Four-Dimensional Gallant-Lambert-Vanstone Scalar Multiplication

  • Patrick Longa
  • Francesco Sica
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7658)

Abstract

The GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) computes any multiple kP of a point P of prime order n lying on an elliptic curve with a low-degree endomorphism Φ (called GLV curve) over \(\mathbb{F}_p\) as \(kP = k_1P + k_2\Phi(P), \text{with } \max\{|k_1|,|k_2|\}\leq C_1\sqrt n\), for some explicit constant C1 > 0. Recently, Galbraith, Lin and Scott (EUROCRYPT 2009) extended this method to all curves over \(\mathbb{F}_{p^2}\) which are twists of curves defined over \(\mathbb{F}_p\). We show in this work how to merge the two approaches in order to get, for twists of any GLV curve over \(\mathbb{F}_{p^2}\), a four-dimensional decomposition together with fast endomorphisms Φ, Ψ over \(\mathbb{F}_{p^2}\) acting on the group generated by a point P of prime order n, resulting in a proven decomposition for any scalar k ∈ [1,n] given by kP = k1P + k2Φ(P) + k3Ψ(P) + k4ΨΦ(P)  with max i (|ki|) < C2n1/4, for some explicit C2 > 0. Remarkably, taking the best C1, C2, we obtain C2/C1 < 412, independently of the curve, ensuring in theory an almost constant relative speedup. In practice, our experiments reveal that the use of the merged GLV-GLS approach supports a scalar multiplication that runs up to 50% times faster than the original GLV method. We then improve this performance even further by exploiting the Twisted Edwards model and show that curves originally slower may become extremely efficient on this model. In addition, we analyze the performance of the method on a multicore setting and describe how to efficiently protect GLV-based scalar multiplication against several side-channel attacks. Our implementations improve the state-of-the-art performance of point multiplication for a variety of scenarios including side-channel protected and unprotected cases with sequential and multicore execution.

Keywords

Elliptic curves GLV-GLS method scalar multiplication Twisted Edwards curve side-channel protection multicore computation 

References

  1. 1.
    Aranha, D.F., Faz-Hernández, A., López, J., Rodríguez-Henríquez, F.: Faster Implementation of Scalar Multiplication on Koblitz Curves. In: Hevia, A., Neven, G. (eds.) LatinCrypt 2012. LNCS, vol. 7533, pp. 177–193. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  2. 2.
    Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards Curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-Speed High-Security Signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 124–142. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Brumley, D., Boneh, D.: Remote timing attacks are practical. In: Mangard, S., Standaert, F.-X. (eds.) Proceedings of the 12th USENIX Security Symposium. LNCS, vol. 6225, pp. 80–94. Springer (2003)Google Scholar
  5. 5.
    Cohen, H.: A Course in Computational Algebraic Number Theory. Graduate Texts in Mathematics, vol. 138. Springer (1996)Google Scholar
  6. 6.
    Cornacchia, G.: Su di un metodo per la risoluzione in numeri interi dell’equazione \(\sum_{h=0}^nC_hx^{n-h}y^h=P\). Giornale di Mathematiche di Battaglini 46, 33–90 (1908)Google Scholar
  7. 7.
    Edwards, H.: A normal form for elliptic curves. Bulletin of the American Mathematical Society 44, 393–422 (2007)MATHCrossRefGoogle Scholar
  8. 8.
    Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for Faster Elliptic Curve Cryptography on a Large Class of Curves. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 518–535. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  9. 9.
    Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. Cryptology 24(3), 446–469 (2011)MathSciNetMATHCrossRefGoogle Scholar
  10. 10.
    Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  11. 11.
    Hamburg, M.: Fast and compact elliptic-curve cryptography. Cryptology ePrint Archive, Report 2012/309 (2012), http://eprint.iacr.org/2012/309
  12. 12.
    Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted Edwards Curves Revisited. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 326–343. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    Hu, Z., Longa, P., Xu, M.: Implementing 4-dimensional GLV method on GLS elliptic curves with j-invariant 0. Designs, Codes and Cryptography 63(3), 331–343 (2012); also in Cryptology ePrint Archive, Report 2011/315, http://eprint.iacr.org/2011/315 MathSciNetMATHCrossRefGoogle Scholar
  14. 14.
    Joye, M., Tunstall, M.: Exponent Recoding and Regular Exponentiation Algorithms. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 334–349. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  15. 15.
    Kasper, E.: Fast elliptic curve cryptography in openssl. In: 2nd Workshop on Real-Life Cryptographic Protocols and Standardization (2011)Google Scholar
  16. 16.
    Kocher, P.C.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  17. 17.
    Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Ann. 261, 513–534 (1982)Google Scholar
  18. 18.
    Longa, P.: High-speed elliptic curve and pairing-based cryptography. PhD thesis, University of Waterloo (2011), http://hdl.handle.net/10012/5857
  19. 19.
    Longa, P., Gebotys, C.: Efficient Techniques for High-Speed Elliptic Curve Cryptography. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 80–94. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  20. 20.
    Longa, P., Miri, A.: New Composite Operations and Precomputation Scheme for Elliptic Curve Cryptosystems over Prime Fields. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 229–247. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  21. 21.
    Longa, P., Sica, F.: Four-dimensional Gallant-Lambert-Vanstone scalar multiplication (full version). Cryptology ePrint Archive, Report 2011/608 (2012), http://eprint.iacr.org/2011/608
  22. 22.
    Morain, F.: Courbes elliptiques et tests de primalité. PhD thesis, Université de Lyon I (1990), http://www.lix.polytechnique.fr/Articles/english.html; Chapter 2: On Cornacchia’s algorithm (joint with J-L. Nicolas)
  23. 23.
    Nguyên, P.Q., Stehlé, D.: Low-Dimensional Lattice Basis Reduction Revisited. In: Buell, D.A. (ed.) ANTS 2004. LNCS, vol. 3076, pp. 338–357. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  24. 24.
    Okeya, K., Takagi, T.: The Width-w NAF Method Provides Small Memory and Fast Elliptic Scalar Multiplications Secure against Side Channel Attacks. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 328–342. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  25. 25.
    Sica, F., Ciet, M., Quisquater, J.-J.: Analysis of the Gallant-Lambert-Vanstone Method Based on Efficient Endomorphisms: Elliptic and Hyperelliptic Curves. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 21–36. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  26. 26.
    Stark, H.M.: Class-numbers of Complex Quadratic Fields. In: Modular functions of one variable, I (Proc. Internat. Summer School, Univ. Antwerp, Antwerp, 1972). Lecture Notes in Mathematics, vol. 320, pp. 153–174. Springer, Berlin (1973)Google Scholar
  27. 27.
    Taverne, J., Faz-Hernández, A., Aranha, D.F., Rodríguez-Henríquez, F., Hankerson, D., López, J.: Software Implementation of Binary Elliptic Curves: Impact of the Carry-Less Multiplier on Scalar Multiplication. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 108–123. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  28. 28.
    Zhou, Z., Hu, Z., Xu, M., Song, W.: Efficient 3-dimensional GLV method for faster point multiplication on some GLS elliptic curves. Inf. Proc. Lett. 77(262), 1075–1104 (2010)MathSciNetGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Patrick Longa
    • 1
  • Francesco Sica
    • 2
  1. 1.Microsoft ResearchUSA
  2. 2.Nazarbayev UniversityKazakhstan

Personalised recommendations