1,077 research outputs found
Koblitz curves over quadratic fields
In this work, we retake an old idea that Koblitz presented in his landmark paper, where he suggested the possibility of defining anomalous elliptic curves over the base field F4. We present a careful implementation of the base and quadratic field arithmetic required for computing the scalar multiplication operation in such curves. We also introduce two ordinary Koblitz-like elliptic curves defined over F4 that are equipped with efficient endomorphisms. To the best of our knowledge these endomorphisms have not been reported before. In order to achieve a fast reduction procedure, we adopted a redundant trinomial strategy that embeds elements of the field F4^m, with m a prime number, into a ring of higher order defined by an almost irreducible trinomial. We also present a number of techniques that allow us to take full advantage of the native vector instructions of high-end microprocessors. Our software library achieves the fastest timings reported for the computation of the timing-protected scalar multiplication on Koblitz curves, and competitive timings with respect to the speed records established recently in the computation of the scalar multiplication over binary and prime fields.
Counting hyperelliptic curves that admit a Koblitz model
Let k be a finite field of odd characteristic. We find a closed formula for
the number of k-isomorphism classes of pointed, and non-pointed, hyperelliptic
curves of genus g over k, admitting a Koblitz model. These numbers are
expressed as a polynomial in the cardinality q of k, with integer coefficients
(for pointed curves) and rational coefficients (for non-pointed curves). The
coefficients depend on g and the set of divisors of q-1 and q+1. These formulas
show that the number of hyperelliptic curves of genus g suitable (in principle)
for cryptographic applications is asymptotically (1-e^{-1})2q^{2g-1}, and not
2q^{2g-1} as it was believed. The curves of genus g=2 and g=3 are more
resistant to the attacks to the DLP; for these values of g the number of curves
is respectively (91/72)q^3+O(q^2) and (3641/2880)q^5+O(q^4).
Optimality of the Width-w Non-adjacent Form: General Characterisation and the Case of Imaginary Quadratic Bases
Efficient scalar multiplication in Abelian groups (which is an important
operation in public key cryptography) can be performed using digital
expansions. Apart from rational integer bases (double-and-add algorithm),
imaginary quadratic integer bases are of interest for elliptic curve
cryptography, because the Frobenius endomorphism fulfils a quadratic equation.
One strategy for improving the efficiency is to increase the digit set (at the
price of additional precomputations). A common choice is the width-w
non-adjacent form (w-NAF): each block of w consecutive digits contains at
most one non-zero digit. Heuristically, this ensures a low weight, i.e. number
of non-zero digits, which translates in few costly curve operations. This paper
investigates the following question: Is the w-NAF-expansion optimal, where
optimality means minimising the weight over all possible expansions with the
same digit set?
The main characterisation of optimality of w-NAFs can be formulated in the
following more general setting: We consider an Abelian group together with an
endomorphism (e.g., multiplication by a base element in a ring) and a finite
digit set. We show that each group element has an optimal w-NAF-expansion if
and only if this is the case for each sum of two expansions of weight 1. This
leads both to an algorithmic criterion and to generic answers for various
cases.
Imaginary quadratic integers of trace at least 3 (in absolute value) have
optimal w-NAFs for . The same holds for the special case of base
and , which corresponds to Koblitz curves in
characteristic three. In the case of , optimality depends on
the parity of . Computational results for small trace are given.
A refinement of Koblitz's conjecture
Let E be an elliptic curve over the number field Q. In 1988, Koblitz
conjectured an asymptotic for the number of primes p for which the cardinality
of the group of F_p-points of E is prime. However, the constant occurring in
his asymptotic does not take into account that the distributions of the
|E(F_p)| need not be independent modulo distinct primes. We shall describe a
corrected constant. We also take the opportunity to extend the scope of the
original conjecture to ask how often |E(F_p)|/t is prime for a fixed positive
integer t, and to consider elliptic curves over arbitrary number fields.
Several worked out examples are provided to supply numerical evidence for the
new conjecture.
- …