Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV–GLS curves (extended version)

Abstract

We propose efficient algorithms and formulas that improve the performance of side channel protected elliptic curve computations with special focus on scalar multiplication exploiting the Gallant–Lambert–Vanstone (CRYPTO 2001) and Galbraith–Lin–Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.’s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we propose an efficient, side-channel protected algorithm for fixed-base scalar multiplication which combines Feng et al.’s recoding with Lim-Lee’s comb method. Thirdly, we propose an efficient technique that interleaves ARM and NEON-based multiprecision operations over an extension field to improve performance of GLS curves on modern ARM processors. Finally, we showcase the efficiency of the proposed techniques by implementing a state-of-the-art GLV–GLS curve in twisted Edwards form defined over \(\mathbb {F}_{p^2}\), which supports a four-dimensional decomposition of the scalar and is fully protected against timing attacks. Analysis and performance results are reported for modern \(\times \)64 and ARM processors. For instance, we compute a variable-base scalar multiplication in 89,000 and 244,000 cycles on an Intel Ivy Bridge and an ARM Cortex-A15 processor (respect.); using a precomputed table of 6KB, we compute a fixed-base scalar multiplication in 49,000 and 116,000 cycles (respect.); and using a precomputed table of 3KB, we compute a double-scalar multiplication in 115,000 and 285,000 cycles (respect.). The proposed techniques represent an important improvement of the state-of-the-art performance of elliptic curve computations, and allow us to set new speed records in several modern processors. The techniques also reduce the cost of adding protection against timing attacks in the computation of GLV-based variable-base scalar multiplication to below 10 %. This work is the extended version of a publication that appeared at CT-RSA (Faz-Hernández et al. Topics in Cryptology, CT-RSA 2014, vol. 8366, pp. 1–27 2014).

Appendices

Appendix A: Comb method using the modified LSB-set representation

Let \(t\) be the bitlength of the prime subgroup order \(r\). Assume that \(k \in [1,r-1]\) is partitioned in \(w\) consecutive parts of \(d\) digits each, and each part is partitioned in \(v\) strings of \(e\) digits each, padding \(k\) with \((dw-t)\) zeros to the left, where \(l = dw, d = ev\) and \(e = \lceil t/wv \rceil \). The modified LSB-set representation of \(k\) is given by

$$\begin{aligned} k = c \cdot 2^l + \sum \limits _{i=0}^{l-1} b_i 2^i \equiv (c, b_{l-1}, \ldots , b_0)_{m\text {LSB-set}}, \end{aligned}$$

(2)

where \(b_i \in \{1,-1\}\) for \(0 \le i<d\), and \(b_i \in \{0,b_{i \,\,{\hbox {mod}}\,\, d}\}\) for \(d \le i \le l-1\). If \(wv \mid t\) then the carry bit \(c \in \{0,1\}\). Otherwise, \(c\) is always zero. Disregarding the carry bit, rewrite the representation (2) in matrix form as follows:

$$\begin{aligned} \begin{array}{rcl} k' &{}=&{} k - c \cdot 2^l \\ &{}\equiv &{} \begin{bmatrix} K^0 \\ \vdots \\ K^{w'} \\ \vdots \\ K^{w-1} \end{bmatrix} \equiv \begin{bmatrix} K^0_{v-1} &{}\cdots &{}K^0_{v'} &{}\cdots &{}K^0_0 \\ \vdots &{}&{}\vdots &{}&{}\vdots \\ K^{w'}_{v-1} &{}\cdots &{}K^{w'}_{v'} &{}\cdots &{}K^{w'}_0 \\ \vdots &{}&{}\vdots &{}&{}\vdots \\ K^{w-1}_{v-1} &{}\cdots &{}K^{w-1}_{v'} &{}\cdots &{}K^{w-1}_0 \end{bmatrix}\\ &{}\equiv &{}\displaystyle \sum \limits _{w'=0}^{w-1} K^{w'} 2^{dw'} \end{array}\quad \quad \end{aligned}$$

(3)

where each \(K^{w'}\) consists of \(v\) strings of \(e\) digits each. Let the \(v'\)-th string in a given \(K^{w'}\) be denoted by \(K^{w'}_{v'}\), and the \(e'\)-th digit in a given \(K^{w'}_{v'}\) be denoted by \(K^{w'}_{v',e'}\), such that \(K^{w'}_{v',e'} = b_{dw'+ev'+e'}\). Then, to compute the scalar multiplication, we have

$$\begin{aligned} k'P&= \displaystyle \sum \limits _{w'=0}^{w-1} K^{w'} 2^{dw'} P = \sum \limits _{w'=0}^{w-1} \sum \limits _{v'=0}^{v-1} K^{w'}_{v'} 2^{ev'} 2^{dw'} P\nonumber \\&= \displaystyle \sum \limits _{w'=0}^{w-1} \sum \limits _{v'=0}^{v-1} \sum \limits _{e'=0}^{e-1} K^{w'}_{v',e'} 2^{e'} 2^{ev'} 2^{dw'} P. \end{aligned}$$

(4)

Assuming that \(P[w'] = 2^{dw'} P\) for \(0 \le w' \le w-1\), then

$$\begin{aligned} k'P&= \sum \limits _{e'=0}^{e-1} 2^{e'} \left( \sum \limits _{v'=0}^{v-1} \sum \limits _{w'=0}^{w-1} K^{w'}_{v',e'} 2^{ev'} P[w']\right) \nonumber \\&= \sum \limits _{e'=0}^{e-1} 2^{e'} \left( \sum \limits _{v'=0}^{v-1} 2^{ev'} \left( K^0_{v',e'} P[0] \right. \right. \nonumber \\&\left. \left. + \sum \limits _{w'=1}^{w-1} K^{w'}_{v',e'} P[w']\right) \right) . \end{aligned}$$

(5)

Recall that by definition of the \(m\)LSB-set representation \(K^0_{v',e'} \in \{1,-1\}\) and \(K^{w'}_{v',e'} \in \{0,K^0_{v',e'}\}\) for \(1 \le w' \le w-1\), for a given pair of indices \((v',e')\). Assume that the following values are precomputed for all \(0 \le u < 2^{w-1}\) and \(0 \le v' < v\)

$$\begin{aligned} P[u][v']&= 2^{ev'}(P[0] + u_0 P[1] + \dots + u_{w-2} P[w-1]) \nonumber \\&= 2^{ev'}(1 + u_0 2^d + \ldots + u_{w-2} 2^{(w-1)d}) P, \end{aligned}$$

(6)

where \(u = (u_{w-2}, \ldots , u_0)_2\). Then, \(k'P\) can be rewritten as:

$$\begin{aligned} k'P = \sum \limits _{e'=0}^{e-1} 2^{e'} \left( \sum \limits _{v'=0}^{v-1} s_{v',e'} P[\mathbb {K}_{v',e'}][v'] \right) , \end{aligned}$$

(7)

where digit-columns \(\mathbb {K}_{v',e'} = [K^{w-1}_{v',e'}, \ldots , K^2_{v',e'} , K^1_{v',e'}]\) \(\equiv | K^{w-1}_{v',e'} 2^{w-2} + \cdots + K^2_{v',e'} 2 + K^1_{v',e'} |\), and the sign \(s_{v',e'} = K^0_{v',e'} \in \{1,-1\}\).

Based on Eq. (7), \(k'P\) can be computed from left-to-right using precomputed points (6) together with a variant of the double-and-add algorithm (see Algorithm 5). The final result is obtained after a final correction computing \(kP = k'P + c \cdot 2^{wd}P\) using the precomputed value \(2^{wd}P\).

Appendix B: Formulas for endomorphisms \(\Phi \) and \(\Psi \) on curve Ted127-glv4

Let \(P = (X_1,Y_1,Z_1)\) be a point in homogeneous projective coordinates on a twisted Edwards curve with Eq. (1), \(u = 1+i\) be a quadratic non-residue in \(\mathbb {F}_{p^2}\), and \(\zeta _8 = u/\sqrt{2}\) be a primitive 8th root of unity. Then, we can compute \(\Phi (P) = (X_2,Y_2,Z_2,T_2)\) as follows:

$$\begin{aligned} X_2&= -X_1 \left( \alpha Y_1^2 + \theta Z_1^2 \right) \left[ \mu Y_1^2 - \phi Z_1^2 \right] \\ Y_2&= 2Y_1 Z_1^2 \left[ \phi Y_1^2 + \gamma Z_1^2 \right] \\ Z_2&= 2Y_1 Z_1^2 \left[ \mu Y_1^2 - \phi Z_1^2 \right] \\ T_2&= -X_1 \left( \alpha Y_1^2 + \theta Z_1^2 \right) \left[ \phi Y_1^2 + \gamma Z_1^2 \right] \end{aligned}$$

where \(\alpha = \zeta _8^3 + 2\zeta _8^2 + \zeta _8, \;\theta = \zeta _8^3 - 2\zeta _8^2 + \zeta _8, \;\mu = 2\zeta _8^3 + \zeta _8^2 - 1, \;\gamma = 2\zeta _8^3 - \zeta _8^2 + 1\) and \(\phi = \zeta _8^2 - 1\). For curve Ted127-glv4, we have the fixed values

$$\begin{aligned} \zeta _8&= 1 + Ai,&\mu&= (A-1) + (A+1)i,&\theta&= A + Bi, \\ \alpha&= A + 2i,&\gamma&= (A+1) + (A-1)i,&\phi&= B+1 + i, \end{aligned}$$

where \(A \!=\!143485135153817520976780139629062568752\), \( B = 170141183460469231731687303715884099729\).

Computing an endomorphism \(\Phi \) with the formula above costs \(12m + 2s + 5a\) or only \(8m + 1s + 5a\) if \(Z_1 = 1\). Similarly, we can compute \(\Psi (P) = (X_2,Y_2,Z_2,T_2)\) as follows:

$$\begin{aligned} X_2&= \zeta _8 X_1^p Y_1^p,&Y_2&= Z_1^{p^2},\\ Z_2&= Y_1^p Z_1^p,&T_2&= \zeta _8 X_1^p Z_1^p. \end{aligned}$$

Given the value for \(\zeta _8\) on curve Ted127-glv4 computing an endomorphism \(\Psi \) with the formula above costs approximately \(3m + 1s + 2M + 5A\) or only \(1m + 2M + 4A\) if \(Z_1 = 1\).

Appendix C: Algorithms for quadratic extension field operations exploiting interleaved ARM/NEON operations

Algorithms targeting ARM platforms for multiplication and squaring over \(\mathbb {F}_{p^2}\), with \(p = 2^{127}-c\), are detailed by Algorithms 13 and 14, respectively. These algorithms exploit functions interleaving ARM/NEON-based operations, namely double_mul_neonarm, triple_mul_neonarm and double_red_neonarm, which are detailed in Algorithms 8, 9 and 10, respectively.

Appendix D: Cost of fixed-base scalar multiplication using the \(m\)LSB-set comb method

In Table 6, we present estimated costs in terms of multiplications over \(\mathbb {F}_{p^2}\) per bit for fixed-base scalar multiplication on curve Ted127-glv4 using the \(m\)LSB-set comb method (Algorithm 5). Precomputed points are stored as \((x,y)\) coordinates (“affine”) or as \((x+y, y-x,2t)\) coordinates (“extended”). Best results for a given memory requirement are in bold

Table 6 Cost (in \(\mathbb {F}_{p^2}\) multiplications per bit) of fixed-base scalar multiplication using the \(m\)LSB-set representation on curve Ted127-glv4

Appendix E: Cost of fixed/variable-base double-scalar multiplication on curve Ted127-glv4 using \(w\)NAF with interleaving

In Table 7, we present estimated costs in terms of multiplications over \(\mathbb {F}_{p^2}\) per bit for fixed/variable-base double-scalar multiplication on curve Ted127-glv4 using \(w\)-NAF with interleaving. Precomputations for the fixed base are stored as \((x,y)\) coordinates (“affine”) or as \((x+y, y-x,2t)\) coordinates (“extended”). The window size \(w_{1,j}\) for each sub-scalar \(j\), number of points and memory listed in the first column correspond to requirements for the fixed base. For the variable base, we fix \(w_2=4\), corresponding to the use of 16 precomputed points (see Sect. 6). Best results for a given money requirement are in bold

Table 7 Cost (in \(\mathbb {F}_{p^2}\) multiplications per bit) of fixed/variable-base double-scalar multiplication on curve Ted127-glv4 using \(w\)-NAF with interleaving, \(w_2 = 4\), 16 “ephemeral” precomputed points