Kummer and Hessian Meet in the Field of Characteristic 2

Document Type

Conference Article

Publication Title

Lecture Notes in Computer Science Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics

Abstract

One can compute scalar multiplication on an ordinary short Weierstrass curve defined over a binary field. Also, one can move to the associated binary Kummer line BKL(1:c), or isomorphic generalized Hessian curve H(γ,δ) from short Weierstrass, and then compute the scalar multiplication. A generalized Hessian curve provides the best performance of scalar multiplication in RT coordinates where R=R3+S3 and T=T3 for a point P=(R:S:T) on H(γ,δ). Montgomery scalar multiplication gives us the nP and (n+1)P, again in RT. We propose a method to uniquely obtain the R and S coordinates of nP given P=(R:S:T) and RT coordinates of nP and (n+1)P. Next, we show that BKL(1:c) can be linked to an isomorphic H(γ,δ). But small c does not guarantee small γ or δ. First, we introduce two isogenies and their duals: one 2-isogeny between two short Weierstrass curves and one 3-isogeny between two generalized Hessian curves to solve the issue. Using the introduced isogenies, we show that there always exists a generalized Hessian curve H(γ,1) with γ3(γ+1)=c associated with a BKL(1:c). The obtained H(γ,1) needs 5[M]+4[S]+1[Cs] field operations for each ladder step of Montgomery scalar multiplication, and the operation count is the smallest one compared to any other curves over a binary field.

First Page

175

Last Page

196

DOI

10.1007/978-3-031-56232-7_9

Publication Date

1-1-2024

Link to Full Text

Share

COinS