Skew Frobenius Map on Binary Edwards Curves

In this work we analyse the GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) which uses a fast endomorphism ' with minimal polynomial X2 +rX +s to compute any multiple kP of a point P of order n lying on an elliptic curve. First we flll in a gap in the proof of the bound of the kernel K vectors of the reduction map f : (i;j)7! i+‚j (mod n). In particular, we prove the GLV decomposition with explicit constant kP = k1P + k2'(P); with maxfjk1j;jk2jgp 1 +jrj + s p n : Next we improve on this bound and give the best constant in the given ex- amples for the quantity supk;n maxfjk1j;jk2jg= p n. Independently Park, Jeong, Kim, and Lim (PKC 2002) have given similar but slightly weaker bounds. Finally we provide the flrst explicit bounds for the GLV method gener- alised to hyperelliptic curves as described in Park, Jeong and Lim (EU- ROCRYPT 2002).

2008

Lecture Notes in Computer Science, 2003

In this work we analyse the GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) which uses a fast endomorphism Φ with minimal polynomial X 2 + rX + s to compute any multiple kP of a point P of order n lying on an elliptic curve. First we fill in a gap in the proof of the bound of the kernel K vectors of the reduction map f : (i, j) → i + λj (mod n). In particular, we prove the GLV decomposition with explicit constant kP = k1P + k2Φ(P ), with max{|k1|, |k2|} ≤ 1 + |r| + s √ n .

Lecture Notes in Computer Science, 2004

We describe a new scalar multiplication algorithm for elliptic and hyperelliptic curve cryptosystems. The algorithm is obtained by combining Koblitz's idea of using Frobenius automorphism along with a very special kind of look-up table. In the case where the base point is unknown, we present an efficient algorithm to compute the look-up table online. Our algorithm applies to prime power fields GF (p n). One important subclass of such fields are Optimal Extension Fields (OEF's) which are believed to be ideal for efficient implementation of cryptographic primitives. Over prime power fields, our algorithm compares favourably to other known algorithms for scalar multiplication.

ADVANCES IN CRYPTOLOGY EUROCRYPT 2009Book Series Lecture Notes in Computer Science, 2009

Efficiently computable homomorphisms allow elliptic curve point multiplication to be accelerated using the Gallant-Lambert-Vanstone (GLV) method. Iijima, Matsuo, Chao and Tsujii gave such homomorphisms for a large class of elliptic curves by working over F p 2 . We extend their results and demonstrate that they can be applied to the GLV method. In general we expect our method to require about 0.75 the time of previous best methods (except for subfield curves, for which Frobenius expansions can be used). We give detailed implementation results which show that the method runs in between 0.70 and 0.83 the time of the previous best methods for elliptic curve point multiplication on general curves. This is the full version of a paper published at Eurocrypt 2009.

eprint.iacr.org

This paper presents a deterministic algorithm for converting points on an ordinary elliptic curve (defined over a field of characteristic 2) to points on a complete binary Edwards curve. This avoids the problem of choosing curve parameters at random. When implemented on a large (512 bit) hardware multiplier, computation of point multiplication using this algorithm performs significantly better, in terms of code complexity, code coverage and timing, than the standard implementation. In addition, we propose a simple modification to the birational equivalence detailed in the paper by Bernstein et al. which both reduces the number of inversions required in the affine mapping and has fewer exceptional points. Finally, we compare software implementations using this efficient point multiplication for binary Edwards curves with computations on elliptic curves in Weierstrass form.

Lecture Notes in Computer Science, 2003

In most algorithms involving elliptic curves, the most expensive part consists in computing multiples of points. This paper investigates how to extend the τ -adic expansion from Koblitz curves to a larger class of curves defined over a prime field having an efficiently-computable endomorphism φ in order to perform an efficient point multiplication with efficiency similar to Solinas' approach presented at CRYPTO '97. Furthermore, many elliptic curve cryptosystems require the computation of k0P +k1Q. Following the work of Solinas on the Joint Sparse Form, we introduce the notion of φ-Joint Sparse Form which combines the advantages of a φ-expansion with the additional speedup of the Joint Sparse Form. We also present an efficient algorithm to obtain the φ-Joint Sparse Form. Then, the double exponentiation can be done using the φ endomorphism instead of doubling, resulting in an average of l applications of φ and l/2 additions, where l is the size of the ki's. This results in an important speed-up when the computation of φ is particularly effective, as in the case of Koblitz curves.

Journal of Digital Information Management, 2022

Let be a finite ring of characteristic 2, where e 2 = e and n is a positive integer. Let (a, d) 2 () 2 , such that a and d + a 2 + a are invertible in , we study the binary Edwards curve over this ring, denoted by and we give a bijection between this curve and produces two binary Edwards curves defined on the finite field. Afterthat we study the addition law of binary Edwards curves over the ring. We end this work with cryptography applications, ElGamal twisted Edwards curve cryptosystem and Cramer-Shoup twisted Edwards curve cryptosystem.

Let E 1 and E 2 be two elliptic curves over a number field K. For a place v of K of good reduction for E 1 and for E 2 , let F (E 1 , v) and F (E 2 , v) denote the splitting fields of the characteristic polynomials of the Frobenius automorphism at v acting on the Tate modules of E 1 and E 2 respectively. F (E 1 , v) and F (E 2 , v) are called the Frobenius fields of E 1 and E 2 at v. Assume that at least one of the two elliptic curves is without complex multiplication. Then, we show that the set of places v of K of good reduction such that F (E 1 , v) = F (E 2 , v) has positive upper density if and only if E 1 and E 2 are isogenous over some extension of K. We use this result to prove that, for an elliptic curve E over a number field K, the set of finite places v of K such that F (E, v) equals a fixed imaginary quadratic field F has positive upper density iff E has complex multiplication by F .

International Journal of Algebra, 2013

Edwards curves, introduced in 2007 by Harold Edwards, has been widely studied for cryptography applications by many authors. This paper introduces a kind of Generalized Edwards Twisted Curves and Generalized Binary Edwards Curves which are birationally equivalent to some hyperelliptic curves of genus 2. Two different versions are proposed for the generalization of the binary Edwards form elliptic curve in order to have binary form hyperelliptic curves of genus 2.

Lecture Notes in Computer Science, 2013

IACR Cryptol. ePrint Arch., 2010

This paper presents a new model of ordinary elliptic curves with fast arithmetic over field of characteristic two. In addition, we propose two isomorphism maps between new curves and Weierstrass curves. This paper proposes new explicit addition law for new binary curves and prove the addition law corresponds to the usual addition law on Weierstrass curves. This paper also presents fast unified addition formulae and doubling formulae for these curves. The unified addition formulae cost 12M +2D, where M is the cost of a field multiplication, and D is the cost of multiplying by a curve parameter. These formulae are more efficient than other formulae in literature. Finally, this paper presents explicit formulae for w-coordinates differential addition. In a basic step of Montgomery ladder, the cost of a projective differential addition and doubling are 5M and 1M +1D respectively, and the cost of mixed w-coordinates differential addition is 4M .

2011

Finding multiplicative inverse (Modular Inversion) operation is the most time-consuming operation in Elliptic Curve Crypto-system (ECC) operations which affects the performance of ECC. Moreover, several factors that affect the design of ECC have not been intensively investigated in the majority of researches related to ECC, Such as system utilization, area, resources-consuming and area*time cost factors, which play significant role in designing efficient ECC for different applications. This work applies Binary Edwards ECC point doubling operation over GF(p) using projective coordinates instead of affine coordinates due to its ability to remove the long time inversion operation by converting it to a number of multiplication operations. We also utilize the inherent parallelism in ECC operations by mapping its computations to parallel hardware design, in order to improve the performance of ECC. Our results show that the shortest time delay is achieved using 7-Parallel Multipliers (PM) ...

IEEE Transactions on Computers, 2002

Lecture Notes in Computer Science, 2002

In this paper the Gallant-Lambert-Vanstone method is reexamined for speeding up scalar multiplication. Using the theory of µ-Euclidian algorithm, we provide a rigorous method to reduce the theoretical bound for the decomposition of an integer k in the endomorphism ring of an elliptic curve. We then compare the two different methods for decomposition through computational implementations.