Fast, uniform, and compact scalar multiplication for elliptic curves and genus 2 Jacobians with applications to signature schemes

We give a general framework for uniform, constant-time one- and two-dimensional scalar multiplication algorithms for elliptic curves and Jacobians of genus 2 curves that operate by projecting to the x-line or Kummer surface, where we can exploit faster and more uniform pseudomultiplication, before recovering the proper "signed" output back on the curve or Jacobian. This extends the work of López and Dahab, Okeya and Sakurai, and Brier and Joye to genus 2, and also to two-dimensional scalar multiplication. Our results show that many existing fast pseudomultiplication implementations (hitherto limited to applications in Diffie-Hellman key exchange) can be wrapped with simple and efficient pre- and post-computations to yield competitive full scalar multiplication algorithms, ready for use in more general discrete logarithm-based cryptosystems, including signature schemes. This is especially interesting for genus 2, where Kummer surfaces can outperform comparable elliptic curve systems. As an example, we construct an instance of the Schnorr signature scheme driven by Kummer surface arithmetic.
Easy scalar decompositions for efficient scalar multiplication on elliptic curves and genus 2 Jacobians

The first step in elliptic curve scalar multiplication algorithms based on scalar decompositions using efficient endomorphisms, including Gallant-Lambert-Vanstone (GLV) and Galbraith-Lin-Scott (GLS) multiplication, as well as higher-dimensional and higher-genus constructions, is to produce a short basis of a certain integer lattice involving the eigenvalues of the endomorphisms. The shorter the basis vectors, the shorter the decomposed scalar coefficients, and the faster the resulting scalar multiplication. Typically, knowledge of the eigenvalues allows us to write down a long basis, which we then reduce using the Euclidean algorithm, Gauss reduction, LLL, or even a more specialized algorithm. In this work, we use elementary facts about quadratic rings to immediately write down a short basis of the lattice for the GLV, GLS, GLV+GLS, and Q-curve constructions on elliptic curves, and for genus 2 real multiplication constructions. We do not pretend that this represents a significant optimization in scalar multiplication, since the lattice reduction step is always an offline precomputation, but it does give a better insight into the structure of scalar decompositions. In any case, it is always more convenient to use a ready-made short basis than it is to compute a new one.
On the image of a noncommutative polynomial

Let be an algebraically closed field of characteristic zero. We consider the question which subsets of can be images of noncommutative polynomials. We prove that a noncommutative polynomial has only finitely many similarity orbits modulo nonzero scalar multiplication in its image if and only if is power-central. The union of the zero matrix and a standard open set closed under conjugation by and nonzero scalar multiplication is shown to be the image of a noncommutative polynomial. We investigate the density of the images with respect to the Zariski topology. We also answer Lvov's conjecture for multilinear Lie polynomials of degree at most 4 affirmatively. Comment: 13 pages, accepted for publication in J. Algebr
{0, 1, 3}-NAF representation and algorithms for lightweight elliptic curve cryptosystem in Lopez Dahab model

Elliptic curve scalar multiplication is the most time-consuming and costly operation in an elliptic curve cryptosystem. The scalar multiplication involves computation of Q = kP, where k is a scalar multiplier and P and Q are points on an elliptic curve. This computation can be improved by reducing the Hamming weight of the scalar multiplier k. The Hamming weight of k is the number of nonzero digits in the scalar multiplier. This paper proposes a new scalar representation in non-adjacent form (NAF) using the digits 0, 1 and 3. This paper also proposes an algorithm for converting from a binary to {0,1,3}-NAF representation. A comparative analysis between the proposed NAF and the traditional NAF with digits {-1,0,1} is carried out. In the average case, the proposed {0,1,3}-NAF representation has a lower Hamming weight than the traditional NAF. In our analysis, we use the {0,1,3}-NAF representation in the scalar multiplication operation. The average number of point addition operations in the scalar multiplication is considerably reduced compared to the addition-subtraction scalar multiplication algorithm.
Secure and Efficient RNS Approach for Elliptic Curve Cryptography

Scalar multiplication, the main operation in elliptic curve cryptographic protocols, is vulnerable to side-channel (SCA) and fault injection (FA) attacks. An efficient countermeasure for scalar multiplication can be provided by using alternative number systems like the Residue Number System (RNS). In RNS, a number is represented as a set of smaller numbers, where each one is the result of the modular reduction with a given moduli basis. Under certain requirements, a number can be uniquely transformed from the integers to the RNS domain (and vice versa) and all arithmetic operations can be performed in RNS. This representation provides an inherent SCA and FA resistance to many attacks and can be further enhanced by RNS arithmetic manipulation or more traditional algorithmic countermeasures. In this paper, extending our previous work, we explore the potential of RNS as an SCA and FA countermeasure and provide a description of RNS-based SCA and FA resistance means. We propose a secure and efficient Montgomery Power Ladder based scalar multiplication algorithm on RNS and discuss its SCA-FA resistance. The proposed algorithm is implemented on an ARM Cortex A7 processor and its SCA-FA resistance is evaluated by collecting preliminary leakage trace results that validate our initial assumptions.