Christophe Doche

Handbook of Elliptic and Hyperelliptic Curve Cryptography

Preface Introduction to Public-Key Cryptography Mathematical Background Algebraic Background Background on p-adic Numbers Background on Curves and Jacobians Varieties Over Special Fields Background on Pairings Background on Weil Descent Cohomological Background on Point Counting Elementary Arithmetic Exponentiation Integer Arithmetic Finite Field Arithmetic Arithmetic of p-adic Numbers Arithmetic of Curves Arithmetic of Elliptic Curves Arithmetic of Hyperelliptic Curves Arithmetic of Special Curves Implementation of Pairings Point Counting Point Counting on Elliptic and Hyperelliptic Curves Complex Multiplication Computation of Discrete Logarithms Generic Algorithms for Computing Discrete Logarithms Index Calculus Index Calculus for Hyperelliptic Curves Transfer of Discrete Logarithms Applications Algebraic Realizations of DL Systems Pairing-Based Cryptography Compositeness and Primality Testing-Factoring Realizations of DL Systems Fast Arithmetic Hardware Smart Cards Practical Attacks on Smart Cards Mathematical Countermeasures Against Side-Channel Attacks Random Numbers-Generation and Testing References

Extended double-base number system with applications to elliptic curve cryptography

We investigate the impact of larger digit sets on the length of Double-Base Number system (DBNS) expansions. We present a new representation system called extended DBNS whose expansions can be extremely sparse. When compared with double-base chains, the average length of extended DBNS expansions of integers of size in the range 200–500 bits is approximately reduced by 20% using one precomputed point, 30% using two, and 38% using four. We also discuss a new approach to approximate an integer n by d2a3b where d belongs to a given digit set. This method, which requires some precomputations as well, leads to realistic DBNS implementations. Finally, a left-to-right scalar multiplication relying on extended DBNS is given. On an elliptic curve where operations are performed in Jacobian coordinates, improvements of up to 13% overall can be expected with this approach when compared to window NAF methods using the same number of precomputed points. In this context, it is therefore the fastest method known to date to compute a scalar multiplication on a generic elliptic curve.

Efficient scalar multiplication by isogeny decompositions

On an elliptic curve, the degree of an isogeny corresponds essentially to the degrees of the polynomial expressions involved in its application. The multiplication–by–l map [l] has degree l2, therefore the complexity to directly evaluate [l](p) is O(l2). For a small prime l (= 2, 3) such that the additive binary representation provides no better performance, this represents the true cost of application of scalar multiplication. If an elliptic curve admits an isogeny ϕ of degree l then the costs of computing ϕ(P) should in contrast be O(l) field operations. Since we then have a product expression [l]=

A Tree-Based Approach for Computing Double-Base Chains

\hat{\varphi}\varphi

Double-Base Number System for Multi-scalar Multiplications

, the existence of an l-isogeny ϕ on an elliptic curve yields a theoretical improvement from O(l2) to O(l) field operations for the evaluation of [l](p) by naive application of the defining polynomials. In this work we investigate actual improvements for small l of this asymptotic complexity. For this purpose, we describe the general construction of families of curves with a suitable decomposition [l]=

Extending scalar multiplication using double bases

\hat{\varphi}\varphi

Redundant trinomials for finite fields of characteristic 2

, and provide explicit examples of such a family of curves with simple decomposition for [3]. Finally we derive a new tripling algorithm to find complexity improvements to triplication on a curve in certain projective coordinate systems, then combine this new operation to non-adjacent forms for l-adic expansions in order to obtain an improved strategy for scalar multiplication on elliptic curves.

Finite Field Arithmetic

We introduce a tree-based method to find short Double-Base chains. As compared to the classical greedy approach, this new method is not only simpler to implement and faster, experimentally it also returns shorter chains on average. The complexity analysis shows that the average length of a chain returned by this tree-based approach is

Even moments of generalized Rudin–Shapiro polynomials

\frac{\log_2 n }{4.6419}\cdotp

On the spectrum of the Zhang-Zagier height

This tends to suggest that the average length of DB-chains generated by the greedy approach is not O(logn/loglogn). We also discuss generalizations of this method, namely to compute Step Multi-Base Representation chains involving more than 2 bases and extended DB-chains having nontrivial coefficients.