
    Binary Kummer Line

    Gaudry and Lubicz introduced the idea of the Kummer line in 2009, and Karati and Sarkar proposed three Kummer lines over prime fields in 2017. In this work, we explore the problem of secure and efficient scalar multiplication over binary fields using Kummer lines, and investigate the possible speedups of Kummer lines over Koblitz curves, binary Edwards curves and Weierstrass curves. We propose a binary Kummer line BKL251 over the binary field F_{2^251} whose associated elliptic curve satisfies the required security conditions and offers 124.5-bit security, the same as that of the binary Edwards curve BEd251 and the Weierstrass curve CURVE2251. BKL251 has a small curve parameter and a small base point. We implement software for BKL251 using the PCLMULQDQ instruction of modern Intel processors, and batch software BBK251 using the bitslicing technique. For a fair comparison, we also implement software BEd251 for the binary Edwards curve. In both implementations, scalar multiplication is constant-time and uses a Montgomery ladder. With the left-to-right Montgomery ladder, the Kummer line and the Edwards curve need almost the same number of field operations. With right-to-left Montgomery ladder scalar multiplication, each ladder step on the binary Kummer line needs fewer field operations than on the Edwards curve. Our experimental results show that left-to-right Montgomery scalar multiplications on BKL251 are 9.63% and 0.52% faster than those on BEd251 for fixed-base and variable-base, respectively. Left-to-right Montgomery variable-base scalar multiplication on BKL251 is 39.74%, 23.25% and 32.92% faster than on the curves CURVE2251, K-283 and B-283, respectively. Using the right-to-left Montgomery ladder with precomputation, BKL251 achieves a 17.84% speedup over BEd251 for fixed-base scalar multiplication. For batch computation, BBK251 has roughly the same (slightly faster) performance as BBE251 and sect283r1. Our experiments also show that scalar multiplications on BKL251 and BEd251 are approximately 65% faster than one scalar multiplication (after scaling down) of the batch software BBK251 and BBE251.

    Connecting Legendre with Kummer and Edwards

    Scalar multiplication on Legendre form elliptic curves can be sped up in two ways. One can perform the bulk of the computation either on the associated Kummer line or on an appropriate twisted Edwards form elliptic curve. This paper gives the details of converting between Legendre form elliptic curves and their associated Kummer lines, and between Legendre form elliptic curves and related twisted Edwards form elliptic curves. Further, concrete twisted Edwards form elliptic curves are identified which correspond to known Kummer lines at the 128-bit security level and which provide very fast scalar multiplication on modern architectures supporting SIMD operations.

    Kummer for Genus One over Prime Order Fields

    This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz in 2009 had suggested the use of the associated Kummer line to speed up scalar multiplication. In the present work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies the necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. It turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines, denoted K_1 := KL2519(81,20), K_2 := KL25519(82,77) and K_3 := KL2663(260,139), over the three primes 2^251 - 9, 2^255 - 19 and 2^266 - 3 respectively. Implementations of scalar multiplication for all three Kummer lines using Intel intrinsics have been done and the code is publicly available. Timing results on Intel's Skylake and Haswell processors indicate that both fixed-base and variable-base scalar multiplications for K_1 and K_2 are faster than those achieved by Sandy2x, a highly optimised SIMD assembly implementation of the well-known Curve25519; for example, on Skylake, variable-base scalar multiplication on K_1 is faster than Curve25519 by about 30%. On Skylake, both fixed-base and variable-base scalar multiplication for K_3 are faster than Sandy2x; on Haswell, fixed-base scalar multiplication for K_3 is faster than Sandy2x, while variable-base scalar multiplication for K_3 and Sandy2x take roughly the same time. In fact, on Skylake, K_3 is both faster and offers about 5 bits more security than Curve25519. In practical terms, the Kummer lines introduced in this work are serious candidates for deployment and standardisation. We further illustrate the usefulness of the proposed Kummer lines by instantiating the quotient Digital Signature Algorithm (qDSA) on all three Kummer lines.
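    The two abstracts above (BKL251 and the KL25519 family) both build on the left-to-right Montgomery ladder: a fixed sequence of one doubling and one differential addition per scalar bit, with the bit consumed only through a conditional swap. The block below is an added example, not code from either paper; it instantiates that ladder on Curve25519 / X25519 (RFC 7748), the baseline the second abstract compares against, rather than on a Kummer line, because the X25519 ladder-step formulas and test vectors are public. The function names (cswap, ladder_step, ladder, x25519, dh_demo) are this example's own. Python big-integer arithmetic is not constant-time; what the code shows is the ladder structure that the papers' SIMD and PCLMULQDQ implementations make constant-time at the field level.

```python
# Added example: x-only, constant-time-structured Montgomery ladder on
# Curve25519 (RFC 7748). Not the Kummer line formulas from the papers above;
# the Kummer line changes the doubling / differential-addition step, not the
# ladder around it.

P = 2**255 - 19     # field prime
A24 = 121665        # (A - 2) / 4 for the Montgomery coefficient A = 486662


def cswap(swap, x, y):
    """Swap x and y iff swap == 1, via an all-ones / all-zeros mask (no branch)."""
    mask = -swap                 # 0 when swap == 0, all ones when swap == 1
    dummy = mask & (x ^ y)
    return x ^ dummy, y ^ dummy


def ladder_step(x1, x2, z2, x3, z3):
    """One ladder step: (x2:z2) <- 2*(x2:z2) and (x3:z3) <- (x2:z2) + (x3:z3),
    where x1 is the affine x-coordinate of their difference (the base point).
    Every bit of the scalar runs exactly this sequence of field operations."""
    a = (x2 + z2) % P
    aa = a * a % P
    b = (x2 - z2) % P
    bb = b * b % P
    e = (aa - bb) % P
    c = (x3 + z3) % P
    d = (x3 - z3) % P
    da = d * a % P
    cb = c * b % P
    x3 = pow(da + cb, 2, P)
    z3 = x1 * pow(da - cb, 2, P) % P
    x2 = aa * bb % P
    z2 = e * (aa + A24 * e) % P
    return x2, z2, x3, z3


def ladder(k, u, bits=255):
    """Left-to-right Montgomery ladder: x-coordinate of k * (u, .)."""
    x1 = u
    x2, z2 = 1, 0        # projective x-only point at infinity
    x3, z3 = u, 1        # the base point
    swap = 0
    for t in range(bits - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        x2, z2, x3, z3 = ladder_step(x1, x2, z2, x3, z3)
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P   # single inversion at the end


def decode_scalar(k_bytes):
    """RFC 7748 clamping: clear the low 3 bits and bit 255, set bit 254."""
    k = bytearray(k_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u_bytes):
    u = bytearray(u_bytes)
    u[31] &= 127                          # the top bit is not part of u
    return int.from_bytes(u, "little") % P


def x25519(k_bytes, u_bytes):
    """X25519(k, u): 32-byte little-endian x-coordinate of k * (u, .)."""
    return ladder(decode_scalar(k_bytes), decode_u(u_bytes)).to_bytes(32, "little")


# RFC 7748 section 6.1 Diffie-Hellman test vector (the private keys are the RFC's).
ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_SK = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BASEPOINT = b"\x09" + b"\x00" * 31        # u = 9


def dh_demo():
    """Fixed-base (public key) and variable-base (shared secret) ladders;
    returns (pk_alice, pk_bob, shared_secret) after checking both sides agree."""
    pk_a = x25519(ALICE_SK, BASEPOINT)
    pk_b = x25519(BOB_SK, BASEPOINT)
    s_ab = x25519(ALICE_SK, pk_b)
    s_ba = x25519(BOB_SK, pk_a)
    assert s_ab == s_ba
    return pk_a, pk_b, s_ab


if __name__ == "__main__":
    pk_a, pk_b, shared = dh_demo()
    print("Alice public key :", pk_a.hex())
    print("shared secret    :", shared.hex())
```

    The two call sites in dh_demo correspond to the fixed-base and variable-base timings the abstracts report: the public-key computation always uses the same base point (which is what the BKL251 right-to-left ladder with precomputation exploits), while the shared-secret computation uses a peer-supplied point and gets no precomputation. In both cases the loop body is identical for every scalar bit, and the only bit-dependent data movement is the masked swap.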

    K2SN-MSS: An Efficient Post-Quantum Signature (Full Version)

    With the rapid development of quantum technologies, quantum-safe cryptography has attracted significant attention. Hash-based signature schemes have been of particular interest because (i) digital signatures are the main source of trust on the Internet, (ii) the security of these signatures relies only on the existence of one-way functions, which is the minimal assumption for signature schemes, and (iii) they can be implemented efficiently. Basic hash-based signatures sign a single message, but have been extended to sign multiple messages. In this paper we design a Multi-message Signature Scheme (MSS) based on an existing One-Time Signature (OTS) that we refer to as KSN-OTS. KSN uses SWIFFT, an additively homomorphic lattice-based hash function family with a provable one-wayness property, as the one-way function and achieves a short signature. We prove the security of our proposed signature scheme in a new, strengthened security model (multi-target multi-function) for MSS, determine the system parameters for 512-bit classical (256-bit quantum) security, and compare the parameter sizes of our scheme against XMSS, a widely studied hash-based MSS that has been a candidate for NIST standardisation of post-quantum signature schemes. We give an efficient implementation of our scheme using the Intel SIMD (Single Instruction Multiple Data) instruction set. For this, we first implement the SWIFFT computation using a SIMD parallelisation of the Number Theoretic Transform (NTT) over the ring Z_p[X]/(X^n + 1), which can support different levels of parallelisation. We compare the efficiency of this implementation with an implementation of XMSS at a comparable security level and show its superior performance on a number of efficiency parameters.

    Using Randomizers for Batch Verification of ECDSA Signatures

    Randomizers are popularly used to prevent various types of attacks on batch-verification schemes. Recently, several algorithms based on symbolic computation have been proposed for the batch verification of ECDSA signatures. In this article, we demonstrate that the concept of randomizers can be easily embedded in these symbolic-computation algorithms. The performance degradation caused by randomizers is comparable with that associated with ECDSA*.