Montgomery ladder
Montgomery curves and the Montgomery ladder
https://eprint.iacr.org/2017/293.pdf
The Montgomery ladder (applicable only to Edwards and Montgomery curves) is faster than standard weierstrass point multiplication methods.
constatnt-time, while the standard wierstrass point multipilication methods are not.
ed25519でのmulにおけるmontgomery ladderが、last bytesの1st and 2nd highest bitsの固定を生じさせている。
これらのbitsにおけるsecret key探索アルゴリズムがtiming leakに繋がってしまうので。
https://gyazo.com/a62f6b8d32b686ff42c4f70d179a7fc3
refs
https://crypto.stackexchange.com/questions/26329/what-are-the-differences-between-the-elliptic-curve-equations
https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication#Montgomery_ladder
#Cryptography