A Secure and Efficient Method for Scalar Multiplication on Supersingular Elliptic Curves over Binary Fields

Abstract

We present a secure and efficient scalar multiplication method for supersingular elliptic curves over binary fields based on Montgomery’s ladder algorithm. Our approach uses only the x-coordinate of elliptic curve points to perform scalar multiplication, requires no precomputation and executes the same number of operations over the binary field in every iteration. When applied to projective coordinates, our method is faster than the other typical scalar multiplication methods in practical situations.

A Appendix: Montgomery’s Ladder Invariant

Lemma 1

Every iteration in Montgomery’s ladder algorithm to compute \(kP_0\), where \(k = (k_{n-1}, k_{n-2}, \ldots , k_0)_2\), keeps the difference \(S - R = P_0\).

Proof

Before the first iteration, we have \(R = P_0\) and \(S = 2P_0\), and thus \(Q_2 - Q_1 = P_0\). Now let’s assume that during an iteration \(0 \le i \le l-2\) we have \(R = nP_0\) and \(S = (n+1)P_0\), where \(1 \le n\le k\). The difference \(S - R = P_0\) holds. To prove that in iteration \(i+1\) the invariant \(S - R = P_0\) is held, we must consider two cases:

• if \(k_i = 0\): the values of R and S are updated such that \(R = 2nP_0\) and \(S = (n + n + 1)P_0 = (2n+1)P_0\). We can see that the difference \(S - R = P_0\) holds in this case.

• if \(k_i = 1\): the values of R and S are updated such that \(R = (n + n + 1)P_0 = (2n+1)P_0\) and \(S = 2(k+1)P_0 = (2k+2)P_0\). We can see that the difference \(S - R = P_0\) holds in this case too.

By the end of iterations, we have \(i = 0\) and \(Q_2 - Q_1 = P_0\) is mantained.