Faster ECC over $\mathbb{F}_{2^{521}-1}$

Robert Granger; Michael Scott

Paper 2014/852

Faster ECC over $F_{2^{521} - 1}$

Robert Granger and Michael Scott

Abstract

In this paper we present a new multiplication algorithm for residues modulo the Mersenne prime $2^{521} - 1$ . Using this approach, on an Intel Haswell Core i7-4770, constant-time variable-base scalar multiplication on NIST's (and SECG's) curve P-521 requires 1,073,000 cycles, while on the recently proposed Edwards curve E-521 it requires just 943,000 cycles. As a comparison, on the same architecture openSSL's ECDH speed test for curve P-521 requires 1,319,000 cycles. Furthermore, our code was written entirely in C and so is robust across different platforms. The basic observation behind these speedups is that the form of the modulus allows one to multiply residues with as few word-by-word multiplications as is needed for squaring, while incurring very little overhead from extra additions, in contrast to the usual Karatsuba methods.

Note: This version now has cache-safe implementation timings.

Metadata

Available format(s): PDF
Category: Implementation
Publication info: A minor revision of an IACR publication in PKC 2015
Keywords: elliptic curve cryptography performance P-521 E-521 Edwards curves generalised repunit primes
Contact author(s): robbiegranger @ gmail com
History: 2015-03-23: revised; 2014-10-22: received; See all versions
Short URL: https://ia.cr/2014/852
License: CC BY

BibTeX

@misc{cryptoeprint:2014/852,
      author = {Robert Granger and Michael Scott},
      title = {Faster {ECC} over $\mathbb{F}_{2^{521}-1}$},
      howpublished = {Cryptology {ePrint} Archive, Paper 2014/852},
      year = {2014},
      url = {https://eprint.iacr.org/2014/852}
}

Paper 2014/852

Faster ECC over F2521−1

Abstract

Metadata

Faster ECC over $F_{2^{521} - 1}$