Score:2

Crypto

What is the equation to get P-Q in Montgomery curve XZ coordinates

Cisco Saeed

3/1/24, 8:25 PM

Based on Differentia-addition on P I can understand (Xp,Zp) which is the base point, (Xq,Zq) which comes from Doubling, but I don't know what is the equation used to get P-Q to get X-,Z-.

So for example if I have P1(8,3,1) so it means (X⊖,Z⊖) = (8,1) and the value of (Xq,Zq) is from doubling? what about (Xp,Zp)?

1 + 2

elliptic-curves

elliptic-curve-generation

montgomery-multiplication

poncho

3/2/24, 6:43 PM

Does the text I added to the question address your concern? Or, are you looking to use differential addition in a context other than the Montgomery Ladder?

Cisco Saeed

3/3/24, 2:32 PM

Actually I am looking for deferential Addition in Montgomery curve https://www.hyperelliptic.org/EFD/g1p/auto-montgom-xz.html

Score:2

Crypto

poncho

3/1/24, 10:03 PM

I don't know what is the equation used to get P-Q to get X-,Z-.

Actually, if you're using the Montgomery Ladder algorithm, it's the base point we're multiplying.

At each step of the iteration, we have the points $P, P+G, G$ (where $P = zG$, where $z$ is the part of the multiplier we've already entered), and depending on whether the next bit in the multiplier is a 1, we want (if it is a 0) $2P, 2P+G, G$ or (if it is a 1) $2P+G, 2P+2G, G$.

So, the first step is to take $(X_P, Z_P) = P+G$, and $(X_Q, Z_Q) = P$, and $(X_\ominus, Z_\ominus ) = G$; it is easy to see that the precondition $(X_P, Z_P) - (X_Q, Z_Q) = (X_\ominus, Z_\ominus )$ holds; the addition algorithm then gives us $(X_\oplus, Z_\oplus ) = (X_P, Z_P) + (X_Q, Z_Q) = 2P+G$. And, all we need to do is compute either $2P$ or $2P+2G$ - either case is just a doubling of a value we already have.

And, to start the process, we start with $P=0$ (hence our triple is $(0, G, G)$, which fulfills the precondition, and then we can start by shifting the multiplier bits in, in msb to lsb order...

Hence, in this application, $X_\ominus, Z_\ominus )$ is always $G$ (the base point we are multiplying by).

+ 11

Cisco Saeed

3/2/24, 4:45 AM

Actually I am using Montgomery curve differential addition and want to know what is the equation used to get the value of (X⊖,Z⊖) ?

poncho

3/2/24, 1:25 PM

@CiscoSaeed: so, you have $(X_\oplus, Z_\oplus)$, and want to know how to get $(X_\ominus, Z_\ominus)$?

Cisco Saeed

3/2/24, 1:54 PM

the issue is how to get (X⊖,Z⊖) to use it in equation without calculation (X⊕,Z⊕)

poncho

3/2/24, 2:05 PM

@CiscoSaeed: If you're just given $(X_P, Z_P), (X_Q, Z_Q)$, you can't. The representation of the points $P, Q$ are missing the $y$ coordinates, that is, the sign information, and so there's nothing distinguishing $P-Q$ from $P+Q$, that is $(X_\ominus, Z_\ominus)$ from $(X_\oplus, Z_\oplus)$. While you could devise a procedure to compute both, there would be no way to know which is which.

Cisco Saeed

3/2/24, 2:55 PM

But i don't understand as in paper to use it incase to reduce multiplication so if i used addition so what is the difference? And what is the addition equation?

poncho

3/2/24, 3:00 PM

@CiscoSaeed: I'm sorry, but I cannot parse your question. Might I ask what application you intend to use differential addition for?

Cisco Saeed

3/2/24, 4:07 PM

I am trying to apply this https://www.hyperelliptic.org/EFD/g1p/auto-montgom-xz.html to see how does it work? I don't understand How to use (X⊖,Z⊖) without addition!

Cisco Saeed

3/2/24, 5:41 PM

I edited the question to make it easy to parse the question.

Cisco Saeed

3/2/24, 7:07 PM

so based on your solution edited, the (XP,ZP) is (0,0) and (XQ,ZQ) is (8,1) and (X⊖,Z⊖) is (8,1) if I considered the G point is (8,3,1)?

poncho

3/2/24, 7:15 PM

@CiscoSaeed: well, yes, at least, for the initial iteration of the Montgomery ladder

Cisco Saeed

3/3/24, 7:03 AM

thanks, but I need to understand if I want to double then do add so doubled `P(8,3,1)` then get `(6,3)` then if I want to do addition then the values will be like this order (XP,ZP) is (6,3) and (XQ,ZQ) is (8,1) and (X⊖,Z⊖) is (8,1) ?

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: What is the equation to get P-Q in Montgomery curve XZ coordinates

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.