Scalar multiplication on Weierstraß elliptic curves from Co-Z arithmetic

  • Raveen R. Goundar
  • Marc Joye
  • Atsuko Miyaji
  • Matthieu Rivain
  • Alexandre Venelli
Regular Paper


In 2007, Meloni introduced a new type of arithmetic on elliptic curves when adding projective points sharing the same Z-coordinate. This paper presents further co-Z addition formulæ (and register allocations) for various point additions on Weierstraß elliptic curves. It explains how the use of conjugate point addition and other implementation tricks allow one to develop efficient scalar multiplication algorithms making use of co-Z arithmetic. Specifically, this paper describes efficient co-Z based versions of Montgomery ladder, Joye’s double-add algorithm, and certain signed-digit algorithms, as well as faster (X, Y)-only variants for left-to-right versions. Further, the proposed implementations are regular, thereby offering a natural protection against a variety of implementation attacks.


Elliptic curves Meloni’s technique Jacobian coordinates Regular ladders Implementation attacks Embedded systems 


  1. 1.
    Koblitz N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)MathSciNetzbMATHCrossRefGoogle Scholar
  2. 2.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) Advances in Cryptology − CRYPTO’85. LNCS, vol. 218, pp. 417–426. Springer, Berlin (1985)Google Scholar
  3. 3.
    Avanzi, R., Cohen, H., Doche, C., Frey, G., Lange, T., Nguyen, K., Vercauteren, F.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. CRC Press, Boca Raton (2005)Google Scholar
  4. 4.
    Blake, I.F., Seroussi, G., Smart, N.P. (eds.): Advances in Elliptic Curve Cryptography, London Mathematical Society Lecture Note Series, vol. 317. Cambridge University Press, Cambridge (2005)Google Scholar
  5. 5.
    Meloni, N.: New point addition formulæ for ECC applications. In: Carlet, C., Sunar, B. (eds.) Arithmetic of Finite Fields (WAIFI 2007). LNCS, vol. 4547, pp. 189–201. Springer, Berlin (2007)Google Scholar
  6. 6.
    Goundar, R.R., Joye, M., Miyaji, A.: Co-Z addition formulæ and binary ladders on elliptic curves. In: Mangard, S., Standaert, F.X. (eds.) Cryptographic Hardware and Embedded Systems − CHES 2010. LNCS, vol. 6225, pp. 65–79. Springer, Berlin (2010)Google Scholar
  7. 7.
    Venelli A., Dassance F.: Faster side-channel resistant elliptic curve scalar multiplication. Contemp. Math. 521, 29–40 (2010)MathSciNetGoogle Scholar
  8. 8.
    Rivain, M.: Fast and regular algorithms for scalar multiplication over elliptic curves. Cryptology ePrint Archive, Report 2011/338 (2011).
  9. 9.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) Advances in Cryptology − CRYPTO ’99. LNCS, vol. 1666, pp. 388–397. Springer, Berlin (1999)Google Scholar
  10. 10.
    Yen S.M., Joye M.: Checking before output may not be enough against fault-based cryptanalysis. IEEE Trans. Comput. 49(9), 967–970 (2000)CrossRefGoogle Scholar
  11. 11.
    Yen, S.M., Kim, S., Lim, S., Moon, S.J.: A countermeasure against one physical cryptanalysis may benefit another attack. In: Kim, K. (ed.) Information Security and Cryptology—ICISC 2001. LNCS, vol. 2288, pp. 414–427. Springer, Berlin (2002)Google Scholar
  12. 12.
    Bernstein, D.J., Lange, T.: Explicit-formulas database.
  13. 13.
    Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) Advances in Cryptology—ASIACRYPT ’98. LNCS, vol. 1514, pp. 51–65. Springer, Berlin (1998)Google Scholar
  14. 14.
    Longa, P.: ECC Point Arithmetic Formulae (EPAF).
  15. 15.
    Chudnovsky D.V., Chudnovsky G.V.: Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Adv. Appl. Math. 7(4), 385–434 (1986)MathSciNetzbMATHCrossRefGoogle Scholar
  16. 16.
    Izu, T., Möller, B., Takagi, T.: Improved elliptic curve multiplication methods reistant against side-channel attacks. In: Menezes, A., Sarkar, P. (eds.) Progress in Cryptology—INDOCRYPT 2002. LNCS, vol. 2551, pp. 296–313. Springer, Berlin (2002)Google Scholar
  17. 17.
    Coron, J.S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koc, C.K., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems (CHES’99). LNCS, vol. 1717, pp. 292–302. Springer, Berlin (1999)Google Scholar
  18. 18.
    Montgomery P.L.: Speeding up the pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)zbMATHCrossRefGoogle Scholar
  19. 19.
    Joye, M., Yen, S.M.: The Montgomery powering ladder. In: Kaliski, B.S. Jr, et al. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Berlin (2003)Google Scholar
  20. 20.
    Brier, E., Joye, M.: Weierstraß elliptic curves and side-channel attacks. In: Naccache, D., Paillier, P. (eds.) Public Key Cryptography (PKC 2002) LNCS, vol. 2274, pp. 335–345. Springer, Berlin (2002)Google Scholar
  21. 21.
    Fischer, W., Giraud, C., Knudsen, E.W., Seifert, J.P.: Parallel scalar multiplication on general elliptic curves over \({\mathbb{F}_p}\) hedged against non-differential side-channel attacks. Cryptology ePrint Archive, Report 2002/007 (2002).
  22. 22.
    Izu, T., Takagi, T.: A fast parallel elliptic curve multiplication resistant against side channel attacks. In: Naccache, D., Paillier, P. (eds.) Public Key Cryptography (PKC 2002). LNCS, vol. 2274, pp. 280–296. Springer, Berlin (2002)Google Scholar
  23. 23.
    López, J., Dahab, R.: Fast multiplication on elliptic curves over GF(2m) without precomputation. In: Koc, C.K., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems (CHES’99). LNCS, vol. 1717, pp. 316–327. Springer, Berlin (1999)Google Scholar
  24. 24.
    Joye, M.: Highly regular right-to-left algorithms for scalar multiplication. In: Paillier, P., Verbauwhede, I. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2007. LNCS, vol. 4727, pp. 135–147. Springer, Berlin (2007)Google Scholar
  25. 25.
    Morain F., Olivos J.: Speeding up the computations on an elliptic curve using addition-subtraction chains. RAIRO Informatique théorique et applications 24(6), 531–543 (1990)MathSciNetzbMATHGoogle Scholar
  26. 26.
    Galbraith, S., Lin, X., Scott, M.: A faster way to do ECC. Presented at 12th Workshop on Elliptic Curve Cryptography (ECC 2008), Utrecht, The Netherlands (2008).
  27. 27.
    Longa, P., Gebotys, C.H.: Novel precomputation schemes for elliptic curve cryptosystems. In: Abdalla, M. et al. (eds.) Applied Cryptography and Network Security (ACNS 2009). LNCS, vol. 5536, pp. 71–88. Springer, Berlin (2009)Google Scholar
  28. 28.
    Longa, P., Miri, A.: New composite operations and precomputation for elliptic curve cryptosystems over prime fields. In: Cramer, R. (ed.) Public Key Cryptography—PKC 2008. LNCS, vol. 4939, pp. 229–247. Springer, Berlin (2008)Google Scholar
  29. 29.
    Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: Concrete results. In: Koç, C.K., Naccache, D., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Berlin (2001)Google Scholar
  30. 30.
    Agrawal, D., Archambeault, B., Rao, J., Rohatgi, P.: The EM side-channel(s). In: Kaliski, B.S. Jr et al. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Berlin (2003)Google Scholar
  31. 31.
    Chevallier-Mames B., Ciet M., Joye M.: Low-cost solutions for preventing simple side-channel analysis: Side-channel atomicity. IEEE Trans. Comput. 53(6), 760–768 (2004)CrossRefGoogle Scholar
  32. 32.
    Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) Advances in Cryptology—CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Berlin (2000)Google Scholar
  33. 33.
    Boneh D., DeMillo R.A., Lipton R.J.: On the importance of eliminating errors in cryptographic computations. J. Cryptol. 14(2), 110–119 (2001) Extended abstract in Proc of EUROCRYPT, 97MathSciNetCrossRefGoogle Scholar
  34. 34.
    Fouque, P.A., Lercier, R., Réal, D., Valette, F.: Fault attack on elliptic curve Montgomery ladder implementation. In: Breveglieri, L. et al. (eds.) Fault Diagnosis and Tolerance in Cryptography (FDTC 2008), pp. 92–98. IEEE Computer Society (2008)Google Scholar
  35. 35.
    IEEE Std 1363-2000: IEEE Standard Specifications for Public-Key Cryptography. IEEE Computer Society (2000)Google Scholar

Copyright information

© Springer-Verlag 2011

Authors and Affiliations

  • Raveen R. Goundar
    • 1
  • Marc Joye
    • 2
  • Atsuko Miyaji
    • 3
  • Matthieu Rivain
    • 4
  • Alexandre Venelli
    • 5
  1. 1.BaFiji Islands
  2. 2.Technicolor, Security and Content Protection LabsCesson-Sévigné CedexFrance
  3. 3.Japan Advanced Institute of Science and TechnologyNomi, IshikawaJapan
  4. 4.CryptoExpertsParisFrance
  5. 5.Inside SecureRoussetFrance

Personalised recommendations