Improved Tripling on Elliptic Curves

Abstract

We propose efficient strategies for calculating point tripling on Hessian (\(8M+5S\)), Jacobi-intersection (\(7M+5S\)), Edwards (\(8M+5S\)) and Huff (\(10M+5S\)) curves, together with a fast quintupling formula on Edwards curves. M is the cost of a field multiplication and S is the cost of a field squaring. To get the best speeds for single-scalar multiplication without regarding perstored points, computational cost between different double-base representation algorithms with various forms of curves is analyzed. Generally speaking, tree-based approach achieves best timings on inverted Edwards curves; yet under exceptional environment, near optimal controlled approach also worths being considered.

This work is supported in part by National Research Foundation of China under Grant No. 61502487, 61272040, and in part by National Basic Research Program of China (973) under Grant No. 2013CB338001.

A Quintupling Formula on Edwards

We show a new formula to calculate the 5-fold of a point P on Edwards in this section. Let \((X_5,Y_5,Z_5)=5(X_1,Y_1,Z_1)\). Explicit expression of \((X_5,Y_5,Z_5)\) is quite involved so we exclude it in this context. Yet it’s straightforward computable using curve equation and addition formula, one can accomplish it with the help of Magma or SageMath. An alternative algorithm for computing \((X_5,Y_5,Z_5)\) is as follows:

$$\begin{aligned} A\leftarrow X_1^2, B\leftarrow Y_1^2, C\leftarrow Z_1^2, D\leftarrow A^2, E\leftarrow B^2, F\leftarrow C^2, \end{aligned}$$

$$\begin{aligned} G\leftarrow (A+C)^2-D-F, H\leftarrow (B+C)^2-E-F,I\leftarrow (A+B)^2, J\leftarrow I-D-E, \end{aligned}$$

$$\begin{aligned} K\leftarrow I^2, L\leftarrow I-G-H, M\leftarrow (D-E)^2, N\leftarrow J^2, \end{aligned}$$

$$\begin{aligned} O\leftarrow (D-E)(K-2d(K-M-2N)), P\leftarrow 2M(I+4F-G-H), \end{aligned}$$

$$\begin{aligned} Q\leftarrow K-4d\cdot N, R\leftarrow (D-E-G+H)Q, S\leftarrow L(2M-Q), \end{aligned}$$

$$\begin{aligned} T\leftarrow O+P, U\leftarrow P-Q, V\leftarrow R+S, W\leftarrow R-S, \end{aligned}$$

$$\begin{aligned} X_5\leftarrow X_1(U+W)(U-W), Y_5\leftarrow Y_1(T+V)(T-V), Z_5\leftarrow Z_1(T+V)(U-W). \end{aligned}$$

The above algorithm derives an efficient quintupling formula that costs \(10M+12S+2D\). Including previous work reported in [27], cost of different strategies for computing projective quintupling formula on Edwards curves is listed as Table 5. It turns out that the new formula is preferred in most practical environments when \(D \backslash M\), \(S \backslash M\)-ratio are less than 1.

Table 5. Different quintupling formulas on Edwards curves.