GLV Multiplication

This note explains the scalar decomposition step on the efficient EC multiplication algorithm proposed in this article.

Some implementations of the algorithm:

Python implementation
Go implementation
Rust implementation
In-circuit implementation in halo2wrong PR

Here is a good explanation of the whole algorithm along with an implementation: bitcoin secp impl.

Scalar decomposition

The following homomorphism is defined:

\begin{aligned} f : Z \times Z & \to F_{n} \\ (i, j) & \mapsto i + λ j \end{aligned}

where

λ

is the endoscalar of the curve.

The problem of decomposing a given scalar

k \in F_{n}

consists of finding a pair

(k_{1}, k_{2}) \in Z \times Z

s.t.

f (k_{1}, k_{2}) = k

. The key of the problem is to find the shortest vector possible that satisfies this relation.

First we precompute 2 vectors

γ, β

such that

f (γ) = f (β) = 0

.
The problem now turns into finding a vector

v

in the lattice generated by

[β, γ]

that is close to

(k, 0)

. With such vector

v

we easily compute

(k_{1}, k_{2}) := (k, 0) - v

which is short, (

\leq max (‖ β ‖, ‖ γ ‖)

) and satisfies our fist condition, since

f ((k_{1}, k_{2})) = f ((k, 0)) - f (v) = k

Let

v := t_{1} \cdot β + t_{2} \cdot γ

.
We solve the system

(\begin{matrix} β_{1} & γ_{1} \\ β_{2} & γ_{2} \end{matrix}) (\begin{matrix} t_{1} \\ t_{2} \end{matrix}) = (\begin{matrix} k \\ 0 \end{matrix})

(\begin{matrix} t_{1} \\ t_{2} \end{matrix}) = \frac{1}{d} (\begin{matrix} γ_{2} & - γ_{1} \\ - β_{2} & β_{1} \end{matrix}) (\begin{matrix} k \\ 0 \end{matrix})

where

d

is the determinant of the

[γ, β]

matrix.

We get

\begin{aligned} t_{1} = & \frac{1}{d} \cdot k \cdot γ_{2} \\ t_{2} = & - \frac{1}{d} \cdot k \cdot β_{2} \end{aligned}

Due to the determinant division, these values lie on

Q

. We round them to their closest integer value to obtain a point in the

[β, γ]

-generated lattice. Now we have:

(\begin{matrix} k_{1} \\ k_{2} \end{matrix}) = (\begin{matrix} k \\ 0 \end{matrix}) - (\begin{matrix} β_{1} & γ_{1} \\ β_{2} & γ_{2} \end{matrix}) (\begin{matrix} ⌊ t_{1} ⌉ \\ ⌊ t_{2} ⌉ \end{matrix})

We will only compute

- k_{2}

- k_{2} = β_{2} \cdot ⌊ t_{1} ⌉ + γ_{2} \cdot ⌊ t_{2} ⌉

Then we use the original definition

k = k_{1} + λ k_{2}

to compute

k_{1}

k_{1} = k + λ (- k_{2})

Finally, instead of returning

k_{1}, k_{2}

, this algorithm will return

- k_{i}

k_{i}

choosing the one with a lower absolute value. The choice is indicated with some flags. The output then is (k_1, k_1_neg, k_2, k_2_neg).

Carlos Pérez

2023/02/16 11:42:02

Finally, instead of returning $k_1, k_2$, this algorithm will return $-k_i$ or $k_i$ choosing the one with a lower absolute value. The choice is indicated with some flags. The output then is `(k_1, k_1_neg, k_2, k_2_neg)`.

Damn... we should check with Youseff about that. Let me ask him! (Edited)