Elliptic curve with Optimal mixed Montgomery-Edwards model for low-end devices

This paper introduces a special family of twisted Edwards curves named Optimal mixed Montgomery-Edwards (OME) curves. The OME curve is proposed by exploiting the fact that every twisted Edwards curve is birationally equivalent to some elliptic curve in Montgomery form. OME curves achieve optimal group arithmetic in both the twisted Edwards model and the Montgomery model. In particular, the Montgomery model of OME curves requires only 3M + 2S and 1M + 3S + 3C to perform the point addition and point doubling operations, while 7M and 3M + 4S are needed for a point addition and a point doubling in their twisted Edwards model. We also carefully choose the curve parameters and the underlying implementation field to achieve high performance. An example of an OME curve is $$\mathcal{E}/\mathbb{F}_p : - x^2 + y^2 = 1 - 2782^2 \cdot x^2 y^2$$ over $$p = 2^{192} - 2^{64} - 1$$. Our implementation results on a widely used 8-bit micro-controller platform (i.e., AVR ATmega128) further demonstrate and highlight the practical benefits of the proposed OME curve on low-end devices. In particular, our implementation, performed in constant time, reduces the execution time by up to 14% and 18% for fixed-point and random-point scalar multiplication, respectively, compared with the state-of-the-art implementation on the identical platform.

Summary of contributions: This paper proposes a class of OME curves suited to efficient and secure implementation of elliptic curve cryptosystems on low-end devices. These curves provide the currently optimal group-law computation in both the Montgomery model and the twisted Edwards model, and offer an alternative method for choosing the parameters of the Montgomery model. As a special case, an OME curve satisfying the SafeCurves security requirements is selected over the NIST prime field P192, and efficient finite-field arithmetic and curve group-law computation methods are designed for it. Fixed-point and random-point scalar multiplication on this curve are implemented on an 8-bit AVR processor platform; the implementation runs in constant time and resists simple power analysis attacks. Compared with the previous state-of-the-art implementation on the same type of platform, the proposed method is more than 14% faster.
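The birational equivalence the abstract relies on can be checked numerically for its example curve. The sketch below is an added example, not code from the paper: it uses the standard map from the twisted Edwards literature, $$A = 2(a+d)/(a-d)$$, $$B = 4/(a-d)$$, $$(u, v) = ((1+y)/(1-y),\ u/x)$$, takes $$p = 2^{192} - 2^{64} - 1$$, and all function names are hypothetical.

```python
# Added example: parameters taken from the abstract's example OME curve.
p = 2**192 - 2**64 - 1          # NIST P-192 prime; p % 4 == 3
a = -1 % p                      # twisted Edwards: a*x^2 + y^2 = 1 + d*x^2*y^2
d = -(2782**2) % p

def inv(z):
    return pow(z % p, -1, p)

def montgomery_params():
    """(A, B) of B*v^2 = u^3 + A*u^2 + u, birationally equivalent to (a, d)."""
    return 2 * (a + d) * inv(a - d) % p, 4 * inv(a - d) % p

def on_edwards(x, y):
    return (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0

def on_montgomery(u, v):
    A, B = montgomery_params()
    return (B * v * v - (u**3 + A * u * u + u)) % p == 0

def edwards_to_montgomery(x, y):
    # The map is undefined at x == 0 or y == 1 (its exceptional points).
    if x % p == 0 or (y - 1) % p == 0:
        raise ValueError("exceptional point")
    u = (1 + y) * inv(1 - y) % p
    return u, u * inv(x) % p

def montgomery_to_edwards(u, v):
    if v % p == 0 or (u + 1) % p == 0:
        raise ValueError("exceptional point")
    return u * inv(v) % p, (u - 1) * inv(u + 1) % p

def find_edwards_point():
    """Constructed sample point: smallest y >= 2 that has a matching x."""
    for y in range(2, 1000):
        den = (a - d * y * y) % p
        if den == 0:
            continue
        x2 = (1 - y * y) * inv(den) % p
        x = pow(x2, (p + 1) // 4, p)     # square root, valid since p % 4 == 3
        if x * x % p == x2:
            return x, y
    raise RuntimeError("no point found")

if __name__ == "__main__":
    P = find_edwards_point()
    Q = edwards_to_montgomery(*P)
    print(on_edwards(*P), on_montgomery(*Q), montgomery_to_edwards(*Q) == P)
```

An implementation that switches models mid-computation has to handle the exceptional points explicitly, which is why both conversion functions reject them instead of dividing by zero.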
