Skip to main content

Kummer for Genus One Over Prime-Order Fields


This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz (Finite Fields Appl 15(2):246–260, 2009) had suggested the use of the associated Kummer line to speed up scalar multiplication. In the present work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. It turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines denoted as \(K_1:=\mathsf{KL2519(81,20)}\), \(K_2:=\mathsf{KL25519(82,77)}\) and \(K_3:=\mathsf{KL2663(260,139)}\) over the three primes \(2^{251}-9\), \(2^{255}-19\) and \(2^{266}-3\), respectively. Implementations of scalar multiplications for all three Kummer lines using Intel intrinsics have been done, and the code is publicly available. Timing results on the Skylake and the Haswell processors of Intel indicate that both fixed base and variable base scalar multiplications for \(K_1\) and \(K_2\) are faster than those achieved by Sandy2x, which is a highly optimised SIMD implementation in assembly of the well-known Curve25519. On Skylake, both fixed base and variable base scalar multiplications for \(K_3\) are faster than Sandy2x, whereas on Haswell, fixed base scalar multiplication for \(K_3\) is faster than Sandy2x while variable base scalar multiplication for both \(K_3\) and Sandy2x takes roughly the same time. In practical terms, the particular Kummer lines that are introduced in this work are serious candidates for deployment and standardisation. We further illustrate the usefulness of the proposed Kummer lines by instantiating the quotient Digital Signature Algorithm on all the three Kummer lines.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4


  1., accessed on September 1, 2018.

  2. A reviewer has pointed out that explicit formulas for the square-only setting appear at (accessed on September 1, 2018).

  3., accessed on September 1, 2018.

  4., accessed on September 1, 2018.

  5. Downloaded from (last accessed on September 1, 2018). We used crypto_scalarmult(q,n,p) to measure variable base scalar multiplication and crypto_scalarmult_base(q,n) to measure fixed base scalar multiplication.

  6., accessed on September 1, 2018.

  7., accessed on September 1, 2018.


  1. J. Barwise, P. Eklof, Lefschetz’s principle. Journal of Algebra. 13(4), 554–570 (1969)

    Article  MathSciNet  Google Scholar 

  2. D. J. Bernstein, Curve25519: New Diffie-Hellman speed records. in Public Key Cryptography - PKC, volume 3958 of Lecture Notes in Computer Science, (Springer, 2006), pp. 207–228

  3. D. J. Bernstein, Elliptic vs. hyperelliptic, part I. Talk at ECC. (2006)

  4. D.J. Bernstein, C. Chuengsatiansup, T. Lange, P. Schwabe, Kummer strikes back: New DH speed records. in Advances in Cryptology - ASIACRYPT, volume 8873 of Lecture Notes in Computer Science, (Springer, 2014), pp. 317–337

  5. D. J. Bernstein, T. Lange, Safecurves: choosing safe curves for elliptic-curve cryptography., accessed on September 1, (2018)

  6. Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, Bo-Yin Yang, High-speed high-security signatures. in Bart Preneel and Tsuyoshi Takagi, editors, Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, September 28–October 1, 2011. Proceedings, volume 6917 of Lecture Notes in Computer Science, (Springer, 2011), pp. 124–142

  7. Daniel J, Bernstein and Peter Schwabe. NEON crypto. in Emmanuel Prouff and Patrick Schaumont, editors, Cryptographic Hardware and Embedded Systems - CHES 2012 - 14th International Workshop, Leuven, Belgium, September 9–12, 2012. Proceedings, volume 7428 of Lecture Notes in Computer Science, (Springer, 2012), pp. 320–339

  8. Guido Bertoni, Jean-Sébastien Coron, editors. Cryptographic Hardware and Embedded Systems - CHES 2013 - 15th International Workshop, Santa Barbara, CA, USA, August 20–23, 2013. Proceedings, volume 8086 of Lecture Notes in Computer Science, (Springer, 2013)

  9. Joppe W. Bos, Craig Costello, Hüseyin Hisil, Kristin E. Lauter, Fast cryptography in genus 2. in Advances in Cryptology - EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26–30, 2013. Proceedings, volume 7881 of Lecture Notes in Computer Science, (Springer, 2013), pp. 194–210

  10. Joppe W. Bos, Craig Costello, Hüseyin Hisil, Kristin E. Lauter, High-performance scalar multiplication using 8-dimensional GLV/GLS decomposition. in Bertoni and Coron [10], pp. 331–348

  11. Brainpool, ECC standard.

  12. Tung Chou, Sandy2x: New Curve25519 speed records. in Orr Dunkelman and Liam Keliher, editors, Selected Areas in Cryptography - SAC 2015 - 22nd International Conference, Sackville, NB, Canada, August 12–14, 2015, Revised Selected Papers, volume 9566 of Lecture Notes in Computer Science, (Springer, 2015), pp. 145–160

  13. R. Cosset, Factorization with genus 2 curves. Mathematics of Computation. 79(270),1191–1208 (2010)

    Article  MathSciNet  Google Scholar 

  14. C. Costello, P. Longa, Four(\({\mathbb{Q}}\)): Four-dimensional decompositions on a \({\mathbb{Q}}\)-curve over the Mersenne prime. in Advances in Cryptology - ASIACRYPT Part I, volume 9452 of Lecture Notes in Computer Science, (Springer, 2015), pp. 214–235

  15. Craig Costello, Hüseyin Hisil, Benjamin Smith, Faster compact Diffie-Hellman: Endomorphisms on the x-line. in Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11–15, 2014. Proceedings, volume 8441 of Lecture Notes in Computer Science, (Springer, 2014), pp. 183–200

  16. Neil Costigan, Peter Schwabe, Fast elliptic-curve cryptography on the cell broadband engine. in Bart Preneel, editor, Progress in Cryptology - AFRICACRYPT 2009, Second International Conference on Cryptology in Africa, Gammarth, Tunisia, June 21–25, 2009. Proceedings, volume 5580 of Lecture Notes in Computer Science, (Springer, 2009), pp. 368–385

  17. Curve25519. Wikipedia page on Curve25519., accessed on September 1, (2018)

  18. M. J. Dworkin, SHA-3 standard: Permutation-based hash and extendable-output functions. Technical report, National Institute of Standards and Technology (NIST). (2015).

  19. Armando Faz-Hernández, Patrick Longa, Ana H. Sánchez, Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves. in Josh Benaloh, editor, Topics in Cryptology - CT-RSA 2014 - The Cryptographer’s Track at the RSA Conference 2014, San Francisco, CA, USA, February 25–28, 2014. Proceedings, volume 8366 of Lecture Notes in Computer Science, (Springer, 2014), pp. 1–27

  20. Armando Faz-Hernández, Julio López, Fast implementation of Curve25519 using AVX2. in Kristin E. Lauter and Francisco Rodríguez-Henríquez, editors, Progress in Cryptology - LATINCRYPT 2015 - 4th International Conference on Cryptology and Information Security in Latin America, Guadalajara, Mexico, August 23–26, 2015, Proceedings, volume 9230 of Lecture Notes in Computer Science, (Springer, 2015), pp. 329–345

  21. E.V. Flynn, Formulas for Kummer on genus 2., accessed on September 1, (2018)

  22. E.V. Flynn, The group law on the Jacobian of a curve of genus 2. J. reine angew. Math.439,45–69(1993)

    MathSciNet  MATH  Google Scholar 

  23. Code for Kummer Line Computations.

  24. Code for qDSA on Kummer Line.

  25. G. Frey, H.-G. Rück, The strong Lefschetz principle in algebraic geometry. Manuscripta Mathematica. 55(3), 385–401 (1986)

    Article  MathSciNet  Google Scholar 

  26. P. Gaudry, Fast genus 2 arithmetic based on theta functions. J. Mathematical Cryptology. 1(3), 243–265 (2007)

    Article  MathSciNet  Google Scholar 

  27. P. Gaudry. Personal communication. (2016)

  28. P. Gaudry, D. Lubicz, The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines. Finite Fields and Their Applications. 15(2), 246–260 (2009)

    Article  MathSciNet  Google Scholar 

  29. P. Gaudry, É. Schost, Genus 2 point counting over prime fields. J. Symb. Comput.47(4), 368–400 (2012)

    Article  MathSciNet  Google Scholar 

  30. S. Gueron, Software optimizations for cryptographic primitives on general purpose x86\_64 platforms. Tutorial at IndoCrypt. (2011)

  31. Shay Gueron, Vlad Krasnov, Fast prime field elliptic-curve cryptography with 256-bit primes. J. Cryptographic Engineering. 5(2), 141–151 (2015)

    Article  Google Scholar 

  32. Darrel Hankerson, Koray Karabina, Alfred Menezes, Analyzing the Galbraith-Lin-Scott point multiplication method for elliptic curves over binary fields. IEEE Trans. Computers. 58(10), 1411–1420 (2009)

    Article  MathSciNet  Google Scholar 

  33. Huseyin Hisil, Joost Renes, On kummer lines with full rational 2-torsion and their usage in cryptography. Cryptology ePrint Archive, Report 2018/839, (2018).

  34. Jun ichi Igusa. Theta functions. Springer, 1972.

  35. Sabyasachi Karati, Palash Sarkar, Kummer for genus one over prime order fields. in Takagi and Peyrin [50], pp. 3–32

  36. Neal Koblitz, Elliptic curve cryptosystems. Math. Comp.48(177), 203–209 (1987)

    Article  MathSciNet  Google Scholar 

  37. Neal Koblitz, Hyperelliptic cryptosystems. J. Cryptology. 1(3), 139–150 (1989)

    Article  MathSciNet  Google Scholar 

  38. Chae Hoon Lim, Pil Joong Lee, A key recovery attack on discrete log-based schemes using a prime order subgroupp. in Burton S. Kaliski Jr., editor, Advances in Cryptology - CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 1997, Proceedings, volume 1294 of Lecture Notes in Computer Science, (Springer, 1997), pp. 249–263

  39. Patrick Longa, Francesco Sica, Four-dimensional Gallant-Lambert-Vanstone scalar multiplication. in Xiaoyun Wang and Kazue Sako, editors, Advances in Cryptology - ASIACRYPT 2012 - 18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, December 2–6, 2012. Proceedings, volume 7658 of Lecture Notes in Computer Science, (Springer, 2012), pp. 718–739

  40. Victor S. Miller, Use of elliptic curves in cryptography. in Advances in Cryptology - CRYPTO’85, Santa Barbara, California, USA, August 18–22, 1985, Proceedings, (Springer, Berlin Heidelberg, 1985), pp. 417–426

  41. Peter L. Montgomery, Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation. 48(177), 243–264 (1987)

    Article  MathSciNet  Google Scholar 

  42. Peter L. Montgomery, Five, six, and seven-term karatsuba-like formulae. IEEE Trans. Computers. 54(3), 362–369 (2005)

    Article  Google Scholar 

  43. D. Mumford. Tata lectures on theta I. Progress in Mathematics 28. Birkh äuser, 1983.

    Book  Google Scholar 

  44. U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS). FIPS-186-3., 2009.

  45. Thomaz Oliveira, Julio López, Diego F. Aranha, Francisco Rodríguez-Henríquez, Lambda coordinates for binary elliptic curves. in Bertoni and Coron [8], pp. 311–330

  46. Thomaz Oliveira, Julio López, Francisco Rodríguez-Henríquez, Software implementation of Koblitz curves over quadratic fields. in Benedikt Gierlichs and Axel Y. Poschmann, editors, Cryptographic Hardware and Embedded Systems - CHES 2016 - 18th International Conference, Santa Barbara, CA, USA, August 17–19, 2016, Proceedings, volume 9813 of Lecture Notes in Computer Science, (Springer, 2016), pp. 259–279

  47. Joost Renes, Benjamin Smith, qDSA: Small and secure digital signatures with curve-based Diffie-Hellman key pairs. in Takagi and Peyrin [50], pp. 273–302

  48. Certicom Research. SEC 2: Recommended elliptic curve domain parameters., (2010)

  49. Nigel P. Smart, Samir Siksek, A fast Diffie-Hellman protocol in genus 2. J. Cryptology. 12(1), 67–73 (1999)

    Article  MathSciNet  Google Scholar 

  50. Tsuyoshi Takagi, Thomas Peyrin, editors. Advances in Cryptology - ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3–7, 2017, Proceedings, Part II, volume 10625 of Lecture Notes in Computer Science, (Springer, 2017)

  51. NUMS: Nothing up my sleeve.

Download references


We would like to thank Pierrick Gaudry for helpful comments and clarifying certain confusion regarding conversion from Kummer line to elliptic curve. We would also like to thank Peter Schwabe for clarifying certain implementation issues regarding Curve25519 and Kummer surface computation in genus 2. Thanks to Alfred Menezes, René Struik, Patrick Longa, the reviewers of Asiacrypt 2017, and the reviewers of the present paper for comments.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Sabyasachi Karati.

Additional information

Communicated by Frederik Vercauteren.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

An earlier version of this work appeared as [35], and was recommended by the program chairs of the conference for invitation to the Journal of Cryptology. Sabyasachi Karati: Part of the work was done while the author was a post-doctoral fellow at the Turing Laboratory of the Indian Statistical Institute.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Karati, S., Sarkar, P. Kummer for Genus One Over Prime-Order Fields. J Cryptol 33, 92–129 (2020).

Download citation

  • Received:

  • Revised:

  • Published:

  • Issue Date:

  • DOI:


  • Elliptic curve cryptography
  • Kummer line
  • Montgomery curve
  • Scalar multiplication