TY - GEN

T1 - Faster and lower memory scalar multiplication on supersingular curves in characteristic three

AU - Avanzi, Roberto

AU - Heuberger, Clemens

PY - 2011

Y1 - 2011

N2 - We describe new algorithms for performing scalar multiplication on supersingular elliptic curves in characteristic three. These curves can be used in pairing-based cryptography. Since in pairing-based protocols besides pairing computations also scalar multiplications are required, and the performance of the latter is not negligible, improving it is clearly important as well. The techniques presented here bring noticeable speed ups (up to 30% for methods using a variable amount of memory and up to 46.7% for methods with a small, fixed memory usage), while at the same time bringing substantial memory reductions - factors like 3 to 8 are not uncommon. The starting point for our methods is a structure theorem for unit groups of residue classes of a quadratic order associated to the Frobenius endomorphism of the considered curves. This allows us to define new digit sets whose elements are products of powers of certain generators of said groups. There are of course several choices for these generators: we chose generators associated to endomorphisms for which we could find efficient explicit formulae in a suitable coordinate system. A multiple-base-like scalar multiplication algorithm making use of these digits and these formulae brings the claimed speed up.

KW - Frobenius expansion

KW - Supersingular elliptic curves

KW - explicit formulae

KW - pairing-friendly elliptic curves

KW - scalar multiplication

UR - http://www.scopus.com/inward/record.url?scp=79952521798&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-19379-8_7

DO - 10.1007/978-3-642-19379-8_7

M3 - Conference contribution

AN - SCOPUS:79952521798

SN - 9783642193781

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 109

EP - 127

BT - Public Key Cryptography, PKC 2011 - 14th International Conference on Practice and Theory in Public Key Cryptography, Proceedings

T2 - 14th International Conference on Practice and Theory in Public Key Cryptography, PKC 2011

Y2 - 6 March 2011 through 9 March 2011

ER -