
Euclidean addition chains scalar multiplication on curves with efficient endomorphism

Regular Paper, Journal of Cryptographic Engineering

Abstract

Random Euclidean addition chain generation has proven to be an efficient, low-memory and SPA-secure alternative to standard ECC scalar multiplication methods in the fixed-base-point setting (Herbaut et al. in Progress in Cryptology-INDOCRYPT 2010, volume 6498 of LNCS. Springer, Berlin, pp 238–261, 2010). In this work, we show how to generalize this method to random-point scalar multiplication on elliptic curves with an efficiently computable endomorphism. In order to do so, we generalize the results of [21] relating random Euclidean chain generation to the distribution of the elliptic curve points obtained from those chains. We propose a software implementation of our method on various platforms to illustrate the impact of our approach. To this end, we provide a comprehensive study of the practical computational cost of the modular multiplication when using the standard Java and C libraries for large-integer arithmetic.
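The chain-based multiplication the abstract describes, as an added illustration (not code from the paper or its GitHub repository): a two-register addition-chain walk of the kind [21] uses, run on a constructed toy curve y² = x³ + 3 over F_7 with the endomorphism φ(x, y) = (βx, y), so that starting the walk from (P, φ(P)) instead of (P, 2P) yields aP + bφ(P) = (a + λb)P. The start pair, the step rule, the toy parameters and every function name are assumptions of this example; the paper's co-Z formulas and its distribution results are not reproduced.

```python
# Added illustration (not the paper's code): the EAC walk of [21] on a constructed toy
# curve y^2 = x^3 + 3 over F_7 (13 points) with endomorphism phi(x, y) = (beta*x, y).
P_MOD = 7                     # p = 1 mod 3, so a primitive cube root of unity beta exists
G = (1, 2)                    # base point: 2^2 = 1^3 + 3 mod 7
BETA = next(b for b in range(2, P_MOD) if pow(b, 3, P_MOD) == 1)
def ec_add(P, Q):
    """Affine addition on y^2 = x^3 + b over F_p (a = 0); None is the point at infinity."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                           # P + (-P)
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, P_MOD - 2, P_MOD)     # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD)     # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mul(k, P):
    """Reference double-and-add, used only to check what a chain computed."""
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, P)
    return R

def phi(P):                   # the endomorphism: one field multiplication, equals LAMBDA*P
    return None if P is None else (BETA * P[0] % P_MOD, P[1])

def point_order(P):
    k, Q = 1, P
    while Q is not None:
        Q, k = ec_add(Q, P), k + 1
    return k

N = point_order(G)                                                 # prime, 13
LAMBDA = next(l for l in range(N) if scalar_mul(l, G) == phi(G))   # eigenvalue of phi mod N
def eac_walk(chain, u, v, add):
    """Walk an EAC (bit sequence): u <- u + v, and v <- old u (bit 0) or old v (bit 1)."""
    for bit in chain:
        u, v = add(u, v), (u if bit == 0 else v)
    return u

def eac_mul_with_endo(chain, P):
    """Walk the chain from (P, phi(P)) to get Q = a*P + b*phi(P); the integer pair (a, b)
    is walked in parallel, so the scalar the chain selected is k = a + LAMBDA*b mod N."""
    a, b = eac_walk(chain, (1, 0), (0, 1), lambda s, t: (s[0] + t[0], s[1] + t[1]))
    return (a + LAMBDA * b) % N, eac_walk(chain, P, phi(P), ec_add)
```

Starting from (P, φ(P)) is what lets a random chain select a scalar k = a + λb mod N for an arbitrary base point P, which is why eac_mul_with_endo returns k alongside the point so the result can be checked against scalar_mul(k, P); the walk itself uses only point additions, never a doubling.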


References

  1. Acıiçmez, O., Brumley, B.B., Grabher, P.: New results on instruction cache attacks. In: Proceedings of CHES (2010)

  2. Baldwin, B., Goundar, R.R., Hamilton, M., Marnane, W.P.: Co-Z ECC scalar multiplications for hardware, software and hardware-software co-design on embedded systems. J. Cryptogr. Eng. 2(4), 221–240 (2012)

  3. Benger, N., van de Pol, J., Smart, N.P., Yarom, Y.: "Ooh aah... just a little bit": a small amount of side channel can go a long way. In: Proceedings of CHES 2014, volume 8731 of LNCS, pp. 75–92. Springer (2014)

  4. Bernstein, D.J., Lange, T.: Explicit-Formulas Database. https://www.hyperelliptic.org/EFD/

  5. Brauer, A.: On addition chains. Bull. Am. Math. Soc. 45(10), 736–739 (1939)

  6. Brumley, B.B.: Faster software for fast endomorphisms. In: Constructive Side-Channel Analysis and Secure Design—6th International Workshop, COSADE 2015, pp. 127–140 (2015)

  7. Brumley, B.B., Hakala, R.M.: Cache-timing template attacks. In: Advances in Cryptology—ASIACRYPT 2009, pp. 667–684. Springer, Berlin (2009)

  8. Cohen, H., Frey, G., Avanzi, R.M., Doche, C., Lange, T., Nguyen, K., Vercauteren, F.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. Chapman & Hall/CRC, Boca Raton (2006)

  9. Costello, C., Hisil, H., Smith, B.: Faster compact Diffie–Hellman: endomorphisms on the x-line. In: Advances in Cryptology—EUROCRYPT 2014, pp. 183–200. Springer (2014)

  10. Costello, C., Longa, P.: Four\(\mathbb{Q}\): four-dimensional decompositions on a \(\mathbb{Q}\)-curve over the Mersenne prime. In: Advances in Cryptology—ASIACRYPT 2015, Part I, pp. 214–235. Springer, Berlin (2015)

  11. Sica, F., Ciet, M., Quisquater, J.-J.: Analysis of the Gallant–Lambert–Vanstone method based on efficient endomorphisms: elliptic and hyperelliptic curves. In: Selected Areas in Cryptography, volume 2595 of LNCS, pp. 21–36. Springer (2003)

  12. Faz-Hernández, A., Longa, P., Sánchez, A.H.: Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves (extended version). J. Cryptogr. Eng. 5(1), 31–52 (2015)

  13. Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. Cryptol. 24(3), 446–469 (2011)

  14. Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. In: Advances in Cryptology—EUROCRYPT 2009, volume 5479 of LNCS, pp. 518–535. Springer, Berlin (2009)

  15. Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Advances in Cryptology—CRYPTO 2001, volume 2139 of LNCS, pp. 190–200. Springer (2001)

  16. Goundar, R.R., Joye, M., Miyaji, A.: Co-Z addition formulae and binary ladders on elliptic curves (extended abstract). In: Cryptographic Hardware and Embedded Systems—CHES 2010, pp. 65–79 (2010)

  17. Goundar, R.R., Joye, M.: Inversion-free arithmetic on elliptic curves through isomorphisms. J. Cryptogr. Eng. 6, 1–13 (2016)

  18. Goundar, R.R., Joye, M., Miyaji, A., Rivain, M., Venelli, A.: Scalar multiplication on Weierstraß elliptic curves from co-Z arithmetic. J. Cryptogr. Eng. 1(2), 161–176 (2011)

  19. Guillevic, A., Ionica, S.: Four-dimensional GLV via the Weil restriction. In: Advances in Cryptology—ASIACRYPT 2013, pp. 79–96 (2013)

  20. Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer, Berlin (2004)

  21. Herbaut, F., Liardet, P.-Y., Méloni, N., Téglia, Y., Véron, P.: Random Euclidean addition chain generation and its application to point multiplication. In: Progress in Cryptology—INDOCRYPT 2010, volume 6498 of LNCS, pp. 238–261. Springer, Heidelberg (2010)

  22. Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted Edwards curves revisited. In: Advances in Cryptology—ASIACRYPT 2008, pp. 326–343. Springer, Berlin (2008)

  23. Hutter, M., Joye, M., Sierra, Y.: Memory-constrained implementations of elliptic curve cryptography in co-Z coordinate representation. In: Progress in Cryptology—AFRICACRYPT 2011, pp. 170–187 (2011)

  24. Käsper, E.: Fast elliptic curve cryptography in OpenSSL. In: Proceedings of the 2011 International Conference on Financial Cryptography and Data Security, FC'11, pp. 27–39. Springer (2012)

  25. Liu, Z., Wang, H., Großschädl, J., Hu, Z., Verbauwhede, I.: VLSI implementation of double-base scalar multiplication on a twisted Edwards curve with an efficiently computable endomorphism. IACR Cryptol. ePrint Arch. 2015, 421 (2015)

  26. Longa, P., Miri, A.: New composite operations and precomputation scheme for elliptic curve cryptosystems over prime fields, pp. 229–247. Springer, Berlin (2008)

  27. Longa, P., Sica, F.: Four-dimensional Gallant–Lambert–Vanstone scalar multiplication. J. Cryptol. 27(2), 248–283 (2014)

  28. Méloni, N.: New point addition formulae for ECC applications. In: Arithmetic of Finite Fields, volume 4547 of LNCS, pp. 189–201. Springer, Berlin (2007)

  29. Möller, B.: Improved techniques for fast exponentiation. In: Information Security and Cryptology—ICISC 2002, volume 2587 of LNCS, pp. 298–312. Springer, Heidelberg (2003)

  30. Montgomery, P.L.: Evaluating recurrences of form \(x_{m+n} = f(x_m, x_n, x_{m-n})\) via Lucas chains (1983). https://cr.yp.to/bib/1992/montgomery-lucas.pdf

  31. Park, Y.-H., Jeong, S., Kim, C., Lim, J.: An alternate decomposition of an integer for faster point multiplication on certain elliptic curves. In: Public Key Cryptography, volume 2274 of LNCS, pp. 323–334. Springer, Heidelberg (2002)

  32. Smith, B.: Families of fast elliptic curves from \(\mathbb{Q}\)-curves. In: Advances in Cryptology—ASIACRYPT 2013, pp. 61–78 (2013)

  33. Solinas, J.A.: Low-weight binary representations for pairs of integers. Technical report, Department of Combinatorics and Optimization, University of Waterloo (2001)

  34. Thurber, E.G.: On addition chains \(l(mn) \le l(n) - b\) and lower bounds for \(c(r)\). Duke Math. J. 40, 907–913 (1973)

  35. Yarom, Y., Falkner, K.: FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 719–732. USENIX Association (2014)


Acknowledgements

We would like to thank the referees for their careful reading and their helpful comments.

Corresponding author

Correspondence to Pascal Véron.

Appendices

Appendix A: Benchmark platforms

All our source code and collected results are available on GitHub: https://github.com/eacElliptic.

The characteristics of the platforms we used for our benchmarks are the following:

  • Android platform: Wiko Cink Peax 2 phone with a MediaTek MT6589 CPU (4-core ARM Cortex-A7, 1.21 GHz), Android 4.1.2, API level 16.

  • Java platform: Intel Core i5-4210U (4 cores, 1.7 GHz, Broadwell technology), JDK 1.7.0_79, Ubuntu 14.04 LTS.

  • C platform: Intel Core i5-4210U (4 cores, 1.7 GHz, Broadwell technology), gcc 5.2.1, GMP 6.1.0, Ubuntu 14.04 LTS.

From various benchmarks, when the CPU models are exactly the same, Broadwell technology appears to outperform Haswell technology by roughly 5 to 10 percent on a given task. Intel Turbo Boost was disabled on the x64 platform so that the processor frequency stays constant.

To collect the various execution results we used the following tools:

  • Android platform: the startMethodTracing() and stopMethodTracing() methods of the Debug class to generate trace logs, and System.currentTimeMillis() to measure execution time;

  • Java platform: the profiler bundled with the NetBeans IDE (v. 8.1) and System.currentTimeMillis();

  • C platform: the clock_gettime() system call with the CLOCK_PROCESS_CPUTIME_ID clock, and taskset to pin the running process to a single processor core.

Appendix B: Algorithms


Appendix C: Anatomy of a modular multiplication

See Figs. 3 and 4.

Fig. 3: Anatomy of a C function computing a modular multiplication over 256-bit integers using GNU MP (obtained from gprof)

Fig. 4: Anatomy of a Java method computing a modular multiplication over 256-bit integers using the Java BigInteger library on an x64 platform (obtained from the NetBeans profiler)


Cite this article

Dosso, Y., Herbaut, F., Méloni, N. et al. Euclidean addition chains scalar multiplication on curves with efficient endomorphism. J Cryptogr Eng 8, 351–367 (2018). https://doi.org/10.1007/s13389-018-0190-0
