This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
Field Inversion and Point Halving Revisited
August 2004 (vol. 53 no. 8)
pp. 1047-1059

Abstract—We present a careful analysis of elliptic curve point multiplication methods that use the point halving technique of Knudsen and Schroeppel and compare these methods to traditional algorithms that use point doubling. The performance advantage of halving methods is clearest in the case of point multiplication kP, where P is not known in advance and smaller field inversion to multiplication ratios generally favor halving. Although halving essentially operates on affine coordinate representations, we adapt an algorithm of Knuth to allow efficient use of projective coordinates with halving-based windowing methods for point multiplication.

[1] Advanced Micro Devices, AMD-K6 Processor Multimedia Technology, Publication 20726,http:/www.amd.com, 2000.
[2] E. De Win, A. Bosselaers, S. Vandenberghe, P. De Gersem, and J. Vandewalle, A Fast Software Implementation for Arithmetic Operations in$GF(2^n)$ Proc. Advances in Cryptology ASIACRYPT '96, pp. 65-76, 1996.
[3] E. De Win, S. Mister, B. Preneel, and M. Wiener, On the Performance of Signature Schemes Based on Elliptic Curves Proc. Algorithmic Number Theory ANTS-III, pp. 252-266, 1998.
[4] FIPS 186-2, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2, Nat'l Inst. Standards and Tech nology, 2000.
[5] K. Fong, D. Hankerson, J. López, and A. Menezes, Field Inversion and Point Halving Revisited Technical Report CORR 2003-18, Dept. of Combinatorics and Optimization, Univ. of Waterloo, Canada, 2003, http:/www.cacr.math.uwaterloo.ca.
[6] R. Gallant, R. Lambert, and S. Vanstone, Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms Proc. Advances in Cryptology CRYPTO 2001, pp. 190-200, 2001.
[7] J. Goodman and A. Chandrakasan, An Energy Efficient Reconfigurable Public-Key Cryptography Processor Architecture Proc. Cryptographic Hardware and Embedded Systems CHES 2000, pp. 175-190, 2000.
[8] D. Hankerson, J. López, and A. Menezes, Software Implementation of Elliptic Curve Cryptography over Binary Fields Proc. Cryptographic Hardware and Embedded Systems CHES 2000, pp. 1-24, 2000.
[9] Intel Corp., Intel Pentium 4 and Intel Xeon Processor Optimization Reference Manual, Number 248966-04,http:/developer.intel.com, 2001.
[10] B. Kaliski and Y. Yin, Storage-Efficient Finite Field Basis Conversion Proc. Selected Areas in Cryptography SAC '98, pp. 81-93, 1999.
[11] E. Knudsen, Elliptic Scalar Multiplication Using Point Halving Proc. Advances in Cryptology ASIACRYPT '99, pp. 135-149, 1999.
[12] E. Knudsen, personal communication, Aug. 2003.
[13] D. Knuth, The Art of Computer Programming Seminumerical Algorithms, third ed. Addison-Wesley, 1998.
[14] C. Lim and H. Hwang, Speeding Up Elliptic Scalar Multiplication with Precomputation Proc. Information Security and Cryptology ICISC '99, pp. 102-119, 2000.
[15] J. López and R. Dahab, Improved Algorithms for Elliptic Curve Arithmetic in$GF(2^n)$ Proc. Selected Areas in Cryptography SAC '98, pp. 201-212, 1999.
[16] J. López and R. Dahab, Fast Multiplication on Elliptic Curves over$GF(2^m)$without Precomputation Proc. Cryptographic Hardware and Embedded Systems CHES '99, pp. 316-327, 1999.
[17] J. López and R. Dahab, High-Speed Software Multiplication in${\hbox{\rlap{I}\kern 2.0pt{\hbox{F}}}}_{2^m}$ Proc. Progress in Cryptology INDOCRYPT 2000, pp. 203-212, 2000.
[18] B. Möller, Algorithms for Multi-Exponentiation Proc. Selected Areas in Cryptography SAC 2001, pp. 165-180, 2001.
[19] B. Möller, Improved Techniques for Fast Exponentiation Proc. Information Security and Cryptology (ICISC) 2002, P. Lee and C. Lim, eds., pp. 298-312, 2003.
[20] P. Ning and Y. Yin, Efficient Software Implementation for Finite Field Multiplication in Normal Basis Proc. Information and Comm. Security 2001, pp. 177-189, 2001.
[21] A. Reyhani-Masoleh and M.A. Hasan, Fast Normal Basis Multiplication Using General Purpose Processors (extended abstract) Proc. Selected Areas in Cryptography SAC 2001, pp. 230-244, 2001.
[22] R. Schroeppel, Elliptic Curve Point Halving Wins Big Second Midwest Arithmetical Geometry in Cryptography Workshop, Nov. 2000.
[23] R. Schroeppel, Elliptic Curve Point Ambiguity Resolution Apparatus and Method Int'l Application Number PCT/US00/31014, filed 9 Nov. 2000, publication number WO 01/35573 A1, 17 May 2001.
[24] R. Schroeppel, Automatically Solving Equations in Finite Fields US Patent Application No. 09/834,363, filed 12 Apr. 2001, publication number US 2002/0055962 A1, 9 May 2002.
[25] R. Schroeppel, personal communication, Oct. 2003.
[26] R. Schroeppel, C. Beaver, R. Gonzales, R. Miller, and T. Draelos, A Low-Power Design for an Elliptic Curve Digital Signature Chip Proc. Cryptographic Hardware and Embedded Systems CHES 2002, pp. 366-380, 2002.
[27] R. Schroeppel, H. Orman, S. O'Malley, and O. Spatscheck, Fast Key Exchange with Elliptic Curve Systems Proc. Advances in Cryptology CRYPTO '95, pp. 43-56, 1995.
[28] S. Chang Shantz, From Euclid's GCD to Montgomery Multiplication to the Great Divide SML Technical Report SMLI TR-2001-95, Sun Microsystems Laboratories, 2001.
[29] J. Solinas, Efficient Arithmetic on Koblitz Curves Designs, Codes and Cryptography, vol. 19, pp. 195-249, 2000.

Index Terms:
Public key cryptosystems, computer arithmetic, efficiency.
Citation:
Kenny Fong, Darrel Hankerson, Julio L?pez, Alfred Menezes, "Field Inversion and Point Halving Revisited," IEEE Transactions on Computers, vol. 53, no. 8, pp. 1047-1059, Aug. 2004, doi:10.1109/TC.2004.43
Usage of this product signifies your acceptance of the Terms of Use.