Paper 2019/1166

The complete cost of cofactor h=1

Peter Schwabe, Radboud University Nijmegen
Amber Sprenkels, Radboud University Nijmegen

This paper presents optimized software for constant-time variable-base scalar multiplication on prime-order Weierstraß curves using the complete addition and doubling formulas presented by Renes, Costello, and Batina in 2016. Our software targets three different microarchitectures: Intel Sandy Bridge, Intel Haswell, and ARM Cortex-M4. We use a 255-bit elliptic curve over $\mathbb{F}_{2^{255}-19}$ that was proposed by Barreto in 2017. The reason for choosing this curve in our software is that it allows most meaningful comparison of our results with optimized software for Curve25519. The goal of this comparison is to get an understanding of the cost of using cofactor-one curves with complete formulas when compared to widely used Montgomery (or twisted Edwards) curves that inherently have a non-trivial cofactor.

Note: The final authenticated version is available online at CHANGELOG - Changed the citing style to splncs04, as requested by the INDOCRYPT editors. - Updated the cycle counts for AuCPake to better resemble our own benchmarks. - Textual fix (reported by Nicolas Braud-Santoni).

Available format(s)
Publication info
Published elsewhere. Progress in Cryptology – INDOCRYPT 2019
Elliptic Curve Cryptography SIMD Curve25519 scalar multiplication prime-field arithmetic cofactor security
Contact author(s)
peter @ cryptojedi org
amber @ electricdusk com
2022-12-16: last of 2 revisions
2019-10-08: received
See all versions
Short URL
Creative Commons Attribution


      author = {Peter Schwabe and Amber Sprenkels},
      title = {The complete cost of cofactor h=1},
      howpublished = {Cryptology ePrint Archive, Paper 2019/1166},
      year = {2019},
      doi = {10.1007/978-3-030-35423-7_19},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.