Pre-computation Scheme of Window $$\tau $$NAF for Koblitz Curves Revisited

Abstract

Let \(E_a/ \mathbb {F}_{2}: y^2+xy=x^3+ax^2+1\) be a Koblitz curve. The window \(\tau \)-adic non-adjacent form (window \(\tau \)NAF) is currently the standard representation system to perform scalar multiplications on \(E_a/ \mathbb {F}_{2^m}\) utilizing the Frobenius map \(\tau \). This work focuses on the pre-computation part of scalar multiplication. We first introduce \(\mu \bar{\tau }\)-operations where \(\mu =(-1)^{1-a}\) and \(\bar{\tau }\) is the complex conjugate of \(\tau \). Efficient formulas of \(\mu \bar{\tau }\)-operations are then derived and used in a novel pre-computation scheme. Our pre-computation scheme requires 6M\(\,+\,6\)S, 18M\(\,+\,17\)S, 44M\(\,+\,32\)S, and 88M\(\,+\,62\)S (\(a=0\)) and 6M\(\,+\,6\)S, 19M\(\,+\,17\)S, 46M\(\,+\,32\)S, and 90M\(\,+\,62\)S (\(a=1\)) for window \(\tau \)NAF with widths from 4 to 7 respectively. It is about two times faster, compared to the state-of-the-art technique of pre-computation in the literature. The impact of our new efficient pre-computation is also reflected by the significant improvement of scalar multiplication. Traditionally, window \(\tau \)NAF with width at most 6 is used to achieve the best scalar multiplication. Because of the dramatic cost reduction of the proposed pre-computation, we are able to increase the width for window \(\tau \)NAF to 7 for a better scalar multiplication. This indicates that the pre-computation part becomes more important in performing scalar multiplication. With our efficient pre-computation and the new window width, our scalar multiplication runs in at least 85.2% the time of Kohel’s work (Eurocrypt’2017) combining the best previous pre-computation. Our results push the scalar multiplication of Koblitz curves, a very well-studied and long-standing research area, to a significant new stage.KeywordsElliptic curve cryptographyKoblitz curveScalar multiplicationWindow \(\tau \)NAFPre-computation