IEEE TRANSACTIONS ON COMPUTERS, VOL. 57, NO.

3, MARCH 2008 289

Fast and Flexible Elliptic Curve Point Arithmetic

over Prime Fields
Patrick Longa and Ali Miri, Senior Member, IEEE

Abstract—We present an innovative methodology for accelerating the elliptic curve point formulas over prime fields. This flexible
technique uses the substitution of multiplication with squaring and other cheaper operations by exploiting the fact that field squaring is
generally less costly than multiplication. Applying this substitution to the traditional formulas, we obtain faster point operations in
unprotected sequential implementations. We also show the significant impact our methodology has in protecting against simple side-
channel (SSCA) attacks. We modify the elliptic curve cryptography (ECC) point formulas to achieve a faster atomic structure when
applying side-channel atomicity protection. In contrast to previous atomic operations that assume that squarings are indistinguishable
from multiplications, our new atomic structure offers true SSCA-protection because it includes squaring in its formulation. Moreover,
we extend our implementation to parallel architectures such as Single-Instruction Multiple-Data (SIMD). With the introduction of a new
coordinate system and the flexibility of our methodology, we present, to our knowledge, the fastest formulas for SIMD-based schemes
that are capable of executing three and four operations simultaneously. Finally, a new parallel SSCA-protected scheme is proposed for
multiprocessor/parallel architectures by applying the atomic structure presented in this work. Our parallel and atomic operations are
shown to be significantly faster than previous implementations.

Index Terms—Elliptic curve, point arithmetic, side-channel attacks, atomicity, SIMD operation, parallel implementations.

1 INTRODUCTION

E LLIPTIC curve cryptography (ECC), independently intro-

duced by Koblitz and Miller in the 1980s, has attracted
increasing attention in recent years due to its shorter key
length requirement in comparison with other public-key
cryptosystems such as RSA. A shorter key length means
reduced power consumption and computing effort and less
storage requirement, factors that are fundamental in
ubiquitous portable devices such as PDAs, cell phones,
smart cards, and many others. To that end, a great deal of
research has been carried out to speed up and improve ECC
implementations, mainly focusing on the most important
ECC operation: scalar multiplication. The structure of this
operation involves three computational levels: scalar multi-
plication algorithm, point arithmetic, and field arithmetic
[1]. We will mainly focus on improvements at the point
arithmetic level to speed up the ECC scalar multiplication.
ECC point arithmetic involves the efficient execution of
doubling and addition operations. Significant effort to
optimize formulas for those operations has been carried
out through the last few years. In particular, projective
coordinates have been shown to be highly effective in
speeding up operations by eliminating the costly field
inversion from the main loop of the scalar multiplication.
This is achieved by introducing a third coordinate point into
the traditional ðx; yÞ-based point representation known as
. The authors are with the School of Information Technology and
Engineering (SITE), University of Ottawa, Ottawa, ON K1N 6N5,
Canada. E-mail: plong034@uottawa.ca, samiri@site.uottawa.ca.
Manuscript received 6 Mar. 2007; revised 31 July 2007; accepted 21 Aug.
2007; published online 6 Sept. 2007.
Recommended for acceptance by E. Antelo.
For information on obtaining reprints of this article, please send e-mail to:
tc@computer.org, and reference IEEECS Log Number TC-2007-03-0073.
Digital Object Identifier no. 10.1109/TC.2007.70815.
0018-9340/08/$25.00 ß 2008 IEEE
affine coordinates. For point addition, a combination of
projective and affine coordinates, namely, mixed addition
[2], has yielded the most efficient formulas. In the case of
adding points in the same coordinate system, the required
formula is more costly and is referred to as general
addition.
Recently, new approaches to compute faster scalar
multiplications (double-base chains [3] and the ternary/
binary method [4]) have introduced tripling as a new point
operation. Dimitrov et al. [3] developed efficient tripling
formulas.
In this work (see Section 4), we replace some expensive
field multiplications with a few cheaper operations to
accelerate traditional point doubling, addition, and tripling
formulas. Previous work presented in [5] makes use of a
direct algebraic substitution to replace one “even” field
multiplication (that is, a multiplication accompanied by a
multiple of two such as 2ab) by one squaring and three field
additions/subtractions in doubling and general addition
formulas. However, our technique first optimally modifies
current formulas for doubling, addition (general and mixed
addition), and tripling in such a way that allows maximum
gain through the mentioned algebraic substitution, which is
applied right after. It is important to note that it is widely
accepted that one squaring is less computationally expensive
than one multiplication in software platforms. In this case,
most implementations report 1S  0:6-0:8M [6], [7], [8], [9],
[10]. In particular, some implementations using special
primes and Optimal Extension Fields (OEFs) have reported
S=M ratios as low as 0.6-0.67 [11], [12], [13]. Also, note that, for
this part of our work (Section 4), we target applications where
the costs of additions/subtractions can be considered
negligible in comparison with that of multiplications. This
is typically observed in software implementations where
Published by the IEEE Computer Society
290
multiplication is carried out with no cryptocoprocessors or
hardware accelerators. For details of addition/subtraction
costs in an efficient implementation, the reader is referred
to [5] and [11].
Besides efforts to speed up scalar multiplication, there are
two additional and important areas of research in ECC: side-
channel analysis (SCA) attacks and efficient implementations
on parallel architectures. In the following sections, we present
a brief description of these areas of research.
1.1 Side-Channel Attacks
Side-channel information such as power dissipation and
electromagnetic (EM) emission leaked by real-world devices
has been shown to be highly useful for guessing private
keys and effectively breaking the otherwise mathemati-
cally strong ECC cryptosystem [14]. There are two main
strategies to these attacks: simple SCA (SSCA) and
differential SCA (DSCA). We will focus on SSCA, which
is based on the analysis of a single execution trace of a
scalar multiplication, to guess the secret key by revealing
the sequence in the execution of point operations.
Extensive research has been carried out to yield effective
countermeasures. Among them, we could mention indis-
tinguishable operations via dummy instructions, scalar
multiplication with a fixed sequence of group operations
(for example, Coron’s countermeasure double-and-add-
always method [15]), unified addition and doubling
formulas (for example, the Jacobi and Hessian forms [16],
[17], [18]), and side-channel atomicity [19]. The first two
methods are, in general, highly expensive and quite
susceptible to fault attacks. Using unified addition and
doubling formulas has the drawback of being expensive or
relying on special curves that are different from the ones
specified by international standards. A highly efficient
variation of the scalar multiplication with a fixed sequence
of group operations is based on the Montgomery Ladder
[21], [22], [23]. However, similarly to the unified operation
approach, the most efficient version of the Montgomery
Ladder also relies on a nonstandardized curve form,
namely, the Montgomery curve. Side-channel atomicity,
proposed by Chevallier-Mames et al. [19], dissolves point
operations into small homogenous blocks, known as atomic
blocks, which cannot be distinguished from each other
through simple side-channel analysis because each one
contains the same pattern of basic field operations.
Furthermore, atomic blocks are made sufficiently small to
make this approach inexpensive. It is important to note that,
as pointed out in [19], if the leaking of the Hamming weight
of the scalar is an issue, it can be avoided by applying some
technique such as blinding. Also, we assume that transi-
tions between blocks are carefully implemented to avoid the
distinction of the different point operations. If the previous
assumption cannot be met, then it could be advisable to
consider the approach given in [20] and make the point
operations have the same number of field operations.
However, notice that this extra measure would introduce
a significant overhead into the side-channel atomicity
strategy. Chevallier-Mames et al. [19] proposed the Multi-
plication-Addition-Negation-Addition (M-A-N-A) structure
to build SSCA-protected formulas over prime fields.
However, the main drawback of the traditional M-A-N-A
IEEE TRANSACTIONS ON COMPUTERS, VOL. 57, NO. 3, MARCH 2008
structure is that it relies on the assumption that field
multiplication and squaring are indistinguishable from each
other. In software implementations, timing and power
consumption have been shown to be quite different for
these operations, making them directly distinguishable
through power analysis [7], [9]. The next attack can be
conceived in such a case. By observing only one EM or
power trace, an attacker may be able to detect which
portions of the scalar multiplication are in fact executing a
squaring. With that knowledge, he/she can now gain access
to the point doubling/addition sequence (and, conse-
quently, to the secret key), given that the atomic addition
has far more multiplications than squarings and its pattern
of squaring/multiplications is very different from the
pattern for the atomic doubling. Hardware platforms can
be thought to be invulnerable to this attack when one
hardware multiplier executes both field squarings and
multiplications. However, some studies suggest that higher
order DSCA attacks [24] can reveal differences between
those operations by detecting data-dependent information
through the observation of multiple sample times in the
power trace. For instance, Walter [25] proposed a high-order
DPA attack to defeat an RSA implementation by distinguish-
ing multiplications with precomputed points from squarings
and multiplications with random numbers through power
analysis. This work suggests that, similarly, power traces of
multiplications with random numbers can be distinguished
from power traces of squarings. These conclusions can be
directly applied to ECC cryptosystems and exploited to
implement the attack described previously. Although more
research is required to assess the effectiveness of these and
related attacks in hardware implementations, the smart
developer would take into account some precautions when
implementing side-channel atomicity [24, Section 29.4].
In this work (see Section 5), we exploit the flexibility
given by our technique of replacing multiplications by
squarings to propose a more efficient atomic structure that
effectively takes into account squarings in its formulation.
The latter makes our atomic operations not only faster but
also invulnerable to the potential attack described in this
section. The increase in speed comes from the fact that
squarings are generally less expensive than multiplications
and that our improved atomic structure permits us to pack
more field operations in one atomic block.
1.2 Parallel Architectures
In recent years, a new paradigm has arisen in the design
concept with the appearance of multiprocessor/parallel
architectures, which can execute several operations simul-
taneously. This topic is becoming increasingly important
since single-processor design is reaching its limits in terms
of clock frequency. Among several parallel architectures,
Single-Instruction Multiple-Data (SIMD) has became highly
attractive since it generally avoids the higher hardware
complexity needed in parallel architectures such as super-
scalar computers by leaving to the programmer the task of
parallelizing the program execution. Hence, we can already
find SIMD-based schemes in many popular processors such
as Pentium, SPARC, and PowerPC.
Similarly to other systems, ECC can be adapted to
parallel architectures at different algorithmic levels. We
LONGA AND MIRI: FAST AND FLEXIBLE ELLIPTIC CURVE POINT ARITHMETIC OVER PRIME FIELDS
focus our efforts to parallelize ECC formulas at the point
arithmetic level. In this regard, Aoki et al. [26] and Izu and
Takagi [27] introduced efficient parallel point operations
targeting SIMD-based processors. In [27], the authors
presented formulas for two-processor architectures. The
authors in [26] introduced modified Jacobian coordinates
ðX; Y ; Z; Z 2 Þ to develop fast parallel formulas for platforms
that can execute two and three operations simultaneously.
Its parallel formulas are, to our knowledge, the fastest.
However, the limitation of the previous works is that they
rely on traditional point operation formulas, which are
restricted to a fixed number of squarings and multiplica-
tions. The methodology of replacing multiplications intro-
duced in this work will be shown to allow the development
of superior parallel operations that are more efficient for
multiprocessor/parallel execution. In this regard, we
propose faster parallel formulas that are able to execute
three and four operations simultaneously (see Section 6).
The previous approach targets unprotected implementa-
tions where side-channel analysis is not a concern. How-
ever, as previously stated, portable devices should be
protected against SCA. In the last part of the present work,
we deal with SSCA-protected implementations for parallel
architectures. Similar efforts can be found in the literature.
In [21] and [22], the authors presented efficient parallel
schemes on generic curves over prime fields using the
Montgomery Ladder, which is intrinsically protected
against SSCA because every iteration in the main loop
involves one doubling and one addition. An advantage of
this method is that the formulas involve computation with
the x-coordinate only. In particular, Fischer et al. [21]
presented a more attractive scheme since it parallelizes
doublings and additions at the field operation level,
whereas Izu and Takagi [22] parallelizes at the point
operation level in every iteration of the main loop. The
latter has the limitation that the cost of every iteration is
determined by the most costly point operation, namely,
addition. Later, Izu and Takagi [23] improved the previous
proposals and introduced a unified Doubling-Addition
formula for the Montgomery Ladder method. The compo-
site formula was then efficiently parallelized. In [28],
Mishra proposed a pipelined approach for generic curves
over prime fields using the standard point arithmetic. In
this scheme, each point operation is protected against SSCA
using atomicity and the atomic block execution is done
through a pipeline, where up to two atomic blocks can be
computed simultaneously. Because a pipelined atomic
operation can begin its execution before the previous
atomic operation is complete, the total throughput is
significantly reduced to a few atomic blocks.
In this work (see Section 7), we propose a faster two-
processor SSCA-protected scheme that introduces further
cost reductions by using the enhanced atomic structure
with squarings introduced in Section 5. As previously
explained, our atomic structure not only offers true
protection against SSCA by distinguishing multiplications
from squarings but also allows us to pack more field
operations in each block.
For the rest of this work, M, S, and A, in italics, stand for
the computing costs of field multiplication, squaring, and
291
addition or subtraction, respectively. To simplify our cost
analyses in the different sections, we will consider two
possible scenarios:
1. The first scenario involves software-based imple-
mentations where squaring is faster than multi-
plication. In this case, we consider 1S ¼ 0:6M or
1S ¼ 0:8M.
2. The second scenario involves implementations on
hardware platforms or when some built-in hard-
ware is used to accelerate EC-operations (for
example, using a modular hardware multiplier
[29]). In this case, a multiplier executes both
squaring and multiplication and, consequently, the
ratio S=M is fixed to one.
Although A=M ratios widely vary from application to
application, to simplify comparisons, we consider a low
ratio for applications where multiplications are not favored
by a fast hardware multiplier. In such a case, we use
1A  0:05M, as achieved in [11]. If that is not the case, it can
happen that the cost of an addition is not negligible. In this
case, we will consider the ratio achieved in [30], 1A  0:2M.
This paper is organized as follows: In Section 2, we
introduce some basic concepts about ECC and present, for
comparison purposes, the traditional point operation for-
mulas. In Section 3, we present our innovative methodology
and, in Section 4, we apply it to develop fast formulas for
the case of point doubling, general addition, mixed
addition, and tripling. In Section 5, new atomic structures
are used to develop atomic formulas for the previous fast
point operations. We then analyze in Section 6 the case of
parallel architectures and develop SIMD-based formulas
with three and four simultaneous operations. In Section 7,
we continue with parallel architectures, but this time to
develop an SSCA-protected scheme that computes two
operations simultaneously. We end with some conclusions
about the work presented in Section 8.
2 PRELIMINARIES
An elliptic curve E over a field K is defined by the general
Weierstrass equation:
E : y2 þ a1 xy þ a3 y ¼ x3 þ a2 x2 þ a4 x þ a6 ; ð1Þ
where a1 , a2 , a3 , a4 , a6 2 K.
The set of pairs ðx; yÞ that solves (1) and the point at
infinity O, which is the identity for the group law, form
an abelian group. This group of points is used to
implement ECC.
We can define ECC over different finite fields. In
particular, we will work with a prime field IFp (the field
with p elements, where p is a large prime). In this case, the
general Weierstrass equation simplifies to the following:
E : y2 ¼ x3 þ ax2 þ b; ð2Þ
where a; b 2 IFp and  ¼ 4a3 þ 27b2 6¼ 0.
Let E be the elliptic curve over the finite field IFp . We can
represent the main operation in ECC, namely, scalar
multiplication, as Q ¼ dP , where P and Q are points in
EðIFp Þ and d is the secret scalar. Several algorithms, such as
292
binary, NAF, and sliding window methods, among many
others, have been proposed to compute the scalar multi-
plication efficiently. In general, these methods rely on the
execution of a given sequence of point doubling ð2P Þ and
addition operations ðP þ QÞ. Recent methods such as scalar
multiplication based on the ternary/binary method [4] or
double-base chains [3] introduced the tripling of a point
ð3P Þ as an additional point operation.
The representation of points on the curve E with affine
coordinates ðx; yÞ introduces field inversions into the
computation of point doubling and point addition. Inver-
sions over prime fields are the most expensive field
operation and are avoided as much as possible. Projective
coordinates ðX; Y ; ZÞ solve that problem by adding the
third coordinate Z to replace inversions with a few other
field operations.
In the present work, we will work with Jacobian
coordinates, a special case of projective coordinates that
has yielded very efficient point formulas. In the case of
addition, we will also consider the most efficient case that is
obtained by adding two points in different point represen-
tations. In particular, we will analyze the case when one
point is represented in Jacobian coordinates and the second
point in affine coordinates (mixed addition with Jacobian-
affine coordinates).
In the following sections, we introduce the traditional
point operation formulas, which can later be used for
comparison to our proposed fast operations. It is important
to note that some additional improvements in computa-
tional costs have been proposed for the tripling formulas.
2.1 Point Doubling in Jacobian Coordinates
Let P ¼ ðX1 ; Y1 ; Z1 Þ be a point in Jacobian coordinates on
the elliptic curve E. The point doubling 2P ¼ ðX3 ; Y3 ; Z3 Þ
can be computed by the following traditional formula:
X3 ¼ 2  2; Y3 ¼ ð  X3 Þ  8Y14 ; Z3 ¼ 2Y1 Z1 ; ð3Þ
where  ¼ 3X12 þ aZ14 ,  ¼ 4X1 Y12 .
Thus, the cost of a doubling is 4M þ 6S. Without loss of
generality [1], we can consider the efficient case with a ¼
3 (see (2)). In that case,  is more efficiently computed as
follows:
   traditional formulas given in Section 2, one field multi-
3X12 þ aZ14 ¼ 3 X1 þ Z12 X1  Z12 : ð4Þ
By using (4), the cost of a doubling is reduced to
4M þ 4S.
2.2 Point Addition in Jacobian Coordinates
Let P ¼ ðX1 ; Y1 ; Z1 Þ and Q ¼ ðX2 ; Y2 ; Z2 Þ be points in
Jacobian coordinates on the elliptic curve E. The point
addition P þ Q ¼ ðX3 ; Y3 ; Z3 Þ can be computed by
 
X3 ¼ 2   3  2Z22 X1  2 ; Y3 ¼  Z22 X1  2  X3  Z23 Y1  3 ;
Z3 ¼ Z1 Z2 ;
ð5Þ
where  ¼ Z13 Y2
 Z23 Y1 ,
¼ Z12 X2
 Z22 X1 .
Given (5), the cost of the general addition is 12M þ 4S.
IEEE TRANSACTIONS ON COMPUTERS, VOL. 57, NO. 3, MARCH 2008
2.3 Mixed Addition in Jacobian-Affine Coordinates
Let P ¼ ðX1 ; Y1 ; Z1 Þ and Q ¼ ðX2 ; Y2 Þ be two points in
Jacobian and affine coordinates, respectively, on the elliptic
curve E. The mixed addition P þ Q ¼ ðX3 ; Y3 ; Z3 Þ is
traditionally obtained as follows:
 
X3 ¼ 2   3  2X1  2 ; Y3 ¼  X1  2  X3  Y1  3 ;
Z3 ¼ Z1 ;
with
 ¼ Z13 Y2  Y1 ;  ¼ Z12 X2  X1 : ð6Þ
With (6), the cost of a mixed addition is fixed in 8M þ 3S.
2.4 Point Tripling in Jacobian Coordinates
Dimitrov et al. [3] introduced a fast tripling formula that
costs 10M þ 6S. Let P ¼ ðX1 ; Y1 ; Z1 Þ be a point in Jacobian
coordinates on the elliptic curve E. The point tripling 3P ¼
ðX3 ; Y3 ; Z3 Þ can be computed with the following:
 
X3 ¼ 8Y12 ð  Þ þ X1 !2 ; Y3 ¼ Y1 4ð   Þð2  Þ  !3 ;
Z3 ¼ Z1 !;
ð7Þ
where  ¼ !;  ¼ 8Y14 ,  ¼ 3X12 þ aZ14 , ! ¼ 12X1 Y12  2 .
We first remark that the same formula can be more
efficiently implemented with 9M þ 7S. On the other hand,
Dimitrov et al. [3] proposed accelerating the computation
by avoiding intermediate operations during computation of
the term aZ 4 when repeated triplings are to be computed.
This idea is based on a similar approach given in [2] with
their modified Jacobian coordinates. However, it is straight-
forward to note that applying another well-known techni-
que (fixing a ¼ 3) actually gives the best performance.
Thus, by computing  using the factorization technique
given in (4), we reduce the cost of the tripling to 9M þ 5S.
3 OUR FLEXIBLE METHODOLOGY
The next algebraic substitution holds for any elements a, b
in a prime field:
1h i
ab ¼ ða þ bÞ2 a2  b2 : ð8Þ
2
The first observation is that, if we apply (8) to the
plication would be replaced by three squarings, three
addition/subtractions, and one division by two. Conse-
quently, a direct replacement would be inefficient if we
consider 1S ¼ 0:8M or 1S ¼ 0:6M. However, we will show
that redundancy in the ECC point arithmetic formulas over
prime fields avoids the necessity of computing two out of
the three squarings.
We still have to deal with the division by two. A direct
solution is to transform it to its inverse 21 mod p.
However, this value is expected to be a very large number
and consequently requires, at worst, a whole field multi-
plication to complete the execution according to (8).
To solve this problem more efficiently, we propose
choosing another representative from the projective equiva-
lence class that inserts multiples of two into the formula.
LONGA AND MIRI: FAST AND FLEXIBLE ELLIPTIC CURVE POINT ARITHMETIC OVER PRIME FIELDS
The equivalence class denoted by ðX : Y : ZÞ that
contains the projective coordinates ðX; Y ; ZÞ is [1]
ðX : Y : ZÞ ¼ fðc X; d Y ; ZÞ :  2 K  ; c; d 2 ZZþ g:
If we define  ¼ 2, the previous strategy efficiently
inserts multiples of two into the formula, which permits the
transformation of the original algebraic substitution (8) to
the next form for an “even” field multiplication, eliminating
the division by two:
2ab ¼ ða þ bÞ2 a2  b2 : ð10Þ
Our flexible methodology can be summarized in two
steps:
1. Modify, if necessary, the point formula by inserting
multiples of two via the selection of the following
representative of the equivalence class for Jacobian
coordinates:
ðX : Y : ZÞ ¼ fð22 X; 23 Y ; 2ZÞg: ð11Þ
2. Replace inserted or existing “even” field multi-
plications by applying the algebraic substitution
given in (10), depending on the requirements of the
targeted application.
The high flexibility of this methodology permits us to
optimally adapt the point formulas to each application in
such a way that the maximum cost reduction is achieved.
In particular, we will show that substitutions in Step 2 of
our methodology are closely related to the targeted
application. For instance, in unprotected sequential opera-
tions (see Section 4), we must replace one “even” multi-
plication by only one squaring so that the cost (and number
of operations) is kept to the minimum possible, while, in
parallel implementations (see Section 6), in some cases, we
can replace one “even” multiplication by up to two
squarings to take advantage of the multiple processing
units and, in this way, reduce the cost further.
4 FAST POINT ARITHMETIC
In this section, we apply the methodology introduced in
Section 3 to derive fast formulas for ECC point operations.
As explained previously, to achieve maximum gain in a
sequential software-based implementation, we should re-
place one multiplication for only one squaring.
4.1 Fast Point Doubling
Observing (3), we can easily detect two multiplications that
can be directly replaced by squarings using the algebraic
substitution (10): Z3 ¼ 2Y1 Z1 and  ¼ 4X1 Y12 . Obviously, we
do not have to worry about divisions by two in this case:
Z3 ¼ 2Y1 Z1 ¼ ðY1 þ Z1 Þ2 Y12  Z12 ;
 2
 ¼ 4X1 Y12 ¼ 2½ X1 þ Y12 X12  Y14 :
Note that each of the previous multiplications is replaced
by only one squaring and some extra additions since the
rest of the squarings (Y12 , Z12 , X12 , and Y14 ) are already
computed in the doubling formula. No other multiplication
293
can be efficiently replaced by squarings because it would
add more than one squaring to the formula. The revised
doubling formula is given as follows:
ð9Þ
X3 ¼ 2  2; Y3 ¼ ð  X3 Þ  8Y14 ;
ð12Þ
Z3 ¼ ðY1 þ Z1 Þ2 Y12  Z12 ;
where
h 2 i
 ¼ 3X12 þ aZ14 ;  ¼ 2 X1 þ Y12 X12  Y14 :
Given (12), the cost of a doubling is reduced from 4M þ
6S to 2M þ 8S, trading two field squarings for two
multiplications.
If we fix a ¼ 3, there is a computing reduction by
applying the factorization technique in (4). Note that
computation of X12 is avoided and, consequently, comput-
ing  ¼ 2½ðX1 þ Y12 Þ2  X12  Y14  is not an improvement
anymore since one multiplication would be replaced by two
squarings instead of only one. The doubling formula when
a ¼ 3 is given as follows:
X3 ¼ 2  2; Y3 ¼ ð  X3 Þ  8Y14 ;
ð13Þ
Z3 ¼ ðY1 þ Z1 Þ2 Y12  Z12 ;
  
where  ¼ 3 X1 þ Z12 X1  Z12 ,  ¼ 4X1 Y12 .
Additionally, the cost of a doubling is reduced from
4M þ 4S to 3M þ 5S.
Further improvement can be achieved for implementa-
tions where squaring is relatively cheap in comparison with
multiplication (that is, 1S ¼ 0:6M). In this case, considering
a as sparse (sparse meaning very low Hamming weight),
(12) is the most efficient doubling formula with a cost of
only 1M þ 8S, given that multiplication by the constant a
can be computed with a few inexpensive field additions.
This is even more efficient than the case a ¼ 3 and less
restrictive in the choice of a.
4.2 Fast Point Addition
By observing (5), we can quickly detect one multiplication
that can be replaced by one squaring using the algebraic
substitution (8): Z1 Z2 in Z3 . However, this term lacks a
multiple of two to avoid the division by two. To solve this
problem, we follow the methodology given in Section 3.
Thus, the formula is first transformed as follows:
X3 ¼ 2  4 3  8Z22 X1  2 ;
 
Y3 ¼  4Z22 X1 2  X3  8Z23 Y1  3 ; ð14Þ
Z3 ¼ 2Z1 Z2 ;
 3 
where  ¼ 2 Z1 Y2  Z23 Y1 ,  ¼ Z12 X2  Z22 X1 .
In this modified formula, the term Z1 Z2 has been
replaced by 2Z1 Z2 , allowing the computation
2Z1 Z2 ¼ ðZ1 þ Z2 Þ2 Z12  Z22 :
Thus, the new addition formula is given as follows:
X3 ¼ 2  4 3  8Z22 X1 2 ;
 
Y3 ¼  Z22 X1 2  X3  Z23 Y1  3 ; ð15Þ
Z3 ¼ ;
294 IEEE TRANSACTIONS ON COMPUTERS, VOL. 57, NO. 3, MARCH 2008

where TABLE 1
  Cost of the Proposed Fast Point Operations
 ¼ 2 Z13 Y2  Z23 Y1 ; in Comparison with Traditional Formulas
 ¼ Z12 X2  Z22 X1 ;
 ¼ ðZ1 þ Z2 Þ2 Z12  Z22 :
Given (15), the cost of an addition is reduced to
11M þ 5S, trading one multiplication for one squaring in
the traditional formula.

4.3 Fast Mixed Addition

By following the same methodology, we achieve the next
revised formula for the mixed addition:
 
X3 ¼ 2  4 3  8X1  2 ; Y3 ¼  4X1 2  X3  8Y1  3 ;
Z3 ¼ ðZ1 þ  Þ2 Z12   2 ;
ð16Þ
 3  2
where  ¼ 2 Z1 Y2  Y1 ,  ¼ Z1 X2  X1 . w ¼ number of repeated triplings.
Note that the term Z3 ¼ 2Z1  (from (14), Z2 ¼ 1) has
been replaced by Z3 ¼ ðZ1 þ Þ2  Z12   2 , reducing the
where
cost to 7M þ 4S.
2 ¼ ð þ !Þ2 2  !2 ; 2 ¼ 16Y14 ;
4.4 Fast Point Tripling    ð18Þ
Substituting squarings for multiplications gives the greatest  ¼ 3 X1 þ Z12 X1  Z12 ; ! ¼ 12X1 Y12  2 :
increase in speed in the tripling formula, given the rich In this case, the cost of the tripling is further reduced to
redundancy found in this operation. If we apply our flexible 7M þ 7S.
methodology to (7), the new tripling operation can be Table 1 summarizes our achievements to this point. We
expressed as follows: distinguish three cases: when a has any possible value (first
X3 ¼ 16Y12 ð2  2Þ þ 4X1 !2 ; column, general case), when a is defined as sparse (second
  column), and when a ¼ 3 (third column).
Y3 ¼ 8Y1 ð2  2 Þð4  2Þ  !3 ; ð17Þ As can be seen, our formulas replace expensive multi-
Z3 ¼ ðZ1 þ !Þ2 Z12  !2 ; plications by squarings. In some highly efficient cases such
as the proposed fast tripling, we replace up to four
multiplications with four squarings in the original formula
where
given in [3]. We remark that the improvement is more
2 ¼ ð þ !Þ2 2  !2 ; 2 ¼ 16Y14 ; significant in applications where squarings are relatively
very cheap in comparison to multiplications (that is,
 ¼ 3X12 þ aZ14 ; ! ¼ 6½ðX1 þ Y12 Þ2  X12  Y14   2 : 1S ¼ 0:6M). Also, we point out that defining a as sparse
does not represent the most efficient case for the traditional
Thus, the cost of a tripling has been efficiently reduced operations. However, in our fast point formulas, defining a
from 10M þ 6S to 6M þ 10S. as sparse yields a doubling and a tripling that are more
A more efficient result is achieved by fixing a as a sparse efficient than the general case or when a ¼ 3 if 1S ¼ 0:6M.
number. In that case, the cost is further reduced to In addition, Dimitrov et al. [3] proposed a repeated
5M þ 10S. tripling formula that efficiently trades one multiplication for
Again, for the case when a ¼ 3, there is an additional two squarings at every repeated tripling. However, we can
reduction if we compute  using the factorization technique see in Table 1 that our fast tripling, without extra
given in (4). Note that the computation of X12 is avoided modifications needed, is more efficient if consecutive
and, consequently, computing ! ¼ 12X1 Y12  2 as 6½ðX1 þ triplings are to be computed. For instance, if 1S ¼ 0:8M,
Y12 Þ2  X12  Y14   2 is not an improvement anymore since the formula proposed in [3] needs ð14:2w þ 0:6Þ field
one multiplication would be replaced by two squarings multiplications, while our formula only requires ð14wÞ field
instead of only one. multiplications. If 1S ¼ 0:6M, the advantage of our formula
Thus, the revised tripling formula when a ¼ 3 is given is further increased. Furthermore, the reader must note that
as follows: more efficient repeated triplings can be computed when our
formula fixes a as sparse or a ¼ 3.
X3 ¼ 16Y12 ð2  2Þ þ 4X1 !2 ;
  5 SSCA-PROTECTED OPERATIONS
Y3 ¼ 8Y1 ð2  2 Þð4  2Þ  !3 ;
Z3 ¼ ðZ1 þ !Þ2 Z12  !2 ; Atomic blocks were originally M-A-N-A-based structures
for the case of point operations over prime fields [19]. For
LONGA AND MIRI: FAST AND FLEXIBLE ELLIPTIC CURVE POINT ARITHMETIC OVER PRIME FIELDS
efficiency purposes, squarings and multiplications are
considered to be side-channel equivalent [3], [19], [28]
and, consequently, the atomic block efficiency heavily
depends on the cost of the multiplication. The general
assumption is that multiplication and squaring are indis-
tinguishable from a side-channel analysis point of view.
However, as explained in Section 1, that is not generally the
case. Hence, an efficient atomic block should consider
squaring in its structure. With previous atomic formulas,
such a consideration would have been very inefficient and
expensive. However, the flexible methodology presented in
this work permits modification of the point formulas in
such a way that allows us to easily balance the number of
squarings and multiplications and thus introduces squar-
ings into the formulation. In this work, we present an
innovative atomic structure based on Squaring-Negation-
Addition-Multiplication-Negation-Addition-Addition (S-N-
A-M-N-A-A) to build the point operations. We remark that
this new structure is more efficient and truly protects
against SSCAs because it takes into account the differences
between field squarings and multiplications.
To achieve cheaper atomic operations with the proposed
atomic structure, we first have to try to balance the number of
squarings and multiplications in a given formula. The latter is
intended for minimizing the overall cost of each atomic
operation. For instance, a traditional mixed addition costs
8M þ 3S and, thus, its atomic form using S-N-A-M-N-A-A
would require at least eight blocks since there is a
maximum of one multiplication per block. If we otherwise
“balance” the number of squarings and multiplications, say,
to 6M þ 6S, then the requirement of the atomic implemen-
tation is reduced to only six blocks.
In the next paragraphs, we follow the previous approach
in combination with our methodology of replacing multi-
plications by squarings to derive cheaper operations using
the new atomic structure, first, for the case of scalar
multiplication using only radix 2 for the scalar expansion
(for example, traditional NAF and wNAF [1]) and then for
the case of expansions including ternary bases (for example,
double-base chains [3]).
5.1 Case with Binary Bases
In the traditional point doubling formula, we observe that
the number of multiplications and squarings is already
balanced with the minimum number of operations when
considering a ¼ 3 (3): 4M þ 4S. Thus, working with the
aforementioned atomic structure (S-N-A-M-N-A-A), four
atomic blocks are sufficient to accommodate the balanced
doubling formula as each atomic block contains one field
multiplication and one field squaring. Therefore, the cost of
the atomic doubling is 4M þ 4S. The details are shown in
Appendix A (which can be found in the Computer Society
Digital Library at http://computer.org/tc/archives.htm).
For the case of mixed addition, we have the fast formula
(16) whose cost is 7M þ 4S. We first need to balance the
number of operations. That can be achieved if one multi-
plication is replaced by two squarings as follows:
2Z13 Y2 ¼ ðZ13 þ Y2 Þ2  Z16  Y22 , with the term Y22 precom-
puted. Thus, the balanced formula is given as follows:
295
 
X3 ¼ 2  4 3  8X1  2 ; Y3 ¼  4X1  2  X3  8Y1  3 ;
Z3 ¼ ðZ1 þ  Þ2 Z12   2 ;
ð19Þ
 2
where  ¼ Z13 þ Y2 Z16  Y22  2Y1 ,  ¼ Z12 X2  X1 .
The cost is now 6M þ 6S, containing the minimum
possible number of operations when the number of field
multiplications and that of squarings are equivalent. The
cost of the atomic addition is fixed at 6M þ 6S as only six
atomic blocks are required to accommodate (19). The details
of the atomic addition formula are shown in Appendix B,
which can be found in the Computer Society Digital Library
at http://computer.org/tc/archives.htm.
5.2 Case with Ternary Bases
Scalar multiplications that take advantage of ternary bases
to accelerate computations [3], [4] require the tripling of a
point besides doubling and addition. Given the high
number of field additions found in the tripling formula
(see (7), (17), and (18)), it is not possible to accommodate
this operation with the optimal number of atomic blocks
using the proposed S-N-A-M-N-A-A structure. Thus, an
additional field addition per atomic block has been added
to the previous atomic structure to permit the optimal
performance: S-N-A-A-M-N-A-A. In this way, we can
accommodate the tripling formula without requiring extra
multiplications or squarings, resulting in the cheapest
atomic implementation known to date.
In the following paragraphs, we present the modified
atomic operations for scalar multiplications that require
triplings, additions, and doublings, as is the case of the
double-base chain algorithm.
In the case of the tripling operation, the optimal balance
between multiplications and squarings can be found in (18),
when a ¼ 3, with a cost of 7M þ 7S. Then, seven atomic
blocks would be required to accommodate all of these
operations. However, because of the internal dependences
between field operations in the tripling formula, one extra
block is necessary, making a total of eight atomic blocks. If
repeated triplings are computed, it is possible to reduce the
cost to ð7w þ 1ÞM þ ð7w þ 1ÞS, where w is the number of
repeated triplings, by merging the last block of the current
tripling with the first block of the following tripling, saving
one field multiplication and one field squaring at every
additional tripling operation. The details of the atomic
tripling and atomic repeated tripling are presented in
Appendix C, which can be found in the Computer Society
Digital Library at http://computer.org/tc/archives.htm.
In addition, point doubling and addition operations
must be modified according to the new atomic structure to
make them suitable for scalar multiplications that include
triplings in their computation. Basically, four and six extra
additions have to be added to the (S-N-A-M-N-A-A)-based
atomic doubling and mixed addition in Section 5.1, as
detailed in Appendices A and B, which can be found in the
Computer Society Digital Library at http://computer.org/
tc/archives.htm.
5.3 Performance Comparison
Chevallier-Mames at al. [19] proposed atomic doublings
and additions built with 10 and 16 M-A-N-A atomic blocks,
296
TABLE 2
Cost of the Proposed and Previous Atomic Operations
(Scalar Multiplications Using Radix 2)
TABLE 3
Cost of the Proposed and Previous Atomic Operations
(Scalar Multiplications Using Radices 2 and 3)
w ¼ number of repeated doublings or triplings.
respectively. Thus, a doubling costs 10M þ 20A and an
addition, 16M þ 32A. Mishra [28] presented an improved
atomic operation for the case of mixed addition. The
number of atomic blocks for addition was reduced to 11,
with a total cost of 11M þ 22A. Later, Dimitrov et al. [3]
presented a fast tripling formula with 16 atomic blocks
using the same atomic structure, with a total cost of
16M þ 32A. In comparison, our enhanced atomic structure
based on multiplication and squaring shows reduced costs
in all cases. Table 2 summarizes the performance of the new
formulas when only point addition and doubling are used,
as is the case for the traditional binary and NAF methods.
For the case where ternary bases are included into the
computation of the scalar multiplication, Table 3 sum-
marizes our results.
As we can see in both tables, our atomic operations
achieve reduced computing costs by minimizing the
number of required field additions and replacing squarings
for multiplications in comparison to previous atomic
operations using M-A-N-A, including cases where some
savings can be achieved by the successive execution of
doublings or triplings.
Remarkably, we also observe that, even in applications
where squarings are considered as costly as multiplications
(that is, 1S ¼ 1M, if the same hardware multiplier is used to
perform multiplication and squaring), our S-N-A-M-N-A-A-
based atomic doubling and repeated doubling present a
reduction of at least two field multiplications and four field
additions. In the case of triplings, the cost would be the same
ð16M þ 32AÞ, but, when repeated triplings are computed, our
approach is again superior, reducing the required number of
multiplications and additions from ð15w þ 1ÞM þ ð30w þ
2ÞA to ð14w þ 2ÞM þ ð28w þ 4ÞA, which means an overall
reduction of ðw  1Þ field multiplications and 2ð2w  1Þ
field additions. Point addition is still one multiplication
more expensive than the traditional formulas. However, we
expect that such a disadvantage is minimized due to the
IEEE TRANSACTIONS ON COMPUTERS, VOL. 57, NO. 3, MARCH 2008
TABLE 4
Performance of New Atomic Operations in Comparison with
Previous Atomic Formulas (NAF Method, n ¼ 160 bits)
scarce occurrence of these operations during the scalar
multiplication.
To have a more precise idea of the improvement that can
be achieved with our atomic operations, we compare the
performance when using a traditional scalar multiplication
with the NAF method and scalar d of length n ¼ 160 bits.
NAF has a nonzero density of approximately 1/3 [1]. Thus,
for a 160-bit NAF scalar multiplication, one approximately
requires 159D + 53A. The number of required operations
when using the new atomic formulas and the best previous
atomic operations in [3], [19], [28] are detailed in Table 4 for
the case where a hardware multiplier executes both multi-
plications and squarings ð1S ¼ 1MÞ and for the most
common cases in software implementations (1S ¼ 0:6M
and 1S ¼ 0:8M).
As can be seen in Table 4, our atomic operations perform
significantly better than the previous operations in all of the
studied scenarios. For instance, let us consider the case of an
implementation using a modular hardware multiplier. In
such a case, we have 1S ¼ 1M and an A=M ratio as high as
0.2. Then, the new M-N-A-M-N-A-A structure presents a
reduction of about 18.5 percent in comparison with a NAF
scalar multiplication using previous atomic operations.
Now, let us consider the case of an efficient software
implementation such as the one presented in [5], [11], where
addition is very cheap. In that case, we set 1A ¼ 0:05M.
Then, our approach presents significant reductions of about
22.2 percent ðS=M ¼ 0:8Þ and 30.2 percent ðS=M ¼ 0:6Þ.
6 PARALLEL POINT OPERATIONS
In this section, we show that our methodology of replacing
multiplications, proposed in Section 3, permits flexibly
modifying point doubling, addition, and tripling formulas
to make them more efficient when implemented in a
parallel architecture such as SIMD. In the following, we
present formulas to compute three and four operations in
parallel. It is important to note that, in the four-processor
case, one multiplication can be replaced by up to two
squarings since more computing resources are available
and the introduction of squarings would permit reducing
the costs further.
Also, a new coordinate system that takes advantage
of the inserted squarings and thus minimizes computing
costs in parallel implementations is introduced:
ðX; Y ; Z; X2 ; Z 2 ; Z 3 =Z 4 Þ. The fourth coordinate, X 2 , will be
required for doublings and triplings and the sixth coordi-
nate will be Z 3 if the current operation is an addition and Z 4
if the current operation is a doubling or tripling.
LONGA AND MIRI: FAST AND FLEXIBLE ELLIPTIC CURVE POINT ARITHMETIC OVER PRIME FIELDS
TABLE 5
Three-Processor Point Doubling
(a) Z33 if the next operation is a point addition and Z34 if the next operation
is a doubling or tripling.
6.1 Three-Processor Formulas
For the parallel doubling operation, we use the fast formula
(12), considering a ¼ 3 for optimal performance. How-
ever, we do not use the factorization technique given in (4),
with the objective of taking advantage of the new
coordinate system that already includes X2 and Z 4 as
precomputed terms. The parallel doubling formula is
shown in Table 5. Only squarings and multiplications are
shown. For a detailed description, the reader is referred to
Appendix D, which can be found in the Computer Society
Digital Library at http://computer.org/tc/archives.htm.
The total cost of the parallel doubling is 1M þ 2S þ 11A.
This cost is reduced by one addition to 1M þ 2S þ 10A if
repeated doublings are being computed or the following
operation is a tripling. This reduction is possible because
the last three-parallel operations of the doubling can be
merged with the first three-parallel operations of the
following doubling or tripling.
For the parallel addition formula, we consider the
efficient case with mixed coordinates given by the fast
addition formula (15). The parallel addition formula is
shown in Table 6, with a cost of 3M þ 2S þ 8A. This cost is
reduced by one addition to 3M þ 2S þ 7A if a doubling or
tripling is computed right after the addition. Similarly to the
three-processor doubling, the last three-parallel operations
of the addition can be merged with the first three-parallel
operations of the following doubling or tripling (see
Appendix E, which can be found in the Computer Society
Digital Library at http://computer.org/tc/archives.htm,
for details).
TABLE 6
Three-Processor Point Addition
297
TABLE 7
Three-Processor Point Tripling
(a) Z33 if the next operation is a point addition and Z34 if the next operation
is a doubling or tripling.
For the parallel tripling operation, we consider (17) with
a ¼ 3. The parallel tripling formula is shown in Table 7
and, similarly to the doubling case, a is defined as sparse
with a fixed value of 3, but the factorization technique in
(4) is not applied to achieve the maximal utilization of the
introduced coordinate system. The total cost of the parallel
tripling is 3M þ 3S þ 14A (see Appendix F, which can be
found in the Computer Society Digital Library at http://
computer.org/tc/archives.htm, for further details).
6.2 Four-Processor Formulas
For the parallel doubling formula and similarly to the case
of three processors, we use (12) with a ¼ 3 and avoid the
factorization technique (4). However, this time, we can
maximize processor utilization by replacing additional
multiplications by two squarings. As was discussed
previously, in a sequential architecture, this would lead to
higher costs. However, we remark that this strategy leads to
further computing time reduction in four-processor archi-
tectures since not all processors are being used all the time
and extra squarings can be accommodated by inactive
processors. Before proceeding, we have to modify the fast
doubling formula (12) to make it suitable for more squaring-
for-multiplication replacements. The revised formula
would be defined as follows if we apply the strategy given
in Section 3:
X3 ¼ 42  8; Y3 ¼ 2ð4  X3 Þ  64Y14 ;
h i ð20Þ
Z3 ¼ 2 ðY1 þ Z1 Þ2 Y12  Z12 ;
where  ¼ 3X12 þ aZ14 , 4 ¼ 8½ðX1 þ Y12 Þ2  X12  Y14 , and
2ð4  X3 Þ is computed as
ð þ 4  X3 Þ2 2  ð4  X3 Þ2 :
Although the number of squarings (and the cost for the
sequential implementation) has been increased in (20), in a
four-processor architecture this leads to higher processor
utilization and a reduced or nil number of multiplications.
The parallel doubling formula is shown in Table 8, with a total
cost of 3S þ 13A (see Appendix G, which can be found in the
Computer Society Digital Library at http://computer.org/
tc/archives.htm, for further details). If the following
298 IEEE TRANSACTIONS ON COMPUTERS, VOL. 57, NO. 3, MARCH 2008

TABLE 8 TABLE 10
Four-Processor Point Doubling Four-Processor Point Tripling

(a) Z33 if the next operation is a point addition and Z34 if the next operation
is a doubling or tripling.

operation is an addition, then the cost is slightly increased
to 1M þ 2S þ 13A because we need to compute Z33 in the
third step, Processor 2.
Additionally, the cost is reduced by two field additions
to 3S þ 11A if repeated doublings are performed or the
following operation is a tripling because the last two four-
parallel field operations can be merged with the first two
four-parallel operations of the following doubling or
tripling.
In the case of point addition, we use the fast mixed
addition given by (16). Following the strategy previously
applied to the doubling formula, we modify (16) as follows:
 
X3 ¼ 42  4 3  8X1  2 ; Y3 ¼ 2 4X1  2  X3  8Y1  3 ;
2
Z3 ¼ ðZ1 þ  Þ Z12 2
 ;
ð21Þ
where  ¼ Z13 Y2  Y1 ,  ¼ Z12 X2  X1 , 2Y1  is computed as
ðY1 þ Þ2  Y12   2 and 2ð4X1  2  X3 Þ is computed as
ð þ 4X1  2  X3 Þ2  2  ð4X1  2  X3 Þ2 .
The parallel addition formula is presented in Table 9 (see
Appendix H, which can be found in the Computer Society
Digital Library at http://computer.org/tc/archives.htm,
for more details). Its total cost is 2M þ 2S þ 9A. If the
following operation is a doubling or tripling, the cost is
reduced by two additions to 2M þ 2S þ 7A.
In the case of the tripling, this operation can be
implemented with the fast formula given by (17), fixing
a ¼ 3. We again follow the strategy applied to doubling
and addition and show that, in this case, the replacement of
all multiplications by squarings leads to the lowest cost.
Formula (16) is modified as follows:
TABLE 9
Four-Processor Mixed Addition
(a) Z33 if the next operation is a point addition and Z34 if the next operation
is a doubling or tripling.
X3 ¼ 16Y12 ð2  2Þ þ 4X1 !2 ; Y3 ¼ 4Y1 ;
ð22Þ
Z3 ¼ ðZ1 þ !Þ 2
Z12 2
! ;
where
2 ¼ ð þ !Þ2 2  !2 ; 2 ¼ 16Y14 ;
 ¼ 3X12 þ aZ14 ; ! ¼ 6½ðX1 þ Y12 Þ2  X12  Y14   2 ;
 ¼ 2ð2  2Þð4  2Þ  2!3 :
The next multiplications are computed as follows:
4X1 !2 ¼ 2½ðX1 þ !2 Þ2  X12  !4 ;
2!3 ¼ ð! þ !2 Þ2  !2  !4 ;
 2
16Y12 ð2  2Þ ¼ 8Y12 þ 2  2 64Y14  ð2  2Þ2 ;
4Y1  ¼ ð4Y1 þ Þ2 16Y12  2 ;
2ð2  2 Þð4  2Þ ¼ 4 2  ð2  2Þ2 ð4  2Þ2 :
The parallel tripling formula has a total cost of 6S þ 17A
(Table 10; see Appendix I, which can be found in the
Computer Society Digital Library at http://computer.org/
tc/archives.htm). If the operation following a tripling is an
addition, the cost is slightly increased to 1M þ 5S þ 17A.
On the other hand, the cost is reduced by two additions to
6S þ 15A if repeated triplings are performed or the
following operation is a doubling.
6.3 Performance Comparison
Table 11 summarizes the cost of the parallel point
operations presented for the cases when three and four
operations are executed simultaneously on an SIMD-based
architecture. The results are compared to previous propo-
sals given in [26] and [27]. The most efficient scenario was
given in [26], which developed cheaper three-processor
SIMD doubling and mixed addition operations using the
modified coordinate system ðX; Y ; Z; Z 2 Þ. Similarly to our
case, they used a ¼ 3 for the doubling formula without
applying the factorization technique in (4). However, our
flexible methodology has allowed further cost reductions by
replacing some costly multiplications for squarings. This
permits the reduction of doublings to 1M þ 2S in the case of
three-parallel operations, in comparison to the cost of 2M þ
1S for the doubling given in [26]. For instance, for an n-bit
LONGA AND MIRI: FAST AND FLEXIBLE ELLIPTIC CURVE POINT ARITHMETIC OVER PRIME FIELDS
TABLE 11
Comparison of Different Parallel
and Sequential Point Operations
NAF scalar multiplication, with an approximate cost of ðn 
1Þ doublings and ðn=3Þ additions, the formula in [26] would
require roughly 3:3nM þ 1nS, whereas our formulas
require 2nM þ 2:6nS. When 1S ¼ 0:8M, there are no
significant differences between both formulas (about
661M each if n ¼ 160). However, for the case 1S ¼ 0:6M,
the formula in [26] costs 627M and ours only costs 574M. In
comparison to costs using traditional sequential formulas
(described in Section 2), 1; 712M (if 1S ¼ 0:8M) and 1; 552M
(if 1S ¼ 0:6M), we get computing reductions of about
61 percent and 63 percent, respectively. In comparison with
our fast sequential formulas presented in Section 4, 1; 657M
(if 1S ¼ 0:8M) and 1; 455M (if 1S ¼ 0:6M), we get comput-
ing reductions of about 60 percent and 61 percent,
respectively.
For the tripling, we have proposed, to our knowledge,
the first approach for a parallel implementation. On a three-
processor SIMD scheme, the proposed tripling performs
twice as fast as a sequential implementation. For instance, if
1S ¼ 0:8M, the traditional tripling in [3] costs 14:8M and
our fast tripling in a sequential fashion, 12:6M. In contrast,
the proposed three-processor tripling only costs 5:4M.
Furthermore, our methodology makes point operations
suitable for architectures that compute four operations
simultaneously. We have further reduced our three-parallel
formulas, which are the most efficient to our knowledge, to
achieve faster four-parallel formulas by trading one squar-
ing for one multiplication in the case of a doubling,
reducing one field multiplication in the case of mixed
addition, and trading three squarings for three multi-
plications in the case of a tripling. For comparison purposes,
if we consider a 160-bit NAF scalar multiplication, our four-
processor formulas would require approximately 584M (if
1S ¼ 0:8M) and 478M (if 1S ¼ 0:6M). That means reduc-
tions of about 11 percent and 17 percent for each case,
respectively, in comparison with the three-processor im-
plementation. In comparison with the traditional sequential
approach, we obtain reductions of about 66 percent and
70 percent for each case, respectively, which means that the
four-processor scheme is about three times faster than the
traditional sequential implementation.
On a four-processor scheme, the proposed tripling
formula performs almost three times faster than the
sequential operation. For instance, if 1S ¼ 0:8M, the
proposed four-processor tripling costs, in most cases, ð6SÞ
299
4:8M, the tripling given in [3] costs 14:8M, and our fast
tripling in a sequential fashion costs 12:6M.
7 PARALLEL SSCA-PROTECTED POINT
OPERATIONS
Operations presented in the previous section are oriented to
achieving the maximum speedup on SIMD-based implemen-
tations when SCA attacks are not a problem. In the present
section, we propose a scheme with two-processor point
operations protected against SSCA. Again, atomicity has
been used to achieve the required level of security. We have
investigated dependences among field operations in each
point operation and concluded that architectures that are
designed for executing two operations simultaneously are
more efficiently exploited if squarings are also considered in
the formula. Throughout this paper, our highly flexible
methodology has been applied to yield improved formulas
that permit the efficient introduction of squarings into the
atomic block structure, as was shown in Section 5. Thus, our
scheme arranges two field operations in parallel at each step,
following the atomic structure given by S-N-A-A-M-N-A-A
(introduced in Section 5.2), which has been found to
efficiently accommodate all of the point operations in two-
processor architectures. In the following, we call a block a
parallel atomic block if it is able to execute two operations in
parallel and follows the aforementioned atomic structure to
protect against SSCA.
In the next paragraphs, we describe each parallel point
operation. For each formula, the order of execution has been
carefully arranged to yield the lowest cost.
As explained in Section 5, to achieve minimum costs, we
require formulas with a balanced number of field multi-
plications and squarings. For the case of doubling, the
traditional formula given by (3), with a ¼ 3, is already
balanced, with a cost of 4M þ 4S. Thus, we only require two
parallel atomic blocks as each of these is capable of executing
two field multiplications and two field squarings. The cost of
the two-parallel atomic doubling is fixed at 2M þ 2S þ 8A.
The details of this operation are shown in Appendix J,
which can be found in the Computer Society Digital Library
at http://computer.org/tc/archives.htm.
For the case of mixed addition, in Section 5, we derived
the balanced formula (19) with a cost of 6M þ 6S. We use
this formula to obtain our two-parallel atomic addition with
only four parallel atomic blocks. Thus, the total cost of the
two-parallel addition is given by 4M þ 4S þ 16A (see
further details in Appendix K, which can be found in the
Computer Society Digital Library at http://computer.org/
tc/archives.htm).
Similarly, in Section 4, we presented a balanced tripling
formula given by (18) with a cost of 7M þ 7S. Using this
formula, we derive a two-parallel tripling protected against
SSCA with five parallel atomic blocks and a fixed cost in
5M þ 5S þ 20A (see Appendix L, which can be found in the
Computer Society Digital Library at http://computer.org/
tc/archives.htm).
In Table 12, we show a sample execution of consecutive
tripling, doubling, and addition operations in our proposed
two-parallel SSCA-protected scheme, where one point
300
TABLE 12
EC Point Operations in the Proposed Two-Parallel
SSCA-Protected Scheme
(a) Atomic point addition. (b) Atomic point doubling. (c) Atomic point
tripling.
operation is executed in parallel at a time. We denote the
parallel atomic block x executed by processor y by x; y. Five,
two, and four parallel atomic blocks are required to complete a
tripling, a doubling, and an addition, respectively.
7.1 Performance Comparison
Several efforts to protect parallel implementations against
SSCA can be found in the literature. In [21] and [22], the
authors presented efficient parallel SSCA-protected schemes
using the Montgomery Ladder method over prime fields. In
general, for an n-bit scalar multiplication, the Montgomery
ladder method requires ðn  1Þ iterations. Fischer et al. [21]
presented a parallel doubling and addition execution with a
cost of 10M þ 8A. Thus, the scalar multiplication would cost
10ðn  1ÞM þ 8ðn  1ÞA. If n ¼ 160 bits, then the total cost is
1; 590M þ 1; 272A. On the other hand, the method given in
[22] fixes the cost of every iteration to one point addition.
The doubling and addition formulas in [22] cost 6M þ 3S þ
6A and 8M þ 2S þ 7A, respectively. Since one extra
doubling is required to complete the scalar multiplication,
the cost of the scalar multiplication using the Montgomery
Ladder would be one doubling and ðn  1Þ additions,
which is equivalent to ðn ¼ 160Þ
ð6M þ 3S þ 6AÞ þ ðn  1Þð8M þ 2S þ 7AÞ ¼
1; 278M þ 321S þ 1; 119A:
Later, Izu and Takagi [23] improved the proposals in [21]
and [22] and proposed a unified Doubling-Addition
formula for the Montgomery Ladder. The composite
formula was efficiently parallelized with a cost of
7M þ 2S þ 8A. Thus, a scalar multiplication would cost
ðn ¼ 160Þ
ðn  1Þð7M þ 2S þ 8AÞ ¼ 1; 113M þ 318S þ 1; 272A:
In [28], Mishra proposed a pipelined approach for generic
curves over prime fields using the standard point arithmetic.
IEEE TRANSACTIONS ON COMPUTERS, VOL. 57, NO. 3, MARCH 2008
The pipeline scheme was protected against SSCA using
atomicity. Because a pipelined atomic operation can begin
its execution before the previous atomic operation is
complete, the total throughput is reduced to only six atomic
blocks. In this work, each atomic block had the traditional
M-A-N-A structure. Since the cost of using the NAF method
is ðn  1Þ doublings and ðn=3Þ additions, the pipelined
method costs 10 þ 6ðn þ n=3  2Þ atomic blocks [28], which
is equivalent to 1,278 atomic blocks when n ¼ 160. As each
atomic block contains one multiplication and two additions,
the total cost of this method is fixed at 1; 278M þ 2; 556M.
In contrast to [28], our proposed parallel SSCA-protected
scheme introduces further cost reductions by including
squarings in the atomic structure. As was shown in the
previous sections, our atomic structure not only offers true
protection against SSCA by distinguishing multiplications
from squarings, but also allows us to pack more field
operations per block. Furthermore, our parallel approach is
shown to be superior to the pipelined one in [28]. The
pipeline reduces the throughput to six atomic blocks by
beginning each point operation as soon as possible, with a
maximum of two processes being computed simulta-
neously. Hence, the main obstacle to achieving cheaper
execution is given by interoperation dependencies (depen-
dencies found between consecutive point operations). In
contrast, our approach parallelizes field operations inside
each point operation and, hence, the cost of the atomic
formulas is mainly defined by intraoperation dependencies
(dependencies inside each point operation). We have
carefully analyzed both kinds of dependency and con-
cluded that interoperation dependencies in the point
arithmetic over prime fields are more restrictive. Thus,
even though throughput is effectively reduced to six atomic
blocks (about six field multiplications) in [28], with the
parallel approach, we have doublings and additions that are
executed with only 2M þ 2S and 4M þ 4S, respectively.
The reader must note that doublings are more frequently
required in efficient scalar multiplication methods and,
hence, our method would be superior even in the case
1S ¼ 1M, making our approach not only more secure but
also faster in hardware-based implementations.
In an n-bit NAF scalar multiplication, our scheme costs
2ðn  1Þ þ 4ðn=3Þ atomic blocks since doublings and addi-
tions require two and four parallel atomic blocks, respec-
tively. Consequently, if n ¼ 160, it requires 531 parallel
atomic blocks. Since each parallel atomic block costs one
multiplication, one squaring, and four additions, the total
cost would be 531M þ 531S þ 2; 124A. Table 13 compares
the performance of previous parallel and protected meth-
ods against that of the proposed two-parallel SSCA-
protected scheme for three possible scenarios: hardware-
assisted implementations ð1S ¼ 1MÞ; considering that
multiplication is very efficient and, thus, addition is not
negligible ð1A ¼ 0:2MÞ; and software-based implementa-
tions where squaring is generally cheaper (1S ¼ 0:6M or
0:8M). For the latter, we consider that addition can be made
very fast in comparison to multiplication ð1A ¼ 0:05MÞ.
As can be seen in Table 13, our approach introduces
significant cost reductions in all of the studied cases. For
instance, it reduces costs by approximately 12 percent,
LONGA AND MIRI: FAST AND FLEXIBLE ELLIPTIC CURVE POINT ARITHMETIC OVER PRIME FIELDS
TABLE 13
Comparison of Performance of
Parallel SSCA-Protected Methods with n ¼ 160
26 percent, and 30 percent for the three presented cases,
respectively, when compared to the best parallel method
using the Montgomery Ladder [23]. In comparison with the
pipelined scheme [28], our parallel approach introduces
reductions of approximately 17 percent, 25 percent, and
32 percent.
For comparison purposes, sequential atomic methods are
also presented. In that case, our scheme introduces
speedups of about 40 percent, 43 percent, and 43 percent
for the three studied cases, respectively, in comparison with
the new atomic implementation proposed in Section 5. The
improvements are as high as 51 percent, 56 percent, and
60 percent if compared with the traditional atomic
implementation based on M-A-N-A.
8 CONCLUSION
We have presented a highly flexible methodology to derive
fast formulas for the doubling, tripling, and addition
operations, where some multiplications have been effi-
ciently replaced by squarings with optimization purposes.
Furthermore, we have shown that parallel schemes such as
SIMD can greatly benefit from this flexible technique. For
instance, a 160-bit NAF scalar multiplication with intro-
duced three and four-parallel SIMD operations reduces
computing costs by approximately 63 percent and 70 per-
cent, respectively, when compared with the traditional
sequential approach. Also, we have protected our formulas
against SSCA using innovative and highly efficient atomic
structures where squarings have also been included. We
have shown new atomic formulas that are cheaper and,
more importantly, offer true protection against SSCA. For
instance, in the scalar multiplication using NAF, our atomic
blocks speed up the computation by up to 30 percent in
contrast to previous atomic implementations. Finally, by
using the new atomic structure, a highly efficient two-
parallel SSCA-protected scheme has been presented with a
computing reduction of up to 32 percent in the scalar
multiplication, in comparison with the previous best
method using NAF.
301
APPENDIX
Appendices of this work can be found in the
Computer Society Digital Library at http://computer.
org/tc/archives.htm.
ACKNOWLEDGMENTS
The authors would like to thank the Natural Sciences and
Engineering Research Council of Canada (NSERC) for
partially supporting this work and the reviewers for their
valuable comments.
REFERENCES
[1] D. Hankerson, A. Menezes, and S. Vanstone, Guide to Elliptic Curve
Cryptography. Springer, 2004.
[2] H. Cohen, A. Miyaji, and T. Ono, “Efficient Elliptic Curve
Exponentiation Using Mixed Coordinates,” Advances in Cryptology
—Proc. ASIACRYPT ’98, pp. 51-65, 1998.
[3] V. Dimitrov, L. Imbert, and P.K. Mishra, “Efficient and Secure
Elliptic Curve Point Multiplication Using Double-Base Chains,”
Advances in Cryptology—Proc. ASIACRYPT ’05, pp. 59-78, 2005.
[4] M. Ciet, M. Joye, K. Lauter, and P.L. Montgomery, “Trading
Inversions for Multiplications in Elliptic Curve Cryptography,”
Designs, Codes, and Cryptography, vol. 39, no. 2, pp. 189-206, 2006.
[5] D. Bernstein, “High-Speed Diffie-Hellman, Part 2,” presentation at
INDOCRYPT ’06, tutorial session, 2006.
[6] M. Brown, D. Hankerson, J. Lopez, and A. Menezes, “Software
Implementation of the NIST Elliptic Curves over Prime Fields,”
Topics in Cryptology—CT-RSA ’01, pp. 250-265, 2001.
[7] J. Großschädl, R. Avanzi, E. Savas, and S. Tillich, “Energy-Efficient
Software Implementation of Long Integer Modular Arithmetic,”
Proc. Seventh Int’l Workshop Cryptographic Hardware and Embedded
Systems, pp. 75-90, 2005.
[8] C.H. Lim and H.S. Hwang, “Fast Implementation of Elliptic Curve
Arithmetic in GFðpm Þ,” Proc. Third Int’l Workshop Practice and
Theory in Public Key Cryptography, pp. 405-421, 2000.
[9] C.H. Gebotys and R.J. Gebotys, “Secure Elliptic Curve Implemen-
tations: An Analysis of Resistance to Power-Attacks in a DSP
Processor,” Proc. Fifth Int’l Workshop Cryptographic Hardware and
Embedded Systems, pp. 114-128, 2003.
[10] R. Avanzi, “Aspects of Hyperelliptic Curves over Large Prime
Fields in Software Implementations,” Proc. Sixth Int’l Workshop
Cryptographic Hardware and Embedded Systems, pp. 148-162, 2004.
[11] D. Bernstein, “Curve25519: New Diffie-Hellman Speed Records,”
Proc. Ninth Int’l Conf. Theory and Practice of Public Key Cryptography,
pp. 229-240, 2006.
[12] N. Gura, A. Patel, A. Wander, H. Eberle, and S.C. Shantz,
“Comparing Elliptic Curve Cryptography and RSA on 8-Bit
CPUs,” Proc. Sixth Int’l Workshop Cryptographic Hardware and
Embedded Systems, pp. 119-132, 2004.
[13] A. Woodbury, “Efficient Algorithms for Elliptic Curve Crypto-
systems on Embedded Systems,” MSc thesis, Worcester Poly-
technic Inst., 2001.
[14] R. Avanzi, “Side Channel Attacks on Implementations of Curve-
Based Cryptographic Primitives,” Cryptology ePrint Archive,
Report 2005/017, http://eprint.iacr.org/, 2005.
[15] J.S. Coron, “Resistance against Differential Power Analysis for
Elliptic Curve Cryptosystems,” Proc. First Int’l Workshop Crypto-
graphic Hardware and Embedded Systems, pp. 292-302, 1999.
[16] P.Y. Liardet and N.P. Smart, “Preventing SPA/DPA in ECC
Systems Using the Jacobi Form,” Proc. Third Int’l Workshop
Cryptographic Hardware and Embedded Systems, pp. 401-411, 2001.
[17] O. Billet and M. Joye, “The Jacobi Model of an Elliptic Curve and
Side-Channel Analysis,” Cryptology ePrint Archive, Report 2002/
125, http://eprint.iacr.org/2002/125/, 2002.
[18] N.P. Smart, “The Hessian Form of an Elliptic Curve,” Proc. Third
Int’l Workshop Cryptographic Hardware and Embedded Systems,
pp. 118-125, 2001.
[19] B. Chevallier-Mames, M. Ciet, and M. Joye, “Low-Cost Solutions
for Preventing Simple Side-Channel Analysis: Side-Channel
Atomicity,” IEEE Trans. Computers, vol. 53, no. 6, pp. 760-768,
June 2004.
302
[20] L. Batina, N. Mentens, B. Preneel, and I. Verbauwhede, “Balanced
Point Operations for Side-Channel Protection of Elliptic Curve
Cryptography,” IEE Proc.—Information Security, vol. 152, no. 1,
pp. 57-65, 2005.
[21] W. Fischer, C. Giraud, E.W. Knudsen, and J.-P. Seifert, “Parallel
Scalar Multiplication on General Elliptic Curves over IFp Hedged
against Non-Differential Side-Channel Attacks,” IACR ePrint
Archive, Report 2002/007, http://www.iacr.org, 2002.
[22] T. Izu and T. Takagi, “A Fast Parallel Elliptic Curve Multiplication
Resistant against Side Channel Attacks,” Proc. Fifth Int’l Workshop
Practice and Theory in Public Key Cryptosystems, pp. 280-296, 2002.
[23] T. Izu and T. Takagi, “Fast Elliptic Curve Multiplications Resistant
against Side Channel Attacks,” IEICE Trans. Fundamentals,
vol. E88-A, no. 1, pp. 161-171, 2005.
[24] R. Avanzi, H. Cohen, C. Doche, G. Frey, T. Lange, K. Nguyen, and
F. Vercauteren, Handbook of Elliptic and Hyperelliptic Curve
Cryptography. CRC Press, 2005.
[25] C.D. Walter, “Sliding Windows Succumbs to Big Mac Attack,”
Proc. Third Int’l Workshop Cryptographic Hardware and Embedded
Systems, pp. 286-299, 2001.
[26] K. Aoki, F. Hoshino, T. Kobayashi, and H. Oguro, “Elliptic Curve
Arithmetic Using SIMD,” Proc. Fourth Int’l Conf. Information
Security, pp. 235-247, 2001.
[27] T. Izu and T. Takagi, “Fast Elliptic Curve Multiplications with
SIMD Operations,” Proc. Fourth Int’l Conf. Information and Comm.
Security, pp. 217-230, 2002.
[28] P.K. Mishra, “Pipelined Computation of Scalar Multiplication in
Elliptic Curve Cryptosystems,” IEEE Trans. Computers, vol. 55,
no. 8, pp. 1000-1010, Aug. 2006.
[29] S.B. Xu and L. Batina, “Efficient Implementation of Elliptic Curve
Cryptosystems on an ARM7 with Hardware Accelerator,” Proc.
Third Int’l Conf. Information and Comm. Security, pp. 266-279, 2001.
[30] K. Itoh, M. Takenaka, N. Torii, S. Temma, and Y. Kurihara, “Fast
Implementation of Public-Key Cryptography on a DSP
TMS320C6201,” Proc. First Int’l Workshop Cryptographic Hardware
and Embedded Systems, pp. 61-72, 1999.
IEEE TRANSACTIONS ON COMPUTERS, VOL. 57, NO. 3, MARCH 2008
Patrick Longa received the BSc degree in
electrical engineering from the Catholic Univer-
sity of Peru in 1999 and the MSc degree from
the University of Ottawa, where he conducted
research in cryptography and DSP. Currently, he
is beginning his PhD studies in electrical and
computer engineering at the University of Water-
loo. He worked as a researcher at the Catholic
University of Peru and the Navy Industrial
Services (SIMA). He is the author of eight
research papers. His research interests include (curve-based) crypto-
graphy, security on portable devices, and computer architectures for
signal processing and cryptography.
Ali Miri received the BSc and MSc degrees in
mathematics from the University of Toronto in
1991 and 1993, respectively, and the PhD
degree in electrical and computer engineering
from the University of Waterloo in 1998. He is
currently an associate professor with the School
of Information Technology and Engineering
(SITE) and the Department of Mathematics
and Statistics at the University of Ottawa,
Canada. He is also the director of the Computa-
tional Laboratory in Coding and Cryptography (CLiCC), University of
Ottawa. His research interests include coding and information theory,
applied number theory, and cryptography. He is a member of the
Professional Engineers Ontario and the ACM and a senior member of
the IEEE.
. For more information on this or any other computing topic,
please visit our Digital Library at www.computer.org/publications/dlib.