- Element encoding is canonical, and verified upon decoding. For a 2n-bit group (with n-bit security), encoding size is 2n + 1 bits, i.e. as good as compressed points on classic prime order curves.
- Unified and complete formulas allow secure and efficient computations in the group.
- Efficiency is on par with twisted Edwards curves, and in some respects slightly better; e.g. half of double-odd curves have formulas for computing point doublings with only six multiplications (down to 1M+5S per doubling on some curves).
We describe here various formulas and discuss implementations. We also define two specific parameter choices for curves with 128-bit security, called do255e and do255s. Our own implementations on 64-bit x86 (Coffee Lake) and low-end ARM Cortex M0+ achieve generic point multiplication in 76696 and 2.19 million cycles, respectively, with curve do255e.
Category / Keywords: public-key cryptography / elliptic curve cryptosystems, double-odd curves Date: received 13 Dec 2020 Contact author: thomas pornin at nccgroup com Available format(s): PDF | BibTeX Citation Version: 20201214:120940 (All versions of this report) Short URL: ia.cr/2020/1558