A class of safe and efficient binary Edwards curves

Abstract

This work describes a family of binary Edwards curves that admit modular reductions (an operation that can be responsible for up to 30% of the processing time in point arithmetic) twice as fast than the best usual settings, while essentially being as secure as a binary elliptic curve can be (in terms of being rigid and twist safe). Moreover, we present a hardware architecture with a generic VHDL description that can be synthesized to any FPGA with enough area to support the circuit. For this architecture, we are able to execute a point multiplication by scalar on \(\mathbb {F}_{562}\) in 2.28 ms on Cyclone IV GX, in 1.23 ms on Virtex-7 and in 1.01 ms on Zynq 7020.

Appendices

A Magma script

In the code present in this section, we are searching for fields with degree \(m=2*p\), where p covers each prime number in the gap from 234 to 300. (This gap can be changed if we intend to find others field size.)

We start p as 234 (and execute until m be 600). Then, we test if the result of \(x^{(m+1)}-1\) divided by \(x-1\) is irreducible. If it is irreducible, then we create a extension field F(z). With this field created, we search for a element rr in F(z) with trace zero.

Then we search for \(d\_1\) element; some values are different from those found previously. (In case the value that already has been found is \(z^{12} + z^{11} + z^8 + z^3 + z^2 + z\).)

After it we check whether the values that we are testing is a elliptic curve. If it is, we count who many points it have (with SEA function). We test whether this value of points is a probable prime multiplied by 2 or by 4.

If the SEA count is a probable prime number, we check the twist, and if the count of points in the twist yet is a probable prime number multiplied by 2 or by 4, then we found a good set of parameters for the curve that we describe in this paper.

B Sample curves: details

• \(m = 58\):

  $$\begin{aligned} d_1= & {} z^8 + z^6 + z^5 + z^3 + z\\ n= & {} 288230375445473588\\= & {} 4 \,\times \, 72057593861368397\\ n'= & {} 288230376857949902\\= & {} 2 \,\times \, 144115188428974951 \end{aligned}$$

• \(m = 82\):

  $$\begin{aligned} d= & {} z^{11} + z^9 + z^2 + 1\\ n= & {} 4835703278459576034907172\\= & {} 4 \,\times \, 1208925819614894008726793\\ n'= & {} 4835703278457457362742238\\= & {} 2 \,\times \, 2417851639228728681371119 \end{aligned}$$

• \(m = 106\):

  $$\begin{aligned} d= & {} z^{14} + z^9 + z^6 + z^4 + z\\ n= & {} 81129638414606680316138098015796\\= & {} 4 \,\times \, 20282409603651670079034524503949\\ n'= & {} 81129638414606683075439912272334\\= & {} 2 \,\times \, 40564819207303341537719956136167 \end{aligned}$$

• \(m = 178\):

  $$\begin{aligned} d= & {} z^{12} + z^{10} + z^6 + z^5 + z^4\\ n= & {} 3831238852164722145895867571509618001760\\&72870648066644\\= & {} 4 \,\times \, 957809713041180536473966892877404500\\&44018217662016661\\ n'= & {} 3831238852164722145895867564241927916332\\&96690443734446\\= & {} 2 \,\times \, 191561942608236107294793378212096395\\&816648345221867223 \end{aligned}$$

• \(m = 226\):

  $$\begin{aligned} d= & {} z^{16} + z^{14} + z^{11}\\ n= & {} 1078397866686025591786680603480785148387\\&23978719346221822204112556116\\= & {} 4 \,\times \, 269599466671506397946670150870196287\\&09680994679836555455551028139029\\ n'= & {} 1078397866686025591786680603480785305503\\&73176660978358026624769437614\\= & {} 2 \,\times \, 539198933343012795893340301740392652\\&75186588330489179013312384718807 \end{aligned}$$

• \(m = 346\):

  $$\begin{aligned} d= & {} z^{10} + z^9 + z^8 + z^6 + z^4\\ n= & {} 1433436634993794694756763059563804337997\\&8531182301756030815611442781745106431013\\&3494630692700326095277268\\= & {} 4 \,\times \, 358359158748448673689190764890951084\\&4994632795575439007703902860695436276607\\&7533373657673175081523819317\\ n'= & {} 1433436634993794694756763059563804337997\\&8531182301758015904249049554790844675046\\&7514121626438439615542062\\= & {} 2 \,\times \, 716718317496897347378381529781902168\\&9989265591150879007952124524777395422337\\&5233757060813219219807771031 \end{aligned}$$

• \(m = 466\):

  $$\begin{aligned} d= & {} z^{22} + z^{20} + z^{17} + z^{16} + z^{11}\\ n= & {} 1905364105417475727161619402949930606536\\&0096085601630559443096677400950607274500\\&3825283402250238447512805874573608417060\\&858121508671009869012\\= & {} 4 \,\times \, 476341026354368931790404850737482651\\&6340024021400407639860774169350237651818\\&6250956320850562559611878201468643402104\\&265214530377167752467253\\ n'= & {} 1905364105417475727161619402949930606536\\&0096085601630559443096677400950501365216\\&6599558651346379224747915186354297664835\\&558867709992110895918\\= & {} 2 \,\times \, 952682052708737863580809701474965303\\&2680048042800815279721548338700475250682\\&6083299779325673189612373957593177148832\\&417779433854996055447959 \end{aligned}$$

• \(m = 562\):

  $$\begin{aligned} d= & {} z^{20} + z^{15} + z^3 + 1\\ n= & {} 1509584969928616540896621832395307556366\\&7684881665761713504825200982496649568595\\&4083416982234451412114867987721595604655\\&9027609621738192282225111643168585180877\\&8317447524\\= & {} 4 \,\times \, 377396242482154135224155458098826889\\&0916921220416440428376206300245624162392\\&1488520854245558612853028716996930398901\\&1639756902405434548070556277910792146295\\&2194579361881\\ n'= & {} 1509584969928616540896621832395307556366\\&7684881665761713504825200982496649568595\\&4083473155779761289288449482280865502936\\&0788858082201641823824035757977571654041\\&6845168286\\= & {} 2 \,\times \, 754792484964308270448310916197653778\\&1833842440832880856752412600491248324784\\&2977041736577889880644644224741140432751\\&4680394429041100820911912017878988785827\\&0208422584143 \end{aligned}$$