EP1038371A1 - Transformation methods for optimizing elliptic curve cryptographic computations - Google Patents

Transformation methods for optimizing elliptic curve cryptographic computations

Info

Publication number
EP1038371A1
Authority
EP
European Patent Office
Prior art keywords
point
expression
mapping
field
elliptic curve
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP98965973A
Other languages
German (de)
French (fr)
Other versions
EP1038371A4 (en)
Inventor
Cetin Kaya Koc
John J. Beahan, Jr.
Behzad Sadeghi
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Secured Information Technology Inc
Oregon State University
Oregon State
Original Assignee
Secured Information Technology Inc
Oregon State University
Oregon State
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Secured Information Technology Inc, Oregon State University, Oregon State
Publication of EP1038371A1
Publication of EP1038371A4
Legal status: Withdrawn

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/724Finite field arithmetic
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/724Finite field arithmetic
    • G06F7/725Finite field arithmetic over elliptic curves
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/728Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic using Montgomery reduction
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • The present invention relates to software and hardware implementation of elliptic curve cryptographic systems, in particular, and systems that require computation of calculations involving a finite number of arbitrary field operations within a finite field, in general.
  • Public-key cryptographic systems provide essential capabilities needed in systems requiring secure exchange of information between entities (people or computer systems) that may have never exchanged data with one another before. Most modern information systems, including the Internet, fit this description.
  • Public-key cryptosystems enable such purchases through providing capabilities such as encryption, decryption, digital signatures, and signature verification.
  • An entity interested in receiving secure messages from others publishes his or her "public key". Others use this public key to encrypt messages they send to the entity. These messages can be decrypted only through the use of a
  • RSA public-key cryptosystem: The security of a public-key cryptosystem depends on how difficult it is to derive a private key from its associated, known public key. The more complex it is to mathematically derive the private key, the more time it takes a computer to "break" a public key by "guessing" its corresponding private key.
  • The relationship between RSA's public and private keys is governed by the mathematics of factorization of large composite integers.
  • RSA public and private keys are large integers represented as a binary bit pattern. The longer a key, the harder it is and the longer it takes a computer to break it by deriving its private key. For example, modern advances in factorization algorithms and distributed computing have made breaking 400-bit RSA keys possible.
  • ECC: Elliptic Curve Cryptography.
  • ECC: In order to be commercially viable, ECC needs to allow the same functionality as RSA at comparable speeds, as well as lower costs of implementation in hardware and software. Efficient ECC will enable implementation of many envisioned modern systems that would otherwise be economically infeasible. As such, much research has been focused on achieving efficient ECC in academia and industry. The most common approach to achieving efficient ECC is briefly described below.
  • ECC methods take advantage of specific features of mathematical "groups" called "elliptic curves."
  • An elliptic curve is related to and "constructed over" a mathematical "field." Any finite field can be chosen to construct an elliptic curve, but the exact choice of the field significantly affects the properties of the elliptic curve and the efficiency of computer implementations that represent the "operations" defined within that elliptic curve.
  • One of the most computationally intense operations used in all ECC implementations is known as "elliptic curve point multiplication." Point multiplication requires the computation of eP, where P is a "point" in the elliptic curve and e is a positive integer. This operation is central to many elliptic curve cryptography functions, including encryption, decryption, random number generation, key exchange, digital signing, and signature verification.
  • GF(p) and GF(2^k): Two broad categories of fields, called GF(p) and GF(2^k), have been chosen by the Institute of Electrical and Electronics Engineers (IEEE) as international standards for Elliptic Curve Cryptography. While most academic and commercial research today is concentrated on implementing ECC over either GF(p) or GF(2^k), the exact advantages or disadvantages of each choice with respect to cryptography are not clearly understood at this point. Furthermore, both GF(p) and GF(2^k) encompass countless particular individual member fields within them. Each individual member field has its own properties that affect the computational characteristics of an ECC implementation. Furthermore, given a particular individual member field within GF(p) or GF(2^k), numerous elliptic "curves" can be constructed over such a field. The choice of the curve, too, affects the computational characteristics of the resulting ECC implementation.
  • x is an element of F. In mathematical shorthand, x ∈ F, where the symbol "∈" is commonly read as "belongs to" or "is a member of".
  • A "mapping" is a relationship that associates each member of a set with a particular member of another set.
  • n: any non-negative integer.
  • r: the integer remainder which results when n is divided by p.
  • r = n mod p.
  • A mapping T may be constructed between the
  • Mapping from the set N into the set R: N is referred to as the "domain" of the mapping T, while R is said to be the "range" of the mapping T.
  • The "image" of the set N under the mapping T is the unique subset of R in which every element is an image of at least one element of N. In other words, if E denotes the image of N
  • member of E is an image of some element of N under T, then T is said to map N "onto" E.
  • The word "transformation" is used to refer to a mapping.
  • An "ordered pair" is a mathematical notion that references pairs of objects under circumstances where one needs to keep track of which object is the "first" element of the pair and which object is the "second" element of the pair.
  • The set of all pairs of husbands and wives is a set of ordered pairs, whose members can be represented by the notation (x, y), where x is an element of the set of all husbands, and y is an element of the set of all wives.
  • Let X and Y be any arbitrary sets.
  • The "cross product" of X and Y is the set of all ordered pairs whose first elements come from X and whose second elements come from Y.
  • The cross product of X and Y is written as X × Y and is defined by the set of all ordered pairs (x, y), where x ∈ X and y ∈ Y.
  • X = {0, 1} and Y = {0, 1, 2}.
  • X × Y = {(0, 0), (0, 1), (0, 2), (1, 0), (1, 1), (1, 2)}.
  • T: F × F → F is defined as follows: given any ordered pair (x, y) ∈ F × F, where x ∈ F and y ∈ F, let the image of (x, y) under T be the integer that results from calculating the expression (x + y) mod 7.
  • T((x, y)) = (x + y) mod 7.
  • T((x, y)) is often written as x • y.
  • The symbol "•" is called the "binary operator" and is used to
  • A "group" is a set G together with a binary operation "•" defined within the set G such
  • This element is referred to as the "identity" element in G.
  • G is said to be a group under the • operation.
  • A "field" is a set F together with two binary set operations + and • defined within F such
  • F is an Abelian group under the + operation.
  • The + operation is referred to as the "addition operation" of the field.
  • The • operation is referred to as the "multiplication operation" of the field.
  • The identity element of the field under the multiplication operation is denoted as 1, which is an element of F distinct from 0.
  • x^-1, which is referred to as the "multiplicative inverse" of x.
  • A field F is a "finite field" if it has a finite number of elements.
  • The field F above is a specific example of a family of finite fields known as GF(p), where p is any prime number. Given a particular prime number p, GF(p) is defined as the set {0, 1, ..., p-1} of non-negative integers less than p, together with the addition operation + given by integer addition mod p, and the
  • An example is the field GF(7).
  • The equation itself is a valid equation in GF(7), too.
  • The set of all "solutions" to this equation, i.e. the set of all ordered pairs that satisfy the equation in GF(7), is equal to {(0, 1), (1, 3), (2, 5), (3, 0), (4, 2), (5, 4), (6,
  • x^k represents that unique element of F which results when x is multiplied by itself k
  • is defined to be equal to 1.
  • kx represents that unique element of F which results when x is added to itself k many times using the addition operation in F.
  • kx = x + x + ... + x, where there are k-1 many + operators in the expression.
  • Computing x's multiplicative inverse, x^-1, may be computationally intense. It is possible to view the task of computing the inverse of x as a set operation.
  • A "unary set operation" T defined within a set S is a mapping from S onto S. The word unary underscores the fact that, unlike binary set operations, the domain of T is made up of single, individual members of S. Given any element x of S, let T
  • x is a variable in F, meaning that before the expression is evaluated, some particular element of F must be substituted for x in the expression.
  • The particular member of F which is substituted for x is the
  • The set of all polynomials of degree k defined over GF(2) is referred to as GF(2^k). It is known that given any k greater than 1, specific addition and multiplication operations can be defined within GF(2^k) in such a way that GF(2^k) forms a field under such operations.
  • The set GF(2^k) is the set of all polynomials of order k whose polynomial coefficients are either 0 or 1.
  • The expression f can and will be assumed to be in fully reduced form, in which all calculations in the expression that involve only constants have already been performed, and the resulting constants substituted into the expression.
  • G = GF(p) and • is the multiplication operation in F. Since 1985, some work in industry and academia has been focused on extending the use of the Montgomery algorithm to expressions of a
  • This section describes a particular substitution technique that is often used to manipulate expressions involving elements and operations defined within a field F.
  • The technique involves replacing all instances of a specific pattern of operations and/or operands in f with another specific pattern.
  • Let x and y represent any member of F and let a, b, c, and r be specific
  • The source expression s is given by s = x, where x stands for any single variable within the expression f.
  • The substitution technique simply replaces all occurrences of the variable represented by the source expression s by the pattern given by the target expression t.
  • The substitution technique calls for constructing the set S of all subexpressions of f that "match" the source expression s.
  • The substitution technique works by replacing each member of the set S by the corresponding pattern given by the target expression t, except that before the substitution technique is applied to any member s of the set S, it is first applied to any other members of S that s is a subexpression of.
  • The set S is given by the set of all subexpressions s of the expression f which are of the
  • G is a mathematical group that is constructed over a specific field F, according to a specific set of rules that depend on the exact nature of F. In general, G is a subset
  • x, y are members of GF(p), together with an extra point O, usually named the point at infinity. It is assumed that p is a prime number greater than 3 and a, b in GF(p) are selected such
  • A non-supersingular elliptic curve over the field GF(2^k) is defined by the parameters a and
  • x3 = (λ • λ) + λ + x1 + x2 + a
  • y3 = x1 • x1 + (x1 + y1 • x1^-1) • x3 + x3
  • An elliptic curve cryptographic operation, whether it is an encryption, a decryption, a signature, or a key-pass operation, always involves the computation of eP given e and P, where P is a point on the curve and e is a positive integer.
  • i.e. the computation of e given P and eP is known to be very difficult.
  • This is called the elliptic curve discrete logarithm problem, for which no efficient algorithm is currently known.
  • The addition operation in the elliptic curve group G is defined using a series of field operations from the underlying field F; given two points P and Q in G, computation of R = P + Q or
  • Equations 4 above show that computation of R = P + Q requires one field inversion, three field multiplications, and nine field additions.
  • The computation of P + P requires one field inversion, three field multiplications and five field additions, as demonstrated by equations 5.
  • 18(3, 10) is (6, 19).
  • The elliptic curve discrete logarithm problem then becomes: knowing (3, 10) and (6, 19) and that (6, 19) is an integer multiple of (3, 10), what is this integer?
  • The integer used for this example is equal to 18.
  • The present invention optimizes the calculation of Elliptic Curve Cryptography computations through a transformation method that permits the use of any elliptic curve defined over any field F in a secure and efficient manner.
  • The invention utilizes an arbitrary integer e, and a point P on an elliptic curve group G defined over a field F, where the group G is a subset of the field F crossed with the field F.
  • The present invention constructs a set G' and a mapping from G into the set G'.
  • The present invention also includes a method for optimizing the calculation of cryptographic operations involving arbitrary expressions in finite field arithmetic through a transformation method that permits the use of any field F in an efficient manner.
  • The invention includes a method for transforming any arbitrary finite calculation in any finite field into a canonical form in which other previously known algorithms can be applied, thereby achieving increased calculation speed and efficiency.
  • The present invention teaches a set of transformations of the cryptographic calculations that allows the use of other known techniques that have only been applicable to certain limited special cases prior to this invention.
  • The present invention provides a method for optimizing ECC computations for any curve in any field through focusing on one of the most computationally intense operations used in all ECC implementations, known as "elliptic curve point multiplication."
  • Point multiplication requires the computation of eP, where P is a point in the elliptic curve and e is a positive integer.
  • This operation is central to many elliptic curve cryptography functions, including encryption, decryption, random number generation, key exchange, digital signing, and signature verification.
  • The present invention achieves efficient ECC by providing a methodology for optimizing the implementation of the elliptic curve point multiplication operation.
  • The present invention can be utilized to implement ECC over any curve in any field, including all individual member fields in GF(p) and GF(2^k).
  • The present invention further provides a methodology for optimizing computation of calculations involving a finite number of arbitrary field operations within any finite field. These calculations play a key role in computer implementations of numerous systems, including elliptic curve cryptosystems.
  • The present invention provides a "transformation method" which can be used to enable optimized implementations of elliptic curve cryptographic systems in hardware and software.
  • The present invention, because it employs a reversible transformation applied to the elements of the elliptic group, does not in any way alter the fundamental security properties of the mathematical algorithm used to perform the elliptic curve cryptography.
  • The security of the overall ECC algorithm is determined by the choice of elliptic curve equations, number representation, arithmetic algorithms and other implementation aspects.
  • The present invention can be used in any and all potential ECC applications, ranging from software for secure distribution of digital products such as movies and songs to hardware chips embedded in consumer electronic products such as cellular phones and smart cards.
  • The cost-saving potential of the present invention can significantly enhance existing commercial applications and make previously infeasible business opportunities economically viable.
  • The present invention provides an improved method to optimize the computation of eP, where e is an integer and P is an element
  • T^-1(T(P1) ⊕ T(P2) ⊕ ... ⊕ T(PN)) is in general more optimized than computation of P1 + P2 + ... + PN.
  • The additional cost of transforming the elements of G may or may not
  • The present invention further provides a particular method for construction of G', T, and
  • G is a subset of F × F.
  • Points in G can be written as ordered pairs (x, y), where x and y are elements of the field F.
  • The present invention provides that a particular member r of F is first selected.
  • The element r may be selected to be any member of the field F. Let t be the
  • G' is the set of all elements of F × F that have a point in G mapped to
  • The present invention further provides that T is the transformation from G onto G' such
  • T^-1 maps Q' = (u', v'), any element of G', to (u' • r^-1, v' • r^-1).
  • This more detailed embodiment of the present invention includes the steps of:
  • eP may through careful definition of a ⊕ operation in G' and careful selection of r. Certain values of r may provide faster software implementations, while others may enable more algorithmic parallelism.
  • A new transformed operation ⊕ is constructed such that conditions (i), (ii), and (iii)
  • The present invention includes a method for optimizing calculations of eP when F is an
  • G is an elliptic curve group over F ∈ GF(p), and G', T, T^-1 are constructed in accordance with the method of the invention described in
  • Equations A' above give the coordinates for Q'. As such, it can be shown that,
  • The present invention has provided a method for the selection of T, ⊕, and T^-1 and their corresponding algorithms in a manner such that given P1, P2, ..., PN ∈ G, where N is
  • T(P1) ⊕ T(P2) ⊕ ... ⊕ T(PN) involves repeated application of the expressions in
  • The present invention further includes a method for optimizing calculations of eP when F
  • F is an individual member field of GF(2^k).
  • G is an elliptic curve group over F ∈ GF(2^k), and G', T, T^-1 are constructed in accordance with the method of the invention described in Section B, above, through choosing an arbitrary element r of F.
  • The present invention derives the following set of field equations for the operation of "doubling a
  • Equations A' above give the coordinates for Q'.
  • The present invention has provided a method for the selection of G', T, ⊕, and T^-1 and
  • The present invention further provides a method for achieving higher efficiencies when utilizing the methods of Sections C and D above by providing specific choices of r.
  • The present invention works with any element r in the field F over which the elliptic curve group G is defined.
  • The exact choice of the element r affects the computational characteristics of the resulting calculations.
  • The present invention teaches that the selection of r can optimize specific aspects of a software and/or hardware implementation within specific computer environments. For instance, choosing r to be a multiple of 32 can have beneficial effects.
  • For the field GF(2^k), r is selected as x^k mod n(x), where n(x) is the irreducible polynomial generating the field GF(2^k).
  • Other selections of r for different fields are also possible.
  • The transformation algorithms work independently of this selection.
  • The present invention further provides a method for optimizing calculation of a finite number of arbitrary field operations over any finite field. Let f be a valid expression defined within
  • The present invention provides a method for optimizing computation of f, which includes carrying out the following steps in sequence: (1) Select r to be any single element of the field F.
  • The element r is a constant.
  • The element r will be used to transform the expression f into a new expression f' through applying a series of substitutions in accordance with the substitution technique described earlier in this document.
  • The expression f may coincidentally contain constants or variables that have the same field value as the selected element r, without affecting this procedure.
  • Subsequent steps of this procedure will rely on the expression f being initially free of "primed" symbols such as d'. If the expression f initially contains any variables or constants which are denoted by "primed" symbols, then replace each primed variable or constant symbol with
  • This step is to label as ⊗ all of the original • operators occurring in the expression f to
  • x' denotes a primed variable or primed constant occurring in the expression f', specifically excluding all instances of the unprimed constant r.
  • The effect of this step is to replace every primed symbol with its unprimed form multiplied by r.
  • The present invention has carefully specified the preceding steps in such a way as to ensure that
  • The present invention provides a method to transform any expression f involving a
  • The Montgomery Algorithm can be applied to the expression f' • r^-1 to
  • the present invention may also be used with "projective coordinates," which are used to eliminate the need for performing inversion
  • In projective coordinates a point on the elliptic curve group G has three coordinate values, (xi, yi, zi), while affine coordinates require only two values: (xi, yi).
  • the present invention can also be used in conjunction with projective coordinates.
  • the present invention may be implemented on any conventional or general purpose PC computer system. It may also be used in conjunction with any network system, including the Internet.
  • a preferred embodiment of a computer system for implementing this invention is an Intel Pentium II PC 233 MHz, running Windows NT 4.0.
  • the present invention can be implemented in any programming language including C and Java.
  • The following are examples of pseudo code suitable for implementing the present invention.
  • T'(y) = Multiply(lambda', (P'(x) + T'(x))) + T'(x) + P'(y); return T'; end
  • DoublePoint. Input P': Transformed Point on the EC.
  • Output T': Transformed Point on the EC.
  • The following references describe the mathematical background for the present invention. Those references include P. L. Montgomery, Modular multiplication without trial division,

Abstract

The present invention provides a transformation method for obtaining optimized hardware and software implementations of elliptic curve cryptographic systems, including elliptic curve encryption, decryption, and signature functions. The method is applicable to any elliptic curve group G defined over any field F. More specifically, the present invention is characterized by speeding up the elliptic curve point multiplication operation, which consists of the calculation Q = eP, where P is a member of G and e is an integer. This is achieved by transforming P = (x, y) to a point P' = (x', y') in order to compute Q' = (u, v) = eP'. The point P' is not necessarily on the elliptic curve, but by performing the calculation on P' and transforming the resulting Q' back into G, it may be possible to calculate Q more efficiently than by a direct method. The present invention also includes a method for optimizing the calculation of cryptographic operations involving arbitrary expressions in finite field arithmetic through a transformation method that permits the use of any field F in an efficient manner. The invention includes a method for optimizing arbitrary finite calculation in any finite field. The present invention teaches a set of transformations of cryptographic calculations that allows the use of other known techniques that have only been applicable to certain limited special cases prior to this invention.
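The abstract's method (transform P into G', run the scalar multiplication there, map Q' back with T^-1) and the Definitions' construction of T and T^-1 from a field element r, worked through as an added example that is not the patent's own code. It assumes the curve y^2 = x^3 + x + 1 over GF(23), which is consistent with the page's 18(3, 10) = (6, 19), and takes r to be a Montgomery radix R = 2^5, so that the transformed group law ⊕ is the affine law with every field multiplication replaced by Montgomery multiplication (REDC) and no division by p.

```python
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity O

# Assumed curve (not stated on the page): y^2 = x^3 + x + 1 over GF(23).
# It agrees with the page's example 18*(3, 10) = (6, 19).
P_MOD, A, B = 23, 1, 1
# The transformation element r is taken as a Montgomery radix R = 2^5 (R > p, gcd(R, p) = 1).
R_BITS = 5
R, R_MASK = 1 << R_BITS, (1 << R_BITS) - 1
P_INV_NEG = (-pow(P_MOD, -1, R)) % R  # -p^-1 mod R, the REDC constant
R3 = pow(R, 3, P_MOD)                 # R^3 mod p, used to invert inside the transformed domain
A_T = (A * R) % P_MOD                 # the curve constant a, "primed" as a' = a*r

def on_curve(pt: Point) -> bool:
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

# ---- direct affine group law in G (the page's equations 4 and 5) ----
def add_direct(p1: Point, p2: Point) -> Point:
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                        # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)          # addition
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

# ---- Montgomery arithmetic: a transformed value is u' = u*R mod p ----
def redc(t: int) -> int:
    """Montgomery reduction: t * R^-1 mod p for 0 <= t < p*R (shifts only, no division)."""
    m = ((t & R_MASK) * P_INV_NEG) & R_MASK
    u = (t + m * P_MOD) >> R_BITS
    return u - P_MOD if u >= P_MOD else u

def mont_mul(a: int, b: int) -> int:
    """(x*R) (*) (y*R) -> (x*y)*R : the product stays in the transformed domain."""
    return redc(a * b)

def mont_inv(a: int) -> int:
    """(x*R) -> (x^-1)*R, so the inverse also stays in the transformed domain."""
    return mont_mul(pow(a, -1, P_MOD), R3)

def transform(pt: Point) -> Point:
    """T: (x, y) -> (x*r, y*r)."""
    return None if pt is None else ((pt[0] * R) % P_MOD, (pt[1] * R) % P_MOD)

def untransform(pt: Point) -> Point:
    """T^-1: (u', v') -> (u'*r^-1, v'*r^-1), one REDC per coordinate."""
    return None if pt is None else (redc(pt[0]), redc(pt[1]))

# ---- the transformed group law on G': the same formulas with * replaced by mont_mul ----
def add_transformed(p1: Point, p2: Point) -> Point:
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:                # equality and negation survive T
        return None
    if p1 == p2:
        lam = mont_mul((3 * mont_mul(x1, x1) + A_T) % P_MOD, mont_inv((2 * y1) % P_MOD))
    else:
        lam = mont_mul((y2 - y1) % P_MOD, mont_inv((x2 - x1) % P_MOD))
    x3 = (mont_mul(lam, lam) - x1 - x2) % P_MOD
    y3 = (mont_mul(lam, (x1 - x3) % P_MOD) - y1) % P_MOD
    return (x3, y3)

def scalar_mult(e: int, pt: Point, add) -> Point:
    """Left-to-right double-and-add using whichever group law is supplied."""
    acc: Point = None
    for bit in bin(e)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def mul_direct(e: int, pt: Point) -> Point:
    return scalar_mult(e, pt, add_direct)

def mul_via_transform(e: int, pt: Point) -> Point:
    """Q = T^-1(e * T(P)): the whole multiplication runs in G', mapped back once at the end."""
    return untransform(scalar_mult(e, transform(pt), add_transformed))

if __name__ == "__main__":
    P = (3, 10)
    print(transform(P), on_curve(transform(P)), mul_direct(18, P), mul_via_transform(18, P))
```

T(3, 10) = (4, 21) is not on the curve, as the abstract notes, yet both paths return 18P = (6, 19); the mapping back is deferred to the very end, so the per-step cost is that of the ⊕ law alone.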

Description

TRANSFORMATION METHODS FOR OPTIMIZING
ELLIPTIC CURVE CRYPTOGRAPHIC COMPUTATIONS
TECHNICAL FIELD OF INVENTION The present invention relates to software and hardware implementation of elliptic curve cryptographic systems, in particular, and systems that require computation of calculations involving a finite number of arbitrary field operations within a finite field, in general
BACKGROUND OF THE INVENTION In the modern information-based society, the need for global computer and network security is becoming increasingly urgent. Cryptographic systems are fundamental tools used to build systems that ensure privacy, trust, and access control in such diverse areas as electronic commerce, corporate security, digital distribution of intellectual property, and national security, among others. "Public-key" cryptographic systems, in turn, provide essential capabilities needed in systems requiring secure exchange of information between entities (people or computer systems) that may have never exchanged data with one another before. Most modern information systems, including the Internet, fit this description. As an example, while a consumer may have never had any contacts with a particular on-line vendor, he or she should be able to purchase an item from that vendor in a secure manner. Public-key cryptosystems enable such purchases through providing capabilities such as encryption, decryption, digital signatures, and signature verification. In public-key cryptography, an entity interested in receiving secure messages from others publishes his or her "public key." Others use this public key to encrypt messages they send to the entity. These messages can be decrypted only through the use of a "private key" which is known only to the entity. The entity can also use this private key to digitally "sign" a piece of data. Others, in turn, can use the public key to verify the signature and ascertain that the data was indeed signed by the signing entity.
The security of a public-key cryptosystem depends on how difficult it is to derive a private key from its associated, known public key. The more complex it is to mathematically derive the private key, the more time it takes a computer to "break" a public key by "guessing" its corresponding private key. Today, the most commonly used public-key cryptography system is the RSA public-key cryptosystem. The relationship between RSA's public and private keys is governed by the mathematics of factorization of large composite integers. RSA public and private keys are large integers represented as a binary bit pattern. The longer a key, the harder it is and the longer it takes a computer to break it by deriving its private key. For example, modern advances in factorization algorithms and distributed computing have made breaking 400-bit RSA keys possible. Breaking an RSA key of length 1024 or 2048 bits, however, is thought to be virtually impossible given the computing resources available today. To retain an acceptable level of security, modern systems have been using longer RSA keys. Since performing public-key cryptography using longer keys requires more computing resources, it is economically ideal to use an alternative public-key cryptosystem that provides the same level of security with shorter keys. Over the last decade, Elliptic Curve Cryptography ("ECC") has emerged as one possible alternative for an effective cryptosystem. ECC offers the same level of security as RSA with keys that are one-sixth the length of RSA keys. Until now, however, existing software implementations of ECC have been too inefficient to be commercially viable. In order to be commercially viable, ECC needs to allow the same functionality as RSA at comparable speeds, as well as lower costs of implementation in hardware and software. 
Efficient ECC will enable implementation of many envisioned modern systems that would otherwise be economically infeasible. As such, much research has been focused on achieving efficient ECC in academia and industry. The most common approach to achieving efficient ECC is briefly described below. To perform public-key cryptography, ECC methods take advantage of specific features of mathematical "groups" called "elliptic curves." An elliptic curve is related to and "constructed over" a mathematical "field." Any finite field can be chosen to construct an elliptic curve, but the exact choice of the field significantly affects the properties of the elliptic curve and the efficiency of computer implementations that represent the "operations" defined within that elliptic curve. One of the most computationally intense operations used in all ECC implementations is known as "elliptic curve point multiplication." Point multiplication requires the computation of eP, where P is a "point" in the elliptic curve and e is a positive integer. This operation is central to many elliptic curve cryptography functions, including encryption, decryption, random number generation, key-exchange, digital signing, and signature verification.
Over the last decade, a debate has been carried on in the cryptography community over which categories of fields provide the best choices for use with ECC. Two broad categories of fields, called GF(p) and GF(2^k), have been chosen by the Institute of Electrical and Electronics Engineers (IEEE) as international standards for Elliptic Curve Cryptography. While most academic and commercial research today is concentrated on implementing ECC over either GF(p) or GF(2^k), the exact advantages or disadvantages of each choice with respect to cryptography are not clearly understood at this point. Furthermore, both GF(p) and GF(2^k) encompass countless particular individual member fields within them. Each individual member field has its own properties that affect the computational characteristics of an ECC implementation. Furthermore, given a particular individual member field within GF(p) or GF(2^k), numerous elliptic "curves" can be constructed over such a field. The choice of the curve, too, affects the computational characteristics of the resulting ECC implementation.
Prior attempts for creating efficient ECC implementations have usually been based on finding either specific individual member fields in GF(2^k) or GF(p), or specific curves defined over such individual member fields, which possess "special" mathematical or computational properties. These special properties would then be exploited to optimize ECC computations. This approach does not attempt to achieve efficient ECC across all mathematical fields. Rather, it concentrates on carefully choosing a particular field so that a specific mathematical or computational technique can be deployed to achieve efficient ECC computations. An example of this is the proposal by Agnew, et al. to utilize a method called "Normal Basis" to achieve fast ECC in particular fields in GF(2^k). While most academic and industry research has focused on using an alternate method known as "Polynomial Basis" for fields in GF(2^k), the use of Normal Basis in six particular fields within GF(2^k) has allowed commercialization of a particular implementation of ECC. One disadvantage of this approach is that key lengths are limited to the six values allowed by those particular fields.
MATHEMATICAL BACKGROUND OF THE INVENTION
This Section presents a list of some of the mathematical terms that are used in this document. Some key concepts that can be useful in following the methodology of the invention are also briefly described in this Section. The descriptions in this Section are not meant to be mathematically precise or rigorous.
Sets
A "set" is any collection of objects, including mathematical and physical objects. Often, a set is represented in print by enclosing a comma-separated list of the objects that make up the set within the curly brackets "{" and "}". For example, let F represent the set of all non-negative integers smaller than 7. That set can be written as F = {0, 1, 2, 3, 4, 5, 6}. An object that belongs to a set is a "member" or "element" of the set. In another example, F denotes the set of all polynomials of order 4, and p(x) represents the specific polynomial x^4 + x^2 - x + 1. Since p(x) is a polynomial of order 4, p(x) is an element of F. In mathematical shorthand, p(x) ∈ F, where the symbol "∈" is commonly read as "belongs to" or "is a member of". A particular set S is a "subset" of another set F if every element of the set S is also an element of the set F. This is denoted by the shorthand notation S ⊂ F. For instance, {5, 1, 3} ⊂ {0, 1, 2, 3, 4, 5, 6}. The "⊂" symbol is read as "is a subset of". Every set is a subset of itself: given any set S, then S ⊂ S.
Mappings
A "mapping" is a relationship that associates each member of a set with a particular member of another set. For instance, T can be defined as the relationship that "maps" each member of the set of all human beings to the integer that represents that person's age. If Tom is 32 years old, then T(Tom) = 32 is written to denote the relationship that T establishes between the integer 32 and the human being Tom. 32 is said to be the "image" of Tom "under" the mapping T.
In another example, let p be a prime number, n denote any non-negative integer, and r denote the integer remainder which results when n is divided by p. A mathematical shorthand for this is r = n mod p. For instance, if p = 7 and n = 15, then r = 15 mod 7 = 1, which is the remainder of 15 divided by 7, since 15 = 2 · 7 + 1. A mapping T may be constructed between the set of all non-negative integers N = {0, 1, 2, 3, ...} and the set R = {0, 1, 2, 3, 4, 5, 6, 7, 8} in the following manner: given that p = 7 and given any non-negative integer n ∈ N, let T(n) = r = n mod p. Thus, T(37) = r = 37 mod 7 = 2. Note that regardless of what value n takes, T(n) is an integer less than 7. In other words, given any n ∈ N, then T(n) ∈ R. By convention, T is said to map the set N "into" the set R. This is denoted in shorthand as T: N → R, which is read "T is a mapping from the set N into the set R". N is referred to as the "domain" of the mapping T, while R is said to be the "range" of the mapping T.
The "image" of the set N under the mapping T is the unique subset of R where every element is an image of at least one element of N. In other words, if F denotes the image of N under T, then, given any element y ∈ F, there exists at least one element x ∈ N such that T(x) = y. Since the remainder of the division of any positive integer by 7 is one of the numbers from 0 to 6, the image of N under T in the above example is the set F = {0, 1, 2, 3, 4, 5, 6}. Since F ⊂ R (recall that R = {0, 1, 2, 3, 4, 5, 6, 7, 8}), and no element of N is mapped to any element of R outside of F, T is also a mapping from N into F. In other words, T: N → F. Since every member of F is an image of some element of N under T, T is said to map N "onto" F. Sometimes, the word "transformation" is used to refer to a mapping.
Set Operations
An "ordered pair" is a mathematical notion that references pairs of objects under circumstances where one needs to keep track of which object is the "first" element of the pair and which object is the "second" element of the pair. For instance, the set of all pairs of husbands and wives is a set of ordered pairs, whose members can be represented by the notation (x, y), where x is an element of the set of all husbands, and y is an element of the set of all wives. Let X and Y be any arbitrary sets. The "cross product" of X and Y is the set of all ordered pairs whose first elements come from X and whose second elements come from Y. In mathematical parlance, the cross product of X and Y is written as X × Y and is defined as the set of all ordered pairs (x, y), where x ∈ X and y ∈ Y. As an example, let X = {0, 1} and Y = {0, 1, 2}; then X × Y = {(0, 0), (0, 1), (0, 2), (1, 0), (1, 1), (1, 2)}.
Given any set S, a mapping from S × S into S can be referred to as a "binary set operation" defined within S (the word binary underscores the fact that each element of the domain of the mapping is an ordered pair). For instance, let F = {0, 1, 2, 3, 4, 5, 6}. Next, construct a mapping T: F × F → F as follows: given any ordered pair (x, y) ∈ F × F, where x ∈ F and y ∈ F, let the image of (x, y) under T be the integer that is the result of calculating the expression (x + y) mod 7. In other words, let T((x, y)) = (x + y) mod 7. It is relatively straightforward to verify that the range of T is in fact the set F. For example, T((4, 6)) = (4 + 6) mod 7 = 10 mod 7 = 3. Regardless of the value of x + y, the integer which is the result of the expression (x + y) mod 7 is the remainder of a division by 7 and therefore an integer between 0 and 6, and a member of F. Hence, T is a binary set operation defined within F.
For the sake of convenience, when working with a given binary operation T, the construct T((x, y)) is often written as x • y. The symbol "•" is called the "binary operator" and is used to represent the binary operation T. For instance, given the above definition for T, instead of writing T((4, 6)) = 3, one writes 4 • 6 = (4 + 6) mod 7 = 3. Other symbols may also be used as binary operator symbols. Two other commonly used such symbols are + and ⊕. The two members of the set S that make up the ordered pair that a binary operation maps into another member of the set S are the "operands" in the operation, which, in turn, is said to "operate on" the operands. For example, in the equation 4 • 6 = 3, the operands are 4 and 6.
Groups
A "group" is a set G together with a binary operation "•" defined within the set G such that the following three conditions are satisfied:
(i) Given x, y, z ∈ G, then x • (y • z) = (x • y) • z. This is known as the associative property of the group.
(ii) There exists a unique element I ∈ G such that x • I = I • x = x for all x ∈ G. The element I is referred to as the "identity" element in G.
(iii) Given any x ∈ G, there exists an element x^-1 ∈ G such that x • x^-1 = I. The element x^-1 is referred to as the "inverse" of x under the • operation.
The • operation is referred to as the "group operation." It is the existence of the group operation defined within the set G that allows G to be a group. In fact, G is said to be a group under the • operation. An "Abelian" group is a group G such that given any x, y ∈ G, then x • y = y • x.
As an example of an Abelian group, consider the set F = {1, 2, 3, 4, 5, 6} together with the operation • defined as x • y = (x · y) mod 7 for all elements x, y ∈ F (the "·" represents the common operation of integer multiplication). It is known that F is a group under this "multiplication operation." To demonstrate this, Table 1, which contains the values of x • y = (x · y) mod 7 for all possible combinations of elements x, y ∈ F, is constructed below. To look up the value of x • y using the table, locate the cell that is at the intersection of the row whose label is the value of x with the column whose label is the value of y.
Table 1. The Multiplication Operation in F = {1, 2, 3, 4, 5, 6} Given by x • y = (x · y) mod 7
As an example, note that if x = 5 and y = 6, the table gives x • y = 2. To verify the accuracy of this, note that x • y = 5 • 6 = (5 · 6) mod 7 = 30 mod 7 = 2.
Given the above definitions for • and F, the task of verifying that F is a group is tantamount to verifying that conditions (i), (ii), and (iii) above are satisfied:
(i) Condition (i) provides that x • (y • z) = (x • y) • z. Using x = 3, y = 5 and z = 2, consider that 3 • (5 • 2) = 3 • ((5 · 2) mod 7) = 3 • (10 mod 7) = 3 • 3 = (3 · 3) mod 7 = 9 mod 7 = 2; and that (3 • 5) • 2 = ((3 · 5) mod 7) • 2 = (15 mod 7) • 2 = 1 • 2 = (1 · 2) mod 7 = 2 mod 7 = 2. Therefore, (3 • 5) • 2 = 3 • (5 • 2).
(ii) Table 1 demonstrates that the identity element of F under the group operation • is 1. For, as the table shows, x • 1 = 1 • x = x for all x ∈ F.
(iii) Using Table 1, the following values for the inverse, x^-1, of each element x of F (where x • x^-1 = 1) can be derived: 1^-1 = 1, 2^-1 = 4, 3^-1 = 5, 4^-1 = 2, 5^-1 = 3, and 6^-1 = 6.
(iv) Examining Table 1 also establishes that for all x, y ∈ F, x • y = y • x. Hence, F is an Abelian group under the multiplication operation.
Sometimes, the symbol + is used to denote the group operation in F. In such cases, the inverse of any element x ∈ F under + is denoted by -x rather than x^-1. As another example of an Abelian group, consider the set F = {0, 1, 2, 3, 4, 5, 6} together with the operation + defined as x + y = (x + y) mod 7 for all elements x, y ∈ F (the second "+" represents the common operation of integer addition). It is known that F is a group under this "addition operation." To demonstrate this, Table 2, which contains the values of x + y = (x + y) mod 7 for all possible combinations of elements x, y ∈ F, is constructed below.
Table 2. The Addition Operation in F = {0, 1, 2, 3, 4, 5, 6} Given by x + y = (x + y) mod 7
As an example, note that if x = 5 and y = 6, the table gives x + y = 4. To verify the accuracy of this, note that x + y = 5 + 6 = (5 + 6) mod 7 = 11 mod 7 = 4. Given the above definitions for + and F, the task of verifying that F is a group is tantamount to verifying that conditions (i), (ii), and (iii) above are satisfied.
(i) As an example of condition (i) holding, consider that (3 + 5) + 2 = ((3 + 5) mod 7) + 2 = (8 mod 7) + 2 = 1 + 2 = (1 + 2) mod 7 = 3 mod 7 = 3; and that 3 + (5 + 2) = 3 + ((5 + 2) mod 7) = 3 + (7 mod 7) = 3 + 0 = (3 + 0) mod 7 = 3 mod 7 = 3. Therefore, (3 + 5) + 2 = 3 + (5 + 2).
(ii) Table 2 demonstrates that the identity element of F under the group operation + is 0. For, as the table shows, x + 0 = 0 + x = x for all x ∈ F.
(iii) Using Table 2, the following values for the inverse, -x, of each element x of F (where x + (-x) = 0) can be derived: -0 = 0, -1 = 6, -2 = 5, -3 = 4, -4 = 3, -5 = 2, and -6 = 1.
(iv) Examining Table 2 also establishes that for all x, y ∈ F, x + y = y + x. Hence, F is an Abelian group under the addition operation.
Fields
A "field" is a set F together with two binary set operations + and • defined within F such that the following conditions are met:
(i) F is an Abelian group under the + operation. The + operation is referred to as the "addition operation" of the field. The identity element of the field under the addition operation is denoted as 0. Given any element x ∈ F, the inverse of x under the addition operation of the field is denoted by -x, which is referred to as the "additive inverse" of x.
(ii) If 0 were to be removed from the set F, the resulting set would be an Abelian group under the • operation. The • operation is referred to as the "multiplication operation" of the field. The identity element of the field under the multiplication operation is denoted as 1, which is an element of F distinct from 0. Given any element x ∈ F, the inverse of x under the multiplication operation of the field is denoted by x^-1, which is referred to as the "multiplicative inverse" of x.
(iii) Given any x ∈ F, then x • 0 = 0 • x = 0.
(iv) Given any x, y, z ∈ F, then x • (y + z) = (x • y) + (x • z). This is known as the "distributive property" of the field.
An example of a field is the set F = {0, 1, 2, 3, 4, 5, 6} together with the + operation defined as x + y = (x + y) mod 7 and the • operation defined as x • y = (x · y) mod 7 for all x, y ∈ F. It is known that F forms a field under these addition and multiplication operations. To demonstrate this fact, it is necessary to show that the four conditions described above are satisfied. Conditions (i) and (ii) were shown to be satisfied in the previous Section. Condition (iii) is evident from Table 3, below.
Table 3. The Multiplication Operation in F = {0, 1, 2, 3, 4, 5, 6}
As an example of condition (iv) holding, we will show that 3 • (5 + 6) = (3 • 5) + (3 • 6). Indeed, 3 • (5 + 6) = (3 · ((5 + 6) mod 7)) mod 7 = (3 · (11 mod 7)) mod 7 = (3 · 4) mod 7 = 12 mod 7 = 5, while (3 • 5) + (3 • 6) = (((3 · 5) mod 7) + ((3 · 6) mod 7)) mod 7 = ((15 mod 7) + (18 mod 7)) mod 7 = (1 + 4) mod 7 = 5 mod 7 = 5, too.
A field F is a "finite field" if it has a finite number of elements. The field F above is a specific example of a family of finite fields known as GF(p), where p is any prime number. Given a particular prime number p, GF(p) is defined as the set {0, 1, ..., p-1} of non-negative integers less than p, together with the addition operation + given by integer addition mod p, and the multiplication operation • given by integer multiplication mod p. The field F used in the above example is the field GF(7).
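As an added illustration that is not part of the patent text, the following Python checks the group and field conditions of the preceding Sections exhaustively for GF(p), and recovers the identity and inverse values that the text reads off Tables 1 to 3; the function names are this example's own.

```python
# Added example (not from the patent): exhaustive verification that
# F = {0, ..., p-1} with addition and multiplication mod p satisfies the
# group conditions (i)-(iii) and field conditions (i)-(iv) stated above.
from itertools import product

def add(x, y, p):
    """The page's + operation: x + y = (x + y) mod p."""
    return (x + y) % p

def mul(x, y, p):
    """The page's • operation: x • y = (x · y) mod p."""
    return (x * y) % p

def operation_table(elements, op, p):
    """Table 1/2/3 style lookup: table[x][y] is the cell in row x, column y."""
    return {x: {y: op(x, y, p) for y in elements} for x in elements}

def identity(elements, table):
    """The unique e with e op x = x op e = x for every x, or None if absent."""
    ids = [e for e in elements
           if all(table[e][x] == x and table[x][e] == x for x in elements)]
    return ids[0] if len(ids) == 1 else None

def inverses(elements, table, e):
    """Map each x to a y with x op y = e; None where no inverse exists."""
    return {x: next((y for y in elements if table[x][y] == e), None)
            for x in elements}

def is_abelian_group(elements, op, p):
    """Closure, associativity, identity, inverses and commutativity, by brute force."""
    table = operation_table(elements, op, p)
    e = identity(elements, table)
    if e is None:
        return False
    if any(v is None for v in inverses(elements, table, e).values()):
        return False
    closed = all(table[x][y] in elements for x, y in product(elements, repeat=2))
    assoc = all(table[x][table[y][z]] == table[table[x][y]][z]
                for x, y, z in product(elements, repeat=3))
    comm = all(table[x][y] == table[y][x] for x, y in product(elements, repeat=2))
    return closed and assoc and comm

def is_field(p):
    """Field conditions (i)-(iv) from the 'Fields' section for {0, ..., p-1}."""
    F = list(range(p))
    if not is_abelian_group(F, add, p):           # (i)  additive group
        return False
    if not is_abelian_group(F[1:], mul, p):       # (ii) nonzero elements under •
        return False
    if any(mul(x, 0, p) != 0 for x in F):         # (iii) x • 0 = 0
        return False
    return all(mul(x, add(y, z, p), p) == add(mul(x, y, p), mul(x, z, p), p)
               for x, y, z in product(F, repeat=3))   # (iv) distributivity

def multiplicative_inverses(p):
    """x^-1 for each nonzero x, as derived from Table 1 in the text."""
    nonzero = list(range(1, p))
    return inverses(nonzero, operation_table(nonzero, mul, p), 1)

def additive_inverses(p):
    """-x for each x, as derived from Table 2 in the text."""
    F = list(range(p))
    return inverses(F, operation_table(F, add, p), 0)
```

`is_field(6)` fails at condition (ii), since 2 and 3 have no multiplicative inverse mod 6, which is why GF(p) is defined only for prime p.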
Field Arithmetic
The mathematical concept of fields is an abstraction of the familiar "rational" number system. The rationals are the set of all integers together with all numbers that can be represented as a fraction whose numerator and denominator are both non-zero integers. The set of all rational numbers can in fact be shown to be a field under the common operations of addition and multiplication of fractions. As such, common mathematical techniques of arithmetic have also been carried over to the more abstract domain of fields. Given a particular field F, mathematical field theory allows the writing and evaluation of "valid" arithmetic expressions and equations whose constants and variables "come from the field," i.e. are members of F.
For instance, consider the equation y = (2 • x) + 1. The set of all ordered pairs (x, y) of rational numbers that satisfy this equation includes such elements as (0, 1), (2, 5), (4, 9), and (3.45, 7.9). However, since the constants in this equation, 2 and 1, are also members of the field GF(7), the "expression" (2 • x) + 1 is a valid expression in GF(7), meaning that as long as the value that is substituted for x in the expression is a member of GF(7), it is guaranteed that the expression will "evaluate" to a valid member of GF(7). As such, the equation itself is a valid equation in GF(7), too. In fact, the set of all "solutions" to this equation, i.e. the set of all ordered pairs that satisfy the equation in GF(7), is equal to {(0, 1), (1, 3), (2, 5), (3, 0), (4, 2), (5, 4), (6, 6)}.
To facilitate working with more complicated expressions, a few mathematical shorthands are utilized in field arithmetic. Given any field F, any element x ∈ F, and any positive integer k, the expression x^k represents that unique element of F which results when x is multiplied by itself k times using the multiplication operation in F. In other words, x^k = x • x • ... • x, where there are k-1 many • operators in the expression. By convention, x^0 is defined to be equal to 1.
Given any integer k and any element x in F, the expression kx represents that unique element of F which results when x is added to itself k many times using the addition operation in F. In other words, kx = x + x + ... + x, where there are k-1 many + operators in the expression.
Given c a constant in F and x a variable defined over F, the expression c • x is commonly written as cx. Furthermore, given x and y, any two elements of F, the expression x + (-y) is commonly written as x - y.
Given a field F and any element x in F, the task of computing x's additive inverse, -x, or x's multiplicative inverse, x^-1, may be computationally intense. It is possible to view the task of computing the inverse of x as a set operation. A "unary set operation" T defined within a set S is a mapping from S onto S. The word unary underscores the fact that unlike binary set operations, the domain of T is made up of single, individual members of S. Given any element x of S, let T map x to x^-1. In other words, let T(x) = x^-1. Then T is a unary set operation.
Given a particular field F and an integer k, a polynomial p(x) of order k defined over F is an expression of the form p(x) = a_k x^k + ... + a_1 x + a_0. In this definition, x is a variable in F, meaning that before the expression is evaluated, some particular element of F must be substituted for x in the expression. The particular member of F which is substituted for x is the value that x is "bound" to. The a_i's (0 ≤ i ≤ k) are known as the "polynomial coefficients" of p(x) and are constants in F, meaning that they are chosen before a value for x is selected, and that regardless of the value that x takes on, the values of the polynomial coefficients remain the same. When F = GF(2), the set of all polynomials of degree k defined over GF(2) is referred to as GF(2^k). It is known that given any k greater than 1, specific addition and multiplication operations can be defined within GF(2^k) in such a way that GF(2^k) forms a field under such operations. The set GF(2^k) is the set of all polynomials of order k whose polynomial coefficients are either 0 or 1. For instance, p(x) = x^5 + x^2 + 1 is a member of GF(2^5) whose polynomial coefficients are given by a_5 = 1, a_4 = 0, a_3 = 0, a_2 = 1, a_1 = 0, and a_0 = 1.
Optimizing Field Arithmetic Calculations
In addition to the fields of information security and cryptography, there are numerous other problems in business and science which are either based on or utilize the mathematics of finite fields. Computer applications dealing with such problems often need to carry out calculations involving finite field arithmetic. This often takes the form of evaluating a mathematical expression f involving a finite number of constants, variables, coefficients and operations defined within a finite field F. Note that variables and constants must be members of the field F, but coefficients may take any integer value. Coefficients, such as the 5 in the expression x - 5y, are not elements of the field F, and merely represent a shorthand notation for repeated addition, in this case 5y = 2y + 2y + y, where 2y = y + y. Since computational efficiency is of concern, we will assume that if the same quantity occurs in more than one part of an expression, as (x2 - x1)^-1 does in the example below, each such quantity is only computed once. Also, without loss of generality, the expression f can and will be assumed to be in fully reduced form, in which all calculations in the expression that involve only constants have already been performed, and the resulting constants substituted into the expression.
As an example of such an expression, let F ∈ GF(p), let x1, x2, y1, y2 be variables defined in F, let a be a constant that is some element from F, and define
f = ((y2 - y1) • (x2 - x1)^-1) • ((y1 - a) • (x2 - x1)^-1) - x1 - 5x2.
Since the only variables and constants in the expression f are x1, x2, y1, y2 and a, the expression f involves a finite number of field elements. Furthermore, the expression f involves four unary additive inversion operations to calculate -x1, -x2, -y1, and -a, a single unary multiplicative inversion operation to calculate (x2 - x1)^-1, three binary multiplication operations, three binary addition operations to calculate 5x2, four binary addition operations to calculate the expressions in parentheses, and two binary addition operations to calculate (...) - x1 - 5x2. Hence, the expression f involves a finite number of field operations, too. Consequently, when the expression f is evaluated, that is, when the calculations specified in the expression f are carried out, the result of the calculation is going to be a single element in the field F.
Any given expression f defined within a finite field F is usually composed of "subexpressions." Any part of the expression f which by itself is a valid expression in F is a subexpression of f. For instance, the expression s = (x2 - x1)^-1 is a valid expression in F, if both x2 and x1 are members of F. Therefore s = (x2 - x1)^-1 is a subexpression of the expression f = ((y2 - y1) • (x2 - x1)^-1) • ((y1 - a) • (x2 - x1)^-1) - x1 - 5x2. Some of the other subexpressions of f are s = x1, s = -y1, and s = (y2 - y1) • (x2 - x1)^-1. Note, however, that s = x2 - x1)^-1) - x1 is not a subexpression of f, because s is not a valid expression in F. Every expression f is a subexpression of itself.
Given an expression f defined within a finite field F, the task of evaluating the expression f can be computationally intense. Techniques that allow efficient calculation of such expressions in computer software and/or hardware may have significant business and scientific value. Given the exact nature of the applications such calculations occur in, different criteria may be used to determine what exactly constitutes an "efficient" calculation. In certain applications, it may be desirable to optimize calculations so that higher computation speeds are achieved. In other applications, it may be important to optimize for minimal use of silicon area in hardware implementations. Still other applications may benefit from optimizations that allow parallel computation of the calculations. In particular, the inversion operation, which in the fields GF(p) and GF(2^k) uses the Fermat method, is computationally very intensive. To avoid this, methods of formulating problems in "projective coordinates" have been developed, by Menezes and others, which allow calculations to be reformulated in a manner that removes the need to perform any inversion operations, usually at the expense of increasing the number of other operations.
The Montgomery Algorithm
In 1985, P. L. Montgomery published an algorithm which can be used to optimize the task of computing an expression of the form f = a • b • r^-1, where a, b, and r are elements of a field F ∈ GF(p) and • is the multiplication operation in F. Since 1985, some work in industry and academia has been focused on extending the use of the Montgomery algorithm to expressions of a more general form than f = a • b • r^-1. To facilitate discussion of such efforts, this patent defines the term "Montgomery Canonical Form." Given a particular element r of a field F, an expression f in F is recursively defined to be in the Montgomery Canonical Form with respect to r as such:
(i) An expression f is in the Montgomery Canonical Form with respect to r if it does not contain any field multiplication operations and also does not contain r. That is, if no subexpression s exists of the form s = s1 • s2, where s1 and s2 are subexpressions of f. For example, the expression f = (x1 + x2 - a) and the expression f = x1 are both in the Montgomery Canonical Form with respect to r.
(ii) An expression f is in the Montgomery Canonical Form with respect to r if it can be written in the form f = f1 • f2 • r^-1, where f1 and f2 are both subexpressions of f which are themselves in the Montgomery Canonical Form with respect to r. Note that to determine whether or not an expression is in Montgomery Canonical Form with respect to r, the expression is to be considered in isolation. For example, the expression f = (x1 + x2 + x3) • x1 • r^-1 is in the Montgomery Canonical Form with respect to r. However, f = x1 • (x1 • x2) • r^-1 is not in the Montgomery Canonical Form with respect to r, since although (x1 • x2) • r^-1 is in the Montgomery Canonical Form with respect to r, the single factor of r^-1 cannot simultaneously be considered to be part of the subexpression (x1 • x2) • r^-1 and also of the whole expression, so (x1 • x2) is not in the Montgomery Canonical Form with respect to r.
(iii) An expression f is in the Montgomery Canonical Form with respect to r if it can be written in the form f = (s)^-1 • r^2, where s is a subexpression of f which is itself in the Montgomery Canonical Form with respect to r. For example, the expression f = (x2 - x1)^-1 • r^2 is in the Montgomery Canonical Form with respect to r. And finally,
(iv) The expression f is in the Montgomery Canonical Form with respect to r if, whenever there exists a subexpression s of f which can be written as s = s1 • s2, where s1 and s2 are subexpressions of f which are both in the Montgomery Canonical Form with respect to r, then there exists a unique subexpression s3 of f such that s3 = s1 • s2 • r^-1. For example, the expression
f = (((x1 + x2 + x3) • x1 • r^-1 + a) • z • r^-1) • (((x1 + x2 + x3) • x1 • r^-1 + a) • z • r^-1) • r^-1 - x1 - x2
is in the Montgomery Canonical Form with respect to r.
Given a field F ∈ GF(p) and an element r ∈ F, the Montgomery algorithm can be applied effectively to optimize computation of any expression f in F which is in the Montgomery Canonical Form with respect to r. Given an arbitrary expression f, then, there may be efficiencies gained by "transforming" the expression f into some other expression f' (read as "f prime") which is in Montgomery Canonical Form. During the past decade and a half, innumerable expressions involving a finite number of operations within finite fields in GF(p) have been encountered within the confines of specific applications in business and academia. In some instances, researchers and engineers have transformed certain such expressions into other expressions which are in the Montgomery Canonical Form, and which are therefore faster to compute. Until the present invention, however, no general method for transforming any arbitrary expression involving a finite number of field operations in GF(p) into an expression that is in Montgomery Canonical Form with respect to some r in GF(p) has been known.
A particular expression that is commonly encountered in business and academic applications involving fields in GF(p) is one of the form f = x^k, where k is some positive integer and x is an element in F ∈ GF(p). Calculating f = x^k is known as the exponentiation of x. It is well known that a particular "substitution technique", described in the next section of this document, can be applied to the expression f = x^k to transform it into another expression f' which is in the Montgomery Canonical Form with respect to some particular element r in F. The Montgomery algorithm is commonly applied to the resulting expression f' to provide an efficient method for exponentiation of x.
Although the Montgomery algorithm has been used for over a decade for fast exponentiation in GF(p), no method for extending its speed improvements to general finite field calculations has been available until the present invention.
In 1998, C. K. Koc and T. Acar published an algorithm which can be used to optimize the task of computing an expression of the form f = a · b · r^{-1}, where a, b, and r are elements of a field F ∈ GF(2^k) and · is the multiplication operation in F. This algorithm is referred to as the Montgomery Algorithm in GF(2^k). The Montgomery Algorithm in GF(2^k) has been applied in the past to speed up exponentiation in GF(2^k) in a manner analogous to the method used for speeding up exponentiation in GF(p). Until the present invention, however, no method for extending the speed improvements of this algorithm to general finite field calculations has been available.
Substitution Technique
This section describes a particular substitution technique that is often used to manipulate expressions involving elements and operations defined within a field F. The technique involves replacing all instances of a specific pattern of operations and/or operands in f with another specific pattern. As an example, let x and y represent any member of F and let a, b, c, and r be specific elements in F. Then, if all occurrences of the pattern x · y in f = (a · b) ÷ (c · b) are replaced by the pattern x · y · r, the resulting expression f' is given by f' = (a · b · r) ÷ (c · b · r). To facilitate discussion of the technique, let s be an expression that represents the pattern that is to be replaced. The expression s is called the "source" expression. Let t be an expression that represents the pattern that s is replaced with. The expression t is called the "target" expression. The rest of this section describes how the substitution technique is applied to three simple types of source expressions.
Case 1. The source expression involves no operators
In this case, the source expression s is given by s = x, where x stands for any single variable within the expression f. The substitution technique simply replaces all occurrences of the variable represented by the source expression s by the pattern given by the target expression t.
Case 2. The source expression involves a single unary operator
In this case, the source expression is given either by s = -x or s = x^{-1}, where x stands for any subexpression of the expression f. Here, the substitution technique calls for constructing the set S of all subexpressions of f that "match" the source expression s. In other words, the set S is the set of all subexpressions s of the expression f which are of the form s = -x or s = x^{-1}, where x is itself a subexpression of f. Note that given any two subexpressions of f in the set S, one may be a subexpression of the other. The substitution technique works by replacing each member of the set S by the corresponding pattern given by the target expression t, except that before the substitution technique is applied to any member s of the set S, it is first applied to any other members of S that s is a subexpression of.
Case 3. The source expression involves a single binary operator
In this case, the source expression is given either by s = x + y or s = x · y, where x and y stand for any subexpressions of the expression f. Here, the substitution technique calls for constructing the set S of all subexpressions of f that "match" the source expression s. In other words, the set S is the set of all subexpressions s of the expression f which are of the form s = x + y or s = x · y, where x and y are themselves subexpressions of f. Note that given any two subexpressions of f in the set S, one may be a subexpression of the other. The substitution technique works by replacing each member of the set S by the corresponding pattern given by the target expression t, except that before the substitution technique is applied to any member s of the set S, it is first applied to any other members of S that s is a subexpression of.
A substitution technique similar to this has been used in business and industry in the past in a two-step process to transform instances of simple expressions of the form f = x^k into another expression f' which is in the Montgomery Canonical Form. To illustrate, this will be demonstrated for the case k = 4, which means that the expression f is given by f = x^4 = x · x · x · x = ((x · x) · x) · x.
(i) Let the source expression s be given by s = x · y. Let the target expression t be given by t = x · y · r^{-1}, where r is a constant in the field F. Applying the substitution technique to the expression f = ((x · x) · x) · x yields the expression f' = ((x · x · r^{-1}) · x · r^{-1}) · x · r^{-1}.
Note that the expression f' is in the Montgomery Canonical Form, since every subexpression of f' enclosed in parentheses is in the Montgomery Canonical Form with respect to r. Because of this, the following step can allow the Montgomery algorithm to be applied to efficiently calculate f'.
(ii) Let the source expression s be given by s = x, where x stands for a variable or constant in f. Let the target expression t be given by t = x · r. Applying the substitution technique to replace every occurrence of x with x · r in the expression obtained in step (i), ((x · x · r^{-1}) · x · r^{-1}) · x · r^{-1}, yields the expression f' = (((x · r) · (x · r) · r^{-1}) · (x · r) · r^{-1}) · (x · r) · r^{-1}.
This substitution technique allows efficient computation of f = x^k, because it can be shown that the expression f is equivalent to f = f' · r^{-1}. To see this in the case k = 4, note that
f' = (((x · r) · (x · r) · r^{-1}) · (x · r) · r^{-1}) · (x · r) · r^{-1}
= ((x · r · x · r · r^{-1}) · x · r · r^{-1}) · x · r · r^{-1}
= ((r · x · x · r · r^{-1}) · x · r · r^{-1}) · x · r · r^{-1}
= ((r · x · x · 1) · x · 1) · x · 1 = ((r · x · x) · x) · x = r · (((x · x) · x) · x) = r · x^4
Therefore, f' · r^{-1} = r · x^4 · r^{-1} = x^4 · r · r^{-1} = x^4 · 1 = x^4 = f. Since f' is in the Montgomery Canonical Form with respect to r, it is in general more efficient to compute f' · r^{-1}, which itself is in the Montgomery Canonical Form, than it is to compute f directly.
Elliptic Curve Groups
An elliptic curve, G, is a mathematical group that is constructed over a specific field F, according to a specific set of rules that depend on the exact nature of F. In general, G is a subset of F × F, and the operation in G is defined in terms of the field operations + and · on the elements of F that constitute the ordered-pair elements of G. The two most commonly studied classes of elliptic curves are those constructed over fields belonging to GF(p) or GF(2^k).
Elliptic Curves over GF(p)
An elliptic curve over GF(p) is defined by selected parameters a and b (both members of GF(p)) as the set of all ordered pairs (x, y) that are solutions to the equation y^2 = x^3 + ax + b, where x, y are members of GF(p), together with an extra point O, usually named the point at infinity. It is assumed that p is a prime number greater than 3 and that a, b in GF(p) are selected such that 4a^3 + 27b^2 ≠ 0 in GF(p). It has been well established that the points on the elliptic curve and O form an Abelian group with respect to the following point addition rules:
Equations A
1. O + O = O
2. (x, y) + O = (x, y)
3. (x, y) + (x, -y) = O
4. Addition of two distinct points: (x1, y1) + (x2, y2) = (x3, y3)
L = (y2 - y1) · (x2 - x1)^{-1}
x3 = (L · L) - x1 - x2
y3 = L · (x1 - x3) - y1
5. Doubling of a point: (x1, y1) + (x1, y1) = (x3, y3)
L = (3x1 · x1 + a) · (2y1)^{-1}
x3 = (L · L) - (2x1)
y3 = L · (x1 - x3) - y1
where the operations +, -, ·, and inverse (^{-1}) are performed in the field GF(p). The above rules define the method by which two points on the elliptic curve are "added" to get a third point. These equations will be referred to in the remainder of this document as Equations A.
Example
The elliptic curve equation y^2 = x^3 + x + 1 over the field GF(23) will be illustrated. It turns out there are 28 points on the curve including the special point O. These points are:
Point O
(0, 1) and (0, 22)
(1, 7) and (1, 16)
(3, 10) and (3, 13)
(4, 0)
(5, 4) and (5, 19)
(6, 4) and (6, 19)
(7, 11) and (7, 12)
(9, 7) and (9, 16)
(11, 3) and (11, 20)
(12, 4) and (12, 19)
(13, 7) and (13, 16)
(17, 3) and (17, 20)
(18, 3) and (18, 20)
(19, 5) and (19, 18)
For example, (1, 7) is on the elliptic curve because it satisfies the equation y^2 = x^3 + x + 1 in the field GF(23) (that is, modulo 23): 7^2 = 1^3 + 1 + 1 mod 23, 49 = 3 mod 23, and 3 = 3 mod 23.
The point addition of (3, 10) and (9, 7) is computed using arithmetic modulo 23, or the field arithmetic of GF(23):
L = (7 - 10) · (9 - 3)^{-1} = (-3) · 6^{-1} = (-3) · 4 = -12 = 11
x3 = (11 · 11) - 3 - 9 = 121 - 12 = 109 = 17
y3 = (11 · (3 - 17)) - 10 = -164 = 20
Therefore, the addition of (3, 10) and (9, 7) equals (17, 20). This example illustrates that the addition of two points on the curve using the above rules gives a third point on the curve.
Elliptic Curves over GF(2^k)
A non-supersingular elliptic curve over the field GF(2^k) is defined by the parameters a and b in GF(2^k), with b ≠ 0, as the set of solutions (x, y) to the equation y^2 + xy = x^3 + ax^2 + b together with the extra point O. This set of points forms a group with respect to the following addition rules:
Equations B
1. O + O = O
2. (x, y) + O = (x, y)
3. (x, y) + (x, x + y) = O
4. Addition of two distinct points: (x1, y1) + (x2, y2) = (x3, y3)
L = (y1 + y2) · (x1 + x2)^{-1}
x3 = (L · L) + L + x1 + x2 + a
y3 = (L · (x1 + x3)) + x3 + y1
5. Doubling of a point: (x1, y1) + (x1, y1) = (x3, y3)
x3 = x1 · x1 + b · (x1^{-1}) · (x1^{-1})
y3 = x1 · x1 + (x1 + y1 · x1^{-1}) · x3 + x3
Point Multiplication
An elliptic curve cryptographic operation, whether it is an encryption, a decryption, a signature, or a key-pass operation, always involves the computation of eP given e and P, where P is a point on the curve and e is a positive integer. The reverse of this operation, i.e., the computation of e given P and eP, is known to be very difficult. This is called the elliptic curve discrete logarithm problem, for which no efficient algorithm is currently known. Since the addition operation in the elliptic curve group, G, is defined using a series of field operations from the underlying field, F, given two points P and Q in G, computation of P + Q or P + P requires computation of a series of operations in the field. In particular, if F ∈ GF(2^k), the equations 4 above show that computation of P + Q requires one field inversion, three field multiplications, and nine field additions. On the other hand, the computation of P + P requires one field inversion, three field multiplications and five field additions, as demonstrated by equations 5.
If e is about 500 bits in length, the number of elliptic curve operations (additions and doublings) necessary to calculate eP can be shown to be about 750. Each elliptic curve operation involves several (about 15-20) finite field operations. If the value of k (from F ∈ GF(2^k)) is also high (>100), these computations consume a significant amount of time, particularly in software. Therefore, fast hardware and software implementations of elliptic curve point multiplication are highly desirable in cryptography.
The following example in GF(23) illustrates various approaches that can be taken towards optimizing the calculation of eP. Let e = 18 and P = (3, 10). Then eP = 18(3, 10) can be calculated by successively adding (3, 10) to itself 18 times using group addition as defined in Equations A: P + P + ... + P (18 copies of P), which requires 17 elliptic curve point addition operations.
However, there are faster algorithms known as "exponentiation methods," one example of which is a "binary method," shown below, which allows 18P to be computed as:
Step 1: (P) + (P) = 2P
Step 2: (2P) + (2P) = 4P
Step 3: (4P) + (4P) = 8P
Step 4: (8P) + (8P) = 16P
Step 5: (16P) + (2P) = 18P
Thus, only 5 point additions, or group operations, are utilized. The partial results as well as the final result are points on the curve, as illustrated below:
Step 1: P + P = 2P: (3, 10) + (3, 10) = (7, 12)
Step 2: 2P + 2P = 4P: (7, 12) + (7, 12) = (17, 3)
Step 3: 4P + 4P = 8P: (17, 3) + (17, 3) = (13, 16)
Step 4: 8P + 8P = 16P: (13, 16) + (13, 16) = (5, 19)
Step 5: 16P + 2P = 18P: (5, 19) + (7, 12) = (6, 19)
Thus, 18(3, 10) is (6, 19). The elliptic curve discrete logarithm problem then becomes: knowing (3, 10) and (6, 19) and that (6, 19) is an integer multiple of (3, 10), what is this integer? The integer used for this example is equal to 18.
Given the binary representation of e as e_{k-1} e_{k-2} ... e_2 e_1 e_0, the computation of eP can be accomplished using the binary method or any other m-ary method. For example, in order to compute Q = eP, the binary method proceeds as follows.
    Q := O
    for i = k - 1 downto 0
        Q := Q + Q
        if e_i = 1 then Q := Q + P
    return Q
Therefore, the computation of Q is performed by a series of elliptic curve point doublings (Q := Q + Q) and point additions (Q := Q + P).
SUMMARY OF THE INVENTION
The present invention optimizes the calculation of Elliptic Curve Cryptography computations through a transformation method that permits the use of any elliptic curve defined over any field F in a secure and efficient manner. The invention includes a method and apparatus for producing an elliptic curve point multiplication product, Q = eP. The invention utilizes an arbitrary integer e, and a point P on an elliptic curve group G defined over a field F, where the group G is a subset of the field F crossed with the field F. The present invention constructs a set G', a mapping T from G into the set G', a mapping T^{-1} from G' onto G, and an operation ⊕ defined on G' such that (a) given the point P, T^{-1}(T(P)) = P, and (b) P + P = T^{-1}(P' ⊕ P'), where P' = T(P). An elliptic curve point multiplication product Q is produced by transforming the point P to the point P' using the mapping T, performing the operation ⊕ on the point P' to determine the point Q' = eP', and transforming the point Q' to the product Q using the mapping T^{-1}. The product Q is used in an elliptic curve cryptographic operation. The present invention also includes a method for optimizing the calculation of cryptographic operations involving arbitrary expressions in finite field arithmetic through a transformation method that permits the use of any field F in an efficient manner. The invention includes a method for transforming any arbitrary finite calculation in any finite field into a canonical form in which other previously known algorithms can be applied, thereby achieving increased calculation speed and efficiency. The present invention teaches a set of transformations of the cryptographic calculations that allows the use of other known techniques that have only been applicable to certain limited special cases prior to this invention.
DETAILED DESCRIPTION OF THE INVENTION
The present invention provides a method for optimizing ECC computations for any curve in any field through focusing on one of the most computationally intense operations used in all ECC implementations, known as "elliptic curve point multiplication." Point multiplication requires the computation of eP, where P is a point on the elliptic curve and e is a positive integer. This operation is central to many elliptic curve cryptography functions, including encryption, decryption, random number generation, key-exchange, digital signing, and signature verification. The present invention achieves efficient ECC by providing a methodology for optimizing the implementation of the elliptic curve point multiplication operation. The present invention can be utilized to implement ECC over any curve in any field, including all individual member fields in GF(p) and GF(2^k).
The present invention further provides a methodology for optimizing computation of calculations involving a finite number of arbitrary field operations within any finite field. These calculations play a key role in computer implementations of numerous systems, including elliptic curve crypto systems.
The present invention provides a "transformation method" which can be used to enable optimized implementations of elliptic curve cryptographic systems in hardware and software. The present invention, because it employs a reversible transformation applied to the elements of the elliptic group, does not in any way alter the fundamental security properties of the mathematical algorithm used to perform the elliptic curve cryptography. The security of the overall ECC algorithm is determined by the choice of elliptic curve equations, number representation, arithmetic algorithms and other implementation aspects. As long as these choices are made according to reliable standards, the security of the implementation is not affected by use of the present invention. The present invention can be used in any and all potential ECC applications, ranging from software for secure distribution of digital products such as movies and songs to hardware chips embedded in consumer electronic products such as cellular phones and smart cards. The cost-saving potential of the present invention can significantly enhance existing commercial applications and make previously infeasible business opportunities economically viable.
Section A
Given G ⊂ F × F, an elliptic curve defined over the field F, the present invention provides an improved method to optimize the computation of eP, where e is an integer and P is an element of G.
The present invention includes:
(1) construction of a set G' and a method for representation of the members of G' in software and/or hardware;
(2) construction of and implementing an algorithm for a first mapping, T, from G into the set G' in software and/or hardware;
(3) construction of and implementing an algorithm for a second mapping, T^{-1}, which acts as the inverse of T, from G' onto G, in software and/or hardware; and
(4) construction of and implementing an algorithm, in software and/or hardware, for a set operation ⊕ defined in G'.
In each embodiment, the following three conditions are satisfied:
(i) given any P ∈ G, then T^{-1}(T(P)) = P;
(ii) given any two points P and S in G, then P + S = T^{-1}(P' ⊕ S'), where P' = T(P) and S' = T(S); and
(iii) G', T, ⊕, and T^{-1} and the corresponding algorithms are chosen such that given P1, P2, ..., PN ∈ G, where N is an integer, computation of T^{-1}(T(P1) ⊕ T(P2) ⊕ ... ⊕ T(PN)) is in general more optimized than computation of P1 + P2 + ... + PN.
In other words, the present invention computes Q = eP by first transforming the given point P to a transformed point P' using the algorithm for the first mapping T, then calculating the multiple sum Q' = eP' using a "transformed," more computationally optimized version of the elliptic curve addition operation (⊕) in the transformed domain, and finally transforming Q' back to Q using the algorithm for the second mapping, T^{-1}. Note that satisfaction of conditions (i) and (ii) above ensures that this method can be applied to any point P belonging to G.
Under certain circumstances, when G', T, T^{-1}, and ⊕ are chosen carefully, it is possible to optimize computation of the point multiplication operation. Depending on the number of point additions to be performed, the additional cost of transforming the elements of G may or may not outweigh the improvements due to more optimized calculations in the transformed domain G'.
Section B
The present invention further provides a particular method for construction of G', T, and T^{-1} that can be applied to any elliptic curve group G.
Since G is a subset of F × F, points in G can be written as ordered pairs (x, y), where x and y are elements of the field F. The present invention provides that a particular member r of F is first selected. The element r may be selected to be any member of the field F. Let t be the mapping from G into F × F that maps any point P = (x, y) in G to some point P' = (x', y')' in G'. The present invention provides that t(P) = t((x, y)) = (x · r, y · r) = P'. Since x, y, and r are all members of F, so are x · r and y · r. The present invention provides that G' is the image of G under t. In other words, G' is the set of all elements of F × F that have a point in G mapped to them by t. The present invention further provides that T is the transformation from G onto G' such that given any point P in G, then T(P) = t(P) = P'. While P' = (x', y')' is necessarily a member of F × F, it is not necessarily a point in the elliptic curve group, G. P' can be obtained by computing x' = x · r and y' = y · r.
Let Q' be any element of G'. Since G' ⊂ F × F, we can write Q' = (u', v')', where u' and v' are members of F. Since G' is the image of G under t, there must exist u and v, two elements of F, such that (u, v) ∈ G and u' = u · r and v' = v · r. Since u, v, and r are all members of the field F, then u = u' · r^{-1} and v = v' · r^{-1}, where r^{-1} is the inverse of r under the multiplicative operation of F. Therefore, one can construct an inverse transformation T^{-1}: G' → G by letting T^{-1} map Q' = (u', v')', any element of G', to (u' · r^{-1}, v' · r^{-1}).
In formal terms, this more detailed embodiment of the present invention includes the steps of:
(1) constructing G' as the subset of F × F which is the image of G under the mapping t: G → F × F, where t is constructed by first selecting any element r of F, and then letting t((x, y)) = (x · r, y · r), where · is the multiplicative operation in F;
(2) constructing the first mapping T: G → G' by letting T(P) = t(P), where P is any point in G; and
(3) constructing the second mapping T^{-1}: G' → G by letting T^{-1}((u', v')') = (u' · r^{-1}, v' · r^{-1}), where (u', v')' is any element of G'.
Given the above choices for G', T, and T^{-1}, it may be possible to optimize calculation of eP through careful definition of a ⊕ operation in G' and careful selection of r. Certain values of r, for instance, may provide faster software implementations, while others may enable more algorithmic parallelism.
Section C
Another detailed embodiment of the present invention applies the methods of Sections A and B to the elliptic curves defined over the specific fields belonging to GF(p). In this embodiment, a new transformed operation ⊕ is constructed such that conditions (i), (ii), and (iii) in Section A are satisfied.
The present invention includes a method for optimizing calculations of eP when F is an individual member field of GF(p). In this embodiment, G is an elliptic curve group over F ∈ GF(p), and G', T, T^{-1} are constructed in accordance with the method of the invention described in Section B, above, through choosing an arbitrary element r of F. The present invention constructs a "transformed" operation ⊕ in G' as follows. Given any two elements of G', (x1', y1')' and (x2', y2')', the present invention defines (x1', y1')' ⊕ (x2', y2')' to be given by (x3', y3')', where
Equations A'
z' = (x2' - x1')^{-1} · r^2
L' = (y2' - y1') · z' · r^{-1}
x3' = L' · L' · r^{-1} - x1' - x2'
y3' = L' · (x1' - x3') · r^{-1} - y1'
Using the above definition of ⊕ for the operation of the "addition" of elements of G', the present invention derives the following set of field equations for the operation of adding any "point" (x1', y1')' in G' to itself:
(x1', y1')' ⊕ (x1', y1')' = (x3', y3')', where
L' = ((x1' + x1' + x1') · x1' · r^{-1} + a') · z' · r^{-1}
It is now shown how the present invention ensures that G', T, T^{-1}, and ⊕ together satisfy conditions (i), (ii), and (iii) set forth in Section A.
(i) Let P be any point in the elliptic curve group G. Then there exist some elements x and y of F such that P = (x, y). Then T^{-1}(T(P)) = T^{-1}(T((x, y))) = T^{-1}((x · r, y · r)) = (x · r · r^{-1}, y · r · r^{-1}) = (x, y) = P. Therefore, Condition (i) in Section A is satisfied.
(ii) Given any two points P and S in G, we need to show that P + S = T^{-1}(P' ⊕ S'), where P' = T(P) and S' = T(S). Let P = (x1, y1), P' = (x1', y1')', S = (x2, y2), S' = (x2', y2')', Q = P + S = (x3, y3) and Q' = P' ⊕ S' = (x3', y3')'. Then, applying the rules for point addition in the elliptic curve group given by Equations A, the coordinates of Q are given by x3 = L · L - x1 - x2 and y3 = L · (x1 - x3) - y1, where L = (y2 - y1) · z and z = (x2 - x1)^{-1}. Equations A' above, on the other hand, give the coordinates for Q'. As such, it can be shown that
z' = (x2' - x1')^{-1} · r^2 = (x2 · r - x1 · r)^{-1} · r^2 = z · r
L' = (y2' - y1') · z' · r^{-1} = (y2 · r - y1 · r) · (z · r) · r^{-1} = L · r
x3' = L' · L' · r^{-1} - x1' - x2' = (L · r) · (L · r) · r^{-1} - x1 · r - x2 · r = (L · L - x1 - x2) · r = x3 · r
y3' = L' · (x1' - x3') · r^{-1} - y1' = (L · r) · (x1 · r - x3 · r) · r^{-1} - y1 · r = (L · (x1 - x3) - y1) · r = y3 · r
Therefore, (x3', y3')' = (x3 · r, y3 · r), which implies that P' ⊕ S' = T(P + S), as required. Hence, Condition (ii) in Section A is satisfied.
(iii) The present invention has provided a method for the selection of G', T, ⊕, and T^{-1} and their corresponding algorithms in a manner such that given P1, P2, ..., PN ∈ G, where N is an integer, computation of T^{-1}(T(P1) ⊕ T(P2) ⊕ ... ⊕ T(PN)) is in general more optimized than computation of P1 + P2 + ... + PN. To verify this, note that calculation of T(P1) ⊕ T(P2) ⊕ ... ⊕ T(PN) involves repeated application of the expressions in Equations A'. Note, however, that these expressions are in the Montgomery Canonical Form with respect to r. As such, the Montgomery Algorithm in GF(p) can be readily applied to the calculation of T(P1) ⊕ T(P2) ⊕ ... ⊕ T(PN) to create an optimized hardware and/or software implementation. Therefore, Condition (iii) in Section A is satisfied.
Section D
Another detailed embodiment of the present invention applies the methods of Sections A and B to the elliptic curves defined over the specific fields belonging to GF(2^k). In this embodiment, a new transformed operation ⊕ is constructed such that conditions (i), (ii), and (iii) in Section A are satisfied.
The present invention further includes a method for optimizing calculations of eP when F is an individual member field of GF(2^k). In this embodiment, G is an elliptic curve group over F ∈ GF(2^k), and G', T, T^{-1} are constructed in accordance with the method of the invention described in Section B, above, through choosing an arbitrary element r of F. The present invention constructs a "transformed" operation ⊕ in G' as follows. Given any two elements of G', say (x1', y1')' and (x2', y2')', the present invention defines (x1', y1')' ⊕ (x2', y2')' to be given by (x3', y3')', where
Equations B'
z' = (x1' + x2')^{-1} · r^2
L' = (y1' + y2') · z' · r^{-1}
x3' = (L' · L' · r^{-1}) + L' + x1' + x2' + a'
y3' = L' · (x1' + x3') · r^{-1} + x3' + y1'
Using the above definition of ⊕ for the operation of the addition of points in G', the present invention derives the following set of field equations for the operation of "doubling a point", i.e. adding a point (x1', y1')' in G' to itself:
(x1', y1')' ⊕ (x1', y1')' = (x3', y3')', where
z' = (x1')^{-1} · r^2
x3' = x1' · x1' · r^{-1} + (z' · z' · r^{-1}) · b' · r^{-1}
y3' = x1' · x1' · r^{-1} + (x1' + y1' · z' · r^{-1}) · x3' · r^{-1} + x3'
It is now shown how the present invention ensures that G', T, T^{-1}, and ⊕ together satisfy conditions (i), (ii), and (iii) set forth in Section A.
(i) Let P be any point in the elliptic curve group G. Then there exist some elements x and y of F such that P = (x, y). Then T^{-1}(T(P)) = T^{-1}(T((x, y))) = T^{-1}((x · r, y · r)) = (x · r · r^{-1}, y · r · r^{-1}) = (x, y) = P. Therefore, Condition (i) in Section A is satisfied.
(ii) Given any two points P and S in G, we need to show that P + S = T^{-1}(P' ⊕ S'), where P' = T(P) and S' = T(S). Let P = (x1, y1), P' = (x1', y1')', S = (x2, y2), S' = (x2', y2')', Q = P + S = (x3, y3) and Q' = P' ⊕ S' = (x3', y3')'. Then, applying the rules for point addition in the elliptic curve group given by Equations B, the coordinates of Q are given by x3 = L · L + L + x1 + x2 + a and y3 = L · (x1 + x3) + x3 + y1, where L = (y1 + y2) · z and z = (x1 + x2)^{-1}. Equations B' above, on the other hand, give the coordinates for Q'. As such, it can be shown that (with a' = a · r)
z' = (x1' + x2')^{-1} · r^2 = (x1 · r + x2 · r)^{-1} · r^2 = (x1 + x2)^{-1} · r = z · r
L' = (y1' + y2') · z' · r^{-1} = (y1 · r + y2 · r) · (z · r) · r^{-1} = L · r
x3' = L' · L' · r^{-1} + L' + x1' + x2' + a' = (L · r) · (L · r) · r^{-1} + L · r + x1 · r + x2 · r + a · r = (L · L + L + x1 + x2 + a) · r = x3 · r
y3' = L' · (x1' + x3') · r^{-1} + x3' + y1' = (L · r) · (x1 · r + x3 · r) · r^{-1} + x3 · r + y1 · r = (L · (x1 + x3) + x3 + y1) · r = y3 · r
Therefore, we have (x3', y3')' = (x3 · r, y3 · r), which implies that P' ⊕ S' = T(P + S), as required. Hence, Condition (ii) in Section A is satisfied.
(iii) The present invention has provided a method for the selection of G', T, ⊕, and T^{-1} and their corresponding algorithms in a manner such that given P1, P2, ..., PN ∈ G, where N is an integer, computation of T^{-1}(T(P1) ⊕ T(P2) ⊕ ... ⊕ T(PN)) is in general more optimized than computation of P1 + P2 + ... + PN. To verify this, note that calculation of T(P1) ⊕ T(P2) ⊕ ... ⊕ T(PN) involves repeated application of the expressions in Equations B'. Note, however, that these expressions are in the Montgomery Canonical Form with respect to r. As such, the Montgomery Algorithm in GF(2^k) can be readily applied to the calculation of T(P1) ⊕ T(P2) ⊕ ... ⊕ T(PN) to create an optimized hardware and/or software implementation. Therefore, Condition (iii) in Section A is satisfied.
Section E
The present invention further provides a method for achieving higher efficiencies when utilizing the methods of Sections C and D above by providing specific choices of r.
The present invention works with any element r in the field F over which the elliptic curve group G is defined. The exact choice of the element r, however, affects the computational characteristics of the resulting calculations. The present invention teaches that the selection of r can optimize specific aspects of a software and/or hardware implementation within specific computer environments. For instance, choosing r to be a multiple of 32 can have beneficial effects on 32-bit computers. Given a particular selection of r, the calculation of a · b · r^{-1} may be done in more than one way, some of which may be more computationally efficient. The following selections of r are preferred:
1. Field GF(p): r is selected as the smallest power of 2 that is larger than p.
2. Field GF(p): r can be selected as the product of k prime numbers, which gives the resulting algorithm a high degree of parallelism.
3. Field GF(2^k): r is selected as x^k mod n(x), where n(x) is the irreducible polynomial generating the field GF(2^k).
Other selections of r for different fields are also possible. The transformation algorithms work independently of this selection.
Section F
The present invention further provides a method for optimizing calculation of a finite number of arbitrary field operations over any finite field Let/be a valid expression defined within
E involving a finite number of variables, and a finite number of the field operations * , - , -, and ~'
The present invention provides a method for optimizing computation of/ which includes carrying out the following steps in sequence (1) Select r to be any single element of the field F The element r, a constant, will be used to transform the expression / into a new expression/' through applying a series of substitutions in accordance with the substitution technique described earlier in this document If the expression/ already contains a constant or variable denoted by the symbol r, then rename the symbol r in this step-by-step procedure to some unique value, and interpret the subsequent steps of this procedure as if r were renamed appropriately in them Note that the expression/ may coincidentally contain constants or variables that may have the same field value as the selected element r, without affecting this procedure Subsequent steps of this procedure will rely on the expression/being initially free of "primed" symbols such as d' or j ' ' If the expression/ initially contains any variables or constants which are denoted by "primed" symbols, then replace each primed variable or constant symbol with a unique unprimed name Subsequent substitution steps of this procedure will employ source expressions containing primed symbols, which by convention in this patent are not allowed to match symbols that are not primed Note that source expressions containing unprimed symbols, such as x, are allowed by convention in this patent to match variable symbols or constant symbols which may be either primed or unprimed
(2) Transform the expression f into the expression f1 by replacing all occurrences of the source expression x with the target expression x'. In this substitution, x denotes a variable or constant occurring in the expression f. This replaces all variables and constants with primed symbols. Note that this occurs without affecting any coefficients that may exist in the expression f.
(3) Transform the expression f1 into the expression f2 by replacing all occurrences of the source expression x·y with the target expression x ⊗ y. In this substitution, x and y denote subexpressions of f1, which should contain only primed symbols, and ⊗ is used as an alternate symbol to represent the multiplication operation in the field F. The purpose of this step is to label as ⊗ all of the original · operators occurring in the expression f1, to distinguish them from the · operators that will be introduced into the transformed expression during the following steps of this method.
(4) Transform the expression f2 into the expression f3 by replacing all occurrences of the source expression x^-1 with the target expression x^-1·r^2. In this substitution, x denotes a subexpression of f2.
(5) Transform the expression f3 into the expression f4 by replacing all occurrences of the source expression x ⊗ y with the target expression x·y·r^-1. In this substitution, x and y denote subexpressions of f3.
(6) Transform the expression f4 into the expression f' by replacing all occurrences of the source expression x' with the target expression x·r. In this substitution, x' denotes a primed variable or primed constant occurring in the expression f4, specifically excluding all instances of the unprimed constant r. The effect of this step is to replace every primed symbol with its unprimed form multiplied by r.
Upon completion of the above steps, the expression f is transformed into a new expression f'. The present invention has carefully specified the preceding steps in such a way as to ensure that f = f'·r^-1. To prove this, the result is demonstrated for the four special cases f = x + y, f = x - y, f = x·y, and f = x^-1, where x and y are elements in the field F. The general result follows from the commutative, associative and distributive properties of the field.
Case 1: Transformed Addition
Let f = x + y. Applying the substitution method of the present invention to the expression f results in the transformed expression f' = x·r + y·r. To see that f = f'·r^-1, note that f = x + y = (x + y)·r·r^-1 = (x·r + y·r)·r^-1 = f'·r^-1.
Case 2: Transformed Subtraction
Let f = x - y. Applying the substitution method of the present invention to the expression f results in the transformed expression f' = x·r - y·r. To see that f = f'·r^-1, note that f = x - y = (x - y)·r·r^-1 = (x·r - y·r)·r^-1 = f'·r^-1.
Case 3: Transformed Multiplication
Let f = x·y. Applying the substitution method of the present invention to the expression f results in the transformed expression f' = (x·r)·(y·r)·r^-1. To see that f = f'·r^-1, note that f = x·y = x·y·r^2·r^-2 = x·y·r·r·r^-1·r^-1 = x·r·y·r·r^-1·r^-1 = (x·r)·(y·r)·r^-1·r^-1 = f'·r^-1.
Case 4: Transformed Inversion
Let f = x^-1. Applying the substitution method of the present invention to the expression f results in the transformed expression f' = (x·r)^-1·r^2. To see that f = f'·r^-1, note that f = x^-1·r^2·r^-2 = x^-1·r^-1·r^2·r^-1 = (x·r)^-1·r^2·r^-1 = f'·r^-1.
Thus, the present invention provides a method to transform any expression f involving a finite number of field operations within a finite field F into the form f'·r^-1. Furthermore, the expression f'·r^-1 constructed by the present invention is guaranteed to be in the Montgomery Canonical Form. To verify this, note that (i) the substitution steps of the method of the present invention ensure that if the original expression f includes any subexpressions of the form x·y, such subexpressions are transformed into the form (x·r)·(y·r)·r^-1, which is in the Montgomery Canonical Form, and (ii) whenever the substitution steps of the method of the present invention introduce a new multiplication operation into the transformed expression, such operation brings with it a single additional operand which is always a power of r, thus preserving the Montgomery Canonical Form of the subexpression it is introduced into. Depending on the exact nature of F, the number of multiplication operations in the expression f, and the exact number and nature of the operations involved in the calculation of f', computation of the expression f'·r^-1 may be more efficient than direct computation of the expression f. This is particularly likely when the field F is a member of either GF(p) or GF(2^k), for in such instances the Montgomery Algorithm can be applied to the expression f'·r^-1 to ensure optimized computation of the value that the expression f evaluates to.
Section G
The present invention may also be used with "projective coordinates," which are used to eliminate the need for performing inversion. For example, in projective coordinates, a point on the elliptic curve group G has 3 coordinate values, (xi, yi, zi), while the affine coordinates require only two values: (xi, yi).
For example, for elliptic curves defined over GF(2^k), given the distinct points P and Q expressed in projective coordinates,
P := (x1, y1, z1)
Q := (x2, y2, z2)
the projective coordinates of the sum of the 2 points on the elliptic curve,
P + Q := (x3, y3, z3)
are computed using the following addition rules.
B = y2·z1 + y1
C = A + B
D = A^2·(A + a·z1) + z1·B·C
x3 = A·D
y3 = C·D + A^2·(B·x1 + A·y1)
This computation requires 13 field multiplications, and no inversions.
Similarly, the formulae for computing 2P are given as:
A = x1·z1
x3 = A·B
y3 = x1^4·A + B·(x1^2 + y1·z1 + A)
z3 = A^3
This computation requires 7 field multiplications, and no inversions.
Thus, the use of projective coordinates eliminates the inversions at the expense of storing 3 GF(2^k) values to represent P and performing a few more multiplications.
The present invention can also be used in conjunction with projective coordinates. The addition rules would then be modified as follows.
A' = x2'·z1'·r^-1 + x1'
B' = y2'·z1'·r^-1 + y1'
C' = A' + B'
D' = (A'·A'·r^-1)·(A' + a'·z1'·r^-1)·r^-1 + (z1'·B'·r^-1)·C'·r^-1
x3' = A'·D'·r^-1
y3' = C'·D'·r^-1 + (A'·A'·r^-1)·(B'·x1'·r^-1 + A'·y1'·r^-1)·r^-1
Similarly, the rules for computing 2P are modified as:
B' = (((b'·z1'·r^-1)·z1'·r^-1)·z1'·r^-1)·z1'·r^-1 + ((x1'·x1'·r^-1)·x1'·r^-1)·x1'·r^-1
x3' = A'·B'·r^-1
y3' = … + B'·(x1'·x1'·r^-1 + y1'·z1'·r^-1 + A')·r^-1
IMPLEMENTATION
The present invention may be implemented on any conventional or general purpose PC computer system. It may also be used in conjunction with any network system, including the Internet. A preferred embodiment of a computer system for implementing this invention is an Intel Pentium II PC 233 MHz, running Windows NT 4.0.
The present invention can be implemented in any programming language, including C and Java. The following are examples of pseudo code suitable for implementing the present invention.
Setup:
    a, b : Parameters of the elliptic curve (EC)
    F    : The field upon which the EC is based. Either GF(p) or GF(2^k)
    *    : field multiplication
    +    : field addition
    -    : field subtraction
    ^-1  : field inversion
    P = (P(x), P(y)) : A point on the EC. P(x) & P(y) are affine coordinates

Algorithm Identifier: ExpPoint
Input:  e : k-bit integer
        P : Point on the EC, P = (P(x), P(y))
Output: Q : Point on the EC, Q = (Q(x), Q(y))
        Q := eP = (P+P+...+P) (e times P)
function ExpPoint
begin
    /* Transform P to P' using r */
    P'(x) = P(x) * r
    P'(y) = P(y) * r
    /* Start with O', the point at infinity */
    Q' = O'
    /* Binary method loop */
    for i = k-1 downto 0 do
        Q' := DoublePoint(Q')
        if e_i = 1 then Q' := AddPoint(Q', P')
    /* Transform Q' to Q using r (both coordinates are scaled back by r^-1) */
    Q(x) = Q'(x) * r^-1
    Q(y) = Q'(y) * r^-1
    return Q
end

Algorithm Identifier: AddPoint
Input:  P' : Transformed Point on the EC
        Q' : Transformed Point on the EC
Output: T' : Transformed Point on the EC
        T' := P' + Q' using the EC point addition rules
function AddPoint
begin
    /* If the underlying field is GF(p) */
    lambda' = Multiply((Q'(y) - P'(y)), Inverse(Q'(x) - P'(x)))
    T'(x) = Multiply(lambda', lambda') - P'(x) - Q'(x)
    T'(y) = Multiply(lambda', (P'(x) - T'(x))) - P'(y)
    return T'
    /* Else if the underlying field is GF(2^k) */
    lambda' = Multiply((P'(y) + Q'(y)), Inverse(P'(x) + Q'(x)))
    T'(x) = Multiply(lambda', lambda') + lambda' + P'(x) + Q'(x) + a'
    T'(y) = Multiply(lambda', (P'(x) + T'(x))) + T'(x) + P'(y)
    return T'
end

Algorithm Identifier: DoublePoint
Input:  P' : Transformed Point on the EC
Output: T' : Transformed Point on the EC
        T' := P' + P' using the EC point doubling rules
function DoublePoint
begin
    /* If the underlying field is GF(p) */
    lambda' = Multiply((Multiply(3P'(x), P'(x)) + a'), Inverse(2P'(y)))
    T'(x) = Multiply(lambda', lambda') - 2P'(x)
    T'(y) = Multiply(lambda', (P'(x) - T'(x))) - P'(y)
    return T'
    /* Else if the underlying field is GF(2^k) */
    T'(x) = Multiply(P'(x), P'(x)) + Multiply(b', Inverse(Multiply(P'(x), P'(x))))
    T'(y) = Multiply(P'(x), P'(x)) + Multiply(P'(x) + Multiply(P'(y), Inverse(P'(x))), T'(x)) + T'(x)
    return T'
end

Algorithm Identifier: Inverse
Input:  u : Field element
Output: t : Field element
function Inverse
begin
    /* transformed inversion: (x*r)^-1 * r^2 = x^-1 * r */
    t = u^-1 * r^2
    return t
end

Algorithm Identifier: Multiply
Input:  u, v : Field elements
Output: t : Field element
function Multiply
begin
    /* transformed multiplication: (x*r) * (y*r) * r^-1 = (x*y) * r */
    t = u * v * r^-1
    return t
end
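The following is an added example, not code from the patent: a Python implementation of the ExpPoint / AddPoint / DoublePoint / Multiply / Inverse pseudocode above over GF(p), in which Multiply is a genuine Montgomery reduction, so the transformed expressions of Section F are evaluated exactly as f'·r^-1 and mapped back with T^-1 only at the end. The curve y^2 = x^3 + x + 1 over GF(23), the base point (0, 1) and r = 32 are constructed values chosen so the results can be checked by hand, and the handling of the point at infinity and of P' + (-P') is added because the pseudocode leaves it out.

```python
"""Transformed (Montgomery-domain) EC scalar multiplication over GF(p).

Added example, not the patent's own code.  Every field element x is carried as
x' = x * r mod p with r = 2^k > p (claim 5); Multiply(u', v') = u' * v' * r^-1
is one Montgomery reduction (REDC) and Inverse(u') = u'^-1 * r^2.
"""

# Constructed parameters (assumption, not from the patent): y^2 = x^3 + x + 1
# over GF(23); r = 32 is the smallest power of two above p.
P_MOD = 23
A_COEF, B_COEF = 1, 1
K = P_MOD.bit_length()               # 5
R = 1 << K                           # 32
P_PRIME = (-pow(P_MOD, -1, R)) % R   # -p^-1 mod r, the REDC constant


def redc(t):
    """Montgomery reduction: t * r^-1 mod p for 0 <= t < p*r, with no division by p."""
    m = (t * P_PRIME) & (R - 1)      # t * p' mod r  (r is a power of two)
    u = (t + m * P_MOD) >> K         # t + m*p is divisible by r, so shift instead of divide
    return u - P_MOD if u >= P_MOD else u


def multiply(u, v):
    """Multiply from the pseudocode: u' * v' * r^-1 (result stays in the r-domain)."""
    return redc(u * v)


def inverse(u):
    """Inverse from the pseudocode: u'^-1 * r^2, so (x*r)^-1 * r^2 = x^-1 * r."""
    return pow(u, -1, P_MOD) * R * R % P_MOD


def to_mont(x):
    """Mapping T of claim 3: x -> x * r."""
    return x * R % P_MOD


def from_mont(x):
    """Mapping T^-1 of claim 3: x' -> x' * r^-1, which is one REDC of x' itself."""
    return redc(x)


A_T = to_mont(A_COEF)                # a' = a * r, as used by DoublePoint


def add_point(p, q):
    """AddPoint over GF(p) on transformed affine points; None stands for O'."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0]:
        # Equal x: doubling, or P' + (-P') = O'.  The pseudocode omits both cases.
        return double_point(p) if p[1] == q[1] else None
    lam = multiply((q[1] - p[1]) % P_MOD, inverse((q[0] - p[0]) % P_MOD))
    x3 = (multiply(lam, lam) - p[0] - q[0]) % P_MOD
    y3 = (multiply(lam, (p[0] - x3) % P_MOD) - p[1]) % P_MOD
    return (x3, y3)


def double_point(p):
    """DoublePoint over GF(p): lambda' = Multiply(3x'*x' + a', Inverse(2y'))."""
    if p is None or p[1] == 0:       # O', or a point of order 2, doubles to O'
        return None
    lam = multiply((multiply(3 * p[0] % P_MOD, p[0]) + A_T) % P_MOD,
                   inverse(2 * p[1] % P_MOD))
    x3 = (multiply(lam, lam) - 2 * p[0]) % P_MOD
    y3 = (multiply(lam, (p[0] - x3) % P_MOD) - p[1]) % P_MOD
    return (x3, y3)


def exp_point(e, point):
    """ExpPoint: Q = eP by the binary method, every step in the transformed domain."""
    p_t = (to_mont(point[0]), to_mont(point[1]))     # P' = T(P)
    q_t = None                                       # Q' = O'
    for i in range(e.bit_length() - 1, -1, -1):      # for i = k-1 downto 0
        q_t = double_point(q_t)
        if (e >> i) & 1:                             # the branch depends on the scalar bit,
            q_t = add_point(q_t, p_t)                # so this loop is not constant-time
    if q_t is None:
        return None
    return (from_mont(q_t[0]), from_mont(q_t[1]))    # Q = T^-1(Q')


def on_curve(pt):
    """True if pt (affine, or None for O) satisfies y^2 = x^3 + a*x + b over GF(p)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A_COEF * x + B_COEF)) % P_MOD == 0
```

The group of this curve has 28 points, so exp_point(28, (0, 1)) returns None and exp_point(29, (0, 1)) returns the base point again.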
A number of references describe the mathematical background for the present invention. Those references include: P. L. Montgomery, "Modular multiplication without trial division," Mathematics of Computation, 44(170):519-521, April 1985; D. E. Knuth, The Art of Computer Programming: Seminumerical Algorithms, volume 2, second edition, Reading, MA: Addison-Wesley, 1981; C. K. Koc and T. Acar, "Montgomery multiplication in GF(2^k)," Proceedings of Third Annual Workshop on Selected Areas in Cryptography, pages 95-106, Queen's University, Kingston, Ontario, Canada, August 15-16, 1996; C. K. Koc and T. Acar, "Fast software exponentiation in GF(2^k)," Proceedings, 13th Symposium on Computer Arithmetic, pages 225-231, Asilomar, California, July 6-9, 1997, Los Alamitos, CA: IEEE Computer Society Press; J. C. Bajard, L. S. Didier, and P. Kornerup, "An RNS Montgomery multiplication algorithm," Proceedings, 13th Symposium on Computer Arithmetic, pages 234-239, Asilomar, California, July 6-9, 1997, Los Alamitos, CA: IEEE Computer Society Press; D. R. Stinson, Cryptography: Theory and Practice, CRC Press, 1995; V. Miller, "Uses of elliptic curves in cryptography," Advances in Cryptology - CRYPTO 85, Proceedings, pages 417-426, New York, NY: Springer-Verlag, 1985; N. Koblitz, "Elliptic curve cryptosystems," Mathematics of Computation, 48:203-209, 1987; N. Koblitz, A Course in Number Theory and Cryptography, New York, NY: Springer-Verlag, 1987; A. J. Menezes, Elliptic Curve Public Key Cryptosystems, Boston, MA: Kluwer Academic Publishers, 1993; R. L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-key Cryptosystems," Communications of the ACM, 21(2):120-126, 1978; T. Beth, M. Frisch, and G. J. Simmons, Public-key Cryptography: State of the Art and Future Directions, Springer-Verlag, NY, 1991; IEEE Working Group P1363, Working Draft: IEEE 1363 Standard for RSA, Diffie-Hellman and Related Public-key Cryptography, in preparation, 1995; RSA Laboratories, Answers to Frequently Asked Questions about Today's Cryptography, Version 3.0, 1996; G. B. Agnew, R. C. Mullin, I. M. Onyszchuk, and S. A. Vanstone, "An implementation of a fast public-key cryptosystem," Journal of Cryptology, 3(2):63-79, 1991. All of these publications are herein incorporated by reference as if each individual publication were specifically and individually set forth herein.
Having described and illustrated the principles of our invention with reference to a preferred embodiment, it will be apparent that the invention can be modified in arrangement and detail without departing from such principles. As such, it should be recognized that the detailed embodiment is illustrative only and should not be taken as limiting the scope of our invention. Rather, we claim as our invention all such embodiments as may fall within the scope and spirit of the following claims and equivalents thereto.

Claims

We claim:
1. A method for producing an elliptic curve point multiplication product, Q = eP, using an arbitrary integer e, a point P on an elliptic curve group G defined over a field F, where G ⊂ F × F, comprising the steps of:
constructing a set G';
constructing a mapping T from G into the set G', constructing a mapping T^-1 from G' onto G, and constructing an operation ⊕ defined on G' such that (a) given P ∈ G, T^-1(T(P)) = P, and (b) P + P = T^-1(P' ⊕ P'), where P' = T(P);
producing an elliptic curve point multiplication product Q by transforming the point P to the point P' using the mapping T, performing the operation ⊕ on the point P' to determine the point Q' = eP', transforming the point Q' to the product Q using the mapping T^-1; and
using the product Q in a cryptographic operation.
2. The method of claim 1 wherein the set G, the set G', the mapping T, the operation ⊕, and the mapping T^-1 are constructed such that given P1, P2, ..., PN ∈ G, where N is an integer, the computation of T^-1(T(P1) ⊕ T(P2) ⊕ ... ⊕ T(PN)) is more efficient than the computation of P1 + P2 + ... + PN.
3. The method of claim 1 wherein: the mapping T is constructed by selecting any element r of the field F, and defining T as T: (x, y) → (x·r, y·r), where P = (x, y) ∈ G, and · is the multiplication operator in F; and
the mapping T^-1 is constructed by defining T^-1: (u, v) → (u·r^-1, v·r^-1), where P' = (u, v) ∈ G'.
4. The method of claim 3 wherein the field F is a member of GF(p).
5. The method of claim 4 wherein the element r is selected as the smallest power of 2 that is larger than p.
6. The method of claim 4 wherein the element r is selected as the product of prime numbers.
7. The method of claim 4 wherein the operation ⊕ is constructed such that the addition of two points in the set G' is given by (x3', y3') = (x1', y1') ⊕ (x2', y2'),
L' = (y2' - y1')·z'·r^-1,
x3' = L'·L'·r^-1 - x1' - x2', and
8. The method of claim 4 wherein the operation ⊕ is constructed such that the doubling of a point in the set G' is given by
(x1', y1') ⊕ (x1', y1') = (x3', y3'), z' = (y1' + y1')^-1·r^2, L' = ((x1' + x1' + x1')·x1'·r^-1 + a')·z'·r^-1,
x3' = L'·L'·r^-1 - x1' - x1', and
9. The method of claim 4 wherein the Montgomery Algorithm in GF(p) is utilized to perform the operation ⊕ on the point P' to determine the point Q' = eP'.
10. The method of claim 3 wherein the field F is a member of GF(2^k).
11. The method of claim 10, wherein the operation ⊕ is constructed such that the addition of two points in the set G' is given by
(x3', y3') = (x1', y1') ⊕ (x2', y2'),
L' = (y1' + y2')·z'·r^-1,
x3' = (L'·L'·r^-1) + L' + x1' + x2' + a', and
12. The method of claim 10, wherein the operation ⊕ is constructed such that the doubling of a point is given by
x3' = x1'·x1'·r^-1 + (z'·z'·r^-1)·b'·r^-1, and
y3' = x1'·x1'·r^-1 + (x1' + y1'·z'·r^-1)·x3'·r^-1 + x3'.
13. The method of claim 10 wherein the element r is selected as x^k mod n(x), where n(x) is the irreducible polynomial generating the field GF(2^k).
14. The method of claim 10 wherein the Montgomery Algorithm in GF(2^k) is utilized to perform the operation ⊕ on the point P' to determine the point Q' = eP'.
15. The method of claim 1 wherein the step of performing the operation ⊕ on the point P' utilizes a binary method.
16. The method of claim 1 wherein the step of performing the operation ⊕ on the point P' utilizes an M-ary method.
17. The method of claim 1 wherein the elements of sets G and G' are implemented using Projective Coordinates.
18. A method for optimizing the calculation of an expression f = f(x1, ..., xi, ..., xn), wherein the expression f is comprised of a finite number of arbitrary field operations over any finite field F, and x1, ..., xi, ..., xn are all elements of F, comprising the steps of:
selecting an element r, a constant, from the field F;
transforming the expression f = f(x1, ..., xi, ..., xn) to f' = f'(x1', ..., xi', ..., xn') by:
replacing all occurrences of x in the expression f with x', giving f1, where x denotes a variable or constant of f;
replacing all occurrences of x·y in the expression f1 with x ⊗ y, giving f2, where x and y denote subexpressions of f1;
replacing all occurrences of x^-1 in the expression f2 with x^-1·r^2, giving f3, where x denotes a subexpression of f2;
replacing all occurrences of x ⊗ y in the expression f3 with x·y·r^-1, giving f4, where x and y denote subexpressions of f3; and
replacing all occurrences of x' in the expression f4 with x·r, giving f', where x' denotes a primed variable or primed constant in f4;
determining f = f'·r^-1; and
using f'·r^-1 to calculate f in a cryptographic operation.
19. The method of claim 18 wherein each instance of x'·y'·r^-1 is computed using the Montgomery Algorithm when the field F is a member of GF(p).
20. The method of claim 18 wherein each instance of x'·y'·r^-1 is computed using the Montgomery Algorithm in GF(2^k) when the field F is a member of GF(2^k).
21. A method for producing an elliptic curve point addition product, Q = P + P, using a point P on an elliptic curve group G defined over a field F, where G ⊂ F × F, comprising the steps of:
constructing a set G';
constructing a mapping T from G into the set G', constructing a mapping T^-1 from G' onto G, and constructing an operation ⊕ defined on G', such that (a) given P ∈ G, T^-1(T(P)) = P, and (b) P + P = T^-1(P' ⊕ P'), where P' = T(P); and
producing an elliptic curve point addition product Q by transforming the point P to the point P' using the mapping T, performing the operation ⊕ on the point P' and the point P' to determine the point Q', transforming the point Q' to the product Q using the mapping T^-1; and
using the product Q in a cryptographic operation.
22. A method for producing an elliptic curve point addition product, Q = P + S, using points P and S on an elliptic curve group G defined over a field F, where G ⊂ F × F, comprising the steps of:
constructing a set G';
constructing a mapping T from G into the set G', constructing a mapping T^-1 from G' onto G, and constructing an operation ⊕ defined on G', such that (a) given P ∈ G, T^-1(T(P)) = P, and (b) P + S = T^-1(P' ⊕ S'), where P' = T(P) and S' = T(S); and
producing an elliptic curve point addition product Q by transforming the point P to the point P' using the mapping T, by transforming the point S to the point S' using the mapping T, performing the operation ⊕ on the point P' and the point S' to determine the point Q', transforming the point Q' to the product Q using the mapping T^-1; and using the product Q in a cryptographic operation.
23. Apparatus for producing an elliptic curve point multiplication product, Q = eP, using an arbitrary integer e, a point P on an elliptic curve group G defined over a field F, where G ⊂ F × F, comprising:
means for constructing a set G';
means for constructing a mapping T from G into the set G', constructing a mapping T^-1 from G' onto G, and constructing an operation ⊕ defined on G', such that (a) given P ∈ G, T^-1(T(P)) = P, and (b) P + P = T^-1(P' ⊕ P'), where P' = T(P); and
means for producing an elliptic curve point multiplication product Q by transforming the point P to the point P' using the mapping T, performing the operation ⊕ on the point P' to determine the point Q' = eP', transforming the point Q' to the product Q using the mapping T^-1; and
means for using the product Q in a cryptographic operation.
EP98965973A 1997-12-05 1998-12-04 Transformation methods for optimizing elliptic curve cryptographic computations Withdrawn EP1038371A4 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US6931497P 1997-12-05 1997-12-05
US69314P 1997-12-05
PCT/US1998/025824 WO1999030458A1 (en) 1997-12-05 1998-12-04 Transformation methods for optimizing elliptic curve cryptographic computations

Publications (2)

Publication Number Publication Date
EP1038371A1 true EP1038371A1 (en) 2000-09-27
EP1038371A4 EP1038371A4 (en) 2002-01-30

Family

ID=22088145

Family Applications (1)

Application Number Title Priority Date Filing Date
EP98965973A Withdrawn EP1038371A4 (en) 1997-12-05 1998-12-04 Transformation methods for optimizing elliptic curve cryptographic computations

Country Status (7)

Country Link
EP (1) EP1038371A4 (en)
JP (1) JP2001526416A (en)
CN (1) CN1280726A (en)
AU (1) AU758621B2 (en)
BR (1) BR9815161A (en)
CA (1) CA2310588A1 (en)
WO (1) WO1999030458A1 (en)


Also Published As

Publication number Publication date
AU758621B2 (en) 2003-03-27
EP1038371A4 (en) 2002-01-30
WO1999030458A1 (en) 1999-06-17
JP2001526416A (en) 2001-12-18
CN1280726A (en) 2001-01-17
BR9815161A (en) 2000-10-10
CA2310588A1 (en) 1999-06-17
AU2198399A (en) 1999-06-28


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20000629

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT CH DE DK ES FI FR GB IT LI LU SE

A4 Supplementary search report drawn up and despatched

Effective date: 20011219

AK Designated contracting states

Kind code of ref document: A4

Designated state(s): AT CH DE DK ES FI FR GB IT LI LU SE

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20040701

REG Reference to a national code

Ref country code: HK

Ref legal event code: WD

Ref document number: 1031795

Country of ref document: HK