Join Log in
Score:3
avatar Crypto

Strauss-Shamir trick on EC multiplication by scalar

cn flag
carce-bo

I'm studying ECDSA, and almost all somewhat detailed articles talk about using Strauss-Shamir trick on the verification step.
Then I searched, and found this explanation (more like a stating) for the algorithm, and then this other pdf (page 7) that explains it a bit more in detail. But none of them provide an explanation why it works.
I would like to have some sort of demonstration or example of it step by step ? Anyhting that goes from a Shamir-Straus for dummies to a formal demonstration or a reference to any works for me, math should not be a problem.

117
0 + 0
dsa
fgrieu avatar
ng flag
fgrieu
Do you understand the basic Shamir trick as usable in (non-EC) DSA to compute $g^u\,y^v\bmod p$ significantly faster than by the obvious $(g^u\bmod p)\,(y^v\bmod p)\bmod p$? It would be usable in ECDSA too. I think the Strauss-Shamir trick is an extension. I'm not familiar with it.
0
Reply
cn flag
carce-bo
I am afraid I haven't heard about it.
1
Reply
fgrieu avatar
ng flag
fgrieu
Ah, I think that Shamir trick is a useful step. Before this: do you understand modular exponentiation by square and multiply with scanning of exponent starting from most significant bit? E.g. that one can compute $g^{21}\bmod p$ with 4 modular squaring and 2 modular multiplications, with intermediary steps $g^2\bmod p$, $g^4\bmod p$, $g^5\bmod p$, $g^{10}\bmod p$, $g^{20}\bmod p$, and finally $g^{21}\bmod p$ ?
0
Reply
cn flag
carce-bo
I have been taking a look at [this question](https://math.stackexchange.com/questions/119374/modular-exponentiation-by-repeated-squaring) to understand what you said, and I have come to the conclusion I kind of get the idea behind it. $ g^{21} = g^{(10101)_2} = g^{16}*g^{4}*g $, and so you need only to compute $ g^{20} $ by computing the least multiplications of the lowest powers possible to get the result. (I do still not understand Shamir-Strauss trick on EC multiplication by scalar, though).
0
Reply
cn flag
carce-bo
But understanding what you suggested sure has given me some intel to try and understand the stated references more deeply, thank you !
0
Reply
pe flag
Samuel Neves
[Bernstein's survey](https://cr.yp.to/papers/pippenger-20020118-retypeset20220327.pdf) on exponentiation methods includes [Straus's](https://www.jstor.org/stable/2310929) method on Section 3.
1
Reply
Score:3
fgrieu avatar Crypto
ng flag
fgrieu

I'll describe the standard Shamir trick adapted to the context of ECDSA signature verification. Dropping some indices, the computationally expensive part of it is computing $$u\cdot G+v\cdot Q$$ where $u$ and $v$ are (we assume, strictly positive) integers, $G$ and $Q$ are Elliptic Curve points, and $+$ is point addition (which for simplification I consider a black box, which execution dominates the computational cost). Recall that by definition, $$u\cdot G=\underbrace{G+G+\ldots+G+G}_{u\text{ terms}}$$

Well note $\mathbin\|u\mathbin\|$ for the number of bits in integer $u$, that is $\left\lfloor\log_2(u)+1\right\rfloor$; same for $\mathbin\|v\mathbin\|$.

A common way of computing $u\cdot G$ is to

  • set $R:=G$
  • for bit $b$ copied from the binary representation of $u$, starting at index $\mathbin\|u\mathbin\|-1$ (the first bit on the right of the leftmost $1$ bit) down to $0$ (the rightmost bit)
    • set $R:=R+R$
    • if $b=1$, set $R:=R+G$

The basic way to compute $u\cdot G+v\cdot Q$ would be to compute $u\cdot G$, then $v\cdot Q$ by the same method, then add the two results. Shamir's trick improves on that:

  • set $H:=G+Q$
  • if $\mathbin\|u\mathbin\|>\mathbin\|v\mathbin\|$, set $R:=G$;
  • else if $\mathbin\|u\mathbin\|<\mathbin\|v\mathbin\|$, set $R:=Q$;
  • else (that is if $\mathbin\|u\mathbin\|=\mathbin\|v\mathbin\|$ ), set $R:=H$;
  • for bit $b$ (resp. $c$) copied from the binary representation of $u$ (resp. $v$), with the representations of $u$ or $v$ left-padded with zeroes as necessary, at index from $\max(\mathbin\|u\mathbin\|,\mathbin\|v\mathbin\|)-1$ down to $0$
    • set $R:=R+R$
    • if $b=1$ and $c=0$, set $R:=R+G$
    • (else) if $b=0$ and $c=1$, set $R:=R+Q$
    • (else) if $b=1$ and $c=1$, set $R:=R+H$

This statement is nearly equivalent to the one given in this answer under the name Strauss-Shamir trick (when I know the trick as Shamir's). The variant I give avoids the need to know the group neutral, but requires $\max(u,v)>0$.

Correctness of standard point multiplication and Shamir's trick can be formally proven by induction.

For large random $u$ and $v$ of $k$ bits, the naive algorithm to compute $u\cdot G+v\cdot Q$ performs on average $\approx3k$ point additions, Shamir's trick reduces that to $\approx1.75k$, like 42% less (the cost benefit is lower, in large part because point doubling $R:=R+R$ is the fastest kind of point addition, and the one which gets most diminished). There are further improvements possible, e.g. grouping bits by two or slightly more, perhaps with "sliding window" when $b=0=c$.

Notice that in the context of signature verification, $u$, $v$, $G$ and $Q$ all are public, thus side channels (timing, power draw, emission, caches…) are not a security issue, as they are in signature generation.

I don't know the Strauss-Shamir trick of the question's other reference, but vaguely suspect that it further improves on this by sometime performing subtraction instead of addition, and/or is more compatible with a speedup technique for point addition.

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.