Abstract
This paper explores the potential for using genusĀ 2 curves over quadratic extension fields in cryptography, motivated by the fact that they allow for an 8-dimensional scalar decomposition when using a combination of the GLV/GLS algorithms. Besides lowering the number of doublings required in a scalar multiplication, this approach has the advantage of performing arithmetic operations in a 64-bit ground field, making it an attractive candidate for embedded devices. We found cryptographically secure genusĀ 2 curves which, although susceptible to index calculus attacks, aim for the standardized 112-bit security level. Our implementation results on both high-end architectures (Ivy Bridge) and low-end ARM platforms (Cortex-A8) highlight the practical benefits of this approach.
Chapter PDF
Similar content being viewed by others
References
Acar, T., Shumow, D.: Modular reduction without pre-computation for special moduli. Technical report, Microsoft Research (2010)
Adleman, L., DeMarrais, J., Huang, M.: A subexponential algorithm for discrete logarithms over hyperelliptic curves of large genus over GF(q). Theoretical Computer ScienceĀ 226(1-2), 7ā18 (1999)
Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., LĆ³pez, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol.Ā 6632, pp. 48ā68. Springer, Heidelberg (2011)
Beagle Board. BeagleBoard-xM System Reference Manual (2013), http://beagleboard.org/static/BBxMSRM_latest.pdf
Bernstein, D.J.: Curve25519: New Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol.Ā 3958, pp. 207ā228. Springer, Heidelberg (2006)
Bernstein, D.J., Lange, T. (eds.): eBACS: ECRYPT Benchmarking of Cryptographic Systems, http://bench.cr.yp.to (accessed March 1, 2013)
Bernstein, D.J., Schwabe, P.: NEON crypto. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol.Ā 7428, pp. 320ā339. Springer, Heidelberg (2012)
Bos, J.W., Costello, C., Hisil, H., Lauter, K.: Fast cryptography in genus 2. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol.Ā 7881, pp. 194ā210. Springer, Heidelberg (2013)
Bos, J.W., Costello, C., Hisil, H., Lauter, K.: High-performance scalar multiplication using 8-dimensional GLV/GLS decomposition. Cryptology ePrint Archive, Report 2013/146 (2013), http://eprint.iacr.org/
Buhler, J., Koblitz, N.: Lattice basis reduction, Jacobi sums and hyperelliptic cryptosystems. Bul. of the Australian Mathematical SocietyĀ 58(1), 147ā154 (1998)
Diem, C.: The GHS attack in odd characteristic. J. Ramanujan Math. Soc.Ā 18(1), 1ā32 (2003)
Diem, C.: On the discrete logarithm problem in elliptic curves. Compositio MathematicaĀ 147(01), 75ā104 (2011)
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information TheoryĀ 22(6), 644ā654 (1976)
Faz-Hernandez, A., Longa, P., Sanchez, A.H.: Keep calm and stay with one (and pā> 3). Cryptology ePrint Archive, Report 2013/158 (2013)
Frey, G.: How to disguise an elliptic curve (Weil descent). Talk at ECC: slides available at http://cacr.uwaterloo.ca/conferences/1998/ecc98/frey.ps (September 1998)
Galbraith, S.D.: Weil descent of Jacobians. Discrete Applied MathematicsĀ 128(1), 165ā180 (2003)
Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. CryptologyĀ 24(3), 446ā469 (2011)
Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol.Ā 2139, pp. 190ā200. Springer, Heidelberg (2001)
Gaudry, P.: An algorithm for solving the discrete log problem on hyperelliptic curves. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol.Ā 1807, pp. 19ā34. Springer, Heidelberg (2000)
Gaudry, P.: Fast genus 2 arithmetic based on theta functions. Journal of Mathematical Cryptology JMCĀ 1(3), 243ā265 (2007)
Gaudry, P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput.Ā 44(12), 1690ā1702 (2009)
Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. CryptologyĀ 15(1), 19ā46 (2002)
Gaudry, P., ThomĆ©, E., ThĆ©riault, N., Diem, C.: A double large prime variation for small genus hyperelliptic index calculus. Math. Comput.Ā 76(257), 475ā492 (2007)
Goren, E.Z., Lauter, K.E.: Genus 2 curves with complex multiplication. International Mathematics Research NoticesĀ 2012(5), 1068ā1142 (2012)
Hamburg, M.: Fast and compact elliptic-curve cryptography. Cryptology ePrint Archive, Report 2012/309 (2012), http://eprint.iacr.org/
Iijima, T., Momose, F., Chao, J.: Classification of elliptic/hyperelliptic curves with weak coverings against GHS attack without isogeny condition. Cryptology ePrint Archive, Report 2009/613 (2009), http://eprint.iacr.org/
KƤsper, E.: Fast elliptic curve cryptography in OpenSSL. In: Danezis, G., Dietrich, S., Sako, K. (eds.) FC 2011 Workshops. LNCS, vol.Ā 7126, pp. 27ā39. Springer, Heidelberg (2012)
KneževiÄ, M., Vercauteren, F., Verbauwhede, I.: Speeding up bipartite modular multiplication. In: Hasan, M.A., Helleseth, T. (eds.) WAIFI 2010. LNCS, vol.Ā 6087, pp. 166ā179. Springer, Heidelberg (2010)
Koblitz, N.: Elliptic curve cryptosystems. Mathematics of ComputationĀ 48(177), 203ā209 (1987)
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol.Ā 1109, pp. 104ā113. Springer, Heidelberg (1996)
Lenstra, A.K.: Generating RSA moduli with a predetermined portion. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol.Ā 1514, pp. 1ā10. Springer, Heidelberg (1998)
Lim, C.H., Lee, P.J.: More flexible exponentiation with precomputation. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol.Ā 839, pp. 95ā107. Springer, Heidelberg (1994)
Longa, P., Sica, F.: Four-dimensional Gallant-Lambert-Vanstone scalar multiplication. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol.Ā 7658, pp. 718ā739. Springer, Heidelberg (2012)
Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol.Ā 218, pp. 417ā426. Springer, Heidelberg (1986)
Momose, F., Chao, J.: Scholten forms and elliptic/hyperelliptic curves with weak Weil restrictions. Cryptology ePrint Archive, Report 2005/277 (2005)
Montgomery, P.L.: Modular multiplication without trial division. Mathematics of ComputationĀ 44(170), 519ā521 (1985)
Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Mathematics of ComputationĀ 48(177), 243ā264 (1987)
Morozov, S., Tergino, C., Schaumont, P.: System integration of elliptic curve cryptography on an OMAP platform. In: IEEE 9th Symposium on Application Specific Processors ā SASP, pp. 52ā57. IEEE Computer Society (2011)
Nagao, K.-I.: Decomposition attack for the Jacobian of a hyperelliptic curve over an extension field. In: Hanrot, G., Morain, F., ThomĆ©, E. (eds.) ANTS-IX 2010. LNCS, vol.Ā 6197, pp. 285ā300. Springer, Heidelberg (2010)
National Institute of Standards and Technology. Special publication 800-57: Recommendation for key management part 1: General (revised), http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
National Security Agency. The case for elliptic curve cryptography (2009), http://www.nsa.gov/business/programs/elliptic_curve.shtml
Park, Y.-H., Jeong, S., Lim, J.: Speeding up point multiplication on hyperelliptic curves with efficiently-computable endomorphisms. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol.Ā 2332, pp. 197ā208. Springer, Heidelberg (2002)
Pollard, J.M.: Monte Carlo methods for index computation (mod p). Mathematics of ComputationĀ 32(143), 918ā924 (1978)
Solinas, J.A.: Generalized Mersenne numbers. Technical Report CORR 99ā39, Centre for Applied Cryptographic Research, University of Waterloo (1999)
ThĆ©riault, N.: Weil descent attack for Kummer extensions. J. Ramanujan Math. Soc.Ā 18(3), 218ā312 (2003)
U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS). FIPS-186-3 (2009), http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
Walter, C.D.: Montgomery exponentiation needs no final subtractions. Electronics LettersĀ 35(21), 1831ā1832 (1999)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
Ā© 2013 International Association for Cryptologic Research
About this paper
Cite this paper
Bos, J.W., Costello, C., Hisil, H., Lauter, K. (2013). High-Performance Scalar Multiplication Using 8-Dimensional GLV/GLS Decomposition. In: Bertoni, G., Coron, JS. (eds) Cryptographic Hardware and Embedded Systems - CHES 2013. CHES 2013. Lecture Notes in Computer Science, vol 8086. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40349-1_19
Download citation
DOI: https://doi.org/10.1007/978-3-642-40349-1_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40348-4
Online ISBN: 978-3-642-40349-1
eBook Packages: Computer ScienceComputer Science (R0)