Application of Montgomery’s Trick to Scalar Multiplication for Elliptic and Hyperelliptic Curves Using a Fixed Base Point Pradeep Kumar Mishra and Palash Sarkar Cryptology Research Group, Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata-700108, INDIA Abstract. We propose a scalar multiplication algorithm for elliptic and hyperelliptic curve cryptosystems, which uses affine arithmetic and is re- sistant against simple power attacks. Also, using a modification of known techniques the algorithm can be made immune against differential power attacks. The algorithm uses Montgomery’s trick and a precomputed ta- ble consisting of multiples of the base point. Consequently, the algorithm is useful in a scenario where the base point is fixed, like Elgamal encryp- tion or signature generation. Under such circumstances, for hyperelliptic curves, the algorithm compares favourably with other known algorithms over all fields. For elliptic curves, under similar circumstances, the al- gorithm performs better than other algorithms over prime fields. The increase in speed is due to a proper application of Montgomery’s trick to efficiently perform the simultaneous inversion of several field elements. Keywords : elliptic curves, hyperelliptic curves, scalar multipi- cation, field inversion, explicit formulae, side-channel attacks. 1 Introduction Elliptic curve cryptosystems (ECC) in recent years are gradually being inducted into many standards like ANSI, IEEE, NIST etc. The main advantage of these cryptosystems is that the key size is quite small in comparison to other cryp- tosystems like RSA, making these suitable for resource constrained devices, like smart card. Hyperelliptic curve cryptosystems (HECC) are also attractive, as the underlying field size is smaller and there are many more curves to choose from. ECC has already established itself as a popular public key cryptosystem. However, computational complexity of the HECC has till now come in the way of its commercial utilisation. Several research groups around the world have now diverted their attention to HECC to reduce its complexity and make it available for popular applications. Both ECC and HECC are based on the discrete logarithm problem. The underlying group in ECC is provided by the set of points on the curve over a finite field on which an additive group operation is defined. On the other hand, F. Bao et al. (Eds.): PKC 2004, LNCS 2947, pp. 41–54, 2004. c  International Association for Cryptologic Research 2004