Paper 2014/852

Faster ECC over $\mathbb{F}_{2^{521}-1}$

Robert Granger and Michael Scott

Abstract

In this paper we present a new multiplication algorithm for residues modulo the Mersenne prime $2^{521} - 1$. Using this approach, on an Intel Haswell Core i7-4770, constant-time variable-base scalar multiplication on NIST's (and SECG's) curve P-521 requires 1,073,000 cycles, while on the recently proposed Edwards curve E-521 it requires just 943,000 cycles. As a comparison, on the same architecture openSSL's ECDH speed test for curve P-521 requires 1,319,000 cycles. Furthermore, our code was written entirely in C and so is robust across different platforms. The basic observation behind these speedups is that the form of the modulus allows one to multiply residues with as few word-by-word multiplications as is needed for squaring, while incurring very little overhead from extra additions, in contrast to the usual Karatsuba methods.

Note: This version now has cache-safe implementation timings.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
A minor revision of an IACR publication in PKC 2015
Keywords
elliptic curve cryptographyperformanceP-521E-521Edwards curvesgeneralised repunit primes
Contact author(s)
robbiegranger @ gmail com
History
2015-03-23: revised
2014-10-22: received
See all versions
Short URL
https://ia.cr/2014/852
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2014/852,
      author = {Robert Granger and Michael Scott},
      title = {Faster ECC over $\mathbb{F}_{2^{521}-1}$},
      howpublished = {Cryptology ePrint Archive, Paper 2014/852},
      year = {2014},
      note = {\url{https://eprint.iacr.org/2014/852}},
      url = {https://eprint.iacr.org/2014/852}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.