Results 1 - 10 of 17
Faster addition and doubling on elliptic curves
 In Asiacrypt 2007 [10
, 2007
Cited by 53 (10 self)
Abstract. Edwards recently introduced a new normal form for elliptic curves. Every elliptic curve over a nonbinary field is birationally equivalent to a curve in Edwards form over an extension of the field, and in many cases over the original field. This paper presents fast explicit formulas (and register allocations) for group operations on an Edwards curve. The algorithm for doubling uses only 3M + 4S, i.e., 3 field multiplications and 4 field squarings. If curve parameters are chosen to be small then the algorithm for mixed addition uses only 9M + 1S and the algorithm for nonmixed addition uses only 10M + 1S. Arbitrary Edwards curves can be handled at the cost of just one extra multiplication by a curve parameter. For comparison, the fastest algorithms known for the popular “a4 = −3 Jacobian” form use 3M + 5S for doubling; use 7M + 4S for mixed addition; use 11M + 5S for nonmixed addition; and use 10M + 4S for nonmixed addition when one input has been added before. The explicit formulas for nonmixed addition on an Edwards curve can be used for doublings at no extra cost, simplifying protection against side-channel attacks. Even better, many elliptic curves (approximately 1/4 of all isomorphism classes of elliptic curves over a nonbinary finite field) are birationally equivalent — over the original field — to Edwards curves where this addition algorithm works for all pairs of curve points, including inverses, the neutral element, etc. This paper contains an extensive comparison of different forms of elliptic curves and different coordinate systems for the basic group operations (doubling, mixed addition, nonmixed addition, and unified addition) as well as higher-level operations such as multiscalar multiplication.
New Composite Operations and Precomputation Scheme for Elliptic Curve Cryptosystems over Prime Fields
 in Public Key Cryptography (PKC’08), LNCS
, 2008
Cited by 11 (5 self)
Abstract. We present a new methodology to derive faster composite operations of the form dP+Q, where d is a small integer ≥ 2, for generic ECC scalar multiplications over prime fields. In particular, we present an efficient Doubling-Addition (DA) operation that can be exploited to accelerate most scalar multiplication methods, including multiscalar variants. We also present a new precomputation scheme useful for window-based scalar multiplications that is shown to achieve the lowest cost among all known methods using only one inversion. In comparison to the remaining approaches that use none or several inversions, our scheme offers higher performance for most common I/M ratios. By combining the benefits of our precomputation scheme and the new DA operation, we can save up to 6.2% in the scalar multiplication using fractional wNAF.
Optimizing double-base elliptic-curve single-scalar multiplication
Cited by 11 (1 self)
Abstract. This paper analyzes the best speeds that can be obtained for single-scalar multiplication with variable base point by combining a huge range of options: – many choices of coordinate systems and formulas for individual group operations, including new formulas for tripling on Edwards curves; – double-base chains with many different doubling/tripling ratios, including standard base-2 chains as an extreme case; – many precomputation strategies, going beyond Dimitrov, Imbert, Mishra (Asiacrypt 2005) and Doche and Imbert (Indocrypt 2006). The analysis takes account of speedups such as S − M tradeoffs and includes recent advances such as inverted Edwards coordinates. The main conclusions are as follows. Optimized precomputations and triplings save time for single-scalar multiplication in Jacobian coordinates, Hessian curves, and tripling-oriented Doche/Icart/Kohel curves. However, even faster single-scalar multiplication is possible in Jacobi intersections, Edwards curves, extended Jacobi-quartic coordinates, and inverted Edwards coordinates, thanks to extremely fast doublings and additions; there is no evidence that double-base chains are worthwhile for the fastest curves. Inverted Edwards coordinates are the speed leader.
The Double-base Number System and its Application to Elliptic Curve Cryptography
 in Mathematics of Computation
, 2008
Cited by 9 (2 self)
Abstract. We describe an algorithm for point multiplication on generic elliptic curves, based on a representation of the scalar as a sum of mixed powers of 2 and 3. The sparseness of this so-called double-base number system, combined with some efficient point tripling formulae, lead to efficient point multiplication algorithms for curves defined over both prime and binary fields. Side-channel resistance is provided thanks to side-channel atomicity.
Faster group operations on elliptic curves
, 2007
Cited by 6 (1 self)
This paper improves implementation techniques of Elliptic Curve Cryptography. We introduce new formulae and algorithms for the group law on Jacobi quartic, Jacobi intersection, Edwards, and Hessian curves. The proposed formulae and algorithms can save time in suitable point representations. To support our claims, a cost comparison is made with classic scalar multiplication algorithms using previous and current operation counts. Most notably, the best speeds are obtained from Jacobi quartic curves which provide the fastest timings for most scalar multiplication strategies benefiting from the proposed 2M + 5S + 1D point doubling and 7M + 3S + 1D point addition algorithms. Furthermore, the new addition algorithm provides an efficient way to protect against side channel attacks which are based on simple power analysis (SPA).
Accelerating the Scalar Multiplication on Elliptic Curve Cryptosystems Over Prime Fields
, 2007
Cited by 6 (2 self)
Elliptic curve cryptography (ECC), independently introduced by Koblitz and Miller in the 80’s, has attracted increasing attention in recent years due to its shorter key length requirement in comparison with other public-key cryptosystems such as RSA. Shorter key length means reduced power consumption and computing effort, and less storage requirement, factors that are fundamental in ubiquitous portable devices such as PDAs, cellphones, smartcards, and many others. To that end, a lot of research has been carried out to speed up and improve ECC implementations, mainly focusing on the most important and time-consuming ECC operation: scalar multiplication. In this thesis, we focus on optimizing such ECC operation at the point and scalar arithmetic levels, specifically targeting standard curves over prime fields. At the point arithmetic level, we introduce two innovative methodologies to accelerate ECC formulae: the use of new composite operations, which are built on top of basic point doubling and addition operations; and the substitution of field multiplications by squarings and other cheaper operations. These techniques are efficiently exploited, individually or jointly, in several contexts: to accelerate computation of scalar multiplications, and the computation of
Hybrid Binary-Ternary Joint Sparse Form and its Application in Elliptic Curve Cryptography
, 2008
Cited by 5 (0 self)
Multiexponentiation is a common and time-consuming operation in public-key cryptography. Its elliptic curve counterpart, called multiscalar multiplication, is extensively used for digital signature verification. Several algorithms have been proposed to speed up those critical computations. They are based on simultaneously recoding a set of integers in order to minimize the number of general multiplications or point additions. When signed-digit recoding techniques can be used, as in the world of elliptic curves, Joint Sparse Form (JSF) and interleaving wNAF are the most efficient algorithms. In this paper, a novel recoding algorithm for a pair of integers is proposed, based on a decomposition that mixes powers of 2 and powers of 3. The so-called Hybrid Binary-Ternary Joint Sparse Form requires fewer digits and is sparser than the JSF and the interleaving wNAF. Its advantages are illustrated for elliptic curve double-scalar multiplication; the operation counts show a gain of up to 18%.
K.: Group Law Computations on Jacobians of Hyperelliptic Curves
 Selected Areas in Cryptography. LNCS
, 2011
Cited by 5 (3 self)
Abstract. We derive an explicit method of computing the composition step in Cantor’s algorithm for group operations on Jacobians of hyperelliptic curves. Our technique is inspired by the geometric description of the group law and applies to hyperelliptic curves of arbitrary genus. While Cantor’s general composition involves arithmetic in the polynomial ring Fq[x], the algorithm we propose solves a linear system over the base field which can be written down directly from the Mumford coordinates of the group elements. We apply this method to give more efficient formulas for group operations in both affine and projective coordinates for cryptographic systems based on Jacobians of genus 2 hyperelliptic curves in general form.
Families of fast elliptic curves from Q-curves
Cited by 5 (2 self)
Abstract. We construct new families of elliptic curves over F_{p^2} with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant–Lambert–Vanstone (GLV) and Galbraith–Lin–Scott (GLS) endomorphisms. Our construction is based on reducing Q-curves—curves over quadratic number fields without complex multiplication, but with isogenies to their Galois conjugates—modulo inert primes. As a first application of the general theory we construct, for every p > 3, two one-parameter families of elliptic curves over F_{p^2} equipped with endomorphisms that are faster than doubling. Like GLS (which appears as a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when p is fixed. Unlike GLS, we also offer the possibility of constructing twist-secure curves. Among our examples are prime-order curves equipped with fast endomorphisms, with almost-prime-order twists, over F_{p^2} for p = 2^127 − 1 and p = 2^255 − 19.
New Multibase Non-Adjacent Form Scalar Multiplication and its Application to Elliptic Curve Cryptosystems
, 2007
Cited by 5 (3 self)
In this paper we present a new method for scalar multiplication that uses a generic multibase representation to reduce the number of required operations. Further, a multibase NAF-like algorithm that efficiently converts numbers to such representation without impacting memory or speed performance is developed and shown to be sublinear in terms of the number of nonzero terms. Additional representation reductions are discussed with the introduction of window-based variants that use an extended set of precomputations. To realize the proposed multibase scalar multiplication with or without precomputations in the setting of Elliptic Curve Cryptosystems (ECC) over prime fields, we also present a methodology to derive fast composite operations such as tripling or quintupling of a point that require less memory than previous point formulae. Point operations are then protected against simple side-channel attacks using a highly efficient atomic structure. Extensive testing is carried out to show that our multibase scalar multiplication is the fastest method to date in the setting of ECC and exhibits a small footprint, which makes it ideal for implementation on constrained devices.