Fast Cryptography in Genus 2

  • Joppe W. Bos
  • Craig Costello
  • Huseyin Hisil
  • Kristin Lauter
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7881)


In this paper we highlight the benefits of using genus 2 curves in public-key cryptography. Compared to the standardized genus 1 curves, or elliptic curves, arithmetic on genus 2 curves is typically more involved but allows us to work with moduli of half the size. We give a taxonomy of the best known techniques to realize genus 2 based cryptography, which includes fast formulas on the Kummer surface and efficient 4-dimensional GLV decompositions. By studying different modular arithmetic approaches on these curves, we present a range of genus 2 implementations. On a single core of an Intel Core i7-3520M (Ivy Bridge), our implementation on the Kummer surface breaks the 120 thousand cycle barrier which sets a new software speed record at the 128-bit security level for constant-time scalar multiplications compared to all previous genus 1 and genus 2 implementations.



Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Joppe W. Bos (1)
  • Craig Costello (1)
  • Huseyin Hisil (2)
  • Kristin Lauter (1)

  1. Microsoft Research, Redmond, USA
  2. Yasar University, Izmir, Turkey
