# Faster Addition and Doubling on Elliptic Curves

• Daniel J. Bernstein
• Tanja Lange
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4833)

## Abstract

Edwards recently introduced a new normal form for elliptic curves. Every elliptic curve over a non-binary field is birationally equivalent to a curve in Edwards form over an extension of the field, and in many cases over the original field.

This paper presents fast explicit formulas (and register allocations) for group operations on an Edwards curve. The algorithm for doubling uses only 3M + 4S, i.e., 3 field multiplications and 4 field squarings. If curve parameters are chosen to be small then the algorithm for mixed addition uses only 9M + 1S and the algorithm for non-mixed addition uses only 10M + 1S. Arbitrary Edwards curves can be handled at the cost of just one extra multiplication by a curve parameter.

For comparison, the fastest algorithms known for the popular “a 4 = −3 Jacobian” form use 3M + 5S for doubling; use 7M + 4S for mixed addition; use 11M + 5S for non-mixed addition; and use 10M + 4S for non-mixed addition when one input has been added before.

The explicit formulas for non-mixed addition on an Edwards curve can be used for doublings at no extra cost, simplifying protection against side-channel attacks. Even better, many elliptic curves (approximately 1/4 of all isomorphism classes of elliptic curves over a non-binary finite field) are birationally equivalent — over the original field — to Edwards curves where this addition algorithm works for all pairs of curve points, including inverses, the neutral element, etc.

This paper contains an extensive comparison of different forms of elliptic curves and different coordinate systems for the basic group operations (doubling, mixed addition, non-mixed addition, and unified addition) as well as higher-level operations such as multi-scalar multiplication.

## Keywords

Elliptic curves addition doubling explicit formulas register allocation scalar multiplication multi-scalar multiplication side-channel countermeasures unified addition formulas complete addition formulas efficient implementation performance evaluation

## References

1. 1.
Antipa, A., Brown, D.R.L., Gallant, R.P., Lambert, R.J., Struik, R., Vanstone, S.A.: Accelerated verification of ECDSA signatures, in [43], pp. 307–318 (2006). MR 2007d:94044, www.cacr.math.uwaterloo.ca/techreports/2005/tech_reports2005.html (Cited in §7)
2. 2.
Avanzi, R.M.: The complexity of certain multi-exponentiation techniques in cryptography. Journal of Cryptology 18, 357–373 (2005). MR 2007f:94027, www.eprint.iacr.org/2002/154 (Cited in §6, §7)
3. 3.
Barbosa, M., Page, D.: On the automatic construction of indistinguishable operations (2005), www.eprint.iacr.org/2005/174 (Cited in §8)
4. 4.
Bellare, M., Garay, J.A., Rabin, T.: Batch verification with applications to cryptography and checking, in [35], pp. 170–191 (1998). MR 99h:94043. (Cited in §7)Google Scholar
5. 5.
Bernstein, D.J.: A software implementation of NIST P-224 (2001), www.cr.yp.to/talks.html#2001.10.29 (Cited in §5)
6. 6.
Bernstein, D.J.: Differential addition chains (2006), www.cr.yp.to/papers.html#diffchain (Cited in §7, §8)
7. 7.
Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records, in [45], pp. 207–228 (2006), www.cr.yp.to/papers.html#curve25519 (Cited in §1, §2,§4, §5, §8)
8. 8.
Bernstein, D.J., Lange, T.: Explicit-formulas database (2007), www.hyperelliptic.org/EFD (Cited in §2, §3, §3,§5)
9. 9.
Billet, O., Joye, M.: The Jacobi model of an elliptic curve and side-channel analysis, in [26], pp. 34–42 (2003). MR 2005c:94045, www.eprint.iacr.org/2002/125 (Cited in §1, §5)
10. 10.
Blake, I.F., Seroussi, G., Smart, N.P. (eds.): Advances in elliptic curve cryptography. London Mathematical Society Lecture Note Series, 317. Cambridge University Press, Cambridge (2005), MR 2007g:94001. See [27]Google Scholar
11. 11.
Bosma, W., Lenstra Jr., H.W.: Complete systems of two addition laws for elliptic curves. Journal of Number Theory 53, 229–240 (1995), MR 96f:11079. (Cited in §3, §3)Google Scholar
12. 12.
Brier, É., Déchène, I., Joye, M.: Unified point addition formulae for elliptic curve cryptosystems, in [40], pp. 247–256 (2004) (Cited in §5)Google Scholar
13. 13.
Brier, É., Joye, M.: Weierstrass elliptic curves and side-channel attacks, in [39], pp. 335–345 (2002), www.geocities.com/MarcJoye/publications.html (Cited in §5, §8)
14. 14.
Brown, D.R.L.: Multi-dimensional Montgomery ladders for elliptic curves (2006), www.eprint.iacr.org/2006/220 (Cited in §7, §8)
15. 15.
Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. IEEE Transactions on Computers 53, 760–768 (2004), www.bcm.crypto.free.fr/pdf/CCJ04.pdf (Cited in §8)
16. 16.
Chudnovsky, D.V., Chudnovsky, G.V.: Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Advances in Applied Mathematics 7, 385–434 (1986), MR 88h:11094. (Cited in §5)Google Scholar
17. 17.
Cohen, H., Frey, G. (eds.): Handbook of elliptic and hyperelliptic curve cryptography. CRC Press, Boca Raton (2005), MR 2007f:14020. See [22], [24], [33]Google Scholar
18. 18.
Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates, in [41], pp. 51–65 (1998), MR 1726152, www.math.u-bordeaux.fr/~cohen/asiacrypt98.dvi (Cited in §1, §5)
19. 19.
Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems, in [32], pp. 292–302 (1999) (Cited in §8, §8, §8)Google Scholar
20. 20.
de Rooij, P.: Efficient exponentiation using precomputation and vector addition chains, in [21], pp. 389–399 (1995), MR 1479665. (Cited in §7)Google Scholar
21. 21.
De Santis, A. (ed.): Advances in cryptology: EUROCRYPT 1994. LNCS, vol. 950. Springer, Heidelberg (1995), MR 98h:94001. See [20]Google Scholar
22. 22.
Doche, C.: Exponentiation, in [17], pp. 145–168 (2005) MR 2162725. (Cited in §6, §7)Google Scholar
23. 23.
Doche, C., Icart, T., Kohel, D.R.: Efficient scalar multiplication by isogeny decompositions, in [45], pp. 191–206 (2006) (Cited in §1)Google Scholar
24. 24.
Doche, C., Lange, T.: Arithmetic of elliptic curves, in [17], pp. 267–302 (2005), MR 2162729. (Cited in §5)Google Scholar
25. 25.
Edwards, H.M.: A normal form for elliptic curves. Bulletin of the American Mathematical Society 44, 393–422 (2007), www.ams.org/bull/2007-44-03/S0273-0979-07-01153-6/home.html (Cited in §1, §3)
26. 26.
Fossorier, M.P.C., Høholdt, T., Poli, A. (eds.): Applied Algebra, Algebraic Algorithms and Error-Correcting Codes. LNCS, vol. 2643. Springer, Heidelberg (2003). ISBN 3-540-40111-3. MR 2004j:94001. (Sec [9])Google Scholar
27. 27.
Joye, M.: Defences against side-channel analysis, in [10], pp. 87–100 (2005) (Cited in §8)Google Scholar
28. 28.
Joye, M., Quisquater, J.-J.: Hessian elliptic curves and side-channel attacks, in [31], pp. 402–410 (2001). MR 2003k:94032, www.geocities.com/MarcJoye/publications.html (Cited in §1, §5)
29. 29.
Joye, M., Yen, S.-M.: The Montgomery powering ladder, in [30], pp. 291–302 (2003), www.gemplus.com/smart/rd/publications/pdf/JY03mont.pdf (Cited in §8)
30. 30.
Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.): Cryptographic hardware and embedded systems-CHES 2002. LNCS, vol. 2523. Springer, Heidelberg (2003). ISBN 3-540-42521-7. See [29]Google Scholar
31. 31.
Koç, Ç.K., Naccache, D., Paar, C. (eds.): Cryptographic hardware and embedded systems-CHES 2001. LNCS, vol. 2162. Springer, Heidelberg (2001). ISBN 3-540-42521-7. MR 2003g:94002. See [28], [34], [42]Google Scholar
32. 32.
Koç, Ç.K., Paar, C. (eds.): Cryptographic hardware and embedded systems. In: first international workshop CHES 1999. LNCS, vol. 1717. Springer, Heidelberg (1999). ISBN 3-540-66646-X. See [19]Google Scholar
33. 33.
Lange, T.: Mathematical countermeasures against side-channel attacks, in [17], pp. 687–714 (2005), MR 2163785. (Cited in §8, §8)Google Scholar
34. 34.
Liardet, P.-Y., Smart, N.P.: Preventing SPA/DPA in ECC systems using the Jacobi form, in [31], pp. 391–401 (2001), MR 2003k:94033. (Cited in §1, §5, §8)Google Scholar
35. 35.
Lucchesi, C.L., Moura, A.V. (eds.): LATIN 1998: theoretical informatic. LNCS, vol. 1380. Springer, Heidelberg (1998). ISBN 3-540-64275-7. MR 99d:68007. See [4]Google Scholar
36. 36.
Mangard, S., Oswald, E., Popp, T.: Power analysis attacks: revealing the secrets of smart cards. Springer, Heidelberg (2007) (Cited in §8, §8)Google Scholar
37. 37.
Miller, V.S.: Use of elliptic curves in cryptography, in [44], pp. 417–426 (1986) MR 88b:68040. (Cited in §1)Google Scholar
38. 38.
Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation 48, 243–264 (1987) MR 88e:11130, www.links.jstor.org/sici?sici=0025-5718 (Cited in §1, §6, §7)
39. 39.
Naccache, D., Paillier, P. (eds.): Public key cryptography. In: PKC 2002. LNCS, vol. 2274. Springer, Heidelberg (2002). ISBN 3-540-43168-3. MR 2005b:94044. See [13]Google Scholar
40. 40.
Nedjah, N., de Macedo Mourelle, L. (eds.): Embedded Cryptographic Hardware: Methodologies & Architectures, Nova Science Publishers (2004) ISBN 1-59454-012-8. See [12]Google Scholar
41. 41.
Ohta, K., Pei, D. (eds.): Advances in cryptology-ASIACRYPT 1998. LNCS, vol. 1514. Springer, Berlin (1998). ISBN 3-540-65109-8. MR 2000h:94002. See [18]Google Scholar
42. 42.
Oswald, E., Aigner, M.: Randomized addition-subtraction chains as a countermeasure against power attack, in [31], pp. 39–50 (2001) MR 2003m:94068. (Cited in §8)Google Scholar
43. 43.
Preneel, B., Tavares, S.E. (eds.): Selected Areas in Cryptography. In: SAC 2005. LNCS, vol. 3897, Springer, Heidelberg (2006). ISBN3-540-33108-5. MR 2007b:94002. See [1]Google Scholar
44. 44.
Williams, H.C. (ed.): CRYPTO 1985. LNCS, vol. 218. Springer, Berlin (1986). ISBN 3-540-16463-4. MR 87d:94002. See [37]Google Scholar
45. 45.
Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.): 9th international conference on theory and practice in public-key cryptography. LNCS, vol. 3958. Springer, Heidelberg (2006). ISBN 978-3-540-33851-2. See [7], [23] Google Scholar

## Authors and Affiliations

• Daniel J. Bernstein
• 1
• Tanja Lange
• 2
1. 1.Department of Mathematics, Statistics, and Computer Science (M/C 249), University of Illinois at Chicago, Chicago, IL 60607–7045USA
2. 2.Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, P.O. Box 513, 5600 MB EindhovenNetherlands