Families of fast elliptic curves from Q-curves

We construct new families of elliptic curves over \FF_{p^2} with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant-Lambert-Vanstone (GLV) and Galbraith-Lin-Scott (GLS) endomorphisms. Our construction is based on reducing \QQ-curves-curves over quadratic number fields without complex multiplication, but with isogenies to their Galois conjugates-modulo inert primes. As a first application of the general theory we construct, for every $p > 3$, two one-parameter families of elliptic curves over \FF_{p^2} equipped with endomorphisms that are faster than doubling. Like GLS (which appears as a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when $p$ is fixed. Unlike GLS, we also offer the possibility of constructing twist-secure curves. Among our examples are prime-order curves equipped with fast endomorphisms, with almost-prime-order twists, over \FF_{p^2} for $p = 2^{127}-1$ and $p = 2^{255}-19$

The Q-curve construction for endomorphism-accelerated elliptic curves

We give a detailed account of the use of $\mathbb{Q}$-curve reductions to construct elliptic curves over $\mathbb{F}\_{p^2}$ with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant--Lambert--Vanstone (GLV) and Galbraith--Lin--Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when $p$ is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over $\mathbb{F}\_{p^2}$ equipped with efficient endomorphisms for every p \textgreater{} 3, and exhibit examples of twist-secure curves over $\mathbb{F}\_{p^2}$ for the efficient Mersenne prime $p = 2^{127}-1$.Comment: To appear in the Journal of Cryptology. arXiv admin note: text overlap with arXiv:1305.540

Isogeny-based post-quantum key exchange protocols

The goal of this project is to understand and analyze the supersingular isogeny Diffie Hellman (SIDH), a post-quantum key exchange protocol which security lies on the isogeny-finding problem between supersingular elliptic curves. In order to do so, we first introduce the reader to cryptography focusing on key agreement protocols and motivate the rise of post-quantum cryptography as a necessity with the existence of the model of quantum computation. We review some of the known attacks on the SIDH and finally study some algorithmic aspects to understand how the protocol can be implemented

Four-Dimensional Gallant-Lambert-Vanstone Scalar Multiplication

The GLV method of Gallant, Lambert and Vanstone~(CRYPTO 2001) computes any multiple $kP$ of a point $P$ of prime order $n$ lying on an elliptic curve with a low-degree endomorphism $\Phi$ (called GLV curve) over $\mathbb{F}_p$ as $kP = k_1P + k_2\Phi(P)$, with $\max\{|k_1|,|k_2|\}\leq C_1\sqrt n$ for some explicit constant $C_1>0$. Recently, Galbraith, Lin and Scott (EUROCRYPT 2009) extended this method to all curves over $\mathbb{F}_{p^2}$ which are twists of curves defined over $\mathbb{F}_p$. We show in this work how to merge the two approaches in order to get, for twists of any GLV curve over $\mathbb{F}_{p^2}$, a four-dimensional decomposition together with fast endomorphisms $\Phi, \Psi$ over $\mathbb{F}_{p^2}$ acting on the group generated by a point $P$ of prime order $n$, resulting in a proven decomposition for any scalar $k\in[1,n]$ given by $kP=k_1P+ k_2\Phi(P)+ k_3\Psi(P) + k_4\Psi\Phi(P)$, with $\max_i (|k_i|)0$. Remarkably, taking the best $C_1, C_2$, we obtain $C_2/C_1<412$, independently of the curve, ensuring in theory an almost constant relative speedup. In practice, our experiments reveal that the use of the merged GLV-GLS approach supports a scalar multiplication that runs up to 50\% faster than the original GLV method. We then improve this performance even further by exploiting the Twisted Edwards model and show that curves originally slower may become extremely efficient on this model. In addition, we analyze the performance of the method on a multicore setting and describe how to efficiently protect GLV-based scalar multiplication against several side-channel attacks. Our implementations improve the state-of-the-art performance of point multiplication for a variety of scenarios including side-channel protected and unprotected cases with sequential and multicore execution

Efficient and Secure ECDSA Algorithm and its Applications: A Survey

Public-key cryptography algorithms, especially elliptic curve cryptography (ECC)and elliptic curve digital signature algorithm (ECDSA) have been attracting attention frommany researchers in different institutions because these algorithms provide security andhigh performance when being used in many areas such as electronic-healthcare, electronicbanking,electronic-commerce, electronic-vehicular, and electronic-governance. These algorithmsheighten security against various attacks and the same time improve performanceto obtain efficiencies (time, memory, reduced computation complexity, and energy saving)in an environment of constrained source and large systems. This paper presents detailedand a comprehensive survey of an update of the ECDSA algorithm in terms of performance,security, and applications

Fast Cryptography in Genus 2

In this paper we highlight the benefits of using genus 2 curves in public-key cryptography. Compared to the standardized genus 1 curves, or elliptic curves, arithmetic on genus 2 curves is typically more involved but allows us to work with moduli of half the size. We give a taxonomy of the best known techniques to realize genus 2 based cryptography, which includes fast formulas on the Kummer surface and efficient 4-dimensional GLV decompositions. By studying different modular arithmetic approaches on these curves, we present a range of genus 2 implementations. On a single core of an Intel Core i7-3520M (Ivy Bridge), our implementation on the Kummer surface breaks the 125 thousand cycle barrier which sets a new software speed record at the 128-bit security level for constant-time scalar multiplications compared to all previous genus 1 and genus 2 implementations

Methodological Fundamentalism: or why Batterman’s Different Notions of ‘Fundamentalism’ may not make a Difference

I argue that the distinctions Robert Batterman (2004) presents between ‘epistemically fundamental’ versus ‘ontologically fundamental’ theoretical approaches can be subsumed by methodologically fundamental procedures. I characterize precisely what is meant by a methodologically fundamental procedure, which involves, among other things, the use of multilinear graded algebras in a theory’s formalism. For example, one such class of algebras I discuss are the Clifford (or Geometric) algebras. Aside from their being touted by many as a “unified mathematical language for physics,” (Hestenes (1984, 1986) Lasenby, et. al. (2000)) Finkelstein (2001, 2004) and others have demonstrated that the techniques of multilinear algebraic ‘expansion and contraction’ exhibit a robust regularizablilty. That is to say, such regularization has been demonstrated to remove singularities, which would otherwise appear in standard field-theoretic, mathematical characterizations of a physical theory. I claim that the existence of such methodologically fundamental procedures calls into question one of Batterman’s central points, that “our explanatory physical practice demands that we appeal essentially to (infinite) idealizations” (2003, 7) exhibited, for example, by singularities in the case of modeling critical phenomena, like fluid droplet formation. By way of counterexample, in the field of computational fluid dynamics (CFD), I discuss the work of Mann & Rockwood (2003) and Gerik Scheuermann, (2002). In the concluding section, I sketch a methodologically fundamental procedure potentially applicable to more general classes of critical phenomena appearing in fluid dynamics

The endomorphism ring problem and supersingular isogeny graphs

Supersingular isogeny graphs, which encode supersingular elliptic curves and their isogenies, have recently formed the basis for a number of post-quantum cryptographic protocols. The study of supersingular elliptic curves and their endomorphism rings has a long history and is intimately related to the study of quaternion algebras and their maximal orders. In this thesis, we give a treatment of the theory of quaternion algebras and elliptic curves over finite fields as these relate to supersingular isogeny graphs and computational problems on such graphs, in particular, consolidating and surveying results in the research literature. We also perform some numerical experiments on supersingular isogeny graphs and establish a number of refined upper bounds on supersingular elliptic curves with small non-integer endomorphisms