## Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms (2001)


### BibTeX

```bibtex
@MISC{Gallant01fasterpoint,
    author = {R. Gallant and R. Lambert and S. Vanstone},
    title = {Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms},
    year = {2001}
}
```


### Abstract

The fundamental operation in elliptic curve cryptographic schemes is that of point multiplication of an elliptic curve point by an integer. This paper describes a new method for accelerating this operation on classes of elliptic curves that have efficiently-computable endomorphisms. One advantage of the new method is that it is applicable to a larger class of curves than previous such methods.

### Citations

2583 | Handbook of applied cryptography
- Menezes, Oorschot, et al.
- 1997
Citation Context: ...que for exponentiation is the repeated square-and-multiply algorithm. Numerous methods for speeding up exponentiation and point multiplication have been discussed in the literature; for a survey, see [11, 12, 17]. These methods can be categorized as follows: 1. Generic methods which can be applied to speed up exponentiation in any finite abelian group, including: (a) Comb techniques (e.g. [15]) which precomput...

931 | A Course in Computational Algebraic Number Theory, Graduate Texts
- Cohen
- 1996
Citation Context: ...tation of $\phi(P)$ is normally quite fast. For example, if a normal basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ is used, this computation can be implemented as a cyclic shift of the vector representation. Example 3 (§7.2.3 of [5]). Let $p \equiv 1 \pmod 4$ be a prime, and consider the elliptic curve $E_1 : y^2 = x^3 + ax$ (1) defined over $\mathbb{F}_p$. Let $\alpha \in \mathbb{F}_p$ be an element of order 4. Then the map $\phi : E_1 \to E_1$ defined by $(x, y) \mapsto (-x, \alpha y)$ and $\mathcal{O}$...

837 | The arithmetic of elliptic curves
- Silverman
- 1992
Citation Context: ...he finite field $\mathbb{F}_q$. The point at infinity is denoted by $\mathcal{O}$. For any $n \ge 1$, the group of $\mathbb{F}_{q^n}$-rational points on $E$ is denoted by $E(\mathbb{F}_{q^n})$. An endomorphism of $E$ is a rational map $\phi : E \to E$ satisfying $\phi(\mathcal{O}) = \mathcal{O}$ [27]. If the rational map is defined over $\mathbb{F}_q$, then the endomorphism $\phi$ is also said to be defined over $\mathbb{F}_q$. In this case, $\phi$ is a group homomorphism of $E(\mathbb{F}_q)$, and also of $E(\mathbb{F}_{q^n})$ for any $n \ge 1$. Example 1. Let E...

314 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance
- Pohlig, Hellman
- 1978
Citation Context: ...lliptic curve $E$ over $\mathbb{F}_q$ for cryptographic use, one must ensure that the order $\#E(\mathbb{F}_q)$ of the elliptic curve is divisible by a large prime number $n$ (say $n \ge 2^{160}$) in order to prevent the Pohlig-Hellman [22] and Pollard's rho [23, 21] attacks. In addition, one must ensure that $\#E(\mathbb{F}_q) \ne q$ in order to prevent the Semaev-Satoh-Araki-Smart attack [26, 25, 28], and that $n$ does not divide $q^i - 1$ for all $1 \le i$ ...

293 | Reducing elliptic curve logarithms to logarithms in a finite field
- Menezes, Okamoto, et al.
- 1993
Citation Context: ...dition, one must ensure that $\#E(\mathbb{F}_q) \ne q$ in order to prevent the Semaev-Satoh-Araki-Smart attack [26, 25, 28], and that $n$ does not divide $q^i - 1$ for all $1 \le i \le 20$ in order to prevent the Weil pairing [16] and Tate pairing attacks [8]. Given a curve satisfying these conditions, there is no attack known that significantly reduces the time required to compute elliptic curve discrete logarithms. Many such ...

237 | On Lovasz’ lattice reduction and the nearest lattice point problem
- Babai
- 1986
Citation Context: ... be precomputed if $n$ and $\lambda$ are shared domain parameters. Finding $v$. A vector $v$ in the integer lattice generated by $v_1$ and $v_2$ that is close to $(k, 0)$ can be easily found using elementary linear algebra [1]. By considering $(k, 0)$, $v_1$ and $v_2$ as vectors in $\mathbb{Q} \times \mathbb{Q}$, we can write $(k, 0) = \beta_1 v_1 + \beta_2 v_2$, where $\beta_1, \beta_2 \in \mathbb{Q}$. Then round $\beta_1$, $\beta_2$ to the nearest integers: $b_1 = \lfloor \beta_1 \rceil$, $b_2 = \lfloor \beta_2 \rceil$. Finally, let $v = b_1 v_1 + b_2$...

236 | Monte Carlo methods for index computation mod p
- Pollard
- 1978
Citation Context: ... for cryptographic use, one must ensure that the order $\#E(\mathbb{F}_q)$ of the elliptic curve is divisible by a large prime number $n$ (say $n \ge 2^{160}$) in order to prevent the Pohlig-Hellman [22] and Pollard's rho [23, 21] attacks. In addition, one must ensure that $\#E(\mathbb{F}_q) \ne q$ in order to prevent the Semaev-Satoh-Araki-Smart attack [26, 25, 28], and that $n$ does not divide $q^i - 1$ for all $1 \le i \le 20$ in order to prevent th...

194 | A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves
- Frey, Rück
- 1994
Citation Context: ...$E(\mathbb{F}_q) \ne q$ in order to prevent the Semaev-Satoh-Araki-Smart attack [26, 25, 28], and that $n$ does not divide $q^i - 1$ for all $1 \le i \le 20$ in order to prevent the Weil pairing [16] and Tate pairing attacks [8]. Given a curve satisfying these conditions, there is no attack known that significantly reduces the time required to compute elliptic curve discrete logarithms. Many such curves having efficient endomor...

159 | A survey of fast exponentiation methods
- Gordon
- 1998
Citation Context: ...que for exponentiation is the repeated square-and-multiply algorithm. Numerous methods for speeding up exponentiation and point multiplication have been discussed in the literature; for a survey, see [11, 12, 17]. These methods can be categorized as follows: 1. Generic methods which can be applied to speed up exponentiation in any finite abelian group, including: (a) Comb techniques (e.g. [15]) which precomput...

155 | Software Implementation of Elliptic Curve Cryptography over Binary Fields
- Hankerson, Lopez, et al.
Citation Context: ...que for exponentiation is the repeated square-and-multiply algorithm. Numerous methods for speeding up exponentiation and point multiplication have been discussed in the literature; for a survey, see [11, 12, 17]. These methods can be categorized as follows: 1. Generic methods which can be applied to speed up exponentiation in any finite abelian group, including: (a) Comb techniques (e.g. [15]) which precomput...

151 | Efficient elliptic curve exponentiation using mixed coordinates
- Cohen, Ono, et al.
- 1998
Citation Context: ...etic. For example, selection of an irreducible trinomial as the reduction polynomial for binary extension fields. (c) Selection of a point representation which enables faster elliptic curve arithmetic [6]. (d) Selection of an elliptic curve with special properties, for example Koblitz curves [13]. Koblitz curves are elliptic curves defined over $\mathbb{F}_2$, and were first proposed for cryptographic use in [13]. ...

151 | Parallel collision search with cryptanalytic applications
- Oorschot, Wiener
- 1999
Citation Context: ... for cryptographic use, one must ensure that the order $\#E(\mathbb{F}_q)$ of the elliptic curve is divisible by a large prime number $n$ (say $n \ge 2^{160}$) in order to prevent the Pohlig-Hellman [22] and Pollard's rho [23, 21] attacks. In addition, one must ensure that $\#E(\mathbb{F}_q) \ne q$ in order to prevent the Semaev-Satoh-Araki-Smart attack [26, 25, 28], and that $n$ does not divide $q^i - 1$ for all $1 \le i \le 20$ in order to prevent th...

125 | CM-curves with good cryptographic properties
- Koblitz
- 1992
Citation Context: ...ary extension fields. (c) Selection of a point representation which enables faster elliptic curve arithmetic [6]. (d) Selection of an elliptic curve with special properties, for example Koblitz curves [13]. Koblitz curves are elliptic curves defined over $\mathbb{F}_2$, and were first proposed for cryptographic use in [13]. The primary advantage of Koblitz curves is that the Frobenius endomorphism can be exploited t...

107 | Sequences of numbers generated by addition in formal groups and new primality and factorization tests, Adv
- Chudnovsky, Chudnovsky
- 1986
Citation Context: ...3 [18]) plus 1 evaluation of the map $\phi$. If the cost of a point doubling is 8 field multiplications and the cost of a point addition is 11 field multiplications (as is the case with Jacobian coordinates [4]), then the ratio of the running times of the proposed method to the traditional method is 0.66. Thus the new method for point multiplication is roughly 50% faster than the traditional method when t...

98 | J. Olivos, "Speeding up the computations on an elliptic curve using addition-subtraction chains", Information Theory Application 24 (1990
- Morain
Citation Context: ...$Q_2 + \cdots + k_t Q_t$, for example in ECDSA signature verification. 2. Exponent recoding techniques which replace the binary representation of $k$ with a representation which has fewer non-zero terms (e.g., [10, 19]). 3. Methods which are particular to elliptic curve point multiplication such as: (a) Selection of an underlying finite field which enables faster field arithmetic. For example, selection of a prime fiel...

89 | An Improved Algorithm for Arithmetic on a Family of Elliptic Curves
- Solinas
- 1997
Citation Context: ...yptographic use in [13]. The primary advantage of Koblitz curves is that the Frobenius endomorphism can be exploited to devise fast point multiplication algorithms that do not use any point doublings [30, 32]. These techniques can be generalized to use arbitrary endomorphisms but are generally not efficient. The contribution of this paper is a new technique for speeding up point multiplication of elliptic c...

86 | The discrete logarithm problem on elliptic curves of trace one
- Smart
- 1999
Citation Context: ... $n$ (say $n \ge 2^{160}$) in order to prevent the Pohlig-Hellman [22] and Pollard's rho [23, 21] attacks. In addition, one must ensure that $\#E(\mathbb{F}_q) \ne q$ in order to prevent the Semaev-Satoh-Araki-Smart attack [26, 25, 28], and that $n$ does not divide $q^i - 1$ for all $1 \le i \le 20$ in order to prevent the Weil pairing [16] and Tate pairing attacks [8]. Given a curve satisfying these conditions, there is no attack known that s...

83 | Efficient arithmetic on Koblitz curves
- Solinas
Citation Context: ...yptographic use in [13]. The primary advantage of Koblitz curves is that the Frobenius endomorphism can be exploited to devise fast point multiplication algorithms that do not use any point doublings [30, 32]. These techniques can be generalized to use arbitrary endomorphisms but are generally not efficient. The contribution of this paper is a new technique for speeding up point multiplication of elliptic c...

74 | Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves
- Araki, Satoh
- 1998
Citation Context: ... $n$ (say $n \ge 2^{160}$) in order to prevent the Pohlig-Hellman [22] and Pollard's rho [23, 21] attacks. In addition, one must ensure that $\#E(\mathbb{F}_q) \ne q$ in order to prevent the Semaev-Satoh-Araki-Smart attack [26, 25, 28], and that $n$ does not divide $q^i - 1$ for all $1 \le i \le 20$ in order to prevent the Weil pairing [16] and Tate pairing attacks [8]. Given a curve satisfying these conditions, there is no attack known that s...

67 | Improving the parallelized Pollard lambda search on anomalous binary curves
- Gallant, Lambert, et al.
Citation Context: ... Many such curves having efficient endomorphisms exist and hence appear suitable for cryptographic use. One attack on the elliptic curve discrete logarithm problem on such curves is along the lines of [9] and [34]. The application of such ideas does not reduce the time to compute a logarithm by more than a small factor. The number of curves for which this technique applies seems to be reasonably large...

61 | Faster attacks on elliptic curve cryptosystems
- Wiener, Zuccherato
- 1999
Citation Context: ...uch curves having efficient endomorphisms exist and hence appear suitable for cryptographic use. One attack on the elliptic curve discrete logarithm problem on such curves is along the lines of [9] and [34]. The application of such ideas does not reduce the time to compute a logarithm by more than a small factor. The number of curves for which this technique applies seems to be reasonably large. For ins...

60 | Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p
- Semaev
- 1998
Citation Context: ... $n$ (say $n \ge 2^{160}$) in order to prevent the Pohlig-Hellman [22] and Pollard's rho [23, 21] attacks. In addition, one must ensure that $\#E(\mathbb{F}_q) \ne q$ in order to prevent the Semaev-Satoh-Araki-Smart attack [26, 25, 28], and that $n$ does not divide $q^i - 1$ for all $1 \le i \le 20$ in order to prevent the Weil pairing [16] and Tate pairing attacks [8]. Given a curve satisfying these conditions, there is no attack known that s...

50 | Generalized Mersenne numbers
- Solinas
- 1999
Citation Context: ... multiplication such as: (a) Selection of an underlying finite field which enables faster field arithmetic. For example, selection of a prime field $\mathbb{F}_p$ where $p$ is a Mersenne prime or a Mersenne-like prime [31], or an optimal field extension [2]. (b) Selection of a representation of the underlying finite field which enables faster field arithmetic. For example, selection of an irreducible trinomial as the reduc...

42 | Efficient elliptic curve exponentiation
- Miyaji, Ono, et al.
- 1997
Citation Context: ...tion techniques available. Nevertheless, the following provides some indication of the relative benefits of our method. Assume that $k$ is a randomly selected $t$-bit integer. When $t = 160$, Algorithm 2 of [18] (an exponent recoding and sliding window algorithm) is among the best algorithms for computing $kP$. This method costs approximately 157 point doubles and 34 point additions using windows of size 4 [1...

37 | Primes of the Form $x^2 + ny^2$
- Cox
- 1989

33 | Fast multiplication on elliptic curves over small fields of characteristic two
- Muller
- 1998

17 | Elliptic curve cryptosystems over small fields of odd characteristic
- Smart
- 1999
Citation Context: ...y) $\mapsto \left( -\frac{2x^2 + 4x + 9}{4(x + 2)},\; -\frac{2x^2 + 8x - 1}{4\sqrt{-2}\,(x + 2)^2}\, y \right)$ and $\mathcal{O} \mapsto \mathcal{O}$ is an endomorphism defined over $\mathbb{F}_p$. Computing the endomorphism is a little harder than doubling a point. The existing methods [13, 14, 20, 29, 32] for point multiplication which exploit efficiently-computable endomorphisms all use the Frobenius endomorphism. Let $E$ be an elliptic curve defined over a small field $\mathbb{F}_q$, and let $\phi$ be the Frobenius endomo...

11 | Redundant integer representations and fast exponentiation
- Gollmann, Han, et al.
- 1996
Citation Context: ...$Q_2 + \cdots + k_t Q_t$, for example in ECDSA signature verification. 2. Exponent recoding techniques which replace the binary representation of $k$ with a representation which has fewer non-zero terms (e.g., [10, 19]). 3. Methods which are particular to elliptic curve point multiplication such as: (a) Selection of an underlying finite field which enables faster field arithmetic. For example, selection of a prime fiel...

11 | More exponentiation with precomputation
- Lim, Lee
- 1994

8 | Wireless Application Protocol Wireless Transport Layer Security Specification, Wireless Application Protocol Forum
- WTLS
- 1999
Citation Context: ...n a larger class of elliptic curves, for example certain curves over prime fields. Such elliptic curves over prime fields have been included in the WAP WTLS (Wireless Transport Layer Security) standard [33]. We believe the ideas discussed in this paper are new (though not difficult). In particular, we believe that the approach of decomposing $k$ modulo $n$, and applying just one application of the endomorphis...

3 | Optimal extension for fast arithmetic in public-key algorithms
- Bailey, Paar
- 1998

3 | An elliptic curve implementation of the digital signature algorithm
- Koblitz
- 1998

3 | Optimal extension fields for fast arithmetic in public-key algorithms
- Bailey, Paar
- 1998
Citation Context: ...ion of an underlying finite field which enables faster field arithmetic. For example, selection of a prime field $\mathbb{F}_p$ where $p$ is a Mersenne prime or a Mersenne-like prime [31], or an optimal field extension [2]. (b) Selection of a representation of the underlying finite field which enables faster field arithmetic. For example, selection of an irreducible trinomial as the reduction polynomial for binary extensi...

3 | On the generation of DSA one-time keys
- Bleichenbacher
Citation Context: ... $\mathbb{F}_p$. Example 5 (§7.2.3 of [5]). Let $p > 3$ be a prime such that $-7$ is a perfect square in $\mathbb{F}_p$, and let $\omega = (1 + \sqrt{-7})/2$, and let $a = (\omega - 3)/4$. Consider the elliptic curve $E_3 : y^2 = x^3 - \frac{3}{4}x^2 - 2x - 1$ (3) defined over $\mathbb{F}_p$. Then the map $\phi : E_3 \to E_3$ defined by $(x, y) \mapsto \left( \omega^{-2}\,\frac{x^2 - \omega}{x - a},\; \omega^{-3} y\,\frac{x^2 - 2ax + \omega}{(x - a)^2} \right)$ and $\mathcal{O} \mapsto \mathcal{O}$ is an endomorphism defined over $\mathbb{F}_p$. Computing the endomorphism is a little harde...

3 | An elliptic curve implementation of the finite field digital signature algorithm
- Koblitz
- 1998
Citation Context: ...y) $\mapsto \left( -\frac{2x^2 + 4x + 9}{4(x + 2)},\; -\frac{2x^2 + 8x - 1}{4\sqrt{-2}\,(x + 2)^2}\, y \right)$ and $\mathcal{O} \mapsto \mathcal{O}$ is an endomorphism defined over $\mathbb{F}_p$. Computing the endomorphism is a little harder than doubling a point. The existing methods [13, 14, 20, 29, 32] for point multiplication which exploit efficiently-computable endomorphisms all use the Frobenius endomorphism. Let $E$ be an elliptic curve defined over a small field $\mathbb{F}_q$, and let $\phi$ be the Frobenius endomo...

3 | More flexible exponentiation with precomputation
- Lim, Lee
- 1994
Citation Context: ...vey, see [11, 12, 17]. These methods can be categorized as follows: 1. Generic methods which can be applied to speed up exponentiation in any finite abelian group, including: (a) Comb techniques (e.g. [15]) which precompute tables which depend on $Q$. Such techniques are applicable when the base point $Q$ is fixed and known a priori, for example in ECDSA signature generation. (b) Addition chains which are u...

1 | Fast multiplication in elliptic curves over small fields of characteristic two
- Müller
- 1998
Citation Context: ...y) $\mapsto \left( -\frac{2x^2 + 4x + 9}{4(x + 2)},\; -\frac{2x^2 + 8x - 1}{4\sqrt{-2}\,(x + 2)^2}\, y \right)$ and $\mathcal{O} \mapsto \mathcal{O}$ is an endomorphism defined over $\mathbb{F}_p$. Computing the endomorphism is a little harder than doubling a point. The existing methods [13, 14, 20, 29, 32] for point multiplication which exploit efficiently-computable endomorphisms all use the Frobenius endomorphism. Let $E$ be an elliptic curve defined over a small field $\mathbb{F}_q$, and let $\phi$ be the Frobenius endomo...

1 | personal communication
- Proos
- 2000
Citation Context: ...', 'Shamir's trick', or 'multi-exponentiation'. Algorithm 2 of [18] can be combined with the simultaneous multiple exponentiation technique of Algorithm 1 to give an algorithm which is among the best [24] for computing $k_1 P + k_2 Q$. Essentially, this combined algorithm computes P and Q for the integers corresponding to allowable windows, then writes each of $k_1$ and $k_2$ in signed windowed-NAF form as in...