addchain
Build Status go.dev Go Report Card DOI: 10.5281/zenodo.5622943

Cryptographic Addition Chain Generation in Go

`addchain` generates short addition chains for exponents of cryptographic interest with [results](#results) rivaling the best hand-optimized chains. Intended as a building block in elliptic curve or other cryptographic code generators. * Suite of algorithms from academic research: continued fractions, dictionary-based and Bos-Coster heuristics * Custom run-length techniques exploit structure of cryptographic exponents with excellent results on Solinas primes * Generic optimization methods eliminate redundant operations * Simple domain-specific language for addition chain computations * Command-line interface or library * Code generation and templated output support ## Table of Contents * [Background](#background) * [Results](#results) * [Usage](#usage) * [Command-line Interface](#command-line-interface) * [Library](#library) * [Algorithms](#algorithms) * [Binary](#binary) * [Continued Fractions](#continued-fractions) * [Bos-Coster Heuristics](#bos-coster-heuristics) * [Dictionary](#dictionary) * [Runs](#runs) * [Optimization](#optimization) * [Citing](#citing) * [Thanks](#thanks) * [Contributing](#contributing) * [License](#license) ## Background An [_addition chain_](https://en.wikipedia.org/wiki/Addition_chain) for a target integer _n_ is a sequence of numbers starting at 1 and ending at _n_ such that every term is a sum of two numbers appearing earlier in the sequence. For example, an addition chain for 29 is ``` 1, 2, 4, 8, 9, 17, 25, 29 ``` Addition chains arise in the optimization of exponentiation algorithms with fixed exponents. For example, the addition chain above corresponds to the following sequence of multiplications to compute x29
 x2 = x1 * x1
 x4 = x2 * x2
 x8 = x4 * x4
 x9 = x1 * x8
x17 = x8 * x9
x25 = x8 * x17
x29 = x4 * x25
An exponentiation algorithm for a fixed exponent _n_ reduces to finding a _minimal length addition chain_ for _n_. This is especially relevent in cryptography where exponentiation by huge fixed exponents forms a performance-critical component of finite-field arithmetic. In particular, constant-time inversion modulo a prime _p_ is performed by computing xp-2 (mod p), thanks to [Fermat's Little Theorem](https://en.wikipedia.org/wiki/Fermat%27_little_theorem). Square root also reduces to exponentiation for some prime moduli. Finding short addition chains for these exponents is one important part of high-performance finite field implementations required for elliptic curve cryptography or RSA. Minimal addition chain search is famously hard. No practical optimal algorithm is known, especially for cryptographic exponents of size 256-bits and up. Given its importance for the performance of cryptographic implementations, implementers devote significant effort to hand-tune addition chains. The goal of the `addchain` project is to match or exceed the best hand-optimized addition chains using entirely automated approaches, building on extensive academic research and applying new tweaks that exploit the unique nature of cryptographic exponents. ## Results The following table shows the results of the `addchain` library on popular cryptographic exponents. For each one we also show the length of the [best known hand-optimized addition chain](https://briansmith.org/ecc-inversion-addition-chains-01), and the delta from the library result. | Name | This Library | Best Known | Delta | | ---- | -----------: | ---------: | ----: | | [Curve25519 Field Inversion](doc/results.md#curve25519-field-inversion) | 266 | 265 | +1 | | [NIST P-256 Field Inversion](doc/results.md#nist-p-256-field-inversion) | 266 | 266 | **+0** | | [NIST P-384 Field Inversion](doc/results.md#nist-p-384-field-inversion) | 397 | 396 | +1 | | [secp256k1 (Bitcoin) Field Inversion](doc/results.md#secp256k1-bitcoin-field-inversion) | 269 | 269 | **+0** | | [Curve25519 Scalar Inversion](doc/results.md#curve25519-scalar-inversion) | 283 | 284 | **-1** | | [NIST P-256 Scalar Inversion](doc/results.md#nist-p-256-scalar-inversion) | 294 | 292 | +2 | | [NIST P-384 Scalar Inversion](doc/results.md#nist-p-384-scalar-inversion) | 434 | 433 | +1 | | [secp256k1 (Bitcoin) Scalar Inversion](doc/results.md#secp256k1-bitcoin-scalar-inversion) | 293 | 290 | +3 | See [full results listing](doc/results.md) for more detail and results for less common exponents. These results demonstrate that `addchain` is competitive with hand-optimized chains, often with equivalent or better performance. Even when `addchain` is slightly sub-optimal, it can still be considered valuable since it fully automates a laborious manual process. As such, `addchain` can be trusted to produce high quality results in an automated code generation tool. ## Usage ### Command-line Interface Install a pre-compiled [release binary](https://github.com/mmcloughlin/addchain/releases): ``` curl -sSfL https://git.io/addchain | sh -s -- -b /usr/local/bin ``` Alternatively build from source: ``` go install github.com/mmcloughlin/addchain/cmd/addchain@latest ``` Search for a curve25519 field inversion addition chain with: ```sh addchain search '2^255 - 19 - 2' ``` Output: ``` addchain: expr: "2^255 - 19 - 2" addchain: hex: 7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeb addchain: dec: 57896044618658097711785492504343953926634992332820282019728792003956564819947 addchain: best: opt(runs(continued_fractions(dichotomic))) addchain: cost: 266 _10 = 2*1 _11 = 1 + _10 _1100 = _11 << 2 _1111 = _11 + _1100 _11110000 = _1111 << 4 _11111111 = _1111 + _11110000 x10 = _11111111 << 2 + _11 x20 = x10 << 10 + x10 x30 = x20 << 10 + x10 x60 = x30 << 30 + x30 x120 = x60 << 60 + x60 x240 = x120 << 120 + x120 x250 = x240 << 10 + x10 return (x250 << 2 + 1) << 3 + _11 ``` Next, you can [generate code from this addition chain](doc/gen.md). ### Library Install: ``` go get -u github.com/mmcloughlin/addchain ``` Algorithms all conform to the [`alg.ChainAlgorithm`](https://pkg.go.dev/github.com/mmcloughlin/addchain/alg#ChainAlgorithm) or [`alg.SequenceAlgorithm`](https://pkg.go.dev/github.com/mmcloughlin/addchain/alg#SequenceAlgorithm) interfaces and can be used directly. However the most user-friendly method uses the [`alg/ensemble`](https://pkg.go.dev/github.com/mmcloughlin/addchain/alg/ensemble) package to instantiate a sensible default set of algorithms and the [`alg/exec`](https://pkg.go.dev/github.com/mmcloughlin/addchain/alg/exec) helper to execute them in parallel. The following code uses this method to find an addition chain for curve25519 field inversion: ```go func Example() { // Target number: 2²⁵⁵ - 21. n := new(big.Int) n.SetString("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeb", 16) // Default ensemble of algorithms. algorithms := ensemble.Ensemble() // Use parallel executor. ex := exec.NewParallel() results := ex.Execute(n, algorithms) // Output best result. best := 0 for i, r := range results { if r.Err != nil { log.Fatal(r.Err) } if len(results[i].Program) < len(results[best].Program) { best = i } } r := results[best] fmt.Printf("best: %d\n", len(r.Program)) fmt.Printf("algorithm: %s\n", r.Algorithm) // Output: // best: 266 // algorithm: opt(runs(continued_fractions(dichotomic))) } ``` ## Algorithms This section summarizes the algorithms implemented by `addchain` along with references to primary literature. See the [bibliography](doc/bibliography.md) for the complete references list. ### Binary The [`alg/binary`](https://pkg.go.dev/github.com/mmcloughlin/addchain/alg/binary) package implements the addition chain equivalent of the basic [square-and-multiply exponentiation method](https://en.wikipedia.org/wiki/Exponentiation_by_squaring). It is included for completeness, but is almost always outperformed by more advanced algorithms below. ### Continued Fractions The [`alg/contfrac`](https://pkg.go.dev/github.com/mmcloughlin/addchain/alg/contfrac) package implements the continued fractions methods for addition sequence search introduced by Bergeron-Berstel-Brlek-Duboc in 1989 and later extended. This approach utilizes a decomposition of an addition chain akin to continued fractions, namely ``` (1,..., k,..., n) = (1,...,n mod k,..., k) ⊗ (1,..., n/k) ⊕ (n mod k). ``` for certain special operators ⊗ and ⊕. This decomposition lends itself to a recursive algorithm for efficient addition sequence search, with results dependent on the _strategy_ for choosing the auxillary integer _k_. The [`alg/contfrac`](https://pkg.go.dev/github.com/mmcloughlin/addchain/alg/contfrac) package provides a laundry list of strategies from the literature: binary, co-binary, dichotomic, dyadic, fermat, square-root and total. #### References * F Bergeron, J Berstel, S Brlek and C Duboc. Addition chains using continued fractions. Journal of Algorithms. 1989. http://www-igm.univ-mlv.fr/~berstel/Articles/1989AdditionChainDuboc.pdf * Bergeron, F., Berstel, J. and Brlek, S. Efficient computation of addition chains. Journal de theorie des nombres de Bordeaux. 1994. http://www.numdam.org/item/JTNB_1994__6_1_21_0 * Amadou Tall and Ali Yassin Sanghare. Efficient computation of addition-subtraction chains using generalized continued Fractions. Cryptology ePrint Archive, Report 2013/466. 2013. https://eprint.iacr.org/2013/466 * Christophe Doche. Exponentiation. Handbook of Elliptic and Hyperelliptic Curve Cryptography, chapter 9. 2006. http://koclab.cs.ucsb.edu/teaching/ecc/eccPapers/Doche-ch09.pdf ### Bos-Coster Heuristics Bos and Coster described an iterative algorithm for efficient addition sequence generation in which at each step a heuristic proposes new numbers for the sequence in such a way that the _maximum_ number always decreases. The [original Bos-Coster paper](https://link.springer.com/content/pdf/10.1007/0-387-34805-0_37.pdf) defined four heuristics: Approximation, Divison, Halving and Lucas. Package [`alg/heuristic`](https://pkg.go.dev/github.com/mmcloughlin/addchain/alg/heuristic) implements a variation on these heuristics: * **Approximation:** looks for two elements a, b in the current sequence with sum close to the largest element. * **Halving:** applies when the target is at least twice as big as the next largest, and if so it will propose adding a sequence of doublings. * **Delta Largest:** proposes adding the delta between the largest two entries in the current sequence. Divison and Lucas are not implemented due to disparities in the literature about their precise definition and poor results from early experiments. Furthermore, this library does not apply weights to the heuristics as suggested in the paper, rather it simply uses the first that applies. However both of these remain [possible avenues for improvement](https://github.com/mmcloughlin/addchain/issues/26). #### References * Bos, Jurjen and Coster, Matthijs. Addition Chain Heuristics. In Advances in Cryptology --- CRYPTO' 89 Proceedings, pages 400--407. 1990. https://link.springer.com/content/pdf/10.1007/0-387-34805-0_37.pdf * Riad S. Wahby. kwantam/addchain. Github Repository. Apache License, Version 2.0. 2018. https://github.com/kwantam/addchain * Christophe Doche. Exponentiation. Handbook of Elliptic and Hyperelliptic Curve Cryptography, chapter 9. 2006. http://koclab.cs.ucsb.edu/teaching/ecc/eccPapers/Doche-ch09.pdf * Ayan Nandy. Modifications of Bos and Coster’s Heuristics in search of a shorter addition chain for faster exponentiation. Masters thesis, Indian Statistical Institute Kolkata. 2011. http://library.isical.ac.in:8080/jspui/bitstream/10263/6441/1/DISS-285.pdf * F. L. Ţiplea, S. Iftene, C. Hriţcu, I. Goriac, R. Gordân and E. Erbiceanu. MpNT: A Multi-Precision Number Theory Package, Number Theoretical Algorithms (I). Technical Report TR03-02, Faculty of Computer Science, "Alexandru Ioan Cuza" University, Iasi. 2003. https://profs.info.uaic.ro/~tr/tr03-02.pdf * Stam, Martijn. Speeding up subgroup cryptosystems. PhD thesis, Technische Universiteit Eindhoven. 2003. https://cr.yp.to/bib/2003/stam-thesis.pdf ### Dictionary Dictionary methods decompose the binary representation of a target integer _n_ into a set of dictionary _terms_, such that _n_ may be written as a sum
n = ∑ 2ei di
for exponents _e_ and elements _d_ from a dictionary _D_. Given such a decomposition we can construct an addition chain for _n_ by 1. Find a short addition _sequence_ containing every element of the dictionary _D_. Continued fractions and Bos-Coster heuristics can be used here. 2. Build _n_ from the dictionary terms according to the sum decomposition. The efficiency of this approach boils down to the decomposition method. The [`alg/dict`](https://pkg.go.dev/github.com/mmcloughlin/addchain/alg/dict) package provides: * **Fixed Window:** binary representation of _n_ is broken into fixed _k_-bit windows * **Sliding Window**: break _n_ into _k_-bit windows, skipping zeros where possible * **Run Length**: decompose _n_ into runs of 1s up to a maximal length * **Hybrid**: mix of sliding window and run length methods #### References * Martin Otto. Brauer addition-subtraction chains. PhD thesis, Universitat Paderborn. 2001. http://www.martin-otto.de/publications/docs/2001_MartinOtto_Diplom_BrauerAddition-SubtractionChains.pdf * Kunihiro, Noboru and Yamamoto, Hirosuke. New Methods for Generating Short Addition Chains. IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences. 2000. https://pdfs.semanticscholar.org/b398/d10faca35af9ce5a6026458b251fd0a5640c.pdf * Christophe Doche. Exponentiation. Handbook of Elliptic and Hyperelliptic Curve Cryptography, chapter 9. 2006. http://koclab.cs.ucsb.edu/teaching/ecc/eccPapers/Doche-ch09.pdf ### Runs The runs algorithm is a custom variant of the dictionary approach that decomposes a target into runs of ones. It leverages the observation that building a dictionary consisting of runs of 1s of lengths l1, l2, ..., lk can itself be reduced to: 1. Find an addition sequence containing the run lengths li. As with dictionary approaches we can use Bos-Coster heuristics and continued fractions here. However here we have the advantage that the li are typically very _small_, meaning that a wider range of algorithms can be brought to bear. 2. Use the addition sequence for the run lengths li to build an addition sequence for the runs themselves r(li) where r(e) = 2e-1. See [`dict.RunsChain`](https://pkg.go.dev/github.com/mmcloughlin/addchain/alg/dict#RunsChain). This approach has proved highly effective against cryptographic exponents which frequently exhibit binary structure, such as those derived from [Solinas primes](https://en.wikipedia.org/wiki/Solinas_prime). > I have not seen this method discussed in the literature. Please help me find references to prior art if you know any. ### Optimization Close inspection of addition chains produced by other algorithms revealed cases of redundant computation. This motivated a final optimization pass over addition chains to remove unecessary steps. The [`alg/opt`](https://pkg.go.dev/github.com/mmcloughlin/addchain/alg/opt) package implements the following optimization: 1. Determine _all possible_ ways each element can be computed from those prior. 2. Count how many times each element is used where it is the _only possible_ way of computing that entry. 3. Prune elements that are always used in computations that have an alternative. These micro-optimizations were vital in closing the gap between `addchain`'s automated approaches and hand-optimized chains. This technique is reminiscent of basic passes in optimizing compilers, raising the question of whether other [compiler optimizations could apply to addition chains](https://github.com/mmcloughlin/addchain/issues/24)? > I have not seen this method discussed in the literature. Please help me find references to prior art if you know any. ## Citing If you use `addchain` in your research a citation would be appreciated. Citing a specific release is preferred, since they are [archived on Zenodo](https://doi.org/10.5281/zenodo.4625263) and assigned a DOI. Please use the following BibTeX to cite the most recent [0.4.0 release](https://github.com/mmcloughlin/addchain/releases/tag/v0.4.0). ```bib @misc{addchain, title = {addchain: Cryptographic Addition Chain Generation in Go}, author = {Michael B. McLoughlin}, year = 2021, month = oct, howpublished = {Repository \url{https://github.com/mmcloughlin/addchain}}, version = {0.4.0}, license = {BSD 3-Clause License}, doi = {10.5281/zenodo.5622943}, url = {https://doi.org/10.5281/zenodo.5622943}, } ``` If you need to cite a currently unreleased version please consider [filing an issue](https://github.com/mmcloughlin/addchain/issues/new) to request a new release, or to discuss an appropriate format for the citation. ## Thanks Thank you to [Tom Dean](https://web.stanford.edu/~trdean/), [Riad Wahby](https://wahby.org/), [Brian Smith](https://briansmith.org/) and [str4d](https://github.com/str4d) for advice and encouragement. Thanks also to [Damian Gryski](https://github.com/dgryski) and [Martin Glancy](https://twitter.com/mglancy) for review. ## Contributing Contributions to `addchain` are welcome: * [Submit bug reports](https://github.com/mmcloughlin/addchain/issues/new) to the issues page. * Suggest [test cases](https://github.com/mmcloughlin/addchain/blob/e6c070065205efcaa02627ab1b23e8ce6aeea1db/internal/results/results.go#L62) or update best-known hand-optimized results. * Pull requests accepted. Please discuss in the [issues section](https://github.com/mmcloughlin/addchain/issues) before starting significant work. ## License `addchain` is available under the [BSD 3-Clause License](LICENSE).