Faster Complete Addition Laws for Montgomery Curves

Authors

  • Reza Rezaeian Farashahi Department of Mathematical Sciences, Isfahan University of Technology, 84156-83111, Isfahan, Iran; School of Mathematics, Institute for Research in Fundamental Sciences (IPM), P.O. Box 19395-5746, Tehran, Iran
  • Mojtaba Fadavi Department of Computer Science, University of Calgary, 2500 University Drive, NW Calgary T2N 1N4, Canada
  • Soheila Sabbaghian Department of Mathematical Sciences, Isfahan University of Technology, 84156-83111, Isfahan, Iran

DOI:

https://doi.org/10.46586/tches.v2024.i4.737-762

Keywords:

Elliptic Curve Cryptography, Montgomery curve, Complete addition law

Abstract

An addition law for an elliptic curve is complete if it is defined for all possible pairs of input points on the elliptic curve. In Elliptic Curve Cryptography (ECC), a complete addition law provides a natural protection against side-channel attacks which are based on Simple Power Analysis (SPA). Montgomery curves are a specific family of elliptic curves that play a crucial role in ECC because of its well-known Montgomery ladder, particularly in the Elliptic Curve Diffie-Hellman Key Exchange (ECDHKE) protocol and the Elliptic Curve factorization Method (ECM). However, the complete addition law for Montgomery curves, as stated in the literature, has a computational cost of 14M+ 2D, where M,D denote the costs of a field multiplication and a field multiplication by a constant, respectively. The lack of a competitive complete addition law has led implementers towards twisted Edwards curves, which offer a complete addition law at a lower cost of 8M+ 1D for appropriately chosen curve constants.
In this paper, we introduce extended Montgomery coordinates as a novel representation for points on Montgomery curves. This coordinate system enables us to define birational multiplication-free maps between the extended twisted Edwards coordinates and extended Montgomery coordinates. Using this map, we can transfer the complete addition laws from twisted Edwards curves to Montgomery curves without incurring additional multiplications or squarings. In addition, we employ a technique known as scaling to refine the addition laws for twisted Edwards curves, which results in having i) Complete addition laws with the costs varying between 8M+1D and 9M+1D for a broader range of twisted Edwards curves, ii) Incomplete addition laws for twisted Edwards curves with the cost of 8M. Consequently, by leveraging our birational multiplication-free maps, we present complete addition laws for Montgomery curves with the cost of 8M+1D. This shows a significant improvement for complete addition law for Montgomery curves by reducing the computational cost by 6M+ 1D. This improvement makes Montgomery curves a more attractive option for applications where an efficient complete addition law is essential.

Downloads

Published

2024-09-05

Issue

Section

Articles

How to Cite

Farashahi, R. R., Fadavi, M., & Sabbaghian, S. (2024). Faster Complete Addition Laws for Montgomery Curves. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2024(4), 737-762. https://doi.org/10.46586/tches.v2024.i4.737-762