# Fast Cryptography in Genus 2

- 686 Downloads
- 1 Citations

## Abstract

In this paper, we highlight the benefits of using genus 2 curves in public-key cryptography. Compared to the standardized genus 1 curves, or elliptic curves, arithmetic on genus 2 curves is typically more involved but allows us to work with moduli of half the size. We give a taxonomy of the best known techniques to realize genus 2-based cryptography, which includes fast formulas on the Kummer surface and efficient four-dimensional GLV decompositions. By studying different modular arithmetic approaches on these curves, we present a range of genus 2 implementations. On a single core of an Intel Core i7-3520M (Ivy Bridge), our implementation on the Kummer surface breaks the 125 thousand cycle barrier which sets a new software speed record at the 128-bit security level for constant-time scalar multiplications compared to all previous genus 1 and genus 2 implementations.

## Notes

### Acknowledgments

We wish to thank Pierrick Gaudry for his Kummer help when this project began, Dan Bernstein and Tanja Lange for several fruitful discussions during the preparation of this work, Patrick Longa for his advice on optimizing the GLV routines and extensive comments on this work, Michael Naehrig for proofreading early versions of this paper, and the anonymous Eurocrypt reviewers for their useful comments.

We make note of several works that have appeared since this paper was submitted. The follow-up work in [7] pointed out that our online Kummer implementation contained a mistake which might leak secret information to side-channel adversaries. We updated the code accordingly(http://hhisil.yasar.edu.tr/files/hisil20140312genus2.tar.gz) and the subsequent performance numbers are stated in Table 2. We would like to thank the authors for finding this mistake. In addition, the authors of [7] tailored the use of vector instructions to give a solid boost to the performance of the Kummer surface routine described in Sect. 5, and subsequently, their accompanying implementation currently offers the fastest constant-time scalar multiplications over large prime fields. Finally, the overall Diffie–Hellman speed record at the 128-bit security level was recently claimed by Aranha et al. [56], who use a binary field elliptic curve equipped with an endomorphism to achieve highly efficient, constant-time scalar multiplications in around 60,000 clock cycles on the Haswell architecture.

## References

- 1.T. Acar, D. Shumow, Modular reduction without pre-computation for special moduli. Technical report, Microsoft Research, 2010Google Scholar
- 2.L. Adleman, J. DeMarrais, M. Huang, A subexponential algorithm for discrete logarithms over hyperelliptic curves of large genus over GF(q).
*Theor. Comput. Sci.***226**(1–2), 7–18 (1999)Google Scholar - 3.D.F. Aranha, A. Faz-Hernández, J. López, F. Rodríguez-Henríquez, Faster implementation of scalar multiplication on Koblitz curves, in A. Hevia, G. Neven, editors,
*LATINCRYPT*. Lecture Notes in Computer Science, vol. 7533 (Springer, 2012), pp. 177–193Google Scholar - 4.D.J. Bernstein, Curve25519: New Diffie–Hellman speed records, in M. Yung, Y. Dodis, A. Kiayias, T. Malkin, editors,
*Public Key Cryptography—PKC 2006*. Lecture Notes in Computer Science, vol. 3958 (Springer, Heidelberg, 2006), pp. 207–228Google Scholar - 5.D.J. Bernstein, Differential addition chains. URL: http://cr.yp.to/ecdh/diffchain-20060219.pdf, February 2006
- 6.D.J. Bernstein, Elliptic vs. Hyperelliptic, part I. Talk at ECC (slides at http://cr.yp.to/talks/2006.09.20/slides.pdf,), September 2006
- 7.D.J. Bernstein, C. Chuengsatiansup, T. Lange, P. Schwabe, Kummer strikes back: new DH speed records. Cryptology ePrint Archive, Report 2014/134, 2014. http://eprint.iacr.org/
- 8.D.J. Bernstein, N. Duif, T. Lange, P. Schwabe, B.-Y. Yang, High-speed high-security signatures, in B. Preneel, T. Takagi, editors,
*CHES*. Lecture Notes in Computer Science, vol. 6917 (Springer, 2011), pp. 124–142Google Scholar - 9.D.J. Bernstein, T. Lange, Analysis and optimization of elliptic-curve single-scalar multiplication, in G.L. Mullen, D. Panario, I.E. Shparlinski, editors,
*Finite Fields and Applications*.*Contemporary Mathematics Series*, vol. 461 (American Mathematical Society, 2008), pp. 1–19Google Scholar - 10.D.J. Bernstein, T. Lange (editors), eBACS: ECRYPT Benchmarking of Cryptographic Systems. http://bench.cr.yp.to, accessed 4 October 2012
- 11.J.W. Bos, High-performance modular multiplication on the Cell processor, in M.A. Hasan, T. Helleseth, editors,
*Arithmetic of Finite Fields - WAIFI 2010*. Lecture Notes in Computer Science, vol. 6087 (Springer, Heidelberg, 2010), pp. 7–24Google Scholar - 12.J.W. Bos, C. Costello, A. Miele, Elliptic and hyperelliptic curves: A practical security analysis, in H. Krawczyk, editor,
*Public Key Cryptography—PKC 2014*. Lecture Notes in Computer Science, vol. 8383 (Springer, 2014), pp. 203–220Google Scholar - 13.J.W. Bos, M.E. Kaihara, T. Kleinjung, A.K. Lenstra, P.L. Montgomery, Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction.
*Int. J. Appl. Cryptogr.***2**(3), 212–228 (2012)Google Scholar - 14.
- 15.M. Brown, D. Hankerson, J.López, A. Menezes, Software implementation of the NIST elliptic curves over prime fields, in D. Naccache, editor,
*CT-RSA*. Lecture Notes in Computer Science, vol. 2020 (Springer, Heidelberg, 2001), pp. 250–265Google Scholar - 16.J. Buhler, N. Koblitz, Lattice basis reduction, Jacobi sums and hyperelliptic cryptosystems.
*Bull. Aust. Math. Soc.***58**(1), 147–154 (1998)Google Scholar - 17.D.V. Chudnovsky, G.V. Chudnovsky, Sequences of numbers generated by addition in formal groups and new primality and factorization tests.
*Adv. Appl. Math.***7**, 385–434 (1986)Google Scholar - 18.
- 19.C. Costello, K. Lauter, Group law computations on Jacobians of hyperelliptic curves, in A. Miri, S. Vaudenay, editors,
*Selected Areas in Cryptography*. Lecture Notes in Computer Science, vol. 7118 (Springer, 2011), pp. 92–117Google Scholar - 20.C. Diem, On the discrete logarithm problem in class groups of curves.
*Math. Comput.***80**, 443–475 (2011)Google Scholar - 21.I.M. Duursma, P. Gaudry, F. Morain, Speeding up the discrete log computation on curves with automorphisms, in K.-Y. Lam, E. Okamoto, C. Xing, editors,
*Asiacrypt 1999*. Lecture Notes in Computer Science, vol. 1716 (Springer, Heidelberg, 1999), pp. 103–121Google Scholar - 22.K. Eisentrager, K. Lauter, A CRT algorithm for constructing genus 2 curves over finite fields.
*AGCT-11*(2007)Google Scholar - 23.A. Enge, Computing discrete logarithms in high-genus hyperelliptic Jacobians in provably subexponential time.
*Math. Comput.***71**, 729–742 (2002)Google Scholar - 24.E. Furukawa, M. Kawazoe, T. Takahashi, Counting points for hyperelliptic curves of type \(\text{ y }^{\text{2 }}= \text{ x }^{\text{5 }}\) + ax over finite prime fields, in M. Matsui, R.J. Zuccherato, editors,
*Selected Areas in Cryptography*. Lecture Notes in Computer Science, vol. 3006 (Springer, 2003), pp. 26–41Google Scholar - 25.S.D. Galbraith, X. Lin, M. Scott, Endomorphisms for faster elliptic curve cryptography on a large class of curves.
*J. Cryptol.***24**(3), 446–469 (2011)Google Scholar - 26.R.P. Gallant, R.J. Lambert, S.A. Vanstone, Faster point multiplication on elliptic curves with efficient endomorphisms, in J. Kilian, editor,
*CRYPTO*. Lecture Notes in Computer Science, vol. 2139 (Springer, 2001), pp. 190–200Google Scholar - 27.P. Gaudry, An algorithm for solving the discrete log problem on hyperelliptic curves.
*Eurocrypt*,**1807**, 19–34 (2000)Google Scholar - 28.P. Gaudry, Algorithmique des courbes hyperelliptiques et applications à la cryptologie. PhD thesis, École polytechnique. http://www.lix.polytechnique.fr/Labo/Pierrick.Gaudry/publis/ (2000)
- 29.P. Gaudry, Fast genus 2 arithmetic based on theta functions.
*J. Math. Cryptol. JMC***1**(3), 243–265 (2007)Google Scholar - 30.P. Gaudry, Genus 2 formulae based on Theta functions and their implementation. Talk at ECC http://mathsci.ucd.ie/gmg/ECC2007Talks/ecc07-gaudry2.pdf, September 2007
- 31.P. Gaudry, Personal communication (2011)Google Scholar
- 32.P. Gaudry, T. Houtmann, D.R. Kohel, C. Ritzenthaler, A. Weng, The 2-adic CM method for genus 2 curves with application to cryptography, in X. Lai, K. Chen, editors,
*ASIACRYPT*. Lecture Notes in Computer Science, vol. 4284 (Springer, 2006), pp. 114–129Google Scholar - 33.P. Gaudry, D.R. Kohel, B.A. Smith, Counting points on genus 2 curves with real multiplication, in D.H. Lee, X. Wang, editors,
*ASIACRYPT*. Lecture Notes in Computer Science, vol. 7073 (Springer, 2011), pp. 504–519Google Scholar - 34.P. Gaudry, É. Schost, Genus 2 point counting over prime fields.
*J. Symb. Comput.***47**(4), 368–400 (2012)Google Scholar - 35.P. Gaudry, E. Thomé, The mp\(\mathbb{F}_q\) library and implementing curve-based key exchanges, in
*Software Performance Enhancement for Encryption and Decryption—SPEED 2007*, pp. 49–64 (2007). www.loria.fr/~gaudry/publis/mpfq.pdf - 36.M. Hamburg, Fast and compact elliptic-curve cryptography. Cryptology ePrint Archive, Report 2012/309, 2012. http://eprint.iacr.org/
- 37.H. Hisil, K.K.-H. Wong, G. Carter, E. Dawson, Twisted Edwards curves revisited, in J. Pieprzyk, editor,
*Asiacrypt 2008*. Lecture Notes in Computer Science, vol. 5350 (Springer, Heidelberg, 2008), pp. 326–343Google Scholar - 38.B.S. Kaliski Jr, The Montgomery inverse and its applications.
*IEEE Trans. Comput.***44**(8), 1064–1065 (1995)Google Scholar - 39.E. Käsper, Fast elliptic curve cryptography in OpenSSL, in G. Danezis, S. Dietrich, K. Sako, editors,
*Financial Cryptography Workshops*. Lecture Notes in Computer Science, vol. 7126 (Springer, 2012) pp. 27–39Google Scholar - 40.M. Knežević, F. Vercauteren, I. Verbauwhede, Speeding up bipartite modular multiplication, in M. Hasan, T. Helleseth, editors,
*Arithmetic of Finite Fields - WAIFI 2010*. Lecture Notes in Computer Science, vol. 6087 (Springer, Berlin / Heidelberg, 2010), pp. 166–179Google Scholar - 41.
- 42.P.C. Kocher, Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems, in N. Koblitz, editor,
*Crypto 1996*. Lecture Notes in Computer Science, vol. 1109 (Springer, Heidelberg, 1996), pp. 104–113Google Scholar - 43.D.R. Kohel, Databases for Elliptic Curves and Higher Dimensional Analogues (Echidna). http://echidna.maths.usyd.edu.au/kohel/dbs/
- 44.D.R. Kohel, B.A. Smith, Efficiently computable endomorphisms for hyperelliptic curves, in F. Hess, S. Pauli, M.E. Pohst, editors,
*ANTS*. Lecture Notes in Computer Science, vol. 4076 (Springer, 2006), pp. 495–509Google Scholar - 45.A.K. Lenstra, Generating RSA moduli with a predetermined portion, in K. Ohta, D. Pei, editors,
*Asiacrypt’98*. Lecture Notes in Computer Science, vol. 1514 (Springer, Berlin/Heidelberg, 1998), pp. 1–10Google Scholar - 46.C.H. Lim, H.S. Hwang, Speeding up elliptic scalar multiplication with precomputation, in J. Song, editor,
*Information Security and Cryptology—ICISC’99*. Lecture Notes in Computer Science, vol. 1787 (Springer, 2000), pp. 102–119Google Scholar - 47.C.H. Lim, P.J. Lee, More flexible exponentiation with precomputation, in Y. Desmedt, editor,
*CRYPTO*. Lecture Notes in Computer Science, vol. 839 (Springer, 1994), pp. 95–107Google Scholar - 48.P. Longa, F. Sica, Four-dimensional Gallant–Lambert–Vanstone scalar multiplication, in X. Wang, K. Sako, editors,
*Asiacrypt 2012*. Lecture Notes in Computer Science, vol. 7658 (Springer, 2012), pp. 718–739Google Scholar - 49.J.-F. Mestre, Couples de jacobiennes isogenes de courbes hyperelliptiques. Preprint, arXiv http://arxiv.org/abs/0902.3470, or see http://www.lix.polytechnique.fr/ smith/Mestre--families.pdf (2009)
- 50.V.S. Miller, Use of elliptic curves in cryptography, in H.C. Williams, editor,
*Crypto 1985*. Lecture Notes in Computer Science, vol. 218 (Springer, Heidelberg, 1986), pp. 417–426Google Scholar - 51.P.L. Montgomery, Modular multiplication without trial division.
*Math. Comput.***44**(170), 519–521 (1985)Google Scholar - 52.P.L. Montgomery, Speeding the Pollard and elliptic curve methods of factorization.
*Math. Comput.***48**(177), 243–264 (1987)Google Scholar - 53.P.L. Montgomery, Evaluating recurrences of form \(x_{m+n}=f(x_m, x_n, x_{m-n})\) via lucas chains. ftp://ftp.cwi.nl/pub/pmontgom/Lucas.ps.gz (1992)
- 54.F. Morain, J. Olivos, Speeding up the computations on an elliptic curve using addition–subtraction chains.
*Inform. Théor. Appl. Theor. Inform. Appl.***24**, 531–544 (1990)Google Scholar - 55.National Security Agency, Fact sheet NSA Suite B Cryptography. http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml (2009)
- 56.T. Oliveira, J.López, D.F. Aranha, F. Rodríguez-Henríquez, Two is the fastest prime: lambda coordinates for binary elliptic curves.
*J. Cryptogr. Eng.***4**(1), 3–17 (2014)Google Scholar - 57.T. Oliveira, F. Rodríguez-Henríquez, J.López, New timings for scalar multiplication using a new set of coordinates. Rump session talk at ECC 2012 October 2012 (2012)Google Scholar
- 58.Y.-H. Park, S. Jeong, J. Lim, Speeding up point multiplication on hyperelliptic curves with efficiently-computable endomorphisms, in L.R. Knudsen, editor,
*EUROCRYPT*. Lecture Notes in Computer Science, vol. 2332 (Springer, 2002), pp. 197–208Google Scholar - 59.J. Pila. Frobenius maps of abelian varieties and finding roots of unity in finite fields.
*Math. Comput.***55**(192), 745–763 (1990)Google Scholar - 60.J.M. Pollard, Monte Carlo methods for index computation (mod \(p\)).
*Math. Comput.***32**(143), 918–924 (1978)Google Scholar - 61.A. Scholz, Aufgabe 253.
*Jahresbericht der deutschen Mathematiker-Vereingung***47**, 41–42 (1937)Google Scholar - 62.R. Schoof, Elliptic curves over finite fields and the computation of square roots mod p.
*Math. Comput.***44**(170), 483–494 (1985)Google Scholar - 63.D. Shanks, Class number, a theory of factorization, and genera, in D.J. Lewis, editor,
*Symposia in Pure Mathematics*, vol. 20 (American Mathematical Society, 1971), pp. 415–440Google Scholar - 64.N.P. Smart, S. Siksek, A fast Diffie–Hellman protocol in genus 2.
*J. Cryptol.***12**(1), 67–73 (1999)Google Scholar - 65.J.A. Solinas, Generalized Mersenne numbers. Technical Report CORR 99–39, Centre for Applied Cryptographic Research, University of Waterloo (1999)Google Scholar
- 66.M. Stam,
*Speeding up Subgroup Cryptosystems*. PhD thesis, Technische Universiteit Eindhoven, May 2003 (2003)Google Scholar - 67.K. Takashima, A new type of fast endomorphisms on Jacobians of hyperelliptic curves and their cryptographic application.
*IEICE Trans.***89-A**(1), 124–133 (2006)Google Scholar - 68.E.G. Thurber, On addition chains \(l(mn)\le l(n)-b\) and lower bounds for \(c(r)\).
*Duke Math. J.***40**, 907–913 (1973)Google Scholar - 69.U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS). FIPS-186-3, 2009. http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
- 70.P.B. van Wamelen, Examples of genus two CM curves defined over the rationals.
*Math. Comput.***68**(225), 307–320 (1999)Google Scholar - 71.P.B. van Wamelen, Computing with the analytic Jacobian of a genus 2 curve, in W. Bosma, J. Cannon, M. Bronstein, A.M. Cohen, H. Cohen, D. Eisenbud, B. Sturmfels, editors,
*Discovering Mathematics with Magma*. Algorithms and Computation in Mathematics, vol. 19 (Springer, Berlin Heidelberg, 2006), pp. 117–135Google Scholar - 72.A. Weng, Constructing hyperelliptic curves of genus 2 suitable for cryptography.
*Math. Comput.***72**(241), 435–458 (2003)Google Scholar - 73.M.J. Wiener, R.J. Zuccherato, Faster attacks on elliptic curve cryptosystems, in S. Tavares, H. Meijer, editors,
*Selected Areas in Cryptography—(SAC) 1998*. Lecture Notes in Computer Science, vol. 1556 (Springer New York, 1999), pp. 190–200Google Scholar