Faster Addition and Doubling on Elliptic Curves

Edwards recently introduced a new normal form for elliptic curves. Every elliptic curve over a non-binary field is birationally equivalent to a curve in Edwards form over an extension of the field, and in many cases over the original field. This paper presents fast explicit formulas (and register allocations) for group operations on an Edwards curve. The algorithm for doubling uses only 3M + 4S, i.e., 3 field multiplications and 4 field squarings. If curve parameters are chosen to be small then the algorithm for mixed addition uses only 9M + 1S and the algorithm for non-mixed addition uses only 10M + 1S. Arbitrary Edwards curves can be handled at the cost of just one extra multiplication by a curve parameter. For comparison, the fastest algorithms known for the popular "a4=-3 Jacobian" form use 3M + 5S for doubling; use 7M + 4S for mixed addition; use 11M + 5S for non-mixed addition; and use 10M + 4S for non-mixed addition when one input has been added before. The explicit formulas for non-mixed addition on an Edwards curve can be used for doublings at no extra cost, simplifying protection against side-channel attacks. Even better, many elliptic curves (approximately 1/4 of all isomorphism classes of elliptic curves over a non-binary finite field) are birationally equivalent--over the original field--to Edwards curves where this addition algorithm works for all pairs of curve points, including inverses, the neutral element, etc. This paper contains an extensive comparison of different forms of elliptic curves and different coordinate systems for the basic group operations (doubling, mixed addition, non-mixed addition, and unified addition) as well as higher-level operations such as multi-scalar multiplication.
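The completeness claim can be checked exhaustively on a toy curve. The following is an added example, not code from the paper: it assumes the standard affine Edwards addition law for x^2 + y^2 = 1 + d*x^2*y^2 with non-square d (the abstract does not reproduce the formula), and the prime 101, the parameter d = 2 and all function names are constructed for illustration.

```python
# Toy Edwards curve x^2 + y^2 = 1 + D*x^2*y^2 over GF(P); values are constructed.
P = 101                      # small prime; 101 = 5 mod 8, so 2 is a non-square
D = 2                        # non-square d is the condition for a complete law
NEUTRAL = (0, 1)

def is_square(a):
    """Euler criterion for a nonzero a mod P."""
    return pow(a % P, (P - 1) // 2, P) == 1

def on_curve(pt):
    x, y = pt
    return (x * x + y * y - 1 - D * x * x * y * y) % P == 0

def neg(pt):
    return ((-pt[0]) % P, pt[1])

def add(p1, p2):
    """Single formula used for addition, doubling, neutral and inverses."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    # pow(..., -1, P) raises ValueError if a denominator is 0 mod P.
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 - x1 * x2) * pow((1 - t) % P, -1, P) % P
    return (x3, y3)

def scalar_mul(k, pt):
    """Double-and-add in which the doubling is just add(r, r)."""
    r = NEUTRAL
    for bit in bin(k)[2:]:
        r = add(r, r)
        if bit == "1":
            r = add(r, pt)
    return r

def verify_complete():
    """Run add() on every ordered pair of points; return the point count."""
    pts = [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))]
    for a in pts:
        if add(a, NEUTRAL) != a or add(a, neg(a)) != NEUTRAL:
            raise ArithmeticError("neutral/inverse case failed")
        for b in pts:
            if not on_curve(add(a, b)):
                raise ArithmeticError("sum left the curve")
    return len(pts)

if __name__ == "__main__":
    n = verify_complete()
    print(n, "points, every pair added without an exceptional case")
```

The branch on `bit` in `scalar_mul` still depends on the scalar, so this sketch shows only that no special-case point handling is needed, not a constant-time ladder.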
