International Association for Cryptologic Research

International Association
for Cryptologic Research


Paper: Halving on Binary Edwards Curves

Qiping Lin
Fangguo Zhang
Search ePrint
Search Google
Abstract: Edwards curves have attracted great interest for their efficient addition and doubling formulas. Furthermore, the addition formulas are strongly unified or even complete, i.e., work without change for all inputs. In this paper, we propose the first halving algorithm on binary Edwards curves, which can be used for scalar multiplication. We present a point halving algorithm on binary Edwards curves in case of $d_1\neq d_2$. The halving algorithm costs about $3I+5M+4S$, which is slower than the doubling one. We also give a theorem to prove that the binary Edwards curves have no minimal two-torsion in case of $d_1= d_2$, and we briefly explain how to achieve the point halving algorithm using an improved algorithm in this case. Finally, we apply our halving algorithm in scalar multiplication with $\omega$-coordinate using Montgomery ladder.
  title={Halving on Binary Edwards Curves},
  booktitle={IACR Eprint archive},
  keywords={public-key cryptography / elliptic curve cryptosystem},
  note={ 14735 received 5 Jan 2010, last revised 5 May 2010},
  author={Qiping Lin and Fangguo Zhang},