Fast, uniform, and compact scalar multiplication for elliptic curves and genus 2 Jacobians with applications to signature schemes

We give a general framework for uniform, constant-time one-and two-dimensional scalar multiplication algorithms for elliptic curves and Jacobians of genus 2 curves that operate by projecting to the x-line or Kummer surface, where we can exploit faster and more uniform pseudomultiplication, before recovering the proper "signed" output back on the curve or Jacobian. This extends the work of L{\'o}pez and Dahab, Okeya and Sakurai, and Brier and Joye to genus 2, and also to two-dimensional scalar multiplication. Our results show that many existing fast pseudomultiplication implementations (hitherto limited to applications in Diffie--Hellman key exchange) can be wrapped with simple and efficient pre-and post-computations to yield competitive full scalar multiplication algorithms, ready for use in more general discrete logarithm-based cryptosystems, including signature schemes. This is especially interesting for genus 2, where Kummer surfaces can outperform comparable elliptic curve systems. As an example, we construct an instance of the Schnorr signature scheme driven by Kummer surface arithmetic

Fast genus 2 arithmetic based on Theta functions

descriptionInternational audienceIn 1986, D. V. Chudnovsky and G. V. Chudnovsky proposed to use formulae coming from Theta functions for the arithmetic in Jacobians of genus 2 curves. We follow this idea and derive fast formulae for the scalar multiplication in the Kummer surface associated to a genus 2 curve, using a Montgomery ladder. Our formulae can be used to design very efficient genus 2 cryptosystems that should be faster than elliptic curve cryptosystems in some hardware configurations

Computing supersingular isogenies on Kummer surfaces

We apply Scholten\u27s construction to give explicit isogenies between the Weil restriction of supersingular Montgomery curves with full rational 2-torsion over $GF(p^2)$ and corresponding abelian surfaces over $GF(p)$. Subsequently, we show that isogeny-based public key cryptography can exploit the fast Kummer surface arithmetic that arises from the theory of theta functions. In particular, we show that chains of 2-isogenies between elliptic curves can instead be computed as chains of Richelot (2,2)-isogenies between Kummer surfaces. This gives rise to new possibilities for efficient supersingular isogeny-based cryptography

Fast Cryptography in Genus 2

In this paper we highlight the benefits of using genus 2 curves in public-key cryptography. Compared to the standardized genus 1 curves, or elliptic curves, arithmetic on genus 2 curves is typically more involved but allows us to work with moduli of half the size. We give a taxonomy of the best known techniques to realize genus 2 based cryptography, which includes fast formulas on the Kummer surface and efficient 4-dimensional GLV decompositions. By studying different modular arithmetic approaches on these curves, we present a range of genus 2 implementations. On a single core of an Intel Core i7-3520M (Ivy Bridge), our implementation on the Kummer surface breaks the 125 thousand cycle barrier which sets a new software speed record at the 128-bit security level for constant-time scalar multiplications compared to all previous genus 1 and genus 2 implementations

Kummer for Genus One over Prime Order Fields

This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz in 2009 had suggested the use of the associated Kummer line to speed up scalar multiplication. In the present work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. It turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines denoted as $K_1:={\sf KL2519(81,20)}$, $K_2:={\sf KL25519(82,77)}$ and $K_3:={\sf KL2663(260,139)}$ over the three primes $2^{251}-9$, $2^{255}-19$ and $2^{266}-3$ respectively. Implementations of scalar multiplications for all three Kummer lines using Intel intrinsics have been done and the code is publicly available. Timing results on the Skylake and the Haswell processors of Intel indicate that both fixed base and variable base scalar multiplications for $K_1$ and $K_2$ are faster than those achieved by {\sf Sandy2x}, which is a highly optimised SIMD implementation in assembly of the well known {\sf Curve25519}; for example, on Skylake, variable base scalar multiplication on $K_1$ is faster than {\sf Curve25519} by about 30\%. On Skylake, both fixed base and variable base scalar multiplication for $K_3$ are faster than {\sf Sandy2x}; whereas on Haswell, fixed base scalar multiplication for $K_3$ is faster than {\sf Sandy2x} while variable base scalar multiplication for both $K_3$ and {\sf Sandy2x} take roughly the same time. In fact, on Skylake, $K_3$ is both faster and also offers about 5 bits of higher security compared to {\sf Curve25519}. In practical terms, the particular Kummer lines that are introduced in this work are serious candidates for deployment and standardisation. We further illustrate the usefulness of the proposed Kummer lines by instantiating the quotient Digital Signature Algorithm (qDSA) on all the three Kummer lines

A fast Diffie-Hellman protocol in genus 2

In this paper it is shown how the multiplication by M map on the Kummer surface of a curve of genus 2 defined over F-q can be used to construct a Diffie-Hellman protocol. We show that this map can be computed using only additions and multiplications in F-q. In particular we do not use any divisions, polynomial arithmetic, or square root functions in F-q, hence this may be easier to implement than multiplication by M on the Jacobian. In addition we show that using the Kummer surface does not lead to any loss in security