Extending Scalar Multiplication Using Double Bases

  • Roberto Avanzi
  • Vassil Dimitrov
  • Christophe Doche
  • Francesco Sica
Conference paper

DOI: 10.1007/11935230_9

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4284)
Cite this paper as:
Avanzi R., Dimitrov V., Doche C., Sica F. (2006) Extending Scalar Multiplication Using Double Bases. In: Lai X., Chen K. (eds) Advances in Cryptology – ASIACRYPT 2006. ASIACRYPT 2006. Lecture Notes in Computer Science, vol 4284. Springer, Berlin, Heidelberg


It has been recently acknowledged [4,6,9] that the use of double bases representations of scalars n, that is an expression of the form n = ∑e, s, t (–1)eAsBt can speed up significantly scalar multiplication on those elliptic curves where multiplication by one base (say B) is fast. This is the case in particular of Koblitz curves and supersingular curves, where scalar multiplication can now be achieved in o(logn) curve additions.

Previous literature dealt basically with supersingular curves (in characteristic 3, although the methods can be easily extended to arbitrary characteristic), where A,B ∈ℕ. Only [4] attempted to provide a similar method for Koblitz curves, where at least one base must be non-real, although their method does not seem practical for cryptographic sizes (it is only asymptotic), since the constants involved are too large.

We provide here a unifying theory by proposing an alternate recoding algorithm which works in all cases with optimal constants. Furthermore, it can also solve the until now untreatable case where both A and B are non-real. The resulting scalar multiplication method is then compared to standard methods for Koblitz curves. It runs in less than logn/loglogn elliptic curve additions, and is faster than any given method with similar storage requirements already on the curve K-163, with larger improvements as the size of the curve increases, surpassing 50% with respect to the τ-NAF for the curves K-409 and K-571. With respect of windowed methods, that can approach our speed but require O(log(n)/loglog(n)) precomputations for optimal parameters, we offer the advantage of a fixed, small memory footprint, as we need storage for at most two additional points.

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Roberto Avanzi
    • 1
  • Vassil Dimitrov
    • 2
  • Christophe Doche
    • 3
  • Francesco Sica
    • 4
  1. 1.Faculty of Mathematics and Horst Görtz Institute for IT SecurityRuhr-University BochumGermany
  2. 2.Advanced Technology Information Processing Systems laboratory, Centre for Informations Security and CryptographyUniversity of CalgaryCanada
  3. 3.Department of ComputingMacquarie UniversityNorth RydeAustralia
  4. 4.Department of Mathematics and Computer Science – AcecryptMount Allison UniversitySackvilleCanada

Personalised recommendations