nagai2014

This paper presents a method for speeding up scalar multiplication in elliptic curve cryptosystems by using a bijective transform to map points to another curve with special coordinates, resulting in a cost reduction of approximately 2 to 5%. The proposed approach involves three steps: mapping the point, performing scalar multiplication on the new curve, and mapping back to the original curve. The method is applicable in various coordinate systems, including projective, Jacobian, and modified Jacobian coordinates.

2014 Eighth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing

978-1-4799-4331-9/14 $31.00 © 2014 IEEE
DOI 10.1109/IMIS.2014.35

Elliptic Curve Scalar Multiplication with a Bijective Transform

Yoshitaka Nagai, Masaaki Shirase
Future University Hakodate
Hakodate, Japan
Email: [email protected]

Tetsuya Izu
FUJITSU Laboratories of Europe
Hayes, United Kingdom

Abstract—It is important to speed up scalar multiplication in elliptic curve cryptosystems, and various speed-up techniques have been proposed. This paper proposes a method for computing a scalar multiplication in which, first, we map the point whose scalar multiple we would like to compute to another point on another curve so that it has a special coordinate; second, we compute the scalar multiplication on the other curve; finally, we map the computed point back to the original curve. When we use the proposed method, the cost of scalar multiplication is reduced by about 2 to 5% in projective, Jacobian, and modified Jacobian coordinate systems.

Keywords-elliptic curve cryptosystem; scalar multiplication; bijective transform

I. INTRODUCTION

Elliptic curve cryptosystems (ECCs) can provide the same security level as RSA with a much shorter key size, and the computational cost of ECCs is much smaller than that of RSA. Until several years ago ECCs were said to be the public key cryptosystems of the future, but recently they have been used in practical systems. For example, Bos et al. [2] dealt with Bitcoin [10], secure shell (SSH) [12], transport layer security (TLS) [1], and the Australian e-ID [6] as real-world applications using ECCs, and device authentication of some hard disk recorders and digital videos and copyright protection of Blu-ray Disc also use ECCs.

In ECCs, the computational complexity of scalar multiplication is dominant, so speeding up scalar multiplication is important. In general, scalar multiplication is performed by repeated additions and duplications on the elliptic curve [7], [3].

This paper proposes a method for computing the scalar multiplication $nP$ for an elliptic curve $E$ given in Weierstrass form and $P \in E$. The proposed method consists of three steps. In the first step, we map $P \in E$ to $P' \in E'$ with a bijective transform so that $P'$ has coordinates $P' = (x_1, \pm x_1)$, that is,

$$|x\text{-coordinate of } P'| = |y\text{-coordinate of } P'|$$

holds. In the second step, we compute $nP' \in E'$ using a left-to-right binary algorithm. In the final step, we apply the inverse transform to map $nP' \in E'$ to $nP \in E$. Note that the cost of the addition algorithm used to compute $nP'$ is smaller than that of the general addition algorithm because $P'$ has a special coordinate. When we use the proposed method, the cost of scalar multiplication is reduced by about 2 to 5% in projective, Jacobian, and modified Jacobian coordinate systems.

A. Notation

In this paper, the following notations are used.

Coordinate systems
$\mathcal{A}$ : affine coordinate system
$\mathcal{P}$ : projective coordinate system
$\mathcal{J}$ : Jacobian coordinate system
$\mathcal{J}^m$ : modified Jacobian coordinate system

Computational cost
$\mathcal{ADD}$ : addition formula
$\mathcal{DBL}$ : duplication formula
$M$ : a multiplication in $\mathbb{F}_p$
$S$ : a squaring in $\mathbb{F}_p$
$I$ : an inversion in $\mathbb{F}_p$

Symbol
$(n_{t-1} \cdots n_0)_2$ : binary representation of a $t$-bit integer $n \geq 1$
$HW(\cdot)$ : the Hamming weight

II. ELLIPTIC CURVE

Let $p \geq 5$ be a prime and $\mathbb{F}_p$ a prime field with $p$ elements. An elliptic curve $E$ over $\mathbb{F}_p$ is a cubic curve, for example, given in Weierstrass form,

$$E : y^2 = x^3 + ax + b, \quad a, b \in \mathbb{F}_p, \quad 4a^3 + 27b^2 \neq 0. \tag{1}$$

The set of $\mathbb{F}_p$-rational points, $E(\mathbb{F}_p)$, is defined by

$$E(\mathbb{F}_p) = \{(x, y) \in \mathbb{F}_p \times \mathbb{F}_p : (x, y) \text{ satisfies (1)}\} \cup \{\mathcal{O}\},$$

where $\mathcal{O}$ is the point at infinity. It is known that for any two points $P$ and $Q \in E(\mathbb{F}_p)$, the addition $P + Q \in E(\mathbb{F}_p)$ is defined, and $E(\mathbb{F}_p)$ forms a group with "+" and the zero element $\mathcal{O}$.
Let $P = (x_1, y_1)$, $Q = (x_2, y_2)$, and $P + Q = (x_3, y_3) \in E(\mathbb{F}_p)$. Then $x_3$ and $y_3$ are computed from $x_1, y_1, x_2, y_2$ as

$$\begin{cases} x_3 = \lambda^2 - x_1 - x_2, \\ y_3 = \lambda(x_1 - x_3) - y_1, \end{cases} \tag{2}$$

where $\lambda$ is the slope of the line through $P$ and $Q$ or of the tangent line of $E$ at $P$, that is,

$$\lambda = \begin{cases} (y_2 - y_1)/(x_2 - x_1) & \text{if } x_1 \neq x_2, \\ (3x_1^2 + a)/(2y_1) & \text{if } P_1 = P_2. \end{cases}$$

The formula (2) is called the addition formula when $x_1 \neq x_2$, and the duplication formula when $P_1 = P_2$. The negation of $P = (x_1, y_1)$ is $-P = (x_1, -y_1)$.

For an integer $n \geq 1$ and a base point $P \in E(\mathbb{F}_p)$, the scalar multiplication $nP$ is defined by repeated use of "+":

$$nP = \underbrace{P + P + \cdots + P}_{n \text{ terms}}$$

For $n \leq -1$ the scalar multiplication $nP$ is defined by $nP = (-n)(-P)$, and $0P = \mathcal{O}$.

III. SCALAR MULTIPLICATION ALGORITHM

A. Left-to-right binary algorithm

We deal with a left-to-right binary algorithm such as Algorithm 1 [3] for computing scalar multiplication. The cost of Algorithm 1 is

$$HW(n)\,\mathcal{ADD} + (t - 1)\,\mathcal{DBL}.$$

Algorithm 1 is vulnerable to simple power analysis (SPA) attacks [8], which are one type of side channel attack, because step 4 is performed only when $n_i = 1$.

Algorithm 2 is a left-to-right binary algorithm with a countermeasure against SPA attacks, in which the operations are the same in every iteration. The cost of Algorithm 2 is

$$(t - 1)\,\mathcal{ADD} + (t - 1)\,\mathcal{DBL}.$$

Algorithm 1: Binary method [3]
Input: $P \in E(\mathbb{F}_p)$, $n = (n_{t-1} \cdots n_0)_2$
Output: $nP$
1. $Q \leftarrow \mathcal{O}$ and $i \leftarrow t - 1$
2. while $i \geq 0$
3.   $Q \leftarrow 2Q$
4.   if $n_i = 1$ then $Q \leftarrow P + Q$
5.   $i \leftarrow i - 1$
6. return $Q$

Algorithm 2: Binary method with countermeasure against SPAs [3]
Input: $P \in E(\mathbb{F}_p)$, $n = (n_{t-1} \cdots n_0)_2$
Output: $nP$
1. $Q[0] \leftarrow P$
2. for $i = t - 2$ down to $0$ do
3.   $Q[0] \leftarrow 2Q[0]$
4.   $Q[1] \leftarrow P + Q[0]$
5.   $Q[0] \leftarrow Q[n_i]$
6. return $Q[0]$

Remark 1
In Algorithm 1 for computing scalar multiplication, the point $P$ is not updated, that is, $P$ in the addition $P + Q$ at step 4 is fixed while Algorithm 1 runs. Likewise, in Algorithm 2 $P$ is not updated, that is, $P$ in the addition $P + Q[0]$ at step 4 is fixed while Algorithm 2 runs.

B. Existing addition and duplication algorithms in each coordinate system

The choice of coordinate system has an impact on the cost of addition, duplication, and scalar multiplication. In almost all computing environments, the cost of an inversion in a finite field $\mathbb{F}_p$ is much larger than that of a multiplication. Thus, in general we compute scalar multiplication in $\mathcal{P}$, $\mathcal{J}$, $\mathcal{J}^m$, and so on to reduce the number of inversions. We ignore the cost of addition/subtraction in $\mathbb{F}_p$ as in [3] and [4], because it is much smaller than that of a multiplication.

This subsection deals with the existing addition and duplication algorithms described in [4], [3] in $\mathcal{P}$, $\mathcal{J}$, and $\mathcal{J}^m$.

1) Existing addition and duplication algorithms in $\mathcal{P}$:
In $\mathcal{P}$, a point on the $x$-$y$ plane is represented by three elements $[X : Y : Z]$ in $\mathbb{F}_p$, and the projective point $[X : Y : Z]$ corresponds to the affine point $(X/Z, Y/Z)$ when $Z \neq 0$. For any $\lambda \in \mathbb{F}_p^*$ $(= \mathbb{F}_p \setminus \{0\})$, $[X : Y : Z]$ and $[\lambda X : \lambda Y : \lambda Z]$ represent the same point in $\mathcal{P}$. The point at infinity $\mathcal{O}$ on an elliptic curve $E$ given in Weierstrass form Eq. (1) is $\mathcal{O} = [0 : 1 : 0]$ in $\mathcal{P}$.

Let $P_1 = [X_1 : Y_1 : Z_1]$, $P_2 = [X_2 : Y_2 : Z_2]$, $P_3 = P_1 + P_2 = [X_3 : Y_3 : Z_3]$, and $P_4 = 2P_1 = [X_4 : Y_4 : Z_4] \in E(\mathbb{F}_p)$ in $\mathcal{P}$. Then, addition and duplication are computed as follows:

Addition in $\mathcal{P}$:

$$\begin{cases} X_3 = vA, \\ Y_3 = u(v^2 X_1 Z_2 - A) - v^3 Y_1 Z_2, \\ Z_3 = v^3 Z_1 Z_2, \end{cases}$$

where $u = Y_2 Z_1 - Y_1 Z_2$, $v = X_2 Z_1 - X_1 Z_2$, $A = u^2 Z_1 Z_2 - v^3 - 2v^2 X_1 Z_2$.

Duplication in $\mathcal{P}$:

$$\begin{cases} X_4 = 2hs, \\ Y_4 = \omega(4B - h) - 8Y_1^2 s^2, \\ Z_4 = 8s^3, \end{cases}$$

where $\omega = aZ_1^2 + 3X_1^2$, $s = Y_1 Z_1$, $B = X_1 Y_1 s$, $h = \omega^2 - 8B$.

Algorithms 3 and 4 compute this addition and duplication in $\mathcal{P}$. The costs of Algorithms 3 and 4 are $12M + 2S$ and $7M + 5S$, respectively. The cost of Algorithm 3 is reduced to $9M + 2S$ if $Z_1 = 1$.

Algorithm 3: Existing addition algorithm in $\mathcal{P}$
Input: $P_1 = [X_1 : Y_1 : Z_1]$, $P_2 = [X_2 : Y_2 : Z_2]$
Output: $P_3 = P_1 + P_2 = [X_3 : Y_3 : Z_3]$
1. $W_1 \leftarrow Y_1 Z_2$ (1M)
2. $u \leftarrow Y_2 Z_1 - W_1$ (1M)
3. $W_2 \leftarrow X_1 Z_2$ (1M)
4. $v \leftarrow X_2 Z_1 - W_2$ (1M)
5. $W_3 \leftarrow u^2$ (1S)
6. $W_4 \leftarrow v^2$ (1S)
7. $W_5 \leftarrow v W_4\ (= v^3)$ (1M)
8. $W_6 \leftarrow Z_1 Z_2$ (1M)
9. $W_7 \leftarrow W_3 W_6$ (1M)
10. $W_8 \leftarrow W_2 W_4$ (1M)
11. $A \leftarrow W_7 - W_5 - 2W_8$
12. $X_3 \leftarrow vA$ (1M)
13. $W_9 \leftarrow u(W_8 - A)$ (1M)
14. $Y_3 \leftarrow W_9 - W_1 W_5$ (1M)
15. $Z_3 \leftarrow W_5 W_6$ (1M)
total cost: $12M + 2S$ ($9M + 2S$ if $Z_1 = 1$)

Algorithm 4: Existing duplication algorithm in $\mathcal{P}$
Input: $P_1 = [X_1 : Y_1 : Z_1]$
Output: $P_4 = 2P_1 = [X_4 : Y_4 : Z_4]$
1. $s \leftarrow Y_1 Z_1$ (1M)
2. $W_1 \leftarrow Z_1^2$ (1S)
3. $W_2 \leftarrow X_1^2$ (1S)
4. $\omega \leftarrow aW_1 + 3W_2$ (1M)
5. $W_3 \leftarrow sY_1$ (1M)
6. $B \leftarrow X_1 W_3$ (1M)
7. $h \leftarrow \omega^2 - 8B$ (1S)
8. $X_4 \leftarrow 2hs$ (1M)
9. $W_4 \leftarrow W_3^2$ (1S)
10. $Y_4 \leftarrow \omega(4B - h) - 8W_4$ (1M)
11. $W_5 \leftarrow s^2$ (1S)
12. $Z_4 \leftarrow 8sW_5$ (1M)
total cost: $7M + 5S$

Remark 2
Let $E$ be an elliptic curve and $P \in E$ a base point whose scalar multiple we would like to compute. Then $P$ is normally given as an affine point $P = (x_1, y_1)$, and thus we may set $P = [x_1, y_1, 1]$ in $\mathcal{P}$. Due to Remark 1, $P$ is not updated while a left-to-right algorithm runs to compute the scalar multiplication. Therefore we may suppose $Z_1 = 1$ in Algorithm 3 when it is used to compute scalar multiplication.

2) Existing addition and duplication algorithms in $\mathcal{J}$:
In $\mathcal{J}$, a point on the $x$-$y$ plane is represented by three elements $[X : Y : Z]$ in $\mathbb{F}_p$, and the Jacobian point $[X : Y : Z]$ corresponds to the affine point $(X/Z^2, Y/Z^3)$ when $Z \neq 0$. For any $\lambda \in \mathbb{F}_p^*$, $[X : Y : Z]$ and $[\lambda^2 X : \lambda^3 Y : \lambda Z]$ represent the same point. The point at infinity $\mathcal{O}$ on an elliptic curve $E$ given by Eq. (1) is $\mathcal{O} = [1 : 1 : 0]$ in $\mathcal{J}$.

Let $P_1 = [X_1 : Y_1 : Z_1]$, $P_2 = [X_2 : Y_2 : Z_2]$, $P_3 = P_1 + P_2 = [X_3 : Y_3 : Z_3]$, and $P_4 = 2P_1 = [X_4 : Y_4 : Z_4]$ in $\mathcal{J}$. Then, addition and duplication are computed as follows:

Addition in $\mathcal{J}$:

$$\begin{cases} X_3 = -H^3 - 2U_1 H^2 + r^2, \\ Y_3 = -S_1 H^3 + r(U_1 H^2 - X_3), \\ Z_3 = Z_1 Z_2 H, \end{cases}$$

where $U_1 = X_1 Z_2^2$, $U_2 = X_2 Z_1^2$, $S_1 = Y_1 Z_2^3$, $S_2 = Y_2 Z_1^3$, $H = U_2 - U_1$, $r = S_2 - S_1$.

Duplication in $\mathcal{J}$:

$$\begin{cases} X_4 = T, \\ Y_4 = -8Y_1^4 + M(S - T), \\ Z_4 = 2Y_1 Z_1, \end{cases}$$

where $S = 4X_1 Y_1^2$, $M = 3X_1^2 + aZ_1^4$, $T = -2S + M^2$.

Algorithms 5 and 6 compute this addition and duplication in $\mathcal{J}$. The costs of Algorithms 5 and 6 are $12M + 4S$ and $4M + 6S$, respectively. The cost of Algorithm 5 is reduced to $8M + 3S$ if $Z_1 = 1$. Note that we may suppose that $Z_1 = 1$ for the same reason as in Remark 2.

Algorithm 5: Existing addition algorithm in $\mathcal{J}$
Input: $P_1 = [X_1 : Y_1 : Z_1]$, $P_2 = [X_2 : Y_2 : Z_2]$
Output: $P_3 = P_1 + P_2 = [X_3 : Y_3 : Z_3]$
1. $W_1 \leftarrow Z_1^2$ (1S)
2. $W_2 \leftarrow W_1 Z_1\ (= Z_1^3)$ (1M)
3. $W_3 \leftarrow Z_2^2$ (1S)
4. $W_4 \leftarrow W_3 Z_2\ (= Z_2^3)$ (1M)
5. $U_1 \leftarrow X_1 W_3$ (1M)
6. $U_2 \leftarrow X_2 W_1$ (1M)
7. $H \leftarrow U_2 - U_1$
8. $S_1 \leftarrow Y_1 W_4$ (1M)
9. $S_2 \leftarrow Y_2 W_2$ (1M)
10. $r \leftarrow S_2 - S_1$
11. $W_5 \leftarrow H^2$ (1S)
12. $W_6 \leftarrow W_5 H\ (= H^3)$ (1M)
13. $W_7 \leftarrow r^2$ (1S)
14. $W_8 \leftarrow U_1 W_5$ (1M)
15. $X_3 \leftarrow -W_6 - 2W_8 + W_7$
16. $W_9 \leftarrow S_1 W_6$ (1M)
17. $Y_3 \leftarrow -W_9 + r(W_8 - X_3)$ (1M)
18. $W_{10} \leftarrow Z_1 Z_2$ (1M)
19. $Z_3 \leftarrow W_{10} H$ (1M)
total cost: $12M + 4S$ ($8M + 3S$ if $Z_1 = 1$)

Algorithm 6: Existing duplication algorithm in $\mathcal{J}$
Input: $P_1 = [X_1 : Y_1 : Z_1]$
Output: $P_4 = 2P_1 = [X_4 : Y_4 : Z_4]$
1. $W_1 \leftarrow Y_1^2$ (1S)
2. $S \leftarrow 4X_1 W_1$ (1M)
3. $W_2 \leftarrow X_1^2$ (1S)
4. $W_3 \leftarrow Z_1^2$ (1S)
5. $W_4 \leftarrow W_3^2$ (1S)
6. $M \leftarrow 3W_2 + aW_4$ (1M)
7. $T \leftarrow -2S + M^2$ (1S)
8. $W_5 \leftarrow W_1^2$ (1S)
9. $X_4 \leftarrow T$
10. $Y_4 \leftarrow M(S - T) - 8W_5$ (1M)
11. $Z_4 \leftarrow 2Y_1 Z_1$ (1M)
total cost: $4M + 6S$

3) Existing addition and duplication algorithms in $\mathcal{J}^m$:
In $\mathcal{J}^m$, a point on an elliptic curve $E(\mathbb{F}_p)$ given by Eq. (1) is represented by four elements $[X : Y : Z : aZ^4]$ in $\mathbb{F}_p$, where $[X : Y : Z]$ is the same as in $\mathcal{J}$. The point $[X : Y : Z : aZ^4]$ corresponds to the affine point $(X/Z^2, Y/Z^3)$ when $Z \neq 0$. For any $\lambda \in \mathbb{F}_p^*$, $[X : Y : Z : aZ^4]$ and $[\lambda^2 X : \lambda^3 Y : \lambda Z : a\lambda^4 Z^4]$ represent the same point. The point at infinity $\mathcal{O}$ on
elliptic curve $E$ is $\mathcal{O} = [1 : 1 : 0 : 0]$ in $\mathcal{J}^m$.

Let $P_1 = [X_1 : Y_1 : Z_1 : aZ_1^4]$, $P_2 = [X_2 : Y_2 : Z_2 : aZ_2^4]$, $P_3 = P_1 + P_2 = [X_3 : Y_3 : Z_3 : aZ_3^4]$, and $P_4 = 2P_1 = [X_4 : Y_4 : Z_4 : aZ_4^4]$ in $\mathcal{J}^m$. Then, addition and duplication are computed as follows:

Addition in $\mathcal{J}^m$:

$$\begin{cases} X_3 = R^2 - J_1 - 2J_2, \\ Y_3 = R(J_2 - X_3) - 2S_1 J_1, \\ Z_3 = ((Z_1 + Z_2)^2 - Z_1^2 - Z_2^2)H, \\ aZ_3^4 = aZ_3^4, \end{cases}$$

where $U_1 = X_1 Z_2^2$, $U_2 = X_2 Z_1^2$, $S_1 = Y_1 Z_2^3$, $S_2 = Y_2 Z_1^3$, $H = U_2 - U_1$, $R = 2(S_2 - S_1)$, $I = (2H)^2$, $J_1 = IH$, $J_2 = IU_1$.

Duplication in $\mathcal{J}^m$:

$$\begin{cases} X_4 = M^2 - 2S, \\ Y_4 = M(S - X_4) - U, \\ Z_4 = 2Y_1 Z_1, \\ aZ_4^4 = 2U(aZ_1^4), \end{cases}$$

where $S = 4X_1 Y_1^2$, $U = 8Y_1^4$, $M = 3X_1^2 + (aZ_1^4)$.

Algorithms 7 and 8 compute this addition and duplication in $\mathcal{J}^m$. The costs of Algorithms 7 and 8 are $12M + 7S$ and $4M + 4S$, respectively. The cost of Algorithm 7 is reduced to $9M + 5S$ if $Z_1 = 1$. Note that we may suppose that $Z_1 = 1$ for the same reason as in Remark 2.

Algorithm 7: Existing addition algorithm in $\mathcal{J}^m$
Input: $P_1 = [X_1 : Y_1 : Z_1 : aZ_1^4]$, $P_2 = [X_2 : Y_2 : Z_2 : aZ_2^4]$
Output: $P_3 = P_1 + P_2 = [X_3 : Y_3 : Z_3 : aZ_3^4]$
1. $W_1 \leftarrow Z_1^2$ (1S)
2. $W_2 \leftarrow Z_2^2$ (1S)
3. $U_1 \leftarrow X_1 W_2$ (1M)
4. $U_2 \leftarrow X_2 W_1$ (1M)
5. $W_3 \leftarrow Z_1 W_1\ (= Z_1^3)$ (1M)
6. $W_4 \leftarrow Z_2 W_2\ (= Z_2^3)$ (1M)
7. $H \leftarrow U_2 - U_1$
8. $S_1 \leftarrow Y_1 W_4$ (1M)
9. $S_2 \leftarrow Y_2 W_3$ (1M)
10. $R \leftarrow 2(S_2 - S_1)$
11. $I \leftarrow (2H)^2$ (1S)
12. $J_1 \leftarrow IH$ (1M)
13. $J_2 \leftarrow IU_1$ (1M)
14. $X_3 \leftarrow R^2 - J_1 - 2J_2$ (1S)
15. $W_5 \leftarrow S_1 J_1$ (1M)
16. $Y_3 \leftarrow R(J_2 - X_3) - 2W_5$ (1M)
17. $W_6 \leftarrow (Z_1 + Z_2)^2$ (1S)
18. $Z_3 \leftarrow (W_6 - W_1 - W_2)H$ (1M)
19. $W_7 \leftarrow Z_3^2$ (1S)
20. $W_8 \leftarrow W_7^2\ (= Z_3^4)$ (1S)
21. $aZ_3^4 \leftarrow aW_8$ (1M)
total cost: $12M + 7S$ ($9M + 5S$ if $Z_1 = 1$)

Algorithm 8: Existing duplication algorithm in $\mathcal{J}^m$
Input: $P_1 = [X_1 : Y_1 : Z_1 : aZ_1^4]$
Output: $P_4 = 2P_1 = [X_4 : Y_4 : Z_4 : aZ_4^4]$
1. $W_1 \leftarrow X_1^2$ (1S)
2. $W_2 \leftarrow Y_1^2$ (1S)
3. $W_3 \leftarrow W_2^2\ (= Y_1^4)$ (1S)
4. $S \leftarrow 4X_1 W_2$ (1M)
5. $U \leftarrow 8W_3$
6. $M \leftarrow 3W_1 + (aZ_1^4)$
7. $X_4 \leftarrow M^2 - 2S$ (1S)
8. $Y_4 \leftarrow M(S - X_4) - U$ (1M)
9. $Z_4 \leftarrow 2Y_1 Z_1$ (1M)
10. $aZ_4^4 \leftarrow 2U(aZ_1^4)$ (1M)
total cost: $4M + 4S$

C. Coordinate transform into $\mathcal{A}$

The following remark explains why we have to consider the coordinate transform into $\mathcal{A}$.

Remark 3:
In almost all ECCs, given $P \in E(\mathbb{F}_p)$ in $\mathcal{A}$, we need the result of a scalar multiplication $nP$ in $\mathcal{A}$ and not in another coordinate system. We therefore compute $nP$ in $\mathcal{A}$ as follows:
1) For $P = (x_1, y_1)$ in $\mathcal{A}$, we set $[x_1, y_1, 1]$ in $\mathcal{P}$, $[x_1, y_1, 1]$ in $\mathcal{J}$, or $[x_1, y_1, 1, a]$ in $\mathcal{J}^m$, respectively. Note that the coordinate transform of the point from $\mathcal{A}$ into $\mathcal{P}$, $\mathcal{J}$, or $\mathcal{J}^m$ is performed without cost.
2) We compute the scalar multiplication $nP$ using a binary algorithm in $\mathcal{P}$, $\mathcal{J}$, or $\mathcal{J}^m$.
3) After 2) we transform the coordinates of $nP$ into $\mathcal{A}$.

The coordinate transform from $\mathcal{P}$ into $\mathcal{A}$ is performed as

$$[X : Y : Z] \longrightarrow \left( \frac{X}{Z}, \frac{Y}{Z} \right),$$

and its cost is $2M + I$ because it is computed as follows:

$Z^{-1}$ (1I)
$XZ^{-1}$ (1M)
$YZ^{-1}$ (1M)

The coordinate transform from $\mathcal{J}$ into $\mathcal{A}$ is performed as

$$[X : Y : Z] \longrightarrow \left( \frac{XZ}{Z^3}, \frac{Y}{Z^3} \right),$$

and its cost is $4M + S + I$ because it is computed as follows:

$Z^2$ (1S)
$Z^3$ (1M)
$(Z^3)^{-1}$ (1I)
$XZ$ (1M)
$XZ(Z^3)^{-1}$ (1M)
$Y(Z^3)^{-1}$ (1M)

The coordinate transform from $\mathcal{J}^m$ into $\mathcal{A}$ is the same as the one from $\mathcal{J}$ into $\mathcal{A}$ because the part $[X : Y : Z]$ of $[X : Y : Z : aZ^4]$ in $\mathcal{J}^m$ is the same as in $\mathcal{J}$.

IV. PROPOSED METHOD

This section proposes a method for the scalar multiplication $nP$ for $E$ given by Eq. (1) and $P \in E$. In the method, first, we map $E \to E'$ by a bijective transform $\phi$ so that $P$ is mapped to $P' = (x_1, \pm x_1) \in E'$ in $\mathcal{A}$. Next, we compute the scalar multiplication $nP' \in E'$ using a left-to-right binary algorithm in $\mathcal{P}$, $\mathcal{J}$, or $\mathcal{J}^m$. We will see that the addition algorithm used in the binary algorithm has a smaller cost than the general one because $P'$ has a special coordinate. For duplication we use the existing duplication algorithm in the binary algorithm. Finally, we apply the inverse transform $\phi^{-1} : E' \to E$, $nP' \to nP$ (in $\mathcal{A}$) to return the computed point $nP'$ to the original curve $E$. Note that, due to Remark 1, $P'$ is not updated while the left-to-right algorithm for computing the scalar multiplication runs. As mentioned later, the costs of the transforms $\phi$ and $\phi^{-1}$ are small.

$$\begin{array}{ccc} P \in E \text{ in } \mathcal{A} & \xrightarrow{\ \phi\ } & P' = (x_1, \pm x_1) \in E' \text{ in } \mathcal{A} \\ & & \Downarrow \text{ scalar multiplication} \\ nP \in E \text{ in } \mathcal{A} & \xleftarrow{\ \phi^{-1}\ } & nP' \in E' \text{ in } \mathcal{P}, \mathcal{J}, \text{ or } \mathcal{J}^m \end{array}$$

A. Bijective transform $\phi$

Let $E$ be an elliptic curve given by

$$E : y^2 = x^3 + ax + b,$$

and $P = (x_0, y_0) \in E$ $(y_0 \neq 0)$ a base point whose scalar multiple we would like to compute. Consider another elliptic curve $E'$ given by

$$E' : y^2 = x^3 + ac^4 x + bc^6.$$

Then, the map

$$\phi : E \to E', \quad (x, y) \mapsto (c^2 x, c^3 y)$$

is a bijective transform for $c \neq 0$ [11]. Therefore, if we choose

$$c = \pm \frac{x_0}{y_0},$$

then $\phi$ maps the point $(x_0, y_0) \in E$ to $(x_0', \pm x_0') \in E'$, where

$$E' : y^2 = x^3 + \frac{x_0^4}{y_0^4} a x + \frac{x_0^6}{y_0^6} b \quad \text{and} \quad x_0' = \frac{x_0^3}{y_0^2}.$$

The cost of the bijective transform $\phi$ is $3M + 2S + I$ because it is computed as follows:

$(y_0)^{-1}$ (1I)
$x_0 (y_0)^{-1}\ (= c)$ (1M)
$x_0^2 (y_0^2)^{-1}\ (= c^2)$ (1S)
$x_0^3 (y_0^2)^{-1}$ (1M)
$x_0^4 (y_0^4)^{-1}$ (1S)
$x_0^4 (y_0^4)^{-1} a$ (1M)

B. Proposed algorithm for adding $(x_1, \pm x_1)$

In this subsection we consider addition algorithms for computing $P_1 + P_2$ for $P_1, P_2 \in E'$, where $P_1 = (x_1, x_1)$ in $\mathcal{A}$. They are easily modified for the case $P_1 = (x_1, -x_1)$. We suppose $P_1 = [x_1 : x_1 : 1]$ in $\mathcal{P}$, $P_1 = [x_1 : x_1 : 1]$ in $\mathcal{J}$, or $P_1 = [x_1 : x_1 : 1 : a]$ in $\mathcal{J}^m$ due to Remark 3.

1) Proposed algorithm for adding $[x_1 : x_1 : 1]$ in $\mathcal{P}$:
Let $P_1 = [x_1 : x_1 : 1]$ and $P_2 = [X_2 : Y_2 : Z_2] \in E'(\mathbb{F}_p)$ in $\mathcal{P}$. Then, the addition $P_3 = P_1 + P_2 = [X_3 : Y_3 : Z_3]$ is computed as

$$\begin{cases} X_3 = AC, \\ Y_3 = B(A^2 x_1 Z_2 - C) - A^3 x_1 Z_2, \\ Z_3 = A^3 Z_2, \end{cases}$$

where $A = X_2 - x_1 Z_2$, $B = Y_2 - x_1 Z_2$, $C = B^2 Z_2 - A^3 - 2A^2 x_1 Z_2$. Algorithm 9 is the algorithm for computing it, and its cost is $8M + 2S$.

Algorithm 9: Proposed algorithm for adding $[x_1 : x_1 : 1]$ in $\mathcal{P}$
Input: $P_1 = [x_1 : x_1 : 1]$, $P_2 = [X_2 : Y_2 : Z_2]$
Output: $P_3 = P_1 + P_2 = [X_3 : Y_3 : Z_3]$
1. $W_1 \leftarrow x_1 Z_2$ (1M)
2. $A \leftarrow X_2 - W_1$
3. $B \leftarrow Y_2 - W_1$
4. $W_2 \leftarrow A^2$ (1S)
5. $W_3 \leftarrow W_2 A\ (= A^3)$ (1M)
6. $W_4 \leftarrow B^2$ (1S)
7. $W_5 \leftarrow W_4 Z_2$ (1M)
8. $W_6 \leftarrow W_1 W_2$ (1M)
9. $C \leftarrow W_5 - W_3 - 2W_6$
10. $X_3 \leftarrow AC$ (1M)
11. $W_7 \leftarrow W_1 W_3$ (1M)
12. $Y_3 \leftarrow B(W_6 - C) - W_7$ (1M)
13. $Z_3 \leftarrow W_3 Z_2$ (1M)
total cost: $8M + 2S$

2) Proposed algorithm for adding $[x_1 : x_1 : 1]$ in $\mathcal{J}$:
Let $P_1 = [x_1 : x_1 : 1]$ and $P_2 = [X_2 : Y_2 : Z_2] \in E'(\mathbb{F}_p)$ in $\mathcal{J}$. Then, the addition $P_3 = P_1 + P_2 = [X_3 : Y_3 : Z_3]$ is computed as

$$\begin{cases} X_3 = -B^3 - 2B^2 x_1 Z_2^2 + A^2, \\ Y_3 = -B^3 x_1 Z_2^3 + A(B^2 x_1 Z_2^2 - X_3), \\ Z_3 = BZ_2, \end{cases}$$

where $A = Y_2 - x_1 Z_2^3$, $B = X_2 - x_1 Z_2^2$. Algorithm 10 is the algorithm for computing it, and its cost is $7M + 3S$.

Algorithm 10: Proposed algorithm for adding $[x_1 : x_1 : 1]$ in $\mathcal{J}$
Input: $P_1 = [x_1 : x_1 : 1]$, $P_2 = [X_2 : Y_2 : Z_2]$
Output: $P_3 = P_1 + P_2 = [X_3 : Y_3 : Z_3]$
1. $W_1 \leftarrow Z_2^2$ (1S)
2. $W_2 \leftarrow x_1 W_1$ (1M)
3. $A \leftarrow Y_2 - W_2 Z_2$ (1M)
4. $B \leftarrow X_2 - W_2$
5. $Z_3 \leftarrow Z_2 B$ (1M)
6. $W_3 \leftarrow A^2$ (1S)
7. $W_4 \leftarrow B^2$ (1S)
8. $W_5 \leftarrow W_4 B\ (= B^3)$ (1M)
9. $W_6 \leftarrow W_2 W_4$ (1M)
10. $X_3 \leftarrow -W_5 - 2W_6 + W_3$
11. $W_7 \leftarrow W_6 Z_3$ (1M)
12. $Y_3 \leftarrow -W_7 + A(W_6 - X_3)$ (1M)
total cost: $7M + 3S$

3) Proposed algorithm for adding $[x_1, x_1, 1, a]$ in $\mathcal{J}^m$:
Let $P_1 = [x_1 : x_1 : 1 : a]$ and $P_2 = [X_2 : Y_2 : Z_2 : aZ_2^4] \in E'(\mathbb{F}_p)$ in $\mathcal{J}^m$. Then, the addition $P_1 + P_2 = [X_3 : Y_3 : Z_3 : aZ_3^4]$ is computed as

$$\begin{cases} X_3 = -B^3 - 2B^2 x_1 Z_2^2 + A^2, \\ Y_3 = -B^3 x_1 Z_2^3 + A(B^2 x_1 Z_2^2 - X_3), \\ Z_3 = BZ_2, \\ aZ_3^4 = aZ_3^4, \end{cases}$$

where $A = Y_2 - x_1 Z_2^3$, $B = X_2 - x_1 Z_2^2$. Algorithm 11 is the algorithm for computing it, and its cost is $8M + 5S$.

Algorithm 11: Proposed algorithm for adding $[x_1 : x_1 : 1 : a]$ in $\mathcal{J}^m$
Input: $P_1 = [x_1 : x_1 : 1 : a]$, $P_2 = [X_2 : Y_2 : Z_2 : aZ_2^4]$
Output: $P_3 = P_1 + P_2 = [X_3 : Y_3 : Z_3 : aZ_3^4]$
1. $W_1 \leftarrow Z_2^2$ (1S)
2. $W_2 \leftarrow x_1 W_1$ (1M)
3. $A \leftarrow Y_2 - W_2 Z_2$ (1M)
4. $B \leftarrow X_2 - W_2$
5. $Z_3 \leftarrow Z_2 B$ (1M)
6. $W_3 \leftarrow A^2$ (1S)
7. $W_4 \leftarrow B^2$ (1S)
8. $W_5 \leftarrow W_4 B\ (= B^3)$ (1M)
9. $W_6 \leftarrow W_2 W_4$ (1M)
10. $X_3 \leftarrow -W_5 - 2W_6 + W_3$
11. $W_7 \leftarrow W_6 Z_3$ (1M)
12. $Y_3 \leftarrow -W_7 + A(W_6 - X_3)$ (1M)
13. $W_8 \leftarrow Z_3^2$ (1S)
14. $W_9 \leftarrow W_8^2\ (= Z_3^4)$ (1S)
15. $aZ_3^4 \leftarrow aW_9$ (1M)
total cost: $8M + 5S$

C. Inverse transform $\phi^{-1}$ into original curve

After the computation of $nP' \in E'$ we have to apply the inverse transform $\phi^{-1} : nP' \in E' \to nP \in E$ in $\mathcal{A}$ to return to the original curve.

In $\mathcal{P}$, $\phi^{-1}$ is performed by

$$[X : Y : Z] \text{ in } \mathcal{P} \longrightarrow \left( \frac{Xc}{Zc^3}, \frac{Y}{Zc^3} \right) \text{ in } \mathcal{A},$$

and its cost is $5M + I$ because it is computed as follows:

$c^3$ (1M)
$Zc^3$ (1M)
$(Zc^3)^{-1}$ (1I)
$Xc$ (1M)
$Xc(Zc^3)^{-1}$ (1M)
$Y(Zc^3)^{-1}$ (1M)

Note that $c$ and $c^2$ are already computed during the computation of $\phi$.

In $\mathcal{J}$ and $\mathcal{J}^m$, $\phi^{-1}$ is performed by

$$[X : Y : Z] \text{ in } \mathcal{J} \text{ (or } [X : Y : Z : aZ^4] \text{ in } \mathcal{J}^m) \longrightarrow \left( \frac{XZc}{Z^3 c^3}, \frac{Y}{Z^3 c^3} \right) \text{ in } \mathcal{A},$$

and its cost is $5M + S + I$ because it is computed as follows:

$Zc$ (1M)
$Z^2 c^2$ (1S)
$Z^3 c^3$ (1M)
$(Z^3 c^3)^{-1}$ (1I)
$XZc$ (1M)
$XZc(Z^3 c^3)^{-1}$ (1M)
$Y(Z^3 c^3)^{-1}$ (1M)

Note that $c$ is already computed during the computation of $\phi$.

D. Comparison of existing and proposed scalar multiplication

The following table summarizes the costs of the existing and proposed addition algorithms in $\mathcal{P}$, $\mathcal{J}$, and $\mathcal{J}^m$ in the case where the $Z$ coordinate of one of the input points equals 1.

| Coordinate system | Existing | Proposed |
|---|---|---|
| in $\mathcal{P}$ | $9M + 2S$ | $8M + 2S$ |
| in $\mathcal{J}$ | $8M + 3S$ | $7M + 3S$ |
| in $\mathcal{J}^m$ | $9M + 5S$ | $8M + 5S$ |

Recall that in the proposed addition algorithms the coordinates of the point are supposed to be $[x_1, x_1, 1]$ in $\mathcal{P}$, $[x_1, x_1, 1]$ in $\mathcal{J}$, and $[x_1, x_1, 1, a]$ in $\mathcal{J}^m$, respectively.

Next, we consider the costs of scalar multiplication using the existing and proposed methods. As mentioned at the beginning of Sec. IV, in order to compute a scalar multiplication with the proposed method, we need the bijective transform $\phi : E \to E'$, the scalar multiplication in $E'$ using Algorithm 1 or 2 in which the proposed addition algorithm can be used, and the inverse transform $\phi^{-1} : E' \to E$. Thus, the cost of scalar multiplication is the total cost of these. Likewise, when we compute a scalar multiplication with an existing method we need the coordinate transform into $\mathcal{A}$ after the computation of the scalar multiplication in $\mathcal{P}$, $\mathcal{J}$, or $\mathcal{J}^m$.

Tables I and II provide the cost of scalar multiplication using Algorithm 1 and 2, respectively, with the existing and proposed methods in each coordinate system. In the tables we suppose that $t = 256$, $I = 10M$, and $S = 0.8M$ to estimate the reduction ratio. We see that when we use the proposed method, the cost of scalar multiplication is reduced by about 2 to 5% in projective, Jacobian, and modified Jacobian coordinate systems.

Refer to Sec. III-A, III-B, III-C, IV-A, IV-B, and IV-C for the cost of Algorithm 1 or 2, which is a left-to-right binary algorithm, that of the existing algorithms for addition and duplication in each coordinate system, that of the coordinate transform into $\mathcal{A}$ for existing scalar multiplication, that of $\phi$, that of the proposed algorithms for adding, and that of $\phi^{-1}$, respectively.
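Table I
THE COST OF SCALAR MULTIPLICATION USING ALGORITHM 1

| Coordinate system | Method | Cost | Cost of Case 1 |
|---|---|---|---|
| in $\mathcal{P}$ | Existing | $(9HW(n) + 7t - 5)M + (2HW(n) + 5t - 5)S + I$ | $4173.8M$ |
| in $\mathcal{P}$ | Proposed | $(8HW(n) + 7t + 1)M + (2HW(n) + 5t - 3)S + 2I$ | $4063.4M$ |
| in $\mathcal{P}$ | Reduction ratio | | 2.6% |
| in $\mathcal{J}$ | Existing | $(8HW(n) + 4t)M + (3HW(n) + 6t - 5)S + I$ | $3590M$ |
| in $\mathcal{J}$ | Proposed | $(7HW(n) + 4t + 4)M + (3HW(n) + 6t - 3)S + 2I$ | $3477.6M$ |
| in $\mathcal{J}$ | Reduction ratio | | 3.1% |
| in $\mathcal{J}^m$ | Existing | $(9HW(n) + 4t)M + (5HW(n) + 4t - 3)S + I$ | $3514.8M$ |
| in $\mathcal{J}^m$ | Proposed | $(8HW(n) + 4t + 4)M + (5HW(n) + 4t - 1)S + 2I$ | $3402.4M$ |
| in $\mathcal{J}^m$ | Reduction ratio | | 3.2% |

Case 1: case of $t = 256$, $HW(n) = 0.5t$, $S = 0.8M$, and $I = 10M$.

Table II
THE COST OF SCALAR MULTIPLICATION USING ALGORITHM 2

| Coordinate system | Method | Cost | Cost of Case 2 |
|---|---|---|---|
| in $\mathcal{P}$ | Existing | $(16t - 14)M + (7t - 7)S + I$ | $5520M$ |
| in $\mathcal{P}$ | Proposed | $(15t - 7)M + (7t - 5)S + 2I$ | $5282.6M$ |
| in $\mathcal{P}$ | Reduction ratio | | 4.3% |
| in $\mathcal{J}$ | Existing | $(12t - 8)M + (9t - 8)S + I$ | $4910.8M$ |
| in $\mathcal{J}$ | Proposed | $(11t - 3)M + (9t - 6)S + 2I$ | $4671.4M$ |
| in $\mathcal{J}$ | Reduction ratio | | 4.9% |
| in $\mathcal{J}^m$ | Existing | $(13t - 9)M + (9t - 8)S + I$ | $5165.8M$ |
| in $\mathcal{J}^m$ | Proposed | $(12t - 4)M + (9t - 6)S + 2I$ | $4926.4M$ |
| in $\mathcal{J}^m$ | Reduction ratio | | 4.6% |

Case 2: case of $t = 256$, $S = 0.8M$, and $I = 10M$.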
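
The three steps of Sec. IV in Jacobian coordinates, as an added example that is not code from the paper: it applies $\phi$ with $c = x_0/y_0$, runs Algorithm 1 (or Algorithm 2 with `always_add=True`) on $E'$ with Algorithm 6 for duplication and Algorithm 10 for addition, applies $\phi^{-1}$, and can be compared against plain affine arithmetic. The toy curve over $\mathbb{F}_{1009}$, the base point $(5, 7)$, all function names, and the handling of the exceptional cases (point at infinity, $Q = \pm P'$) are assumptions of this example.

```python
# Added example: the proposed method (Sec. IV) in Jacobian coordinates.
# Toy curve constructed for this example, not a standard or secure curve.
p = 1009                                   # small prime, p >= 5
a = 3
P0 = (5, 7)                                # base point (x0, y0), x0 != 0, y0 != 0
b = (P0[1] ** 2 - P0[0] ** 3 - a * P0[0]) % p   # chosen so that P0 lies on E
assert (4 * a ** 3 + 27 * b * b) % p != 0  # E is non-singular

def inv(v):
    return pow(v, -1, p)                   # modular inverse (Python 3.8+)

def affine_add(P, Q, a):
    """Reference group law, formula (2); None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                        # Q = -P
    if x1 == x2:
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def affine_mul(n, P, a):
    """Algorithm 1 with affine arithmetic, used only as a reference."""
    Q = None
    for bit in bin(n)[2:]:
        Q = affine_add(Q, Q, a)
        if bit == "1":
            Q = affine_add(P, Q, a)
    return Q

def phi_params(P, a, b):
    """Sec. IV-A with c = x0/y0: returns c, a' = a c^4, b' = b c^6, x1."""
    x0, y0 = P
    c = x0 * inv(y0) % p
    return c, a * pow(c, 4, p) % p, b * pow(c, 6, p) % p, c * c * x0 % p

def jac_dbl(Q, a2):
    """Algorithm 6 on E' (coefficient a2); handles infinity and Y = 0."""
    if Q is None or Q[1] == 0:
        return None
    X, Y, Z = Q
    W1 = Y * Y % p
    S = 4 * X * W1 % p
    M = (3 * X * X + a2 * pow(Z, 4, p)) % p
    T = (M * M - 2 * S) % p
    return T, (M * (S - T) - 8 * W1 * W1) % p, 2 * Y * Z % p

def jac_add_special(x1, Q, a2):
    """Algorithm 10: [x1 : x1 : 1] + Q, plus the exceptional cases."""
    if Q is None:
        return x1, x1, 1
    X2, Y2, Z2 = Q
    W2 = x1 * Z2 * Z2 % p
    A = (Y2 - W2 * Z2) % p
    B = (X2 - W2) % p
    if B == 0:                             # Q = P' (double) or Q = -P' (infinity)
        return jac_dbl((x1, x1, 1), a2) if A == 0 else None
    Z3 = Z2 * B % p
    W6 = W2 * B * B % p
    X3 = (A * A - B * B * B - 2 * W6) % p
    return X3, (A * (W6 - X3) - W6 * Z3) % p, Z3

def scalar_mul_proposed(n, P, a, b, always_add=False):
    """phi, then Algorithm 1 (or Algorithm 2 if always_add) on E', then phi^-1."""
    c, a2, _, x1 = phi_params(P, a, b)
    bits = bin(n)[2:]
    Q = (x1, x1, 1) if always_add else None
    for bit in (bits[1:] if always_add else bits):
        Q = jac_dbl(Q, a2)
        R = jac_add_special(x1, Q, a2) if (always_add or bit == "1") else Q
        Q = R if bit == "1" else Q
    if Q is None:
        return None
    X, Y, Z = Q
    zc = Z * c % p
    t = inv(pow(zc, 3, p))                 # (Z^3 c^3)^-1, the only inversion
    return X * zc * t % p, Y * t % p       # phi^-1 of Sec. IV-C
```

`always_add=True` reproduces only the uniform operation sequence of Algorithm 2; Python integer arithmetic and the final selection give no constant-time guarantee.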

V. CONCLUSION AND FUTURE WORK

This paper proposed a scalar multiplication method consisting of
1) transforming the base point $P$ to $P' = (x_1, \pm x_1)$,
2) using the proposed efficient algorithm for addition (and the existing one for duplication) to compute the scalar multiplication $nP'$,
3) applying the inverse transform to map $nP'$ to $nP$ on the original curve $E$.
Moreover, this paper estimated the cost of the proposed method.

As future work, the authors will try to evaluate timings of the proposed algorithms on a PC, and apply the proposed method to other forms of elliptic curves such as Montgomery, Edwards, and Koblitz forms, and to new coordinate systems such as co-Z [9], [5].

ACKNOWLEDGMENT

This work was supported by JSPS KAKENHI Grant-in-Aid for Scientific Research (C) Number 25330156.

REFERENCES

[1] S. Blake-Wilson, N. Bolyard, V. Gupta, C. Hawk, and B. Moeller, "Elliptic curve cryptography (ECC) cipher suites for transport layer security (TLS)," RFC 4492, 2006.

[2] J. Bos, J. Halderman, N. Heninger, J. Moore, M. Naehrig, and E. Wustrow, "Elliptic Curve Cryptography in Practice," Cryptology ePrint Archive, Report 2013/734, http://eprint.iacr.org/2013/734.pdf, 2013.

[3] H. Cohen, G. Frey, R. Avanzi, C. Doche, and T. Lange, Handbook of elliptic and hyperelliptic curve cryptography, 2nd edition. Chapman and Hall/CRC, 2011.

[4] H. Cohen, A. Miyaji, and T. Ono, "Efficient elliptic curve exponentiation using mixed coordinates," Proc. ASIACRYPT'98, Springer, LNCS 1514, Oct. 1998, pp. 51-65.

[5] R. R. Goundar, M. Joye, A. Miyaji, M. Rivain, and A. Venelli, "Scalar multiplication on Weierstrass elliptic curves from Co-Z arithmetic," Journal of Cryptographic Engineering, Springer, Vol. 1, Aug. 2011, pp. 161-176.

[6] A. Hollosi, G. Karlinger, T. Rössler, M. Centner, et al., "Die österreichische bürgerkarte," http://www.buergerkarte.at/konzept/securitylayer/spezifikation/20080220/, 2008.

[7] N. Koblitz, A course in number theory and cryptography. GTM 114, Springer-Verlag, 1994.

[8] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," Proc. CRYPTO'99, Springer, LNCS 1666, Aug. 1999, pp. 388-397.

[9] N. Meloni, "New point addition formulae for ECC applications," Arithmetic of Finite Fields (WAIFI 2007), LNCS, vol. 4547, pp. 189-201. Springer, Berlin, 2007.

[10] S. Nakamoto, "Bitcoin: A peer-to-peer electronic cash system," http://bitcoin.org/bitcoin.pdf, 2009.

[11] J. H. Silverman, The arithmetic of elliptic curves. GTM 106, Springer-Verlag, 1986.

[12] D. Stebila and J. Green, "Elliptic curve algorithm integration in the secure shell transport layer," RFC 5656, 2009.
