Efficient Scalar Multiplication by Isogeny Decompositions

  • Christophe Doche
  • Thomas Icart
  • David R. Kohel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3958)

Abstract

On an elliptic curve, the degree of an isogeny corresponds essentially to the degrees of the polynomial expressions involved in its application. The multiplication–by–ℓ map [ℓ] has degree ℓ2, therefore the complexity to directly evaluate [ℓ](p) is O(ℓ2). For a small prime ℓ (= 2, 3) such that the additive binary representation provides no better performance, this represents the true cost of application of scalar multiplication. If an elliptic curve admits an isogeny ϕ of degree ℓ then the costs of computing ϕ(P) should in contrast be O(ℓ) field operations. Since we then have a product expression [ℓ]=\(\hat{\varphi}\varphi\), the existence of an ℓ-isogeny ϕ on an elliptic curve yields a theoretical improvement from O(ℓ2) to O(ℓ) field operations for the evaluation of [ℓ](p) by naïve application of the defining polynomials. In this work we investigate actual improvements for small ℓ of this asymptotic complexity. For this purpose, we describe the general construction of families of curves with a suitable decomposition [ℓ]=\(\hat{\varphi}\varphi\), and provide explicit examples of such a family of curves with simple decomposition for [3]. Finally we derive a new tripling algorithm to find complexity improvements to triplication on a curve in certain projective coordinate systems, then combine this new operation to non-adjacent forms for ℓ-adic expansions in order to obtain an improved strategy for scalar multiplication on elliptic curves.

Keywords

Elliptic curve cryptography fast arithmetic efficiently computable isogenies efficient tripling ℓ-adic  NAFω 

References

  1. [ACD+05] Avanzi, R.M., Cohen, H., Doche, C., Frey, G., Lange, T., Nguyen, K., Vercauteren, F.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. CRC Press, Inc., Boca Raton (2005)MATHGoogle Scholar
  2. [Ber01] Bernstein, D.J.: A software implementation of NIST P-224, slides of a talk given at ECC 2001 (2001)Google Scholar
  3. Brier, É., Joye, M.: Fast point multiplication on elliptic curves through isogenies. In: Fossorier, M.P.C., Høholdt, T., Poli, A. (eds.) AAECC 2003. LNCS, vol. 2643, pp. 43–50. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  4. [CJLM05] Ciet, M., Joye, M., Lauter, K., Montgomery, P.L.: Trading inversions for multiplications in elliptic curve cryptography. Des. Codes Cryptogr. (to appear, 2005); Also available from Cryptology ePrint ArchiveGoogle Scholar
  5. [CLSQ03] Ciet, M., Lange, T., Sica, F., Quisquater, J.-J.: Improved algorithms for efficient arithmetic on elliptic curves using fast endomorphisms. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 388–400. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. [CMO97] Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation. In: Han, Y., Quing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 282–290. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  7. [CMO98] Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 51–65. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  8. [CS05] Ciet, M., Sica, F.: An Analysis of Double Base Number Systems and a sublinear scalar multiplication algorithm. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005. LNCS, vol. 3715, pp. 171–182. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  9. [DIM05] Dimitrov, V.S., Imbert, L., Mishra, P.K.: Efficient and secure elliptic curve point multiplication using double-base chains. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 59–78. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. [DJM99] Dimitrov, V.S., Jullien, G.A., Miller, W.C.: Theory and applications of the double-base number system. IEEE Trans. on Computers 48(10), 1098–1106 (1999)CrossRefGoogle Scholar
  11. [GLV01] Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  12. [HMV03] Hankerson, D., Menezes, A.J., Vanstone, S.A.: Guide to elliptic curve cryptography. Springer, Heidelberg (2003)MATHGoogle Scholar
  13. [HT05] Han, D.-G., Takagi, T.: Some analysis of radix-r representations (preprint, 2005), http://eprint.iacr.org/2005/402/
  14. [JMV05] Jao, D., Miller, S.D., Venkatesan, R.: Do all elliptic curves of the same order have the same difficulty of discrete log? In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 21–40. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. [Kob92] Koblitz, N.: CM-curves with good cryptographic properties. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 279–287. Springer, Heidelberg (1992)Google Scholar
  16. [Lan05] Lange, T.: Koblitz curve cryptosystems. Finite Fields Appl. 11(2), 220–229 (2005)MathSciNetCrossRefMATHGoogle Scholar
  17. [LD98] López, J., Dahab, R.: Improved algorithms for elliptic curve arithmetic in GF(2n), Tech. Report IC-98-39, Relatório Técnico (October 1998)Google Scholar
  18. [MO90] Morain, F., Olivos, J.: Speeding up the computations on an elliptic curve using addition-subtraction chains. Inform. Theory Appl. 24, 531–543 (1990)MathSciNetCrossRefMATHGoogle Scholar
  19. [MV90] Menezes, A.J., Vanstone, S.A.: The implementation of elliptic curve cryptosystems. In: Seberry, J., Pieprzyk, J.P. (eds.) AUSCRYPT 1990. LNCS, vol. 453, pp. 2–13. Springer, Heidelberg (1990)Google Scholar
  20. [Sol00] Solinas, J.A.: Efficient arithmetic on Koblitz curves. Des. Codes Cryptogr. 19, 195–249 (2000)MathSciNetCrossRefMATHGoogle Scholar
  21. [TYW04] Takagi, T., Yen, S.-M., Wu, B.-C.: Radix-r non-adjacent form. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 99–110. Springer, Heidelberg (2004)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Christophe Doche
    • 1
  • Thomas Icart
    • 2
  • David R. Kohel
    • 3
  1. 1.Department of ComputingMacquarie UniversityAustralia
  2. 2.Laboratoire d’Informatique de l’École PolytechniqueFrance
  3. 3.School of Mathematics and StatisticsUniversity of SydneyAustralia

Personalised recommendations