
    The Gallant-Lambert-Vanstone Decomposition Revisited

    The Gallant-Lambert-Vanstone (GLV) method accelerates the computation of the scalar multiplication $[k]P$ of a point (or a divisor) $P$ of prime order $r$ on some algebraic curve (or its Jacobian) by using an efficient endomorphism $\phi$ on that curve. Suppose $\phi$ has minimal polynomial $h(x) = \sum_{i=0}^{d} a_i x^i \in \mathbb{Z}[x]$. The question of how to efficiently decompose the scalar $k$ as $[k]P = \sum_{i=0}^{d-1} [k_i]\phi^i(P)$ with $\max_i \log |k_i| \approx \frac{1}{d} \log r$ has drawn a lot of attention. In this paper we show the link between the lattice-based decomposition and the division-in-$\mathbb{Z}[\phi]$ decomposition, and propose a hybrid method to decompose $k$ with $\max_i |k_i| \le 2^{(d-5)/4} \, d \, (d N(h))^{(d-1)/2} \, r^{1/d}$, where $N(h) = \sum_{i=0}^{d-1} a_i^2$. In particular, we give explicit and efficient GLV decompositions for some genus 1 and genus 2 curves with efficient endomorphisms by decomposing the Frobenius map in $\mathbb{Z}[\phi]$, which also indicates that complex multiplication usually implies good properties for GLV decomposition. Our results support the GLV method well for faster implementations of scalar multiplication on the desired curves.

    Computer Science, Theory & Methods; EI; CPCI-S(ISTP)