Faster and Lower Memory Scalar Multiplication on Supersingular Curves in Characteristic Three

  • Roberto Avanzi
  • Clemens Heuberger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6571)


We describe new algorithms for performing scalar multiplication on supersingular elliptic curves in characteristic three. These curves can be used in pairing-based cryptography. Since in pairing-based protocols besides pairing computations also scalar multiplications are required, and the performance of the latter is not negligible, improving it is clearly important as well. The techniques presented here bring noticeable speed ups (up to 30% for methods using a variable amount of memory and up to 46.7% for methods with a small, fixed memory usage), while at the same time bringing substantial memory reductions – factors like 3 to 8 are not uncommon.

The starting point for our methods is a structure theorem for unit groups of residue classes of a quadratic order associated to the Frobenius endomorphism of the considered curves. This allows us to define new digit sets whose elements are products of powers of certain generators of said groups. There are of course several choices for these generators: we chose generators associated to endomorphisms for which we could find efficient explicit formulae in a suitable coordinate system. A multiple-base-like scalar multiplication algorithm making use of these digits and these formulae brings the claimed speed up.


Supersingular elliptic curves pairing-friendly elliptic curves scalar multiplication Frobenius expansion explicit formulae 


  1. 1.
    Ahmadi, O., Hankerson, D., Menezes, A.: Software Implementation of Arithmetic in \(\mathbb{F}_{3^m}\). In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 85–102. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  2. 2.
    Avanzi, R.M., Dimitrov, V.S., Doche, C., Sica, F.: Extending scalar multiplication using double bases. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 130–144. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Avanzi, R.M., Heuberger, C., Prodinger, H.: On redundant τ-adic expansions and non-adjacent digit sets. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 285–301. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  4. 4.
    Avanzi, R.M., Heuberger, C., Prodinger, H.: Redundant τ-adic Expansions I: Non-Adjacent Digit Sets and their Applications to Scalar Multiplication, Design, Codes and Cryptography (2010) (to appear)Google Scholar
  5. 5.
    Avanzi, R.M., Heuberger, C., Prodinger, H.: Arithmetic of Koblitz Curves in Characteristic Three (2010) (preprint) Google Scholar
  6. 6.
    Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient Algorithms for Pairing-Based Cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–368. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Beuchat, J.-L., Brisebarre, N., Detrey, J., Okamoto, E., Rodríguez-Henríquez, F.: A Comparison between Hardware Accelerators for the Modified Tate Pairing over F\(_{2^m}\) and F\(_{3^m}\). In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 297–315. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  8. 8.
    Beuchat, J.-L., López-Trejo, E., Martínez-Ramos, L., Mitsunari, S., Rodríguez-Henríquez, F.: Multi-core implementation of the tate pairing over supersingular elliptic curves. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 413–432. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  9. 9.
    Beuchat, J.-L., Shirase, M., Takagi, T., Okamoto, E.: An Algorithm for the η T Pairing Calculation in Characteristic Three and its Hardware Implementation. In: ARITH 2007, pp. 97–104. IEEE Computer Society, Los Alamitos (2007)Google Scholar
  10. 10.
    Blake, I.F., Murty, V.K., Xu, G.: Efficient algorithms for Koblitz curves over fields of characteristic three. J. Discrete Algorithms 3(1), 113–124 (2005)MathSciNetMATHCrossRefGoogle Scholar
  11. 11.
    Brickell, E., Chen, L., Li, J.: A new direct anonymous attestation scheme from bilinear maps. In: Lipp, P., Sadeghi, A.-R., Koch, K.-M. (eds.) Trust 2008. LNCS, vol. 4968, pp. 166–178. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  12. 12.
    Cesena, E.: Trace Zero Varieties in Pairing-based Cryptography. Ph.D. Thesis, Università degli Studi Roma TRE (2010)Google Scholar
  13. 13.
    Chudnovsky, D.V., Chudnovsky, G.V.: Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Advances in Applied Math. 7, 385–434 (1986)MathSciNetMATHCrossRefGoogle Scholar
  14. 14.
    Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 51–65. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  15. 15.
    Coron, J.-S., M’Raïhi, D., Tymen, C.: Fast generation of pairs (k,[k]P) for koblitz elliptic curves. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 151–164. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    Freeman, D., Scott, M., Teske, E.: A Taxonomy of Pairing-Friendly Elliptic Curves. J. Cryptology 23(2), 224–280 (2010)MathSciNetMATHCrossRefGoogle Scholar
  17. 17.
    Halter-Koch, F.: Einseinheitengruppen und prime Restklassengruppen in quadratischen Zahlkörpern. Journal of Number Theory 4, 10–17 (1972)Google Scholar
  18. 18.
    Harrison, K., Page, D., Smart, N.: Software Implementation of Finite Fields of Characteristic Three, for Use in Pairing Based Cryptosystems. LMS Journal of Computation and Mathematics 5, 181–193 (2002)MathSciNetMATHGoogle Scholar
  19. 19.
    Kim, K.-H., Nègre, C.: Point multiplication on supersingular elliptic curves defined over fields of characteristic 2 and 3. In: SECRYPT 2008. INSTICC Press, pp. 373–376 (2008)Google Scholar
  20. 20.
    Koblitz, N.: An elliptic curve implementation of the finite field digital signature algorithm. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 327–337. Springer, Heidelberg (1998)Google Scholar
  21. 21.
    Nakagoshi, N.: The structure of the multiplicative group of residue classes modulo \(\mathfrak{p}\sp{N+1}\). Nagoya Mathematical Journal 73, 41–60 (1979)MathSciNetGoogle Scholar
  22. 22.
    Mitsunari, S.: A fast implementation of η T pairing in characteristic three on intel processor. Cryptology ePrint Archive, report 2009/032 (2009)Google Scholar
  23. 23.
    Smart, N.: Elliptic Curve Cryptosystems over Small Fields of Odd Characteristic. J. Cryptology 12, 141–151 (1999)MathSciNetMATHCrossRefGoogle Scholar
  24. 24.
    Solinas, J.A.: Efficient arithmetic on Koblitz curves. Design, Codes and Cryptography 19, 195–249 (2000)MathSciNetMATHCrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Roberto Avanzi
    • 1
  • Clemens Heuberger
    • 2
  1. 1.Faculty of Mathematics and Horst Görtz Institute for IT SecurityRuhr-University BochumGermany
  2. 2.Institut für Mathematik BTechnische Universität GrazAustria

Personalised recommendations