## Abstract

This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz (Finite Fields Appl 15(2):246–260, 2009) had suggested the use of the associated Kummer line to speed up scalar multiplication. In the present work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. It turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines denoted as \(K_1:=\mathsf{KL2519(81,20)}\), \(K_2:=\mathsf{KL25519(82,77)}\) and \(K_3:=\mathsf{KL2663(260,139)}\) over the three primes \(2^{251}-9\), \(2^{255}-19\) and \(2^{266}-3\), respectively. Implementations of scalar multiplications for all three Kummer lines using Intel intrinsics have been done, and the code is publicly available. Timing results on the Skylake and the Haswell processors of Intel indicate that both fixed base and variable base scalar multiplications for \(K_1\) and \(K_2\) are faster than those achieved by Sandy2x, which is a highly optimised SIMD implementation in assembly of the well-known Curve25519. On Skylake, both fixed base and variable base scalar multiplications for \(K_3\) are faster than Sandy2x, whereas on Haswell, fixed base scalar multiplication for \(K_3\) is faster than Sandy2x while variable base scalar multiplication for both \(K_3\) and Sandy2x takes roughly the same time. In practical terms, the particular Kummer lines that are introduced in this work are serious candidates for deployment and standardisation. We further illustrate the usefulness of the proposed Kummer lines by instantiating the quotient Digital Signature Algorithm on all the three Kummer lines.
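The abstract contrasts the Kummer line ladder with Sandy2x, an implementation of the Montgomery ladder on Curve25519, but the Kummer line step formulas themselves are not reproduced on this page. The following added example (not code from the paper or from its repositories) therefore shows the x-only Montgomery ladder of Curve25519 as specified in RFC 7748: the same "ladder step" pattern of one doubling plus one differential addition per scalar bit, driven by a branch-free conditional swap so that the sequence of field operations does not depend on the scalar. The ladder is cross-checked against textbook affine group arithmetic on the same curve. The constants (p = 2^255 − 19, A = 486662, base point u = 9) are Curve25519's public parameters; the scalars used in the checks are constructed for the example.

```python
# Added illustration (not code from the paper or its repositories): an x-only
# Montgomery ladder on Curve25519 following RFC 7748, with a branch-free
# conditional swap, cross-checked against plain affine group arithmetic.

P = 2**255 - 19          # field prime of Curve25519
MONT_A = 486662          # Montgomery coefficient A in  y^2 = x^3 + A x^2 + x
A24 = (MONT_A - 2) // 4  # = 121665, the constant used inside the ladder step
BASE_U = 9               # u-coordinate of the standard base point


def inv(x):
    """Modular inverse via Fermat (p is prime); inv(0) == 0 as in RFC 7748."""
    return pow(x % P, P - 2, P)


def cswap(swap, a, b):
    """Conditional swap without a data-dependent branch; swap must be 0 or 1."""
    mask = (0 - swap) & ((1 << 256) - 1)  # all ones if swap == 1, all zeros if 0
    t = mask & (a ^ b)
    return a ^ t, b ^ t


def ladder(k, u):
    """Return the u-coordinate of k*(u, v), using only u (RFC 7748 ladder)."""
    x1 = u % P
    x2, z2 = 1, 0      # R0 = point at infinity (projective (1 : 0))
    x3, z3 = x1, 1     # R1 = input point; R1 - R0 stays equal to the input
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        # One ladder step: double R0, differentially add R0 + R1 (difference = x1).
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * inv(z2) % P


def clamp(k):
    """X25519 scalar clamping: clear the low 3 bits and bit 255, set bit 254."""
    return (k & ((1 << 255) - 8)) | (1 << 254)


def sqrt_mod(v):
    """Square root modulo p = 5 (mod 8); returns None for a non-residue."""
    v %= P
    r = pow(v, (P + 3) // 8, P)
    if r * r % P != v:
        r = r * pow(2, (P - 1) // 4, P) % P   # multiply by a square root of -1
    return r if r * r % P == v else None


def affine_add(p1, p2):
    """Textbook affine addition on y^2 = x^3 + A x^2 + x (None = infinity).
    Reference only: it branches on the inputs and is not constant time."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + 2 * MONT_A * x1 + 1) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - MONT_A - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def affine_mul(k, pt):
    """Left-to-right double-and-add (k >= 1); leaks the scalar through timing."""
    acc = None
    for bit in bin(k)[2:]:
        acc = affine_add(acc, acc)
        if bit == "1":
            acc = affine_add(acc, pt)
    return acc


# Recover a y-coordinate for the base point from the curve equation.
BASE = (BASE_U, sqrt_mod(BASE_U**3 + MONT_A * BASE_U**2 + BASE_U))


def ladder_matches_affine(k):
    """True if the x-only ladder agrees with affine k*BASE on the u-coordinate."""
    return ladder(k, BASE_U) == affine_mul(k, BASE)[0]


def dh_agreement(a, b):
    """Both sides' X25519 shared secrets for constructed private scalars a, b."""
    a, b = clamp(a), clamp(b)
    return ladder(a, ladder(b, BASE_U)), ladder(b, ladder(a, BASE_U))


if __name__ == "__main__":
    print("ladder(1, 9) =", ladder(1, BASE_U))
    print("ladder agrees with affine 12345*G:", ladder_matches_affine(12345))
    s1, s2 = dh_agreement(0x1F2E3D4C5B6A7988, 0x9ABC)   # constructed scalars
    print("DH shared secrets agree:", s1 == s2)
```

The affine routines exist only to validate the ladder; a deployed implementation would never use them on secret scalars, since both the branch in `affine_add` and the per-bit branch in `affine_mul` leak through timing. The ladder itself performs the same field operations for every scalar bit, with `cswap` selecting operands by masking rather than branching, which is the property the abstract refers to as a constant-time ladder step.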

## Keywords

Elliptic curve cryptography · Kummer line · Montgomery curve · Scalar multiplication

## Notes

### Acknowledgements

We would like to thank Pierrick Gaudry for helpful comments and clarifying certain confusion regarding conversion from Kummer line to elliptic curve. We would also like to thank Peter Schwabe for clarifying certain implementation issues regarding Curve25519 and Kummer surface computation in genus 2. Thanks to Alfred Menezes, René Struik, Patrick Longa, the reviewers of Asiacrypt 2017, and the reviewers of the present paper for comments.

## References

1. J. Barwise, P. Eklof, Lefschetz's principle. *Journal of Algebra* **13**(4), 554–570 (1969)
2. D. J. Bernstein, Curve25519: New Diffie-Hellman speed records. In *Public Key Cryptography - PKC*, volume 3958 of *Lecture Notes in Computer Science*, (Springer, 2006), pp. 207–228
3. D. J. Bernstein, Elliptic vs. hyperelliptic, part I. *Talk at ECC* (2006)
4. D. J. Bernstein, C. Chuengsatiansup, T. Lange, P. Schwabe, Kummer strikes back: New DH speed records. In *Advances in Cryptology - ASIACRYPT*, volume 8873 of *Lecture Notes in Computer Science*, (Springer, 2014), pp. 317–337
5. D. J. Bernstein, T. Lange, SafeCurves: choosing safe curves for elliptic-curve cryptography. http://safecurves.cr.yp.to/index.html, accessed on September 1, 2018
6. Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, Bo-Yin Yang, High-speed high-security signatures. In Bart Preneel and Tsuyoshi Takagi, editors, *Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, September 28–October 1, 2011. Proceedings*, volume 6917 of *Lecture Notes in Computer Science*, (Springer, 2011), pp. 124–142
7. Daniel J. Bernstein, Peter Schwabe, NEON crypto. In Emmanuel Prouff and Patrick Schaumont, editors, *Cryptographic Hardware and Embedded Systems - CHES 2012 - 14th International Workshop, Leuven, Belgium, September 9–12, 2012. Proceedings*, volume 7428 of *Lecture Notes in Computer Science*, (Springer, 2012), pp. 320–339
8. Guido Bertoni, Jean-Sébastien Coron, editors. *Cryptographic Hardware and Embedded Systems - CHES 2013 - 15th International Workshop, Santa Barbara, CA, USA, August 20–23, 2013. Proceedings*, volume 8086 of *Lecture Notes in Computer Science*, (Springer, 2013)
9. Joppe W. Bos, Craig Costello, Hüseyin Hisil, Kristin E. Lauter, Fast cryptography in genus 2. In *Advances in Cryptology - EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26–30, 2013. Proceedings*, volume 7881 of *Lecture Notes in Computer Science*, (Springer, 2013), pp. 194–210
10. Joppe W. Bos, Craig Costello, Hüseyin Hisil, Kristin E. Lauter, High-performance scalar multiplication using 8-dimensional GLV/GLS decomposition. In Bertoni and Coron [8], pp. 331–348
11. Brainpool, ECC standard. http://www.ecc-brainpool.org/ecc-standard.htm
12. Tung Chou, Sandy2x: New Curve25519 speed records. In Orr Dunkelman and Liam Keliher, editors, *Selected Areas in Cryptography - SAC 2015 - 22nd International Conference, Sackville, NB, Canada, August 12–14, 2015, Revised Selected Papers*, volume 9566 of *Lecture Notes in Computer Science*, (Springer, 2015), pp. 145–160
13. R. Cosset, Factorization with genus 2 curves. *Mathematics of Computation* **79**(270), 1191–1208 (2010)
14. C. Costello, P. Longa, Four\(\mathbb{Q}\): Four-dimensional decompositions on a \(\mathbb{Q}\)-curve over the Mersenne prime. In *Advances in Cryptology - ASIACRYPT Part I*, volume 9452 of *Lecture Notes in Computer Science*, (Springer, 2015), pp. 214–235
15. Craig Costello, Hüseyin Hisil, Benjamin Smith, Faster compact Diffie-Hellman: Endomorphisms on the x-line. In Phong Q. Nguyen and Elisabeth Oswald, editors, *Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11–15, 2014. Proceedings*, volume 8441 of *Lecture Notes in Computer Science*, (Springer, 2014), pp. 183–200
16. Neil Costigan, Peter Schwabe, Fast elliptic-curve cryptography on the Cell Broadband Engine. In Bart Preneel, editor, *Progress in Cryptology - AFRICACRYPT 2009, Second International Conference on Cryptology in Africa, Gammarth, Tunisia, June 21–25, 2009. Proceedings*, volume 5580 of *Lecture Notes in Computer Science*, (Springer, 2009), pp. 368–385
17. Curve25519. Wikipedia page on Curve25519. https://en.wikipedia.org/wiki/Curve25519, accessed on September 1, 2018
18. M. J. Dworkin, SHA-3 standard: Permutation-based hash and extendable-output functions. Technical report, National Institute of Standards and Technology (NIST) (2015). http://www.nist.gov/manuscript-publication-search.cfm?pub_id=919061
19. Armando Faz-Hernández, Patrick Longa, Ana H. Sánchez, Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves. In Josh Benaloh, editor, *Topics in Cryptology - CT-RSA 2014 - The Cryptographer's Track at the RSA Conference 2014, San Francisco, CA, USA, February 25–28, 2014. Proceedings*, volume 8366 of *Lecture Notes in Computer Science*, (Springer, 2014), pp. 1–27
20. Armando Faz-Hernández, Julio López, Fast implementation of Curve25519 using AVX2. In Kristin E. Lauter and Francisco Rodríguez-Henríquez, editors, *Progress in Cryptology - LATINCRYPT 2015 - 4th International Conference on Cryptology and Information Security in Latin America, Guadalajara, Mexico, August 23–26, 2015, Proceedings*, volume 9230 of *Lecture Notes in Computer Science*, (Springer, 2015), pp. 329–345
21. E. V. Flynn, Formulas for Kummer on genus 2. http://people.maths.ox.ac.uk/flynn/genus2/kummer/, accessed on September 1, 2018
22. E. V. Flynn, The group law on the Jacobian of a curve of genus 2. *J. reine angew. Math.* **439**, 45–69 (1993)
23. Code for Kummer Line Computations. https://github.com/skarati/KummerLineV02
24. Code for qDSA on Kummer Line. https://github.com/skarati/qDSA
25. G. Frey, H.-G. Rück, The strong Lefschetz principle in algebraic geometry. *Manuscripta Mathematica* **55**(3), 385–401 (1986)
26. P. Gaudry, Fast genus 2 arithmetic based on theta functions. *J. Mathematical Cryptology* **1**(3), 243–265 (2007)
27. P. Gaudry, Personal communication (2016)
28. P. Gaudry, D. Lubicz, The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines. *Finite Fields and Their Applications* **15**(2), 246–260 (2009)
29. P. Gaudry, É. Schost, Genus 2 point counting over prime fields. *J. Symb. Comput.* **47**(4), 368–400 (2012)
30. S. Gueron, Software optimizations for cryptographic primitives on general purpose x86_64 platforms. *Tutorial at IndoCrypt* (2011)
31. Shay Gueron, Vlad Krasnov, Fast prime field elliptic-curve cryptography with 256-bit primes. *J. Cryptographic Engineering* **5**(2), 141–151 (2015)
32. Darrel Hankerson, Koray Karabina, Alfred Menezes, Analyzing the Galbraith-Lin-Scott point multiplication method for elliptic curves over binary fields. *IEEE Trans. Computers* **58**(10), 1411–1420 (2009)
33. Huseyin Hisil, Joost Renes, On Kummer lines with full rational 2-torsion and their usage in cryptography. Cryptology ePrint Archive, Report 2018/839 (2018). https://eprint.iacr.org/2018/839
34. Jun-ichi Igusa, *Theta functions*. Springer, 1972
35. Sabyasachi Karati, Palash Sarkar, Kummer for genus one over prime order fields. In Takagi and Peyrin [50], pp. 3–32
36. Neal Koblitz, Elliptic curve cryptosystems. *Math. Comp.* **48**(177), 203–209 (1987)
37. Neal Koblitz, Hyperelliptic cryptosystems. *J. Cryptology* **1**(3), 139–150 (1989)
38. Chae Hoon Lim, Pil Joong Lee, A key recovery attack on discrete log-based schemes using a prime order subgroup. In Burton S. Kaliski Jr., editor, *Advances in Cryptology - CRYPTO '97, 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 1997, Proceedings*, volume 1294 of *Lecture Notes in Computer Science*, (Springer, 1997), pp. 249–263
39. Patrick Longa, Francesco Sica, Four-dimensional Gallant-Lambert-Vanstone scalar multiplication. In Xiaoyun Wang and Kazue Sako, editors, *Advances in Cryptology - ASIACRYPT 2012 - 18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, December 2–6, 2012. Proceedings*, volume 7658 of *Lecture Notes in Computer Science*, (Springer, 2012), pp. 718–739
40. Victor S. Miller, Use of elliptic curves in cryptography. In *Advances in Cryptology - CRYPTO '85, Santa Barbara, California, USA, August 18–22, 1985, Proceedings*, (Springer, Berlin Heidelberg, 1985), pp. 417–426
41. Peter L. Montgomery, Speeding the Pollard and elliptic curve methods of factorization. *Mathematics of Computation* **48**(177), 243–264 (1987)
42. Peter L. Montgomery, Five, six, and seven-term Karatsuba-like formulae. *IEEE Trans. Computers* **54**(3), 362–369 (2005)
43. D. Mumford, *Tata lectures on theta I*. Progress in Mathematics 28. Birkhäuser, 1983
44. U.S. Department of Commerce/National Institute of Standards and Technology, Digital Signature Standard (DSS). FIPS-186-3. http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf, 2009
45. Thomaz Oliveira, Julio López, Diego F. Aranha, Francisco Rodríguez-Henríquez, Lambda coordinates for binary elliptic curves. In Bertoni and Coron [8], pp. 311–330
46. Thomaz Oliveira, Julio López, Francisco Rodríguez-Henríquez, Software implementation of Koblitz curves over quadratic fields. In Benedikt Gierlichs and Axel Y. Poschmann, editors, *Cryptographic Hardware and Embedded Systems - CHES 2016 - 18th International Conference, Santa Barbara, CA, USA, August 17–19, 2016, Proceedings*, volume 9813 of *Lecture Notes in Computer Science*, (Springer, 2016), pp. 259–279
47. Joost Renes, Benjamin Smith, qDSA: Small and secure digital signatures with curve-based Diffie-Hellman key pairs. In Takagi and Peyrin [50], pp. 273–302
48. Certicom Research, SEC 2: Recommended elliptic curve domain parameters. http://www.secg.org/sec2-v2.pdf (2010)
49. Nigel P. Smart, Samir Siksek, A fast Diffie-Hellman protocol in genus 2. *J. Cryptology* **12**(1), 67–73 (1999)
50. Tsuyoshi Takagi, Thomas Peyrin, editors. *Advances in Cryptology - ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3–7, 2017, Proceedings, Part II*, volume 10625 of *Lecture Notes in Computer Science*, (Springer, 2017)
51. NUMS: Nothing up my sleeve. https://tools.ietf.org/html/draft-black-tls-numscurves-00