Compact Elliptic Curve Scalar Multiplication with a Secure Generality

Elliptic curve cryptosystems (ECCs) are widely used because of their short key size. ECCs can ensure sufficient security with shorter keys, using less memory to reduce parameters. Hence, ECCs are typically used in IoT devices. The dominant computation of an ECC is scalar multiplication Q = kP for P ∈ E(Fq). Thus, the security and efficiency of scalar multiplication are paramount. To render secure ECCs, complete addition (CA) formulae can be employed for secure scalar multiplication algorithms. However, this requires significant memory; thus, it is not suitable for compact devices. Several types of coordinates exist for elliptic curves such as affine, Jacobian, Projective and so on. The CA formulae are not based on affine coordinates and, thus, require considerable memory. In this study, we achieve a compact ECC by focusing on affine coordinates. In fact, affine coordinates are highly advantageous in terms of memory but require many if statements for scalar multiplication owing to exceptional points. We propose two scalar multiplication algorithms with the extended affine formulae to delete some exceptional inputs for scalar multiplication. Our two algorithms reduce memory cost up to 37% or 21%. In many cases such as NIST elliptic curves, our two algorithms are the most efficient if I M < 12, for the ratio of computational cost of inversion and multiplication. The experiment shows that our algorithms can compute the elliptic curve scalar multiplication correctly and efficiently.


Introduction
Elliptic curve cryptosystems (ECCs) are widely used because of their short key size. ECCs can ensure sufficient security with shorter keys, using less memory to reduce parameters. Hence, ECCs are typically used for Internet-of-things (IoT) devices [2]. The dominant computation of ECCs is scalar multiplication Q = kP for P ∈ E(F q ). Thus, the security and efficiency of the scalar multiplication are paramount.
Studies of secure elliptic curve scalar multiplication algorithms can be divided into two categories. The first research direction is to find efficient and secure scalar multiplication algorithms [3], [4], [5], [6], [7]. The second direction is to find efficient and secure coordinates with addition formulae [8], [9], [10], [11], [12]. Several types of coordinates for elliptic curves exist (such as affine, Jacobian, or Projective). Although it appears that we only need to combine scalar multiplication algorithms with coordinates, it is not simple because some scalar multiplications require branches when the addition formulae are applied to them. Branches introduce simple power analysis (SPA). For example, in the case of affine or Jacobian coordinates, both doubling and addition formulae exist for two inputs of P and Q. That is, when the scalar multiplication algorithm employs addition formulae in affine or Jacobian coordinates, we need to verify whether the two 1 Graduate School of Engineering, Osaka University, Suita, Osaka 565-0871, Japan miyaji@comm.eng.osaka-u.ac.jp input points are equal. In fact, not only the condition P = Q but also other input points such as O + P, P − P, and 2P = O become exceptional inputs. Hence, researchers have investigated complete addition (CA) formulae [8], [9], [10], which can be computed for any two input points. Further, new methods have been proposed by combining a scalar multiplication algorithm with CA formulae to protect the elliptic curve scalar multiplication from a side channel attack (SCA) [13]. CA formulae operate well to exclude such branches. However, CA formulae are not efficient from the memory and computational standpoints. Particularly, CA formulae are not based on affine coordinates and, thus, require significant memory.
In this study, we achieve a compact ECC by focusing on affine coordinates. Although affine coordinates are highly advantageous in terms of memory, they require if statements for scalar multiplication owing to exceptional points. We adopt two approaches. First, we examine a scalar multiplication with the input point and scalar k by defining three notions: generality of k (a scalar multiplication algorithm can operate on any input scalar k), secure generality (a scalar multiplication algorithm can resist SCA with generality of k), and executable coordinates (coordinates with elliptic curve addition formulae, which can be used to a scalar multiplication algorithm without introducing if statements). Subsequently, we demonstrate that Joye's rightto-left (RL) 2-ary algorithm (Algorithm 2) [4] satisfies the secure generality but that Joye's double-add algorithm (Algorithm 1) [3] does not satisfy secure generality. Further, we verify coordinates that become executable. Second, we improve Joye's RL 2-ary algorithm to reduce exceptional point inputs and the limitations of input k. We extend the affine to delete some exceptional inputs for scalar multiplication. Subsequently, we propose a new scalar multiplication, Algorithm 9, by combining our improved Joye's RL 2-ary algorithm with affine formulae and our extended affine formulae. In this paper, combinations of affine formulae and extended affine formulae are called (extended) affine in short. We propose Algorithm 10 to enhance the efficiency of Algorithm 9 by 2-bit scanning using the affine double and quadruple formulae (DQ) [14] that can compute both 2P and 4P simultaneously with only one inversion computation. Finally, we do a theoretical analysis of our algorithms and implement them. Algorithms 9 and 10 with (extended) affine reduce memory cost by 37% and 21% compared with Algorithm 2 with CA formulae, respectively. As for computational cost, we evaluate all algorithms by estimating the number of modulo multiplication (M), modulo square (S ), multiplication with parameters a and b (ma and mb), addition (A), and inversion (I). In summary, when omitting the computational cost of ma, mb, and A, Algorithm 10 with (extended) affine is the most efficient if 7.2 < I M < 9.3, Algorithm 9 with (extended) affine is the most efficient if I M < 7.2, and Algorithm 2 with CA formulae is the most efficient if I M > 9.3. In many cases, such as national institute of standards and technology (NIST) elliptic curves, we can only omit the computational cost of ma and A. Then, Algorithm 10 with (extended) affine is the most efficient if 7.2 < I M < 12, Algorithm 9 with (extended) affine is the most efficient if I M < 7.2, and Algorithm 2 with CA formulae is the most efficient if I M > 12. Experiments on NIST P224, P256, and P384 using GNU MP 6.1.2 show that both Algorithms 9 and 10 with (extended) affine can compute elliptic curve scalar multiplication more efficiently than Algorithm 2 with CA formulae. This paper is organized as follows. First, we describe related work in Section 2. In Section 3, we examine a scalar multiplication algorithm from the point of input scalar k, defining three new notions. Subsequently, we extend the affine addition formulae in Section 4. We improve Joye's RL 2-ary algorithm to Algorithms 9 and 10 in Section 5. We analyze Algorithms 9 and 10 with (extended) affine from the theoretical and experimental point of view and compare them with Algorithm 2 with CA formulae in Section 6. We conclude our work in Section 7.

Related Work
Studies of efficient and secure elliptic curve scalar multiplication algorithms can be divided into two categories. The first one is efficient and secure scalar multiplication algorithms [3], [4], [5], [6], [7]. We focus on the RL algorithms in this paper. The second one is to find efficient and secure coordinates with elliptic curve addition formulae [8], [9], [10], [11], [12]. Although CA formulae operate well to exclude the branches, which introduce simple power analysis (SPA), they are not efficient from the memory and computational standpoints.

Scalar Multiplication
Joye's double-add algorithm, Algorithm 1 can regularly compute scalar multiplications, scanning a scalar from least significant bit (LSB) to most significant bit (MSB) [3]. As for Joye's regular RL 2-ary algorithm (Algorithm 2) [4], it can compute regularly without dummy operations. Thus, in Joye's regular RL 2-ary algorithm, security issues depend on the elliptic curve addition formulae. If we use addition formulae on affine or Jacobian coordinates, branches to avoid additions of two inputs (such as P + P, P − P, and O + P) and the doubling of P with 2P = O exist. Branches result in SCA, specifically the SPA. Hence, upon implementation, we should use "if statements" carefully. Meanwhile, if we use CA formulae [9], then we exclude "if statements" but sacrifice memory and computational efficiency. The Joye's regular 2-ary algorithm in Ref. [4] is improved from Algorithm 2 by assuming that the MSB of the input scalar is always "1". However, it cannot compute scalar multiplications correctly when the scalar begins with "0". Thus we focus on Algorithm 2.

Complete Addition (CA) Formulae
Izu and Takagi proposed the x-only differential addition and doubling formulae [8], which proved to be exceptional only if both input coordinates of x and z are 0 [13]. These addition formulae are applied to the Montgomery ladder in which after the computation of the x-coordinate, the y-coordinate can be recovered by the formula of Ebeid and Lambert [15].
Renes et al. proposed complete addition formulae for prime order elliptic curves [9]. Based on the theorems of Bosma and Lenstra [16], the complete addition formulae for an elliptic curve E(F p ) without points of order two can be obtained. Note that E(F p ) with prime order excludes the points of order two. Thus, we can use the complete addition formulae on E(F p ) with prime order. The authors also mentioned that if the complete addition formulae were used in an application, their efficiency could be improved based on specific parameters and further computation. However, they remain costly.
Wronski presented a new idea to obtain complete addition formulae for an elliptic curve E S W /F p in the short Weierstrass form [10]. We can expand E S W /F p to E S W /F p 2 and subsequently obtain the isomorphism ϕ from E S W /F p 2 to the twisted Hessian curve E tH /F p 2 when both conditions of 3|#E S W /F q 2 and q ≡ 1 (mod 3) are satisfied. Using the arithmetic on E tH /F p 2 , we can compute the elliptic curve scalar multiplication more quickly. After kP was computed on the twisted Hessian curve E tH /F p 2 , we can use ϕ −1 to transform kP to a real result kP on E S W /F p . Further, the addition formulae on the twisted Hessian curve E tH /F p 2 may be complete when parameter a of the twisted Hessian curve E tH /F p 2 : ax 3 + y 3 + 1 = dxy is not a cube in F q . Table 1 summarizes the addition formulae including the CA formulae, where M, S , I, and A are the costs for one field multiplication, square, inversion, and addition, respectively. Further, ma and mb are the costs for multiplication to a and b, respectively.
Assuming that S = 0.8M and ignoring the computational cost of ma, mb, and A, the computational cost of ADD + DBL in the CA formulae is 24M. Subsequently, the computational cost of ADD + DBL in affine is more efficient than that in the CA forc 2020 Information Processing Society of Japan Table 1 Computational complexity of elliptic curve addition formulae.

Method
Conditions ADD DBL Memory x-only addition [8] x− or z-coordinate 0 8M + 2S 5M + 3S 10 Complete addition [9] 2 #E(F p ) [2] 6: A ← A + P 7: return A mulae or Jacobian when I < 8.8M or I < 8M. Meanwhile, the computational cost of ADD + DBL in Jacobian is always more efficient than that in the complete addition by 1.6M.

Exceptional Inputs in Scalar Multiplication
This section analyzes two algorithms (Algorithms 1-2) with an input scalar k = ł−1 i=0 k i 2 i (in binary) and an elliptic curve point P from the following three aspects: generality of k, secure generality, and executable coordinates.

Generality of k
We define the generality of k as follows. The scalar multiplication should compute kP for ∀k ∈ Z/NZ, where k ∈ {0, 1} ł and N is the order of P. Subsequently, it includes a case where the MSB of k is zero (k ł−1 = 0). We say that a scalar multiplication satisfies the generality of k if it can operate for any ∀k ∈ Z/NZ with k ł−1 = 0 or k ł−1 = 1. Let us investigate whether Algorithms 1-2 satisfy the generality of input scalar k. The Joye's double-add algorithm (Algorithm 1) can operate for any input scalar ∀k ∈ Z/NZ with k ł−1 = 0 or k ł−1 = 1. It is obvious that Algorithm 1 can compute kP correctly when k ł−1 = 1. Algorithm 1 scans the scalar from right and reads "0"s at the end if k ł−1 = 0. The "0"s read at the end do not change the value saved in R[0], which is the final correct computation result. In sum-mary, Algorithm 1 can compute kP correctly with any input scalar ∀k ∈ Z/NZ with k ł−1 = 0 or k ł−1 = 1.
Joye's RL m-ary algorithm satisfies generality of k, implying that it can compute kP for any input ∀k ∈ Z/NZ with k ł−1 = 0 or k ł−1 = 1. The proof is given in Appendix A.1. We herein focus on the case of m = 2, which is described by Algorithm 2.

Secure Generality
We define the notion of the secure generality added to the generality of k as follows. If a scalar multiplication can compute kP regularly without dummy operations satisfying generality of k for ∀k ∈ Z/NZ with k ł−1 = 0 or k ł−1 = 1, where N is the order of P, then we say that such an algorithm satisfies the secure generality.
Algorithm 2 executes the same computations of addition and doubling without any dummy operation for every bit of scalar. It is regular without dummy operations for any k; thus, it satisfies the secure generality. Algorithm 1 also executes the same computations of addition and doubling without any dummy operations until the final input bit k ł−1 of a scalar k. Its final step in the main loop becomes a dummy operation when processing becomes a dummy operation. Thus, we can know whether the scalar begins with "0"s by inserting safe-error to If the result does not change, then the MSB of the scalar is "0". Thus, Algorithm 1 does not satisfy the secure generality.

Executable Coordinates
Let us define the notion of coordinates in a scalar multiplication algorithm. If the coordinates can be executed for an algorithm for ∀k ∈ Z/NZ without exceptional inputs, we say that coordinates are executable coordinates for the algorithm, where N is the order of P in E(F p ). This notion is important because even if a scalar multiplication algorithm satisfies secure generality, we must choose executable coordinates.
Let us investigate the executable coordinates in Algorithm 1. Algorithm 1 requires addition or doubling formulae with O. This is why neither affine nor Jacobian coordinates are executable. Let us investigate Algorithm 2. Algorithm 2 contains exceptional inputs k. R [1] and R [2] are initialized as O, and A is initialized as P in Step 1. In the main loop, O + P appears independent of k in Step 3. It is obvious that O + P, P + P, and −P + P are computed when k = 1, 2, 0 in the aggregation and final correction, respectively. In summary, Algorithm 2 has to compute addition with O independent to k, P + P if k = 2, and P − P if k = 0. Neither the affine nor Jacobian coordinates can compute all of O + P, P + P, and −P + P. Meanwhile, CA formulae [9] are executable coordinates. As shown in Section 2, we must sacrifice computational c 2020 Information Processing Society of Japan and memory cost if we use CA formulae.
We herein focus on Algorithm 2, as it satisfies the secure generality of k. Specifically, we improve it by adapting it to affine coordinates that requires a small memory. Jacobian coordinates are also executable for our new Algorithms 9-10.

Extended Affine Addition Formulae
Affine formulae are advantageous because of less memory usage. The computational cost, however, depends on the ratio of inversion cost to multiplication cost.
The detailed algorithms are shown in Algorithms 4 and 5. It is noteworthy that both Algorithms 4 and 5 can retain the value of the input point of P, which can be used continually as the next input. Affine formulae have exceptional points. O cannot be represented explicitly, while it is described as a point at infinity. Thus, affine formulae cannot compute O + P = O, P − P = O, or 2P = O. The addition formula cannot compute P + P, which can only be computed by the doubling formula. When implementing affine formulae, branches are required to avoid such exceptional points. We want to fully utilize affine formulae because they reduce memory. Scalar multiplication algorithms should satisfy the secure generality in Section 3; thus, they are suitable for any k ∈ Z/NZ, which includes a special case of k = 0. Algorithm 2 satisfies the secure generality but the affine coordinates are not executable on them.
Thus, we extend the affine formulae in such a way that they can compute exceptional computations of P − P = O and 2P = O. The corresponding operations are shown in Algorithms 6 and 7, which can compute P − P = O and 2P = O when E(F p ) does not include a point (0, 0). For example, E(F p ) without two-torsion points satisfies the condition, including the prime order elliptic curve on the Weierstrass form. Importantly, both Algorithms 6 and 7 retain the value of the input point of P similar to Algorithms 4 and 5. Let us explain our idea of the extended affine
The extended affine addition formula is transformed from the original affine addition formula by extracting the factor of (x 2 − x 1 ) −1 . The computational cost of Algorithm 6 is 6M + S + I and its memory cost is seven field elements. The extended affine doubling formula is transformed from the original affine doubling formula by extracting (2y 1 ) −1 . The computational cost of Algorithm 7 is 4M + 4S + I and its memory cost is also seven field elements.

Algorithm 6 Extended affine addition
Input: P = (x 1 , y 1 ) and Q = (x 2 , y 2 ) Output: P, P + Q 1: t 0 ← (x 2 − x 1 ) −1 2: y 2 ← y 2 − y 1 3: Proof 1 Firstly we prove that Algorithm 6 can compute P + Q = O and O + O = O correctly. When computing P + Q = O (for example P = (x 1 , y 1 ) = (x, y) and Q = (x 2 , y 2 ) = (x, −y)), the inversion of zero ((x 2 − x 1 ) = (x − x) = 0) has to be computed. As we stated, by the extended Euclidean algorithm, or by using Fermat's little theorem, we obtain zero for the inversion of zero. This demonstrates that by our Algorithm 6, we can compute P + Q = O: Further, extracting the factor of (2y 1 ) −1 does not affect the doubling of other points. The y-coordinate of P becomes zero only when 2P = O. The variant of the affine doubling formula is exception-free, implying that it can compute the doubling of all points on E(F p ), which does not include the point (0, 0). Importantly, the original affine addition formulae cannot compute P + P, P + Q = O, P + O, and 2P = O, while our extended affine addition formulae can compute P + Q = O and 2P = O correctly. The Jacobian and Projective addition formulae can compute P + Q = O and 2P = O correctly. Thus, both coordinates become "executable coordinates" in our Algorithms 9-10, where extended affine coordinates are "executable coordinates". This implies that if our algorithms perform well on the extended affine to compute elliptic curve scalar multiplications, our approach can be easily extended to the Jacobian addition formulae or Projective addition formulae.

Secure and Efficient RL Elliptic Curve Scalar Multiplication
We improve Algorithm 2 and propose Algorithms 9 and 10, which avoid exceptional inputs such as P + P, P + O, P − P, and 2P = O with a two-torsion point P. Then, we combine Al-gorithms 9 and 10 with (extended) affine to secure elliptic curve scalar multiplication algorithms.
We also enhance the efficiency of our method by two-bit scanning using the affine double and quadruple formulae (DQformula) [14], which can compute both 2P and 4P simultaneously with only one inversion computation, denoted by {2P, 4P} ← DQ(P). Thus, the computational cost of obtaining both 2P and 4P in affine coordinates is t({2P, 4P} ← P) = 8M + 8S + I. We revise the details of operations in Algorithm 8 to optimize the use of memory. In fact, the necessary memory in the DQ-formula is improved to 10 field elements.
First, we improve Algorithm 2 to obtain the new 2-ary RL algorithm 9 and combine it with two-bit scanning to obtain the new two-bit 2-ary RL algorithm 10. For Algorithm 10, we adjust the length of |k| to be odd by padding "0" in front of input scalar |k|. Thus, two-bit scanning can operate well for even or odd length of |k|. Both Algorithms 9 and 10 assume that k ∈ Z/NZ is in . Actually, k is determined by modulo N; thus, this is a natural setting. This technique ensures that our algorithms exclude exceptional points exactly, as shown in Theorem 2. Then, k is represented by 2:

Algorithm 9 New 2-ary RL algorithm
added to the final result in the final step of our algorithms. Thus, we avoid the exceptional computation in the original final correction, A ← A + P, of Algorithm 2.
Step 3 of Algorithms 9 and 10 helps to avoid the exceptional computations of P + P or P − P if A is initialized as P. The final correction adjusts the excess computations by Step 3 in Algorithms 9 and 10.
Next, we explain the (extended) affine (ordinary and our extended version) that is used in Algorithms 9 and 10. The original affine coordinates are used in Steps 1-9 of Algorithm 9 and Steps 1-11 of Algorithm 10. Our extended affine formulae are used only once in Step 10 of Algorithm 9 and Step 12 of Algorithm 10. Actually, extended affine is necessary only for k = 0. If k = 0 is surely excluded from the input, then we can use only ordinary affine in the whole Algorithms 9 and 10. Our Algorithms 9 and 10 satisfy generality of k and secure generality. Theorem 2 proves that Algorithms 9-10 avoid all exceptional computations of (extended) affine when k ∈ [− N 2 , N 2 ]. Theorem 2 Let E(F p ) be an elliptic curve without twotorsion points. Let P ∈ E(F p ), P O be an elliptic curve point, whose order is N 3. Then, Algorithms 9 and 10 using (extended) affine can compute kP correctly for any input k ∈ [− N 2 , N 2 ] without introducing conditional statements.
Proof 2 We prove that all three parts exclude the exceptional computations of affine coordinates, which are additions of P ± P and O+ P, and doubling of 2P = O. The doubling of 2P = O does not appear in the algorithms because of the assumption that E(F p ) is without two-torsion points. Thus, we only focus on exceptional additions.
In the initialization, R[0] and R [1] initialized as (P x , −P y ) and (P x , P y ) are "odd" scalar points such as (2t + 1)P, t ∈ Z. A initialized as ((2P) x , (2P) y ) is an "even" scalar point such as (2t)P, t ∈ Z. It is obvious that R[0] ← −P + 2P or R [1] ← P + 2P in Step 4 can be computed correctly by the original affine addition formula if N 3.

2) R[0]
O is always updated as an "odd" scalar point with a smaller scalar than A after one loop computation. 3) R [1] O is also always updated as an "odd" scalar point. If |k| = {1} ł , R [1] is always with a larger scalar than A and is updated to (2 ł + 1)P, (2 ł +1) ≤ N at the end of main loop. If N = (2 ł +1) then |k| = {1} ł , which is larger than N 2 , cannot be a valid input. Thus, R[1] may be with a larger scalar than A but never equals to NP = O. In summary, R[0], R [1], A O are scalar points of P whose scalars are never over N. Therefore, during the main loop, the exceptional computations O + P and P + Q = O does not appear. The exceptional addition P+P does not appear because that the "odd" scalar point (R[.]) can never be the same point as the "even" scalar point (A). The computations in the main loop exclude the exceptional computations of affine coordinates.
In the final correction, the exceptional computation O + P does not appear in Step 9 of Algorithm 9. Because after the main loop, R[k 0 ] O is shown. The exceptional computation P + P does not appear in Step 9 of Algorithm 9. R[k 0 ] is an "odd" scalar point and −P = (N − 1)P is an "even" scalar point. They cannot be the same.
Step 9 of Algorithm 9 computes P − P = O when only k 0 = 0. However, we can put a "0" in front of |k| to avoid this. This additional "0" causes R[0] ← R[0] + 2 ł P which can also be computed correctly and A is updated as (2 ł+1 )P. In Step 10 of The two-bit scanning version analysis proceeds in an analogous way.

Theoretical Analysis
We analyze the computational and memory cost of Algorithms 9 and 10 with (extended) affine and Algorithm 2 with CA formulae, which is shown in Table 2. The memory cost counts the number of F p elements, including the memory used in the addition formulae. As for computational cost, we evaluate all algorithms by estimating the number of modulo multiplication (M), modulo square (S ), multiplication with parameters a and b (ma and mb), addition (A), and inversion (I). The total computational cost of Algorithm 2 with CA formulae is (ł + 1)24M if we ignore the computational cost of ma, mb, and A. Assuming the c 2020 Information Processing Society of Japan    Table 3.
As for the memory cost, Algorithms 9 and 10 can reduce that of Algorithm 2 with CA formulae by 37% and 21%, respectively.

Experimental Results
We have implemented Algorithms 9 and 10 with (extended) affine and Algorithm 2 with CA formulae on NIST P-224, P-256, and P-384, which are shown in Table 4. We randomly generate 10 5 test scalars during the interval of [− N 2 , N 2 ], where N is the order of the point P. The experimental platform uses C programming language with GNU MP 6.1.2 and Intel (R) Core (TM) i7-8650U CPU @ 1.90 GHz 2.11 GHz personal computer with 16.0 GB RAM 64-bit; the operating system is Windows 10. Table 5 shows the average scalar multiplication time of Algorithms 9 and 10 with (extended) affine and Algorithm 2 with CA formulae. Table 5 shows that Algorithms 9 and 10 reduce the computational time of Algorithm 2 by 28.39% and 29.62%, 20.04% and 25.28%, and 6.53% and 14.72%, over NIST P-224, P-256, and P-384, respectively.
As we have already established, the efficiency of our algorithms depends on the ratio I M . Our Algorithm 10 is the most efficient in our experiment, although the ratio I M in the GNU MP library is approximately between 4 and 7 in Table 6. Function calls and the number of loops may cost time. Algorithm 10 has

Conclusion
We have proposed two new secure and compact RL elliptic curve scalar multiplication Algorithms 9 and 10 with (extended) affine coordinates. Our algorithms have generality of k and secure generality and can exclude exceptional computations of O + P, P − P = O, and P + P. Our extended affine coordinates can compute P − P = O and 2P = O by introducing a point (0, 0) as O when an elliptic curve E(F p ) (0, 0). From the theoretical point of view, our results can be summarized as follows. When omitting the computational cost of ma, mb, and A, Algorithm 10 with (extended) affine is the most efficient if 7.2 < I M < 9.3, Algorithm 9 with (extended) affine is the most efficient if I M < 7.2, and Algorithm 2 with CA formulae is the most efficient if I M > 9.3. In many cases, such as for NIST elliptic curves, we can only omit the computational cost of ma and A. In this case, Algorithm 10 with (extended) affine is the most efficient if 7.2 < I M < 12, Algorithm 9 with (extended) affine is the most efficient if I M < 7.2, and Algorithm 2 with CA formulae is the most efficient if I M > 12. Algorithms 9 and 10 with (extended) affine can reduce the memory of Algorithm 2 with CA formulae by 37% and 21%, respectively.

Editor's Recommendation
This paper proposes efficient algorithms for elliptic curve cryptography (ECC), which yet secure against side-channel attacks. In ECC, side-channel information mainly leaks from the fact that conventional formulae for ECC operations need to handle the point at infinity as an exceptional input. Previous works therefore proposed new formulae to circumvent such exception. In contrast with them, the paper proposes to handle the point at infinity as a point (0, 0) and shows conventional Affine formula can properly handle the point as usual input. The paper also provides a theoretical analysis of security and efficiency, and shows superiority compared with previous works. The paper gives a new approach for secure ECC implementations and thus is selected as a recommended paper.