Advertisement

Abstract

Edwards curves have attracted great interest for several reasons. When curve parameters are chosen properly, the addition formulas use only 10M + 1S. The formulas are strongly unified, i.e., work without change for doublings; even better, they are complete, i.e., work without change for all inputs. Dedicated doubling formulas use only 3M + 4S, and dedicated tripling formulas use only 9M + 4S.

This paper introduces inverted Edwards coordinates. Inverted Edwards coordinates (X 1:Y 1:Z 1) represent the affine point (Z 1/X 1,Z 1/Y 1) on an Edwards curve; for comparison, standard Edwards coordinates (X 1:Y 1:Z 1) represent the affine point (X 1/Z 1,Y 1/Z 1).

This paper presents addition formulas for inverted Edwards coordinates using only 9M + 1S. The formulas are not complete but still are strongly unified. Dedicated doubling formulas use only 3M + 4S, and dedicated tripling formulas use only 9M + 4S. Inverted Edwards coordinates thus save 1M for each addition, without slowing down doubling or tripling.

Keywords

Elliptic curves addition doubling explicit formulas Edwards coordinates inverted Edwards coordinates side-channel countermeasures unified addition formulas strongly unified addition formulas 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Barua, R., Lange, T. (eds.): INDOCRYPT 2006. LNCS, vol. 4329. Springer, Heidelberg (2006)Google Scholar
  2. 2.
    Bernstein, D.J., Birkner, P., Lange, T., Peters, C.: Optimizing Double-Base Elliptic-Curve Single-Scalar Multiplication. In: Srinathan, K., Pandu Rangan, C., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 167–182. Springer, Heidelberg (2007)Google Scholar
  3. 3.
    Bernstein, D.J., Lange, T.: Explicit-Formulas Database, http://www.hyperelliptic.org/EFD
  4. 4.
    Bernstein, D.J., Lange, T.: Faster Addition and Doubling on Elliptic Curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007), http://cr.yp.to/newelliptic/ CrossRefGoogle Scholar
  5. 5.
    Bosma, W., Lenstra, Jr., H.W.: Complete Systems of Two Addition Laws for Elliptic Curves. J. Number Theory 53, 229–240 (1995)zbMATHCrossRefMathSciNetGoogle Scholar
  6. 6.
    Doche, C., Imbert, L.: Extended Double-Base Number System with Applications to Elliptic Curve Cryptography. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 335–348. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Duquesne, S.: Improving the Arithmetic of Elliptic Curves in the Jacobi Model. Information Processing Letters 104, 101–105 (2007)CrossRefGoogle Scholar
  8. 8.
    Edwards, H.M.: A Normal Form for Elliptic Curves. Bulletin of the American Mathematical Society 44, 393–422 (2007), http://www.ams.org/bull/2007-44-03/S0273-0979-07-01153-6/home.html zbMATHCrossRefGoogle Scholar
  9. 9.
    Hisil, H., Carter, G., Dawson, E.: New Formulae for Efficient Elliptic Curve Arithmetic. In: Srinathan, K., Pandu Rangan, C., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, Springer, Heidelberg (2007)Google Scholar
  10. 10.
    Kurosawa, K. (ed.): ASIACRYPT 2007. LNCS, vol. 4833. Springer, Heidelberg (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Daniel J. Bernstein
    • 1
  • Tanja Lange
    • 2
  1. 1.Department of Mathematics, Statistics, and Computer Science (M/C 249), University of Illinois at Chicago, Chicago, IL 60607–7045USA
  2. 2.Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, P.O. Box 513, 5600 MB EindhovenNetherlands

Personalised recommendations