Highly Regular Right-to-Left Algorithms for Scalar Multiplication

  • Marc Joye
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4727)


This paper introduces several binary scalar multiplication algorithms with applications to cryptography. Remarkably, the proposed algorithms regularly repeat the same pattern when evaluating a scalar multiplication in an (additively written) abelian group. Furthermore, they are generic and feature the following properties:
  • no dummy operation is involved;

  • no precomputation nor prior recoding is needed;

  • a small number of temporary registers / code memory is required;

  • the scalar is processed right-to-left.

As a result, they are particularly well fitted for implementing cryptosystems in constrained devices, in an efficient yet secure way.
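The regular pattern the abstract refers to is the right-to-left double-add rule R_{1-k_i} ← 2R_{1-k_i} + R_{k_i} (with R_0 ← O, R_1 ← P, and R_0 = kP at the end), which keeps the invariant R_0 + R_1 = 2^i P. The Python below is an added example written for this page, not code from the paper; the toy curve parameters and base point are constructed assumptions, and a plain double-and-add is included only as a correctness reference.

```python
# Added example (not from the paper): Joye's regular right-to-left
# double-add scalar multiplication, run in a constructed toy affine
# Weierstrass curve group so that it executes offline.
P_MOD = 97            # constructed toy prime field (far too small for real use)
A, B = 2, 3           # y^2 = x^3 + 2x + 3 over F_97 (discriminant is nonzero)
INF = None            # point at infinity, the group identity
BASE = (3, 6)         # constructed base point: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)

def ec_add(p, q):
    """Affine group law; handles identity, inverse pairs and doubling."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                              # q == -p (covers 2*p when y == 0)
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def regular_rtl_mul(k, n_bits, point):
    """Regular right-to-left double-add: R[1-b] <- 2*R[1-b] + R[b] per bit b.

    Every iteration performs exactly one doubling and one addition on live
    data, whatever the bit value: no dummy operation, no precomputation and
    no recoding of k. The loop length is the fixed n_bits, not the bit
    length of k. Invariant: R[0] + R[1] == 2^i * point after i iterations,
    and R[0] == k * point on exit.
    """
    r = [INF, point]
    for i in range(n_bits):
        b = (k >> i) & 1
        r[1 - b] = ec_add(ec_add(r[1 - b], r[1 - b]), r[b])
    return r[0]

def naive_mul(k, point):
    """Reference only: left-to-right double-and-add, whose conditional
    addition leaks the bits of k through its irregular operation pattern."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, point)
    return acc

if __name__ == "__main__":
    print(regular_rtl_mul(0b10110101, 8, BASE), naive_mul(0b10110101, BASE))
```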


Keywords: scalar multiplication, exponentiation, implementation attacks, constrained devices, cryptography



Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Marc Joye, Thomson R&D France, Technology Group, Corporate Research, Security Laboratory, 1 avenue de Belle Fontaine, 35576 Cesson-Sévigné Cedex, France
