5 research outputs found

    The complete cost of cofactor h=1

    This paper presents optimized software for constant-time variable-base scalar multiplication on prime-order Weierstraß curves using the complete addition and doubling formulas presented by Renes, Costello, and Batina in 2016. Our software targets three different microarchitectures: Intel Sandy Bridge, Intel Haswell, and ARM Cortex-M4. We use a 255-bit elliptic curve over $\mathbb{F}_{2^{255}-19}$ that was proposed by Barreto in 2017. The reason for choosing this curve in our software is that it allows the most meaningful comparison of our results with optimized software for Curve25519. The goal of this comparison is to get an understanding of the cost of using cofactor-one curves with complete formulas when compared to widely used Montgomery (or twisted Edwards) curves that inherently have a non-trivial cofactor.

    On the Deployment of curve based cryptography for the Internet of Things

    The typical battery-supported IoT computing node has progressed in recent years from an 8-bit processor with limited memory resources to a 32-bit processor with ample amounts of ROM and RAM. This is a game-changer for developers, who no longer need to struggle with assembly language programming but can instead bring to bear all of the tools of modern software engineering, including high-level language compilers. At the same time, curve-based cryptography has matured to the extent that efficient curves and algorithms are now well known. However, the dynamics of academic research are such that execution speed, mandating continued use of assembly language, trumps all other considerations. In this paper we report on the performance that can be expected from simple, portable high-level language implementations across a wide range of contemporary architectures.

    Subgroup membership testing on elliptic curves via the Tate pairing

    This note explains how to guarantee the membership of a point in the prime-order subgroup of an elliptic curve (over a finite field) satisfying some moderate conditions. For this purpose, we apply the Tate pairing on the curve; however, the curve is not required to be pairing-friendly. Whenever the cofactor is small, the new subgroup test is much more efficient than other known ones, because it needs to compute at most two $n$-th power residue symbols (with small $n$) in the base field. More precisely, the running time of the test is (sub-)quadratic in the bit length of the field size, which is comparable with the Decaf-style technique. The test is relevant, e.g., for the zk-SNARK-friendly curves Bandersnatch and Jubjub proposed by the Ethereum and Zcash research teams respectively.

    The Complete Cost of Cofactor h=1

    No full text

    The Complete Cost of Cofactor h=1

    No full text
    Contains fulltext: 214886.pdf (publisher's version) (Closed access). Progress in Cryptology - INDOCRYPT 2019 - 20th International Conference on Cryptology in India, Hyderabad, India, December 15-18, 201