Journal of Cryptology, Volume 27, Issue 2, pp 248–283

Four-Dimensional Gallant–Lambert–Vanstone Scalar Multiplication

  • Patrick Longa
  • Francesco Sica


The GLV method of Gallant, Lambert, and Vanstone (CRYPTO 2001) computes any multiple kP of a point P of prime order n lying on an elliptic curve with a low-degree endomorphism Φ (called GLV curve) over \(\mathbb{F}_{p}\) as
$$kP = k_1P + k_2\varPhi(P) \quad\text{with } \max \bigl\{ |k_1|,|k_2| \bigr\} \leq C_1\sqrt{n} $$
for some explicit constant \(C_1>0\). Recently, Galbraith, Lin, and Scott (EUROCRYPT 2009) extended this method to all curves over \(\mathbb{F}_{p^{2}}\) which are twists of curves defined over \(\mathbb{F}_{p}\). We show in this work how to merge the two approaches in order to get, for twists of any GLV curve over \(\mathbb{F}_{p^{2}}\), a four-dimensional decomposition together with fast endomorphisms Φ,Ψ over \(\mathbb{F}_{p^{2}}\) acting on the group generated by a point P of prime order n, resulting in a proven decomposition for any scalar k∈[1,n] given by
$$kP=k_1P+ k_2\varPhi(P)+ k_3\varPsi(P) + k_4\varPsi\varPhi(P) \quad \text{with } \max_i \bigl(|k_i| \bigr)< C_2\, n^{1/4} $$
for some explicit \(C_2>0\). Remarkably, taking the best \(C_1, C_2\), we obtain \(C_2/C_1<412\), independently of the curve, ensuring in theory an almost constant relative speedup. In practice, our experiments reveal that the use of the merged GLV–GLS approach supports a scalar multiplication that runs up to 1.5 times faster than the original GLV method. We then improve this performance even further by exploiting the Twisted Edwards model and show that curves originally slower may become extremely efficient on this model. In addition, we analyze the performance of the method on a multicore setting and describe how to efficiently protect GLV-based scalar multiplication against several side-channel attacks. Our implementations improve the state-of-the-art performance of scalar multiplication on elliptic curves over large prime characteristic fields for a variety of scenarios including side-channel protected and unprotected cases with sequential and multicore execution.
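The two-dimensional decomposition in the first equation can be reproduced with integers alone. The following is an added example, not code from the paper or its authors: it assumes the secp256k1 group order as sample n, takes a primitive cube root of unity modulo n as the eigenvalue λ of Φ (which of the two roots matches a given Φ depends on the curve map chosen), and uses the classic truncated extended Euclid plus Babai rounding; all function names are illustrative.

```python
import math

# Assumption: order n of the secp256k1 group, a j-invariant-0 GLV curve (sample input).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def cube_root_of_unity(n):
    """Return lam != 1 with lam^3 = 1 (mod n), so lam^2 + lam + 1 = 0 (mod n)."""
    for g in range(2, 100):
        lam = pow(g, (n - 1) // 3, n)
        if lam != 1:
            return lam
    raise ValueError("no primitive cube root of unity found")

def glv_basis(n, lam):
    """Truncated extended Euclid on (n, lam): two short vectors (a, b)
    with a + b*lam = 0 (mod n)."""
    root = math.isqrt(n)
    r0, r1, t0, t1 = n, lam, 0, 1
    while r1 > root:                      # stop at r0 >= sqrt(n) > r1
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    q = r0 // r1
    r2, t2 = r0 - q * r1, t0 - q * t1     # one more Euclid step
    v2 = min((r0, -t0), (r2, -t2), key=lambda v: v[0] ** 2 + v[1] ** 2)
    return (r1, -t1), v2

def rdiv(a, d):
    """Nearest integer to a/d, exact integer arithmetic."""
    if d < 0:
        a, d = -a, -d
    return (2 * a + d) // (2 * d)

def decompose(k, basis):
    """Babai rounding: subtract the lattice vector closest to (k, 0)."""
    (a1, b1), (a2, b2) = basis
    det = a1 * b2 - a2 * b1               # equals +n or -n
    c1, c2 = rdiv(k * b2, det), rdiv(-k * b1, det)
    return k - c1 * a1 - c2 * a2, -c1 * b1 - c2 * b2

LAM = cube_root_of_unity(N)
BASIS = glv_basis(N, LAM)

if __name__ == "__main__":
    k = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF  # constructed
    k1, k2 = decompose(k, BASIS)
    assert (k1 + k2 * LAM - k) % N == 0
    print(f"k  : {k.bit_length()} bits")
    print(f"k1 : {k1:#x} ({k1.bit_length()} bits)")
    print(f"k2 : {k2:#x} ({k2.bit_length()} bits)")
```

The sub-scalars k1 and k2 may be negative; an implementation negates the corresponding point rather than reducing them modulo n, which would destroy the size bound.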

Key words

Elliptic curves; GLV–GLS method; Scalar multiplication; Twisted Edwards curve; Side-channel protection; Multicore computation



We thank the reviewers, Mike Scott and Dan Bernstein for their helpful comments. Also, we would like to thank Diego Aranha for his advice on multicore programming, Joppe Bos for his help on looking for efficient chains for implementing modular inversion, and Craig Costello and Kristin Lauter for helping us to detect a typo on a curve parameter in a previous paper version.


  1. D.F. Aranha, A. Faz-Hernandez, J. Lopez, F. Rodriguez-Henriquez, Faster implementation of scalar multiplication on Koblitz curves, in Proceedings of Latincrypt 2012. LNCS, vol. 7533 (Springer, Berlin, 2012), pp. 177–193
  2. D.J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters, Twisted Edwards curves, in Proceedings of AFRICACRYPT 2008, ed. by S. Vaudenay. LNCS, vol. 5023 (Springer, Berlin, 2008), pp. 389–405
  3. D.J. Bernstein, N. Duif, T. Lange, P. Schwabe, B.-Y. Yang, High-speed high-security signatures, in Proceedings of CHES 2011, ed. by B. Preneel, T. Takagi. LNCS, vol. 6917 (Springer, Berlin, 2011), pp. 124–142
  4. D.J. Bernstein, Curve25519: New Diffie–Hellman speed records, in Proceedings of PKC 2006. LNCS, vol. 3958 (Springer, Berlin, 2006), pp. 207–228
  5. D.J. Bernstein, CPU traps and pitfalls. Talk at Emerging Topics in Cryptographic Design and Cryptanalysis, Pythagorion, Samos, 2007. Available at:
  6. J. Bos, C. Costello, H. Hisil, K. Lauter, Two is greater than one. Cryptology ePrint Archive, Report 2012/670, 2012. Available at:
  7. D. Brumley, D. Boneh, Remote timing attacks are practical, in Proceedings of the 12th USENIX Security Symposium, ed. by S. Mangard, F.-X. Standaert. LNCS, vol. 6225 (Springer, Berlin, 2003), pp. 80–94
  8. H. Cohen, A Course in Computational Algebraic Number Theory. Graduate Texts in Mathematics, vol. 138 (Springer, Berlin, 1996)
  9. G. Cornacchia, Su di un metodo per la risoluzione in numeri interi dell’equazione \(\sum_{h=0}^{n}C_{h}x^{n-h}y^{h}=P\). G. Mat. Battaglini 46, 33–90 (1908)
  10. H. Edwards, A normal form for elliptic curves. Bull. Am. Math. Soc. 44, 393–422 (2007)
  11. S.D. Galbraith, X. Lin, M. Scott, Endomorphisms for faster elliptic curve cryptography on a large class of curves, in Proceedings of EUROCRYPT 2009, ed. by A. Joux. LNCS, vol. 5479 (Springer, Berlin, 2009), pp. 518–535
  12. S.D. Galbraith, X. Lin, M. Scott, Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. Cryptol. 24(3), 446–469 (2011)
  13. R.P. Gallant, J.L. Lambert, S.A. Vanstone, Faster point multiplication on elliptic curves with efficient endomorphisms, in Advances in Cryptology—Proceedings of CRYPTO 2001, ed. by J. Kilian. LNCS, vol. 2139 (Springer, Berlin, 2001), pp. 190–200
  14. M. Hamburg, Fast and compact elliptic-curve cryptography. Cryptology ePrint Archive, Report 2012/309, 2012. Available at:
  15. H. Hisil, K. Wong, G. Carter, E. Dawson, Twisted Edwards curves revisited, in Proceedings of ASIACRYPT 2008, ed. by J. Pieprzyk. LNCS, vol. 5350 (Springer, Berlin, 2008), pp. 326–343
  16. Z. Hu, P. Longa, M. Xu, Implementing 4-dimensional GLV method on GLS elliptic curves with j-invariant 0. Des. Codes Cryptogr. 63(3), 331–343 (2012). Also in Cryptology ePrint Archive, Report 2011/315
  17. M. Joye, M. Tunstall, Exponent recoding and regular exponentiation algorithms, in Proceedings of Africacrypt 2003, ed. by M. Joye. LNCS, vol. 5580 (Springer, Berlin, 2009), pp. 334–349
  18. E. Kasper, Fast elliptic curve cryptography in OpenSSL, in 2nd Workshop on Real-Life Cryptographic Protocols and Standardization (2011)
  19. P.C. Kocher, Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems, in Advances in Cryptology—Proceedings of CRYPTO 1996, ed. by N. Koblitz. LNCS, vol. 1109 (Springer, Berlin, 1996), pp. 104–113
  20. A.K. Lenstra, H.W. Lenstra Jr., L. Lovász, Factoring polynomials with rational coefficients. Math. Ann. 261, 513–534 (1982)
  21. P. Longa, Elliptic curve cryptography at high speeds. Talk at the 15th Workshop on Elliptic Curve Cryptography (ECC 2011), INRIA, France, 2011. Available at:
  22. P. Longa, High-speed elliptic curve and pairing-based cryptography. PhD thesis, University of Waterloo, 2011. Available at:
  23. P. Longa, C. Gebotys, Efficient techniques for high-speed elliptic curve cryptography, in Proceedings of CHES 2010, ed. by S. Mangard, F.-X. Standaert. LNCS, vol. 6225 (Springer, Berlin, 2010), pp. 80–94
  24. P. Longa, A. Miri, New composite operations and precomputation scheme for elliptic curve cryptosystems over prime fields, in Proceedings of PKC 2008, ed. by R. Cramer. LNCS, vol. 4939 (Springer, Berlin, 2008), pp. 229–247
  25. F. Morain, Courbes elliptiques et tests de primalité. PhD thesis, Université de Lyon I, 1990. Available at:, Chap. 2: On Cornacchia’s algorithm (joint with J.-L. Nicolas)
  26. P.Q. Nguyen, D. Stehlé, Low-dimensional lattice basis reduction revisited, in Algorithmic Number Theory, Proceedings of 6th International Symposium, ANTS-VI, Burlington, VT, USA, 13–18 June 2004, ed. by D.A. Buell. LNCS, vol. 3076 (Springer, Berlin, 2004), pp. 338–357
  27. K. Okeya, T. Takagi, The width-w NAF method provides small memory and fast elliptic curve scalars multiplications against side-channel attacks, in Proceedings of CT-RSA 2003, ed. by M. Joye. LNCS, vol. 2612 (Springer, Berlin, 2003), pp. 328–342
  28. F. Rodriguez-Henriquez, Private communication, 2012
  29. F. Sica, M. Ciet, J.-J. Quisquater, Analysis of the Gallant–Lambert–Vanstone method based on efficient endomorphisms: Elliptic and hyperelliptic curves, in Selected Areas in Cryptography, 9th Annual International Workshop, SAC 2002, ed. by H. Heys, K. Nyberg. LNCS, vol. 2595 (Springer, Berlin, 2002), pp. 21–36
  30. H.M. Stark, Class-numbers of complex quadratic fields, in Modular Functions of One Variable, I, Proc. Internat. Summer School, Univ. Antwerp, Antwerp, 1972. Lecture Notes in Mathematics, vol. 320 (Springer, Berlin, 1973), pp. 153–174
  31. J. Taverne, A. Faz-Hernandez, D.F. Aranha, F. Rodriguez-Henriquez, D. Hankerson, J. Lopez, Speeding scalar multiplication over binary elliptic curves using the new carry-less multiplication instruction. J. Cryptograph. Eng. 1, 187–199 (2011)
  32. Z. Zhou, Z. Hu, M. Xu, W. Song, Efficient 3-dimensional GLV method for faster point multiplication on some GLS elliptic curves. Inf. Process. Lett. 77(262), 1075–1104 (2010)

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  1. Microsoft Research, Redmond, USA
  2. School of Science and Technology, Nazarbayev University, Astana, Kazakhstan
