Advertisement

Complete Addition Law for Montgomery Curves

  • Jaeheon Kim
  • Je Hong Park
  • Dong-Chan KimEmail author
  • Woo-Hwan Kim
Conference paper
  • 29 Downloads
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11975)

Abstract

Montgomery curves allow efficient and side-channel resistant computation of ECDH using the Montgomery ladder. But the addition law of a Montgomery curve derived from the chord-tangent method is less efficient than other curve models such as a short Weierstrass curve and an Edwards curve. So, the usage of a Montgomery curve is strictly limited to ECDH only, such as \(\mathsf {X25519}\) and \(\mathsf {X448}\) functions in IETF RFC 7748. For other operations including fixed-base and multiple scalar multiplications, their birationally-equivalent (twisted) Edwards curves are recommended for use since the conversions between Montgomery curves and their Edwards equivalents are simple. This conversion enables the use of the efficient complete addition law of the Edwards curve that works for all pairs of input points with no exceptional cases. As a result, the combination allows secure and exception-free implementations, but at the expense of additional storage for the two curve parameters and for the conversion between them. However, smart devices in IoT environments that mainly operate ECDH (for example, RawPublicKey mode of IETF RFC 7250) do not need to implement such a conversion if a complete addition law does exist for the Montgomery curves.

To make such implementations possible, we provide a complete addition law on Montgomery curves. The explicit formulas for the complete addition law are not as efficient as those of Edwards curves, but they can make the Montgomery curve addition operation more efficient compared to using the conversion to the (twisted) Edwards equivalent. We also confirmed the validity of the comparison by implementing such two methods of realizing the addition operation on \(\text {Curve25519}\).

Keywords

Elliptic curves Montgomery curve Complete addition law 

Notes

Acknowledgement

We are grateful to the anonymous reviewers for their help in improving the quality of the paper. This work was supported by Institute for Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korean government (MSIT) (No.2017-0-00267).

Supplementary material

References

  1. 1.
    Aranha, D.F., Barreto, P.S., Pereira, G.C., Ricardini, J.E.: A note on high-security general-purpose elliptic curves. Cryptology ePrint Archive, Report 2013/647 (2013). http://eprint.iacr.org/2013/647.pdf
  2. 2.
    Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006).  https://doi.org/10.1007/11745853_14CrossRefGoogle Scholar
  3. 3.
    Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-68164-9_26CrossRefGoogle Scholar
  4. 4.
    Bernstein, D.J., Chuengsatiansup, C., Kohel, D., Lange, T.: Twisted Hessian curves. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 269–294. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-22174-8_15 CrossRefGoogle Scholar
  5. 5.
    Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-76900-2_3CrossRefGoogle Scholar
  6. 6.
    Bernstein, D.J., Lange, T.: A complete set of addition laws for incomplete Edwards curves. J. Number Theory 131(5), 858–872 (2011).  https://doi.org/10.1016/j.jnt.2010.06.015CrossRefMathSciNetzbMATHGoogle Scholar
  7. 7.
    Bos, J.W., Costello, C., Longa, P., et al.: Selecting elliptic curves for cryptography: an efficiency and security analysis. J. Cryptogr. Eng. 6, 259 (2016).  https://doi.org/10.1007/s13389-015-0097-yCrossRefGoogle Scholar
  8. 8.
    Bosma, W., Lenstra, H.: Complete systems of two addition laws for elliptic curves. J. Number Theory 53(2), 229–240 (1995).  https://doi.org/10.1006/jnth.1995.1088CrossRefMathSciNetzbMATHGoogle Scholar
  9. 9.
    Costello, C., Smith, B.: Montgomery curves and their arithmetic. J. Cryptogr. Eng. 8, 227 (2018).  https://doi.org/10.1007/s13389-017-0157-6CrossRefGoogle Scholar
  10. 10.
    Edwards, H.M.: A normal form for elliptic curves. Bull. Am. Math. Soc. 44(3), 393–422 (2007).  https://doi.org/10.1090/S0273-0979-07-01153-6CrossRefMathSciNetzbMATHGoogle Scholar
  11. 11.
    Farashahi, R.R., Joye, M.: Efficient arithmetic on Hessian curves. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 243–260. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13013-7_15CrossRefGoogle Scholar
  12. 12.
    Garcia-Morchon, O., Kumar, S., Sethi, M.: Internet of Things (IoT) Security: State of the Art and Challenges. IETF RFC 8576 (2019).  https://doi.org/10.17487/RFC8576
  13. 13.
    Hamburg, M.: Ed448-Goldilocks, a new elliptic curve. Cryptology ePrint Archive, Report 2015/625 (2015). http://eprint.iacr.org/2015/625
  14. 14.
    Hart, W.: FLINT: Fast Library for Number Theory (2016). http://www.flintlib.org
  15. 15.
    Langley, A., Hamburg, M., Turner, S.: Elliptic Curves for Security. IETF RFC 7748 (2016).  https://doi.org/10.17487/RFC7748
  16. 16.
    Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987).  https://doi.org/10.1090/S0025-5718-1987-0866113-7CrossRefMathSciNetzbMATHGoogle Scholar
  17. 17.
    Nir, Y., Josefsson, S.: Curve25519 and Curve448 for the Internet Key Exchange Protocol Version 2 (IKEv2) Key Agreement. IETF RFC 8031 (2016).  https://doi.org/10.17487/RFC8031
  18. 18.
    Nir, Y., Josefsson, S., Pégourié-Gonnard, M.: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier. IETF RFC 8422 (2018).  https://doi.org/10.17487/RFC8422
  19. 19.
    Renes, J., Costello, C., Batina, L.: Complete addition formulas for prime order elliptic curves. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 403–428. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49890-3_16CrossRefGoogle Scholar
  20. 20.
    Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. IETF RFC 8446 (2018).  https://doi.org/10.17487/RFC8446
  21. 21.
    Shelby, Z., Hartke, K., Bormann, C.: The Constrained Application Protocol (CoAP). IETF RFC 7252 (2014).  https://doi.org/10.17487/RFC7252
  22. 22.
    Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 186, 2nd edn. Springer, New York (2009).  https://doi.org/10.1007/978-1-4757-1920-8CrossRefzbMATHGoogle Scholar
  23. 23.
    Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., Kivinen, T.: Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). IETF RFC 7250 (2014).  https://doi.org/10.17487/RFC7250

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Jaeheon Kim
    • 1
  • Je Hong Park
    • 1
  • Dong-Chan Kim
    • 2
    Email author
  • Woo-Hwan Kim
    • 1
  1. 1.The Affiliated Institute of ETRIDaejeonKorea
  2. 2.Kookmin UniversitySeoulKorea

Personalised recommendations