## Cryptology ePrint Archive: Report 2020/1558

Double-Odd Elliptic Curves

Thomas Pornin

Abstract: This article explores the use of elliptic curves with order 2r = 2 mod 4, which we call double-odd elliptic curves. This is a very large class, comprising about 1/4th of all curves over a given field. On such curves, we manage to define a prime order group with appropriate characteristics for building cryptographic protocols:

- Element encoding is canonical, and verified upon decoding. For a 2n-bit group (with n-bit security), encoding size is 2n + 1 bits, i.e. as good as compressed points on classic prime order curves.

- Unified and complete formulas allow secure and efficient computations in the group.

- Efficiency is on par with twisted Edwards curves, and in some respects slightly better; e.g. half of double-odd curves have formulas for computing point doublings with only six multiplications (down to 1M+5S per doubling on some curves).

We describe here various formulas and discuss implementations. We also define two specific parameter choices for curves with 128-bit security, called do255e and do255s. Our own implementations on 64-bit x86 (Coffee Lake) and low-end ARM Cortex M0+ achieve generic point multiplication in 76696 and 2.19 million cycles, respectively, with curve do255e.

Category / Keywords: public-key cryptography / elliptic curve cryptosystems, double-odd curves

Date: received 13 Dec 2020

Contact author: thomas pornin at nccgroup com


Short URL: ia.cr/2020/1558
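The abstract defines a double-odd curve by its order (2r = 2 mod 4) and states that such curves make up about 1/4th of all curves over a given field. The following is an added example, not code from the paper or its author: it brute-forces that proportion over small prime fields by counting points on every non-singular equation y^2 = x^3 + A*x + B. It assumes a prime p > 3 and counts equations (A, B) rather than isomorphism classes; all function names are illustrative.

```python
# Added example: count double-odd curves y^2 = x^3 + A*x + B over a small prime field.
# Assumes a prime p > 3; helper names are illustrative, not taken from the paper.

def legendre_table(p):
    """chi[v] = 1 if v is a nonzero square mod p, -1 if a non-square, 0 if v == 0."""
    chi = [-1] * p
    chi[0] = 0
    for v in range(1, p):
        chi[v * v % p] = 1
    return chi

def curve_order(A, B, p, chi):
    """Number of points on y^2 = x^3 + A*x + B over F_p, point at infinity included.

    Each x contributes 1 + chi(f(x)) solutions in y, hence p + 1 + sum(chi(f(x))).
    """
    return p + 1 + sum(chi[(x * x * x + A * x + B) % p] for x in range(p))

def is_double_odd(order):
    """True when the order is 2r with r odd, i.e. order = 2 mod 4."""
    return order % 4 == 2

def count_double_odd(p):
    """Return (double_odd, total) over all non-singular (A, B) pairs in F_p x F_p."""
    chi = legendre_table(p)
    double_odd = total = 0
    for A in range(p):
        for B in range(p):
            if (4 * A**3 + 27 * B * B) % p == 0:
                continue  # zero discriminant: singular cubic, not an elliptic curve
            total += 1
            if is_double_odd(curve_order(A, B, p, chi)):
                double_odd += 1
    return double_odd, total

if __name__ == "__main__":
    for p in (5, 43, 103):
        d, t = count_double_odd(p)
        print(f"p={p}: {d} of {t} curve equations are double-odd ({d / t:.3f})")
```

The brute-force point count is cubic in p, so this is only practical for toy field sizes and says nothing about the performance figures quoted in the abstract.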
