Fast Cryptography in Genus 2

  • Joppe W. Bos
  • Craig Costello
  • Huseyin Hisil
  • Kristin Lauter
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7881)


In this paper we highlight the benefits of using genus 2 curves in public-key cryptography. Compared to the standardized genus 1 curves, or elliptic curves, arithmetic on genus 2 curves is typically more involved but allows us to work with moduli of half the size. We give a taxonomy of the best known techniques to realize genus 2 based cryptography, which includes fast formulas on the Kummer surface and efficient 4-dimensional GLV decompositions. By studying different modular arithmetic approaches on these curves, we present a range of genus 2 implementations. On a single core of an Intel Core i7-3520M (Ivy Bridge), our implementation on the Kummer surface breaks the 120 thousand cycle barrier which sets a new software speed record at the 128-bit security level for constant-time scalar multiplications compared to all previous genus 1 and genus 2 implementations.


Elliptic Curve Elliptic Curf Scalar Multiplication Lookup Table Minimal Polynomial 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Acar, T., Shumow, D.: Modular reduction without pre-computation for special moduli. Technical report, Microsoft Research (2010)Google Scholar
  2. 2.
    Adleman, L., DeMarrais, J., Huang, M.: A subexponential algorithm for discrete logarithms over hyperelliptic curves of large genus over GF(q). Theoretical Computer Science 226(1-2), 7–18 (1999)MathSciNetzbMATHCrossRefGoogle Scholar
  3. 3.
    Aranha, D.F., Faz-Hernández, A., López, J., Rodríguez-Henríquez, F.: Faster implementation of scalar multiplication on Koblitz curves. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 177–193. Springer, Heidelberg (2012)Google Scholar
  4. 4.
    Bernstein, D.J.: Curve25519: New Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Bernstein, D.J.: Elliptic vs. Hyperelliptic, part I. Talk at ECC, slides at (September 2006),
  6. 6.
    Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 124–142. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  7. 7.
    Bernstein, D.J., Lange, T.: Analysis and optimization of elliptic-curve single-scalar multiplication. In: Finite Fields and Applications. Contemporary Mathematics Series, vol. 461, pp. 1–19. American Mathematical Society (2008)Google Scholar
  8. 8.
    Bernstein, D.J., Lange, T. (eds). eBACS: ECRYPT Benchmarking of Cryptographic Systems, (accessed October 4, 2012)
  9. 9.
    Bos, J.W.: High-performance modular multiplication on the Cell processor. In: Hasan, M.A., Helleseth, T. (eds.) WAIFI 2010. LNCS, vol. 6087, pp. 7–24. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  10. 10.
    Bos, J.W., Costello, C., Hisil, H., Lauter, K.: Two is greater than one. Cryptology ePrint Archive, Report 2012/670 (2012),
  11. 11.
    Bos, J.W., Kaihara, M.E., Kleinjung, T., Lenstra, A.K., Montgomery, P.L.: Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction. Int. J. of Applied Cryptography 2(3), 212–228 (2012)MathSciNetzbMATHCrossRefGoogle Scholar
  12. 12.
    Brauer, A.: On addition chains. Bulletin of the American Mathematical Society 45, 736–739 (1939)MathSciNetCrossRefGoogle Scholar
  13. 13.
    Brown, M., Hankerson, D., López, J., Menezes, A.: Software implementation of the NIST elliptic curves over prime fields. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 250–265. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    Buhler, J., Koblitz, N.: Lattice basis reduction, Jacobi sums and hyperelliptic cryptosystems. Bull. of the Australian Math. Soc. 58(1), 147–154 (1998)MathSciNetzbMATHCrossRefGoogle Scholar
  15. 15.
    Chudnovsky, D.V., Chudnovsky, G.V.: Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Advances in Applied Mathematics 7, 385–434 (1986)MathSciNetzbMATHCrossRefGoogle Scholar
  16. 16.
    Cosset, R.: Factorization with genus 2 curves. Math. Comp. 79(270), 1191–1208 (2010)MathSciNetzbMATHCrossRefGoogle Scholar
  17. 17.
    Costello, C., Lauter, K.: Group law computations on Jacobians of hyperelliptic curves. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 92–117. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  18. 18.
    Diem, C.: On the discrete logarithm problem in class groups of curves. Math. Comp. 80, 443–475 (2011)MathSciNetzbMATHCrossRefGoogle Scholar
  19. 19.
    Duursma, I.M., Gaudry, P., Morain, F.: Speeding up the discrete log computation on curves with automorphisms. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 103–121. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  20. 20.
    Enge, A.: Computing discrete logarithms in high-genus hyperelliptic Jacobians in provably subexponential time. Math. Comp. 71, 729–742 (2002)MathSciNetzbMATHCrossRefGoogle Scholar
  21. 21.
    Furukawa, E., Kawazoe, M., Takahashi, T.: Counting points for hyperelliptic curves of type y2= x5 + ax over finite prime fields. In: SAC 2003. LNCS, vol. 3006, pp. 26–41. Springer, Heidelberg (2003)Google Scholar
  22. 22.
    Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. Cryptology 24(3), 446–469 (2011)MathSciNetzbMATHCrossRefGoogle Scholar
  23. 23.
    Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  24. 24.
    Gaudry, P.: An algorithm for solving the discrete log problem on hyperelliptic curves. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 19–34. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  25. 25.
    Gaudry, P.: Algorithmique des courbes hyperelliptiques et applications à la cryptologie. PhD thesis, École polytechnique (2000),
  26. 26.
    Gaudry, P.: Fast genus 2 arithmetic based on theta functions. Journal of Mathematical Cryptology 1(3), 243–265 (2007)MathSciNetzbMATHCrossRefGoogle Scholar
  27. 27.
    Gaudry, P.: Personal communication (2011)Google Scholar
  28. 28.
    Gaudry, P., Kohel, D.R., Smith, B.A.: Counting points on genus 2 curves with real multiplication. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 504–519. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  29. 29.
    Gaudry, P., Schost, É.: Genus 2 point counting over prime fields. J. Symb. Comp. 47(4), 368–400 (2012)MathSciNetzbMATHCrossRefGoogle Scholar
  30. 30.
    Gaudry, P., Thomé, E.: The mp\(\mathbb{F}_q\) library and implementing curve-based key exchanges. In: SPEED 2007, pp. 49–64 (2007),
  31. 31.
    Hamburg, M.: Fast and compact elliptic-curve cryptography. Cryptology ePrint Archive, Report 2012/309 (2012),
  32. 32.
    Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted Edwards curves revisited. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 326–343. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  33. 33.
    Kaliski Jr., B.S.: The Montgomery inverse and its applications. IEEE Transactions on Computers 44(8), 1064–1065 (1995)zbMATHCrossRefGoogle Scholar
  34. 34.
    Käsper, E.: Fast elliptic curve cryptography in openSSL. In: Danezis, G., Dietrich, S., Sako, K. (eds.) FC 2011 Workshops 2011. LNCS, vol. 7126, pp. 27–39. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  35. 35.
    Knežević, M., Vercauteren, F., Verbauwhede, I.: Speeding up bipartite modular multiplication. In: Hasan, M.A., Helleseth, T. (eds.) WAIFI 2010. LNCS, vol. 6087, pp. 166–179. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  36. 36.
    Koblitz, N.: Elliptic curve cryptosystems. Math. Comp. 48(177), 203–209 (1987)MathSciNetzbMATHCrossRefGoogle Scholar
  37. 37.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  38. 38.
    Kohel, D.R., Smith, B.A.: Efficiently computable endomorphisms for hyperelliptic curves. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 495–509. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  39. 39.
    Lenstra, A.K.: Generating RSA moduli with a predetermined portion. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 1–10. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  40. 40.
    Longa, P., Sica, F.: Four-dimensional Gallant-Lambert-Vanstone scalar multiplication. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 718–739. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  41. 41.
    Mestre, J.-F.: Couples de Jacobiennes isogenes de courbes hyperelliptiques. Preprint, arXiv (2009),
  42. 42.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)Google Scholar
  43. 43.
    Montgomery, P.L.: Modular multiplication without trial division. Math. Comp. 44(170), 519–521 (1985)MathSciNetzbMATHCrossRefGoogle Scholar
  44. 44.
    Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comp. 48(177), 243–264 (1987)MathSciNetzbMATHCrossRefGoogle Scholar
  45. 45.
    Morain, F., Olivos, J.: Speeding up the computations on an elliptic curve using addition-subtraction chains. Informatique Théorique et Applications/Theoretical Informatics and Applications 24, 531–544 (1990)MathSciNetzbMATHGoogle Scholar
  46. 46.
    National Security Agency. Fact sheet NSA Suite B Cryptography (2009),
  47. 47.
    Oliveira, T., Rodríguez-Henríquez, F., López, J.: New timings for scalar multiplication using a new set of coordinates. In: Rump Session Talk at ECC 2012 (2012)Google Scholar
  48. 48.
    Park, Y.-H., Jeong, S., Lim, J.: Speeding up point multiplication on hyperelliptic curves with efficiently-computable endomorphisms. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 197–208. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  49. 49.
    Pollard, J.M.: Monte Carlo methods for index computation (mod p). Math. Comp. 32(143), 918–924 (1978)MathSciNetzbMATHGoogle Scholar
  50. 50.
    Scholz, A.: Aufgabe 253. Jahresbericht der deutschen Mathematiker-Vereingung 47, 41–42 (1937)Google Scholar
  51. 51.
    Smart, N.P., Siksek, S.: A fast Diffie-Hellman protocol in genus 2. J. Cryptology 12(1), 67–73 (1999)MathSciNetzbMATHCrossRefGoogle Scholar
  52. 52.
    Solinas, J.A.: Generalized Mersenne numbers. Technical Report CORR 99–39, Centre for Applied Cryptographic Research, University of Waterloo (1999)Google Scholar
  53. 53.
    Takashima, K.: A new type of fast endomorphisms on Jacobians of hyperelliptic curves and their cryptographic application. IEICE Trans. 89-A(1), 124–133 (2006)Google Scholar
  54. 54.
    Tautz, W., Top, J., Verberkmoes, A.: Explicit hyperelliptic curves with real multiplication and permutation polynomials. Canad. J. Math 43(5), 1055–1064 (1991)MathSciNetzbMATHCrossRefGoogle Scholar
  55. 55.
    Thurber, E.G.: On addition chains l(mn) ≤ l(n) − b and lower bounds for c(r). Duke Mathematical Journal 40, 907–913 (1973)MathSciNetzbMATHCrossRefGoogle Scholar
  56. 56.
    U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS). FIPS-186-3 (2009),
  57. 57.
    van Wamelen, P.: Computing with the analytic Jacobian of a genus 2 curve. In: Discovering Mathematics with Magma. Algorithms and Computation in Mathematics, vol. 19, pp. 117–135. Springer, Heidelberg (2006)Google Scholar
  58. 58.
    Wiener, M.J., Zuccherato, R.J.: Faster attacks on elliptic curve cryptosystems. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 190–200. Springer, Heidelberg (1999)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Joppe W. Bos
    • 1
  • Craig Costello
    • 1
  • Huseyin Hisil
    • 2
  • Kristin Lauter
    • 1
  1. 1.Microsoft ResearchRedmondUSA
  2. 2.Yasar UniversityIzmirTurkey

Personalised recommendations