Complete Addition Formulas for Prime Order Elliptic Curves

An elliptic curve addition law is said to be complete if it correctly computes the sum of any two points in the elliptic curve group. One of the main reasons for the increased popularity of Edwards curves in the ECC community is that they can allow a complete group law that is also relatively efficient (e.g., when compared to all known addition laws on Edwards curves). Such complete addition formulas can simplify the task of an ECC implementer and, at the same time, can greatly reduce the potential vulnerabilities of a cryptosystem. Unfortunately, until now, complete addition laws that are relatively efficient have only been proposed on curves of composite order and have thus been incompatible with all of the currently standardized prime order curves. In this paper we present optimized addition formulas that are complete on every prime order short Weierstrass curve defined over a field k with $\mathrm{char}\,k \ne 2,3$. Compared to their incomplete counterparts, these formulas require a larger number of field additions, but interestingly require fewer field multiplications. We discuss how these formulas can be used to achieve secure, exception-free implementations on all of the prime order curves in the NIST and many other standards.
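To make "complete" concrete, the following added example (not code from the paper or this page) compares the textbook chord rule, which needs a branch for every exceptional input, with a single branch-free projective formula on a prime order short Weierstrass curve. Assumptions: the toy curve y^2 = x^3 + 2x + 1 over F_5 is constructed for illustration, and the expression in `complete_add` is the unoptimized general-a complete formula as recalled here, not the paper's operation-count-optimized algorithm.

```python
# Constructed toy curve (not from the paper): y^2 = x^3 + 2x + 1 over F_5.
# It has 7 points, so the group order is prime and char k = 5 is neither 2 nor 3.
P, A, B = 5, 2, 1
INF = (0, 1, 0)  # point at infinity in projective coordinates (X : Y : Z)

def inv(v):
    return pow(v, P - 2, P)  # Fermat inverse in F_P

def curve_points():
    """All points of the toy curve as (x, y, 1), plus the point at infinity."""
    return [(x, y, 1) for x in range(P) for y in range(P)
            if (y * y - (x**3 + A * x + B)) % P == 0] + [INF]

def normalize(pt):
    """Scale (X : Y : Z) to a canonical triple; None flags the invalid (0 : 0 : 0)."""
    X, Y, Z = (c % P for c in pt)
    if Z == 0:
        return INF if Y else None
    return (X * inv(Z) % P, Y * inv(Z) % P, 1)

def chord_add(p, q):
    """Textbook chord rule with no special cases; None where its slope is undefined."""
    (x1, y1, z1), (x2, y2, z2) = p, q
    if z1 == 0 or z2 == 0 or x1 == x2:  # infinity, doubling, or P + (-P)
        return None
    lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P, 1)

def complete_add(p, q):
    """One projective expression for every input pair (assumed general-a form)."""
    (X1, Y1, Z1), (X2, Y2, Z2) = p, q
    xx, yy, zz = X1 * X2, Y1 * Y2, Z1 * Z2
    xy, xz, yz = X1 * Y2 + X2 * Y1, X1 * Z2 + X2 * Z1, Y1 * Z2 + Y2 * Z1
    u = A * xx + 3 * B * xz - A * A * zz
    v = 3 * xx + A * zz
    lo, hi = yy - A * xz - 3 * B * zz, yy + A * xz + 3 * B * zz
    return normalize((xy * lo - yz * u, v * u + hi * lo, yz * hi + xy * v))

def exceptional_pairs():
    """Input pairs the chord rule cannot handle without an extra branch."""
    pts = curve_points()
    return [(p, q) for p in pts for q in pts if chord_add(p, q) is None]

def scalar_mul(k, p):
    """Repeated addition using only complete_add, so no input needs special-casing."""
    acc = INF
    for _ in range(k):
        acc = complete_add(acc, p)
    return acc
```

On this curve the chord rule is undefined for 25 of the 49 ordered input pairs, while `complete_add` returns a valid curve point for all of them. `normalize` is only there to compare results; a real implementation would stay in projective coordinates and use constant-time field arithmetic.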
