Paper 2019/1166
The complete cost of cofactor h=1
Abstract
This paper presents optimized software for constant-time variable-base scalar multiplication on prime-order Weierstraß curves using the complete addition and doubling formulas presented by Renes, Costello, and Batina in 2016. Our software targets three different microarchitectures: Intel Sandy Bridge, Intel Haswell, and ARM Cortex-M4. We use a 255-bit elliptic curve over $\mathbb{F}_{2^{255}-19}$ that was proposed by Barreto in 2017. The reason for choosing this curve in our software is that it allows the most meaningful comparison of our results with optimized software for Curve25519. The goal of this comparison is to get an understanding of the cost of using cofactor-one curves with complete formulas when compared to widely used Montgomery (or twisted Edwards) curves that inherently have a non-trivial cofactor.
Note: The final authenticated version is available online at https://doi.org/10.1007/978-3-030-35423-7_19
CHANGELOG
- Changed the citing style to splncs04, as requested by the INDOCRYPT editors.
- Updated the cycle counts for AuCPake to better resemble our own benchmarks.
- Textual fix (reported by Nicolas Braud-Santoni).
Metadata
- Category: Implementation
- Publication info: Published elsewhere. Progress in Cryptology – INDOCRYPT 2019
- DOI: 10.1007/978-3-030-35423-7_19
- Keywords: Elliptic Curve Cryptography SIMD Curve25519 scalar multiplication prime-field arithmetic cofactor security
- Contact author(s)
  - peter @ cryptojedi org
  - amber @ electricdusk com
- History
  - 2022-12-16: last of 2 revisions
  - 2019-10-08: received
- Short URL: https://ia.cr/2019/1166
- License: CC BY
BibTeX
@misc{cryptoeprint:2019/1166,
  author = {Peter Schwabe and Amber Sprenkels},
  title = {The complete cost of cofactor h=1},
  howpublished = {Cryptology {ePrint} Archive, Paper 2019/1166},
  year = {2019},
  doi = {10.1007/978-3-030-35423-7_19},
  url = {https://eprint.iacr.org/2019/1166}
}