Advertisement

High-Performance Scalar Multiplication Using 8-Dimensional GLV/GLS Decomposition

  • Joppe W. Bos
  • Craig Costello
  • Huseyin Hisil
  • Kristin Lauter
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8086)

Abstract

This paper explores the potential for using genus 2 curves over quadratic extension fields in cryptography, motivated by the fact that they allow for an 8-dimensional scalar decomposition when using a combination of the GLV/GLS algorithms. Besides lowering the number of doublings required in a scalar multiplication, this approach has the advantage of performing arithmetic operations in a 64-bit ground field, making it an attractive candidate for embedded devices. We found cryptographically secure genus 2 curves which, although susceptible to index calculus attacks, aim for the standardized 112-bit security level. Our implementation results on both high-end architectures (Ivy Bridge) and low-end ARM platforms (Cortex-A8) highlight the practical benefits of this approach.

Keywords

Elliptic Curf Lookup Table Hyperelliptic Curve Quadratic Extension Elliptic Curve Cryptography 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Acar, T., Shumow, D.: Modular reduction without pre-computation for special moduli. Technical report, Microsoft Research (2010)Google Scholar
  2. 2.
    Adleman, L., DeMarrais, J., Huang, M.: A subexponential algorithm for discrete logarithms over hyperelliptic curves of large genus over GF(q). Theoretical Computer Science 226(1-2), 7–18 (1999)MathSciNetzbMATHCrossRefGoogle Scholar
  3. 3.
    Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 48–68. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Beagle Board. BeagleBoard-xM System Reference Manual (2013), http://beagleboard.org/static/BBxMSRM_latest.pdf
  5. 5.
    Bernstein, D.J.: Curve25519: New Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  6. 6.
    Bernstein, D.J., Lange, T. (eds.): eBACS: ECRYPT Benchmarking of Cryptographic Systems, http://bench.cr.yp.to (accessed March 1, 2013)
  7. 7.
    Bernstein, D.J., Schwabe, P.: NEON crypto. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 320–339. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  8. 8.
    Bos, J.W., Costello, C., Hisil, H., Lauter, K.: Fast cryptography in genus 2. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 194–210. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  9. 9.
    Bos, J.W., Costello, C., Hisil, H., Lauter, K.: High-performance scalar multiplication using 8-dimensional GLV/GLS decomposition. Cryptology ePrint Archive, Report 2013/146 (2013), http://eprint.iacr.org/
  10. 10.
    Buhler, J., Koblitz, N.: Lattice basis reduction, Jacobi sums and hyperelliptic cryptosystems. Bul. of the Australian Mathematical Society 58(1), 147–154 (1998)MathSciNetzbMATHCrossRefGoogle Scholar
  11. 11.
    Diem, C.: The GHS attack in odd characteristic. J. Ramanujan Math. Soc. 18(1), 1–32 (2003)MathSciNetzbMATHGoogle Scholar
  12. 12.
    Diem, C.: On the discrete logarithm problem in elliptic curves. Compositio Mathematica 147(01), 75–104 (2011)MathSciNetzbMATHCrossRefGoogle Scholar
  13. 13.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)MathSciNetzbMATHCrossRefGoogle Scholar
  14. 14.
    Faz-Hernandez, A., Longa, P., Sanchez, A.H.: Keep calm and stay with one (and p > 3). Cryptology ePrint Archive, Report 2013/158 (2013)Google Scholar
  15. 15.
    Frey, G.: How to disguise an elliptic curve (Weil descent). Talk at ECC: slides available at http://cacr.uwaterloo.ca/conferences/1998/ecc98/frey.ps (September 1998)
  16. 16.
    Galbraith, S.D.: Weil descent of Jacobians. Discrete Applied Mathematics 128(1), 165–180 (2003)MathSciNetzbMATHCrossRefGoogle Scholar
  17. 17.
    Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. Cryptology 24(3), 446–469 (2011)MathSciNetzbMATHCrossRefGoogle Scholar
  18. 18.
    Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  19. 19.
    Gaudry, P.: An algorithm for solving the discrete log problem on hyperelliptic curves. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 19–34. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  20. 20.
    Gaudry, P.: Fast genus 2 arithmetic based on theta functions. Journal of Mathematical Cryptology JMC 1(3), 243–265 (2007)MathSciNetzbMATHGoogle Scholar
  21. 21.
    Gaudry, P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. 44(12), 1690–1702 (2009)MathSciNetzbMATHCrossRefGoogle Scholar
  22. 22.
    Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptology 15(1), 19–46 (2002)MathSciNetCrossRefGoogle Scholar
  23. 23.
    Gaudry, P., Thomé, E., Thériault, N., Diem, C.: A double large prime variation for small genus hyperelliptic index calculus. Math. Comput. 76(257), 475–492 (2007)zbMATHCrossRefGoogle Scholar
  24. 24.
    Goren, E.Z., Lauter, K.E.: Genus 2 curves with complex multiplication. International Mathematics Research Notices 2012(5), 1068–1142 (2012)MathSciNetzbMATHGoogle Scholar
  25. 25.
    Hamburg, M.: Fast and compact elliptic-curve cryptography. Cryptology ePrint Archive, Report 2012/309 (2012), http://eprint.iacr.org/
  26. 26.
    Iijima, T., Momose, F., Chao, J.: Classification of elliptic/hyperelliptic curves with weak coverings against GHS attack without isogeny condition. Cryptology ePrint Archive, Report 2009/613 (2009), http://eprint.iacr.org/
  27. 27.
    Käsper, E.: Fast elliptic curve cryptography in OpenSSL. In: Danezis, G., Dietrich, S., Sako, K. (eds.) FC 2011 Workshops. LNCS, vol. 7126, pp. 27–39. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  28. 28.
    Knežević, M., Vercauteren, F., Verbauwhede, I.: Speeding up bipartite modular multiplication. In: Hasan, M.A., Helleseth, T. (eds.) WAIFI 2010. LNCS, vol. 6087, pp. 166–179. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  29. 29.
    Koblitz, N.: Elliptic curve cryptosystems. Mathematics of Computation 48(177), 203–209 (1987)MathSciNetzbMATHCrossRefGoogle Scholar
  30. 30.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  31. 31.
    Lenstra, A.K.: Generating RSA moduli with a predetermined portion. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 1–10. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  32. 32.
    Lim, C.H., Lee, P.J.: More flexible exponentiation with precomputation. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 95–107. Springer, Heidelberg (1994)Google Scholar
  33. 33.
    Longa, P., Sica, F.: Four-dimensional Gallant-Lambert-Vanstone scalar multiplication. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 718–739. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  34. 34.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)Google Scholar
  35. 35.
    Momose, F., Chao, J.: Scholten forms and elliptic/hyperelliptic curves with weak Weil restrictions. Cryptology ePrint Archive, Report 2005/277 (2005)Google Scholar
  36. 36.
    Montgomery, P.L.: Modular multiplication without trial division. Mathematics of Computation 44(170), 519–521 (1985)MathSciNetzbMATHCrossRefGoogle Scholar
  37. 37.
    Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation 48(177), 243–264 (1987)MathSciNetzbMATHCrossRefGoogle Scholar
  38. 38.
    Morozov, S., Tergino, C., Schaumont, P.: System integration of elliptic curve cryptography on an OMAP platform. In: IEEE 9th Symposium on Application Specific Processors – SASP, pp. 52–57. IEEE Computer Society (2011)Google Scholar
  39. 39.
    Nagao, K.-I.: Decomposition attack for the Jacobian of a hyperelliptic curve over an extension field. In: Hanrot, G., Morain, F., Thomé, E. (eds.) ANTS-IX 2010. LNCS, vol. 6197, pp. 285–300. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  40. 40.
    National Institute of Standards and Technology. Special publication 800-57: Recommendation for key management part 1: General (revised), http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
  41. 41.
    National Security Agency. The case for elliptic curve cryptography (2009), http://www.nsa.gov/business/programs/elliptic_curve.shtml
  42. 42.
    Park, Y.-H., Jeong, S., Lim, J.: Speeding up point multiplication on hyperelliptic curves with efficiently-computable endomorphisms. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 197–208. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  43. 43.
    Pollard, J.M.: Monte Carlo methods for index computation (mod p). Mathematics of Computation 32(143), 918–924 (1978)MathSciNetzbMATHGoogle Scholar
  44. 44.
    Solinas, J.A.: Generalized Mersenne numbers. Technical Report CORR 99–39, Centre for Applied Cryptographic Research, University of Waterloo (1999)Google Scholar
  45. 45.
    Thériault, N.: Weil descent attack for Kummer extensions. J. Ramanujan Math. Soc. 18(3), 218–312 (2003)Google Scholar
  46. 46.
    U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS). FIPS-186-3 (2009), http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
  47. 47.
    Walter, C.D.: Montgomery exponentiation needs no final subtractions. Electronics Letters 35(21), 1831–1832 (1999)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Joppe W. Bos
    • 1
  • Craig Costello
    • 1
  • Huseyin Hisil
    • 2
  • Kristin Lauter
    • 1
  1. 1.Microsoft ResearchRedmondUSA
  2. 2.Yasar UniversityIzmirTurkey

Personalised recommendations