Minimality of the Hamming Weight of the τ-NAF for Koblitz Curves and Improved Combination with Point Halving

  • Roberto Maria Avanzi
  • Clemens Heuberger
  • Helmut Prodinger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3897)


In order to efficiently perform scalar multiplications on elliptic Koblitz curves, expansions of the scalar to a complex base associated with the Frobenius endomorphism are commonly used. One such expansion is the τ-adic NAF, introduced by Solinas. Some properties of this expansion, such as the average weight, are well known, but in the literature there is no proof of its optimality, i.e. that it always has minimal weight. In this paper we provide the first proof of this fact.

Point halving, being faster than doubling, is also used to perform fast scalar multiplications on generic elliptic curves over binary fields. Since its computation is more expensive than that of the Frobenius, halving was thought to be uninteresting for Koblitz curves. At PKC 2004, Avanzi, Ciet, and Sica combined Frobenius operations with one point halving to compute scalar multiplications on Koblitz curves using on average 14% less group additions than with the usual τ-and-add method without increasing memory usage. The second result of this paper is an improvement over their expansion. The new representation, called the wide-double-NAF, is not only simpler to compute, but it is also optimal in a suitable sense. In fact, it has minimal Hamming weight among all τ-adic expansions with digits {0,±1} that allow one halving to be inserted in the corresponding scalar multiplication algorithm. The resulting scalar multiplication requires on average 25% less group operations than the Frobenius method, and is thus 12.5% faster than the previously known combination.


Koblitz curves scalar multiplication point halving τ-adic expansion integer decomposition 


  1. 1.
    Ash, D.W., Blake, I.F., Vanstone, S.: Low complexity normal bases. Discrete Applied Math. 25, 191–210 (1989)MathSciNetCrossRefMATHGoogle Scholar
  2. 2.
    Avanzi, R.M., Ciet, M., Sica, F.: Faster Scalar Multiplication on Koblitz Curves combining Point Halving with the Frobenius Endomorphism. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 28–40. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Fong, K., Hankerson, D., Lopez, J., Menezes, A.: Field inversion and point halving revisited. IEEE Trans. on Computers 53(8), 1047–1059 (2004)CrossRefGoogle Scholar
  4. 4.
    Hankerson, D., Lopez-Hernandez, J., Menezes, A.: Software Implementation of Elliptic Curve Cryptography over Binary Fields. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 1–24. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Knudsen, E.W.: Elliptic Scalar Multiplication Using Point Halving. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 135–149. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  6. 6.
    Koblitz, N.: Elliptic curve cryptosystems. Mathematics of computation 48, 203–209 (1987)MathSciNetCrossRefMATHGoogle Scholar
  7. 7.
    Koblitz, N.: CM-curves with good cryptographic properties. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 279–287. Springer, Heidelberg (1992)Google Scholar
  8. 8.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)Google Scholar
  9. 9.
    Reitwiesner, G.W.: Binary arithmetic. Advances in Computers 1, 231–308 (1960)MathSciNetCrossRefGoogle Scholar
  10. 10.
    Schroeppel, R.: Point halving wins big. In: Talks at (i) Midwest Arithmetical Geometry in Cryptography Workshop, November 17-19 (2000); University of Illinois at Urbana-Champaign; and (ii) ECC 2001Workshop, University of Waterloo, Ontario, Canada, October 29-31 (2001)Google Scholar
  11. 11.
    Schroeppel, R.: Elliptic curve point ambiguity resolution apparatus and method. International Application Number PCT/US00/31014, filed 9 (November 2000)Google Scholar
  12. 12.
    Sedgewick, R., Flajolet, P.: An Introduction to the Analysis of Algorithms. Addison-Wesley, Reading (1996)MATHGoogle Scholar
  13. 13.
    Solinas, J.A.: An improved algorithm for arithmetic on a family of elliptic curves. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 357–371. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  14. 14.
    Solinas, J.A.: Efficient Arithmetic on Koblitz Curves. Designs, Codes and Cryptography 19(2/3), 125–179 (2000)MathSciNetCrossRefMATHGoogle Scholar
  15. 15.
    IEEE Std 1363-2000. IEEE Standard Specifications for Public-Key Cryptography. IEEE Computer Society (August 29, 2000)Google Scholar
  16. 16.
    National Institute of Standards and Technology. Digital Signature Standard. FIPS Publication 186-2 (February 2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Roberto Maria Avanzi
    • 1
  • Clemens Heuberger
    • 2
  • Helmut Prodinger
    • 3
  1. 1.Faculty of Mathematics and Horst Görtz Institute for IT SecurityRuhr-University BochumGermany
  2. 2.Institut für Mathematik BTechnische Universität GrazAustria
  3. 3.Department of MathematicsUniversity of StellenboschSouth Africa

Personalised recommendations