Results 1 - 3 of 3
Batch binary Edwards
In Crypto 2009, volume 5677 of LNCS, 2009
Cited by 32 (10 self)
Abstract. This paper sets new software speed records for high-security Diffie–Hellman computations, specifically 251-bit elliptic-curve variable-base-point scalar multiplication. In one second of computation on a $200 Core 2 Quad Q6600 CPU, this paper’s software performs 30000 251-bit scalar multiplications on the binary Edwards curve \(d(x + x^2 + y + y^2) = (x + x^2)(y + y^2)\) over the field \(\mathbb{F}_2[t]/(t^{251} + t^7 + t^4 + t^2 + 1)\) where \(d = t^{57} + t^{54} + t^{44} + 1\). The paper’s field-arithmetic techniques can be applied in much more generality but have a particularly efficient interaction with the completeness of addition formulas for binary Edwards curves. Keywords. Scalar multiplication, Diffie–Hellman, batch throughput, vectorization, Karatsuba, Toom, elliptic curves, binary Edwards curves, differential addition, complete addition formulas
Selecting Elliptic Curves for Cryptography: An Efficiency and Security Analysis
Cited by 9 (2 self)
Abstract. We select a set of elliptic curves for cryptography and analyze our selection from a performance and security perspective. This analysis complements recent curve proposals that suggest (twisted) Edwards curves by also considering the Weierstrass model. Working with both Montgomery-friendly and pseudo-Mersenne primes allows us to consider more possibilities which improves the overall efficiency of base field arithmetic. Our Weierstrass curves are backwards compatible with current implementations of prime order NIST curves, while providing improved efficiency and stronger security properties. We choose algorithms and explicit formulas to demonstrate that our curves support constant-time, exception-free scalar multiplications, thereby offering high practical security in cryptographic applications. Our implementation shows that variable-base scalar multiplication on the new Weierstrass curves at the 128-bit security level is about 1.4 times faster than the recent implementation record on the corresponding NIST curve. For practitioners who are willing to use a different curve model and sacrifice a few bits of security, we present a collection of twisted Edwards curves with particularly efficient arithmetic that are up to 1.43, 1.26 and 1.24 times faster than the new Weierstrass curves at the 128, 192 and 256-bit security levels, respectively. Finally, we discuss how these curves behave in a real world protocol by considering different scalar multiplication scenarios in the transport layer security (TLS) protocol.
Edwards curves and CM curves
2009
Cited by 3 (1 self)
Edwards curves are a particular form of elliptic curves that admit a fast, unified and complete addition law. Relations between Edwards curves and Montgomery curves have already been described. Our work takes the view of parameterizing elliptic curves given by their j-invariant, a problematic that arises from using curves with complex multiplication, for instance. We add to the catalogue the links with Kubert parameterizations of \(X_0(2)\) and \(X_0(4)\). We classify CM curves that admit an Edwards or Montgomery form over a finite field, and justify the use of isogenous curves when needed.