Fast Scalar Multiplication for Elliptic Curves over Binary Fields by Efficiently Computable Formulas

Abstract

This paper considers efficient scalar multiplication of elliptic curves over binary fields with a twofold purpose. Firstly, we derive the most efficient 3P formula in \(\lambda \)-projective coordinates and 5P formula in both affine and \(\lambda \)-projective coordinates. Secondly, extensive experiments have been conducted to test various multi-base scalar multiplication methods (e.g., greedy, ternary/binary, multi-base NAF, and tree-based) by integrating our fast formulas. The experiments show that our 3P and 5P formulas had an important role in speeding up the greedy, the ternary/binary, the multi-base NAF, and the tree-based methods over the NAF method. We also establish an efficient 3P formula for Koblitz curves and use it to construct an improved set for the optimal pre-computation of window TNAF.

Research supported in part by the National 973 Project of China (No. 2013CB834205).

A Appendix: Proofs

1.1 A.1 Theorem 1

Proof

Let \(P=(x_P,y_P)\in E({\mathbb F}_{2^m})\) and \(6P\ne \mathcal{O}\). Otherwise, if \(6P = \mathcal{O}\) then \(5P = -P\). We shall prove Theorem 1 by the fact

$$ (x_{5P},\lambda _{5P})= (x_{2P},\lambda _{2P})+(x_{3P},\lambda _{3P}). $$

By using the \(P+Q\) \(\lambda \)-affine formula given in [28], we have

$$\begin{aligned} x_{5P} = \frac{x_{3P} x_{2P}}{(x_{3P}+ x_{2P})^2} (\lambda _{3P}+\lambda _{2P}) . \end{aligned}$$

(3)

$$\begin{aligned} \lambda _{5P} = \frac{x_{3P} (x_{5P} + x_{2P})^2}{x_{5P} x_{2P}} + \lambda _{2P}+ 1. \end{aligned}$$

(4)

We apply \(x_{3P}=x_P+\frac{x_P^3}{\alpha }+\big (\frac{x_P^3}{\alpha }\big )^2\) and \( x_{2P} = \frac{x_P^4+b}{x_P^2} \) in Eq. (3). We have

$$\begin{aligned} x_{5P}&= \frac{x_P^3(\alpha ^2+x_P^2(x_P^4+b)) \alpha ^2 (x_P^4+b)}{ \big ( \alpha ^2 (x_P^4+b) + x_P^3(\alpha ^2+x_P^2(x_P^4+b))\big )^2} (\lambda _{3P}+\lambda _{2P}) \end{aligned}$$

(5)

$$\begin{aligned}&=\frac{x_P^3 \beta \alpha ^2 (x_P^4+b) }{\gamma ^2} (\lambda _{3P}+\lambda _{2P}) \end{aligned}$$

(6)

We note that

$$\begin{aligned} \lambda _{3P}+\lambda _{2P} = \frac{x_P \gamma ^2}{x_P^3 \beta \alpha ^2 (x_P^4+b)}+1. \end{aligned}$$

(7)

By applying Eq. (7) in Eq. (6), we have

$$\begin{aligned} x_{5P}&= x_P + \frac{x_P^3 \beta \alpha ^2 (x_P^4+b) }{\gamma ^2} \end{aligned}$$

(8)

$$\begin{aligned}&= x_P + \frac{x_P^3 \beta }{\gamma }+\big (\frac{x_P^3 \beta }{\gamma }\big )^2 . \end{aligned}$$

(9)

We have derived \( x_{5P}\). Next, we want to derive \( y_{5P}\). From Eq. (4), we have

$$\begin{aligned} \lambda _{5P} = \frac{x_{3P}}{x_{2P}} x_{5P} + \frac{x_{3P} x_{2P}}{x_{5P}} + \lambda _{2P} +1 . \end{aligned}$$

(10)

We apply Eq. (10) to the fact \( y_{5P} = x_{5P} (\lambda _{5P} + x_{5P}) \). We have

$$\begin{aligned} y_{5P} = x_{5P} ( \frac{x_{3P}}{x_{2P}} x_{5P}+\lambda _{2P} +1+ x_{5P}) + x_{3P} x_{2P} . \end{aligned}$$

(11)

We apply \( x_{3P} , x_{2P} \), and \( \lambda _{2P}= \frac{x_P^4}{x_P^4+b}+\lambda _P^2+a+1\) in Eq. (11). We have

$$\begin{aligned} y_{5P}&= x_{5P} \big ( \frac{x_P^3 \beta }{\alpha ^2(x_P^4+b)} x_{5P} + \frac{x_P^4}{x_P^4+b} + \frac{y_P^2}{x_P^2} + x_P^2+a+x_{5P} \big ) + \frac{(x_P^4+b) \beta }{x_P \alpha ^2}\\&= x_{5P} \big ( \big (\frac{x_P^3 \beta }{\gamma } \big )^2 + x_P^2+a+x_{5P} \big ) + \frac{(x_P^4+b) \beta }{x_P \alpha ^2} + \frac{ x_P^4 \beta }{\alpha ^2 (x_P^4+b) } x_{5P}\\ {}&\quad + \frac{ x_P^6 + y_P^2 (x_P^4+b)}{x_P^2 (x_P^4+b) } x_{5P}\\&= y_P + x_P + (x_{5P}+x_P) \big ( \big (\frac{x_P^3 \beta }{\gamma } \big )^2 + x_P^2+a+x_{5P}+x_P \big )\\ {}&\quad + \frac{x_P \beta \alpha ^2(x_P^6 + y_P^2(x_P^4+b))}{\gamma ^2} . \end{aligned}$$

We note that \( x_P^6= \beta + (x_P^4+b)^2 + x_P^2(x_P^4+b) \) and \( \big (\frac{x_P^3 \beta }{\gamma } \big )^2 = \frac{x_P^3 \beta }{\gamma } + x_{5P} + x_P\). We have

$$\begin{aligned} \begin{array}{l} y_{5P} = y_P + x_P + (x_{5P}+x_P) \big (\frac{x_P^3 \beta }{\gamma } + x_P^2+a \big ) + \frac{x_P \beta \alpha ^2(\beta +(x_P^4+b)(x_P^4+b+y_P^2+x_P^2))}{\gamma ^2}. \end{array} \end{aligned}$$

1.2 A.2 Theorem 2

Proof

We shall prove Theorem 2 by the fact

$$\begin{aligned} (x_{3P},\lambda _{3P}) = (x_P,\lambda _P) + (x_{2P},\lambda _{2P}) . \end{aligned}$$

(12)

By using the \(P+Q\) \(\lambda \)-affine formula given in [28], we have

$$\begin{aligned} x_{3P}=\frac{x_P x_{2P}}{(x_P+x_{2P})^2} (\lambda _P + \lambda _{2P}). \end{aligned}$$

(13)

$$\begin{aligned} \lambda _{3P} = \frac{x_{2P} (x_{3P}+x_P)^2}{x_{3P} x_P}+\lambda _P+1. \end{aligned}$$

(14)

We apply the relation \(\lambda _P + \lambda _{2P}= \frac{ (x_P+x_{2P})^2}{x_{2P}}+ 1\) in Eq. (13). We have

$$\begin{aligned} x_{3P}= & {} x_P + \frac{x_P x_{2P}}{(x_P+x_{2P})^2} \end{aligned}$$

(15)

$$\begin{aligned}= & {} \frac{x_P \big (x_{2P} + (x_{2P} +x_P)^2 \big )}{(x_P+x_{2P})^2}. \end{aligned}$$

(16)

We convert \(\lambda \)-affine point \((x_P,\lambda _P)\) to \(\lambda \)-projective point \((X_P,L_P,Z_P)\) by using the relation \((x_P,\lambda _P)=(\frac{X_P}{Z_P},\frac{L_P}{Z_P})\). Thus, the equations above become

$$\begin{aligned} x_{2P}&= \frac{L_P^2+L_P Z_P+a Z^2}{Z_P^2} = \frac{T}{Z_P^2}. \end{aligned}$$

$$\begin{aligned} x_{3P}&= \frac{ \frac{X_P}{Z_P} \big (\frac{T}{Z_P^2} + \frac{(T + X_P Z_P)^2}{Z_P^4} \big ) }{\frac{(T + X_P Z_P)^2}{Z_P^4}} \\&= \frac{X_P \big (T Z_P^2 + (T + X_P Z_P)^2 \big )}{Z_P (T + X_P Z_P)^2} \\&= \frac{X_P B}{Z_P A} .\\ \lambda _{3P}&= \frac{ \frac{T}{Z_P^2} \big (\frac{X_P B}{Z_P A} + \frac{X_P}{Z_P} \big )^2 }{\frac{X_P^2 B}{Z_P^2 A}} + \frac{L_P Z_P+Z_P^2}{Z_P^2} \\&= \frac{T (A+B)^2}{Z_P^2 A B} + \frac{L_P Z_P+ Z_P^2}{Z_P^2}\\&= \frac{T (A+B)^2 + (L_P Z_P+Z_P^2) A B }{Z_P^2 A B}. \end{aligned}$$

1.3 A.3 Theorem 3

Proof

We shall proof \(x_{5P}\) by the fact

$$ (x_{5P},\lambda _{5P}) = (x_{2P},\lambda _{2P}) + (x_{3P},\lambda _{3P}). $$

By using the \(P+Q\) \(\lambda \)-affine formula given in [28], we have

$$\begin{aligned} x_{5P}=\frac{x_{2P} x_{3P}}{(x_{2P}+x_{3P})^2} (\lambda _{2P} + \lambda _{3P}). \end{aligned}$$

(17)

We apply the relation \(\lambda _{2P} + \lambda _{3P}= \frac{ x_P (x_{2P}+x_{3P})^2}{x_{2P} x_{3P}}+ 1\) to Eq. (17). We have

$$\begin{aligned} x_{5P}= & {} x_P + \frac{x_{2P} x_{3P}}{(x_{2P}+x_{3P})^2} \end{aligned}$$

(18)

$$\begin{aligned}= & {} \frac{x_{P} (x_{2P}+x_{3P})^2 + x_{2P} x_{3P} }{(x_{2P}+x_{3P})^2}. \end{aligned}$$

(19)

Next, we shall derive \(\lambda _{5P}\) by the fact

$$ (x_{5P},\lambda _{5P}) = (x_{P},\lambda _{P}) + (x_{4P},\lambda _{4P}). $$

By using the \(P+Q\) \(\lambda \)-affine formula, we have

$$\begin{aligned} \lambda _{5P} = \frac{x_{4P} (x_{5P}+x_P)^2}{x_{5P} x_P}+\lambda _P+1. \end{aligned}$$

(20)

We convert \(\lambda \)-affine point \((x_P,\lambda _P)\) to \(\lambda \)-projective point \((X_P,L_P,Z_P)\) by using the relation \((x_P,\lambda _P)=(\frac{X_P}{Z_P},\frac{L_P}{Z_P})\). Thus, the equations above become

$$\begin{aligned} x_{2P}&= \frac{L_P^2+L_P Z_P+a Z^2}{Z_P^2} = \frac{T}{Z_P^2}. \\ x_{3P}&= \frac{X_P \big (T Z_P^2 + (T + X_P Z_P)^2 \big )}{Z_P (T + X_P Z_P)^2} = \frac{X_P B}{Z_P A} .\\ x_{4P}&= \frac{L_{2P}^2+L_{2P} T Z_P^2+a (T Z^2)^2}{(T Z_P^2)^2} = \frac{T_2}{(T Z_P^2)^2}. \\ x_{5P}&= \frac{ \frac{X_P}{Z_P} \big (\frac{T}{Z_P^2} + \frac{X_{P} B}{Z_P A} \big )^2 + \frac{T X_P B}{Z_P^3 A} }{{(\frac{T}{Z_P^2} + \frac{X_{P} B}{Z_P A})^2}} \\&= \frac{X_P \big ( (TA + X_P Z_P B )^2 + T Z_P^2 A B \big )}{Z_P (TA + X_P Z_P B )^2} \\&= \frac{X_P D}{Z_P C} .\\ \lambda _{5P}&= \frac{ \frac{T_2}{(T Z_P^2)^2} \big (\frac{X_P D}{Z_P C} + \frac{X_P}{Z_P} \big )^2 }{\frac{X_P^2 D}{Z_P^2 C}} + \frac{L_P Z_P+Z_P^2}{Z_P^2} \\&= \frac{T_2 (C+D)^2}{(T Z_P^2)^2 C D} + \frac{L_P Z_P+ Z_P^2}{Z_P^2}\\&= \frac{Z^2 T_2 (AB)^2 + (L_P Z_P+Z_P^2) CD }{Z_P^2 C D}. \end{aligned}$$

We note the following relations

$$\begin{aligned} Z_P^2 T_2= & {} T (A+B)^2 + Z_P^2 A B. \\ C= & {} (TA + X_P Z_P B )^2 = (T (A+B))^2 + A B^2. \\ D= & {} T Z_P^2 A B + C =A^2 B + A B^2 + C. \end{aligned}$$

Thus, we have

$$\begin{aligned} L_{5P} = T (C + D)^2 + (L_P Z_P + Z_P^2) C D + Z_P^2 (A B)^3. \end{aligned}$$