# Four-Dimensional Gallant–Lambert–Vanstone Scalar Multiplication

Article

First Online:

- 566 Downloads
- 7 Citations

## Abstract

The GLV method of Gallant, Lambert, and Vanstone (CRYPTO 2001) computes any multiple for some explicit constant for some explicit

*kP*of a point*P*of prime order*n*lying on an elliptic curve with a low-degree endomorphism*Φ*(called GLV curve) over \(\mathbb{F}_{p}\) as$$kP = k_1P + k_2\varPhi(P) \quad\text{with } \max \bigl\{ |k_1|,|k_2| \bigr\} \leq C_1\sqrt{n} $$

*C*_{1}>0. Recently, Galbraith, Lin, and Scott (EUROCRYPT 2009) extended this method to all curves over \(\mathbb{F}_{p^{2}}\) which are twists of curves defined over \(\mathbb{F}_{p}\). We show in this work how to merge the two approaches in order to get, for twists of any GLV curve over \(\mathbb{F}_{p^{2}}\), a four-dimensional decomposition together with fast endomorphisms*Φ*,*Ψ*over \(\mathbb{F}_{p^{2}}\) acting on the group generated by a point*P*of prime order*n*, resulting in a proven decomposition for any scalar*k*∈[1,*n*] given by$$kP=k_1P+ k_2\varPhi(P)+ k_3\varPsi(P) + k_4\varPsi\varPhi(P) \quad \text{with } \max_i \bigl(|k_i| \bigr)< C_2\, n^{1/4} $$

*C*_{2}>0. Remarkably, taking the best*C*_{1},*C*_{2}, we obtain*C*_{2}/*C*_{1}<412, independently of the curve, ensuring in theory an almost constant relative speedup. In practice, our experiments reveal that the use of the merged GLV–GLS approach supports a scalar multiplication that runs up to 1.5 times faster than the original GLV method. We then improve this performance even further by exploiting the Twisted Edwards model and show that curves originally slower may become extremely efficient on this model. In addition, we analyze the performance of the method on a multicore setting and describe how to efficiently protect GLV-based scalar multiplication against several side-channel attacks. Our implementations improve the state-of-the-art performance of scalar multiplication on elliptic curves over large prime characteristic fields for a variety of scenarios including side-channel protected and unprotected cases with sequential and multicore execution.## Key words

Elliptic curves GLV–GLS method Scalar multiplication Twisted Edwards curve Side-channel protection Multicore computation## Notes

### Acknowledgements

We thank the reviewers, Mike Scott and Dan Bernstein for their helpful comments. Also, we would like to thank Diego Aranha for his advice on multicore programming, Joppe Bos for his help on looking for efficient chains for implementing modular inversion, and Craig Costello and Kristin Lauter for helping us to detect a typo on a curve parameter in a previous paper version.

## References

- [1]D.F. Aranha, A. Faz-Hernandez, J. Lopez, F. Rodriguez-Henriquez, Faster implementation of scalar multiplication on Koblitz curves, in
*Proceedings of Latincrypt 2012*. LNCS, vol. 7533 (Springer, Berlin, 2012), pp. 177–193 CrossRefGoogle Scholar - [2]D.J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters, Twisted Edwards curves, in
*Proceedings of AFRICACRYPT 2008*, ed. by S. Vaudenay. LNCS, vol. 5023 (Springer, Berlin, 2008), pp. 389–405 CrossRefGoogle Scholar - [3]D.J. Bernstein, N. Duif, T. Lange, P. Schwabe, B.-Y. Yang, High-speed high-security signatures, in
*Proceedings of CHES 2011*, ed. by B. Preneel, T. Takagi. LNCS, vol. 6917 (Springer, Berlin, 2011), pp. 124–142 Google Scholar - [4]D.J. Bernstein, Curve25519: New Diffie–Hellman speed records, in
*Proceedings of PKC 2006*. LNCS, vol. 3958 (Springer, Berlin, 2006), pp. 207–228 Google Scholar - [5]D.J. Bernstein, CPU traps and pitfalls. Talk at Emerging Topics in Cryptographic Design and Cryptanalysis, Pythagorion, Samos, 2007. Available at: http://cr.yp.to/talks/2007.05.04/slides.pdf
- [6]J. Bos, C. Costello, H. Hisil, K. Lauter, Two is greater than one. Cryptology ePrint Archive, Report 2012/670, 2012. Available at: http://eprint.iacr.org/2012/670
- [7]D. Brumley, D. Boneh, Remote timing attacks are practical, in
*Proceedings of the 12th USENIX Security Symposium*, ed. by S. Mangard, F.-X. Standaert. LNCS, vol. 6225 (Springer, Berlin, 2003), pp. 80–94 Google Scholar - [8]H. Cohen,
*A Course in Computational Algebraic Number Theory*. Graduate Texts in Mathematics, vol. 138 (Springer, Berlin, 1996) Google Scholar - [9]G. Cornacchia, Su di un metodo per la risoluzione in numeri interi dell’equazione \(\sum_{h=0}^{n}C_{h}x^{n-h}y^{h}=P\).
*G. Mat. Battaglini***46**, 33–90 (1908) Google Scholar - [10]H. Edwards, A normal form for elliptic curves.
*Bull. Am. Math. Soc.***44**, 393–422 (2007) CrossRefzbMATHGoogle Scholar - [11]S.D. Galbraith, X. Lin, M. Scott, Endomorphisms for faster elliptic curve cryptography on a large class of curves, in
*Proceedings of EUROCRYPT 2009*, ed. by A. Joux. LNCS, vol. 5479 (Springer, Berlin, 2009), pp. 518–535 Google Scholar - [12]S.D. Galbraith, X. Lin, M. Scott, Endomorphisms for faster elliptic curve cryptography on a large class of curves.
*J. Cryptol.***24**(3), 446–469 (2011) CrossRefzbMATHMathSciNetGoogle Scholar - [13]R.P. Gallant, J.L. Lambert, S.A. Vanstone, Faster point multiplication on elliptic curves with efficient endomorphisms, in
*Advances in Cryptology—Proceedings of CRYPTO 2001*, ed. by J. Kilian. LNCS, vol. 2139 (Springer, Berlin, 2001), pp. 190–200 CrossRefGoogle Scholar - [14]M. Hamburg, Fast and compact elliptic-curve cryptography. Cryptology ePrint Archive, Report 2012/309, 2012. Available at: http://eprint.iacr.org/2012/309
- [15]H. Hisil, K. Wong, G. Carter, E. Dawson, Twisted Edwards curves revisited, in
*Proceedings of ASIACRYPT 2008*, ed. by J. Pieprzyk. LNCS, vol. 5350 (Springer, Berlin, 2008), pp. 326–343 CrossRefGoogle Scholar - [16]Z. Hu, P. Longa, M. Xu, Implementing 4-dimensional GLV method on GLS elliptic curves with
*j*-invariant 0.*Des. Codes Cryptogr.***63**(3), 331–343 (2012). Also in Cryptology ePrint Archive, Report 2011/315, http://eprint.iacr.org/2011/315 CrossRefzbMATHMathSciNetGoogle Scholar - [17]M. Joye, M. Tunstall, Exponent recoding and regular exponentiation algorithms, in
*Proceedings of Africacrypt 2003*, ed. by M. Joye. LNCS, vol. 5580 (Springer, Berlin, 2009), pp. 334–349 Google Scholar - [18]E. Kasper, Fast elliptic curve cryptography in OpenSSL, in
*2nd Workshop on Real-Life Cryptographic Protocols and Standardization*(2011) Google Scholar - [19]P.C. Kocher, Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems, in
*Advances in Cryptology—Proceedings of CRYPTO 1996*, ed. by N. Koblitz. LNCS, vol. 1109 (Springer, Berlin, 1996), pp. 104–113 Google Scholar - [20]A.K. Lenstra, H.W. Lenstra Jr., L. Lovász, Factoring polynomials with rational coefficients.
*Math. Ann.***261**, 513–534 (1982) CrossRefGoogle Scholar - [21]P. Longa, Elliptic curve cryptography at high speeds. Talk at the 15th Workshop on Elliptic Curve Cryptography (ECC 2011), INRIA, France, 2011. Available at: http://ecc2011.loria.fr/slides/longa.pdf
- [22]P. Longa, High-speed elliptic curve and pairing-based cryptography. PhD thesis, University of Waterloo, 2011. Available at: http://hdl.handle.net/10012/5857
- [23]P. Longa, C. Gebotys, Efficient techniques for high-speed elliptic curve cryptography, in
*Proceedings of CHES 2010*, ed. by S. Mangard, F.-X. Standaert. LNCS, vol. 6225 (Springer, Berlin, 2010), pp. 80–94 Google Scholar - [24]P. Longa, A. Miri, New composite operations and precomputation scheme for elliptic curve cryptosystems over prime fields, in
*Proceedings of PKC 2008*, ed. by R. Cramer. LNCS, vol. 4939 (Springer, Berlin, 2008), pp. 229–247 Google Scholar - [25]F. Morain, Courbes elliptiques et tests de primalité. PhD thesis, Université de Lyon I, 1990. Available at: http://www.lix.polytechnique.fr/Labo/Francois.Morain/Articles/publisfm.php, Chap. 2: On Cornacchia’s algorithm (joint with J.-L. Nicolas)
- [26]P.Q. Nguyen, D. Stehlé, Low-dimensional lattice basis reduction revisited, in
*Algorithmic Number Theory, Proceedings of 6th International Symposium, ANTS-VI*, Burlington, VT, USA, 13–18 June 2004, ed. by D.A. Buell. LNCS, vol. 3076 (Springer, Berlin, 2004), pp. 338–357 CrossRefGoogle Scholar - [27]K. Okeya, T. Takagi, The width-
*w*NAF method provides small memory and fast elliptic curve scalars multiplications against side-channel attacks, in*Proceedings of CT-RSA 2003*, ed. by M. Joye. LNCS, vol. 2612 (Springer, Berlin, 2003), pp. 328–342 Google Scholar - [28]F. Rodriguez-Henriquez, Private communication, 2012 Google Scholar
- [29]F. Sica, M. Ciet, J.-J. Quisquater, Analysis of the Gallant–Lambert–Vanstone method based on efficient endomorphisms: Elliptic and hyperelliptic curves, in
*Selected Areas in Cryptography, 9th Annual International Workshop, SAC 2002*, ed. by H. Heys, K. Nyberg. LNCS, vol. 2595 (Springer, Berlin, 2002), pp. 21–36 Google Scholar - [30]H.M. Stark, Class-numbers of complex quadratic fields, in
*Modular Functions of One Variable, I, Proc. Internat. Summer School*, Univ. Antwerp, Antwerp, 1972. Lecture Notes in Mathematics, vol. 320 (Springer, Berlin, 1973), pp. 153–174 CrossRefGoogle Scholar - [31]J. Taverne, A. Faz-Hernandez, D.F. Aranha, F. Rodriguez-Henriquez, D. Hankerson, J. Lopez, Speeding scalar multiplication over binary elliptic curves using the new carry-less multiplication instruction.
*J. Cryptograph. Eng.***1**, 187–199 (2011) CrossRefGoogle Scholar - [32]Z. Zhou, Z. Hu, M. Xu, W. Song, Efficient 3-dimensional GLV method for faster point multiplication on some GLS elliptic curves.
*Inf. Process. Lett.***77**(262), 1075–1104 (2010) MathSciNetGoogle Scholar

## Copyright information

© International Association for Cryptologic Research 2013