
Selecting elliptic curves for cryptography: an efficiency and security analysis

Regular Paper, Journal of Cryptographic Engineering

Abstract

We select a set of elliptic curves for cryptography and analyze our selection from a performance and security perspective. This analysis complements recent curve proposals that suggest (twisted) Edwards curves by also considering the Weierstrass model. Working with both Montgomery-friendly and pseudo-Mersenne primes allows us to consider more possibilities which help to improve the overall efficiency of base field arithmetic. Our Weierstrass curves are backwards compatible with current implementations of prime order NIST curves, while providing improved efficiency and stronger security properties. We choose algorithms and explicit formulas to demonstrate that our curves support constant-time, exception-free scalar multiplications, thereby offering high practical security in cryptographic applications. Our implementation shows that variable-base scalar multiplication on the new Weierstrass curves at the 128-bit security level is about 1.4 times faster than the recent implementation record on the corresponding NIST curve. For practitioners who are willing to use a different curve model and sacrifice a few bits of security, we present a collection of twisted Edwards curves with particularly efficient arithmetic that are up to 1.42, 1.26 and 1.24 times faster than the new Weierstrass curves at the 128-, 192- and 256-bit security levels, respectively. Finally, we discuss how these curves behave in a real-world protocol by considering different scalar multiplication scenarios in the transport layer security protocol. The proposed curves and the results of the analysis are intended to contribute to the recent efforts towards recommending new elliptic curves for Internet standards.


Notes

  1. Cryptographic libraries with support for generic-prime field arithmetic (e.g., using Montgomery arithmetic) are fully compatible with the proposed curves.

  2. The only instance where the first twisted Edwards curve we found did not fulfill all of the SafeCurves requirements was in the search for ed-383-mers: the constant \(A=1629146\) corresponds to a curve-twist pair with \(\#E_A=4r\) and \(E_A'=4r'\), where \(r\) and \(r'\) are both prime, but the embedding degree of \(E_A\) with respect to \(r\) is \((r-1)/188\), which fails to meet the minimum requirement of \((r-1)/100\) imposed in [12].

  3. Except for when \(w=2\), where this comes for free.

  4. We note that this cost increases by a single point addition when \(wv \mid t\), since an extra precomputed point is needed in this case.

  5. Again, except for when \(w=2\), where this comes for free.

  6. Again, we note that when \(wv \mid t\), an extra precomputed point is needed.

  7. Validating that \(x_1 \in \mathbf{F}_p\) corresponds to \(E_A\) would incur the small relative cost of an exponentiation and a few multiplications: namely, we reject \(x_1\) if \((x_1^3+Ax_1^2+x_1)^{(p-1)/2} = -1\).

  8. A version of the library (known as MSR ECCLib [44]) which supports a subset of the curves presented in this work is publicly available at http://research.microsoft.com/en-us/downloads/149804d4-b5f5-496f-9a17-a013b242c02d/.

  9. This cost assumes the use of the simplest, most secure implementation approach, i.e., each ephemeral key is used once and then discarded.

  10. We also corrected some typos in [18] that were pointed out in [6].

  11. We did not optimize (1) aggressively; we simply grouped common subexpressions and employed obvious operation scheduling—it is likely that there are faster routes.

References

  1. Acar, T., Shumow, D.: Modular reduction without pre-computation for special moduli. Technical report. Microsoft Research (2010)

  2. Ahmadi, O., Granger, R.: On isogeny classes of edwards curves over finite fields. J. Number Theory 132(6), 1337–1358 (2012)


  3. Aranha, D.F., Barreto, P.S.L.M., Pereira, G.C.C.F., Ricardini, J.E.: A note on high-security general-purpose elliptic curves. Cryptology ePrint Archive, Report 2013/647 (2013). http://eprint.iacr.org/

  4. Bernstein, D.J.: Can we avoid tests for zero in fast elliptic-curve arithmetic? (2006). http://cr.yp.to/papers.html#curvezero

  5. Bernstein, D.J.: Curve25519: New Diffie–Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) Public Key Cryptography—PKC 2006, vol. 3958 of LNCS, pp. 207–228. Springer, Heidelberg (2006)

  6. Bernstein, D.J.: Counting points as a video game, 2010. Slides of a talk given at Counting Points: Theory, Algorithms and Practice, April 19, University of Montreal. http://cr.yp.to/talks/2010.04.19/slides.pdf

  7. Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT, vol. 5023 of LNCS, pp. 389–405. Springer, Berlin (2008)

  8. Bernstein, D.J., Birkner, P., Lange, T., Peters, C.: ECM using Edwards curves. Math. Comput. 82(282), 1139–1179 (2013)

  9. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2(2), 77–89 (2012)


  10. Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: ACM conference on computer and communications security (2013)

  11. Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT, vol. 4833 of LNCS, pp. 29–50. Springer, Berlin (2007)

  12. Bernstein, D.J., Lange, T.: SafeCurves: choosing safe curves for elliptic-curve cryptography. http://safecurves.cr.yp.to. Accessed 16 Oct 2013

  13. Bernstein, D.J., Lange, T. (eds.): eBACS: ECRYPT benchmarking of cryptographic systems. http://bench.cr.yp.to. Accessed 3 Feb 2014

  14. Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., Moeller, B.: Elliptic curve cryptography (ECC) cipher suites for transport layer security (TLS). RFC 4492 (2006)

  15. Bos, J.W., Costello, C., Hisil, H., Lauter, K.: Fast cryptography in genus 2. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT, vol. 7881 of LNCS, pp. 194–210. Springer, Berlin (2013)

  16. Bos, J.W., Halderman, J.A., Heninger, N., Moore, J., Naehrig, M., Wustrow, E.: Elliptic curve cryptography in practice. In: Christin, N., Safavi-Naini, R. (eds.) Financial Cryptography and Data Security, vol. 8437 of LNCS, pp. 157–175. Springer, Berlin (2014)

  17. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symb. Comput. 24(3–4), 235–265 (1997). Computational algebra and number theory (London, 1993)


  18. Bosma, W., Lenstra, H.W.: Complete systems of two addition laws for elliptic curves. J. Number Theory 53(2), 229–240 (1995)


  19. Brumley, B.B., Hakala, R.M.: Cache-timing template attacks. In: Matsui, M. (ed.) ASIACRYPT, vol. 5912 of LNCS, pp. 667–684. Springer, Berlin (2009)

  20. Brumley, D., Boneh, D.: Remote timing attacks are practical. In: Proceedings of the 12th USENIX Security Symposium. USENIX Association (2003)

  21. Certicom Research.: Standards for efficient cryptography 2: recommended elliptic curve domain parameters. Standard SEC2, Certicom (2000)

  22. Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. IEEE Trans. Comput. 53(6), 760–768 (2004)


  23. Chudnovsky, D., Chudnovsky, G.: Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Adv. Appl. Math. 7(4), 385–434 (1986)


  24. ECC Brainpool.: ECC Brainpool Standard Curves and Curve Generation. http://www.ecc-brainpool.org/download/Domain-parameters.pdf (2005)

  25. Edwards, H.M.: A normal form for elliptic curves. Bull. Am. Math. Soc. 44, 393–422 (2007)


  26. Faugère, J.-C., Perret, L., Petit, C., Renault, G.: Improving the complexity of index calculus algorithms in elliptic curves over binary fields. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT, vol. 7237 of LNCS, pp. 27–44. Springer, Berlin (2012)

  27. Faz-Hernández, A., Longa, P., Sánchez, A.: Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves (extended version). J. Cryptogr. Eng. 5(1), 31–52 (2015)

  28. Feng, M., Zhu, B., Xu, M., Li, S.: Efficient comb elliptic curve multiplication methods resistant to power analysis. In: Cryptology ePrint Archive, Report 2005/222 (2005). http://eprint.iacr.org/2005/222

  29. Fouque, P.-A., Joux, A., Tibouchi, M.: Injective encodings to elliptic curves. In: Boyd, C., Simpson, L. (eds.) ACISP, vol. 7959 of LNCS, pp. 203–218. Springer, Berlin (2013)

  30. Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO, vol. 2139 of LNCS, pp. 190–200. Springer, Berlin (2001)

  31. Gueron, S., Krasnov, V.: Fast prime field elliptic curve cryptography with 256 bit primes. Cryptology ePrint Archive, Report 2013/816 (2013). http://eprint.iacr.org/

  32. Hamburg, M.: Fast and compact elliptic-curve cryptography. Cryptology ePrint Archive, Report 2012/309 (2012). http://eprint.iacr.org/

  33. Hamburg, M.: Twisting Edwards curves with isogenies. Cryptology ePrint Archive, Report 2014/027 (2014). http://eprint.iacr.org/

  34. Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer Verlag, Berlin (2004)


  35. Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted Edwards curves revisited. In: Pieprzyk, J. (ed.) Asiacrypt 2008, vol. 5350 of LNCS, pp. 326–343. Springer, Heidelberg (2008)

  36. Joye, M., Tunstall, M.: Exponent recoding and regular exponentiation algorithms. In: Preneel, B. (ed.) Proceedings of Africacrypt 2009, vol. 5580 of LNCS, pp. 334–349. Springer, Berlin (2009)

  37. Knežević, M., Vercauteren, F., Verbauwhede, I.: Speeding up bipartite modular multiplication. In: Hasan, M., Helleseth, T. (eds.) Arithmetic of Finite Fields—WAIFI 2010, vol. 6087 of LNCS, pp. 166–179. Springer, Berlin/Heidelberg (2010)

  38. Kocher, P.C.: Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) Crypto 1996, vol. 1109 of LNCS, pp. 104–113. Springer, Heidelberg (1996)

  39. Lenstra, A.K.: Generating RSA moduli with a predetermined portion. In: Ohta, K., Pei, D. (eds.) Asiacrypt’98, vol. 1514 of LNCS, pp. 1–10. Springer, Berlin/Heidelberg (1998)

  40. Lim, C.H., Lee, P.J.: More flexible exponentiation with precomputation. In: Desmedt, Y. (ed.) CRYPTO, vol. 839 of LNCS, pp. 95–107. Springer, Berlin (1994)

  41. Longa, P., Gebotys, C.: Efficient techniques for high-speed elliptic curve cryptography. In: Mangard, S., Standaert, F.-X. (eds.) Proceedings of CHES 2010, vol. 6225 of LNCS, pp. 80–94. Springer, Berlin (2010)

  42. Longa, P., Miri, A.: New composite operations and precomputation scheme for elliptic curve cryptosystems over prime fields. In: Cramer, R. (ed.) Proceedings of PKC 2008, vol. 4939 of LNCS, pp. 229–247. Springer, Berlin (2008)

  43. Meloni, N.: New point addition formulae for ECC applications. In: Carlet, C., Sunar, B. (eds.) Workshop on Arithmetic of Finite Fields (WAIFI), vol. 4547 of LNCS, pp. 189–201. Springer, Berlin (2007)

  44. Microsoft Research.: MSR Elliptic Curve Cryptography Library (MSR ECCLib) (2014). http://research.microsoft.com/en-us/projects/nums

  45. Möller, B.: Algorithms for multi-exponentiation. In: Vaudenay, S., Youssef, A.M. (eds.) Selected Areas in Cryptography, vol. 2259 of LNCS, pp. 165–180. Springer, Berlin (2001)

  46. Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985)


  47. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)


  48. National Security Agency.: Fact sheet NSA Suite B Cryptography. http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml (2009)

  49. Okeya, K., Takagi, T.: The width-\(w\) NAF method provides small memory and fast elliptic curve scalars multiplications against side-channel attacks. In: Joye, M. (ed.) Proceedings of CT-RSA 2003, vol. 2612 of LNCS, pp. 328–342. Springer, Berlin (2003)

  50. Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA, vol. 3860 of LNCS, pp. 1–20. Springer, Berlin (2006)

  51. Schoof, R.: Counting points on elliptic curves over finite fields. Journal de théorie des nombres de Bordeaux 7(1), 219–254 (1995)

  52. Shumow, D., Ferguson, N.: On the possibility of a back door in the NIST SP800-90 dual ec prng. http://rump2007.cr.yp.to/15-shumow.pdf (2007)

  53. Solinas, J.A.: Generalized Mersenne numbers. Technical report CORR 99–39, Centre for Applied Cryptographic Research, University of Waterloo (1999)

  54. Solinas, J.A.: Efficient arithmetic on Koblitz curves. Des. Codes Cryptogr. 19, 195–249 (2000)


  55. The New York Times: Government announces steps to restore confidence on encryption standards. http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards (2013)

  56. Tibouchi, M.: Elligator squared: uniform points on elliptic curves of prime order as uniform random strings. Cryptology ePrint Archive, Report 2014/043 (2014) http://eprint.iacr.org/

  57. U.S. Department of Commerce/National Institute of Standards and Technology: Digital signature standard (DSS). FIPS-186-4 (2013). http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf

  58. Walter, C.D.: Montgomery exponentiation needs no final subtractions. Electron. Lett. 35(21), 1831–1832 (1999)



Acknowledgments

We thank Niels Ferguson, Thorsten Kleinjung, Dan Shumow and Greg Zaverucha for their valuable feedback, comments, and help. We also would like to thank the anonymous reviewers of JCEN, whose comments helped to improve the quality of the paper.

Corresponding author

Correspondence to Patrick Longa.

Appendices

Appendix A: Algorithms for scalar multiplication

Algorithms for variable-base scalar multiplication Algorithm 1 computes scalar multiplication for the variable-base scenario using the fixed-window method from [49]. We refer to Sects. 4.1 and 4.2 for details on its usage with Weierstrass and twisted Edwards curves, respectively. The computation of this operation mainly consists of four different stages: input and point validation, precomputation, recoding and evaluation. Input and point validation are computed at the very beginning of the execution using Algorithm 2 for Weierstrass curves and Algorithm 3 for twisted Edwards curves. In particular, Algorithm 3 performs two doublings over the input point in twisted Edwards to ensure that subsequent computations are performed in the large prime order subgroup (avoiding small subgroup attacks). We remark that it is the protocol implementer’s responsibility to ensure that timing differences during the detection of errors do not leak sensitive information to an attacker. In the precomputation stage, the implementer should first select a window width \(2\le w < 10\) according to efficiency and/or memory considerations. For example, selecting \(w=6\) for 256-, 384- and 512-bit scalar multiplication was found to achieve optimal performance in our implementations of Weierstrass curves. Precomputation is then computed by successively executing \(P+2P+2P+\cdots +2P\) with \(2^{w-2}-1\) point additions and storing the intermediate results. Explicit schemes are given in Algorithms 4 and 5 for \(a=-3\) Weierstrass and \(a=-1\) twisted Edwards curves, respectively. In the recoding stage, we use a variant of the regular recoding by [36] that ensures fixed length (see Algorithm 6). Since Algorithm 6 only recodes odd integers, we include a conversion step at Step 6 to deal with even values. The corresponding correction is performed at Step 20. These computations should be executed in constant time to protect against timing attacks. 
For example, a constant-time execution of Step 6 could be implemented as follows (assuming a two's complement representation in which \(-1 \equiv \text{0xFF}\ldots\text{FF}\), and \(\mathrm{bitlength}(odd) = \mathrm{bitlength}(k)\)):

$$\begin{aligned}
&odd = -(k \text{ AND } 1) && \{\text{if } k \text{ is odd then } odd = \text{0xFF}\ldots\text{FF}, \text{ else } odd = 0\} \\
&k' = k - r \\
&k = (odd \text{ AND } (k \text{ XOR } k')) \text{ XOR } k' && \{\text{if } odd = 0 \text{ then } k = k - r\}
\end{aligned}$$

The main computation in the evaluation stage consists of \(t = \lceil \log _2(r)/(w-1) \rceil \) iterations, each computing \((w-1)\) doublings and one addition with a value from the precomputed table. For \(a=-3\) Weierstrass curves, the use of Jacobian coordinates is a popular choice for efficiency reasons. If this is used, then Algorithm 1 can use an efficient merged doubling-addition formula [42] when \(w>2\) by setting DBLADD = \(true\). Other cases, including Weierstrass curves with \(w=2\) or twisted Edwards curves, should use DBLADD = \(false\). Note that the DBLADD flag is used only to simplify the description of the algorithm; an implementation might choose to have separate functions for twisted Edwards and Weierstrass curves. Following the recommendations from Sect. 4, the last addition should be performed with a unified formula (denoted by \(\oplus \)) in order to avoid exceptions, and it has been separated from the main loop; see Steps 18 and 19. To achieve constant-time execution, the points from the precomputed table should be extracted by doing a full pass over all the points in the lookup table and masking the correct value with the index \((|k_i|-1)/2\). Finally, a suitable conversion to affine coordinates may be computed at Step 21 (if required).
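The scalar-handling side of the variable-base method just described (even-scalar conversion and correction, fixed-length regular recoding, fixed-window evaluation with a masked table extraction), as an added example that is not the paper's or MSR ECCLib's code. It runs on a constructed textbook toy curve over \(\mathbf{F}_{17}\) rather than one of the paper's curves, and since Python integers are not constant time it demonstrates the data flow rather than the timing guarantees; the toy affine group law handles every special case in place of the paper's exception-free formulas.

```python
# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17 (19 points, prime order);
# a textbook example, not one of the curves proposed in the paper.
P_MOD = 17
A, B = 2, 2
G = (5, 1)
INF = None                                 # point at infinity

def add(P, Q):
    """Toy affine group law that handles every special case by branching;
    it stands in for the paper's exception-free formulas (Appendix C)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                         # P + (-P), including 2P when y = 0
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def naive_mul(k, P):
    """Reference result by k repeated additions (fine for a 19-element group)."""
    Q = INF
    for _ in range(k):
        Q = add(Q, P)
    return Q

def point_order(P):
    n, Q = 1, P
    while Q is not INF:
        Q, n = add(Q, P), n + 1
    return n

R_ORDER = point_order(G)                   # r = 19 on the toy curve

def regular_recode(k, w, ndigits):
    """Fixed-length recoding of an odd k > 0 into odd digits k_i with
    |k_i| < 2^(w-1) and k = sum k_i * 2^((w-1) i).  No digit is ever zero,
    so the evaluation loop performs the same operations for every scalar."""
    assert k > 0 and k & 1
    digits = []
    for _ in range(ndigits - 1):
        ki = (k % (1 << w)) - (1 << (w - 1))   # odd, |ki| <= 2^(w-1) - 1
        digits.append(ki)
        k = (k - ki) >> (w - 1)                # exact division; k stays odd
    assert 0 < k < (1 << (w - 1)), "ndigits too small for this scalar length"
    digits.append(k)
    return digits

def masked_lookup(table, idx):
    """Read every table entry and keep the wanted one with AND/OR masks, so the
    access pattern does not depend on idx (the extraction step of Appendix A)."""
    x = y = 0
    for j, (tx, ty) in enumerate(table):
        m = -int(j == idx)                     # -1 (all ones) iff j == idx
        x |= tx & m
        y |= ty & m
    return (x, y)

def cond_negate(P, negate):
    """Return -P if negate else P, selected by masking rather than branching."""
    if P is INF:
        return P
    m = -int(negate)
    x, y = P
    return (x, (((P_MOD - y) % P_MOD) & m) | (y & ~m))

def fixed_window_mul(k, P, w=3):
    """Variable-base scalar multiplication for 0 < k < r, structured like
    Algorithm 1: conversion, precomputation, recoding, evaluation, correction."""
    assert 0 < k < R_ORDER and 2 <= w < 10
    # Conversion step: an even k is replaced by the odd value k - r, which is
    # the same multiple of P; the masking mirrors the paper's Step 6 snippet.
    odd = -(k & 1)                             # all ones if k is odd, else 0
    k_prime = k - R_ORDER
    k = (odd & (k ^ k_prime)) ^ k_prime        # k even -> k - r (odd, negative)
    negated = k < 0
    # Precomputation: P, 3P, ..., (2^(w-1)-1)P with 2^(w-2)-1 additions of 2P.
    P2 = add(P, P)
    table = [P]
    for _ in range((1 << (w - 2)) - 1):
        table.append(add(table[-1], P2))
    t = -(-R_ORDER.bit_length() // (w - 1))    # ceil(log2(r) / (w-1)) iterations
    digits = regular_recode(abs(k), w, t + 1)
    # Evaluation: t iterations of (w-1) doublings followed by one table addition.
    d = digits[t]
    Q = cond_negate(masked_lookup(table, (abs(d) - 1) // 2), d < 0)
    for d in reversed(digits[:t]):
        for _ in range(w - 1):
            Q = add(Q, Q)
        Q = add(Q, cond_negate(masked_lookup(table, (abs(d) - 1) // 2), d < 0))
    # Correction step: undo the sign introduced by the k -> k - r conversion.
    return cond_negate(Q, negated)
```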

Algorithm 7 computes scalar multiplication for the fixed-base scenario using the modified LSB-set method [27] (denoted by mLSB-set), which combines the comb method [40] and LSB-set recoding [28]. Refer to Sects. 4.1 and 4.2 for details on the use of the method with Weierstrass and twisted Edwards curves, respectively. This operation consists of computations executed offline, which involve point validation and precomputing multiples of the known input point, and computations executed online, which involve scalar validation, recoding and evaluation stages. As before, point validation for twisted Edwards using Algorithm 3 during the offline phase performs two doublings over the input point to ensure that the computation takes place in the large prime order subgroup. Again, it is the protocol implementer’s responsibility to ensure that timing differences during the detection of errors do not leak sensitive information to an attacker. The implementer should choose a window width \(2\le w < 10\) and a table parameter \(v \ge 1\) according to efficiency and/or memory constraints, taking into account that the mLSB-set method requires \(v \cdot 2^{w-1}\) precomputed points. For example, selecting \(w=6\) and \(v=3\) for 256-bit scalar multiplication was found to achieve optimal performance in our implementations of Weierstrass curves when storage is constrained to 6 KB. During the online computation, the recoded scalar obtained from Algorithm 8 has a fixed length, which enables a fully regular execution when the representation is set up as described at Step 7. Since Algorithm 8 only recodes odd integers, we include a conversion step at Step 6 to deal with even values. The corresponding correction is performed at Step 13. In the evaluation stage, the main computation consists of \(e-1 = \lceil \lceil \log _2(r)\rceil / (wv) \rceil - 1\) iterations each computing one doubling and \(v\) additions with a value from the precomputed table. Following Sect. 4, the additions should be performed with a unified formula (denoted by \(\oplus \)) to avoid exceptions. Note that, as described in the variable-base case, all the conditional computations using “if” statements as well as the extraction of points from the precomputed table should be executed in constant time in order to protect against timing attacks (with the exception of Step 3, which depends on public parameters; any potential leak through the detection of errors at Step 4 should be assessed by the protocol’s implementer). Finally, a suitable conversion to affine coordinates may be computed at Step 14 (if required).

Algorithm 9 computes double-scalar multiplication, which is typically found in signature verification schemes, and uses the width-\(w\) non-adjacent form [54] with interleaving [30, 45]. We assume that one of the input points is known in advance \((P_2)\) whereas the other one is a variable base \((P_1)\). Hence, we distinguish two phases: offline, which involves validation of \(P_2\) and a precomputation stage using the value \(w_2\); and online, which involves scalar validation, point validation of \(P_1\) and precomputation (using \(w_1\)), recoding and evaluation stages. Again, point validation for twisted Edwards curves with Algorithm 3 performs two doublings over the input points to ensure computation in the large prime order subgroup. The precomputation for both input points is performed as in the variable-base scenario using Algorithms 4 and 5 for \(a=-3\) Weierstrass and \(a=-1\) twisted Edwards curves, respectively. However, the implementer has additional freedom in the selection of \(w_2\) since the precomputation for the fixed base is done offline. For example, we found that using \(w_1=6\) and \(w_2=7\) results in optimal performance in our implementations of Weierstrass curves when storage was restricted to 2, 3 and 4 KB for 128-, 192- and 256-bit security levels. In the online computation, recoding of the scalars is performed using [34, Algorithm 3.35]. Accordingly, the evaluation stage consists of \(\lceil \log _2(r) \rceil + 1\) iterations, each consisting of one doubling and at most two additions (one per precomputed table). As in the variable-base case, for \(a=-3\) Weierstrass curves using Jacobian coordinates one may use the merged doubling-addition formula [42] by setting DBLADD = \(true\). A suitable conversion to affine coordinates may be computed at Step 39 (if required).


Appendix B: Algorithms for point operations

Refer to Algorithms 10–17.

Appendix C: Implementing the group law

Weierstrass curves It is standard to represent points on \(E_b:y^2=x^3-3x+b\) using Jacobian coordinates [21, 48, 57]: for non-zero \(Z \in \mathbf{F}_p\), the tuple \((X :Y :Z)\) is used to represent the affine point \((X/Z^2, Y/Z^3)\) on \(E_b\). There are many different variants of the Jacobian formulas originally proposed in [23]. In our implementation we use the doubling formula from [41] (see Algorithm 10). Point additions are usually performed between a running point and a point from a (precomputed) ‘look-up’ table. Typically, it is advantageous to leave the precomputed points in projective form for variable-base computations, and to convert them (offline) to their affine form for fixed-base computations. When elements in the table are stored in affine coordinates, point addition is performed using mixed Jacobian/affine coordinates using, for example, the formula presented in [34] (see Algorithm 13). There are cases in which exceptions in the formulas might arise. This is the case, for example, for fixed-base scalar multiplication. To achieve constant-time execution, we devised a complete formula based on masking that works for point addition, doubling, inverses and the point at infinity (see Algorithm 18). If points from the precomputed table are stored in projective coordinates, we use Chudnovsky coordinates to represent the affine point \((X/Z^2, Y/Z^3) \in E_b\) by the projective tuple \((X:Y:Z:Z^2:Z^3)\). The corresponding addition formula is given as Algorithm 12. More efficiently, whenever a doubling is followed by an addition (as in the main loop of the variable-base scalar multiplication; see Algorithm 1) one can use a merged doubling-addition formula [42] that is based on the special addition with the same \(Z\)-coordinate from [43] (see Algorithm 11). The different costs of the point formulas used in our implementation can be found in Table 5. Finally, the exact routine to perform the precomputation for the variable-base scenario is outlined in Algorithm 4. The scheme uses a straightforward variant of the general formulas, including the special addition from [43].


Twisted Edwards curves Hisil et al. [35] derive efficient formulas for additions on (special) twisted Edwards curves [7] by representing affine points \((X/Z, Y/Z)\) on \({\mathcal {E}}_d:-x^2+y^2=1+dx^2y^2\) by the projective tuple \((X:Y:Z:T)\), where \(T = XY/Z\). Hamburg [32] proposes to represent such a projective point using five elements: \((X:Y:Z:T_1:T_2)\), where \(T=T_1T_2\). This has the advantage of avoiding a required look-ahead when computing the elliptic curve scalar multiplication using the techniques from [35]. If the addition formulas are “dedicated” they do not work for doubling but are usually more efficient. The details of the dedicated additions used in our implementation are outlined in Algorithms 15 and 16. For settings that might trigger exceptions in the formulas (e.g., fixed-base scalar multiplication), one can use the unified addition formula proposed by [35] (see Algorithm 17). The algorithm for point doubling on \({\mathcal {E}}_d\) is given in Algorithm 14: this extends the formula from [7] by using the five-element representation as suggested in [32].


When storing precomputed points, we follow the caching techniques described in [35]: we store affine points as \((x+y,y-x,2t)\) with \(t=xy\), or projective points as \((X+Y:Y-X:2Z:2T)\) with \(T=XY/Z\), both of which can speed up the scalar multiplication computation. Just as in the case of the Weierstrass curves above, it is usually advantageous to leave the precomputed points in projective form for variable-base computations, and to convert them (offline) to their affine form for fixed-base computations. The explicit routine that performs the precomputation for the variable-base scenario is outlined in Algorithm 5. The costs of the different formulas used in our implementation are displayed in Table 5.

Table 5 An overview of the number of modular operations required to implement the group law for \(a=-3\) Weierstrass, \(a=-1\) twisted Edwards and Montgomery curves using different coordinate systems

Appendix C.1: Complete addition laws

An elliptic curve addition law is said to be complete if it correctly computes the group operation regardless of the two input points. Although employing such an addition law on its own can simplify the task of the implementer, it usually incurs a performance penalty. This is because the fastest formulas available for a particular curve model, which work fine for most input pairs, tend to fail on certain inputs. However, it is often the case that implementers can safely exploit the speed of such incomplete formulas by correctly dealing with all possible exceptions, or by designing the scalar multiplication routine such that exceptions can never arise.

All of the twisted Edwards curves presented in this paper can make use of the complete addition law in [11] by working on the birationally equivalent Edwards model \(\mathcal {E}_{-1/d}: x^2 + y^2 = 1 - (1/d)x^2y^2\). However, the complete formulas are slower compared to the fastest formulas on the twisted Edwards curve [35]. But even when working on an Edwards curve with complete formulas, an implementation of the scalar multiplication could still be sped up by mapping to a different curve, while remaining with the complete formulas for all other operations. One could for example follow the approach suggested in [33], and use an isogeny to the twisted Edwards curve \(\mathcal {E}_{-1/d-1}: x^2 + y^2 = 1 - (1/d+1)x^2y^2\); or use the birational equivalence to \(\mathcal {E}: -x^2 + y^2 = 1 + dx^2y^2\).

The situation for the prime order Weierstrass curves in this paper is more complicated. As pointed out by Bosma and Lenstra [18], the best that we can do for general elliptic curves is as follows: on input of two points \(P_1\) and \(P_2\), we must compute two candidate sums, \(P_3\) and \(P_3'\), for which we can only be guaranteed that at least one of them is a correct projective representation for \(P_1+P_2\). In the case that precisely one of \(P_3\) and \(P_3'\) correctly corresponds to \(P_1+P_2\), the other candidate has all of its coordinates as zero; although this makes it straightforward to write a constant-time routine for complete additions, it also means that computing complete additions in this way is much more costly than computing incomplete additions.

For the sake of comparison, we present the simplified version of the complete formulas (see footnote 10) from [18], which are specialized to short Weierstrass curves of the form \(E:y^2=x^3+ax+b\). For two input points \(P_1 = (X_1 :Y_1 :Z_1)\) and \(P_2 = (X_2 :Y_2 :Z_2)\) in homogeneous projective space, the two candidate sums \(P_3=(X_3 :Y_3 :Z_3)\) and \(P_3' = (X_3' :Y_3' :Z_3')\) are computed as

$$\begin{aligned}
X_3 &= (X_1Y_2-X_2Y_1)(Y_1Z_2+Y_2Z_1) - (X_1Z_2-X_2Z_1)\bigl(a(X_1Z_2+X_2Z_1)+3bZ_1Z_2-Y_1Y_2\bigr); \\
Y_3 &= -(3X_1X_2+aZ_1Z_2)(X_1Y_2-X_2Y_1) + (Y_1Z_2-Y_2Z_1)\bigl(a(X_1Z_2+X_2Z_1)+3bZ_1Z_2-Y_1Y_2\bigr); \\
Z_3 &= (3X_1X_2+aZ_1Z_2)(X_1Z_2-X_2Z_1) - (Y_1Z_2+Y_2Z_1)(Y_1Z_2-Y_2Z_1); \\
X_3' &= -(X_1Y_2+X_2Y_1)\bigl(a(X_1Z_2+X_2Z_1)+3bZ_1Z_2-Y_1Y_2\bigr) - (Y_1Z_2+Y_2Z_1)\bigl(3b(X_1Z_2+X_2Z_1)+a(X_1X_2-aZ_1Z_2)\bigr); \\
Y_3' &= Y_1^2Y_2^2+3aX_1^2X_2^2-2a^2X_1X_2Z_1Z_2-(a^3+9b^2)Z_1^2Z_2^2 + (X_1Z_2+X_2Z_1)\bigl(3b(3X_1X_2-aZ_1Z_2)-a^2(X_2Z_1+X_1Z_2)\bigr); \\
Z_3' &= (3X_1X_2+aZ_1Z_2)(X_1Y_2+X_2Y_1) + (Y_1Z_2+Y_2Z_1)\bigl(Y_1Y_2+3bZ_1Z_2+a(X_1Z_2+X_2Z_1)\bigr).
\end{aligned}$$
(1)

In the case of \(a=-3\) short Weierstrass curves, like the prime order curves in this paper, we found that the computations in (1) require at most (see footnote 11) 22 multiplications, 3 multiplications by \(b\), and one multiplication by \(b^2-3\). The adaptation of the formulas to points in Jacobian coordinates can be achieved in the obvious way at an additional cost of 6 multiplications and 3 squarings: preceding (1), we can transform from Jacobian coordinates to homogeneous coordinates by taking \(X_i \leftarrow X_i \cdot Z_i\) and then \(Z_i \leftarrow Z_i^3\) for \(i=1,2\); and, following the correct choice of \(P_3 = (X_3 :Y_3 :Z_3)\), we can move back to Jacobian coordinates by taking \(X_3 \leftarrow X_3 \cdot Z_3\) and then \(Y_3 \leftarrow Y_3 \cdot Z_3^2\).
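The two candidate sums of (1) in homogeneous coordinates, as an added example that is not the paper's code: it checks the property stated above (at least one candidate is a correct representation of \(P_1+P_2\), and a candidate that is not correct comes out with all coordinates zero) on a constructed toy curve \(y^2 = x^3 + 2x + 2\) over \(\mathbf{F}_{17}\) with general \(a\) rather than the paper's \(a=-3\), using small multiples of its generator worked out by hand as reference data.

```python
# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17; a and b stay parameters
# because (1) is stated for general a (the paper's own curves use a = -3).
P_MOD, A, B = 17, 2, 2
ZERO = (0, 0, 0)                        # the "all coordinates zero" candidate
O = (0, 1, 0)                           # point at infinity, homogeneous coordinates

# Small multiples of the generator (5, 1), worked out by hand for this toy
# curve; reference data only, not produced by the code below.
MULTIPLES = {1: (5, 1), 2: (6, 3), 3: (10, 6), 4: (3, 1), 5: (9, 16)}

def to_proj(P):
    return (P[0], P[1], 1)

def neg(P):
    X, Y, Z = P
    return (X, (-Y) % P_MOD, Z)

def candidate_sums(P1, P2, a=A, b=B, p=P_MOD):
    """The two candidate sums (X3:Y3:Z3) and (X3':Y3':Z3') of formula (1),
    with the subexpressions that the two laws share computed once."""
    X1, Y1, Z1 = P1
    X2, Y2, Z2 = P2
    xy_m, xy_p = X1 * Y2 - X2 * Y1, X1 * Y2 + X2 * Y1
    yz_m, yz_p = Y1 * Z2 - Y2 * Z1, Y1 * Z2 + Y2 * Z1
    xz_m, xz_p = X1 * Z2 - X2 * Z1, X1 * Z2 + X2 * Z1
    xx, zz = X1 * X2, Z1 * Z2
    t = a * xz_p + 3 * b * zz - Y1 * Y2
    u = 3 * xx + a * zz
    X3 = xy_m * yz_p - xz_m * t
    Y3 = -u * xy_m + yz_m * t
    Z3 = u * xz_m - yz_p * yz_m
    X3p = -xy_p * t - yz_p * (3 * b * xz_p + a * (xx - a * zz))
    Y3p = (Y1 * Y1 * Y2 * Y2 + 3 * a * xx * xx - 2 * a * a * xx * zz
           - (a ** 3 + 9 * b * b) * zz * zz
           + xz_p * (3 * b * (3 * xx - a * zz) - a * a * xz_p))
    Z3p = u * xy_p + yz_p * (Y1 * Y2 + 3 * b * zz + a * xz_p)
    return (X3 % p, Y3 % p, Z3 % p), (X3p % p, Y3p % p, Z3p % p)

def complete_add(P1, P2):
    """Complete addition: keep the first candidate unless it is all zero, in
    which case the second one is the correct sum.  The choice is made with a
    mask, as a constant-time routine would, rather than a data-dependent branch."""
    c, cp = candidate_sums(P1, P2)
    m = -int(c == ZERO)                 # -1 iff the first law failed
    return tuple((ci & ~m) | (cpi & m) for ci, cpi in zip(c, cp))

def on_curve(P):
    X, Y, Z = P
    return (Y * Y * Z - (X ** 3 + A * X * Z * Z + B * Z ** 3)) % P_MOD == 0

def proj_eq(P, Q):
    """Projective equality of two non-zero triples: all 2x2 minors vanish."""
    if P == ZERO or Q == ZERO:
        return False
    (X1, Y1, Z1), (X2, Y2, Z2) = P, Q
    return all(v % P_MOD == 0 for v in
               (X1 * Z2 - X2 * Z1, Y1 * Z2 - Y2 * Z1, X1 * Y2 - X2 * Y1))

def check_sum(i, j):
    """Does complete_add(iG, jG) agree with the hand-computed (i+j)G?"""
    total = complete_add(to_proj(MULTIPLES[i]), to_proj(MULTIPLES[j]))
    return on_curve(total) and proj_eq(total, to_proj(MULTIPLES[i + j]))
```

The scaled inputs in the last check exercise the \(Z_1^2Z_2^2\) term of \(Y_3'\), which only matters once the inputs are not normalised to \(Z=1\).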

Table 6 The traces of Frobenius \(t\) for the curves in Tables 1 and 2
Table 7 The cost of converting points when using the curves from Tables 1 and 2

Although the formulas in (1) are mathematically satisfactory, their computation costs around twice as much as an incomplete addition (see Table 5), which renders them far from satisfactory in cryptographic applications. On the other hand, the work-around we present in Algorithm 19 and Algorithm 18, while perhaps not as mathematically elegant, is equivalent for all practical purposes and incurs a much smaller overhead over the incomplete formulas. In particular, there are no additional multiplications or squarings (on top of those incurred during an incomplete addition) required when performing a complete addition via this masking approach (Tables 6, 7).

As briefly discussed in Sect. 4.1, the idea is to exploit the similarity between the sequences of operations computed in a doubling and an addition. On input of \(P\) and \(Q\), one would ordinarily compute the doubling \(2P\) and the (non-unified) addition \(P+Q\) and mask out the correct result at the end, depending on whether \(P=Q\). However, the detection of \(P=Q\) (or not) can be achieved much earlier in projective space using only a few operations that are common to both doublings and non-unified additions—see Line 17 (resp. Line 12) in Algorithm 19 (resp. Algorithm 18). After this detection, the required operation (doubling or addition) is achieved by masking the correct inputs and outputs through a sequence of subsequent computations, those which overlap in the explicit formulas for point doublings and additions. Of course, in the case that one or both of \(P\) or \(Q\) is \({\mathcal {O}}\), or that \(P=-Q\), these superfluous computations are still computed in constant-time such that the correct result is masked out in a cache-attack resistant manner.


Appendix D: Traces of Frobenius

Refer to Table 6.

Appendix E: Costs of point conversion

Refer to Table 7.


Cite this article

Bos, J.W., Costello, C., Longa, P. et al. Selecting elliptic curves for cryptography: an efficiency and security analysis. J Cryptogr Eng 6, 259–286 (2016). https://doi.org/10.1007/s13389-015-0097-y
