Abstract
We present a secure and efficient scalar multiplication method for supersingular elliptic curves over binary fields based on Montgomery’s ladder algorithm. Our approach uses only the x-coordinate of elliptic curve points to perform scalar multiplication, requires no precomputation and executes the same number of operations over the binary field in every iteration. When applied to projective coordinates, our method is faster than the other typical scalar multiplication methods in practical situations.
A Appendix: Montgomery’s Ladder Invariant
Lemma 1
Every iteration in Montgomery’s ladder algorithm to compute \(kP_0\), where \(k = (k_{n-1}, k_{n-2}, \ldots , k_0)_2\), keeps the difference \(S - R = P_0\).
Proof
Before the first iteration, we have \(R = P_0\) and \(S = 2P_0\), and thus \(S - R = P_0\). Now assume that during an iteration \(0 \le i \le l-2\) we have \(R = nP_0\) and \(S = (n+1)P_0\), where \(1 \le n\le k\), so the difference \(S - R = P_0\) holds. To prove that the invariant \(S - R = P_0\) still holds in iteration \(i+1\), we must consider two cases:
- if \(k_i = 0\): the values of R and S are updated such that \(R = 2nP_0\) and \(S = (n + n + 1)P_0 = (2n+1)P_0\). We can see that the difference \(S - R = P_0\) holds in this case.
- if \(k_i = 1\): the values of R and S are updated such that \(R = (n + n + 1)P_0 = (2n+1)P_0\) and \(S = 2(n+1)P_0 = (2n+2)P_0\). We can see that the difference \(S - R = P_0\) holds in this case too.
By the end of the iterations, we have \(i = 0\) and \(S - R = P_0\) is maintained.
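A check of Lemma 1 on a concrete curve, added here as an illustration and not taken from the paper: the ladder is run with full affine points (not the paper's x-only formulas) on a toy supersingular curve over \(GF(2^7)\), and \(S - R\) is compared with \(P_0\) before the loop and after every iteration. The field polynomial, the curve coefficients and all function names are assumptions chosen for this example.

```python
M, POLY = 7, 0b10000011   # constructed toy field GF(2^7), polynomial x^7 + x + 1
A, B = 1, 1               # toy supersingular curve y^2 + y = x^3 + A*x + B

def fmul(a, b):
    r = 0
    while b:                      # shift-and-add multiplication in GF(2^M)
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> M:
            a ^= POLY
    return r

def finv(a):                      # exhaustive search, fine for 128 elements
    return next(b for b in range(1, 1 << M) if fmul(a, b) == 1)

def neg(P):
    return None if P is None else (P[0], P[1] ^ 1)   # -(x, y) = (x, y + 1)

def add(P, Q):
    """Affine group law; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and y1 != y2:
        return None                                   # Q = -P
    if x1 == x2:
        lam = fmul(x1, x1) ^ A                        # tangent slope
        x3 = fmul(lam, lam)
    else:
        lam = fmul(y1 ^ y2, finv(x1 ^ x2))            # chord slope
        x3 = fmul(lam, lam) ^ x1 ^ x2
    return (x3, fmul(lam, x1 ^ x3) ^ y1 ^ 1)

def find_point():                 # first affine point, by exhaustive search
    return next((x, y) for x in range(1 << M) for y in range(1 << M)
                if fmul(y, y) ^ y == fmul(fmul(x, x), x) ^ fmul(A, x) ^ B)

def ladder(k, P0):
    """Return (k*P0, whether S - R == P0 held initially and after every step)."""
    R, S = P0, add(P0, P0)
    held = add(S, neg(R)) == P0
    for i in reversed(range(k.bit_length() - 1)):
        if (k >> i) & 1:
            R, S = add(R, S), add(S, S)               # k_i = 1
        else:
            R, S = add(R, R), add(R, S)               # k_i = 0
        held = held and add(S, neg(R)) == P0
    return R, held
```

Both branches perform one addition and one doubling, which is the per-iteration regularity the abstract refers to; `ladder(k, find_point())` returns the result together with the invariant flag for any `k >= 1`.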
© 2015 Springer International Publishing Switzerland
Cite this paper
de Oliveira, M.F., Henriques, M.A.A. (2015). A Secure and Efficient Method for Scalar Multiplication on Supersingular Elliptic Curves over Binary Fields. In: Desmedt, Y. (eds) Information Security. Lecture Notes in Computer Science, vol 7807. Springer, Cham. https://doi.org/10.1007/978-3-319-27659-5_29
DOI: https://doi.org/10.1007/978-3-319-27659-5_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27658-8
Online ISBN: 978-3-319-27659-5
eBook Packages: Computer Science (R0)