Connecting Legendre with Kummer and Edwards

Scalar multiplication on Legendre form elliptic curves can be speeded up in two ways. One can perform the bulk of the computation either on the associated Kummer line or on an appropriate twisted Edwards form elliptic curve. This paper provides details of moving to and from between Legendre form elliptic curves and associated Kummer line and moving to and from between Legendre form elliptic curves and related twisted Edwards form elliptic curves. Further, concrete twisted Edwards form elliptic curves are identified which correspond to known Kummer lines at the 128-bit security level which provide very fast scalar multiplication on modern architectures supporting SIMD operations

Binary Kummer Line

Gaudry and Lubicz introduced the idea of Kummer line in 2009, and Karati and Sarkar proposed three Kummer lines over prime fields in 2017. In this work, we explore the problem of secure and efficient scalar multiplications on binary field using Kummer line and investigate the possibilities of speedups using Kummer line compared to Koblitz curves, binary Edwards curve and Weierstrass curves. We propose a binary Kummer line $\mathsf{BKL}251$ over binary field $\mathbb{F}_{2^{251}}$ where the associated elliptic curve satisfies the required security conditions and offers 124.5-bit security which is the same as that of Binary Edwards curve $\mathsf{BEd251}$ and Weierstrass curve $\mathsf{CURVE2251}$. $\mathsf{BKL}251$ has small curve parameter and small base point. We implement our software of $\mathsf{BKL}l251$ using the instruction ${\tt PCLMULQDQ}$ of modern Intel processors and batch software $\mathsf{BBK251}$ using bitslicing technique. For fair comparison, we also implement the software $\mathsf{BEd}251$ for binary Edwards curve. In both the implementations, scalar multiplications take constant time which use Montgomery ladders. In case of left-to-right Montgomery ladder, both the Kummer line and Edwards curve have almost the same number of field operations. For right-to-left Montgomery ladder scalar multiplication, each ladder step of binary Kummer line needs less number of field operations compared to Edwards curve. Our experimental results show that left-to-right Montgomery scalar multiplications of $\mathsf{BKL}251$ are $9.63\%$ and $0.52\%$ faster than those of $\mathsf{BEd}251$ for fixed-base and variable-base, respectively. Left-to-right Montgomery scalar multiplication for variable-base of $\mathsf{BKL}251$ is 39.74\%, 23.25\% and 32.92\% faster than those of the curves $\mathsf{CURVE2251}$, K-283 and B-283 respectively. Using right-to-left Montgomery ladder with precomputation, $\mathsf{BKL}251$ achieves 17.84\% speedup over $\mathsf{BEd}251$ for fixed-base scalar multiplication. For batch computation, $\mathsf{BBK251}$ has comparatively the same (slightly faster) performance as $\mathsf{BBE251}$ and $\mathsf{sect283r1}$. Also it is clear from our experiments that scalar multiplications on $\mathsf{BKL}251$ and $\mathsf{BEd251}$ are (approximately) 65\% faster than one scalar multiplication (after scaling down) of batch software $\mathsf{BBK251}$ and $\mathsf{BBE251}$

The Generalized Montgomery Coordinate: A New Computational Tool for Isogeny-based Cryptography

Recently, some studies have constructed one-coordinate arithmetics on elliptic curves. For example, formulas of the $x$-coordinate of Montgomery curves, $x$-coordinate of Montgomery$^-$ curves, $w$-coordinate of Edwards curves, $w$-coordinate of Huff\u27s curves, $\omega$-coordinates of twisted Jacobi intersections have been proposed. These formulas are useful for isogeny-based cryptography because of their compactness and efficiency. In this paper, we define a novel function on elliptic curves called the generalized Montgomery coordinate that has the five coordinates described above as special cases. For a generalized Montgomery coordinate, we construct an explicit formula of scalar multiplication that includes the division polynomial, and both a formula of an image point under an isogeny and that of a coefficient of the codomain curve. Finally, we present two applications of the theory of a generalized Montgomery coordinate. The first one is the construction of a new efficient formula to compute isogenies on Montgomery curves. This formula is more efficient than the previous one for high degree isogenies as the $\sqrt{\vphantom{2}}$\\u27{e}lu\u27s formula in our implementation. The second one is the construction of a new generalized Montgomery coordinate for Montgomery$^-$ curves used for CSURF

Security and Efficiency Trade-offs for Elliptic Curve Diffie-Hellman at the 128-bit and 224-bit Security Levels

Within the Transport Layer Security (TLS) Protocol Version 1.3, RFC 7748 specifies elliptic curves targeted at the 128-bit and the 224-bit security levels. For the 128-bit security level, the Montgomery curve Curve25519 and its birationally equivalent twisted Edwards curve Ed25519 are specified; for the 224-bit security level, the Montgomery curve Curve448, the Edwards curve Edwards448 (which is isogenous to Curve448) and another Edwards curve which is birationally equivalent to Curve448 are specified. Our first contribution is to provide the presently best known 64-bit assembly implementations of Diffie-Hellman shared secret computation using Curve25519. The main contribution of this work is to propose new pairs of Montgomery-Edwards curves at the 128-bit and the 224-bit security levels. The new curves are nice in the sense that they have very small curve coefficients and base points. Compared to the curves in RFC~7748, the new curves lose two bits of security. The gain is improved efficiency. For Intel processors, we have made different types of implementations of the Diffie-Hellman shared secret computation using the new curves. The new curve at the 128-bit level is faster than Curve25519 for all types of implementations, while the new curve at the 224-bit level is faster than Curve448 using 64-bit sequential implementation using schoolbook multiplication, but is slower than Curve448 for vectorized implementation using Karatsuba multiplication. Overall, the new curves provide good alternatives to Curve25519 and Curve448