Twisted \({\mu }_4\)-Normal Form for Elliptic Curves

We introduce the twisted \(\varvec{\mu }_4\)-normal form for elliptic curves, deriving in particular addition algorithms with complexity \(9{\mathbf {M}}+ 2{\mathbf {S}}\) and doubling algorithms with complexity \(2{\mathbf {M}}+ 5{\mathbf {S}}+ 2{\mathbf {m}}\) over a binary field. Every ordinary elliptic curve over a finite field of characteristic 2 is isomorphic to one in this family. This improvement to the addition algorithm, applicable to a larger class of curves, is comparable to the \(7{\mathbf {M}}+ 2{\mathbf {S}}\) achieved for the \(\varvec{\mu }_4\)-normal form, and replaces the previously best known complexity of \(13{\mathbf {M}}+ 3{\mathbf {S}}\) on López-Dahab models applicable to these twisted curves. The derived doubling algorithm is essentially optimal, without any assumption of special cases. We show moreover that the Montgomery scalar multiplication with point recovery carries over to the twisted models, giving symmetric scalar multiplication adapted to protect against side channel attacks, with a cost of \(4{\mathbf {M}}+ 4{\mathbf {S}}+ 1{\mathbf {m}}_t + 2{\mathbf {m}}_c\) per bit. In characteristic different from 2, we establish a linear isomorphism with the twisted Edwards model over the base field. This work, in complement to the introduction of \(\varvec{\mu }_4\)-normal form, fills the lacuna in the body of work on efficient arithmetic on elliptic curves over binary fields, explained by this common framework for elliptic curves in \(\varvec{\mu }_4\)-normal form over a field of any characteristic. The improvements are analogous to those which the Edwards and twisted Edwards models achieved for elliptic curves over finite fields of odd characteristic and extend \(\varvec{\mu }_4\)-normal form to cover the binary NIST curves.