Cryptology ePrint Archive: Report 2019/1166

The complete cost of cofactor h=1

Peter Schwabe and Daan Sprenkels

Abstract: This paper presents optimized software for constant-time variable-base scalar multiplication on prime-order WeierstraƟ curves using the complete addition and doubling formulas presented by Renes, Costello, and Batina in 2016. Our software targets three different microarchitectures: Intel Sandy Bridge, Intel Haswell, and ARM Cortex-M4. We use a 255-bit elliptic curve over $\mathbb{F}_{2^{255}-19}$ that was proposed by Barreto in 2017. The reason for choosing this curve in our software is that it allows most meaningful comparison of our results with optimized software for Curve25519. The goal of this comparison is to get an understanding of the cost of using cofactor-one curves with complete formulas when compared to widely used Montgomery (or twisted Edwards) curves that inherently have a non-trivial cofactor.

Category / Keywords: implementation / Elliptic Curve Cryptography, SIMD, Curve25519, scalar multiplication, prime-field arithmetic, cofactor security

Original Publication (in the same form): INDOCRYPT19

Date: received 8 Oct 2019, last revised 11 Oct 2019

Contact author: peter at cryptojedi org, daan at dsprenkels com

Available format(s): PDF | BibTeX Citation


- Changed the citing style to splncs04, as requested by the INDOCRYPT editors. - Updated the cycle counts for AuCPake to better resemble our own benchmarks. - Textual fix (reported by Nicolas Braud-Santoni).

Version: 20191011:100544 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]