From 19982508bb490f366ce26c71c11391abcbf40e19 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Tue, 10 May 2016 20:12:53 -0400 Subject: Update ECDSA description in README.md -- the point multiplication algorithm hasn't been a Montgomery Ladder for a long time, if indeed it ever was. --- README.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 71fc0a0..d4a387e 100644 --- a/README.md +++ b/README.md 
@@ -80,18 +80,19 @@ The current point addition and point doubling algorithms come from the [EFD][]. At least at the moment, we're only interested in ECDSA with the NIST prime curves, so we use algorithms optimized for a=-3. -The point multiplication algorithm is a Montgomery Ladder, which is -not the fastest possible algorithm, but is relatively easy to confirm -by inspection as constant-time. Point multiplication could probably -be made faster by using a non-adjacent form (NAF) representation for -the scalar, but the author doesn't yet understand that well enough to +The point multiplication algorithm is a straightforward square and add +loop, which is not the fastest possible algorithm, but is relatively +easy to confirm by inspection as being constant-time within the limits +imposed by the NIST curves. Point multiplication could probably be +made faster by using a non-adjacent form (NAF) representation for the +scalar, but the author doesn't yet understand that well enough to implement it as a constant-time algorithm. In theory, changing to a NAF representation could be done without any change to the public API. Points stored in keys and curve parameters are in affine format, but -all point arithmetic is performed in Jacobian projective coordinates, -with the coordinates in Montgomery form; final mapping back to affine -coordinates also handles the final Montgomery reduction. +point arithmetic is performed in Jacobian projective coordinates, with +the coordinates themselves in Montgomery form; final mapping back to +affine coordinates also handles the final Montgomery reduction. ## API ## -- cgit v1.2.3
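Review bot: The new wording "a straightforward square and add loop" uses the wrong name for the operation: for elliptic-curve scalar multiplication the standard term is "double and add" (square-and-multiply is the modular-exponentiation analogue), and the surrounding README text already speaks of "point doubling" algorithms from the EFD. Suggest "The point multiplication algorithm is a straightforward double and add loop, ...". Also, "constant-time within the limits imposed by the NIST curves" is too vague for a claim the reader is told they can confirm "by inspection": a plain double-and-add loop is only constant-time if the point addition is executed on every iteration regardless of the scalar bit and the result is selected without a data-dependent branch, so the sentence should say that this is what the loop does, and spell out which limit the NIST curves impose (for instance a fixed scalar length set by the curve order).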