Faster Compact Diffie–Hellman: Endomorphisms on the x-line

  • Craig Costello
  • Huseyin Hisil
  • Benjamin Smith
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8441)

Abstract

We describe an implementation of fast elliptic curve scalar multiplication, optimized for Diffie–Hellman Key Exchange at the 128-bit security level. The algorithms are compact (using only x-coordinates), run in constant time with uniform execution patterns, and do not distinguish between the curve and its quadratic twist; they thus have a built-in measure of side-channel resistance. (For comparison, we also implement two faster but non-constant-time algorithms.) The core of our construction is a suite of two-dimensional differential addition chains driven by efficient endomorphism decompositions, built on curves selected from a family of ℚ-curve reductions over \(\mathbb{F}_{p^2}\) with \(p = 2^{127} - 1\). We include state-of-the-art experimental results for twist-secure, constant-time, x-coordinate-only scalar multiplication.
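As an added illustration (not code from the paper, whose curves live over \(\mathbb{F}_{p^2}\) and use endomorphism-driven two-dimensional chains), the following Python implements the simpler one-dimensional building block the abstract relies on: a constant-time, x-only Montgomery ladder over \(\mathbb{F}_p\) with \(p = 2^{127} - 1\). The coefficient A = 486662 is an assumed sample value (Curve25519's A, reused only to get a nonsingular curve); the ladder runs a fixed number of uniform iterations with a branch-free swap and, since it touches only x and A, computes scalar multiples correctly whether the input x lies on the curve or on its quadratic twist.

```python
P = 2**127 - 1
A = 486662                        # assumed sample coefficient (Curve25519's A); A^2 != 4 mod P
A24 = (A + 2) * pow(4, P - 2, P) % P   # (A+2)/4, used by the doubling formula

def cswap(swap, a, b):
    """Branch-free conditional swap: swap in {0, 1}, no secret-dependent control flow."""
    mask = -swap                  # 0 or all-ones
    t = (a ^ b) & mask
    return a ^ t, b ^ t

def xdbl(x, z):
    """x-only doubling on B*y^2 = x^3 + A*x^2 + x in projective (X:Z) coordinates."""
    t1, t2 = (x + z) ** 2 % P, (x - z) ** 2 % P
    t3 = (t1 - t2) % P            # equals 4*X*Z
    return t1 * t2 % P, t3 * (t2 + A24 * t3) % P

def xadd(x2, z2, x3, z3, x1):
    """x-only differential addition of (X2:Z2) and (X3:Z3), given affine x1 = x(P3 - P2)."""
    u = (x2 - z2) * (x3 + z3) % P
    v = (x2 + z2) * (x3 - z3) % P
    return (u + v) ** 2 % P, x1 * (u - v) ** 2 % P

def ladder(k, x, nbits=256):
    """Return x([k]P) for either point P with x(P) = x; always nbits iterations, same op pattern."""
    x2, z2, x3, z3, swap = 1, 0, x, 1, 0   # (1:0) is the point at infinity
    for t in reversed(range(nbits)):
        bit = (k >> t) & 1
        swap ^= bit
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = bit
        x3, z3 = xadd(x2, z2, x3, z3, x)
        x2, z2 = xdbl(x2, z2)
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P     # Fermat inversion; infinity (Z = 0) maps to 0

def on_curve(x):
    """Euler criterion: True if x^3 + A*x^2 + x is a square in F_p (x on E), else x is on the twist."""
    return pow((x * x * x + A * x * x + x) % P, (P - 1) // 2, P) == 1

def sample_x(want_on_curve):
    """Smallest x >= 2 on the curve (True) or on its twist (False); a constructed test input."""
    x = 2
    while on_curve(x) != want_on_curve:
        x += 1
    return x
```

The ladder never calls on_curve; the check exists only so a reader can confirm which of the two groups a given x selects while the arithmetic stays identical.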

Keywords

Elliptic curve cryptography, scalar multiplication, twist-secure, side channel attacks, endomorphism, Kummer variety, addition chains, Montgomery curve

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Craig Costello (1)
  • Huseyin Hisil (2)
  • Benjamin Smith (3, 4)
  1. Microsoft Research, Redmond, USA
  2. Yasar University, Izmir, Turkey
  3. INRIA (Équipe-projet GRACE), France
  4. LIX (Laboratoire d’Informatique), École polytechnique, France