Set function: Difference between revisions

Template:Multiple issues

This table relates to the computational cost for certain operations used in elliptic curve cryptography, used in practice for strong cryptographic security of a public key system. The columns of the table are labelled by various computational steps. The rows of the table are for different models of elliptic curves. The table below contains the time-cost for these operations:

Abbreviations for the operations

In the next section a table of all the costs of some of the possible operations in elliptic curves is given. In some applications of elliptic curve cryptography and the elliptic curve method of factorization (ECM) it is necessary to consider the scalar multiplication [n]P. So, one way to do this is to compute successively:

${\displaystyle P,[2]P=P+P,[3]P=[2]P+P,\dots ,[n]P=[n-1]P+P}$

But, it is faster to use double-and-add method, e.g. [5]P = [2]([2]P) + P. In general to compute [k]P,write

${\displaystyle k=\sum _{i\le l}{k}_i{2}^i}$

with k_i in {0,1} and ${\displaystyle l=[lo{g}_{2}k]}$, k_{l = 1, then:}

${\displaystyle [2](....([2]([2]([2]([2]([2]P+[k_{(l-1)}]P)+[k_{(l-2)}]P)+[k_{(l-3)}]P)+\dots )\dots +[k_1]P)+[k_0]P=[2^l]P+[k_{(l-1)}{2}^{l-1}]P+\dots +[k_{1}2]P+[k_0]P}$.

Note that, this simple algorithm takes at most 2l steps and each step consists of a doubling and (if k_i ≠ 0) adding two points. So, this is one of the reasons why addition and doubling formulas are defined. Furthermore, this method is applicable to any group and if the group law is written multiplicatively, the double-and-add algorithm is instead called square-and-multiply algorithm.

For more information about other possible operations on elliptic curves see http://hyperelliptic.org/EFD/g1p/index.html.

To see what adding (ADD) and doubling (DBL) points on elliptic curves mean, see The group law.

These are the operations considered in the table below: <poem> DBL - Doubling ADD - Addition mADD - Mixed addition: addition of an input that has been scaled to have Z-coordinate 1. mDBL - Mixed doubling: doubling of an input that has been scaled to have Z coordinate 1. TPL - Tripling. </poem>

Tabulation

Under different assumptions on the multiplication, addition, inversion for the elements in some fixed field, the time-cost of these operations varies. In this table it is assumed that:

I = 100M, S = 1M, *param = 0M, add = 0M, *const = 0M

This means that 100 multiplications (M) are required to invert (I) an element; 1 multiplication is required to compute the square (S) of an element; no multiplication is needed to multiply an element by a parameter (*param), by a constant (*const), nor to add two elements.

For more information about other results obtained with different assumptions, see http://hyperelliptic.org/EFD/g1p/index.html

References

• http://hyperelliptic.org/EFD/g1p/index.html