## Abstract

This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz (Finite Fields Appl 15(2):246–260, 2009) had suggested the use of the associated Kummer line to speed up scalar multiplication. In the present work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. It turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines denoted as \(K_1:=\mathsf{KL2519(81,20)}\), \(K_2:=\mathsf{KL25519(82,77)}\) and \(K_3:=\mathsf{KL2663(260,139)}\) over the three primes \(2^{251}-9\), \(2^{255}-19\) and \(2^{266}-3\), respectively. Implementations of scalar multiplications for all three Kummer lines using Intel intrinsics have been done, and the code is publicly available. Timing results on the Skylake and the Haswell processors of Intel indicate that both fixed base and variable base scalar multiplications for \(K_1\) and \(K_2\) are faster than those achieved by Sandy2x, which is a highly optimised SIMD implementation in assembly of the well-known Curve25519. On Skylake, both fixed base and variable base scalar multiplications for \(K_3\) are faster than Sandy2x, whereas on Haswell, fixed base scalar multiplication for \(K_3\) is faster than Sandy2x while variable base scalar multiplication for both \(K_3\) and Sandy2x takes roughly the same time. In practical terms, the particular Kummer lines that are introduced in this work are serious candidates for deployment and standardisation. We further illustrate the usefulness of the proposed Kummer lines by instantiating the quotient Digital Signature Algorithm on all the three Kummer lines.

This is a preview of subscription content, access via your institution.

## Notes

https://moderncrypto.org/mail-archive/curves/2015/000637.html, accessed on September 1, 2018.

A reviewer has pointed out that explicit formulas for the square-only setting appear at https://hyperelliptic.org/EFD/g1p/auto-edwards-yzsquared.html#ladder-ladd-2006-g (accessed on September 1, 2018).

https://safecurves.cr.yp.to/disc.html, accessed on September 1, 2018.

https://cr.yp.to/ecdh.html, accessed on September 1, 2018.

Downloaded from https://bench.cr.yp.to/supercop/supercop-20160910.tar.xz (last accessed on September 1, 2018). We used crypto_scalarmult(q,n,p) to measure variable base scalar multiplication and crypto_scalarmult_base(q,n) to measure fixed base scalar multiplication.

https://moderncrypto.org/mail-archive/curves/2015/000637.html, accessed on September 1, 2018.

https://bench.cr.yp.to/results-dh.html, accessed on September 1, 2018.

## References

J. Barwise, P. Eklof, Lefschetz’s principle.

*Journal of Algebra*.**13**(4), 554–570 (1969)D. J. Bernstein, Curve25519: New Diffie-Hellman speed records. in

*Public Key Cryptography - PKC*, volume 3958 of*Lecture Notes in Computer Science*, (Springer, 2006), pp. 207–228D. J. Bernstein, Elliptic vs. hyperelliptic, part I.

*Talk at ECC*. (2006)D.J. Bernstein, C. Chuengsatiansup, T. Lange, P. Schwabe, Kummer strikes back: New DH speed records. in

*Advances in Cryptology - ASIACRYPT*, volume 8873 of*Lecture Notes in Computer Science*, (Springer, 2014), pp. 317–337D. J. Bernstein, T. Lange, Safecurves: choosing safe curves for elliptic-curve cryptography. http://safecurves.cr.yp.to/index.html, accessed on September 1, (2018)

Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, Bo-Yin Yang, High-speed high-security signatures. in Bart Preneel and Tsuyoshi Takagi, editors,

*Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, September 28–October 1, 2011. Proceedings*, volume 6917 of*Lecture Notes in Computer Science*, (Springer, 2011), pp. 124–142Daniel J, Bernstein and Peter Schwabe. NEON crypto. in Emmanuel Prouff and Patrick Schaumont, editors,

*Cryptographic Hardware and Embedded Systems - CHES 2012 - 14th International Workshop, Leuven, Belgium, September 9–12, 2012. Proceedings*, volume 7428 of*Lecture Notes in Computer Science*, (Springer, 2012), pp. 320–339Guido Bertoni, Jean-Sébastien Coron, editors.

*Cryptographic Hardware and Embedded Systems - CHES 2013 - 15th International Workshop, Santa Barbara, CA, USA, August 20–23, 2013. Proceedings*, volume 8086 of*Lecture Notes in Computer Science*, (Springer, 2013)Joppe W. Bos, Craig Costello, Hüseyin Hisil, Kristin E. Lauter, Fast cryptography in genus 2. in

*Advances in Cryptology - EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26–30, 2013. Proceedings*, volume 7881 of*Lecture Notes in Computer Science*, (Springer, 2013), pp. 194–210Joppe W. Bos, Craig Costello, Hüseyin Hisil, Kristin E. Lauter, High-performance scalar multiplication using 8-dimensional GLV/GLS decomposition. in

*Bertoni and Coron [10]*, pp. 331–348Brainpool, ECC standard. http://www.ecc-brainpool.org/ecc-standard.htm

Tung Chou, Sandy2x: New Curve25519 speed records. in Orr Dunkelman and Liam Keliher, editors,

*Selected Areas in Cryptography - SAC 2015 - 22nd International Conference, Sackville, NB, Canada, August 12–14, 2015, Revised Selected Papers*, volume 9566 of*Lecture Notes in Computer Science*, (Springer, 2015), pp. 145–160R. Cosset, Factorization with genus 2 curves.

*Mathematics of Computation*.**79**(270),1191–1208 (2010)C. Costello, P. Longa, Four(\({\mathbb{Q}}\)): Four-dimensional decompositions on a \({\mathbb{Q}}\)-curve over the Mersenne prime. in

*Advances in Cryptology - ASIACRYPT Part I*, volume 9452 of*Lecture Notes in Computer Science*, (Springer, 2015), pp. 214–235Craig Costello, Hüseyin Hisil, Benjamin Smith, Faster compact Diffie-Hellman: Endomorphisms on the x-line. in Phong Q. Nguyen and Elisabeth Oswald, editors,

*Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11–15, 2014. Proceedings*, volume 8441 of*Lecture Notes in Computer Science*, (Springer, 2014), pp. 183–200Neil Costigan, Peter Schwabe, Fast elliptic-curve cryptography on the cell broadband engine. in Bart Preneel, editor,

*Progress in Cryptology - AFRICACRYPT 2009, Second International Conference on Cryptology in Africa, Gammarth, Tunisia, June 21–25, 2009. Proceedings*, volume 5580 of*Lecture Notes in Computer Science*, (Springer, 2009), pp. 368–385Curve25519. Wikipedia page on Curve25519. https://en.wikipedia.org/wiki/Curve25519, accessed on September 1, (2018)

M. J. Dworkin, SHA-3 standard: Permutation-based hash and extendable-output functions.

*Technical report, National Institute of Standards and Technology (NIST)*. (2015). http://www.nist.gov/manuscript-publication-search.cfm?pub_id=919061Armando Faz-Hernández, Patrick Longa, Ana H. Sánchez, Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves. in Josh Benaloh, editor,

*Topics in Cryptology - CT-RSA 2014 - The Cryptographer’s Track at the RSA Conference 2014, San Francisco, CA, USA, February 25–28, 2014. Proceedings*, volume 8366 of*Lecture Notes in Computer Science*, (Springer, 2014), pp. 1–27Armando Faz-Hernández, Julio López, Fast implementation of Curve25519 using AVX2. in Kristin E. Lauter and Francisco Rodríguez-Henríquez, editors,

*Progress in Cryptology - LATINCRYPT 2015 - 4th International Conference on Cryptology and Information Security in Latin America, Guadalajara, Mexico, August 23–26, 2015, Proceedings*, volume 9230 of*Lecture Notes in Computer Science*, (Springer, 2015), pp. 329–345E.V. Flynn, Formulas for Kummer on genus 2. http://people.maths.ox.ac.uk/flynn/genus2/kummer/, accessed on September 1, (2018)

E.V. Flynn, The group law on the Jacobian of a curve of genus 2.

*J. reine angew. Math.**439*,45–69(1993)Code for Kummer Line Computations. https://github.com/skarati/KummerLineV02

Code for qDSA on Kummer Line. https://github.com/skarati/qDSA

G. Frey, H.-G. Rück, The strong Lefschetz principle in algebraic geometry.

*Manuscripta Mathematica*.**55**(3), 385–401 (1986)P. Gaudry, Fast genus 2 arithmetic based on theta functions.

*J. Mathematical Cryptology*.**1**(3), 243–265 (2007)P. Gaudry. Personal communication. (2016)

P. Gaudry, D. Lubicz, The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines.

*Finite Fields and Their Applications*.**15**(2), 246–260 (2009)P. Gaudry, É. Schost, Genus 2 point counting over prime fields.

*J. Symb. Comput.***47**(4), 368–400 (2012)S. Gueron, Software optimizations for cryptographic primitives on general purpose x86\_64 platforms.

*Tutorial at IndoCrypt*. (2011)Shay Gueron, Vlad Krasnov, Fast prime field elliptic-curve cryptography with 256-bit primes.

*J. Cryptographic Engineering*.**5**(2), 141–151 (2015)Darrel Hankerson, Koray Karabina, Alfred Menezes, Analyzing the Galbraith-Lin-Scott point multiplication method for elliptic curves over binary fields.

*IEEE Trans. Computers*.**58**(10), 1411–1420 (2009)Huseyin Hisil, Joost Renes, On kummer lines with full rational 2-torsion and their usage in cryptography. Cryptology ePrint Archive, Report 2018/839, (2018). https://eprint.iacr.org/2018/839

Jun ichi Igusa.

*Theta functions*. Springer, 1972.Sabyasachi Karati, Palash Sarkar, Kummer for genus one over prime order fields. in

*Takagi and Peyrin [50]*, pp. 3–32Neal Koblitz, Elliptic curve cryptosystems.

*Math. Comp.**48*(177), 203–209 (1987)Neal Koblitz, Hyperelliptic cryptosystems.

*J. Cryptology*.**1**(3), 139–150 (1989)Chae Hoon Lim, Pil Joong Lee, A key recovery attack on discrete log-based schemes using a prime order subgroupp. in Burton S. Kaliski Jr., editor,

*Advances in Cryptology - CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 1997, Proceedings*, volume 1294 of*Lecture Notes in Computer Science*, (Springer, 1997), pp. 249–263Patrick Longa, Francesco Sica, Four-dimensional Gallant-Lambert-Vanstone scalar multiplication. in Xiaoyun Wang and Kazue Sako, editors,

*Advances in Cryptology - ASIACRYPT 2012 - 18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, December 2–6, 2012. Proceedings*, volume 7658 of*Lecture Notes in Computer Science*, (Springer, 2012), pp. 718–739Victor S. Miller, Use of elliptic curves in cryptography. in

*Advances in Cryptology - CRYPTO’85, Santa Barbara, California, USA, August 18–22, 1985, Proceedings*, (Springer, Berlin Heidelberg, 1985), pp. 417–426Peter L. Montgomery, Speeding the Pollard and elliptic curve methods of factorization.

*Mathematics of Computation*.**48**(177), 243–264 (1987)Peter L. Montgomery, Five, six, and seven-term karatsuba-like formulae.

*IEEE Trans. Computers*.**54**(3), 362–369 (2005)D. Mumford.

*Tata lectures on theta I*. Progress in Mathematics 28. Birkh äuser, 1983.U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS). FIPS-186-3. http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf, 2009.

Thomaz Oliveira, Julio López, Diego F. Aranha, Francisco Rodríguez-Henríquez, Lambda coordinates for binary elliptic curves. in

*Bertoni and Coron [8]*, pp. 311–330Thomaz Oliveira, Julio López, Francisco Rodríguez-Henríquez, Software implementation of Koblitz curves over quadratic fields. in Benedikt Gierlichs and Axel Y. Poschmann, editors,

*Cryptographic Hardware and Embedded Systems - CHES 2016 - 18th International Conference, Santa Barbara, CA, USA, August 17–19, 2016, Proceedings*, volume 9813 of*Lecture Notes in Computer Science*, (Springer, 2016), pp. 259–279Joost Renes, Benjamin Smith, qDSA: Small and secure digital signatures with curve-based Diffie-Hellman key pairs. in

*Takagi and Peyrin [50]*, pp. 273–302Certicom Research. SEC 2: Recommended elliptic curve domain parameters. http://www.secg.org/sec2-v2.pdf, (2010)

Nigel P. Smart, Samir Siksek, A fast Diffie-Hellman protocol in genus 2.

*J. Cryptology*.**12**(1), 67–73 (1999)Tsuyoshi Takagi, Thomas Peyrin, editors.

*Advances in Cryptology - ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3–7, 2017, Proceedings, Part II*, volume 10625 of*Lecture Notes in Computer Science*, (Springer, 2017)NUMS: Nothing up my sleeve. https://tools.ietf.org/html/draft-black-tls-numscurves-00

## Acknowledgements

We would like to thank Pierrick Gaudry for helpful comments and clarifying certain confusion regarding conversion from Kummer line to elliptic curve. We would also like to thank Peter Schwabe for clarifying certain implementation issues regarding Curve25519 and Kummer surface computation in genus 2. Thanks to Alfred Menezes, René Struik, Patrick Longa, the reviewers of Asiacrypt 2017, and the reviewers of the present paper for comments.

## Author information

### Authors and Affiliations

### Corresponding author

## Additional information

Communicated by Frederik Vercauteren.

### Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

An earlier version of this work appeared as [35], and was recommended by the program chairs of the conference for invitation to the Journal of Cryptology. Sabyasachi Karati: Part of the work was done while the author was a post-doctoral fellow at the Turing Laboratory of the Indian Statistical Institute.

## Rights and permissions

## About this article

### Cite this article

Karati, S., Sarkar, P. Kummer for Genus One Over Prime-Order Fields.
*J Cryptol* **33**, 92–129 (2020). https://doi.org/10.1007/s00145-019-09320-4

Received:

Revised:

Published:

Issue Date:

DOI: https://doi.org/10.1007/s00145-019-09320-4

### Keywords

- Elliptic curve cryptography
- Kummer line
- Montgomery curve
- Scalar multiplication