Binary Kummer Line

The idea of the Kummer line was introduced by Gaudry and Lubicz [ 22 ]. Karati and Sarkar [ 31 ] proposed three efficient Kummer lines over prime fields, and [ 31 , 40 ] show that they are faster than Curve 25519 [ 4 ]. In this work, we explore the problem of secure and efficient scalar multiplications using the Kummer lines over binary fields compared to Koblitz curves, binary Edwards curves, and Weierstrass curves. In this article, we provide the first concrete proposal for binary Kummer line: BKL 251 over the field F 2 251 , and it offers 124.5-bit security that is the same as that of BEd 251 [ 8 ] and CURVE 2251 [ 51 ]. BKL 251 has small curve parameters and a small base point. We implement BKL 251 using the instruction PCLMULQDQ of modern Intel processors and a software BBK 251 for batch computation of scalar multiplications using the bitslicing technique. We also provide the first implementation of Edwards curve BEd 251 [ 8 ] using the PCLMULQDQ , best to our knowledge. Thus this work complements the works of [ 5 , 8 ]. All the implemented software compute scalar multiplications in constant time using Montgomery ladders. For the right-to-left Montgomery ladder scalar multiplication, each ladder step of a binary Kummer line needs fewer field operations than an Edwards curve. In the case of the left-to-right Montgomery ladder, a Kummer line and an Edwards curve have almost the same number of field operations. Our experimental results show that left-to-right Montgomery scalar multiplications of BKL 251 are 9.63 % and 0.52 % faster than those of BEd 251 for fixed-base and variable-base, respectively. Left-to-right Montgomery scalar multiplication for the variable-base of BKL 251 is 39.74 % , 23.25 % , and 32.92 % faster than those of the curves CURVE 2251 , K - 283 , and B - 283 , respectively. Using the right-to-left Montgomery ladder with precomputation, BKL 251 achieves a 17.84 % speedup over BEd 251 for fixed-base scalar multiplication. For a batch computation, BBK 251 performs comparatively the same (slightly faster) as the BBE 251 and sect 283 r 1 . Our experiments reveal that scalar multiplications on BKL 251 and BEd 251 are (approximately) 65% faster than one scalar multiplication (after scaling down) of batch software BBK 251 and BBE 251 .