3.6. Point multiplication using halving |
129 |
Since v1 and v2 do not depend on k, it is possible to precompute estimates for b1/n and −b2/n for use in step 4 of Algorithm 3.74. In this case, only steps 4–6 of Algorithm 3.74 must be performed, and hence the cost Ck is insignificant in the overall point multiplication.
Algorithm 3.77 Point multiplication with efficiently computable endomorphisms
INPUT: Integer k [1, n − 1], P E(Fq ), window widths w1 and w2, and λ.
OUTPUT: k P.
1. |
Use Algorithm 3.74 to find k1 and k2 such that k = k1 + k2λ mod n. |
|||||
2. |
Calculate P2 = φ ( P), and let P1 = P. |
l j −1 |
|
|
i |
for j = 1, 2. |
3. |
Use Algorithm 3.30 to compute NAFw j (|k j |) = |
i=0 |
k j,i 2 |
|||
4. |
|
< l, 1 |
≤ |
j |
≤ |
2. |
Let l = max{l1, l2} and define k j,i = 0 for l j ≤ i |
|
|
||||
5. |
If k j < 0, then set k j,i ← − k j,i for 0 ≤ i < l j , 1 ≤ j ≤ 2. |
|
|
|
||
6.Compute i Pj for i {1, 3, . . . , 2w j −1 − 1}, 1 ≤ j ≤ 2.
7.Q ← ∞.
8.For i from l − 1 downto 0 do
8.1Q ← 2Q.
8.2For j from 1 to 2 do
If k j,i = 0 then
If k j,i > 0 then Q ← Q + k j,i Pj ; Else Q ← Q − |k j,i | Pj .
9.Return(Q).
3.6Point multiplication using halving
Point multiplication methods based on point halving share strategy with τ -adic methods on Koblitz curves (§3.4) in the sense that point doubling is replaced by a potentially faster operation. As with the efficiently computable endomorphisms in §3.5, the improvement is not as dramatic as that obtained with methods for Koblitz curves, although halving applies to a wider class of curves.
Point halving was proposed independently by E. Knudsen and R. Schroeppel. We restrict our attention to elliptic curves E over binary fields F2m defined by the equation
y2 + x y = x3 + ax2 + b
where a, b F2m , b = 0. To simplify the exposition, we assume that Tr(a) = 1 (cf. Theorem 3.18).2 We further assume that m is prime and that the reduction polynomials
2The algorithms presented in this section can be modified for binary curves with Tr(a) = 0; however, they are more complicated than the case where Tr(a) = 1.
130 3. Elliptic Curve Arithmetic
are trinomials or pentanomials. These properties are satisfied by the five random curves over binary fields recommended by NIST in the FIPS 186-2 standard (see §A.2.2).
Let P = (x, y) be a point on E with P = − P. From §3.1.2, the (affine) coordinates of Q = 2P = (u, v) can be computed as follows:
λ = x + y/x |
(3.39) |
u = λ2 + λ + a |
(3.40) |
v = x2 + u(λ + 1). |
(3.41) |
Affine point doubling requires one field multiplication and one field division. With projective coordinates and a {0, 1}, point doubling can be done in four field multiplications. Point halving is the following operation: given Q = (u, v), compute P = (x, y) such that Q = 2P. Since halving is the reverse operation of doubling, the basic idea for halving is to solve (3.40) for λ, (3.41) for x, and finally (3.39) for y.
When G is a subgroup of odd order n in E, point doubling and point halving are automorphisms of G. Therefore, given a point Q G, one can always find a unique point P G such that Q = 2P. §3.6.1 and §3.6.2 describe an efficient algorithm for point halving in G. In §3.6.3, point halving is used to obtain efficient halve-and-add methods for point multiplication in cryptographic schemes based on elliptic curves over binary fields.
3.6.1Point halving
The notion of trace plays a central role in deriving an efficient algorithm for point halving.
Definition 3.78 The trace function on F2m is the function Tr : F2m → F2m defined by Tr(c) = c + c2 + c22 + · · · + c2m−1 .
Lemma 3.79 (properties of the trace function) Let c, d F2m .
(i)Tr(c) = Tr(c2) = Tr(c)2; in particular, Tr(c) {0, 1}.
(ii)Trace is linear; that is, Tr(c + d) = Tr(c) + Tr(d).
(iii)If (u, v) G, then Tr(u) = Tr(a).
Property (iii) follows from (3.40) because
Tr(u) = Tr(λ2 + λ + a) = Tr(λ)2 + Tr(λ) + Tr(a) = Tr(a).
Given Q = (u, v) G, point halving seeks the unique point P = (x, y) G such that Q = 2P. The first step of halving is to find λ = x + y/x by solving the equation
|
+ = |
|
+ a |
|
λ2 |
λ |
u |
|
(3.42) |
|
|
|
3.6. |
Point multiplication using halving |
131 |
If |
|
|
|
|
|
for λ. An efficient algorithm for solving (3.42) is presented in §3.6.2. Let λ denote the |
|||||
|
|
= |
|
|
+ 1}. |
solution of (3.42) obtained from this algorithm. It is easily verified that λ {λ, λ |
|||||
|
Tr(a) 1, the following result can be used to identify λ. |
|
|||
Theorem 3.80 Let P = (x, y), Q = (u, v) G be such that Q = 2P, and denote λ = x + y/x. Let λ be a solution to (3.42), and t = v + uλ. Suppose that Tr(a) = 1. Then λ = λ if and only if Tr(t) = 0.
Proof: Recall from (3.41) that x2 |
|
|
= v + u(λ + 1). By Lemma 3.79(iii), we get Tr(x) = |
Tr(a) since P = (x, y) G. Thus, |
|
Tr(v + u(λ + 1)) = Tr(x2) = Tr(x) = Tr(a) = 1. |
|
Hence, if λ = λ + 1, then Tr(t) = Tr(v + u(λ + 1)) = 1 as required. Otherwise, we must
have λ = λ, which gives Tr(t) = Tr(v + uλ) = Tr(v + u((λ + 1) + 1)). Since the trace |
|
function is linear, |
|
|
|
|
|
Tr(v + u((λ + 1) + 1)) = Tr(v + u(λ + 1)) + Tr(u) = 1 + Tr(u) = 0. |
|
Hence, we conclude that λ = λ if and only if Tr(t) = 0. |
|
Theorem 3.80 suggests a simple algorithm for identifying λ in the case that Tr(a) = 1. We can then solve x2 = v + u(λ + 1) for the unique root x. §3.6.2 presents efficient algorithms for finding traces and square roots in F2m . Finally, if needed, y = λx + x2 may be recovered with one field multiplication.
Let the λ-representation of a point Q = (u, v) be (u, λQ ), where
λQ = u + v . u
Given the λ-representation of Q as the input to point halving, we may compute t in Theorem 3.80 without converting to affine coordinates since
t = v + uλ = u |
u + u + u |
+ uλ = u(u + λQ + λ). |
|
|
v |
may be performed directly on the λ- |
|
In point multiplication, repeated halvings |
|||
|
|
|
|
representation of a point, with conversion to affine only when a point addition is required.
Algorithm 3.81 Point halving
INPUT: λ-representation (u, λQ ) or affine representation (u, v) of Q G.
OUTPUT: λ-representation |
(2 |
|
|
|
P |
) of P |
= |
(x, y) |
G |
, where Q |
= |
2P. |
|||||||||
x, λ |
|
|
|
|
|||||||||||||||||
1. |
Find a solution λ of λ + λ = u + a. |
|
|
|
|
|
|
||||||||||||||
2. |
If the input is in λ-representation, |
then compute t = u(u + λQ + λ); |
|||||||||||||||||||
else, compute t v uλ. |
|
|
|
|
|||||||||||||||||
|
|
|
|
= |
+ |
|
λ, x |
|
√ |
|
|
|
; |
|
|
|
|
||||
3. |
If Tr(t) |
0, then λP |
|
|
|
t |
|
u |
|
|
|
||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
+ |
|
|
←√t. |
|
|
← |
|
|
+ |
|
|
|
|
|
|
||||
|
← |
1, x |
|
|
|
|
|
|
|
|
|
|
|
||||||||
|
else λP = |
λ |
|
|
|
|
|
|
|
|
|
|
|
|
|||||||
4. |
Return (x, λP ). |
← |
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
132 3. Elliptic Curve Arithmetic
3.6.2Performing point halving efficiently
Point halving requires a field multiplication and three main steps: (i) computing the trace of t; (ii) solving the quadratic equation (3.42); and (iii) computing a square root. In a normal basis, field elements are represented in terms of a basis of the form
{β, β2, . . . , β2m−1 }. The trace of an element c = |
|
ci β2i = (c0, c1, . . . , cm−1) is given by |
||||||||||||||||||
Tr(c) |
= |
c |
i . The square root |
computation is a left rotation: |
c |
= |
(c |
1 |
, . . . , c |
m−1 |
, c |
0 |
). |
|||||||
|
|
|
2 |
+ |
x |
= |
|
|
√ |
|
|
|
|
|
||||||
|
|
is a right rotation, and x |
|
c can be solved bitwise. These operations |
||||||||||||||||
Squaring |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
are expected to be inexpensive relative to field multiplication. However, field multiplication in software for normal basis representations is very slow in comparison to multiplication with a polynomial basis. Conversion between polynomial and normal bases at each halving appears unlikely to give a competitive method, even if significant storage is used. For these reasons, we restrict our discussion to computations in a polynomial basis representation.
Computing the trace
A |
|
= |
|
i=0 |
i |
zi |
|
2 |
i { } |
= |
|
m−1 |
|
− |
|
Let c |
|
|
m−1 c |
F m , with c |
0, 1 , represented as the vector c |
|
(c |
|
, . . . , c |
). |
|||||
|
primitive method for computing Tr(c) uses the definition of trace, requiring m |
|
1 |
||||||||||||
field squarings and m − 1 field additions. A much more efficient method makes use of
the property that the trace is linear: |
−0 ci zi |
= i |
−0 ci Tr(zi ). |
Tr(c) = Tr i |
|||
m |
1 |
m |
1 |
|
|
||
= |
= |
||
The values Tr(zi ) may be precomputed, allowing the trace of an element to be found efficiently, especially if Tr(zi ) = 0 for most i.
Example 3.82 (computing traces of elements in F2163 ) Consider F2163 with reduction polynomial f (z) = z163 + z7 + z6 + z3 + 1. A routine calculation shows that Tr(zi ) = 1 if and only if i {0, 157}. As examples, Tr(z160 + z46) = 0, Tr(z157 + z46) = 1, and Tr(z157 + z46 + 1) = 0.
Solving the quadratic equation
The first step of point halving seeks a solution x of a quadratic equation of the form x2 + x = c over F2m . The time performance of this step is crucial in obtaining an efficient point halving.
Definition 3.83 Let m be an odd integer. The half-trace function H : F2m → F2m is defined by
(m−1)/2
H (c) = c22i .
i=0
3.6. Point multiplication using halving |
133 |
Lemma 3.84 (properties of the half-trace function) Let m be an odd integer.
(i)H (c + d) = H (c) + H (d) for all c, d F2m .
(ii)H (c) is a solution of the equation x2 + x = c + Tr(c).
(iii)H (c) = H (c2) + c + Tr(c) for all c F2m .
x = c. A |
|
|
i=0 |
i |
|
2 |
|
= |
i |
− |
|
||
Let c |
= |
|
zi |
with Tr(c) |
0; in particular, H (c) is a solution of x2 |
+ |
|||||||
|
|
|
m−1 c |
F m |
|
|
|
||||||
|
|
simple method for finding H (c) directly from the definition requires m |
|
|
1 |
||||||||
squarings and (m − 1)/2 additions. If storage for {H (z ) : 0 ≤ i < m} is available, then Lemma 3.84(i) may be applied to obtain
H (c) = H |
i |
−0 ci zi |
= i |
−0 ci H (zi ). |
|
m |
1 |
m |
1 |
|
|
|
||
|
= |
= |
||
However, this requires storage for m field elements, and the associated method requires an average of m/2 field additions.
Lemma 3.84 can be used to significantly reduce the storage required as well as the time needed to solve the quadratic equation. The basic strategy is to write H (c) = H (c ) + s where c has fewer nonzero coefficients than c. For even i, note that
H (zi ) = H (zi/2) + zi/2 + Tr(zi ).
134 3. Elliptic Curve Arithmetic |
|
The basic idea is to apply Lemma 3.84(iii) j times, obtaining |
|
H (zi ) = H (z2 j i ) + z2 j −1i + · · · + z4i + z2i + zi + j Tr(zi ). |
(3.43) |
Let f (z) = zm +r (z), where r (z) = zb + · · · + zb1 + 1 and 0 < b1 < · · · < b < m. Then
H (z2 j i ) = H (zsr (z)) = H (zs+b ) + H (zs+b −1 ) + · · · + H (zs+b1 ) + H (zs ).
Thus, storage for H (zi ) may be exchanged for storage of H (zs+e) for e {0, b1, . . . , b } (some of which may be further reduced). The amount of storage reduction is limited by dependencies among elements H (zi ).
If degr < m/2, the strategy can be applied in an especially straightforward fashion to eliminate some of the storage for H (zi ) in Algorithm 3.85. For m/2 < i < m − degr ,
H (zi ) = H (z2i ) + zi + Tr(zi )
=H (r (z)z2i−m ) + zi + Tr(zi )
=H (z2i−m+b + · · · + z2i−m+b1 + z2i−m ) + zi + Tr(zi ).
Since 2i − m + degr < i, the reduction may be applied to eliminate storage of H (zi ) for odd i, m/2 < i < m − degr . If degr is small, Algorithm 3.86 requires approximately m/4 elements of storage.
Algorithm 3.86 Solve x2 |
+ x = c |
|
|
||||
|
= |
|
i=m |
|
2 |
= |
|
INPUT: c |
|
|
m−01 ci zi |
|
F2m where m is odd and Tr(c) |
|
0, and reduction polynomial |
f (z) = z + r (z). |
|
|
|||||
OUTPUT: A solution s of x + x = c.
1.Precompute H (zi ) for i I0 I1, where I0 and I1 consist of the odd integers in [1, (m − 1)/2] and [m − degr, m − 2], respectively.
2.s ← 0.
3.For each odd i ((m − 1)/2, m − degr ), processed in decreasing order, do:
3.1If ci = 1 then do: c ← c + z2i−m+b + · · · + z2i−m , s ← s + zi .
4.For i from (m − 1)/2 downto 1 do:
4.1If c2i = 1 then do: c ← c + zi , s ← s + zi .
5.s ← s + i ).ci H (z
i I0 I1
6. Return(s).
The technique may also reduce the time required for solving the quadratic equation, since the cost of reducing each H (zi ) may be less than the cost of adding a precomputed value of H (zi ) to the accumulator. Elimination of the even terms (step 4) can be implemented efficiently. Processing odd terms (as in step 3) is more involved, but will be less expensive than a field addition if only a few words must be updated.
3.6. Point multiplication using halving |
135 |
Example 3.87 (Algorithm 3.86 for the field F2163 ) Consider F2163 with reduction polynomial f (z) = z163 + z7 + z6 + z3 + 1. Step 3 of Algorithm 3.86 begins with i = 155.
By Lemma 3.84,
H (z155) = H (z310) + z155 + Tr(z155)
=H (z147z163) + z155
=H (z147(z7 + z6 + z3 + 1)) + z155.
If c155 = 1, then z154 + z153 + z150 + z147 is added to c, and z155 is added to s. In this fashion, storage for H (zi ) is eliminated for i {83, 85, . . . , 155}, the odd integers in
((m − 1)/2, m − degr ).
Algorithm 3.86 uses 44 field elements of precomputation. While this is roughly half that required by the basic algorithm, it is not minimal. For example, storage for H (z51) may be eliminated, since
H (z51) = H (z102) + z51 + Tr(z51)
=H (z204) + z102 + z51 + Tr(z102) + Tr(z51)
=H (z163z41) + z102 + z51
=H (z48 + z47 + z44 + z41) + z102 + z51
which corresponds to equation (3.43) with j = 2. The same technique eliminates storage for H (zi ), i {51, 49, . . . , 41}. Similarly, if (3.43) is applied with i = 21 and j = 3,
then
H (z21) = H (z12 + z11 + z8 + z5) + z84 + z42 + z21.
Note that the odd exponents 11 and 5 are less than 21, and hence storage for H (z21) may be eliminated.
In summary, the use of (3.43) with j {1, 2, 3} eliminates storage for odd values of i {21, 41, . . . , 51, 83, . . . , 155}, and a corresponding algorithm for solving the quadratic equation requires 37 elements of precomputation. Further reductions are possible, but there are some complications since the formula for H (zi ) involves H (z j ) for j > i. As an example,
H (z23) = H (z28 + z27 + z24 + z21) + z92 + z46 + z23
and storage for H (z23) may be exchanged for storage on H (z27). These strategies reduce the precomputation to 30 field elements, significantly less than the 44 used in Algorithm 3.86. In fact, use of
zn = z157+n + zn+1 + zn−3 + zn−6
together with the previous techniques reduces the storage to 21 field elements H (zi ) for i {157, 73, 69, 65, 61, 57, 53, 39, 37, 33, 29, 27, 17, 15, 13, 11, 9, 7, 5, 3, 1}. However,
136 3. Elliptic Curve Arithmetic
this final reduction comes at a somewhat higher cost in required code compared with the 30-element version.
Experimentally, the algorithm for solving the quadratic equation (with 21 or 30 elements of precomputation) requires approximately 2/3 the time of a field multiplication. Special care should be given to branch misprediction factors (§5.1.4) as this algorithm performs many bit tests.
Computing square roots in F2m
The basic method for computing √ |
|
, where c |
|
|
|
m , is based on the little theorem of |
|||||||||||||||||||||||||||||||
c |
F |
2 |
|||||||||||||||||||||||||||||||||||
|
m |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
m |
|
1 |
|
|
|
|
|
|
|
|||||
Fermat: c2 |
|
= c. Then |
√c can be computed as |
|
√c = c2 |
|
− |
|
, requiring m − 1 squarings. |
||||||||||||||||||||||||||||
A more efficient method is obtained from the observation that √ |
|
can be expressed in |
|||||||||||||||||||||||||||||||||||
c |
|||||||||||||||||||||||||||||||||||||
terms of the square root of the element z. Let c |
= |
|
|
i=0 |
|
|
i |
zi |
|
2 |
i { } |
||||||||||||||||||||||||||
|
|
|
|
m−1 c |
|
F m , c |
0, 1 . Since |
||||||||||||||||||||||||||||||
squaring is a linear operation in |
F2 |
|
|
, the square |
root of c can be written as |
||||||||||||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
m |
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||
|
|
|
|
|
√c = |
i |
|
−0 ci zi |
|
2m−1 |
= i −0 ci (z2m−1 )i . |
|
|
|
|
||||||||||||||||||||||
|
|
|
|
|
|
|
|
m |
1 |
|
|
|
|
|
|
|
|
|
m |
1 |
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||
|
|
|
|
|
|
|
|
|
|
= |
|
|
|
|
|
|
|
|
|
|
|
= |
|
|
|
|
|
|
|
|
|
|
|
|
|||
Splitting c into even and odd powers, we have |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||||||||
|
|
|
|
|
(m−1)/2 |
|
|
|
|
|
|
|
|
|
|
(m−3)/2 |
|
|
|
|
|
|
|
|
|
|
|
||||||||||
|
|
√ |
|
= |
|
c2i (z2m−1 )2i + |
|
|
|
|
c2i+1(z2m−1 )2i+1 |
|
|||||||||||||||||||||||||
|
|
c |
|
i=0 |
|
|
i=0 |
|
|
|
|||||||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
(m−1)/2 |
|
|
|
|
|
|
(m−3)/2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
|
|
= |
|
c2i zi + |
|
c2i+1z2m−1 zi |
|
|
|
|
|
|
|
||||||||||||||||||||||||
|
|
|
|
|
|
i=0 |
|
|
|
|
|
|
|
|
|
|
i=0 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
+ |
|
|
|
|
i |
|
|
−2 . |
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||
|
|
|
|
= ci z 2 |
√z |
|
ci z |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||||
|
|
|
|
|
i even |
|
i |
|
|
|
|
|
|
|
|
odd |
|
i |
|
1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||
√
This reveals an efficient method for computing c: extract the two half-length vectors ceven = (cm−1, . . . , c4, c2, c0) and codd = (cm−2, . . . , c5, c3, c1) from c (assuming m is
odd), perform a field multiplication of codd of length m/2 with the precomputed
√
value z, and finally add this result with ceven. The computation is expected to require approximately half the time of a field multiplication. √ In the case that the reduction polynomial f is a trinomial, the computation of c can be further accelerated by the observation that an efficient formula for √z can be derived directly from f . Let f (z) = zm + zk + 1 be an irreducible trinomial of degree
m, where m > 2 is prime.
Consider the case that k is odd. Note that 1 ≡ zm + zk (mod f (z)). Then multiplying
by z and taking the square root, we get |
|
√z ≡ z m2+1 + z k+2 1 |
(mod f (z)). |