Efficient arithmetic on elliptic curves using a mixed Edwards-Montgomery representation
نویسندگان
چکیده
From the viewpoint of x-coordinate-only arithmetic on elliptic curves, switching between the Edwards model and the Montgomery model is quasi cost-free. We use this observation to speed up Montgomery’s algorithm, reducing the complexity of a doubling step from 2M + 2S to 1M + 3S for suitably chosen curve parameters. 1 Montgomery’s algorithm Aiming for an improved performance of Lenstra’s elliptic curve factorization method [6], Montgomery developed a very efficient algorithm to compute in the group associated to an elliptic curve over a non-binary finite field Fq, in which only x-coordinates are involved [8]. The algorithm also proves useful for point compression in elliptic curve cryptography. More precisely, instead of sending a point as part of some cryptographic protocol, one can reduce the communication cost by sending just its x-coordinate. From this, the receiver can compute the x-coordinate of any scalar multiple using Montgomery’s method. This idea was first mentioned in [7]. The type of curves Montgomery considered are of the following non-standard Weierstrass type MA,B : By = x +Ax + x, A ∈ Fq \ {±2}, B ∈ Fq \ {0}, which is now generally referred to as a Montgomery form. His method works as follows. Let P = (x1, y1, z1) be a point on MA,B , the projective closure of MA,B , and for any n ∈ N write n · P = (xn, yn, zn), where the multiple is taken in the algebraic group MA,B ,⊕ with neutral element O = (0, 1, 0). Then the following recursive relations hold: for any m,n ∈ N such that m 6= n we have xm+n = zm−n ((xm − zm)(xn + zn) + (xm + zm)(xn − zn)) , zm+n = xm−n ((xm − zm)(xn + zn)− (xm + zm)(xn − zn)) . (ADD)
منابع مشابه
On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic
Supersingular isogeny Diffie-Hellman (SIDH) is a proposal for a quantumresistant key exchange. The state-of-the-art implementation works entirely with Montgomery curves and basically can be divided into elliptic curve arithmetic and isogeny arithmetic. It is well known that twisted Edwards curves can provide a more efficient elliptic curve arithmetic. Therefore it was hinted by Costello and His...
متن کاملECM using Edwards curves
This paper introduces EECM-MPFQ, a fast implementation of the elliptic-curve method of factoring integers. EECM-MPFQ uses fewer modular multiplications than the well-known GMP-ECM software, takes less time than GMP-ECM, and finds more primes than GMP-ECM. The main improvements above the modular-arithmetic level are as follows: (1) use Edwards curves instead of Montgomery curves; (2) use extende...
متن کاملFast Algorithm for Converting Ordinary Elliptic Curves into Binary Edward Form
Scalar multiplication is computationally the most expensive operation in elliptic curve cryptosystems. Many techniques in literature have been proposed for speeding up scalar multiplication. In 2008, Bernstein et al proposed binary Edwards curves on which scalar multiplication is faster than traditional curves. At Crypto 2009, Bernstein obtained the fastest implementation for scalar multiplicat...
متن کاملTwisted μ4-Normal Form for Elliptic Curves
We introduce the twisted μ4-normal form for elliptic curves, deriving in particular addition algorithms with complexity 9M+ 2S and doubling algorithms with complexity 2M + 5S + 2m over a binary field. Every ordinary elliptic curve over a finite field of characteristic 2 is isomorphic to one in this family. This improvement to the addition algorithm, applicable to a larger class of curves, is co...
متن کاملCombining leak-resistant arithmetic for elliptic curves defined over Fp and RNS representation
In this paper we combine the residue number system (RNS) representation and the leakresistant arithmetic on elliptic curves. These two techniques are relevant for implementation of elliptic curve cryptography on embedded devices. It is well known that the RNS multiplication is very efficient whereas the reduction step is costly. Hence, we optimize formulae for basic operations arising in leak-r...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2008 شماره
صفحات -
تاریخ انتشار 2008