Advertisement

Kummer for Genus One Over Prime-Order Fields

  • Sabyasachi KaratiEmail author
  • Palash Sarkar
Article
  • 22 Downloads

Abstract

This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz (Finite Fields Appl 15(2):246–260, 2009) had suggested the use of the associated Kummer line to speed up scalar multiplication. In the present work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. It turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines denoted as \(K_1:=\mathsf{KL2519(81,20)}\), \(K_2:=\mathsf{KL25519(82,77)}\) and \(K_3:=\mathsf{KL2663(260,139)}\) over the three primes \(2^{251}-9\), \(2^{255}-19\) and \(2^{266}-3\), respectively. Implementations of scalar multiplications for all three Kummer lines using Intel intrinsics have been done, and the code is publicly available. Timing results on the Skylake and the Haswell processors of Intel indicate that both fixed base and variable base scalar multiplications for \(K_1\) and \(K_2\) are faster than those achieved by Sandy2x, which is a highly optimised SIMD implementation in assembly of the well-known Curve25519. On Skylake, both fixed base and variable base scalar multiplications for \(K_3\) are faster than Sandy2x, whereas on Haswell, fixed base scalar multiplication for \(K_3\) is faster than Sandy2x while variable base scalar multiplication for both \(K_3\) and Sandy2x takes roughly the same time. In practical terms, the particular Kummer lines that are introduced in this work are serious candidates for deployment and standardisation. We further illustrate the usefulness of the proposed Kummer lines by instantiating the quotient Digital Signature Algorithm on all the three Kummer lines.

Keywords

Elliptic curve cryptography Kummer line Montgomery curve Scalar multiplication 

Notes

Acknowledgements

We would like to thank Pierrick Gaudry for helpful comments and clarifying certain confusion regarding conversion from Kummer line to elliptic curve. We would also like to thank Peter Schwabe for clarifying certain implementation issues regarding Curve25519 and Kummer surface computation in genus 2. Thanks to Alfred Menezes, René Struik, Patrick Longa, the reviewers of Asiacrypt 2017, and the reviewers of the present paper for comments.

References

  1. 1.
    J. Barwise, P. Eklof, Lefschetz’s principle. Journal of Algebra. 13(4), 554–570 (1969)MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    D. J. Bernstein, Curve25519: New Diffie-Hellman speed records. in Public Key Cryptography - PKC, volume 3958 of Lecture Notes in Computer Science, (Springer, 2006), pp. 207–228Google Scholar
  3. 3.
    D. J. Bernstein, Elliptic vs. hyperelliptic, part I. Talk at ECC. (2006)Google Scholar
  4. 4.
    D.J. Bernstein, C. Chuengsatiansup, T. Lange, P. Schwabe, Kummer strikes back: New DH speed records. in Advances in Cryptology - ASIACRYPT, volume 8873 of Lecture Notes in Computer Science, (Springer, 2014), pp. 317–337Google Scholar
  5. 5.
    D. J. Bernstein, T. Lange, Safecurves: choosing safe curves for elliptic-curve cryptography. http://safecurves.cr.yp.to/index.html, accessed on September 1, (2018)
  6. 6.
    Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, Bo-Yin Yang, High-speed high-security signatures. in Bart Preneel and Tsuyoshi Takagi, editors, Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, September 28–October 1, 2011. Proceedings, volume 6917 of Lecture Notes in Computer Science, (Springer, 2011), pp. 124–142Google Scholar
  7. 7.
    Daniel J, Bernstein and Peter Schwabe. NEON crypto. in Emmanuel Prouff and Patrick Schaumont, editors, Cryptographic Hardware and Embedded Systems - CHES 2012 - 14th International Workshop, Leuven, Belgium, September 9–12, 2012. Proceedings, volume 7428 of Lecture Notes in Computer Science, (Springer, 2012), pp. 320–339Google Scholar
  8. 8.
    Guido Bertoni, Jean-Sébastien Coron, editors. Cryptographic Hardware and Embedded Systems - CHES 2013 - 15th International Workshop, Santa Barbara, CA, USA, August 20–23, 2013. Proceedings, volume 8086 of Lecture Notes in Computer Science, (Springer, 2013)Google Scholar
  9. 9.
    Joppe W. Bos, Craig Costello, Hüseyin Hisil, Kristin E. Lauter, Fast cryptography in genus 2. in Advances in Cryptology - EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26–30, 2013. Proceedings, volume 7881 of Lecture Notes in Computer Science, (Springer, 2013), pp. 194–210Google Scholar
  10. 10.
    Joppe W. Bos, Craig Costello, Hüseyin Hisil, Kristin E. Lauter, High-performance scalar multiplication using 8-dimensional GLV/GLS decomposition. in Bertoni and Coron [10], pp. 331–348Google Scholar
  11. 11.
  12. 12.
    Tung Chou, Sandy2x: New Curve25519 speed records. in Orr Dunkelman and Liam Keliher, editors, Selected Areas in Cryptography - SAC 2015 - 22nd International Conference, Sackville, NB, Canada, August 12–14, 2015, Revised Selected Papers, volume 9566 of Lecture Notes in Computer Science, (Springer, 2015), pp. 145–160Google Scholar
  13. 13.
    R. Cosset, Factorization with genus 2 curves. Mathematics of Computation. 79(270),1191–1208 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    C. Costello, P. Longa, Four(\({\mathbb{Q}}\)): Four-dimensional decompositions on a \({\mathbb{Q}}\)-curve over the Mersenne prime. in Advances in Cryptology - ASIACRYPT Part I, volume 9452 of Lecture Notes in Computer Science, (Springer, 2015), pp. 214–235Google Scholar
  15. 15.
    Craig Costello, Hüseyin Hisil, Benjamin Smith, Faster compact Diffie-Hellman: Endomorphisms on the x-line. in Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11–15, 2014. Proceedings, volume 8441 of Lecture Notes in Computer Science, (Springer, 2014), pp. 183–200Google Scholar
  16. 16.
    Neil Costigan, Peter Schwabe, Fast elliptic-curve cryptography on the cell broadband engine. in Bart Preneel, editor, Progress in Cryptology - AFRICACRYPT 2009, Second International Conference on Cryptology in Africa, Gammarth, Tunisia, June 21–25, 2009. Proceedings, volume 5580 of Lecture Notes in Computer Science, (Springer, 2009), pp. 368–385Google Scholar
  17. 17.
    Curve25519. Wikipedia page on Curve25519. https://en.wikipedia.org/wiki/Curve25519, accessed on September 1, (2018)
  18. 18.
    M. J. Dworkin, SHA-3 standard: Permutation-based hash and extendable-output functions. Technical report, National Institute of Standards and Technology (NIST). (2015). http://www.nist.gov/manuscript-publication-search.cfm?pub_id=919061
  19. 19.
    Armando Faz-Hernández, Patrick Longa, Ana H. Sánchez, Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves. in Josh Benaloh, editor, Topics in Cryptology - CT-RSA 2014 - The Cryptographer’s Track at the RSA Conference 2014, San Francisco, CA, USA, February 25–28, 2014. Proceedings, volume 8366 of Lecture Notes in Computer Science, (Springer, 2014), pp. 1–27Google Scholar
  20. 20.
    Armando Faz-Hernández, Julio López, Fast implementation of Curve25519 using AVX2. in Kristin E. Lauter and Francisco Rodríguez-Henríquez, editors, Progress in Cryptology - LATINCRYPT 2015 - 4th International Conference on Cryptology and Information Security in Latin America, Guadalajara, Mexico, August 23–26, 2015, Proceedings, volume 9230 of Lecture Notes in Computer Science, (Springer, 2015), pp. 329–345Google Scholar
  21. 21.
    E.V. Flynn, Formulas for Kummer on genus 2. http://people.maths.ox.ac.uk/flynn/genus2/kummer/, accessed on September 1, (2018)
  22. 22.
    E.V. Flynn, The group law on the Jacobian of a curve of genus 2. J. reine angew. Math. 439,45–69(1993)MathSciNetzbMATHGoogle Scholar
  23. 23.
    Code for Kummer Line Computations. https://github.com/skarati/KummerLineV02
  24. 24.
    Code for qDSA on Kummer Line. https://github.com/skarati/qDSA
  25. 25.
    G. Frey, H.-G. Rück, The strong Lefschetz principle in algebraic geometry. Manuscripta Mathematica. 55(3), 385–401 (1986)MathSciNetCrossRefzbMATHGoogle Scholar
  26. 26.
    P. Gaudry, Fast genus 2 arithmetic based on theta functions. J. Mathematical Cryptology. 1(3), 243–265 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    P. Gaudry. Personal communication. (2016)Google Scholar
  28. 28.
    P. Gaudry, D. Lubicz, The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines. Finite Fields and Their Applications. 15(2), 246–260 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  29. 29.
    P. Gaudry, É. Schost, Genus 2 point counting over prime fields. J. Symb. Comput. 47(4), 368–400 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  30. 30.
    S. Gueron, Software optimizations for cryptographic primitives on general purpose x86\_64 platforms. Tutorial at IndoCrypt. (2011)Google Scholar
  31. 31.
    Shay Gueron, Vlad Krasnov, Fast prime field elliptic-curve cryptography with 256-bit primes. J. Cryptographic Engineering. 5(2), 141–151 (2015)CrossRefGoogle Scholar
  32. 32.
    Darrel Hankerson, Koray Karabina, Alfred Menezes, Analyzing the Galbraith-Lin-Scott point multiplication method for elliptic curves over binary fields. IEEE Trans. Computers. 58(10), 1411–1420 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  33. 33.
    Huseyin Hisil, Joost Renes, On kummer lines with full rational 2-torsion and their usage in cryptography. Cryptology ePrint Archive, Report 2018/839, (2018). https://eprint.iacr.org/2018/839
  34. 34.
    Jun ichi Igusa. Theta functions. Springer, 1972.Google Scholar
  35. 35.
    Sabyasachi Karati, Palash Sarkar, Kummer for genus one over prime order fields. in Takagi and Peyrin [50], pp. 3–32Google Scholar
  36. 36.
    Neal Koblitz, Elliptic curve cryptosystems. Math. Comp. 48(177), 203–209 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  37. 37.
    Neal Koblitz, Hyperelliptic cryptosystems. J. Cryptology. 1(3), 139–150 (1989)MathSciNetCrossRefzbMATHGoogle Scholar
  38. 38.
    Chae Hoon Lim, Pil Joong Lee, A key recovery attack on discrete log-based schemes using a prime order subgroupp. in Burton S. Kaliski Jr., editor, Advances in Cryptology - CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 1997, Proceedings, volume 1294 of Lecture Notes in Computer Science, (Springer, 1997), pp. 249–263Google Scholar
  39. 39.
    Patrick Longa, Francesco Sica, Four-dimensional Gallant-Lambert-Vanstone scalar multiplication. in Xiaoyun Wang and Kazue Sako, editors, Advances in Cryptology - ASIACRYPT 2012 - 18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, December 2–6, 2012. Proceedings, volume 7658 of Lecture Notes in Computer Science, (Springer, 2012), pp. 718–739Google Scholar
  40. 40.
    Victor S. Miller, Use of elliptic curves in cryptography. in Advances in Cryptology - CRYPTO’85, Santa Barbara, California, USA, August 18–22, 1985, Proceedings, (Springer, Berlin Heidelberg, 1985), pp. 417–426Google Scholar
  41. 41.
    Peter L. Montgomery, Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation. 48(177), 243–264 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  42. 42.
    Peter L. Montgomery, Five, six, and seven-term karatsuba-like formulae. IEEE Trans. Computers. 54(3), 362–369 (2005)CrossRefzbMATHGoogle Scholar
  43. 43.
    D. Mumford. Tata lectures on theta I. Progress in Mathematics 28. Birkh äuser, 1983.Google Scholar
  44. 44.
    U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS). FIPS-186-3. http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf, 2009.
  45. 45.
    Thomaz Oliveira, Julio López, Diego F. Aranha, Francisco Rodríguez-Henríquez, Lambda coordinates for binary elliptic curves. in Bertoni and Coron [8], pp. 311–330Google Scholar
  46. 46.
    Thomaz Oliveira, Julio López, Francisco Rodríguez-Henríquez, Software implementation of Koblitz curves over quadratic fields. in Benedikt Gierlichs and Axel Y. Poschmann, editors, Cryptographic Hardware and Embedded Systems - CHES 2016 - 18th International Conference, Santa Barbara, CA, USA, August 17–19, 2016, Proceedings, volume 9813 of Lecture Notes in Computer Science, (Springer, 2016), pp. 259–279Google Scholar
  47. 47.
    Joost Renes, Benjamin Smith, qDSA: Small and secure digital signatures with curve-based Diffie-Hellman key pairs. in Takagi and Peyrin [50], pp. 273–302Google Scholar
  48. 48.
    Certicom Research. SEC 2: Recommended elliptic curve domain parameters. http://www.secg.org/sec2-v2.pdf, (2010)
  49. 49.
    Nigel P. Smart, Samir Siksek, A fast Diffie-Hellman protocol in genus 2. J. Cryptology. 12(1), 67–73 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  50. 50.
    Tsuyoshi Takagi, Thomas Peyrin, editors. Advances in Cryptology - ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3–7, 2017, Proceedings, Part II, volume 10625 of Lecture Notes in Computer Science, (Springer, 2017)Google Scholar
  51. 51.

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. 1.School of Computer SciencesNational Institute of Science Education and ResearchBhubaneswarIndia
  2. 2.Applied Statistics UnitIndian Statistical InstituteKolkataIndia

Personalised recommendations