Results 1 - 10 of 29
Speeding Up The Computations On An Elliptic Curve Using Addition-Subtraction Chains
Theoretical Informatics and Applications, 1990
Cited by 100 (4 self)
We show how to compute x^k using multiplications and divisions. We use this method in the context of elliptic curves for which a law exists with the property that division has the same cost as multiplication. Our best algorithm is 11.11% faster than the ordinary binary algorithm and speeds up accordingly the factorization and primality testing algorithms using elliptic curves. 1. Introduction. Recent algorithms used in primality testing and integer factorization make use of elliptic curves defined over finite fields or Artinian rings (cf. Section 2). One can define over these sets an abelian law. As a consequence, one can transpose over the corresponding groups all the classical algorithms that were designed over Z/NZ. In particular, one has the analogue of the p − 1 factorization algorithm of Pollard [29, 5, 20, 22], the Fermat-like primality testing algorithms [1, 14, 21, 26] and the public key cryptosystems based on RSA [30, 17, 19]. The basic operation performed on an elli...
Theory and applications of the double-base number system
IEEE Trans. on Computers, 1999
Cited by 27 (10 self)
In this paper we present a rigorous theoretical analysis of the main properties of a double base number system, using bases 2 and 3; in particular we emphasize the sparseness of the representation. A simple geometric interpretation allows an efficient implementation of the basic arithmetic operations and we introduce an index calculus for logarithmic-like arithmetic with considerable hardware reductions in lookup table size. Two potential areas of applications are discussed: applications in digital signal processing for computation of inner products and in cryptography for computation of modular exponentiations. 1.
A note on the signed sliding window integer recoding and a left-to-right analogue
in “Selected Areas in Cryptography – SAC 2004”, Lecture Notes in Computer Science 3357 (2005), 130–143, 2004
Cited by 19 (5 self)
Abstract. Addition-subtraction chains obtained from signed digit recodings of integers are a common tool for computing multiples of random elements of a group where the computation of inverses is a fast operation. Cohen and Solinas independently described one such recoding, the wNAF. For scalars of the size commonly used in cryptographic applications, it leads to the current scalar multiplication algorithm of choice. However, we could find no formal proof of its optimality in the literature. This recoding is computed right-to-left. We solve two open questions regarding the wNAF. We first prove that the wNAF is a redundant radix-2 recoding of smallest weight among all those with integral coefficients smaller in absolute value than 2^(w−1). Secondly, we introduce a left-to-right recoding with the same digit set as the wNAF, generalizing previous results. We also prove that the two recodings have the same (optimal) weight. Finally, we sketch how to prove similar results for other recodings.
Reconfigurable Implementation of Elliptic Curve Crypto Algorithms
RECONFIGURABLE ARCHITECTURES WORKSHOP, 16TH INTERNATIONAL PARALLEL AND DISTRIBUTED PROCESSING SYMPOSIUM, 2002
Cited by 13 (0 self)
For FPGA based coprocessors for elliptic curve cryptography, a significant performance gain can be achieved when hybrid coordinates are used to represent points on the elliptic curve. We provide a new area/performance tradeoff analysis of different hybrid representations over fields of characteristic two. Moreover, we present a new generic cryptoprocessor architecture that can be adapted to various area/performance constraints and finite field sizes, and show how to apply high level synthesis techniques to the controller design.
Optimizing double-base elliptic-curve single-scalar multiplication
Cited by 11 (1 self)
Abstract. This paper analyzes the best speeds that can be obtained for single-scalar multiplication with variable base point by combining a huge range of options: – many choices of coordinate systems and formulas for individual group operations, including new formulas for tripling on Edwards curves; – double-base chains with many different doubling/tripling ratios, including standard base-2 chains as an extreme case; – many precomputation strategies, going beyond Dimitrov, Imbert, Mishra (Asiacrypt 2005) and Doche and Imbert (Indocrypt 2006). The analysis takes account of speedups such as S − M tradeoffs and includes recent advances such as inverted Edwards coordinates. The main conclusions are as follows. Optimized precomputations and triplings save time for single-scalar multiplication in Jacobian coordinates, Hessian curves, and tripling-oriented Doche/Icart/Kohel curves. However, even faster single-scalar multiplication is possible in Jacobi intersections, Edwards curves, extended Jacobi-quartic coordinates, and inverted Edwards coordinates, thanks to extremely fast doublings and additions; there is no evidence that double-base chains are worthwhile for the fastest curves. Inverted Edwards coordinates are the speed leader.
Faster Square Roots in Annoying Finite Fields
Cited by 10 (0 self)
Let q be an odd prime number. There are several methods known to compute square roots in Z/q: the quadratic-extension methods of Legendre, Pocklington, Cipolla, Lehmer, et al., and the discrete-logarithm methods of Tonelli, Shanks, et al. The quadratic-extension methods use (3 + o(1)) lg q multiplications and, on average, 2 + o(1) Jacobi-symbol computations mod q. The discrete-logarithm methods use only (1 + o(1)) lg q multiplications, after an easy precomputation of one element of Z/q, if ord_2(q − 1) ∈ o(√(lg q)). This paper presents an algorithm that uses only (1 + o(1)) lg q multiplications, after an easy precomputation of (lg q)^O(1) elements of Z/q, if ord_2(q − 1) ∈ o(√(lg q) lg lg q). For example, the new algorithm can compute square roots in Z/q for q = 2^224 − 2^96 + 1 using 364 multiplications in Z/q and 1024 precomputed elements of Z/q. The same technique speeds up the Silver-Pohlig-Hellman algorithm for computing discrete logarithms in any cyclic group of smooth order.
Efficient generation of minimal length addition chains
SIAM Journal on Computing, 1999
Cited by 10 (0 self)
Abstract. An addition chain for a positive integer n is a set 1 = a_0 < a_1 < ··· < a_r = n of integers such that for each i ≥ 1, a_i = a_j + a_k for some k ≤ j < i. This paper is concerned with some of the computational aspects of generating minimal length addition chains for an integer n. Particular attention is paid to various pruning techniques that cut down the search time for such chains. Certain of these techniques are influenced by the multiplicative structure of n. Later sections of the paper present some results that have been uncovered by searching for minimal length addition chains.
Pippenger's Exponentiation Algorithm
2002
Cited by 9 (0 self)
Pippenger's exponentiation algorithm computes a power, or a product of powers, or a sequence of powers, or a sequence of products of powers, with very few multiplications. Pippenger's algorithm was published twenty-five years ago, but it is still not widely understood or appreciated, although certain parts of it have recently been reinvented, republished, and popularized. This paper is an exposition of the state of the art in generic exponentiation algorithms, in particular, Pippenger's algorithm. 1.
Analysis of DPA Countermeasures Based on Randomizing the Binary Algorithm
2003
Cited by 5 (2 self)
One of the major threats to the security of cryptosystems nowadays is the information leaked through side channels. For instance, power analysis attacks have been successfully mounted on cryptosystems embedded into small devices such as smart cards.
Efficient Implementation of the Orlandi Protocol Extended Version
Cited by 4 (0 self)
Abstract. We present an efficient implementation of the Orlandi protocol which is the first implementation of a protocol for multiparty computation on arithmetic circuits, which is secure against up to n−1 static, active adversaries. An efficient implementation of an actively secure self-trust protocol enables a number of multiparty computation where one or more of the parties only trust himself. Examples include auctions, negotiations, and online gaming. The efficiency of the implementation is largely obtained through an efficient implementation of the Paillier cryptosystem, also described in this paper.