Faster Scalar Multiplication on Koblitz Curves Combining Point Halving with the Frobenius Endomorphism

Let E be an elliptic curve defined over F_{2^n}. The inverse operation of point doubling, called point halving, can be done up to three times as fast as doubling. Some authors have therefore proposed performing a scalar multiplication by a "halve-and-add" algorithm, which is faster than the classical double-and-add method. If the coefficients of the equation defining the curve lie in a small subfield of F_{2^n}, one can use the Frobenius endomorphism tau of the field extension to replace doublings. Since the cost of tau is negligible if normal bases are used, the scalar is written in "base tau" and the resulting "tau-and-add" algorithm gives very good performance. For elliptic Koblitz curves, this work combines the two ideas for the first time to achieve a novel decomposition of the scalar. This gives a new scalar multiplication algorithm which is up to 14.29% faster than the Frobenius method, without any additional precomputation.
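As an added illustration (not code from the paper), the following Python computes the "base tau" expansion the abstract refers to: Solinas's tau-adic NAF of an element r0 + r1*tau of Z[tau] for the Koblitz curve E_a, and checks the expansion by evaluating it back in Z[tau]. The function names and the cost estimate are my own assumptions.

```python
# Koblitz curve E_a: y^2 + xy = x^3 + a*x^2 + 1 over F_{2^n}, a in {0, 1}.
# The Frobenius endomorphism tau satisfies tau^2 = mu*tau - 2, mu = (-1)^(1-a),
# so Z[tau] elements are represented as integer pairs (r0, r1) = r0 + r1*tau.

def tnaf(r0, r1, a):
    """Tau-adic NAF digits (least significant first) of r0 + r1*tau, after Solinas."""
    mu = -1 if a == 0 else 1
    digits = []
    while r0 != 0 or r1 != 0:
        if r0 % 2 != 0:
            # r0 odd: pick u in {1, -1} so that (r0 - u) + r1*tau is divisible by tau^2,
            # which is what forces the non-adjacent property of the expansion
            u = 2 - ((r0 - 2 * r1) % 4)
            r0 -= u
        else:
            u = 0
        digits.append(u)
        # divide by tau using 1/tau = (mu - tau)/2:
        # (r0 + r1*tau)/tau = (r1 + mu*r0/2) - (r0/2)*tau   (r0 is even here)
        r0, r1 = r1 + mu * (r0 // 2), -(r0 // 2)
    return digits

def eval_tau(digits, a):
    """Evaluate sum u_i * tau^i back into Z[tau] by Horner's rule; returns (x0, x1)."""
    mu = -1 if a == 0 else 1
    x0, x1 = 0, 0
    for u in reversed(digits):
        # (x0 + x1*tau)*tau + u = (-2*x1 + u) + (x0 + mu*x1)*tau
        x0, x1 = -2 * x1 + u, x0 + mu * x1
    return x0, x1

def is_naf(digits):
    """True if no two adjacent digits are both nonzero."""
    return all(digits[i] == 0 or digits[i + 1] == 0 for i in range(len(digits) - 1))

def tau_and_add_cost(digits):
    """Operation count of a left-to-right tau-and-add loop: (tau applications, point additions).

    Assumed model: one tau per digit after the leading one, one addition per
    nonzero digit after the leading one (the leading digit initialises the accumulator).
    """
    taus = max(len(digits) - 1, 0)
    adds = max(sum(1 for u in digits if u != 0) - 1, 0)
    return taus, adds

if __name__ == "__main__":
    d = tnaf(7, 0, 1)          # constructed sample scalar k = 7 on E_1
    print(d, eval_tau(d, 1), is_naf(d), tau_and_add_cost(d))
```

Because tau is almost free with a normal basis, only the number of nonzero digits (the additions) materially drives the cost, which is the quantity the paper's combined halving/Frobenius decomposition reduces.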
