Journal of Cryptology

, Volume 32, Issue 3, pp 867–894 | Cite as

Koblitz Curves over Quadratic Fields

  • Thomaz OliveiraEmail author
  • Julio López
  • Daniel Cervantes-Vázquez
  • Francisco Rodríguez-Henríquez


In this work, we retake an old idea that Koblitz presented in his landmark paper (Koblitz, in: Proceedings of CRYPTO 1991. LNCS, vol 576, Springer, Berlin, pp 279–287, 1991), where he suggested the possibility of defining anomalous elliptic curves over the base field \({\mathbb {F}}_4\). We present a careful implementation of the base and quadratic field arithmetic required for computing the scalar multiplication operation in such curves. We also introduce two ordinary Koblitz-like elliptic curves defined over \({\mathbb {F}}_4\) that are equipped with efficient endomorphisms. To the best of our knowledge, these endomorphisms have not been reported before. In order to achieve a fast reduction procedure, we adopted a redundant trinomial strategy that embeds elements of the field \({\mathbb {F}}_{4^{m}},\) with m a prime number, into a ring of higher order defined by an almost irreducible trinomial. We also suggest a number of techniques that allow us to take full advantage of the native vector instructions of high-end microprocessors. Our software library achieves the fastest timings reported for the computation of the timing-protected scalar multiplication on Koblitz curves, and competitive timings with respect to the speed records established recently in the computation of the scalar multiplication over binary and prime fields.


Public-key cryptography Elliptic curve cryptosystem Implementation 



We thank Diego Aranha for pointing out the work of Naccache, Smart, and Stern on sensitive information leak related to projective coordinates.


  1. 1.
    AMD Technology, AMD64 architecture programmer’s manual, Volume 1: Application programming. 24592 3.21.
  2. 2.
    ANSSI, Les Règles et recommandations concernant le choix et le dimensionnement des mécanismes cryptographiques. Agence nationale de la sécurit des systèmes dinformation (2014).
  3. 3.
    D.F. Aranha, A. Faz-Hernández, J. López, F. Rodríguez-Henríquez, Faster implementation of scalar multiplication on Koblitz curves, in Proceedings of LATINCRYPT 2012. LNCS, vol. 7533 (Springer, Berlin, 2012), pp. 177–193Google Scholar
  4. 4.
    D.F. Aranha, J.López, D. Hankerson, Efficient software implementation of binary field arithmetic using vector instruction sets, in Proceedings of LATINCRYPT 2010. LNCS, vol. 6212 (Springer, Berlin, 2010), pp. 144–161Google Scholar
  5. 5.
    A.U. Ay, E. Öztürk, F. Rodríguez-Henríquez, E. Savaş, Design and implementation of a constant-time FPGA accelerator for fast elliptic curve cryptography, in ReConFig 2016 (IEEE, Piscataway, 2016), pp. 1–8Google Scholar
  6. 6.
    R. Barbulescu, P. Gaudry, A. Joux, E. Thomé, A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic, in Proceedings of EUROCRYPT 2014. LNCS, vol. 8441 (Springer, Berlin, 2014), pp. 1–16Google Scholar
  7. 7.
    P. Belgarric, P.-A. Fouque, G. Macario-Rat, M. Tibouchi, Side-channel analysis of Weierstrass and Koblitz curve ECDSA on Android smartphones, in Proceedings of CT-RSA 2016. LNCS, vol. 9610 (Springer, Berlin, 2016), pp. 236–252Google Scholar
  8. 8.
    D.J. Bernstein, C. Chuengsatiansup, T. Lange, P. Schwabe, Kummer strikes back: new DH speed records, in Proceedings of ASIACRYPT 2014. LNCS, vol. 8873 (Springer, Berlin, 2014), pp. 317–337Google Scholar
  9. 9.
    D.J. Bernstein, T.L. (eds.), eBACS: ECRYPT benchmarking of cryptographic systems. Accessed 14 Dec 2016
  10. 10.
    D.J. Bernstein, S. Engels, T. Lange, R. Niederhagen, C. Paar, P. Schwabe, R. Zimmermann, Faster discrete logarithms on FPGAs. Cryptology ePrint Archive, Report 2016/382 (2016).
  11. 11.
    D.J. Bernstein, T. Lange, eBACS: ECRYPT benchmarking of cryptographic systems. Accessed 12 Dec 2016
  12. 12.
    D.J. Bernstein, T. Lange, SafeCurves: choosing safe curves for elliptic-curve cryptography. Accessed 14 Dec 2016
  13. 13.
    J. Beuchat, N. Brisebarre, J. Detrey, E. Okamoto, F. Rodríguez-Henríquez, A comparison between hardware accelerators for the modified Tate pairing over \({{\mathbb{F}}}_{2^m}\) and \({\mathbb{F}}_{3^m}\), in Proceedings of Pairing 2008. LNCS, vol. 5209 (Springer, Berlin, 2008), pp. 297–315Google Scholar
  14. 14.
    J. Beuchat, J. Detrey, N. Estibals, E. Okamoto, F. Rodríguez-Henríquez, Fast architectures for the \(\eta _{T}\) pairing over small-characteristic supersingular elliptic curves. IEEE Trans. Comput. 60(2), 266–281 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    J. Beuchat, E. López-Trejo, L. Martínez-Ramos, S. Mitsunari, F. Rodríguez-Henríquez, Multi-core implementation of the Tate pairing over supersingular elliptic curves, in Proceedings of CANS 2009. LNCS, vol. 5888 (Springer, Berlin, 2009), pp. 413–432Google Scholar
  16. 16.
    I.F. Blake, R. Fuji-Hara, R.C. Mullin, S.A. Vanstone, Computing logarithms in finite fields of characteristic two. SIAM J. Algebr. Discrete Methods 5, 276–285 (1984)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    S. Blake-Wilson, N. Bolyard, V. Gupta, C. Hawk, B. Moeller, Elliptic curve cryptography (ECC) cipher suites for transport layer security (TLS). RFC 4492. Internet Engineering Task Force (IETF) (2006).
  18. 18.
    M. Bluhm, S. Gueron, Fast software implementation of binary elliptic curve cryptography. J. Cryptogr. Eng. 5(3), 215–226 (2015)CrossRefGoogle Scholar
  19. 19.
    D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing, in Proceedings of CRYPTO 2001. LNCS, vol. 2139 (Springer, Berlin, 2001), pp. 213–229Google Scholar
  20. 20.
    J.W. Bos, C. Costello, P. Longa, M. Naehrig, Selecting elliptic curves for cryptography: an efficiency and security analysis. J. Cryptogr. Eng. 6(4), 259–286 (2016)CrossRefGoogle Scholar
  21. 21.
    R.P. Brent, P. Zimmermann, Algorithms for finding almost irreducible and almost primitive trinomials, in Primes and Misdemeanours: Lectures in Honour of the Sixtieth Birthday of Hugh Cowie Williams (Fields Institute, Toronto, 2003), p. 212Google Scholar
  22. 22.
    N.M. Clift, Calculating optimal addition chains. Computing 91(3), 265–284 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  23. 23.
    D. Coppersmith, Fast evaluation of logarithms in fields of characteristic two. IEEE Trans. Inf. Theory 30(4), 587–593 (1984)MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    C. Costello, P. Longa, Four\(({\mathbb{Q}}\)): four-dimensional decompositions on a \(({\mathbb{Q}}\))-curve over the Mersenne prime, in Proceedings of ASIACRYPT 2015. LNCS, vol. 9452 (Springer, Berlin, 2015), pp. 214–235Google Scholar
  25. 25.
    T. Dierks, E. Rescorla, The transport layer security (TLS) protocol version 1.2. RFC 5246. Internet Engineering Task Force (IETF) (2008).
  26. 26.
    C. Doche, Redundant trinomials for finite fields of characteristic 2, in Proceedings of ACISP 2005. LNCS, vol. 3574 (Springer, Berlin, 2005), pp. 122–133Google Scholar
  27. 27.
    ECRYPT II, Ecrypt II yearly report on algorithms and keysizes (2011–2012). Katholieke Universiteit Leuven (KUL) (2012).
  28. 28.
    A. Enge, P. Gaudry. A general framework for subexponential discrete logarithm algorithms. Acta Arith. 102, 83–103 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  29. 29.
    J. Faugère, L. Perret, C. Petit, G. Renault. Improving the complexity of index calculus algorithms in elliptic curves over binary fields, in Proceedings of EUROCRYPT 2012. LNCS, vol. 7237 (Springer, Berlin 2012), pp. 27–44Google Scholar
  30. 30.
    S.D. Galbraith, P. Gaudry, Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Cryptogr. 78(1), 51–72 (2016)MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    S.D. Galbraith, S.W. Gebregiyorgis, Summation polynomial algorithms for elliptic curves in characteristic two, in Proceedings of INDOCRYPT 2014. LNCS, vol. 8885 (Springer, Berlin, 2014), pp. 409–427Google Scholar
  32. 32.
    S.D. Galbraith, X. Lin, M. Scott, Endomorphisms for faster elliptic curve cryptography on a large class of curves, in Proceedings of EUROCRYPT 2009. LNCS, vol. 5479 (Springer, Berlin, 2009), pp. 518–535Google Scholar
  33. 33.
    S.D. Galbraith, N.P. Smart, A cryptographic application of Weil descent, in Proceedings of Cryptography and Coding. LNCS, vol. 1746 (Springer, Berlin, 1999), pp. 191–200Google Scholar
  34. 34.
    R.P. Gallant, R.J. Lambert, S.A. Vanstone, Improving the parallelized pollard lambda search on anomalous binary curves. Math. Comput. 69(232), 1699–1705 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  35. 35.
    P. Gaudry, Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. 44(12), 1690–1702 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  36. 36.
    P. Gaudry, F. Hess, N.P. Smart, Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. 15, 19–46 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  37. 37.
    D. Genkin, L. Valenta, Y. Yarom, May the fourth be with you: a microarchitectural side channel attack on several real-world applications of curve25519. Cryptology ePrint Archive, Report 2017/806 (2017).
  38. 38.
    R. Granger, T. Kleinjung, J. Zumbrägel, On the powers of 2. Cryptology ePrint Archive, Report 2014/300 (2014).
  39. 39.
    D. Hankerson, K. Karabina, A. Menezes, Analyzing the Galbraith–Lin–Scott point multiplication method for elliptic curves over binary fields. IEEE Trans. Comput. 58(10), 1411–1420 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  40. 40.
    D. Hankerson, A.J. Menezes, S. Vanstone, Guide to Elliptic Curve Cryptography (Springer, Secaucus, 2003)zbMATHGoogle Scholar
  41. 41.
    F. Hess, Generalising the GHS attack on the elliptic curve discrete logarithm problem. LMS J. Comput. Math. 7, 167–192 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  42. 42.
    Y.-J. Huang, C. Petit, N. Shinohara, T. Takagi, On generalized first fall degree assumptions. Cryptology ePrint Archive, Report 2015/358 (2015).
  43. 43.
    Intel Corporation, Intel 64 and IA-32 architectures software developers manual, 253665-064US (2017)Google Scholar
  44. 44.
    T. Itoh, S. Tsujii, A fast algorithm for computing multiplicative inverses in GF\((2^m)\) using normal bases. Inf. Comput. 78(3), 171–177 (1988)CrossRefzbMATHGoogle Scholar
  45. 45.
    A. Joux, A one round protocol for tripartite Diffie–Hellman, in Proceedings of ANTS-IV. LNCS, vol. 1838 (Springer, Berlin, 2000), pp. 385–394Google Scholar
  46. 46.
    A. Joux, A one round protocol for tripartite Diffie–Hellman. J. Cryptol. 17(4), 263–276 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  47. 47.
    A. Joux, A new index calculus algorithm with complexity \(L(1/4+o(1))\) in small characteristic, in Proceedings of SAC 2013. LNCS, vol. 8282 (Springer, Berlin, 2014), pp. 355–379Google Scholar
  48. 48.
    M. Joye, M. Tunstall, Exponent recoding and regular exponentiation algorithms, in AFRICACRYPT 2009. LNCS, vol. 5580 (Springer, Berlin, 2009), pp. 334–349Google Scholar
  49. 49.
    K. Karabina, Point decomposition problem in binary elliptic curves. Cryptology ePrint Archive, Report 2015/319 (2015).
  50. 50.
    E. Knudsen, Elliptic scalar multiplication using point halving, in Proceedings of ASIACRYPT 99. LNCS, vol. 1716 (Springer, Berlin, 1999), pp. 135–149Google Scholar
  51. 51.
    N. Koblitz, Elliptic curve cryptosystems. Math. Comput. 48, 203–9 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  52. 52.
    N. Koblitz, Constructing elliptic curve cryptosystems in characteristic 2, in Proceedings of CRYPTO 90. LNCS, vol. 537 (1990), pp. 156–167Google Scholar
  53. 53.
    N. Koblitz, CM-curves with good cryptographic properties, in Proceedings of CRYPTO 1991. LNCS, vol. 576 (Springer, Berlin, 1991), pp. 279–287Google Scholar
  54. 54.
    N. Koblitz, A. Menezes, A riddle wrapped in an enigma. Cryptology ePrint Archive, Report 2015/1018 (2015)
  55. 55.
    P.C. Kocher, J. Jaffe, B. Jun, Differential power analysis, in Proceedings of CRYPTO 99. LNCS, vol. 1666 (Springer, Berlin, 1999), pp. 388–397Google Scholar
  56. 56.
    P. Longa, F. Sica, Four-dimensional Gallant–Lambert–Vanstone scalar multiplication. J. Cryptol. 27(2), 248–283 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  57. 57.
    M. Maurer, A. Menezes, E. Teske, Analysis of the GHS Weil descent attack on the ECDLP over characteristic two finite fields of composite degree, in Proceedings of INDOCRYPT 2001. LNCS, vol. 2247 (Springer, Berlin, 2001), pp. 195–213Google Scholar
  58. 58.
    A. Menezes, T. Okamoto, S. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39, 1639–1646 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
  59. 59.
    A. Menezes, T. Okamoto, S.A. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, in STOC 91 (ACM, New York, 1992), pp. 80–89Google Scholar
  60. 60.
    A. Menezes, M. Qu, Analysis of the Weil descent attack of Gaudry, Hess and Smart, in Proceedings of CT-RSA 2001. LNCS, vol. 2020 (Springer, Berlin, 2001), pp. 308–318Google Scholar
  61. 61.
    A. Menezes, S.A. Vanstone, The implementation of elliptic curve cryptosystems, in Proceedings of AUSCRYPT 90. LNCS, vol. 453 (Springer, Berlin, 1990), pp. 2–13Google Scholar
  62. 62.
    V. Miller, Uses of elliptic curves in cryptography, in Proceedings of CRYPTO 85. LNCS, vol. 218 (Springer, Berlin, 1985), pp. 417–426Google Scholar
  63. 63.
    P. Montgomery, Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48, 243–264 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  64. 64.
    D. Naccache, N.P. Smart, J. Stern, Projective coordinates leak, in Proceedings of EUROCRYPT 2004. LNCS, vol. 3027 (Springer, Berlin, 2004), pp. 257–267Google Scholar
  65. 65.
    National Institute of Standards and Technology, Recommended elliptic curves for federal government use. NIST special publication (1999).
  66. 66.
    National Institute of Standards and Technology, FIPS PUB 186-4: Digital Signature Standard (DSS). Federal Information Processing Standards (2013).
  67. 67.
    National Security Agency, The case for elliptic curve cryptography, Oct 2005.
  68. 68.
    P.Q. Nguyen, I.E. Shparlinski, The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Cryptogr. 30, 201–217 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  69. 69.
    T. Oliveira, D.F. Aranha, J.L. Hernandez, F. Rodríguez-Henríquez, Fast point multiplication algorithms for binary elliptic curves with and without precomputation, in Proceedings of SAC 2014. LNCS, vol. 8781 (Springer, Berlin, 2014), pp. 324–344Google Scholar
  70. 70.
    T. Oliveira, D.F. Aranha, J. López, F, Rodríguez-Henríquez, Improving the performance of the GLS254. Presentation at CHES 2016 rump session (2016)Google Scholar
  71. 71.
    T. Oliveira, J. López, D.F. Aranha, F. Rodríguez-Henríquez, Two is the fastest prime: lambda coordinates for binary elliptic curves. J. Cryptogr. Eng. 4(1), 3–17 (2014)CrossRefGoogle Scholar
  72. 72.
    T. Oliveira, J. López, F. Rodríguez-Henríquez, The Montgomery ladder on binary elliptic curves. Cryptology ePrint Archive, Report 2017/350 (2017).
  73. 73.
    D. Page, Theoretical use of cache memory as a cryptanalytic side-channel. Cryptology ePrint Archive, Report 2002/169 (2002).
  74. 74.
    G. Paoloni, How to benchmark code execution times on Intel IA-32 and IA-64 instruction set architectures. Technical report, Intel Corporation (2010)Google Scholar
  75. 75.
    C. Petit, M. Kosters, A. Messeng, Algebraic approaches for the elliptic curve discrete logarithm problem over prime fields, in Proceedings of PKC 2016. LNCS, vol. 9615 (Springer, Berlin, 2016), pp. 3–18Google Scholar
  76. 76.
    R. Sakai, K. Ohgishi, M. Kasahara, Cryptosystems based on pairing over elliptic curve (in Japanese), in The 2001 Symposium on Cryptography and Information Security (2001)Google Scholar
  77. 77.
    R. Schroeppel, Cryptographic elliptic curve apparatus and method. US Patent 2002/6490352 B1 (2000)Google Scholar
  78. 78.
    M. Scott, Optimal irreducible polynomials for \(GF(2^m)\) arithmetic. Cryptology ePrint Archive, Report 2007/192 (2007).
  79. 79.
    I. Semaev, Summation polynomials and the discrete logarithm problem on elliptic curves. Cryptology ePrint Archive, Report 2004/031 (2004).
  80. 80.
    I. Semaev, New algorithm for the discrete logarithm problem on elliptic curves. Cryptology ePrint Archive, Report 2015/310 (2015).
  81. 81.
    J.A. Solinas, An improved algorithm for arithmetic on a family of elliptic curves, in Proceedings of CRYPTO 97. LNCS, vol. 1294 (Springer, Berlin, 1997), pp. 357–371Google Scholar
  82. 82.
    J.A. Solinas, Efficient arithmetic on Koblitz curves. Des. Codes Cryptogr. 19(2–3), 195–249 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  83. 83.
    J. Tate, Endomorphisms of abelian varieties over finite fields. Invent. Math. 22, 134–144 (1966)MathSciNetCrossRefzbMATHGoogle Scholar
  84. 84.
    J. Taverne, A. Faz-Hernández, D.F. Aranha, F. Rodríguez-Henríquez, D. Hankerson, J. López, Software implementation of binary elliptic curves: impact of the carry-less multiplier on scalar multiplication, in Proceedings of CHES 2011. LNCS, vol. 6917 (Springer, Berlin, 2011), pp. 108–123Google Scholar
  85. 85.
    W.R. Trost, G. Xu, On the optimal pre-computation of window \(\tau \)-NAF for Koblitz curves. Cryptology ePrint Archive, Report 2014/664 (2014).
  86. 86.
    Y. Tsunoo, E. Tsujihara, K. Minematsu, H. Miyauchi, Cryptanalysis of block ciphers implemented on computers with cache, in International Symposium on Information Theory and Its Applications (IEEE Information Theory Society, 2002), pp. 803–806Google Scholar
  87. 87.
    M.D. Velichka, M.J. Jacobson Jr., A. Stein, Computing discrete logarithms in the Jacobian of high-genus hyperelliptic curves over even characteristic finite fields. Math. Comput. 83(286), 935–963 (2014)Google Scholar
  88. 88.
    A. Weimerskirch, C. Paar, Generalizations of the Karatsuba algorithm for efficient implementations. Cryptology ePrint Archive, Report 2006/224 (2006).
  89. 89.
    E. Wenger, P. Wolfger, Solving the discrete logarithm of a 113-Bit Koblitz curve with an FPGA cluster, in Proceedings of SAC 2014. LNCS, vol. 8781 (Springer, Berlin, 2014), pp. 363–379Google Scholar
  90. 90.
    E. Wenger, P. Wolfger, Harder, better, faster, stronger: elliptic curve discrete logarithm computations on FPGAs. J. Cryptogr. Eng. 6(4), 287–297 (2016)CrossRefGoogle Scholar
  91. 91.
    M.J. Wiener, R.J. Zuccherato, Faster attacks on elliptic curve cryptosystems, in Proceedings of SAC 98. LNCS, vol. 1556 (Springer, Berlin, 1999), pp. 190–200Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Thomaz Oliveira
    • 1
    Email author
  • Julio López
    • 2
  • Daniel Cervantes-Vázquez
    • 1
  • Francisco Rodríguez-Henríquez
    • 1
  1. 1.Computer Science DepartmentCINVESTAV-IPNMexico CityMexico
  2. 2.Institute of ComputingUniversity of CampinasCampinasBrazil

Personalised recommendations