Binary Kummer Line.

The idea of the Kummer line was introduced by Gaudry and Lubicz [22]. Karati and Sarkar [31] proposed three efficient Kummer lines over prime fields, and [31, 40] show that they are faster than $$\textsf{Curve25519}$$  [4]. In this work, we explore the problem of secure and efficient scalar multiplications using the Kummer lines over binary fields compared to Koblitz curves, binary Edwards curves, and Weierstrass curves. In this article, we provide the first concrete proposal for binary Kummer line: $$\textsf{BKL}251$$ over the field $$\mathbb {F}_{2^{251}}$$ , and it offers 124.5-bit security that is the same as that of $$\textsf{BEd251}$$  [8] and $$\textsf{CURVE2251}$$  [51]. $$\textsf{BKL}251$$ has small curve parameters and a small base point. We implement $$\textsf{BKL}251$$ using the instruction $$\texttt{PCLMULQDQ}$$ of modern Intel processors and a software $$\textsf{BBK251}$$ for batch computation of scalar multiplications using the bitslicing technique. We also provide the first implementation of Edwards curve $$\textsf{BEd}251$$  [8] using the $$\texttt{PCLMULQDQ}$$ , best to our knowledge. Thus this work complements the works of [5, 8]. All the implemented software compute scalar multiplications in constant time using Montgomery ladders. For the right-to-left Montgomery ladder scalar multiplication, each ladder step of a binary Kummer line needs fewer field operations than an Edwards curve. In the case of the left-to-right Montgomery ladder, a Kummer line and an Edwards curve have almost the same number of field operations. Our experimental results show that left-to-right Montgomery scalar multiplications of $$\textsf{BKL}251$$ are $$9.63\%$$ and $$0.52\%$$ faster than those of $$\textsf{BEd}251$$ for fixed-base and variable-base, respectively. Left-to-right Montgomery scalar multiplication for the variable-base of $$\textsf{BKL}251$$ is $$39.74\%$$ , $$23.25\%$$ , and $$32.92\%$$ faster than those of the curves $$\textsf{CURVE2251}$$ , $$\mathsf {K-283}$$ , and $$\mathsf {B-283}$$ , respectively. Using the right-to-left Montgomery ladder with precomputation, $$\textsf{BKL}251$$ achieves a $$17.84\%$$ speedup over $$\textsf{BEd}251$$ for fixed-base scalar multiplication. For a batch computation, $$\textsf{BBK251}$$ performs comparatively the same (slightly faster) as the $$\textsf{BBE251}$$ and $$\textsf{sect283r1}$$ . Our experiments reveal that scalar multiplications on $$\textsf{BKL}251$$ and $$\textsf{BEd251}$$ are (approximately) 65% faster than one scalar multiplication (after scaling down) of batch software $$\textsf{BBK251}$$ and $$\textsf{BBE251}$$ .