Binary Kummer Line

Document Type

Conference Article

Publication Title

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Abstract

The idea of the Kummer line was introduced by Gaudry and Lubicz [22]. Karati and Sarkar [31] proposed three efficient Kummer lines over prime fields, and [31, 40] show that they are faster than Curve25519 [4]. In this work, we explore the problem of secure and efficient scalar multiplications using the Kummer lines over binary fields compared to Koblitz curves, binary Edwards curves, and Weierstrass curves. In this article, we provide the first concrete proposal for binary Kummer line: BKL251 over the field F2251, and it offers 124.5-bit security that is the same as that of BEd251 [8] and CURVE2251 [51]. BKL251 has small curve parameters and a small base point. We implement BKL251 using the instruction PCLMULQDQ of modern Intel processors and a software BBK251 for batch computation of scalar multiplications using the bitslicing technique. We also provide the first implementation of Edwards curve BEd251 [8] using the PCLMULQDQ, best to our knowledge. Thus this work complements the works of [5, 8]. All the implemented software compute scalar multiplications in constant time using Montgomery ladders. For the right-to-left Montgomery ladder scalar multiplication, each ladder step of a binary Kummer line needs fewer field operations than an Edwards curve. In the case of the left-to-right Montgomery ladder, a Kummer line and an Edwards curve have almost the same number of field operations. Our experimental results show that left-to-right Montgomery scalar multiplications of BKL251 are 9.63 % and 0.52 % faster than those of BEd251 for fixed-base and variable-base, respectively. Left-to-right Montgomery scalar multiplication for the variable-base of BKL251 is 39.74 %, 23.25 %, and 32.92 % faster than those of the curves CURVE2251, K- 283, and B- 283, respectively. Using the right-to-left Montgomery ladder with precomputation, BKL251 achieves a 17.84 % speedup over BEd251 for fixed-base scalar multiplication. For a batch computation, BBK251 performs comparatively the same (slightly faster) as the BBE251 and sect283r1. Our experiments reveal that scalar multiplications on BKL251 and BEd251 are (approximately) 65% faster than one scalar multiplication (after scaling down) of batch software BBK251 and BBE251.

First Page

363

Last Page

393

DOI

10.1007/978-3-031-33488-7_14

Publication Date

1-1-2023

This document is currently not available here.

Share

COinS