Two is the fastest prime: lambda coordinates for binary elliptic curves

Abstract

In this work, we present new arithmetic formulas for a projective version of the affine point representation \((x,x+y/x),\) for \(x\ne 0,\) which leads to an efficient computation of the scalar multiplication operation over binary elliptic curves. A software implementation of our formulas applied to a binary Galbraith–Lin–Scott elliptic curve defined over the field \(\mathbb {F}_{2^{254}}\) allows us to achieve speed records for protected/unprotected single/multi-core random-point elliptic curve scalar multiplication at the 127-bit security level. When executed on a Sandy Bridge 3.4 GHz Intel Xeon processor, our software is able to compute a single/multi-core unprotected scalar multiplication in 69,500 and 47,900 clock cycles, respectively, and a protected single-core scalar multiplication in 114,800 cycles. These numbers are improved by around 2 and 46 % on the newer Ivy Bridge and Haswell platforms, respectively, achieving in the latter a protected random-point scalar multiplication in 60,000 clock cycles.

Appendices

Appendix A: Proofs

Proof of Theorem 1

Let \(P=(x_{P}, \lambda _{P})\) be an elliptic point in \(E_{a,b}(\mathbb {F}_{2^m})\). Then, a formula for \(2P = (x_{2P}, \lambda _{2P})\) is given by

$$\begin{aligned} x_{2P}&= \lambda ^2_{P} + \lambda _{P} + a\\ \lambda _{2P}&= \frac{x^2_{P}}{x_{2P}} + \lambda ^2_{P} + a + 1. \end{aligned}$$

From [23], page 81, we have the formulas: \(x_{2P} = \lambda ^2_{P} + \lambda _{P} + a\) and \(y_{2P} = x^2_{P} + \lambda _{P}x_{2P} + x_{2P}\). Then, a formula for \(\lambda _{2P}\) can be obtained as follows:

$$\begin{aligned} \lambda _{2P}&= \frac{y_{2P} + x^2_{2P}}{x_{2P}} = \frac{\left( x^2_{P} + \lambda _{P} \cdot x_{2P} + x_{2P}\right) + x^2_{2P}}{x_{2P}}\\&= \frac{x^2_{P}}{x_{2P}} + \lambda _{P} + 1 + x_{2P} = \frac{x^2_{P}}{x_{2P}} + \lambda _{P} + 1\\&+ \left( \lambda ^2_{P} + \lambda _{P} + a\right) \\&= \frac{x^2_{P}}{x_{2P}} + \lambda ^2_{P} + a + 1. \end{aligned}$$

In affine coordinates, the doubling formula requires one division and two squarings. Given the point \(P = (X_{P}, L_{P}, Z_{P})\) in the \(\lambda \)-projective representation, an efficient projective doubling algorithm can be derived by applying the doubling formula to the affine point \((\frac{X_P}{Z_P},\frac{L_P}{Z_P})\). For \(x_{2P}\) we have

$$\begin{aligned} x_{2P}&= \frac{L^2_{P}}{Z^2_{P}} + \frac{L_{P}}{Z_{P}} + a = \frac{L^2_{P} + L_{P} \cdot Z_{P} + a \cdot Z^2_{P}}{Z^2_{P}}\\&= \frac{T}{Z^2_{P}} = \frac{T^2}{T \cdot Z^2_{P}}. \end{aligned}$$

For \(\lambda _{2P}\), we have

$$\begin{aligned} \lambda _{2P}&= \frac{\frac{X^2_{P}}{Z^2_{P}}}{\frac{T}{Z^2_{P}}} + \frac{L^2_{P}}{Z^2_{P}} + a + 1\\&= \frac{X^2_{P} \cdot Z^2_{P} + T \cdot \left( L^2_{P} + (a + 1) \cdot Z^2_{P}\right) }{T \cdot Z^2_{P}}. \end{aligned}$$

From the \(\lambda \)-projective equation, we have the relation \(T \cdot X^2_{P} = X^4_{P} + b \cdot Z^4_{P}\). Then, the numerator \(w\) of \(\lambda _{2P}\) can also be written as follows,

$$\begin{aligned} w&= X^2_{P} \cdot Z^2_{P} + T \cdot \left( L^2_{P} + (a + 1) \cdot Z^2_{P}\right) \\&= X^2_{P} \cdot Z^2_{P} + T \cdot L^2_{P} + T^2 + T^2 + (a + 1) \cdot Z_{2P}\\&= X^2_{P} \cdot Z^2_{P} + T \cdot L^2_{P} + L^4_{P} + L^2_{P} \cdot Z^2_{P} + a^2 \cdot Z^4_{P} + T^2\\&\quad \,\,+ (a + 1) \cdot Z_{2P}\\&= X^2_{P} \cdot Z^2_{P} + T \cdot \left( L^2_{P} + X^2_{P}\right) + X^4_{P} + b \cdot Z^4_{P} + L^4_{P}\\&\quad \,\,+ L^2_{P} \cdot Z^2_{P} + a^2 \cdot Z^4_{P} + T^2 + (a + 1) \cdot Z_{2P}\\&= \left( L^2_{P} + X^2_{P}\right) \cdot \left( \left( L^2_{P} + X^2_{P}\right) + T + Z^2_{P}\right) + T^2\\&\quad \,\,+ (a^2 + b) \cdot Z^4_{P} + (a + 1) \cdot Z_{2P}. \end{aligned}$$

This completes the proof. \(\square \)

Proof of Theorem 2

Let \(P=(x_{P}, \lambda _{P})\) and \(Q=(x_{Q}, \lambda _{Q})\) be elliptic points in \(E_{a,b}(\mathbb {F}_{2^m})\). Then, a formula for \(P+Q = (x_{P+Q}, \lambda _{P+Q})\) is given by

$$\begin{aligned} x_{P+Q}&= \frac{x_{P} \cdot x_{Q}}{(x_{P} + x_{Q})^2}(\lambda _{P} + \lambda _{Q})\\ \lambda _{P+Q}&= \frac{x_{Q} \cdot (x_{P+Q} + x_{P})^2}{x_{P+Q} \cdot x_{P}} + \lambda _{P} + 1. \end{aligned}$$

Since \(P\) and \(Q\) are elliptic points on a non-supersingular curve, we have the following relation: \(y^2_{P} + x_{P} \cdot y_{P} + x^3_{P} + a \cdot x^2_{P} = b = y^2_{Q} + x_{Q} \cdot y_{Q} + x^3_{Q} + a \cdot x^2_{Q}\). The known formula for computing the \(x\)-coordinate of \(P + Q\) is given by \(x_{P+Q} = s^2 + s + x_{P} + x_{Q} + a\), where \(s = \frac{y_{P} + y_{Q}}{x_{P} + x_{Q}}\). Then, one can derive the new formula as follows,

$$\begin{aligned} x_{P+Q}&= \frac{(y_{P} + y_{Q})^2 + (y_{P} + y_{Q}) \cdot (x_{P} + y_{Q})}{(x_{P} + x_{Q})^2}\\&\quad + \frac{(x_{P} + x_{Q})^3 + a \cdot (x_{P} + x_{Q})^2}{(x_{P} + x_{Q})^2}\\&= \frac{b + b + x_{Q} \cdot \left( x^2_{P} + y_{P}\right) + x_{P} \cdot \left( x^2_{Q} + y_{Q}\right) }{(x_{P} + x_{Q})^2}\\&= \frac{x_{P} \cdot x_{Q} \cdot (\lambda _{P} + \lambda _{Q})}{(x_{P} + x_{Q})^2}. \end{aligned}$$

For computing \(\lambda _{P+Q}\), we use the observation that the \(x\)-coordinate of \((P + Q) - P\) is \(x_{Q}\). We also know that for \(-P\) we have \(\lambda _{-P} = \lambda _{P} + 1\) and \(x_{-P} = x_{P}\). By applying the formula for the \(x\)-coordinate of \((P + Q) + (-P)\) we have

$$\begin{aligned} x_{Q}&= x_{(P+Q)+(-P)} = \frac{x_{P+Q} \cdot x_{-P}}{(x_{P+Q} + x_{-P})^2} \cdot (\lambda _{P+Q} + \lambda _{-P})\\&= \frac{x_{P+Q} \cdot x_{P}}{(x_{P+Q} + x_{P})^2} \cdot (\lambda _{P+Q} + \lambda _{P} + 1). \end{aligned}$$

Then \(\lambda _{P+Q} = \frac{x_{Q} \cdot (x_{P+Q} + x_{P})^2}{x_{P+Q} \cdot x_{P}} + \lambda _{P} + 1\).

To obtain a \(\lambda \)-projective addition formula, we apply the formulas above to the affine points \((\frac{X_{P}}{Z_{P}}, \frac{L_{P}}{Z_{P}})\) and \((\frac{X_{Q}}{Z_{Q}}, \frac{L_{Q}}{Z_{Q}})\). Then, the \(x_{P+Q}\) coordinate of \(P + Q\) can be computed as:

$$\begin{aligned} x_{P+Q}&= \frac{\frac{X_{P}}{Z_{P}} \cdot \frac{X_{Q}}{Z_{Q}} \cdot \left( \frac{L_{P}}{Z_{P}} + \frac{L_{Q}}{Z_{Q}}\right) }{\left( \frac{X_{P}}{Z_{P}} + \frac{X_{Q}}{Z_{Q}}\right) ^2}\\&= \frac{X_{P} \cdot X_{Q} \cdot (L_{P} \cdot Z_{Q} + L_{Q} \cdot Z_{P})}{(X_{P} \cdot Z_{Q} + X_{Q} \cdot Z_{P})^2} = X_{P} \cdot X_{Q} \cdot \frac{A}{B}. \end{aligned}$$

For the \(\lambda _{P+Q}\) coordinate of \(P + Q\), we have

$$\begin{aligned} \lambda _{P+Q}&= \frac{\frac{X_{Q}}{Z_{Q}} \cdot \left( \frac{X_{P} \cdot X_{Q} \cdot A}{B} + \frac{X_{P}}{Z_{P}}\right) ^2}{\frac{X_{P} \cdot X_{Q} \cdot A}{B} \cdot \frac{X_{P}}{Z_{P}}} + \frac{L_{P} + Z_{P}}{Z_{P}}\\&= \frac{(A \cdot X_{Q} \cdot Z_{P} + B)^2 + (A \cdot B \cdot Z_{Q})(L_{P} + Z_{P})}{A \cdot B \cdot Z_{P} \cdot Z_{Q}}. \end{aligned}$$

In order that both \(x_{P+Q}\) and \(\lambda _{P+Q}\) have the same denominator, the formula for \(x_{P+Q}\) can be written as

$$\begin{aligned} X_{P+Q} = \frac{X_{P} \cdot X_{Q} \cdot A}{B} = \frac{A \cdot (X_{P} \cdot Z_{Q}) \cdot (X_{Q} \cdot Z_{P}) \cdot A}{A \cdot B \cdot Z_{P} \cdot Z_{Q}}. \end{aligned}$$

Therefore, \(x_{P+Q} = \frac{X_{P+Q}}{Z_{P+Q}}\) and \(\lambda _{P+Q} = \frac{L_{P+Q}}{Z_{P+Q}}\). This completes the proof. \(\square \)

Proof of Theorem 3

The \(\lambda \)-projective formula is obtained by adding the \(\lambda \)-affine points \(2Q = (\frac{X_{2Q}}{Z_{2Q}}, \frac{L_{2Q}}{Z_{2Q}})\) and \(P = (x_{P}, \lambda _{P})\) with the formula of Theorem 2. Then, the \(x\) coordinate of \(2Q + P\) is given by

$$\begin{aligned} x_{2Q+P}&= \frac{x_{2Q} \cdot x_{P}}{(x_{2Q} + x_{P})^2}(\lambda _{2Q} + \lambda _{P})\\&= \frac{X_{2Q} \cdot x_{P}(L_{2Q} + \lambda _{P} \cdot Z_{2Q})}{(X_{2Q} + x_{P} \cdot Z_{2Q})^2}\\&= \frac{x_{P} \cdot \left( X^2_{Q} \cdot Z^2_{Q} {+} T \cdot \left( L^2_{Q} {+} (a {+} 1 {+} \lambda _{P}) \cdot Z^2_{Q}\right) \right) }{\left( T {+} x_{P} \cdot Z^2_{Q}\right) ^2}\\&= x_{P} \cdot \frac{A}{B}. \end{aligned}$$

The \(\lambda _{2Q+P}\) coordinate of \(2Q + P\) is computed as

$$\begin{aligned} \lambda _{2Q+P}&= \frac{\frac{X_{2Q}}{Z_{2Q}} \cdot \left( x_{P} \cdot \frac{A}{B} + x_{P}\right) ^2}{x_{P} \cdot \frac{A}{B} \cdot x_{P}} + \lambda _{P} + 1\\&= \frac{T \cdot (A + B)^2 + (\lambda _{P} + 1) \cdot (A \cdot B \cdot Z^2_{Q})}{A \cdot B \cdot Z^2_{Q}}. \end{aligned}$$

The formula for \(x_{2Q+P}\) can be written with denominator \(Z_{2Q+P}\) as follows:

$$\begin{aligned} x_{2Q+P} = \frac{x_{P} \cdot A}{B} = \frac{x_{P} \cdot Z^2_{Q} \cdot A^2}{A \cdot B \cdot Z^2_{Q}}. \end{aligned}$$

Therefore, \(x_{2Q+P} = \frac{X_{2Q+P}}{Z_{2Q+P}}\) and \(\lambda _{2Q+P} = \frac{L_{2Q+P}}{Z_{2Q+P}}\). This completes the proof. \(\square \)

Appendix B: Operation count for 2-GLV double-and-add using \(\lambda \)-coordinates

Basically, three cases can occur in the 2-GLV double-and-add main loop. The first one, when the digits of both scalars \(k_1, k_2\) equal zero, we just perform a point doubling (\(D\)) in the accumulator. The second one, when both scalar digits are different from zero, we have to double the accumulator and sum two points. In this case, we perform one doubling and addition (\(DA\)) followed by a mixed addition (\(A\)). Finally, it is possible that just one scalar has its digit different from zero. Here, we double the accumulator and add a point, which can be done with only one doubling and addition operation.

Then, as the nonzero bit distributions in the scalars represented by the \(w\)-NAF are independent, we have for the first case

$$\begin{aligned} \mathrm{Pr}[k_{1,i} = 0 \wedge k_{2,i} = 0] = \frac{w^2}{(w + 1)^2},\quad \text {for }i \in [0, n-1]. \end{aligned}$$

For the second case

$$\begin{aligned} \mathrm{Pr[}k_{1,i} \ne 0 \wedge k_{2,i} \ne 0] = \frac{1}{(w + 1)^2},\quad \text {for }i \in [0, n-1]. \end{aligned}$$

And for the third case

$$\begin{aligned} \mathrm{Pr}[(k_{1,i} \,{\ne }\, 0 \wedge k_{2,i} \,{=}\, 0) \vee (k_{1,i} \,{=}\, 0 \wedge k_{2,i} \ne 0)] \,{=}\, \frac{2w}{(w {+} 1)^2}. \end{aligned}$$

Consequently, the operation count can be written as

$$\begin{aligned}&\frac{n}{2}\left( \frac{w^2}{(w + 1)^2}D + \frac{1}{(w + 1)^2}(\textit{DA} + A) + \frac{2w}{(w + 1)^2}\textit{DA}\right) \\&\quad = \frac{(2w + 1)n}{2(w+1)^2}\textit{DA} + \frac{w^2n}{2(w+1)^2}D + \frac{n}{2(w+1)^2}A. \end{aligned}$$

Appendix C: Parameters used for the Galbraith–Lin–Scott elliptic curve

Using the notation given in Sect. 4, let \(q=2^m,\) with \(m=127.\) The towering of the fields \(\mathbb {F}_{q}\) and its quadratic extension \(\mathbb {F}_{q^{2}}\cong \mathbb {F}_{q}[u]/(g(u))\) are constructed by means of the irreducible trinomials \(f(x) = x^{127} + x^{63} + 1\) and \(g(u) = u^2 + u +1\), respectively. Let \(E/\mathbb {F}_{q} : y^2 + xy = x^3 + ax^2 + b\), with \(a, b \in \mathbb {F}_{q}\), be a binary elliptic curve and define the quadratic twist of \(E\) as the Galbraith–Lin–Scott elliptic curve

$$\begin{aligned} \tilde{E}/\mathbb {F}_{q^{2}} : y^2 + xy = x^3 +a'x^2 + b, \end{aligned}$$

with \(a' \in \mathbb {F}_{q^{2}}\) such that \(\mathrm{Tr}(a') = 1\). Given \(\#E(\mathbb {F}_q)=q+1-t,\) it follows that \(\#\tilde{E}_{a', b}(\mathbb {F}_{q^2}) = (q-1)^2+t^2=h\cdot r,\) where \(t\) is the trace of Frobenius of the curve \(E\), \(h=2\) and \(r\) is \(253\)-bit prime number.

In this work, the binary GLS elliptic curve \(\tilde{E}_{a',b}(\mathbb {F}_{q^2})\) was defined with the following parameters

• \(a' = u\)

• \(b\in \mathbb {F}_q\) is a degree \(126\) binary polynomial that can be represented in hexadecimal format as, \(b = 0x59C8202CB9E6E0AE2E6D944FA54DE7E5\)

• The \(253\)-bit prime order \(r\) of the main subgroup of \(\tilde{E}_{a',b}(\mathbb {F}_{q^2})\) is

  $$\begin{aligned} r&= 0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFF\\&FFDAC40D1195270779877DABA2A44750A5; \end{aligned}$$

• The base point \(P=(x_p, \lambda _p)\) of order \(r\) specified in \(\lambda \)-affine coordinates is,

  $$\begin{aligned} x_p&= 0x203B6A93395E0432344038B63FBA32DE\\&\quad + 0x78E51FD0C310696D5396E0681AA10E0D\cdot u\\ \lambda _p&= 0x5BD7653482085F55DEB59C6137074B50\\&\quad + 0x7F90D98B1589A17F24568FA5A1033946\cdot u. \end{aligned}$$