CryptoDB
Wei Yu
Publications
Year
Venue
Title
2024
PKC
Fast and Simple Point Operations on Edwards448 and E448
Abstract
Since Edwards curves were introduced in elliptic curve cryptography, they have attracted a lot of attention. The twisted Edwards curves are defined by the equation $E_{a,d}: ax^2 + y^2 = 1 + d x^2y^2$. Twisted Edwards curve is the state-of-the-art for $a=-1$, and even for $a \ne -1$. E448 and Edwards448 are NIST standard curve in 2023 and TLS 1.3 standard curve in 2018. They both can be converted to $d=-1$, but can not be converted to $a=-1$ through isomorphism. The motivation of using a curve with $d=-1$ is that we want to improve the efficiency of E448, and Edwards448, especially to achieve a great saving in terms of the number of field multiplications ($\bfm M$)
and field squarings ($\bfm S$). We propose new explicit formulas for point operations on these curves. Our full point addition only requires $8 \bfm M$, and mixed addition requires $7 \bfm M$. Our results applied on the Edward448 and E448 yield a clean and simple implementation and achieve a brand new speed record. The scalar multiplication on Edwards448 and E448 have the same cost of $\bfm M$ and $\bfm S$ as that on Edwards25519 per bit.
2021
EUROCRYPT
Pre-Computation Scheme of Window $\tau$NAF for Koblitz Curves Revisited
📺
Abstract
Let $E_a/ \mathbb{F}_{2}: y^2+xy=x^3+ax^2+1$ be a Koblitz curve. The window $\tau$-adic non-adjacent form (window $\tau$NAF) is currently the standard representation system to perform scalar multiplications on $E_a/ \mathbb{F}_{2^m}$ utilizing the Frobenius map $\tau$.
This work focuses on the pre-computation part of scalar multiplication. We first introduce $\mu\bar{\tau}$-operations where $\mu=(-1)^{1-a}$ and $\bar{\tau}$ is the complex conjugate of $\tau$. Efficient formulas of $\mu\bar{\tau}$-operations are then derived and used in a novel pre-computation scheme. Our pre-computation scheme requires $6${\bf M}$+6${\bf S}, $18${\bf M}$+17${\bf S}, $44${\bf M}$+32${\bf S}, and $88${\bf M}$+62${\bf S} ($a=0$) and $6${\bf M}$+6${\bf S}, $19${\bf M}$+17${\bf S}, $46${\bf M}$+32${\bf S}, and $90${\bf M}$+62${\bf S} ($a=1$) for window $\tau$NAF with widths from $4$ to $7$ respectively. It is about two times faster, compared to the state-of-the-art technique of pre-computation in the literature. The impact of our new efficient pre-computation is also reflected by the significant improvement of scalar multiplication. Traditionally, window $\tau$NAF with width at most $6$ is used to achieve the best scalar multiplication. Because of the dramatic cost reduction of the proposed pre-computation, we are able to increase the width for window $\tau$NAF to $7$ for a better scalar multiplication. This indicates that the pre-computation part becomes more important in performing scalar multiplication. With our efficient pre-computation and the new window width, our scalar multiplication runs in at least 85.2\% the time of Kohel's work (Eurocrypt'2017) combining the best previous pre-computation. Our results push the scalar multiplication of Koblitz curves, a very well-studied and long-standing research area, to a significant new stage.
2020
EUROCRYPT
Double-Base Chains for Scalar Multiplications on Elliptic Curves
📺
Abstract
Double-base chains (DBCs) are widely used to speed up scalar multiplications on elliptic curves. We present three results of DBCs. First, we display a structure of the set containing all DBCs and propose an iterative algorithm to compute the number of DBCs for a positive integer. This is the first polynomial time algorithm to compute the number of DBCs for positive integers. Secondly, we present an asymptotic lower bound on average Hamming weights of DBCs $\frac{\log n}{8.25}$ for a positive integer $n$. This result answers an open question about the Hamming weights of DBCs. Thirdly, we propose a new algorithm to generate an optimal DBC for any positive integer. The time complexity of this algorithm is $\mathcal{O}\left(\left(\log n\right)^2 \log\log n\right)$ bit operations and the space complexity is $\mathcal{O}\left(\left(\log n\right)^{2}\right)$ bits of memory. This algorithm accelerates the recoding procedure by more than $6$ times compared to the state-of-the-art Bernstein, Chuengsatiansup, and Lange's work. The Hamming weights of optimal DBCs are over $60$\% smaller than those of NAFs. Experimental results show that scalar multiplication using our optimal DBC is about $13$\% faster than that using non-adjacent form on elliptic curves over large prime fields.
Coauthors
- Luying Li (1)
- Bao Li (1)
- Saud Al Musa (1)
- Peng Xu (1)
- Guangwu Xu (1)
- Wei Yu (3)