Paper 2008/171

Binary Edwards Curves

Daniel J. Bernstein, Tanja Lange, and Reza Rezaeian Farashahi

Abstract

This paper presents a new shape for ordinary elliptic curves over fields of characteristic 2. Using the new shape, this paper presents the first complete addition formulas for binary elliptic curves, i.e., addition formulas that work for all pairs of input points, with no exceptional cases. If n >= 3 then the complete curves cover all isomorphism classes of ordinary elliptic curves over F_2^n. This paper also presents dedicated doubling formulas for these curves using 2M + 6S + 3D, where M is the cost of a field multiplication, S is the cost of a field squaring, and D is the cost of multiplying by a curve parameter. These doubling formulas are also the first complete doubling formulas in the literature, with no exceptions for the neutral element, points of order 2, etc. Finally, this paper presents complete formulas for differential addition, i.e., addition of points with known difference. A differential addition and doubling, the basic step in a Montgomery ladder, uses 5M + 4S + 2D when the known difference is given in affine form.

Note: Improved explicit formulas. See also the Explicit-Formulas Database, http://hyperelliptic.org/EFD.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
Elliptic curvesEdwards curvesbinary fieldscomplete addition lawMontgomery ladder
Contact author(s)
tanja @ hyperelliptic org
History
2008-06-11: revised
2008-04-15: received
See all versions
Short URL
https://ia.cr/2008/171
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2008/171,
      author = {Daniel J.  Bernstein and Tanja Lange and Reza Rezaeian Farashahi},
      title = {Binary Edwards Curves},
      howpublished = {Cryptology ePrint Archive, Paper 2008/171},
      year = {2008},
      note = {\url{https://eprint.iacr.org/2008/171}},
      url = {https://eprint.iacr.org/2008/171}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.