Scalar Multiplication on Elliptic Curves by Frobenius Expansions

Koblitz has suggested to use “anomalous” elliptic curves defined over F₂, which are non-supersingular and allow for efficient multiplication of a point by an integer. For these curves, Meier and Staffelbach gave a method to find a polynomial of the Frobenius map corresponding to a given multiplier. Muller generalized their method to arbitrary non-supersingular elliptic curves defined over a small field of characteristic 2. In this paper, we propose an algorithm to speed up scalar multiplication on an elliptic curve defined over a small field. The proposed algorithm uses the same technique as Muller's to get an expansion by the Frobenius map, but its expansion length is half of Muller's due to the reduction step (Algorithm 1). Also, it uses a more efficient algorithm (Algorithm 3) to perform multiplication using the Frobenius expansion. Consequently, the proposed algorithm is two times faster than Muller's. Moreover, it can be applied to an elliptic curve defined over a finite field with odd characteristic and does not require any precomputation or additional memory.     

Two fast algorithms for computing point scalar multiplications on elliptic curves

The key operation in Elliptic Curve Cryptosystems(ECC) is point scalar multiplication. Making use of Frobenius endomorphism, Mfiller and Smart proposed two efficient algorithms for point scalar multiplications over even or odd finite fields respectively. This paper reduces thec orresponding multiplier by modulo τ^k-1 … τ 1 and improves the above algorithms. Implementation of our Algorithm 1 in Maple for a given elliptic curve shows that it is at least as twice fast as binary method. By setting up a precomputation table, Algorithm 2, an improved version of Algorithm 1, is proposed. Since the time for the precomputation table can be considered free, Algorithm 2 is about (3/2) log2 q - 1 times faster than binary method for an elliptic curve over Fq.     

Speeding up Scalar Multiplication in Genus 2 Hyperelliptic Curves with Efficient Endomorphisms

This paper proposes an efficient scalar multiplication algorithm for hyperelliptic curves, which is based on the idea that efficient endomorphisms can be used to speed up scalar multiplication. We first present a new Frobenius expansion method for special hyperelliptic curves that have Gallant‐Lambert‐Vanstone (GLV) endomorphisms. To compute kD for an integer k and a divisor D, we expand the integer k by the Frobenius endomorphism and the GLV endomorphism. We also present improved scalar multiplication algorithms that use the new expansion method. By our new expansion method, the number of divisor doublings in a scalar multiplication is reduced to a quarter, while the number of divisor additions is almost the same. Our experiments show that the overall throughputs of scalar multiplications are increased by 15.6 to 28.3 % over the previous algorithms when the algorithms are implemented over finite fields of odd characteristics.     

一类j=0超奇异椭圆曲线的性质及其标量乘算法

针对非超奇异椭圆曲线上的标量乘算法已经有比较多的研究.与非超奇异曲线不同,超奇异椭圆曲线的自同态环是四元数代数的一个序模,为非交换环.本文主要针对特征大于3的有限域上一类j不变量为0的超奇异椭圆曲线,分析了曲线自同态环及其商环的结构.进而研究了此类曲线上整数表示的性质,并基于这种表示方法提出了一种针对此类曲线的标量乘算法.理论上证明了针对此类超奇异曲线,当选择合适系数集合时,此表示实质上为p-adic展开.实验结果表明：相较于4-NAF等方法,p-adic表示方法提高标量乘效率一倍以上.     

Endomorphisms for Faster Elliptic Curve Cryptography on a Large Class of Curves

Efficiently computable homomorphisms allow elliptic curve point multiplication to be accelerated using the Gallant–Lambert–Vanstone (GLV) method. Iijima, Matsuo, Chao and Tsujii gave such homomorphisms for a large class of elliptic curves by working over \mathbbF_p²{\mathbb{F}}_{p^{2}}. We extend their results and demonstrate that they can be applied to the GLV method.     

Fault-Based Attack on Montgomery��s Ladder Algorithm

In this paper we present invalid-curve attacks that apply to the Montgomery ladder elliptic curve scalar multiplication (ECSM) algorithm. An elliptic curve over the binary field is defined using two parameters, a and b. We show that with a different “value” for curve parameter a, there exists a cryptographically weaker group in nine of the ten NIST-recommended elliptic curves over \mathbbF_2^m\mathbb{F}_{2^{m}}. Thereafter, we present two attacks that are based on the observation that parameter a is not utilized for the Montgomery ladder algorithms proposed by López and Dahab (CHES 1999: Cryptographic Hardware and Embedded Systems, LNCS, vol. 1717, pp. 316–327, Springer, Berlin, 1999). We also present the probability of success of such attacks for general and NIST-recommended elliptic curves. In addition we give some countermeasures to resist these attacks.     

Fast Reconfigurable Elliptic Curve Cryptography Acceleration for <Emphasis Type="Italic">GF</Emphasis>(2<Superscript><Emphasis Type="Italic">m</Emphasis></Superscript>) on 32 bit Processors

This paper focuses on the design and implementation of a fast reconfigurable method for elliptic curve cryptography acceleration in GF(2 ^m ). The main contribution of this paper is comparing different reconfigurable modular multiplication methods and modular reduction methods for software implementation on Intel IA-32 processors, optimizing point arithmetic to reduce the number of expensive reduction operations through a novel reduction sharing technique, and measuring performance for scalar point multiplication in GF(2 ^m ) on Intel IA-32 processors. This paper determined that systematic reduction is best for fields defined with trinomials or pentanomials; however, for fields defined with reduction polynomials with large Hamming weight Barrett reduction is best. In GF(2⁵⁷¹) for Intel P4 2.8 GHz processor, long multiplication with systematic reduction was 2.18 and 2.26 times faster than long multiplication with Barrett or Montgomery reduction. This paper determined that Montgomery Invariant scalar point multiplication with Systematic reduction in Projective coordinates was the fastest method for single scalar point multiplication for the NIST fields from GF(2¹⁶³) to GF(2⁵⁷¹). For single scalar point multiplication on a reconfigurable elliptic curve cryptography accelerator, we were able to achieve ∼6.1 times speedup using reconfigurable reduction methods with long multiplication, Montgomery’s MSB Invariant method in projective coordinates, and systematic reduction. Further extensions were made to implement fast reconfigurable elliptic curve cryptography for repeated scalar point multiplication on the same base point. We also show that for L > 20 the LSB invariant method combined with affine doubling precomputation outperforms the LSB invariant method combined with López-Dahab doubling precomputation for all reconfigurable reduction polynomial techniques in GF(2⁵⁷¹) for Intel IA-32 processors. For L = 1000, the LSB invariant scalar point multiplication method was 13.78 to 34.32% faster than using the fastest Montgomery Invariant scalar point multiplication method on Intel IA-32 processors.     

优化扩域上椭圆曲线标量乘的一个新算法

提出了一种优化扩域上椭圆曲线标量乘的新算法.算法基于Frobenius映射和二进制串的逻辑操作.文中对这个算法给出了细致精确的分析,而且在此基础上对新算法作了进一步改进.最后从理论分析和实际仿真两个方面就新算法和传统算法进行了比较.指出新算法执行时间比传统的φ-adic算法要少20%到40%.     

Design of highly efficient elliptic curve crypto-processor with two multiplications over GF（2^163）

In this article, a parallel hardware processor is presented to compute elliptic curve scalar multiplication in polynomial basis representation. The processor is applicable to the operations of scalar multiplication by using a modular arithmetic logic unit (MALU). The MALU consists of two multiplications, one addition, and one squaring. The two multiplications and the addition or squaring can be computed in parallel. The whole computations of scalar multiplication over GF(2163) can be performed in 3 064 cycles. The simulation results based on Xilinx Virtex2 XC2V6000 FPGAs show that the proposed design can compute random GF(2163) elliptic curve scalar multiplication operations in 31.17 μs, and the resource occupies 3 994 registers and 15 527 LUTs, which indicates that the crypto-processor is suitable for high-performance application.     

Speed up rational point scalar multiplications on elliptic curves by Frobenius equations

Let q be a power of a prime and φ be the Frobenius endomorphism on E（Fqk）, then q = tφ - φ^2. Applying this equation, a new algorithm to compute rational point scalar multiplications on elliptic curves by finding a suitable small positive integer s such that q^s can be represented as some very sparse φ-polynomial is proposed. If a Normal Basis （NB） or Optimal Normal Basis （ONB） is applied and the precomputations are considered free, our algorithm will cost, on average, about 55% to 80% less than binary method, and about 42% to 74% less than φ-ary method. For some elliptic curves, our algorithm is also taster than Mǖller＇s algorithm. In addition, an effective algorithm is provided for finding such integer s.     

Faster Ate Pairing Computation over Pairing‐Friendly Elliptic Curves Using GLV Decomposition

The preexisting pairings ate, ate_i, R‐ate, and optimal‐ate use q‐expansion, where q is the size of the defining field for the elliptic curves. Elliptic curves with small embedding degrees only allow a few of these pairings. In such cases, efficiently computable endomorphisms can be used, as in [11] and [12]. They used the endomorphisms that have characteristic polynomials with very small coefficients, which led to some restrictions in finding various pairing‐friendly curves. To construct more pairing‐friendly curves, we consider μ‐expansion using the Gallant‐Lambert‐Vanstone (GLV) decomposition method, where μ is an arbitrary integer. We illustrate some pairing‐friendly curves that provide more efficient pairing from the μ‐expansion than from the ate pairing. The proposed method can achieve timing results at least 20% faster than the ate pairing.     

Efficient Exponentiation in Extensions of Finite Fields without Fast Frobenius Mappings

This paper proposes an exponentiation method with Frobenius mappings. The main target is an exponentiation in an extension field. This idea can be applied for scalar multiplication of a rational point of an elliptic curve defined over an extension field. The proposed method is closely related to so‐called interleaving exponentiation. Unlike interleaving exponentiation methods, it can carry out several exponentiations of the same base at once. This happens in some pairing‐based applications. The efficiency of using Frobenius mappings for exponentiation in an extension field was well demonstrated by Avanzi and Mihailescu. Their exponentiation method efficiently decreases the number of multiplications by inversely using many Frobenius mappings. Compared to their method, although the number of multiplications needed for the proposed method increases about 20%, the number of Frobenius mappings becomes small. The proposed method is efficient for cases in which Frobenius mapping cannot be carried out quickly.     

一类安全椭圆曲线的选取及其标量乘法的快速计算

安全椭圆曲线的选取和标量乘法的快速计算是有效实现椭圆曲线密码体制的两个主要问题.本文将二者结合起来考虑给出了一类适合普通PC机实现的安全椭圆曲线,并详细给出了选取这类曲线的具体步骤和基于"大步-小步法"思想构造了一种新的计算这类曲线上标量乘法的快速算法.这类曲线不仅选取容易而且利用本文所提出方法计算其标量乘法时能使所需椭圆曲线运算次数大大减少.此外,选用这类曲线后基域中元素不再需要专门的表示方法,各种运算能非常快地得到实现,从而能极大地提高体制的整体实现速度.     

A Method for Distinguishing the Two Candidate Elliptic Curves in the Complex Multiplication Method

In this paper, we particularly deal with no F_p‐rational two‐torsion elliptic curves, where F_p is the prime field of the characteristic p. First we introduce a shift product‐based polynomial transform. Then, we show that the parities of (#E – 1)/2 and (#E’ – 1)/2 are reciprocal to each other, where #E and #E’ are the orders of the two candidate curves obtained at the last step of complex multiplication (CM)‐based algorithm. Based on this property, we propose a method to check the parity by using the shift product‐based polynomial transform. For a 160 bits prime number as the characteristic, the proposed method carries out the parity check 25 or more times faster than the conventional checking method when 4 divides the characteristic minus 1. Finally, this paper shows that the proposed method can make CM‐based algorithm that looks up a table of precomputed class polynomials more than 10 percent faster.     

High-performance Public-key Cryptoprocessor for Wireless Mobile Applications

We present a high-speed public-key cryptoprocessor that exploits three-level parallelism in Elliptic Curve Cryptography (ECC) over GF(2 ⁿ ). The proposed cryptoprocessor employs a Parallelized Modular Arithmetic Logic Unit (P-MALU) that exploits two types of different parallelism for accelerating modular operations. The sequence of scalar multiplications is also accelerated by exploiting Instruction-Level Parallelism (ILP) and processing multiple P-MALU instructions in parallel. The system is programmable and hence independent of the type of the elliptic curves and scalar multiplication algorithms. The synthesis results show that scalar multiplication of ECC over GF(2¹⁶³) on a generic curve can be computed in 20 and 16 μs respectively for the binary NAF (Non-Adjacent Form) and the Montgomery method. The performance can be accelerated furthermore on a Koblitz curve and reach scalar multiplication of 12 μs with the TNAF (τ-adic NAF) method. This fast performance allows us to perform over 80,000 scalar multiplications per second and to enhance security in wireless mobile applications.

Four-Dimensional Gallant–Lambert–Vanstone Scalar Multiplication

The GLV method of Gallant, Lambert, and Vanstone (CRYPTO 2001) computes any multiple kP of a point P of prime order n lying on an elliptic curve with a low-degree endomorphism Φ (called GLV curve) over $\mathbb{F}_{p}$ as $$kP = k_1P + k_2\varPhi(P) \quad\text{with } \max \bigl\{ |k_1|,|k_2| \bigr\} \leq C_1\sqrt{n} $$ for some explicit constant C ₁>0. Recently, Galbraith, Lin, and Scott (EUROCRYPT 2009) extended this method to all curves over $\mathbb{F}_{p^{2}}$ which are twists of curves defined over $\mathbb{F}_{p}$ . We show in this work how to merge the two approaches in order to get, for twists of any GLV curve over $\mathbb{F}_{p^{2}}$ , a four-dimensional decomposition together with fast endomorphisms Φ,Ψ over $\mathbb{F}_{p^{2}}$ acting on the group generated by a point P of prime order n, resulting in a proven decomposition for any scalar k∈[1,n] given by $$kP=k_1P+ k_2\varPhi(P)+ k_3\varPsi(P) + k_4\varPsi\varPhi(P) \quad \text{with } \max_i \bigl(|k_i| \bigr)< C_2\, n^{1/4} $$ for some explicit C ₂>0. Remarkably, taking the best C ₁,C ₂, we obtain C ₂/C ₁<412, independently of the curve, ensuring in theory an almost constant relative speedup. In practice, our experiments reveal that the use of the merged GLV–GLS approach supports a scalar multiplication that runs up to 1.5 times faster than the original GLV method. We then improve this performance even further by exploiting the Twisted Edwards model and show that curves originally slower may become extremely efficient on this model. In addition, we analyze the performance of the method on a multicore setting and describe how to efficiently protect GLV-based scalar multiplication against several side-channel attacks. Our implementations improve the state-of-the-art performance of scalar multiplication on elliptic curves over large prime characteristic fields for a variety of scenarios including side-channel protected and unprotected cases with sequential and multicore execution.     

On the Efficient Generation of Prime-Order Elliptic Curves

We consider the generation of prime-order elliptic curves (ECs) over a prime field \mathbbF_p\mathbb{F}_{p} using the Complex Multiplication (CM) method. A crucial step of this method is to compute the roots of a special type of class field polynomials with the most commonly used being the Hilbert and Weber ones. These polynomials are uniquely determined by the CM discriminant D. In this paper, we consider a variant of the CM method for constructing elliptic curves (ECs) of prime order using Weber polynomials. In attempting to construct prime-order ECs using Weber polynomials, two difficulties arise (in addition to the necessary transformations of the roots of such polynomials to those of their Hilbert counterparts). The first one is that the requirement of prime order necessitates that D≡3mod8), which gives Weber polynomials with degree three times larger than the degree of their corresponding Hilbert polynomials (a fact that could affect efficiency). The second difficulty is that these Weber polynomials do not have roots in \mathbbF_p\mathbb{F}_{p} .     

基于Markov链的椭圆曲线标量乘法算法性能分析

在椭圆曲线密码系统中,采用规范重编码、滑动窗口等优化技术可以有效提高椭圆曲线上点的标量乘法k·P的运算性能,但在实现中,需要对不同优化技术的算法性能进行定量分析,才能确定标量乘法的最优实现.本文运用Markov链对标量k规范重编码表示的滑动窗口划分过程进行了建模,提出了一种对椭圆曲线标量乘法的平均算法性能进行定量分析的方法,并运用该方法分析了不同参数下标量乘法运算的平均性能,计算了滑动窗口的最优窗口大小.最后,通过比较说明,采用规范重编码和滑动窗口技术的椭圆曲线标量乘法的运算开销比用m-ary法少10.32~17.32％,比单纯采用滑动窗口法也要少4.53~8.40％.     

Random Point Blinding Methods for Koblitz Curve Cryptosystem

While the elliptic curve cryptosystem (ECC) is getting more popular in securing numerous systems, implementations without consideration for side‐channel attacks are susceptible to critical information leakage. This paper proposes new power attack countermeasures for ECC over Koblitz curves. Based on some special properties of Koblitz curves, the proposed methods randomize the involved elliptic curve points in a highly regular manner so the resulting scalar multiplication algorithms can defeat the simple power analysis attack and the differential power analysis attack simultaneously. Compared with the previous countermeasures, the new methods are also noticeable in terms of computational cost.     

有限域上的圆锥曲线的数乘运算

文中介绍了有限域上的圆锥曲线的点群结构及加法运算,给出了三种不同的方法计算加法,并进一步比较了他们在数乘运算中的效率。同时通过和椭圆曲线的比较,显示了圆锥曲线在点的运算方面具有明显的优势。