14 research outputs found
Endomorphisms for faster elliptic curve cryptography on a large class of curves
Efficiently computable homomorphisms allow elliptic curve point
multiplication to be accelerated using the Gallant-Lambert-Vanstone
(GLV) method.
We extend results of Iijima, Matsuo, Chao and Tsujii which give
such homomorphisms
for a large class of elliptic curves by working over quadratic extensions
and demonstrate that these results can be applied to the
GLV method.
Our implementation runs in between 0.70 and 0.84 the time
of the previous best methods for elliptic
curve point multiplication on curves without small class number
complex multiplication. Further speedups are
possible when using more special curves
Families of fast elliptic curves from Q-curves
We construct new families of elliptic curves over \FF_{p^2} with
efficiently computable endomorphisms, which can be used to accelerate elliptic
curve-based cryptosystems in the same way as Gallant-Lambert-Vanstone (GLV) and
Galbraith-Lin-Scott (GLS) endomorphisms. Our construction is based on reducing
\QQ-curves-curves over quadratic number fields without complex
multiplication, but with isogenies to their Galois conjugates-modulo inert
primes. As a first application of the general theory we construct, for every
, two one-parameter families of elliptic curves over \FF_{p^2}
equipped with endomorphisms that are faster than doubling. Like GLS (which
appears as a degenerate case of our construction), we offer the advantage over
GLV of selecting from a much wider range of curves, and thus finding secure
group orders when is fixed. Unlike GLS, we also offer the possibility of
constructing twist-secure curves. Among our examples are prime-order curves
equipped with fast endomorphisms, with almost-prime-order twists, over
\FF_{p^2} for and
Easy scalar decompositions for efficient scalar multiplication on elliptic curves and genus 2 Jacobians
The first step in elliptic curve scalar multiplication algorithms based on
scalar decompositions using efficient endomorphisms-including
Gallant-Lambert-Vanstone (GLV) and Galbraith-Lin-Scott (GLS) multiplication, as
well as higher-dimensional and higher-genus constructions-is to produce a short
basis of a certain integer lattice involving the eigenvalues of the
endomorphisms. The shorter the basis vectors, the shorter the decomposed scalar
coefficients, and the faster the resulting scalar multiplication. Typically,
knowledge of the eigenvalues allows us to write down a long basis, which we
then reduce using the Euclidean algorithm, Gauss reduction, LLL, or even a more
specialized algorithm. In this work, we use elementary facts about quadratic
rings to immediately write down a short basis of the lattice for the GLV, GLS,
GLV+GLS, and Q-curve constructions on elliptic curves, and for genus 2 real
multiplication constructions. We do not pretend that this represents a
significant optimization in scalar multiplication, since the lattice reduction
step is always an offline precomputation---but it does give a better insight
into the structure of scalar decompositions. In any case, it is always more
convenient to use a ready-made short basis than it is to compute a new one
Point compression for the trace zero subgroup over a small degree extension field
Using Semaev's summation polynomials, we derive a new equation for the
-rational points of the trace zero variety of an elliptic curve
defined over . Using this equation, we produce an optimal-size
representation for such points. Our representation is compatible with scalar
multiplication. We give a point compression algorithm to compute the
representation and a decompression algorithm to recover the original point (up
to some small ambiguity). The algorithms are efficient for trace zero varieties
coming from small degree extension fields. We give explicit equations and
discuss in detail the practically relevant cases of cubic and quintic field
extensions.Comment: 23 pages, to appear in Designs, Codes and Cryptograph
A Comparison of Double Point Multiplication Algorithms and their Implementation over Binary Elliptic Curves
Efficient implementation of double point multiplication is crucial for elliptic curve cryptographic systems. We revisit three recently proposed simultaneous double point multiplication algorithms. We propose hardware architectures for these algorithms, and provide a comparative analysis of their performance. We implement the proposed architectures on Xilinx Virtex-4 FPGA, and report on the area and time results . Our results indicate that differential addition chain based algorithms are better suited to compute double point multiplication over binary elliptic curves for both high performance and resource constrained applications
The Pairing Computation on Edwards Curves
We propose an elaborate geometry approach to explain the group law on twisted Edwards curves which are seen as the intersection of quadric surfaces in place. Using the geometric
interpretation of the group law, we obtain the Miller function for Tate pairing computation on twisted Edwards curves. Then we present the explicit formulae for pairing computation on twisted Edwards curves. Our formulae for the doubling step are a little faster than that proposed by Arène et al. Finally, to improve the efficiency of pairing computation, we present twists of degrees 4 and 6 on twisted Edwards curves
Generalised Mersenne Numbers Revisited
Generalised Mersenne Numbers (GMNs) were defined by Solinas in 1999 and
feature in the NIST (FIPS 186-2) and SECG standards for use in elliptic curve
cryptography. Their form is such that modular reduction is extremely efficient,
thus making them an attractive choice for modular multiplication
implementation. However, the issue of residue multiplication efficiency seems
to have been overlooked. Asymptotically, using a cyclic rather than a linear
convolution, residue multiplication modulo a Mersenne number is twice as fast
as integer multiplication; this property does not hold for prime GMNs, unless
they are of Mersenne's form. In this work we exploit an alternative
generalisation of Mersenne numbers for which an analogue of the above property
--- and hence the same efficiency ratio --- holds, even at bitlengths for which
schoolbook multiplication is optimal, while also maintaining very efficient
reduction. Moreover, our proposed primes are abundant at any bitlength, whereas
GMNs are extremely rare. Our multiplication and reduction algorithms can also
be easily parallelised, making our arithmetic particularly suitable for
hardware implementation. Furthermore, the field representation we propose also
naturally protects against side-channel attacks, including timing attacks,
simple power analysis and differential power analysis, which is essential in
many cryptographic scenarios, in constrast to GMNs.Comment: 32 pages. Accepted to Mathematics of Computatio
Elliptic and Hyperelliptic Curves: A Practical Security Analysis
Motivated by the advantages of using elliptic curves for discrete logarithm-based public-key cryptography, there is an active research area investigating the potential of using hyperelliptic curves of genus 2. For both types of curves, the best known algorithms to solve the discrete logarithm problem are generic attacks such as Pollard rho, for which it is well-known that the algorithm can be sped up when the target curve comes equipped with an efficiently computable automorphism. In this paper we incorporate all of the known optimizations (including those relating to the automorphism group) in order to perform a systematic security assessment of two elliptic curves and two hyperelliptic curves of genus 2. We use our software framework to give concrete estimates on the number of core years required to solve the discrete logarithm problem on four curves that target the 128-bit security level: on the standardized NIST CurveP-256, on a popular curve from the Barreto-Naehrig family, and on their respective analogues in genus 2. © 2014 Springer-Verlag Berlin Heidelberg
Diversity and Transparency for ECC
Generating and standardizing elliptic curves to use
them in a cryptographic context is a hard task.
In this note, we don’t make an explicit proposal
for an elliptic curve, but we deal with the following
issues.
Security: We give a list of criteria that should be
satisfied by a secure elliptic curve. Although a few
of these criteria are incompatible, we detail what we
think are the best choices for optimal security.
Transparency: We sketch a way to generate a
curve in a fully transparent way so that it can be
trusted and not suspected to belong to a (not publicly
known to be) vulnerable class. In particular, since the
computational cost of verifying the output of such a
process may be quite high, we sketch out the format
of a certificate that eases the computations. We think
that this format might deserve being standardized