Results 1 - 10 of 35
On Small Characteristic Algebraic Tori in Pairing-Based Cryptography
, 2004
Cited by 27 (3 self)
The output of the Tate pairing on an elliptic curve over a finite field is an element in the multiplicative group of an extension field modulo a particular subgroup. One ordinarily powers this element to obtain a unique representative for the output coset, and performs any further necessary arithmetic in the extension field. Rather than an obstruction, we show to the contrary that one can exploit this quotient group to eliminate the final powering, to speed up exponentiations and to obtain a simple compression of pairing values which is useful during interactive identity-based cryptographic protocols. Specifically we demonstrate that methods available for fast point multiplication on elliptic curves such as mixed addition, signed digit representations and Frobenius expansions, all transfer easily to the quotient group, and provide a significant improvement over the arithmetic of the extension field.
Trading Inversions for Multiplications in Elliptic Curve Cryptography
- in Designs, Codes and Cryptography
, 2003
Cited by 18 (0 self)
Recently, Eisenträger et al. proposed a very elegant method for speeding up scalar multiplication on elliptic curves. Their method relies on improved formulae for evaluating S = (2P + Q) from given points P and Q on an elliptic curve. Compared to the naive approach, the improved formulae save a field multiplication each time the operation is performed.
A note on the signed sliding window integer recoding and a left-to-right analogue
- in “Selected Areas in Cryptography – SAC 2004”, Lecture Notes in Computer Science 3357 (2005), 130–143
, 2004
Cited by 15 (2 self)
Abstract. Addition-subtraction-chains obtained from signed digit recodings of integers are a common tool for computing multiples of random elements of a group where the computation of inverses is a fast operation. Cohen and Solinas independently described one such recoding, the w-NAF. For scalars of the size commonly used in cryptographic applications, it leads to the current scalar multiplication algorithm of choice. However, we could find no formal proof of its optimality in the literature. This recoding is computed right-to-left. We solve two open questions regarding the w-NAF. We first prove that the w-NAF is a redundant radix-2 recoding of smallest weight among all those with integral coefficients smaller in absolute value than 2^(w−1). Secondly, we introduce a left-to-right recoding with the same digit set as the w-NAF, generalizing previous results. We also prove that the two recodings have the same (optimal) weight. Finally, we sketch how to prove similar results for other recodings.
Distribution results for low-weight binary representations for pairs of integers
- Theoret. Comput. Sci.
, 2004
Cited by 15 (10 self)
Abstract. We discuss an optimal method for the computation of linear combinations of elements of Abelian groups, which uses signed digit expansions. This has applications in elliptic curve cryptography. We compute the expected number of operations asymptotically (including a periodically oscillating second order term) and prove a central limit theorem. Apart from the usual right-to-left (i.e., least significant digit first) approach we also discuss a left-to-right computation of the expansions. This exhibits fractal structures that are studied in some detail.
Analysis of linear combination algorithms in cryptography
- ACM Transactions on Algorithms
Cited by 13 (8 self)
Abstract. Several cryptosystems rely on fast calculations of linear combinations in groups. One way to achieve this is to use joint signed binary digit expansions of small “weight.” We study two algorithms, one based on non adjacent forms of the coefficients of the linear combination, the other based on a certain joint sparse form specifically adapted to this problem. Both methods are sped up using the sliding windows approach combined with precomputed lookup tables. We give explicit and asymptotic results for the number of group operations needed assuming uniform distribution of the coefficients. Expected values, variances and a central limit theorem are proved using generating functions. Furthermore, we provide a new algorithm which calculates the digits of an optimal expansion of pairs of integers from left to right. This avoids storing the whole expansion, which is needed with the previously known right to left methods, and allows an online computation.
Alternative Digit Sets for Nonadjacent Representations
, 2004
Cited by 10 (2 self)
Abstract. It is known that every positive integer n can be represented as a finite sum of the form n = Σ a_i 2^i, where a_i ∈ {0, 1, −1} for all i, and no two consecutive a_i’s are non-zero. Such sums are called nonadjacent representations. Nonadjacent representations are useful in efficiently implementing elliptic curve arithmetic for cryptographic applications. In this paper, we investigate if other digit sets of the form {0, 1, x}, where x is an integer, provide each positive integer with a nonadjacent representation. If a digit set has this property we call it a nonadjacent digit set (NADS). We present an algorithm to determine if {0, 1, x} is a NADS; and if it is, we present an algorithm to efficiently determine the nonadjacent representation of any positive integer. We also present some necessary and sufficient conditions for {0, 1, x} to be a NADS. These conditions are used to exhibit infinite families of integers x such that {0, 1, x} is a NADS, as well as infinite families of x such that {0, 1, x} is not a NADS.
Improved algorithms for efficient arithmetic on elliptic curves using fast endomorphisms
- Advances in Cryptology - Proceedings of Eurocrypt 2003
, 2003
Cited by 9 (1 self)
Abstract. In most algorithms involving elliptic curves, the most expensive part consists in computing multiples of points. This paper investigates how to extend the τ-adic expansion from Koblitz curves to a larger class of curves defined over a prime field having an efficiently-computable endomorphism φ in order to perform an efficient point multiplication with efficiency similar to Solinas’ approach presented at CRYPTO ’97. Furthermore, many elliptic curve cryptosystems require the computation of k_0P + k_1Q. Following the work of Solinas on the Joint Sparse Form, we introduce the notion of φ-Joint Sparse Form which combines the advantages of a φ-expansion with the additional speedup of the Joint Sparse Form. We also present an efficient algorithm to obtain the φ-Joint Sparse Form. Then, the double exponentiation can be done using the φ endomorphism instead of doubling, resulting in an average of l applications of φ and l/2 additions, where l is the size of the k_i’s. This results in an important speed-up when the computation of φ is particularly effective, as in the case of Koblitz curves. Keywords. Elliptic curves, fast endomorphisms, Joint Sparse Form.
The alternating greedy expansion and applications to left-to-right algorithms
- in Cryptography Theoret. Comput. Sci IEICE TRANS. FUNDAMENTALS, VOL.E90–A, NO.5 MAY 2007 341 (2005
, 2004
Cited by 8 (2 self)
Abstract. In [4], we introduced the alternating greedy expansion of integers, which turned out to be useful in several left-to-right algorithms in cryptography. In this paper, we collect known results about this alternating greedy expansion and complement it with other useful properties and algorithms. In the second part, we apply it to give an algorithm for computing a joint expansion of d integers of minimal joint Hamming weight from left to right, i.e., from the column with the most significant bits towards the column with the least significant bits. Furthermore, we can also compute an expansion equivalent to the so-called w-NAF from left to right using the alternating greedy expansion.
A Comparison of CEILIDH and XTR
- IN ALGORITHMIC NUMBER THEORY SYMPOSIUM (ANTS), SPRINGER-VERLAG LNCS 3076
, 2004
Cited by 7 (6 self)
We give a comparison of the performance of the recently proposed torus-based public key cryptosystem CEILIDH, and XTR. Underpinning both systems is the mathematics of the two dimensional algebraic torus T6(Fp). However, while they both attain the same discrete logarithm security and each achieve a compression factor of three for all data transmissions, the arithmetic performed in each is fundamentally different. In its inception, the designers of CEILIDH were reluctant to claim it offers any particular advantages over XTR other than its exact compression and decompression technique. From both an algorithmic and arithmetic perspective, we develop an efficient version of CEILIDH and show that while it seems bound to be inherently slower than XTR, the difference in performance is much smaller than what one might infer from the original description. Also, thanks to CEILIDH's simple group law, it provides a greater flexibility for applications, and may thus be considered a worthwhile alternative to XTR.
Practical Cryptography in High Dimensional Tori
- In Advances in Cryptology (EUROCRYPT 2005), Springer LNCS 3494
, 2004
Cited by 7 (5 self)
At Crypto 2004, van Dijk and Woodruff introduced a new way of using the algebraic tori Tn in cryptography, and obtained an asymptotically optimal n/φ(n) savings in bandwidth and storage for a number of cryptographic applications. However, the computational requirements of compression and decompression in their scheme were impractical, and it was left open to reduce them to a practical level. We give a new method that compresses orders of magnitude faster than the original, while also speeding up the decompression and improving on the compression factor (by a constant term). Further, we give the first efficient implementation that uses T30, compare its performance to XTR, CEILIDH, and ECC, and present new applications. Our methods achieve better compression than XTR and CEILIDH for the compression of as few as two group elements. This allows us to apply our results to ElGamal encryption with a small message domain to obtain ciphertexts that are 10% smaller than in previous schemes.

