Efficient Scalar Multiplication by Isogeny Decompositions

On an elliptic curve, the degree of an isogeny corresponds essentially to the degrees of the polynomial expressions involved in its application. The multiplication–by–l map [l] has degree l2, therefore the complexity to directly evaluate [l](p) is O(l2). For a small prime l (= 2, 3) such that the additive binary representation provides no better performance, this represents the true cost of application of scalar multiplication. If an elliptic curve admits an isogeny ϕ of degree l then the costs of computing ϕ(P) should in contrast be O(l) field operations. Since we then have a product expression [l]=$\hat{\varphi}\varphi$, the existence of an l-isogeny ϕ on an elliptic curve yields a theoretical improvement from O(l2) to O(l) field operations for the evaluation of [l](p) by naive application of the defining polynomials. In this work we investigate actual improvements for small l of this asymptotic complexity. For this purpose, we describe the general construction of families of curves with a suitable decomposition [l]=$\hat{\varphi}\varphi$, and provide explicit examples of such a family of curves with simple decomposition for [3]. Finally we derive a new tripling algorithm to find complexity improvements to triplication on a curve in certain projective coordinate systems, then combine this new operation to non-adjacent forms for l-adic expansions in order to obtain an improved strategy for scalar multiplication on elliptic curves.

[1]  Scott A. Vanstone,et al.  Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms , 2001, CRYPTO.

[2]  Neal Koblitz,et al.  CM-Curves with Good Cryptographic Properties , 1991, CRYPTO.

[3]  Tanja Lange,et al.  Improved Algorithms for Efficient Arithmetic on Elliptic Curves Using Fast Endomorphisms , 2003, EUROCRYPT.

[4]  Alfred Menezes,et al.  The Implementation of Elliptic Curve Cryptosystems , 1990, AUSCRYPT.

[5]  Laurent Imbert,et al.  Efficient and Secure Elliptic Curve Point Multiplication Using Double-Base Chains , 2005, ASIACRYPT.

[6]  Atsuko Miyaji,et al.  Efficient Elliptic Curve Exponentiation Using Mixed Coordinates , 1998, ASIACRYPT.

[7]  Yang Han Subrepresentations of Kronecker representations , 2004 .

[8]  Atsuko Miyaji,et al.  Efficient elliptic curve exponentiation , 1997, ICICS.

[9]  Tanja Lange,et al.  Handbook of Elliptic and Hyperelliptic Curve Cryptography , 2005 .

[10]  Ricardo Dahab,et al.  Improved Algorithms for Elliptic Curve Arithmetic in GF(2n) , 1998, Selected Areas in Cryptography.

[11]  Marc Joye,et al.  Fast Point Multiplication on Elliptic Curves through Isogenies , 2003, AAECC.

[12]  Francesco Sica,et al.  An Analysis of Double Base Number Systems and a Sublinear Scalar Multiplication Algorithm , 2005, Mycrypt.

[13]  Jerome A. Solinas,et al.  Efficient Arithmetic on Koblitz Curves , 2000, Des. Codes Cryptogr..

[14]  David Jao,et al.  Do All Elliptic Curves of the Same Order Have the Same Difficulty of Discrete Log? , 2004, ASIACRYPT.

[15]  J. Olivos,et al.  Speeding up the computations on an elliptic curve using addition-subtraction chains , 1990, RAIRO Theor. Informatics Appl..

[16]  Tanja Lange Koblitz curve cryptosystems , 2005, Finite Fields Their Appl..

[17]  Alfred Menezes,et al.  Guide to Elliptic Curve Cryptography , 2004, Springer Professional Computing.

[18]  Tsuyoshi Takagi,et al.  Radix-r Non-Adjacent Form , 2004, ISC.

[19]  Tsuyoshi Takagi,et al.  Some Analysis of Radix-r Representations , 2005, IACR Cryptol. ePrint Arch..

[20]  Ricardo Dahaby Improved Algorithms for Elliptic Curve Arithmetic in Gf(2 N ) Improved Algorithms for Elliptic Curve Arithmetic in Gf (2 N ) , 1998 .

[21]  Andreas Bender,et al.  On the Implementation of Elliptic Curve Cryptosystems , 1989, CRYPTO.

[22]  Marc Joye,et al.  Trading Inversions for Multiplications in Elliptic Curve Cryptography , 2006, Des. Codes Cryptogr..

[23]  Graham A. Jullien,et al.  Theory and applications for a double-base number system , 1997, Proceedings 13th IEEE Sympsoium on Computer Arithmetic.