TY - GEN

T1 - Faster repeated doublings on binary elliptic curves

AU - Doche, Christophe

AU - Sutantyo, Daniel

PY - 2014

Y1 - 2014

N2 - The use of precomputed data to speed up a cryptographic protocol is commonplace. For instance, the owner of a public point P on an elliptic curve can precompute various points of the form [2k]P and transmit them together with P. One inconvenience of this approach though may be the amount of information that needs to be exchanged. In the situation where the bandwidth of the transmissions is limited, this idea can become impractical. Instead, we introduce a new scheme that needs only one extra bit of information in order to efficiently and fully determine a point of the form [2k]P on a binary elliptic curve. It relies on the x-doubling operation, which allows to compute the point [2k]P at a lower cost than with regular doublings. As we trade off regular doublings for -doublings, we use multi-scalar multiplication techniques, such as the Joint Sparse Form or interleaving with NAFs. This idea gives rise to several methods, which are faster than Montgomery's method in characteristic . A software implementation shows that our method called induces a speed-up between 4 and 18 % for finite fields double-struck F2d with d between 233 and 571. We also generalize to characteristic the scheme of Dahmen et al. in order to precompute all odd points [3]P, [5]P,..., [2t-1]P in affine coordinates at the cost of a single inversion and some extra field multiplications. We use this scheme with -doublings as well as with the window NAF method in López-Dahab coordinates.

AB - The use of precomputed data to speed up a cryptographic protocol is commonplace. For instance, the owner of a public point P on an elliptic curve can precompute various points of the form [2k]P and transmit them together with P. One inconvenience of this approach though may be the amount of information that needs to be exchanged. In the situation where the bandwidth of the transmissions is limited, this idea can become impractical. Instead, we introduce a new scheme that needs only one extra bit of information in order to efficiently and fully determine a point of the form [2k]P on a binary elliptic curve. It relies on the x-doubling operation, which allows to compute the point [2k]P at a lower cost than with regular doublings. As we trade off regular doublings for -doublings, we use multi-scalar multiplication techniques, such as the Joint Sparse Form or interleaving with NAFs. This idea gives rise to several methods, which are faster than Montgomery's method in characteristic . A software implementation shows that our method called induces a speed-up between 4 and 18 % for finite fields double-struck F2d with d between 233 and 571. We also generalize to characteristic the scheme of Dahmen et al. in order to precompute all odd points [3]P, [5]P,..., [2t-1]P in affine coordinates at the cost of a single inversion and some extra field multiplications. We use this scheme with -doublings as well as with the window NAF method in López-Dahab coordinates.

UR - http://www.scopus.com/inward/record.url?scp=84902603150&partnerID=8YFLogxK

U2 - 10.1007/978-3-662-43414-7_23

DO - 10.1007/978-3-662-43414-7_23

M3 - Conference proceeding contribution

AN - SCOPUS:84902603150

SN - 9783662434130

VL - 8282 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 456

EP - 470

BT - Selected Areas in Cryptography, SAC 2013 - 20th International Conference, Revised Selected Papers

A2 - Lange, Tanja

A2 - Lauter, Kristin

A2 - Lisoněk, Petr

PB - Springer, Springer Nature

CY - Heidelberg

T2 - 20th International Conference on Selected Areas in Cryptography, SAC 2013

Y2 - 14 August 2013 through 16 August 2013

ER -