
Fast Multiplication with Slow Additions - loup-vaillant
http://loup-vaillant.fr/tutorials/fast-scalarmult
======
zimmerfrei
There should be some warning note right at the top, given the topic is presented
mainly for cryptographic purposes.

There is a huge body of quite diverse side channel attacks against all of
these "fast" techniques for scalar multiplication, and the article is too
weakly making references to pitfalls for each approach and the importance of
constant time logic (also, no mention of masking techniques! Though those are
routinely overlooked by way too many speed-obsessed practitioners).

~~~
loup-vaillant
I confess I'm quite tired of having to litter every article that might be
about cryptography with the standard warnings. I might as well warn readers
not to use this knowledge at all, because they shouldn't implement their own
crypto to begin with (even though I did).

This is an advanced topic. If the reader is in a position to use such
knowledge, I felt I could safely assume they would know when it is safe not to
be constant time. (For instance, signature verification doesn't process
secrets, and can be variable time.)

> _also, no mention of masking techniques!_

Out of scope. Those are hidden behind magical constant time routines.

~~~
zimmerfrei
>> also, no mention of masking techniques!

> Out of scope. Those are hidden behind magical constant time routines.

How is that? Side-channel resistance is largely a matter of reducing the
Signal-to-Noise ratio for traces an attacker can leverage to extract secrets.
A constant-time logic reduces the Signal; a masking logic increases the
noise. The two are largely independent and at times at odds. For instance,
recent fast curves (like DJB's) are good because they can be easily
implemented in constant time in software (as far as we know) but they are
actually much harder to mask (in software or hardware).

~~~
loup-vaillant
Oh, I thought you were talking about the bit twiddling required to implement
constant time lookup and constant time branching.

> _Side-channel resistance is largely a matter of reducing the Signal-to-Noise
> ratio for traces an attacker can leverage to extract secrets._

Who cares about resistance when you can have immunity? Constant time crypto
leaks _zero_ signal through timings, who needs any noise to mask that utter
absence of signal?

Unless maybe you were thinking about other side channels, such as energy
consumption, or electromagnetic emissions? I'd agree those are worth pursuing
for smart cards and dongles, but on regular computers (from palmtops to
servers), the threat is mostly academic.

------
evancox100
The "non-adjacent form" optimization appears to just be radix-8 booth
recoding, no?

~~~
loup-vaillant
_< looks up what the heck is "booth recoding"…>_

I think they're different. In booth recoding, the windows are _fixed_, and
non-adjacent form is a special case of _sliding_ windows (2-bit wide). I don't
think booth recoding does minimise the number of non-zero digits. That said,
it does seem to produce similar results in some cases:

    01111111 100  (binary)
    10000000-100  (NAF)

    -- radix-4 Booth recoding
    01111111100
             000 -> 00
           110   -> 0-1
         111     -> 00
       111       -> 00
     111         -> 00
   001           -> 01
   010000000-100  (same as NAF)

But I think it's just a coincidence, here.
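An added example (not from the article or from either commenter) that computes both recodings for the 1020 case worked above, and for an input where the two differ, so the "coincidence" can be checked by hand. The digit lists are LSB-first; `booth` takes the window width k as a parameter, so the radix-8 variant the question mentions is `booth(n, 3)`.

```python
# Added example: NAF vs. fixed-window Booth recoding, LSB-first digit lists.

def naf(n):
    """Non-adjacent form of n >= 0: digits in {-1, 0, 1}, no two adjacent
    non-zero digits.  Sliding 2-bit window: an odd n takes d in {1, -1}
    with n - d divisible by 4, so the next digit is always 0."""
    digits = []
    while n > 0:
        d = 2 - (n & 3) if n & 1 else 0   # n%4==1 -> 1, n%4==3 -> -1
        n = (n - d) >> 1
        digits.append(d)
    return digits

def booth(n, k=2):
    """Radix-2^k Booth recoding of n >= 0 (k=2 radix-4, k=3 radix-8).
    Digit i reads the fixed window b[k*i-1 .. k*i+k-1] (with b[-1] = 0)
    and lies in [-2^(k-1), 2^(k-1)]; sum(d_i * 2^(k*i)) == n."""
    bit = lambda j: (n >> j) & 1 if j >= 0 else 0
    ndigits = (n.bit_length() + k) // k   # room for the top carry digit
    digits = []
    for i in range(ndigits):
        d = -(1 << (k - 1)) * bit(k * i + k - 1) + bit(k * i - 1)
        d += sum(bit(k * i + j) << j for j in range(k - 1))
        digits.append(d)
    return digits

def booth4_to_signed_binary(digits):
    """Spell radix-4 Booth digits as signed-binary pairs (low, high)."""
    pairs = {0: (0, 0), 1: (1, 0), -1: (-1, 0), 2: (0, 1), -2: (0, -1)}
    return [b for d in digits for b in pairs[d]]

def value(digits, radix):
    return sum(d * radix ** i for i, d in enumerate(digits))

def weight(digits):
    """Non-zero digits: the point additions a double-and-add would do."""
    return sum(1 for d in digits if d)

def nonadjacent(digits):
    return all(not (a and b) for a, b in zip(digits, digits[1:]))

def show(digits):
    """MSB-first string in the thread's notation ('-1' is one digit)."""
    return "".join(str(d) for d in reversed(digits)).lstrip("0") or "0"

if __name__ == "__main__":
    n = 0b01111111100                                # 1020, as in the thread
    print(show(naf(n)), show(booth4_to_signed_binary(booth(n))))   # both 10000000-100
    print(show(naf(10)), show(booth4_to_signed_binary(booth(10)))) # 1010 vs 10-1-10
```

For 10 the radix-4 Booth form has three non-zero digits and two of them adjacent, while the NAF has two, which is the general difference between a fixed and a sliding window.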

~~~
detaro
semi-OT: big thumbs up for your Poly1305 "tutorial", clearest explanation of
it I've seen yet.

