Science China Information Sciences, Volume 58, Issue 11, pp 1–8

Elliptic curve with Optimal mixed Montgomery-Edwards model for low-end devices

  • Zhe Liu
  • Zhi Hu
  • Wei Wu
Research Paper


This paper introduces a special family of twisted Edwards curves named Optimal mixed Montgomery-Edwards (OME) curves. The OME curves are proposed by exploiting the fact that every twisted Edwards curve is birationally equivalent to some elliptic curve in Montgomery form. They achieve optimal group arithmetic for both the twisted Edwards model and the Montgomery model. In particular, the Montgomery model of OME curves requires only 3M + 2S and 1M + 3S + 3C to perform the point addition and point doubling operations, while 7M and 3M + 4S are needed for a point addition and a point doubling in the twisted Edwards model. We also carefully choose the curve parameters and the underlying implementation field to achieve high performance. An example of an OME curve is \(\mathcal{E}/\mathbb{F}_p : - x^2 + y^2 = 1 - 2782^2 \cdot x^2 y^2\) over \(p = 2^{192} - 2^{64} - 1\). Our implementation results on the widely used 8-bit micro-controller platforms (i.e., AVR Atmega128) further demonstrate and highlight the practical benefits of the proposed OME curve on low-end devices. In particular, our implementation, performed in constant time, reduces the execution time by up to 14% and 18% for fixed-point and random-point scalar multiplication, respectively, compared with the state-of-the-art implementation on the identical platform.


Keywords: cryptography, elliptic curve, scalar multiplication, efficient implementation, 8-bit AVR processors
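The birational equivalence the abstract relies on can be checked directly on its example curve. The following is an added example, not code from the paper: it uses the standard twisted Edwards to Montgomery map (A = 2(a+d)/(a−d), B = 4/(a−d)), which is an assumption about the parametrization since the paper's own Montgomery model is not shown on this page, and the sample point is constructed by search.

```python
# Added example: the abstract's OME curve and the standard twisted Edwards
# <-> Montgomery birational map. The sample point is constructed, not from the paper.
P = 2**192 - 2**64 - 1       # field prime from the abstract; P % 4 == 3
A_ED = -1 % P                # twisted Edwards coefficient a = -1
D_ED = -(2782**2) % P        # twisted Edwards coefficient d = -2782^2

def inv(z):
    """Modular inverse via Fermat; the caller guarantees z != 0 mod P."""
    return pow(z % P, P - 2, P)

def on_edwards(x, y):
    """True if a*x^2 + y^2 = 1 + d*x^2*y^2 holds mod P."""
    return (A_ED*x*x + y*y - 1 - D_ED*x*x*y*y) % P == 0

def montgomery_params():
    """(A, B) of B*v^2 = u^3 + A*u^2 + u under the standard map (assumed)."""
    k = inv(A_ED - D_ED)
    return 2*(A_ED + D_ED)*k % P, 4*k % P

def on_montgomery(u, v):
    A, B = montgomery_params()
    return (B*v*v - (u*u*u + A*u*u + u)) % P == 0

def find_edwards_point(start_y=2):
    """Smallest y >= start_y for which x^2 = (1-y^2)/(a-d*y^2) is a square."""
    y = start_y
    while True:
        x2 = (1 - y*y) * inv(A_ED - D_ED*y*y) % P
        x = pow(x2, (P + 1)//4, P)   # square-root candidate, valid as P % 4 == 3
        if x != 0 and x*x % P == x2:
            return x, y
        y += 1

def edwards_to_montgomery(x, y):
    """(u, v) = ((1+y)/(1-y), u/x); undefined for y = 1 or x = 0."""
    u = (1 + y) * inv(1 - y) % P
    return u, u * inv(x) % P

def montgomery_to_edwards(u, v):
    """(x, y) = (u/v, (u-1)/(u+1)); undefined for v = 0 or u = -1."""
    return u * inv(v) % P, (u - 1) * inv(u + 1) % P

if __name__ == "__main__":
    x, y = find_edwards_point()
    u, v = edwards_to_montgomery(x, y)
    print("on Edwards curve:", on_edwards(x, y))
    print("image on Montgomery curve:", on_montgomery(u, v))
    print("round trip ok:", montgomery_to_edwards(u, v) == (x, y))
```

The map is undefined at the few exceptional points noted in the docstrings, so an implementation that switches models has to handle those inputs separately.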




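This paper proposes a class of OME curves suited to the efficient and secure implementation of elliptic curve cryptosystems on low-end devices. These curves provide the currently best group-law computation in both the Montgomery model and the twisted Edwards model, and offer an alternative method for choosing the parameters of the Montgomery model. As a special case, an OME curve satisfying the SafeCurves security requirements is chosen over the NIST prime field P192, and efficient methods for finite-field arithmetic and curve group-law computation are designed for it. Fixed-point and random-point scalar multiplication on this curve is implemented on an 8-bit AVR processor platform; the implementation runs in constant time and resists simple power analysis attacks. Compared with the previous state-of-the-art implementation on the same kind of platform, the method of this paper is more than 14% faster.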


Keywords: cryptography, elliptic curve, scalar multiplication, efficient implementation, 8-bit AVR processors





Copyright information

© Science China Press and Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  1. University of Luxembourg, Luxembourg, Luxembourg
  2. School of Mathematics and Statistics, Central South University, Changsha, China
  3. School of Mathematics and Computer Science, Fujian Normal University, Fuzhou, China
