Faster Compact Diffie–Hellman: Endomorphisms on the x-line

  • Craig Costello
  • Huseyin Hisil
  • Benjamin Smith
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8441)


We describe an implementation of fast elliptic curve scalar multiplication, optimized for Diffie–Hellman Key Exchange at the 128-bit security level. The algorithms are compact (using only x-coordinates), run in constant time with uniform execution patterns, and do not distinguish between the curve and its quadratic twist; they thus have a built-in measure of side-channel resistance. (For comparison, we also implement two faster but non-constant-time algorithms.) The core of our construction is a suite of two-dimensional differential addition chains driven by efficient endomorphism decompositions, built on curves selected from a family of ℚ-curve reductions over \(\mathbb{F}_{p^2}\) with \(p = 2^{127} - 1\). We include state-of-the-art experimental results for twist-secure, constant-time, x-coordinate-only scalar multiplication.
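As an added illustration (not code from the paper, whose specific curves and two-dimensional endomorphism chains are not reproduced here), the following Python shows the x-only, twist-agnostic, uniform-pattern scalar multiplication the abstract refers to, in its one-dimensional form: a Montgomery ladder over \(\mathbb{F}_{p^2}\) with \(p = 2^{127}-1\). The Montgomery coefficient A, the sample x-coordinates and the scalars are constructed placeholders, not the paper's parameters. Python's big-integer arithmetic is not itself constant-time, so the block demonstrates the data-independent operation pattern (fixed trip count, masked swaps, no branch on whether x lies on the curve or on its twist) rather than a timing guarantee.

```python
# Added example (not code from the paper): an x-coordinate-only Montgomery ladder over
# F_{p^2}, p = 2^127 - 1, on a CONSTRUCTED Montgomery curve with a placeholder coefficient A.
# Only x-coordinates are used, the scalar is consumed in a fixed number of uniform steps with
# arithmetic swaps instead of branches, and the same code evaluates x([k]P) whether P lies on
# the curve or on its quadratic twist.
P = 2**127 - 1      # p = 3 (mod 4), so F_{p^2} = F_p(i) with i^2 = -1
BITS = 256          # every scalar k < 2^256 is processed as exactly 256 ladder steps

# ---- F_{p^2} arithmetic: the element a + b*i is the tuple (a, b) with 0 <= a, b < P ----
def f2_add(u, v): return ((u[0] + v[0]) % P, (u[1] + v[1]) % P)
def f2_sub(u, v): return ((u[0] - v[0]) % P, (u[1] - v[1]) % P)
def f2_mul(u, v):
    a, b = u
    c, d = v
    return ((a * c - b * d) % P, (a * d + b * c) % P)
def f2_sqr(u): return f2_mul(u, u)
def f2_inv(u):
    # (a + bi)^-1 = (a - bi) / (a^2 + b^2); the norm lies in F_p, so Fermat inversion suffices
    a, b = u
    n_inv = pow((a * a + b * b) % P, P - 2, P)
    return ((a * n_inv) % P, (-b * n_inv) % P)
def f2_pow(u, e):
    # square-and-multiply; only used with a public exponent (Euler's criterion below)
    r, base = (1, 0), u
    while e:
        if e & 1:
            r = f2_mul(r, base)
        base, e = f2_sqr(base), e >> 1
    return r

# ---- Constructed curve E: y^2 = x^3 + A*x^2 + x over F_{p^2}. A is a PLACEHOLDER, not the
# paper's curve; a deployable curve needs twist-secure group orders on both E and its twist.
A = (12, 34)
A24 = f2_mul(f2_add(A, (2, 0)), (pow(4, P - 2, P), 0))     # (A + 2) / 4

def cswap(swap, u, v):
    """Swap two F_{p^2} elements iff swap == 1, using a mask instead of a secret-dependent branch."""
    mask = -swap                        # 0 or -1 (all ones) for swap in {0, 1}
    t0 = (u[0] ^ v[0]) & mask
    t1 = (u[1] ^ v[1]) & mask
    return (u[0] ^ t0, u[1] ^ t1), (v[0] ^ t0, v[1] ^ t1)

def xdbl(X, Z):
    """x-only doubling: (X:Z) = x(Q) -> x([2]Q)."""
    s2, d2 = f2_sqr(f2_add(X, Z)), f2_sqr(f2_sub(X, Z))
    e = f2_sub(s2, d2)                  # 4*X*Z
    return f2_mul(s2, d2), f2_mul(e, f2_add(d2, f2_mul(A24, e)))

def xadd(X2, Z2, X3, Z3, xdiff):
    """x-only differential addition: x(Q), x(R) and affine x(Q - R) -> x(Q + R)."""
    u = f2_mul(f2_sub(X2, Z2), f2_add(X3, Z3))
    v = f2_mul(f2_add(X2, Z2), f2_sub(X3, Z3))
    return f2_sqr(f2_add(u, v)), f2_mul(xdiff, f2_sqr(f2_sub(u, v)))

def ladder(k, x):
    """x([k]P) for any P with x(P) = x, on E or on its twist; None if [k]P is the identity."""
    X0, Z0 = (1, 0), (0, 0)             # R0 = identity, projectively (1 : 0)
    X1, Z1 = x, (1, 0)                  # R1 = P;  invariant: R1 - R0 = P
    swap = 0
    for i in range(BITS - 1, -1, -1):   # fixed trip count: the same pattern for every k
        bit = (k >> i) & 1
        swap ^= bit
        X0, X1 = cswap(swap, X0, X1)
        Z0, Z1 = cswap(swap, Z0, Z1)
        swap = bit
        X1, Z1 = xadd(X0, Z0, X1, Z1, x)
        X0, Z0 = xdbl(X0, Z0)
    X0, X1 = cswap(swap, X0, X1)
    Z0, Z1 = cswap(swap, Z0, Z1)
    if Z0 == (0, 0):
        return None
    return f2_mul(X0, f2_inv(Z0))

def curve_or_twist(x):
    """+1 if x is the x-coordinate of a point on E, -1 if on the quadratic twist, 0 if 2-torsion."""
    rhs = f2_add(f2_mul(x, f2_add(f2_sqr(x), f2_mul(A, x))), x)    # x^3 + A*x^2 + x
    s = f2_pow(rhs, (P * P - 1) // 2)                              # Euler's criterion in F_{p^2}
    return 1 if s == (1, 0) else (-1 if s == (P - 1, 0) else 0)

def sample_points():
    """Constructed inputs: the smallest x = c + 0i (c >= 2) on E and the smallest on the twist."""
    on_e = on_twist = None
    c = 2
    while on_e is None or on_twist is None:
        kind = curve_or_twist((c, 0))
        if kind == 1 and on_e is None:
            on_e = (c, 0)
        if kind == -1 and on_twist is None:
            on_twist = (c, 0)
        c += 1
    return on_e, on_twist

if __name__ == "__main__":
    a, b = 2**100 + 12345, 3 * 2**90 + 6789
    for x in sample_points():                      # one point on E, one on the twist
        print(curve_or_twist(x), ladder(a, ladder(b, x)) == ladder(a * b, x))
```

The closing check compares x([a]([b]P)) with x([ab]P) for one point on E and one on its twist: the ladder never needs to know which it was given, which is why an attacker-supplied x off the curve does not send the computation down a different code path. Whether such twist inputs are also cryptographically harmless is a property of the chosen curve (the twist-security the abstract refers to), which the placeholder A here does not claim.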


Keywords: Elliptic curve cryptography, scalar multiplication, twist-secure, side channel attacks, endomorphism, Kummer variety, addition chains, Montgomery curve



Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Craig Costello (1)
  • Huseyin Hisil (2)
  • Benjamin Smith (3, 4)
  1. Microsoft Research, Redmond, USA
  2. Yasar University, Izmir, Turkey
  3. INRIA (Équipe-projet GRACE), France
  4. LIX (Laboratoire d’Informatique), École polytechnique, France
