Miyaji Laboratory

Elliptic curve cryptosystems (ECCs) are cryptographic schemes based on the elliptic curve discrete logarithm problem. Compared with other cryptosystems such as RSA, ECCs can achieve the required level of security with much shorter key lengths. For this reason, ECCs are expected to be widely used in IoT devices with limited memory resources; however, further improvements in performance require more compact and efficient cryptographic techniques. The core operation of ECCs is scalar multiplication of a point on an elliptic curve, for which both security and efficiency are crucial. From a security perspective, countermeasures against physical attacks known as side-channel attacks are essential, and it is required that the execution time be independent of the secret key. Representative scalar multiplication algorithms that are both fast and resistant to side-channel attacks include the Montgomery ladder and the Joye ladder, which are widely used. Moreover, for elliptic curves in the general Weierstrass form, the elliptic curve GLS254 defined over a finite field of characteristic two possesses efficiently computable endomorphisms, which enable acceleration of scalar multiplication. In this study, we propose more efficient scalar multiplication methods that maintain resistance to side-channel attacks. The first approach improves ladder-based methods on elliptic curves in Weierstrass form, and the second approach enhances scalar multiplication on GLS254 by exploiting its endomorphisms. In the addition formulas used for scalar multiplication, instead of computing each variable independently, we directly compute intermediate values that can be obtained with fewer operations, thereby reducing the overall computational cost of the addition formulas. As a result, for Proposed Method 1, compared with the previously most computationally efficient Hambrug method, a reduction in computational cost of 3.8% was achieved when S = 0.8M and 6.6% when S = 0.67M, where M and S denote multiplications and squarings, respectively. Furthermore, Proposed Method 2 achieved an 8.1% speedup compared with the previously most computationally efficient Pornin method.