Journal of Cryptology

, Volume 29, Issue 1, pp 28–60 | Cite as

Fast Cryptography in Genus 2

  • Joppe W. Bos
  • Craig Costello
  • Huseyin Hisil
  • Kristin Lauter
Article

Abstract

In this paper, we highlight the benefits of using genus 2 curves in public-key cryptography. Compared to the standardized genus 1 curves, or elliptic curves, arithmetic on genus 2 curves is typically more involved but allows us to work with moduli of half the size. We give a taxonomy of the best known techniques to realize genus 2-based cryptography, which includes fast formulas on the Kummer surface and efficient four-dimensional GLV decompositions. By studying different modular arithmetic approaches on these curves, we present a range of genus 2 implementations. On a single core of an Intel Core i7-3520M (Ivy Bridge), our implementation on the Kummer surface breaks the 125 thousand cycle barrier which sets a new software speed record at the 128-bit security level for constant-time scalar multiplications compared to all previous genus 1 and genus 2 implementations.

Notes

Acknowledgments

We wish to thank Pierrick Gaudry for his Kummer help when this project began, Dan Bernstein and Tanja Lange for several fruitful discussions during the preparation of this work, Patrick Longa for his advice on optimizing the GLV routines and extensive comments on this work, Michael Naehrig for proofreading early versions of this paper, and the anonymous Eurocrypt reviewers for their useful comments.

We make note of several works that have appeared since this paper was submitted. The follow-up work in [7] pointed out that our online Kummer implementation contained a mistake which might leak secret information to side-channel adversaries. We updated the code accordingly(http://hhisil.yasar.edu.tr/files/hisil20140312genus2.tar.gz) and the subsequent performance numbers are stated in Table 2. We would like to thank the authors for finding this mistake. In addition, the authors of [7] tailored the use of vector instructions to give a solid boost to the performance of the Kummer surface routine described in Sect. 5, and subsequently, their accompanying implementation currently offers the fastest constant-time scalar multiplications over large prime fields. Finally, the overall Diffie–Hellman speed record at the 128-bit security level was recently claimed by Aranha et al. [56], who use a binary field elliptic curve equipped with an endomorphism to achieve highly efficient, constant-time scalar multiplications in around 60,000 clock cycles on the Haswell architecture.

References

  1. 1.
    T. Acar, D. Shumow, Modular reduction without pre-computation for special moduli. Technical report, Microsoft Research, 2010Google Scholar
  2. 2.
    L. Adleman, J. DeMarrais, M. Huang, A subexponential algorithm for discrete logarithms over hyperelliptic curves of large genus over GF(q). Theor. Comput. Sci. 226(1–2), 7–18 (1999)Google Scholar
  3. 3.
    D.F. Aranha, A. Faz-Hernández, J. López, F. Rodríguez-Henríquez, Faster implementation of scalar multiplication on Koblitz curves, in A. Hevia, G. Neven, editors, LATINCRYPT. Lecture Notes in Computer Science, vol. 7533 (Springer, 2012), pp. 177–193Google Scholar
  4. 4.
    D.J. Bernstein, Curve25519: New Diffie–Hellman speed records, in M. Yung, Y. Dodis, A. Kiayias, T. Malkin, editors, Public Key Cryptography—PKC 2006. Lecture Notes in Computer Science, vol. 3958 (Springer, Heidelberg, 2006), pp. 207–228Google Scholar
  5. 5.
    D.J. Bernstein, Differential addition chains. URL: http://cr.yp.to/ecdh/diffchain-20060219.pdf, February 2006
  6. 6.
    D.J. Bernstein, Elliptic vs. Hyperelliptic, part I. Talk at ECC (slides at http://cr.yp.to/talks/2006.09.20/slides.pdf,), September 2006
  7. 7.
    D.J. Bernstein, C. Chuengsatiansup, T. Lange, P. Schwabe, Kummer strikes back: new DH speed records. Cryptology ePrint Archive, Report 2014/134, 2014. http://eprint.iacr.org/
  8. 8.
    D.J. Bernstein, N. Duif, T. Lange, P. Schwabe, B.-Y. Yang, High-speed high-security signatures, in B. Preneel, T. Takagi, editors, CHES. Lecture Notes in Computer Science, vol. 6917 (Springer, 2011), pp. 124–142Google Scholar
  9. 9.
    D.J. Bernstein, T. Lange, Analysis and optimization of elliptic-curve single-scalar multiplication, in G.L. Mullen, D. Panario, I.E. Shparlinski, editors, Finite Fields and Applications. Contemporary Mathematics Series, vol. 461 (American Mathematical Society, 2008), pp. 1–19Google Scholar
  10. 10.
    D.J. Bernstein, T. Lange (editors), eBACS: ECRYPT Benchmarking of Cryptographic Systems. http://bench.cr.yp.to, accessed 4 October 2012
  11. 11.
    J.W. Bos, High-performance modular multiplication on the Cell processor, in M.A. Hasan, T. Helleseth, editors, Arithmetic of Finite Fields - WAIFI 2010. Lecture Notes in Computer Science, vol. 6087 (Springer, Heidelberg, 2010), pp. 7–24Google Scholar
  12. 12.
    J.W. Bos, C. Costello, A. Miele, Elliptic and hyperelliptic curves: A practical security analysis, in H. Krawczyk, editor, Public Key Cryptography—PKC 2014. Lecture Notes in Computer Science, vol. 8383 (Springer, 2014), pp. 203–220Google Scholar
  13. 13.
    J.W. Bos, M.E. Kaihara, T. Kleinjung, A.K. Lenstra, P.L. Montgomery, Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction. Int. J. Appl. Cryptogr. 2(3), 212–228 (2012)Google Scholar
  14. 14.
    A. Brauer, On addition chains. Bull. Am. Math. Soc. 45, 736–739 (1939)Google Scholar
  15. 15.
    M. Brown, D. Hankerson, J.López, A. Menezes, Software implementation of the NIST elliptic curves over prime fields, in D. Naccache, editor, CT-RSA. Lecture Notes in Computer Science, vol. 2020 (Springer, Heidelberg, 2001), pp. 250–265Google Scholar
  16. 16.
    J. Buhler, N. Koblitz, Lattice basis reduction, Jacobi sums and hyperelliptic cryptosystems. Bull. Aust. Math. Soc. 58(1), 147–154 (1998)Google Scholar
  17. 17.
    D.V. Chudnovsky, G.V. Chudnovsky, Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Adv. Appl. Math. 7, 385–434 (1986)Google Scholar
  18. 18.
    R. Cosset, Factorization with genus 2 curves. Math. Comput. 79(270), 1191–1208 (2010)Google Scholar
  19. 19.
    C. Costello, K. Lauter, Group law computations on Jacobians of hyperelliptic curves, in A. Miri, S. Vaudenay, editors, Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 7118 (Springer, 2011), pp. 92–117Google Scholar
  20. 20.
    C. Diem, On the discrete logarithm problem in class groups of curves. Math. Comput. 80, 443–475 (2011)Google Scholar
  21. 21.
    I.M. Duursma, P. Gaudry, F. Morain, Speeding up the discrete log computation on curves with automorphisms, in K.-Y. Lam, E. Okamoto, C. Xing, editors, Asiacrypt 1999. Lecture Notes in Computer Science, vol. 1716 (Springer, Heidelberg, 1999), pp. 103–121Google Scholar
  22. 22.
    K. Eisentrager, K. Lauter, A CRT algorithm for constructing genus 2 curves over finite fields. AGCT-11 (2007)Google Scholar
  23. 23.
    A. Enge, Computing discrete logarithms in high-genus hyperelliptic Jacobians in provably subexponential time. Math. Comput. 71, 729–742 (2002)Google Scholar
  24. 24.
    E. Furukawa, M. Kawazoe, T. Takahashi, Counting points for hyperelliptic curves of type \(\text{ y }^{\text{2 }}= \text{ x }^{\text{5 }}\) + ax over finite prime fields, in M. Matsui, R.J. Zuccherato, editors, Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 3006 (Springer, 2003), pp. 26–41Google Scholar
  25. 25.
    S.D. Galbraith, X. Lin, M. Scott, Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. Cryptol. 24(3), 446–469 (2011)Google Scholar
  26. 26.
    R.P. Gallant, R.J. Lambert, S.A. Vanstone, Faster point multiplication on elliptic curves with efficient endomorphisms, in J. Kilian, editor, CRYPTO. Lecture Notes in Computer Science, vol. 2139 (Springer, 2001), pp. 190–200Google Scholar
  27. 27.
    P. Gaudry, An algorithm for solving the discrete log problem on hyperelliptic curves. Eurocrypt, 1807, 19–34 (2000)Google Scholar
  28. 28.
    P. Gaudry, Algorithmique des courbes hyperelliptiques et applications à la cryptologie. PhD thesis, École polytechnique. http://www.lix.polytechnique.fr/Labo/Pierrick.Gaudry/publis/ (2000)
  29. 29.
    P. Gaudry, Fast genus 2 arithmetic based on theta functions. J. Math. Cryptol. JMC 1(3), 243–265 (2007)Google Scholar
  30. 30.
    P. Gaudry, Genus 2 formulae based on Theta functions and their implementation. Talk at ECC http://mathsci.ucd.ie/gmg/ECC2007Talks/ecc07-gaudry2.pdf, September 2007
  31. 31.
    P. Gaudry, Personal communication (2011)Google Scholar
  32. 32.
    P. Gaudry, T. Houtmann, D.R. Kohel, C. Ritzenthaler, A. Weng, The 2-adic CM method for genus 2 curves with application to cryptography, in X. Lai, K. Chen, editors, ASIACRYPT. Lecture Notes in Computer Science, vol. 4284 (Springer, 2006), pp. 114–129Google Scholar
  33. 33.
    P. Gaudry, D.R. Kohel, B.A. Smith, Counting points on genus 2 curves with real multiplication, in D.H. Lee, X. Wang, editors,ASIACRYPT. Lecture Notes in Computer Science, vol. 7073 (Springer, 2011), pp. 504–519Google Scholar
  34. 34.
    P. Gaudry, É. Schost, Genus 2 point counting over prime fields. J. Symb. Comput. 47(4), 368–400 (2012)Google Scholar
  35. 35.
    P. Gaudry, E. Thomé, The mp\(\mathbb{F}_q\) library and implementing curve-based key exchanges, in Software Performance Enhancement for Encryption and Decryption—SPEED 2007, pp. 49–64 (2007). www.loria.fr/~gaudry/publis/mpfq.pdf
  36. 36.
    M. Hamburg, Fast and compact elliptic-curve cryptography. Cryptology ePrint Archive, Report 2012/309, 2012. http://eprint.iacr.org/
  37. 37.
    H. Hisil, K.K.-H. Wong, G. Carter, E. Dawson, Twisted Edwards curves revisited, in J. Pieprzyk, editor, Asiacrypt 2008. Lecture Notes in Computer Science, vol. 5350 (Springer, Heidelberg, 2008), pp. 326–343Google Scholar
  38. 38.
    B.S. Kaliski Jr, The Montgomery inverse and its applications. IEEE Trans. Comput. 44(8), 1064–1065 (1995)Google Scholar
  39. 39.
    E. Käsper, Fast elliptic curve cryptography in OpenSSL, in G. Danezis, S. Dietrich, K. Sako, editors, Financial Cryptography Workshops. Lecture Notes in Computer Science, vol. 7126 (Springer, 2012) pp. 27–39Google Scholar
  40. 40.
    M. Knežević, F. Vercauteren, I. Verbauwhede, Speeding up bipartite modular multiplication, in M. Hasan, T. Helleseth, editors, Arithmetic of Finite Fields - WAIFI 2010. Lecture Notes in Computer Science, vol. 6087 (Springer, Berlin / Heidelberg, 2010), pp. 166–179Google Scholar
  41. 41.
    N. Koblitz, Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)Google Scholar
  42. 42.
    P.C. Kocher, Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems, in N. Koblitz, editor, Crypto 1996. Lecture Notes in Computer Science, vol. 1109 (Springer, Heidelberg, 1996), pp. 104–113Google Scholar
  43. 43.
    D.R. Kohel, Databases for Elliptic Curves and Higher Dimensional Analogues (Echidna). http://echidna.maths.usyd.edu.au/kohel/dbs/
  44. 44.
    D.R. Kohel, B.A. Smith, Efficiently computable endomorphisms for hyperelliptic curves, in F. Hess, S. Pauli, M.E. Pohst, editors, ANTS. Lecture Notes in Computer Science, vol. 4076 (Springer, 2006), pp. 495–509Google Scholar
  45. 45.
    A.K. Lenstra, Generating RSA moduli with a predetermined portion, in K. Ohta, D. Pei, editors, Asiacrypt’98. Lecture Notes in Computer Science, vol. 1514 (Springer, Berlin/Heidelberg, 1998), pp. 1–10Google Scholar
  46. 46.
    C.H. Lim, H.S. Hwang, Speeding up elliptic scalar multiplication with precomputation, in J. Song, editor, Information Security and Cryptology—ICISC’99. Lecture Notes in Computer Science, vol. 1787 (Springer, 2000), pp. 102–119Google Scholar
  47. 47.
    C.H. Lim, P.J. Lee, More flexible exponentiation with precomputation, in Y. Desmedt, editor, CRYPTO. Lecture Notes in Computer Science, vol. 839 (Springer, 1994), pp. 95–107Google Scholar
  48. 48.
    P. Longa, F. Sica, Four-dimensional Gallant–Lambert–Vanstone scalar multiplication, in X. Wang, K. Sako, editors, Asiacrypt 2012. Lecture Notes in Computer Science, vol. 7658 (Springer, 2012), pp. 718–739Google Scholar
  49. 49.
    J.-F. Mestre, Couples de jacobiennes isogenes de courbes hyperelliptiques. Preprint, arXiv http://arxiv.org/abs/0902.3470, or see http://www.lix.polytechnique.fr/ smith/Mestre--families.pdf (2009)
  50. 50.
    V.S. Miller, Use of elliptic curves in cryptography, in H.C. Williams, editor, Crypto 1985. Lecture Notes in Computer Science, vol. 218 (Springer, Heidelberg, 1986), pp. 417–426Google Scholar
  51. 51.
    P.L. Montgomery, Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985)Google Scholar
  52. 52.
    P.L. Montgomery, Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)Google Scholar
  53. 53.
    P.L. Montgomery, Evaluating recurrences of form \(x_{m+n}=f(x_m, x_n, x_{m-n})\) via lucas chains. ftp://ftp.cwi.nl/pub/pmontgom/Lucas.ps.gz (1992)
  54. 54.
    F. Morain, J. Olivos, Speeding up the computations on an elliptic curve using addition–subtraction chains. Inform. Théor. Appl. Theor. Inform. Appl. 24, 531–544 (1990)Google Scholar
  55. 55.
    National Security Agency, Fact sheet NSA Suite B Cryptography. http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml (2009)
  56. 56.
    T. Oliveira, J.López, D.F. Aranha, F. Rodríguez-Henríquez, Two is the fastest prime: lambda coordinates for binary elliptic curves. J. Cryptogr. Eng. 4(1), 3–17 (2014)Google Scholar
  57. 57.
    T. Oliveira, F. Rodríguez-Henríquez, J.López, New timings for scalar multiplication using a new set of coordinates. Rump session talk at ECC 2012 October 2012 (2012)Google Scholar
  58. 58.
    Y.-H. Park, S. Jeong, J. Lim, Speeding up point multiplication on hyperelliptic curves with efficiently-computable endomorphisms, in L.R. Knudsen, editor, EUROCRYPT. Lecture Notes in Computer Science, vol. 2332 (Springer, 2002), pp. 197–208Google Scholar
  59. 59.
    J. Pila. Frobenius maps of abelian varieties and finding roots of unity in finite fields. Math. Comput. 55(192), 745–763 (1990)Google Scholar
  60. 60.
    J.M. Pollard, Monte Carlo methods for index computation (mod \(p\)). Math. Comput. 32(143), 918–924 (1978)Google Scholar
  61. 61.
    A. Scholz, Aufgabe 253. Jahresbericht der deutschen Mathematiker-Vereingung 47, 41–42 (1937)Google Scholar
  62. 62.
    R. Schoof, Elliptic curves over finite fields and the computation of square roots mod p. Math. Comput. 44(170), 483–494 (1985)Google Scholar
  63. 63.
    D. Shanks, Class number, a theory of factorization, and genera, in D.J. Lewis, editor, Symposia in Pure Mathematics, vol. 20 (American Mathematical Society, 1971), pp. 415–440Google Scholar
  64. 64.
    N.P. Smart, S. Siksek, A fast Diffie–Hellman protocol in genus 2. J. Cryptol. 12(1), 67–73 (1999)Google Scholar
  65. 65.
    J.A. Solinas, Generalized Mersenne numbers. Technical Report CORR 99–39, Centre for Applied Cryptographic Research, University of Waterloo (1999)Google Scholar
  66. 66.
    M. Stam, Speeding up Subgroup Cryptosystems. PhD thesis, Technische Universiteit Eindhoven, May 2003 (2003)Google Scholar
  67. 67.
    K. Takashima, A new type of fast endomorphisms on Jacobians of hyperelliptic curves and their cryptographic application. IEICE Trans. 89-A(1), 124–133 (2006)Google Scholar
  68. 68.
    E.G. Thurber, On addition chains \(l(mn)\le l(n)-b\) and lower bounds for \(c(r)\). Duke Math. J. 40, 907–913 (1973)Google Scholar
  69. 69.
    U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS). FIPS-186-3, 2009. http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
  70. 70.
    P.B. van Wamelen, Examples of genus two CM curves defined over the rationals. Math. Comput. 68(225), 307–320 (1999)Google Scholar
  71. 71.
    P.B. van Wamelen, Computing with the analytic Jacobian of a genus 2 curve, in W. Bosma, J. Cannon, M. Bronstein, A.M. Cohen, H. Cohen, D. Eisenbud, B. Sturmfels, editors, Discovering Mathematics with Magma. Algorithms and Computation in Mathematics, vol. 19 (Springer, Berlin Heidelberg, 2006), pp. 117–135Google Scholar
  72. 72.
    A. Weng, Constructing hyperelliptic curves of genus 2 suitable for cryptography. Math. Comput. 72(241), 435–458 (2003)Google Scholar
  73. 73.
    M.J. Wiener, R.J. Zuccherato, Faster attacks on elliptic curve cryptosystems, in S. Tavares, H. Meijer, editors, Selected Areas in Cryptography—(SAC) 1998. Lecture Notes in Computer Science, vol. 1556 (Springer New York, 1999), pp. 190–200Google Scholar

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Joppe W. Bos
    • 1
  • Craig Costello
    • 1
  • Huseyin Hisil
    • 2
  • Kristin Lauter
    • 3
  1. 1.Microsoft ResearchRedmondUSA
  2. 2.Yasar UniversityIzmirTurkey
  3. 3.Microsoft ResearchRedmondUSA

Personalised recommendations