\(\mu \)Kummer: Efficient Hyperelliptic Signatures and Key Exchange on Microcontrollers

  • Joost Renes
  • Peter Schwabe
  • Benjamin Smith
  • Lejla Batina
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9813)


We describe the design and implementation of efficient signature and key-exchange schemes for the AVR ATmega and ARM Cortex M0 microcontrollers, targeting the 128-bit security level. Our algorithms are based on an efficient Montgomery ladder scalar multiplication on the Kummer surface of Gaudry and Schost’s genus-2 hyperelliptic curve, combined with the Jacobian point recovery technique of Chung, Costello, and Smith. Our results are the first to show the feasibility of software-only hyperelliptic cryptography on constrained platforms, and represent a significant improvement on the elliptic-curve state-of-the-art for both key exchange and signatures on these architectures. Notably, our key-exchange scalar-multiplication software runs in under 9520k cycles on the ATmega and under 2640k cycles on the Cortex M0, improving on the current speed records by 32 % and 75 % respectively.


Hyperelliptic curve cryptography Kummer surface AVR ATmega ARM Cortex M0 


  1. 1.
    Bernstein, D.J.: Elliptic vs. hyperelliptic, part 1 (2006). http://cr.yp.to/talks/2006.09.20/slides.pdf
  2. 2.
    Bos, J.W., Costello, C., Hisil, H., Lauter, K.: Fast cryptography in genus 2. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 194–210. Springer, Heidelberg (2013). https://eprint.iacr.org/2012/670.pdf CrossRefGoogle Scholar
  3. 3.
    Bernstein, D.J., Chuengsatiansup, C., Lange, T., Schwabe, P.: Kummer strikes back: new DH speed records. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 317–337. Springer, Heidelberg (2014). https://cryptojedi.org/papers/#kummer Google Scholar
  4. 4.
    Costello, C., Longa, P.: Four\(\mathbb{Q}\): four-dimensional decompositions on a\(\mathbb{Q}\)-curve over the mersenne prime. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 214–235. Springer, Heidelberg (2015). https://eprint.iacr.org/2015/565 CrossRefGoogle Scholar
  5. 5.
    Batina, L., Hwang, D., Hodjat, A., Preneel, B., Verbauwhede, I.: Hardware/Software Co-design for Hyperelliptic Curve Cryptography (HECC) on the 8051 \(\mu P\). In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 106–118. Springer, Heidelberg (2005). https://www.iacr.org/archive/ches2005/008.pdf CrossRefGoogle Scholar
  6. 6.
    Hodjat, A., Batina, L., Hwang, D., Verbauwhede, I.: HW/SW co-design of a hyperelliptic curve cryptosystem using amicrocode instruction set coprocessor. Integr. VLSI J. 40, 45–51 (2007). https://www.cosic.esat.kuleuven.be/publications/article-622.pdf CrossRefGoogle Scholar
  7. 7.
    Düll, M., Haase, B., Hinterwälder, G., Hutter, M., Paar, C., Sánchez, A.H., Schwabe, P.: High-speed curve25519 on 8-bit, 16-bit and 32-bit microcontrollers. Des. Codes Crypt. 77, 493–514 (2015). http://cryptojedi.org/papers/#mu25519 MathSciNetCrossRefMATHGoogle Scholar
  8. 8.
    Costello, C., Chung, P.N., Smith, B.: Fast, uniform, and compact scalar multiplication for elliptic curves and genus 2 Jacobians with applications to signature schemes.Cryptology ePrint Archive, Report 2015/983 (2015). https://eprint.iacr.org/2015/983
  9. 9.
    Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2, 77–89 (2012). https://cryptojedi.org/papers/ed25519 CrossRefMATHGoogle Scholar
  10. 10.
    Nascimento, E., López, J., Dahab, R.: Efficient and secure elliptic curve cryptography for 8-bit AVR microcontrollers. In: Chakraborty, R.S., Schwabe, P., Solworth, J. (eds.) SPACE 2015. LNCS, vol. 9354, pp. 289–309. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  11. 11.
    Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)Google Scholar
  12. 12.
    Dworkin, M.J.:SHA-3 standard: Permutation-based hash and extendable-outputfunctions.Technical report, National Institute of Standards and Technology(NIST) (2015). http://www.nist.gov/manuscript-publication-search.cfm?pub_id=919061
  13. 13.
    Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight securityreductions.In: Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS 2003, pp. 155–164. ACM (2003). https://www.cs.umd.edu/~jkatz/papers/CCCS03_sigs.pdf
  14. 14.
    Vitek, J., Naccache, D., Pointcheval, D., Vaudenay, S.: Computational alternatives to random number generators. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 72–80. Springer, Heidelberg (1999). https://www.di.ens.fr/ pointche/Documents/Papers/1998_sac.pdf CrossRefGoogle Scholar
  15. 15.
    Bernstein, D.J.: Differential addition chains (2006). http://cr.yp.to/ecdh/diffchain-20060219.pdf
  16. 16.
    Stam, M.: Speeding up subgroup cryptosystems. Ph.D. thesis, Technische Universiteit Eindhoven (2003). http://alexandria.tue.nl/extra2/200311829.pdf?q=subgroup
  17. 17.
    Hutter, M., Schwabe, P.: Multiprecision multiplication on AVR revisited. J. Cryptogr. Eng. 5, 201–214 (2015). http://cryptojedi.org/papers/#avrmul
  18. 18.
    Gaudry, P., Schost, E.: Genus 2 point counting over prime fields. J Symb Comput 47, 368–400 (2012). https://cs.uwaterloo.ca/~eschost/publications/countg2.pdf
  19. 19.
    Hisil, H., Costello, C.: Jacobian coordinates on genus 2 curves. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 338–357. Springer, Heidelberg (2014). https://eprint.iacr.org/2014/385.pdf Google Scholar
  20. 20.
    Stahlke, C.: Point compression on jacobians of hyperelliptic curves over\(\mathbb{F}_q\).Cryptology ePrint Archive, Report 2004/030 (2004). https://eprint.iacr.org/2004/030
  21. 21.
    Chudnovsky, D.V., Chudnovsky, G.V.: Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Adv. Appl. Math. 7, 385–434 (1986)MathSciNetCrossRefMATHGoogle Scholar
  22. 22.
    Cosset, R.: Applications of theta functions for hyperelliptic curvecryptography.Ph.D. thesis, Université Henri Poincaré - Nancy I (2011). https://tel.archives-ouvertes.fr/tel-00642951/file/main.pdf
  23. 23.
    Gaudry, P.: Fast genus 2 arithmetic based on theta functions. J. Math. Cryptol. 1, 243–265 (2007). https://eprint.iacr.org/2005/314/ MathSciNetCrossRefMATHGoogle Scholar
  24. 24.
    López, J., Dahab, R.: Fast multiplication on elliptic curves over \(GF\)(2\(_{\rm m}\)) without precomputation. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 316–327. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  25. 25.
    Okeya, K., Sakurai, K.: Efficient elliptic curve cryptosystems from a scalar multiplication algorithm with recovery of the \(y\)-Coordinate on a Montgomery-Form Elliptic Curve. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 126–141. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  26. 26.
    Brier, E., Joye, M.: Weierstra elliptic curves and side-channel attacks. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 335–345. Springer, Heidelberg (2002). http://link.springer.com/content/pdf/10.1007%2F3-540-45664-3_24.pdf
  27. 27.
    Cassels, J.W.S., Flynn, E.V.: Prolegomena to a Middlebrow Arithmetic of Curves of Genus 2, vol. 230. Cambridge University Press, Cambridge (1996)CrossRefMATHGoogle Scholar
  28. 28.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: The keccak sponge function family (2016). http://keccak.noekeon.org/
  29. 29.
    Liu, Z., Wenger, E., Großschädl, J.: MoTE-ECC: energy-scalable elliptic curve cryptography for wireless sensor networks. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 361–379. Springer, Heidelberg (2014). https://online.tugraz.at/tug_online/voe_main2.getvolltext?pCurrPk=77985 Google Scholar
  30. 30.
    Hutter, M., Schwabe, P.: NaCl on 8-bit AVR microcontrollers. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 156–172. Springer, Heidelberg (2013). http://cryptojedi.org/papers/#avrnacl
  31. 31.
    Wenger, E., Unterluggauer, T., Werner, M.: 8/16/32 shades of elliptic curve cryptography on embedded processors. In: Paul, G., Vaudenay, S. (eds.) INDOCRYPT 2013. LNCS, vol. 8250, pp. 244–261. Springer, Heidelberg (2013). https://online.tugraz.at/tug_online/voe_main2.getvolltext?pCurrPk=72486 CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Joost Renes
    • 1
  • Peter Schwabe
    • 1
  • Benjamin Smith
    • 2
  • Lejla Batina
    • 1
  1. 1.Digital Security GroupRadboud UniversityNijmegenThe Netherlands
  2. 2.INRIA and Laboratoire d’Informatique de l’École polytechnique (LIX)PalaiseauFrance

Personalised recommendations