curve. This section presents a general technique for accelerating point multiplication on elliptic curves that have efficiently computable endomorphisms. While the technique
does not yield a speedup that is as dramatic as achieved in §3.4 for Koblitz curves (where all the point doublings are replaced by much faster applications of the Frobe- nius map), it can be used to accelerate point multiplication on a larger class of curves including some elliptic curves over large prime fields. Roughly speaking, if the endo- morphism can be computed in no more time than it takes to perform a small number of point doublings, then the technique eliminates about half of all doublings and reduces the point multiplication time by roughly 33%.
Endomorphisms of elliptic curves
Let E be an elliptic curve defined over a field K. The set of all points on E whose coordinates lie in any finite extension ofK is also denoted byE. Anendomorphismφ
of EoverK is a mapφ:E→E such thatφ(∞)= ∞andφ(P)=(g(P),h(P))for allP∈E, wheregandhare rational functions whose coefficients lie inK. The set of all endomorphisms ofEoverK forms a ring, called theendomorphism ringofEover
K. An endomorphismφis also a group homomorphism, that is,
φ(P1+P2)=φ(P1)+φ(P2)for allP1,P2∈E.
Thecharacteristic polynomial of an endomorphismφis the monic polynomial f(X)
of least degree inZ[X]such that f(φ)=0, that is, f(φ)(P)= ∞for all P∈E. IfEis a non-supersingular elliptic curve, then the characteristic polynomial ofφhas degree 1 or 2.
Example 3.71(endomorphisms of elliptic curves)
(i) LetEbe an elliptic curve defined overFq. For each integerm, themultiplication
by m map[m] :E→Edefined by
[m] :P→m P
is an endomorphism of E defined over Fq. A special case is thenegationmap defined byP→ −P. The characteristic polynomial of[m]is X−m.
(ii) LetEbe an elliptic curve defined overFq. Then theq-th power mapφ:E→E defined by
φ:(x,y)→(xq,yq), φ: ∞ → ∞
is an endomorphism ofEdefined overFq, called theFrobenius endomorphism. The characteristic polynomial ofφisX2−t X+q, wheret=q+1−#E(Fq). (iii) Let p≡1 (mod 4)be a prime, and consider the elliptic curve
E:y2=x3+ax
defined overFp. Leti ∈Fpbe an element of order 4. Then the mapφ:E→E defined by
is an endomorphism of E defined over Fp. Note that φ(P)can be computed using only one multiplication. The characteristic polynomial ofφis X2+1. (iv) Let p≡1 (mod 3)be a prime, and consider the elliptic curve
E:y2=x3+b
defined overFp. Letβ∈Fpbe an element of order 3. Then the mapφ:E→E defined by
φ:(x,y)→(βx,y), φ: ∞ → ∞
is an endomorphism of E defined over Fp. Note that φ(P)can be computed using only one multiplication. The characteristic polynomial ofφisX2+X+1. Note 3.72(integer representation of an endomorphism) Suppose now thatE is an el- liptic curve defined over the finite fieldFq. Suppose also that #E(Fq)is divisible by a prime n, and that n2 does not divide #E(Fq). Then E(Fq) contains exactly one subgroup of order n; let this subgroup bePwhere P∈E(Fq)has ordern. Ifφ is an endomorphism of E defined overFq, thenφ(P)∈E(Fq)and henceφ(P)∈ P. Suppose thatφ(P) = ∞. Then we can write
φ(P)=λPfor someλ∈ [1,n−1]. In factλis a root modulonof the characteristic polynomial ofφ. Example 3.73 (the elliptic curve P-160) Consider the elliptic curve
E:y2=x3+3 defined over the 160-bit prime fieldFp, where
p=2160−229233
=1461501637330902918203684832716283019655932313743.
Sincep≡1 (mod 3), the curve is of the type described in Example 3.71(iv). The group ofFp-rational points onEhas prime order
#E(Fp)=n=1461501637330902918203687013445034429194588307251. An element of order 3 inFpis
β=771473166210819779552257112796337671037538143582
and so the mapφ: E →E defined by φ: ∞ → ∞ andφ:(x,y)→(βx,y)is an endomorphism ofEdefined overFp. The solution
λ=903860042511079968555273866340564498116022318806
to the equationλ2+λ+1≡0 (modn)has the property thatφ(P)=λPfor all P∈ E(Fp).
Accelerating point multiplication
The strategy for computingk P, wherek∈ [0,n−1], is the following. First write
k=k1+k2λmodn (3.36)
where the integers k1 and k2 are of approximately half the bitlength of k. Such an
expression is called abalanced length-two representation of k. Since
k P = k1P+k2λP
= k1P+k2φ(P), (3.37)
k P can be obtained by first computing φ(P) and then using simultaneous multiple point multiplication (Algorithm 3.48) or interleaving (Algorithm 3.51) to evaluate (3.37). Since k1 andk2 are of half the bitlength ofk, half of the point doublings are
eliminated. The strategy is effective provided that a decomposition (3.36) and φ(P)
can be computed efficiently.
Decomposing a multiplier
We describe one method for obtaining a balanced length-two representation of the multiplierk. For a vectorv=(a,b)∈Z×Z, define
f(v)=a+bλmodn.
The idea is to first find two vectors,v1=(a1,b1)andv2=(a2,b2)inZ×Zsuch that
1. v1andv2are linearly independent overR;
2. f(v1)= f(v2)=0; and
3. v1andv2have small Euclidean norm (i.e.,||v1|| = 3
a12+b21≈√n, and similarly forv2).
Then, by considering(k,0)as a vector inQ×Q, we can use elementary linear algebra to write
(k,0)=γ1v1+γ2v2, whereγ1,γ2∈Q.
If we let c1= γ1 andc2= γ2, wherexdenotes the integer closest to x, then v=c1v1+c2v2 is an integer-valued vector close to (k,0)such that f(v)=0. Thus
the vector u=(k,0)−v has small norm and satisfies f(u)=k. It follows that the componentsk1,k2ofuare small in absolute value and satisfyk1+k2λ≡k (mod n).
The independent short vectorsv1andv2satisfying f(v1)= f(v2)=0 can be found
by applying the extended Euclidean algorithm (Algorithm 2.19) tonandλ. The algo- rithm produces a sequences of equationssin+tiλ=ri wheres0=1,t0=0,r0=n, s1=0,t1=1,r1=λ. Furthermore, it is easy to show that the remaindersri are strictly decreasing and non-negative, that |ti|<|ti+1| for i ≥0, and that |si|< |si+1| and
ri−1|ti|+ri|ti−1| =nfori≥1. Now, letlbe the greatest index for whichrl≥√n. Then it can be easily verified thatv1=(rl+1,−tl+1)satisfies f(v1)=0 and||v1|| ≤
√
2n, and thatv2=(rl,−tl)(and alsov2=(rl+2,−tl+2))is linearly independent ofv1and
satisfies f(v2)=0. Heuristically, we would expectv2to have small norm. Thusv1and v2 satisfy conditions 1–3 above. For this choice of v1, v2, we haveγ1=b2k/n and γ2= −b1k/n. The method for decomposingkis summarized in Algorithm 3.74.
Algorithm 3.74Balanced length-two representation of a multiplier INPUT: Integersn,λ,k∈ [0,n−1].
OUTPUT: Integersk1,k2such thatk=k1+k2λmodnand|k1|,|k2| ≈√n.
1. Run the extended Euclidean algorithm (Algorithm 2.19) with inputsnandλ. The algorithm produces a sequence of equationssin+tiλ=ri wheres0=1,t0=0, r0=n,s1=0,t1=1,r1=λ, and the remaindersri and are non-negative and strictly decreasing. Letlbe the greatest index for whichrl≥√n.
2. Set(a1,b1)←(rl+1,−tl+1). 3. If(rl2+tl2)≤(rl2+2+tl2+2)then set(a2,b2)←(rl,−tl); Else set(a2,b2)←(rl+2,−tl+2). 4. Computec1= b2k/nandc2= −b1k/n. 5. Computek1=k−c1a1−c2a2andk2= −c1b1−c2b2. 6. Return(k1,k2).
Example 3.75 (balanced length-two representation of a multiplier k) Consider the elliptic curve P-160 defined in Example 3.73. In the notation of Algorithm 3.74 we have (rl,tl)=(2180728751409538655993509,−186029539167685199353061) (rl+1,tl+1)=(788919430192407951782190,602889891024722752429129) (rl+2,tl+2)=(602889891024722752429129,−1391809321217130704211319) (a1,b1)=(788919430192407951782190,−602889891024722752429129) (a2,b2)=(602889891024722752429129,1391809321217130704211319). Now, let k=965486288327218559097909069724275579360008398257. We obtain c1=919446671339517233512759, c2=398276613783683332374156 and k1= −98093723971803846754077, k2=381880690058693066485147.
Example 3.76 (balanced representation for special parameters) The elliptic curve can be chosen so that the parametersk1andk2may be obtained with much less effort than
that required by Algorithm 3.74. For example, consider the curve
E:y2=x3−2
over Fp, where p=2390+3 is prime and, as in Example 3.71(iv), satisfies p≡1
(mod 3). The group ofFp-rational points onEhas order #E(Fp)=2390−2195+7=63n wherenis prime. If
λ= 2195−2
3 and β=2
389+2194+1,
thenβis an element of order 3 inFp,λsatisfiesλ2+λ+1≡0 (modn), andλ(x,y)=
(βx,y)for all(x,y)in the order-nsubgroup ofE(Fp).
Suppose now thatP=(x,y)is in the order-nsubgroup ofE(Fp), andk∈ [0,n−1] is a multiplier. To find a balanced length-two representation ofk, writek=2195k2+k1
fork1 <2195. Then k P=(2195k2+k1)P=((3λ+2)k2 +k1)P=(2k2+k1 k1 )P+3k2 k2 λP =k1(x,y)+k2(βx,y).
The method splits a multiplierk<n of approximately 384 bits intok1 andk2 where
each is approximately half the bitlength ofk. Finally, note that the cost of calculating
βx=(2389+2194+1)xis less than a field multiplication.
Point multiplication algorithm
Given an elliptic curve Edefined over a finite fieldFq with a suitable endomorphism
φ, Algorithm 3.77 calculates the point multiplication k P using the decomposition
k =k1+k2λmodn and interleaving k1P+k2φ(P). The expected running time is
approximately * |{j:wj >2}|D+ 2 j=1 (2wj−2−1)A+C k+Cφ + + * D+ 2 j=1 1 wj+1 A + t 2 (3.38)
wheretis the bitlength ofn,kj is written with a width-wj NAF,Ckdenotes the cost of the decomposition ofk, andCφis the cost of findingφ(P). The storage requirement is 2w1−2+2w2−2points.
Sincev1andv2do not depend onk, it is possible to precompute estimates forb1/n
and−b2/nfor use in step 4 of Algorithm 3.74. In this case, only steps 4–6 of Algo-
rithm 3.74 must be performed, and hence the costCkis insignificant in the overall point multiplication.
Algorithm 3.77Point multiplication with efficiently computable endomorphisms INPUT: Integerk∈ [1,n−1],P∈E(Fq), window widthsw1andw2, andλ.
OUTPUT:k P.
1. Use Algorithm 3.74 to findk1andk2such thatk=k1+k2λmodn.
2. CalculateP2=φ(P), and let P1=P.
3. Use Algorithm 3.30 to compute NAFwj(|kj|)= lj−1
i=0 kj,i2i for j=1,2.
4. Letl=max{l1,l2}and definekj,i =0 forlj ≤i<l, 1≤ j≤2. 5. Ifkj <0, then setkj,i← −kj,i for 0≤i<lj, 1≤ j≤2. 6. Computei Pj fori ∈ {1,3,...,2wj−1−1}, 1≤ j≤2.
7. Q←∞.
8. Fori froml−1 downto 0 do 8.1 Q←2Q. 8.2 For jfrom 1 to 2 do Ifkj,i =0 then Ifkj,i >0 thenQ←Q+kj,iPj; ElseQ←Q− |kj,i|Pj. 9. Return(Q).