Issue No.10 - October (2009 vol.58)
pp: 1411-1420
Darrel Hankerson , Auburn University, Auburn
Koray Karabina , University of Waterloo, Waterloo
Alfred Menezes , University of Waterloo, Waterloo
ABSTRACT
Galbraith, Lin, and Scott recently constructed efficiently computable endomorphisms for a large family of elliptic curves defined over $\mathbb{F}_{q^2}$ and showed, in the case where q is a prime, that the Gallant-Lambert-Vanstone point multiplication method for these curves is significantly faster than point multiplication for general elliptic curves over prime fields. In this paper, we investigate the potential benefits of using Galbraith-Lin-Scott elliptic curves in the case where q is a power of 2. The analysis differs from the q prime case because of several factors, including the availability of the point halving strategy for elliptic curves over binary fields. Our analysis and implementations show that the Galbraith-Lin-Scott point multiplication method offers significant acceleration for curves over binary fields, in both doubling- and halving-based approaches. Experimentally, the acceleration surpasses that reported for prime fields (for the platform in common), a somewhat counterintuitive result given the relative costs of point addition and doubling in each case.
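The mechanism behind the acceleration the abstract describes is the Gallant-Lambert-Vanstone (GLV) trick: if the group has an efficiently computable endomorphism psi that acts as multiplication by a known scalar lam, then kP is computed as k1*P + k2*psi(P) with k1, k2 roughly half the length of k, so one long double-and-add chain is replaced by a simultaneous double-and-add over two short scalars. The Python below is an added illustration, not code from the paper; the paper's curves are GLS curves over F_{2^{2m}} with a Frobenius-derived endomorphism, whereas this example uses the simpler classic GLV instance (y^2 = x^3 + b over a prime field with the cube-root-of-unity endomorphism) because it fits in a few dozen lines while exhibiting the same decomposition and the same saving in doublings. The toy parameters p and b are found by brute force at import time, and all names (find_params, GLVCurve, compare, round_div) are the example's own.

```python
# Added illustration of the GLV method (not the paper's code). Toy curve E: y^2 = x^3 + b
# over F_p, p = 1 (mod 3), with endomorphism psi(x, y) = (beta*x, y), beta^3 = 1 mod p.
# On a prime-order group psi acts as multiplication by lam, lam^2 + lam + 1 = 0 (mod n).
from math import isqrt


def is_prime(m):
    return m >= 2 and all(m % d for d in range(2, isqrt(m) + 1))


def round_div(a, d):
    """Nearest integer to a / d in exact integer arithmetic (ties round up)."""
    if d < 0:
        a, d = -a, -d
    return (2 * a + d) // (2 * d)


def find_params(start):
    """First prime p >= start, p = 1 mod 3, and a small b with prime group order."""
    p = start
    while True:
        if is_prime(p) and p % 3 == 1:
            sq_count = {}                       # number of y with y^2 == r (mod p)
            for y in range(p):
                sq_count[y * y % p] = sq_count.get(y * y % p, 0) + 1
            for b in range(1, 64):              # 6 twist classes; small b covers them
                n = 1 + sum(sq_count.get((x * x * x + b) % p, 0) for x in range(p))
                if is_prime(n):
                    return p, b, n
        p += 1


class GLVCurve:
    def __init__(self, p, b, n):
        self.p, self.b, self.n, self.doublings = p, b, n, 0
        g = next(g for g in range(2, p) if pow(g, (p - 1) // 3, p) != 1)
        self.beta = pow(g, (p - 1) // 3, p)     # primitive cube root of unity mod p
        roots = {y * y % p: y for y in range(p)}
        x = next(x for x in range(p) if (x ** 3 + b) % p in roots)
        self.P = (x, roots[(x ** 3 + b) % p])   # any nonzero point generates (n prime)
        # lam: the root of lam^2 + lam + 1 mod n that actually matches psi on P
        self.lam = next(l for l in range(2, n) if (l * l + l + 1) % n == 0
                        and self.mul(l, self.P) == self.psi(self.P))
        self.v1, self.v2 = self.reduced_basis()
        self.doublings = 0

    def add(self, A, B):
        if A is None or B is None:
            return B if A is None else A
        p, (x1, y1), (x2, y2) = self.p, A, B
        if x1 == x2:
            if (y1 + y2) % p == 0:
                return None                     # A == -B
            m = 3 * x1 * x1 * pow(2 * y1, -1, p) % p   # tangent slope (a = 0)
        else:
            m = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (m * m - x1 - x2) % p
        return (x3, (m * (x1 - x3) - y1) % p)

    def dbl(self, A):
        self.doublings += 1                     # counted to compare the two methods
        return self.add(A, A)

    def neg(self, A):
        return None if A is None else (A[0], -A[1] % self.p)

    def psi(self, A):
        return None if A is None else (A[0] * self.beta % self.p, A[1])

    def mul(self, k, A):
        """Plain left-to-right double-and-add: bitlen(k) - 1 doublings."""
        R = None
        for bit in bin(k % self.n)[2:]:
            R = self.dbl(R) if R is not None else R
            R = self.add(R, A) if bit == '1' else R
        return R

    def reduced_basis(self):
        """Gauss-reduce a basis of L = {(a, c): a + c*lam = 0 mod n} (det L = n)."""
        u, v = (self.n, 0), (-self.lam, 1)
        while True:
            if u[0] ** 2 + u[1] ** 2 > v[0] ** 2 + v[1] ** 2:
                u, v = v, u
            m = round_div(u[0] * v[0] + u[1] * v[1], u[0] ** 2 + u[1] ** 2)
            if m == 0:
                return u, v
            v = (v[0] - m * u[0], v[1] - m * u[1])

    def decompose(self, k):
        """(k1, k2) with k1 + k2*lam = k (mod n) and |k_i| < 2*sqrt(n): Babai rounding."""
        (a1, a2), (b1, b2) = self.v1, self.v2
        det = a1 * b2 - a2 * b1                 # = +-n
        c1, c2 = round_div(k * b2, det), round_div(-k * a2, det)
        return k - c1 * a1 - c2 * b1, -c1 * a2 - c2 * b2

    def glv_mul(self, k, A):
        """kA = k1*A + k2*psi(A) by simultaneous (Straus-Shamir) double-and-add."""
        k1, k2 = self.decompose(k)
        B = self.psi(A)
        A, B = (A if k1 >= 0 else self.neg(A)), (B if k2 >= 0 else self.neg(B))
        k1, k2, AB, R = abs(k1), abs(k2), self.add(A, B), None
        for i in range(max(k1.bit_length(), k2.bit_length()) - 1, -1, -1):
            R = self.dbl(R) if R is not None else R
            bits = ((k1 >> i) & 1, (k2 >> i) & 1)
            R = self.add(R, {(1, 1): AB, (1, 0): A, (0, 1): B}[bits]) if any(bits) else R
        return R


def compare(curve, k):
    """Return (doublings for plain mul, doublings for GLV mul, results agree)."""
    curve.doublings = 0
    R1 = curve.mul(k, curve.P)
    d1, curve.doublings = curve.doublings, 0
    R2 = curve.glv_mul(k, curve.P)
    return d1, curve.doublings, R1 == R2


CURVE = GLVCurve(*find_params(5000))            # toy-sized parameters, found at import
```

The doubling count reported by compare() for a full-length k drops to roughly half, which is the saving the paper measures for its binary-field GLS curves; there the endomorphism and the lattice differ, and the halving-based variant trades the doublings for point halvings, but the decomposition step is the same idea.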
INDEX TERMS
Elliptic curve cryptography, computer arithmetic, efficiency.
CITATION
Darrel Hankerson, Koray Karabina, Alfred Menezes, "Analyzing the Galbraith-Lin-Scott Point Multiplication Method for Elliptic Curves over Binary Fields", IEEE Transactions on Computers, vol.58, no. 10, pp. 1411-1420, October 2009, doi:10.1109/TC.2009.61
REFERENCES
[1] E. Al-Daoud, R. Mahmod, M. Rushdan, and A. Kilicman, “A New Addition Formula for Elliptic Curves over $GF(2^n)$,” IEEE Trans. Computers, vol. 51, no. 8, pp. 972-975, Aug. 2002.
[2] R. Avanzi, “Another Look at Square Roots (And Other Less Common Operations) in Fields of Even Characteristic,” Proc. Int'l Workshop Selected Areas in Cryptography (SAC '07), pp. 138-154, 2007.
[3] R. Avanzi and N. Thériault, “Effects of Optimizations for Software Implementations of Small Binary Field Arithmetic,” Proc. Int'l Workshop Arithmetic of Finite Fields (WAIFI '07), pp. 69-84, 2007.
[4] D. Bernstein, T. Lange, and R. Farashahi, “Binary Edwards Curves,” Proc. Workshop Cryptographic Hardware and Embedded Systems (CHES '08), pp. 244-265, 2008.
[5] R.P. Brent, P. Gaudry, E. Thomé, and P. Zimmermann, “Faster Multiplication in $GF(2)[x]$,” Proc. Symp. Algorithmic Number Theory (ANTS-VIII), pp. 153-166, 2008.
[6] C. Diem and E. Thomé, “Index Calculus in Class Groups of Non-Hyperelliptic Curves of Genus Three,” J. Cryptology, vol. 21, pp. 593-611, 2008.
[7] A. Enge and P. Gaudry, “A General Framework for Subexponential Discrete Logarithm Algorithms,” Acta Arithmetica, vol. 102, pp. 83-103, 2002.
[8] K. Fong, D. Hankerson, J. López, and A. Menezes, “Field Inversion and Point Halving Revisited,” IEEE Trans. Computers, vol. 53, no. 8, pp. 1047-1059, Aug. 2004.
[9] S. Galbraith, “Constructing Isogenies between Elliptic Curves over Finite Fields,” LMS J. Computation and Math., vol. 2, pp. 118-138, 1999.
[10] S. Galbraith, F. Hess, and N. Smart, “Extending the GHS Weil Descent Attack,” Proc. Advances in Cryptology (EUROCRYPT '02), pp. 29-44, 2002.
[11] S. Galbraith, X. Lin, and M. Scott, “Endomorphisms for Faster Elliptic Curve Cryptography on a Large Class of Curves,” Proc. Advances in Cryptology (EUROCRYPT '09), pp. 518-535, 2009.
[12] R. Gallant, R. Lambert, and S. Vanstone, “Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms,” Proc. Advances in Cryptology (CRYPTO '01), pp. 190-200, 2001.
[13] P. Gaudry, F. Hess, and N. Smart, “Constructive and Destructive Facets of Weil Descent on Elliptic Curves,” J. Cryptology, vol. 15, pp. 19-46, 2002.
[14] S. Gueron and M. Kounavis, “Carry-Less Multiplication and Its Usage for Computing the GCM Mode,” white paper, Intel Corporation, http://softwarecommunity.intel.com/articles/eng3787.htm, 2008.
[15] S. Gueron and M. Kounavis, “A Technique for Accelerating Characteristic 2 Elliptic Curve Cryptography,” Proc. Fifth Int'l Conf. Information Technology: New Generations (ITNG '08), pp. 265-272, 2008.
[16] D. Hankerson, A. Menezes, and M. Scott, “Software Implementation of Pairings,” Identity-Based Cryptography, M. Joye and G. Neven, eds., IOS Press, 2008.
[17] D. Hankerson, A. Menezes, and S. Vanstone, Guide to Elliptic Curve Cryptography. Springer, 2003.
[18] F. Hess, “Generalising the GHS Attack on the Elliptic Curve Discrete Logarithm Problem,” LMS J. Computation and Math., vol. 7, pp. 167-192, 2004.
[19] I. Iijima, K. Matsuo, J. Chao, and S. Tsujii, “Construction of Frobenius Maps of Twists Elliptic Curves and Its Application to Elliptic Scalar Multiplication,” Proc. Symp. Cryptography and Information Security (SCIS '02), 2002.
[20] D. Jao, S. Miller, and R. Venkatesan, “Do All Elliptic Curves of the Same Order Have the Same Difficulty of Discrete Log?” Proc. Advances in Cryptology (ASIACRYPT '05), pp. 21-40, 2005.
[21] K. Kim and S. Kim, “A New Method for Speeding Up Arithmetic on Elliptic Curves over Binary Fields,” Cryptology ePrint Archive: Report 2007/181, http://eprint.iacr.org/2007/181, 2007.
[22] B. King, “An Improved Implementation of Elliptic Curves over $GF(2^n)$ When Using Projective Point Arithmetic,” Proc. Int'l Workshop Selected Areas in Cryptography (SAC '01), pp. 134-150, 2001.
[23] B. King and B. Rubin, “Improvements to the Point Halving Algorithm,” Proc. Australasian Conf. Information Security and Privacy (ACISP '04), pp. 262-276, 2004.
[24] E. Knudsen, “Elliptic Scalar Multiplication Using Point Halving,” Proc. Advances in Cryptology (ASIACRYPT '99), pp. 135-149, 1999.
[25] N. Koblitz, “CM-Curves with Good Cryptographic Properties,” Proc. Advances in Cryptology (CRYPTO '91), pp. 279-287, 1991.
[26] T. Lange, “A Note on López-Dahab Coordinates,” Tatra Mountains Math. Publications, vol. 33, pp. 75-81, http://eprint.iacr.org/2004/323, 2006.
[27] C. Lim and H. Hwang, “Speeding Up Elliptic Scalar Multiplication with Precomputation,” Proc. Int'l Conf. Information Security and Cryptology, pp. 102-119, 1999.
[28] J. López and R. Dahab, “Improved Algorithms for Elliptic Curve Arithmetic in $GF(2^n)$,” Proc. Int'l Workshop Selected Areas in Cryptography (SAC '98), pp. 201-212, 1998.
[29] J. López and R. Dahab, “High-Speed Software Multiplication in $\mathbb{F}_{2^m}$,” Progress in Cryptology, Proc. First Int'l Conf. in Cryptology in India (INDOCRYPT '00), pp. 203-212, 2000.
[30] M. Maurer, A. Menezes, and E. Teske, “Analysis of the GHS Weil Descent Attack on the ECDLP over Characteristic Two Finite Fields of Composite Degree,” LMS J. Computation and Math., vol. 5, pp. 127-174, 2002.
[31] A. Menezes and M. Qu, “Analysis of the Weil Descent Attack of Gaudry, Hess and Smart,” Proc. Topics in Cryptology: Cryptographers' Track at RSA (CT-RSA '01), pp. 308-318, 2001.
[32] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography. CRC Press, 1996.
[33] B. Möller, “Algorithms for Multi-Exponentiation,” Proc. Int'l Workshop Selected Areas in Cryptography (SAC '01), pp. 165-180, 2001.
[34] J. Muir and D. Stinson, “Minimality and Other Properties of the Width-$w$ Nonadjacent Form,” Math. of Computation, vol. 75, pp. 369-384, 2006.
[35] R. Schroeppel, “Automatically Solving Equations in Finite Fields,” US patent 09/834,363, 2001.
[36] M. Scott, MIRACL—Multiprecision Integer and Rational Arithmetic C Library, http://www.computing.dcu.ie/~mike/miracl.html, 2008.
[37] J. Solinas, “Efficient Arithmetic on Koblitz Curves,” Designs, Codes and Cryptography, vol. 19, pp. 195-249, 2000.