15,FL15}.
+Our second priority is to choose properties that are ``straightforward'', 
+i.e.\ properties that are often found in other standardized curves. 
+In general, we try to find an answer to the question: 
+what could ``Curve25519'' have looked like, had it been a prime-order curve?
+
+The curve that we chose was proposed by Barreto in May 2017~\cite{BarretoCurve}. 
+The curve is defined over $\mathds{F}_{2^{255}-19}$. 
+It is described by equation~\ref{eq:curve13318} and a suitable generator is $G = (-7, 114)$.
 \begin{equation}\label{eq:curve13318}
     E : y^2 = x^3 -3x + 13318
 \end{equation}
@@ -21,18 +76,27 @@ Its order is given by
 \begin{equation}
     N = \ell = 2^{255} + 325610659388873400306201440571661405155\texttt{.}
 \end{equation}
+In the following we will be calling this curve Curve13318,
+which at the same time points to the curve parameter $b$ and
+its intended similarities to Curve25519.
 
 % XXX(dsprenkels) Cannot choose a=0. Craig mentioned this to me once. It had
 %                 something to do with the fact that there would exist no
 %                 a=0 curve over GF(25519). I don't think we need to mention
 %                 this.
 \subheading{Choice of $a$.}
-Alternatively to choosing $a=-3$, we could choose $a=1$. The first reason we chose $a=-3$ instead is because---depending on the addition formulas that are used---it results in more efficient curve arithmetic~\cite{BJ03}.
+Alternatively to choosing $a=-3$, we could choose $a=1$. 
+The first reason we chose $a=-3$ instead is because---depending on the addition formulas that are used---it results in more efficient curve arithmetic~\cite{BJ03}.
 Indeed, the Renes-Costello-Batina complete addition formulas have a specialized case for $a=-3$~\cite[Section 3.2]{RCB16}.
-The second reason is that various cryptographic standards have adopted these kinds of curves~\cite{ETSI07,BSI12,FIPS186-4,Brainpool,SEC2}. Our results will apply to more commonly used curves if we mimic the standards.
+The second reason is that various cryptographic standards have adopted these kinds of curves~\cite{ETSI07,BSI12,FIPS186-4,Brainpool,SEC2}. 
+Our results will apply to more commonly used curves if we mimic the standards.
 
 \subheading{Twist security.}
-In the case an implementor uses formulas that do not depend on any of the constants $a$ and $b$, they could choose to omit checking whether the input point lies on the curve. To prevent invalid-curve attacks in this case, $E$'s twist ($E^d$) must also be of prime order. Then, the first valid value for $b$ is $13318$.
+In the case an implementor uses formulas that do not depend on any of the constants $a$ and $b$, 
+they could choose to omit checking whether the input point lies on the curve. 
+To prevent invalid curve attacks in this case, $E$'s twist ($E^d$) must also be of prime order. 
+Then, the first valid value for $b$ is $13318$.
+\todo{Comment on $x$-coordinate only.}
 
 \subheading{Point validation.}\label{sec:pointvalidation}
 All scalar-multiplication algorithms on Curve13318---or any short
@@ -40,8 +104,7 @@ WeierstraÃŸ curve for that matter---should implement appropriate
 point-validation routines. That is, they should check whether the input point
 lies on the curve, and that it is not the neutral element.
 Together, these checks prevent any invalid-curve and small-subgroup attacks.
-
-
+\todo{Update according to previous paragraph's update}
 
 \subsection{The Renes-Costello-Batina formulas}
 \label{sec:additionformulas}
@@ -67,7 +130,8 @@ The relevant complete formulas for (projective) point addition are
         &\quad +(X_1Y_2 + X_2Y_1)(3X_1X_2 - 3Z_1Z_2)\text{.}
 \end{align*}
 
-In their paper, the formula for addition is implemented using 43 distinct operations, of which $12\mathbf{M} + 2\mathbf{m_b} + 29\mathbf{a}$.
+In~\cite{RCB16}, the formula for addition is implemented through 43 distinct operations, 
+specifically $12\mathbf{M} + 2\mathbf{m_b} + 29\mathbf{a}$.
 The algorithm used to compute the addition (\Add{}) is listed in \Cref{alg:add}.
 
 \begin{algorithm}[h]
@@ -136,8 +200,8 @@ Correspondingly, the complete formulas for doubling are
         &\quad  + 3(3X^2 - 3Z^2)(2bXZ - X^2 - 3Z^2)\text{,} \\
     Z_3 &= 8Y^3Z\text{.}
 \end{align*}
-
-The cost of the doubling formulas is $8\mathbf{M} + 3\mathbf{S} + 2\mathbf{m_b} + 21\mathbf{a}$. The algorithm for doubling (\Double{}) is listed in~\Cref{alg:double}.
+The cost of the doubling formulas is $8\mathbf{M} + 3\mathbf{S} + 2\mathbf{m_b} + 21\mathbf{a}$. 
+The algorithm for doubling (\Double{}) is listed in~\Cref{alg:double}.
 
 \begin{algorithm}[h]
 \caption{Renes-Costello-Batina formula for $a=-3$. Used for exception-free doubling on Curve13318.}\label{alg:double}
@@ -192,9 +256,8 @@ The cost of the doubling formulas is $8\mathbf{M} + 3\mathbf{S} + 2\mathbf{m_b}
 \end{algorithmic}
 \end{algorithm}
 
-We can try to reduce the cost of the doubling algorithm by erasing (some of) the multiplications $v_{1}$, $v_{4}$, $v_{6}$, $v_{28}$, using the rule that $2\alpha\beta = (\alpha + \beta)^2 - \alpha^2 - \beta^2$.
-By applying this rule, we trade $1\mathbf{M} + 1\mathbf{a}$ for $1\mathbf{S} + 3\mathbf{a}$. Only on the \emph{Haswell} platform (\Cref{sec:haswell}), we found that the relative costs of $\mathbf{M}$, $\mathbf{S}$, and $\mathbf{a}$ were favorable, such that the substitution results in a faster algorithm.
-
-In the next sections, these algorithms will form the basis for the implementations of the \textsc{Double} and \textsc{Add}-routines in our scalar-multiplication algorithm. We apply more smaller optimizations when the platform allows for it.
-
-
+We can reduce the cost of the doubling algorithm by erasing (some of) the multiplications $v_{1}$, $v_{4}$, $v_{6}$, $v_{28}$, 
+using the rule that $2\alpha\beta = (\alpha + \beta)^2 - \alpha^2 - \beta^2$.
+By applying this rule, we trade $1\mathbf{M} + 1\mathbf{a}$ for $1\mathbf{S} + 3\mathbf{a}$. 
+As we will describe in Section~\ref{sec:implementation},
+this trick is beneficial only on the \emph{Haswell} platform, 
diff --git a/refs.bib b/refs.bib
index 5d266af..9e3d072 100644
--- a/refs.bib
+++ b/refs.bib
@@ -447,4 +447,4 @@
   year          = 2003,
   pages         = {43--50},
   note          = {\url{http://joye.site88.net/papers/BJ03isog.pdf}},
-}
\ No newline at end of file
+}
-- 
GitLab