69 research outputs found

    Four-Dimensional Gallant-Lambert-Vanstone Scalar Multiplication

    Get PDF
    The GLV method of Gallant, Lambert and Vanstone~(CRYPTO 2001) computes any multiple kPkP of a point PP of prime order nn lying on an elliptic curve with a low-degree endomorphism Φ\Phi (called GLV curve) over Fp\mathbb{F}_p as kP=k1P+k2Φ(P)kP = k_1P + k_2\Phi(P), with max{k1,k2}C1n\max\{|k_1|,|k_2|\}\leq C_1\sqrt n for some explicit constant C1>0C_1>0. Recently, Galbraith, Lin and Scott (EUROCRYPT 2009) extended this method to all curves over Fp2\mathbb{F}_{p^2} which are twists of curves defined over Fp\mathbb{F}_p. We show in this work how to merge the two approaches in order to get, for twists of any GLV curve over Fp2\mathbb{F}_{p^2}, a four-dimensional decomposition together with fast endomorphisms Φ,Ψ\Phi, \Psi over Fp2\mathbb{F}_{p^2} acting on the group generated by a point PP of prime order nn, resulting in a proven decomposition for any scalar k[1,n]k\in[1,n] given by kP=k1P+k2Φ(P)+k3Ψ(P)+k4ΨΦ(P)kP=k_1P+ k_2\Phi(P)+ k_3\Psi(P) + k_4\Psi\Phi(P), with maxi(ki)0\max_i (|k_i|)0. Remarkably, taking the best C1,C2C_1, C_2, we obtain C2/C1<412C_2/C_1<412, independently of the curve, ensuring in theory an almost constant relative speedup. In practice, our experiments reveal that the use of the merged GLV-GLS approach supports a scalar multiplication that runs up to 50\% faster than the original GLV method. We then improve this performance even further by exploiting the Twisted Edwards model and show that curves originally slower may become extremely efficient on this model. In addition, we analyze the performance of the method on a multicore setting and describe how to efficiently protect GLV-based scalar multiplication against several side-channel attacks. Our implementations improve the state-of-the-art performance of point multiplication for a variety of scenarios including side-channel protected and unprotected cases with sequential and multicore execution

    Easy scalar decompositions for efficient scalar multiplication on elliptic curves and genus 2 Jacobians

    Get PDF
    The first step in elliptic curve scalar multiplication algorithms based on scalar decompositions using efficient endomorphisms-including Gallant-Lambert-Vanstone (GLV) and Galbraith-Lin-Scott (GLS) multiplication, as well as higher-dimensional and higher-genus constructions-is to produce a short basis of a certain integer lattice involving the eigenvalues of the endomorphisms. The shorter the basis vectors, the shorter the decomposed scalar coefficients, and the faster the resulting scalar multiplication. Typically, knowledge of the eigenvalues allows us to write down a long basis, which we then reduce using the Euclidean algorithm, Gauss reduction, LLL, or even a more specialized algorithm. In this work, we use elementary facts about quadratic rings to immediately write down a short basis of the lattice for the GLV, GLS, GLV+GLS, and Q-curve constructions on elliptic curves, and for genus 2 real multiplication constructions. We do not pretend that this represents a significant optimization in scalar multiplication, since the lattice reduction step is always an offline precomputation---but it does give a better insight into the structure of scalar decompositions. In any case, it is always more convenient to use a ready-made short basis than it is to compute a new one

    Families of fast elliptic curves from Q-curves

    Get PDF
    We construct new families of elliptic curves over \FF_{p^2} with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant-Lambert-Vanstone (GLV) and Galbraith-Lin-Scott (GLS) endomorphisms. Our construction is based on reducing \QQ-curves-curves over quadratic number fields without complex multiplication, but with isogenies to their Galois conjugates-modulo inert primes. As a first application of the general theory we construct, for every p>3p > 3, two one-parameter families of elliptic curves over \FF_{p^2} equipped with endomorphisms that are faster than doubling. Like GLS (which appears as a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when pp is fixed. Unlike GLS, we also offer the possibility of constructing twist-secure curves. Among our examples are prime-order curves equipped with fast endomorphisms, with almost-prime-order twists, over \FF_{p^2} for p=21271p = 2^{127}-1 and p=225519p = 2^{255}-19

    The Q-curve construction for endomorphism-accelerated elliptic curves

    Get PDF
    We give a detailed account of the use of Q\mathbb{Q}-curve reductions to construct elliptic curves over F_p2\mathbb{F}\_{p^2} with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant--Lambert--Vanstone (GLV) and Galbraith--Lin--Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when pp is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over F_p2\mathbb{F}\_{p^2} equipped with efficient endomorphisms for every p \textgreater{} 3, and exhibit examples of twist-secure curves over F_p2\mathbb{F}\_{p^2} for the efficient Mersenne prime p=21271p = 2^{127}-1.Comment: To appear in the Journal of Cryptology. arXiv admin note: text overlap with arXiv:1305.540

    Easy scalar decompositions for efficient scalar multiplication on elliptic curves and genus 2 Jacobians

    Get PDF
    International audienceThe first step in elliptic curve scalar multiplication algorithms based on scalar decompositions using efficient endomorphisms---including Gallant--Lambert--Vanstone (GLV) and Galbraith--Lin--Scott (GLS) multiplication, as well as higher-dimensional and higher-genus constructions---is to produce a short basis of a certain integer lattice involving the eigenvalues of the endomorphisms. The shorter the basis vectors, the shorter the decomposed scalar coefficients, and the faster the resulting scalar multiplication. Typically, knowledge of the eigenvalues allows us to write down a long basis, which we then reduce using the Euclidean algorithm, Gauss reduction, LLL, or even a more specialized algorithm. In this work, we use elementary facts about quadratic rings to immediately write down a short basis of the lattice for the GLV, GLS, GLV+GLS, and Q-curve constructions on elliptic curves, and for genus 2 real multiplication constructions. We do not pretend that this represents a significant optimization in scalar multiplication, since the lattice reduction step is always an offline precomputation---but it does give a better insight into the structure of scalar decompositions. In any case, it is always more convenient to use a ready-made short basis than it is to compute a new one

    Implementing 4-Dimensional GLV Method on GLS Elliptic Curves with j-Invariant 0

    Get PDF
    The Gallant-Lambert-Vanstone (GLV) method is a very efficient technique for accelerating point multiplication on elliptic curves with efficiently computable endomorphisms. Galbraith, Lin and Scott (J. Cryptol. 24(3), 446-469 (2011)) showed that point multiplication exploiting the 2-dimensional GLV method on a large class of curves over GF(p^2) was faster than the standard method on general elliptic curves over GF(p), and left as an open problem to study the case of 4-dimensional GLV on special curves (e.g., j(E) = 0) over GF(p^2). We study the above problem in this paper. We show how to get the 4-dimensional GLV decomposition with proper decomposed coefficients, and thus reduce the number of doublings for point multiplication on these curves to only a quarter. The resulting implementation shows that the 4-dimensional GLV method on a GLS curve runs in about 0.78 the time of the 2-dimensional GLV method on the same curve and in between 0.78-0.87 the time of the 2-dimensional GLV method using the standard method over GF(p). In particular, our implementation reduces by up to 27% the time of the previously fastest implementation of point multiplication on x86-64 processors due to Longa and Gebotys (CHES2010)

    FourQ: four-dimensional decompositions on a Q-curve over the Mersenne prime

    Get PDF
    We introduce FourQ, a high-security, high-performance elliptic curve that targets the 128-bit security level. At the highest arithmetic level, cryptographic scalar multiplications on FourQ can use a four-dimensional Gallant-Lambert-Vanstone decomposition to minimize the total number of elliptic curve group operations. At the group arithmetic level, FourQ admits the use of extended twisted Edwards coordinates and can therefore exploit the fastest known elliptic curve addition formulas over large prime characteristic fields. Finally, at the finite field level, arithmetic is performed modulo the extremely fast Mersenne prime p=21271p=2^{127}-1. We show that this powerful combination facilitates scalar multiplications that are significantly faster than all prior works. On Intel\u27s Broadwell, Haswell, Ivy Bridge and Sandy Bridge architectures, our software computes a variable-base scalar multiplication in 50,000, 56,000, 69,000 cycles and 72,000 cycles, respectively; and, on the same platforms, our software computes a Diffie-Hellman shared secret in 80,000, 88,000, 104,000 cycles and 112,000 cycles, respectively. These results show that, in practice, FourQ is around four to five times faster than the original NIST P-256 curve and between two and three times faster than curves that are currently under consideration as NIST alternatives, such as Curve25519

    Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and their Implementation on GLV-GLS Curves (Extended Version)

    Get PDF
    We propose efficient algorithms and formulas that improve the performance of side-channel protected elliptic curve computations with special focus on scalar multiplication exploiting the Gallant-Lambert-Vanstone (CRYPTO 2001) and Galbraith-Lin-Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.\u27s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we propose an efficient, side-channel protected algorithm for fixed-base scalar multiplication which combines Feng et al.\u27s recoding with Lim-Lee\u27s comb method. Thirdly, we propose an efficient technique that interleaves ARM and NEON-based multiprecision operations over an extension field to improve performance of GLS curves on modern ARM processors. Finally, we showcase the efficiency of the proposed techniques by implementing a state-of-the-art GLV-GLS curve in twisted Edwards form defined over GF(p^2), which supports a four dimensional decomposition of the scalar and is fully protected against timing attacks. Analysis and performance results are reported for modern x64 and ARM processors. For instance, we compute a variable-base scalar multiplication in 89,000 and 244,000 cycles on an Intel Ivy Bridge and an ARM Cortex-A15 processor (respect.); using a precomputed table of 6KB, we compute a fixed-base scalar multiplication in 49,000 and 116,000 cycles (respect.); and using a precomputed table of 3KB, we compute a double scalar multiplication in 115,000 and 285,000 cycles (respect.). The proposed techniques represent an important improvement of the state-of-the-art performance of elliptic curve computations, and allow us to set new speed records in several modern processors. The techniques also reduce the cost of adding protection against timing attacks in the computation of GLV-based variable-base scalar multiplication to below 10%

    Fast ECDH Key Exchange Using Twisted Edwards Curves with an Efficiently Computable Endomorphism

    Get PDF
    It is widely accepted that public-key cryptosystems play a major role in the security arena of the Internet of Things (IoT), but they need to be implemented efficiently to not deplete the scarce resources of battery-operated devices such as wireless sensor nodes. This paper describes a highly-optimized software implementation of scalar multiplication for Elliptic Curve Diffie-Hellman (ECDH) key exchange on resource-limited IoT devices that achieves fast execution times along with reasonably small code size and RAM consumption. Our software uses a special class of elliptic curves, namely twisted Edwards curves with an efficiently computable endomorphism similar to that of the so- called Gallant-Lambert-Vanstone (GLV) curves. This allows us to combine the main advantage of the GLV model, which is an efficiently-computable endomorphism to speed up variable-base scalar multiplication, with the fast and complete addition rules of the (twisted) Edwards model. We implemented variable-base scalar multiplication for static ECDH on two such curves, one over a 159-bit and the second over a 207-bit pseudo-Mersenne prime field, respectively, and evaluated their execution time on a 16-bit MSP430F1611 processor. The arithmetic operations in the prime field do not contain operand-dependent conditional statements (in particular no "if-then-else" clauses) and also the scalar multiplication follows a fixed execution path for a given (static) scalar. A variable-base scalar multiplication on curves over the 159 and 207-bit field takes about 2.63 and 4.84 million clock cycles, respectively, on an MSP430F1611 processor. These results compare favorably with the Montgomery ladder on the equivalent Montgomery curves, which is almost 50% slower

    Integer Sub-Decomposition (Isd) Method For Elliptic Curve Scalar Multiplication

    Get PDF
    Dalam kajian ini, kaedah baru yang dipanggil sub-peleraian integer (ISD) berdasarkan prinsip Gallant, Lambert dan Vanstone (GLV) bagi mengira perkalian skalar kP berbentuk lengkung elips E melebihi kawasan terbatas utama Fp yang mempunyai pengiraan endomorphisms ψj yang efisyen bagi j = 1; 2, menghasilkan nilai yang dihitung sebelum ini untuk λ jP, di mana λ j ∈ [1;n−1] telah dicadangkan. Jurang utama dalam kaedah GLV telah ditangani dengan menggunakan kaedah ISD. Skalar k dalam kaedah ISD telah dibahagikan dengan menggunakan rumusan k ≡ k11+k12λ1+k21+k22λ2 (mod n); dengan max{|k11|; |k12|} ≤ √ n dan max{|k21|; |k22|} ≤ √ n. Oleh yang demikian formula perkalian kP scalar ISD boleh dinyatakan seperti berikut: kP = k11P+k12ψ1(P)+k21P+k22ψ2(P): In this study, a new method called integer sub-decomposition (ISD) based on the Gallant, Lambert, and Vanstone (GLV) method to compute the scalar multiplication kP of the elliptic curve E over prime finite field Fp that have efficient computable endomorphisms ψj for j = 1; 2, resulting in pre-computed values of λ jP, where λ j ∈ [1;n−1] has been proposed. The major gaps in the GLV method are addressed using the ISD method. The scalar k, on the ISD method is decomposed using the formulation k ≡ k11+k12λ1+k21+k22λ2 (mod n); with max{|k11|; |k12|} ≤ √ n and max{|k21|; |k22|} ≤ √n. Thus, the ISD scalar multiplication kP formula can be expressed as follows: kP = k11P+k12ψ1(P)+k21P+k22ψ2(P)
    corecore