Fast Scalar Multiplication for Elliptic Curves over Prime Fields by Efficiently Computable Formulas

This paper addresses fast scalar multiplication for elliptic curves over finite fields. In the first part of the paper, we obtain several efficiently computable formulas for basic elliptic curves arithmetic in the family of twisted Edwards curves over prime fields. Our $2Q+P$ formula saves about $2.8$ field multiplications, and our $5P$ formula saves about $4.2$ field multiplications in standard projective coordinate systems, compared to the latest existing results. In the second part of the paper, we formulate bucket methods for the DAG-based and the tree-based abstract ideas. We propose systematically finding a near optimal chain for multi-base number systems (MBNS). These proposed bucket methods take significantly less time to find a near optimal chain, compared to an optimal chain. We conducted extensive experiments to compare the performance of the MBNS methods (e.g., greedy, ternary/binary, multi-base NAF, tree-based, rDAG-based, and bucket). Our proposed formulas were integrated in these methods. Our results show our work had an important role in advancing the efficiency of scalar multiplication

Efficient algorithms for pairing-based cryptosystems

We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in larger characteristics.We also propose faster algorithms for scalar multiplication in characteristic 3 and square root extraction over Fpm, the latter technique being also useful in contexts other than that of pairing-based cryptography

Multi-Base Chains for Faster Elliptic Curve Cryptography

This research addresses a multi-base number system (MBNS) for faster elliptic curve cryptography (ECC). The emphasis is on speeding up the main operation of ECC: scalar multiplication (tP). Mainly, it addresses the two issues of using the MBNS with ECC: deriving optimized formulas and choosing fast methods. To address the first issue, this research studies the optimized formulas (e.g., 3P, 5P) in different elliptic curve coordinate systems over prime and binary fields. For elliptic curves over prime fields, affine Weierstrass, Jacobian Weierstrass, and standard twisted Edwards coordinate systems are reviewed. For binary elliptic curves, affine, Lambda-projective, and twisted mu4-normal coordinate systems are reviewed. Additionally, whenever possible, this research derives several optimized formulas for these coordinate systems. To address the second issue, this research theoretically and experimentally studies the MBNS methods with respect to the average chain length, the average chain cost, and the average conversion cost. The reviewed MBNS methods are greedy, ternary/binary, multi-base NAF, tree-based, and rDAG-based. The emphasis is on these methods\u27 techniques to convert integer t to multi-base chains. Additionally, this research develops bucket methods that advance the MBNS methods. The experimental results show that the MBNS methods with the optimized formulas, in general, have good improvements on the performance of scalar multiplication, compared to the single-base number system methods

Isogeny-based post-quantum key exchange protocols

The goal of this project is to understand and analyze the supersingular isogeny Diffie Hellman (SIDH), a post-quantum key exchange protocol which security lies on the isogeny-finding problem between supersingular elliptic curves. In order to do so, we first introduce the reader to cryptography focusing on key agreement protocols and motivate the rise of post-quantum cryptography as a necessity with the existence of the model of quantum computation. We review some of the known attacks on the SIDH and finally study some algorithmic aspects to understand how the protocol can be implemented

Four-dimensional GLV via the Weil restriction

The Gallant-Lambert-Vanstone (GLV) algorithm uses efficiently computable endomorphisms to accelerate the computation of scalar multiplication of points on an abelian variety. Freeman and Satoh proposed for cryptographic use two families of genus 2 curves defined over \F_{p} which have the property that the corresponding Jacobians are $(2,2)$-isogenous over an extension field to a product of elliptic curves defined over \F_{p^2}. We exploit the relationship between the endomorphism rings of isogenous abelian varieties to exhibit efficiently computable endomorphisms on both the genus 2 Jacobian and the elliptic curve. This leads to a four dimensional GLV method on Freeman and Satoh\u27s Jacobians and on two new families of elliptic curves defined over \F_{p^2}

Efficient hash maps to G2 on BLS curves

When a pairing e:G1×G2→GT, on an elliptic curve E defined over a finite field Fq, is exploited for an identity-based protocol, there is often the need to hash binary strings into G1 and G2. Traditionally, if E admits a twist E~ of order d, then G1=E(Fq)∩E[r], where r is a prime integer, and G2=E~(Fqk/d)∩E~[r], where k is the embedding degree of E w.r.t. r. The standard approach for hashing into G2 is to map to a general point P∈E~(Fqk/d) and then multiply it by the cofactor c=#E~(Fqk/d)/r. Usually, the multiplication by c is computationally expensive. In order to speed up such a computation, two different methods—by Scott et al. (International conference on pairing-based cryptography. Springer, Berlin, pp 102–113, 2009) and by Fuentes-Castaneda et al. (International workshop on selected areas in cryptography)—have been proposed. In this paper we consider these two methods for BLS pairing-friendly curves having k∈{12,24,30,42,48}, providing efficiency comparisons. When k=42,48, the application of Fuentes et al. method requires expensive computations which were infeasible for the computational power at our disposal. For these cases, we propose hashing maps that we obtained following Fuentes et al. idea.publishedVersio

Efficient hash maps to G2 on BLS curves

When a pairing e:G1×G2→GT, on an elliptic curve E defined over a finite field Fq, is exploited for an identity-based protocol, there is often the need to hash binary strings into G1 and G2. Traditionally, if E admits a twist E~ of order d, then G1=E(Fq)∩E[r], where r is a prime integer, and G2=E~(Fqk/d)∩E~[r], where k is the embedding degree of E w.r.t. r. The standard approach for hashing into G2 is to map to a general point P∈E~(Fqk/d) and then multiply it by the cofactor c=#E~(Fqk/d)/r. Usually, the multiplication by c is computationally expensive. In order to speed up such a computation, two different methods—by Scott et al. (International conference on pairing-based cryptography. Springer, Berlin, pp 102–113, 2009) and by Fuentes-Castaneda et al. (International workshop on selected areas in cryptography)—have been proposed. In this paper we consider these two methods for BLS pairing-friendly curves having k∈{12,24,30,42,48}, providing efficiency comparisons. When k=42,48, the application of Fuentes et al. method requires expensive computations which were infeasible for the computational power at our disposal. For these cases, we propose hashing maps that we obtained following Fuentes et al. idea

Fast Scalar Multiplication for Elliptic Curves over Binary Fields by Efficiently Computable Formulas

This paper considers efficient scalar multiplication of elliptic curves over binary fields with a twofold purpose. Firstly, we derive the most efficient $3P$ formula in $\lambda$-projective coordinates and $5P$ formula in both affine and $\lambda$-projective coordinates. Secondly, extensive experiments have been conducted to test various multi-base scalar multiplication methods (e.g., greedy, ternary/binary, multi-base NAF, and tree-based) by integrating our fast formulas. The experiments show that our $3P$ and $5P$ formulas had an important role in speeding up the greedy, the ternary/binary, the multi-base NAF, and the tree-based methods over the NAF method. We also establish an efficient $3P$ formula for Koblitz curves and use it to construct an improved set for the optimal pre-computation of window TNAF

Counting points on hyperelliptic curves with explicit real multiplication in arbitrary genus

We present a probabilistic Las Vegas algorithm for computing the local zeta function of a genus-$g$ hyperelliptic curve defined over $\mathbb F_q$ with explicit real multiplication (RM) by an order $\Z[\eta]$ in a degree-$g$ totally real number field. It is based on the approaches by Schoof and Pila in a more favorable case where we can split the $\ell$-torsion into $g$ kernels of endomorphisms, as introduced by Gaudry, Kohel, and Smith in genus 2. To deal with these kernels in any genus, we adapt a technique that the author, Gaudry, and Spaenlehauer introduced to model the $\ell$-torsion by structured polynomial systems. Applying this technique to the kernels, the systems we obtain are much smaller and so is the complexity of solving them. Our main result is that there exists a constant $c>0$ such that, for any fixed $g$, this algorithm has expected time and space complexity $O((\log q)^{c})$ as $q$ grows and the characteristic is large enough. We prove that $c\le 9$ and we also conjecture that the result still holds for $c=7$.Comment: To appear in Journal of Complexity. arXiv admin note: text overlap with arXiv:1710.0344