Francesco Sica
Mount Allison University
Publication
Featured research published by Francesco Sica.
International Journal of Number Theory | 2010
Heng Huat Chan; Shaun Cooper; Francesco Sica
Heng Huat Chan, Department of Mathematics, National University of Singapore, Block S17, 10, Lower Kent Ridge Road, 119076 Singapore. Shaun Cooper, Institute of Information and Mathematical Sciences, Massey University, Private Bag 102904, North Shore Mail Centre, Auckland, New Zealand. Francesco Sica, Mathematics and Computer Science, Mount Allison University, 67 York Street, Sackville, NB, E4L 1E6, Canada.
international conference on cryptology in india | 2001
Mathieu Ciet; Jean-Jacques Quisquater; Francesco Sica
In 1999 Silverman [21] introduced a family of binary finite fields which are composite extensions of $\mathbb{F}_2$ and on which arithmetic operations can be performed more quickly than on prime extensions of $\mathbb{F}_2$ of the same size. We present here a fast approach to elliptic curve cryptography using a distinguished subset of the set of Silverman fields $\mathbb{F}_{2^N} = \mathbb{F}_{h^n}$. This approach leads to a theoretical computation speedup over fields of the same size, using a standard point of view (cf. [7]). We also analyse their security against prime extension fields $\mathbb{F}_{2^p}$, where $p$ is prime, following the method of Menezes and Qu [12]. We conclude that our fields do not present any significant weakness towards the solution of the elliptic curve discrete logarithm problem and that often the Weil descent of Galbraith-Gaudry-Hess-Smart (GGHS) does not offer a better attack on elliptic curves defined over $\mathbb{F}_{2^N}$ than on those defined over $\mathbb{F}_{2^p}$, with a prime $p$ of the same size as $N$. A noteworthy example is provided by $\mathbb{F}_{2^{226}}$: a generic elliptic curve $Y^2 + XY = X^3 + ?X^2 + s$ defined over $\mathbb{F}_{2^{226}}$ is as prone to the GGHS Weil descent attack as a generic curve defined on the NIST field $\mathbb{F}_{2^{233}}$.
international cryptology conference | 2009
Christophe Doche; David R. Kohel; Francesco Sica
The Joint Sparse Form is currently the standard representation system to perform multi-scalar multiplications of the form $[n]P + [m]Q$. We introduce the concept of Joint Double-Base Chain, a generalization of the Double-Base Number System to represent simultaneously $n$ and $m$. This concept is relevant because of the high redundancy of Double-Base systems, which ensures that we can find a chain of reasonable length that uses exactly the same terms to compute both $n$ and $m$. Furthermore, we discuss an algorithm to produce such a Joint Double-Base Chain. Because of its simplicity, this algorithm is straightforward to implement, efficient, and also quite easy to analyze. Namely, in our main result we show that the average number of terms in the expansion is less than $0.3945 \log_2 n$. With respect to the Joint Sparse Form, this induces a reduction by more than 20% of the number of additions. As a consequence, the total number of multiplications required for a scalar multiplication is minimal for our method, across all the methods using two precomputations, $P + Q$ and $P - Q$. This is the case even with coordinate systems offering very cheap doublings, in contrast with recent results on scalar multiplications. Several variants are discussed, including methods using more precomputed points and a generalization relevant for Koblitz curves. Our second contribution is a new way to evaluate $\widehat\phi$, the dual endomorphism of the Frobenius. Namely, we propose formulae to compute $\pm{\widehat\phi}(P)$ with at most 2 multiplications and 2 squarings in the base field $\mathbb{F}_{2^d}$. This represents a speed-up of about 50% with respect to the fastest known techniques. This has very concrete consequences on scalar and multi-scalar multiplications on Koblitz curves.
international conference on the theory and application of cryptology and information security | 2006
Roberto Maria Avanzi; Vassil S. Dimitrov; Christophe Doche; Francesco Sica
Lecture Notes in Computer Science | 2006
Roberto Maria Avanzi; Francesco Sica
international conference on progress in cryptology | 2005
Mathieu Ciet; Francesco Sica
selected areas in cryptography | 2002
Francesco Sica; Mathieu Ciet; Jean-Jacques Quisquater
Archive | 2009
Roberto Maria Avanzi; Liam Keliher; Francesco Sica
selected areas in cryptography | 2009
Roberto Maria Avanzi; Liam Keliher; Francesco Sica
Designs, Codes and Cryptography | 2001
Kwok Yan Lam; Francesco Sica
It has been recently acknowledged [4,6,9] that the use of double-base representations of scalars $n$, that is, an expression of the form $n = \sum_{e,s,t} (-1)^e A^s B^t$, can significantly speed up scalar multiplication on those elliptic curves where multiplication by one base (say $B$) is fast. This is the case in particular of Koblitz curves and supersingular curves, where scalar multiplication can now be achieved in $o(\log n)$ curve additions. Previous literature dealt basically with supersingular curves (in characteristic 3, although the methods can be easily extended to arbitrary characteristic), where $A, B \in \mathbb{N}$. Only [4] attempted to provide a similar method for Koblitz curves, where at least one base must be non-real, although their method does not seem practical for cryptographic sizes (it is only asymptotic), since the constants involved are too large. We provide here a unifying theory by proposing an alternate recoding algorithm which works in all cases with optimal constants. Furthermore, it can also solve the until now untreatable case where both $A$ and $B$ are non-real. The resulting scalar multiplication method is then compared to standard methods for Koblitz curves. It runs in less than $\log n/\log\log n$ elliptic curve additions, and is faster than any given method with similar storage requirements already on the curve K-163, with larger improvements as the size of the curve increases, surpassing 50% with respect to the τ-NAF for the curves K-409 and K-571. With respect to windowed methods, which can approach our speed but require $O(\log(n)/\log\log(n))$ precomputations for optimal parameters, we offer the advantage of a fixed, small memory footprint, as we need storage for at most two additional points.