Analyzing the Galbraith-Lin-Scott Point Multiplication Method for Elliptic Curves over Binary Fields

Hankerson, Darrel; Karabina, Koray; Menezes, Alfred

doi:10.1109/tc.2009.61

Cited by 44 publications

(26 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Later, in [16] Galbraith et al showed how to exploit the Frobenius endomorphism to enable the use of the GLV approach on a wider set of curves defined over the quadratic extension field F p 2 . Since then, significant research has been performed to improve the performance [30,24] and to explore the applicability to other settings [20,35] or to higher dimensions on genus one curves [24,31,18] and genus two curves [8,9,18]. Unfortunately, most of the work and comparisons with other approaches have been carried out with unprotected algorithms and implementations.…”

Section: Introductionmentioning

confidence: 99%

“…Moreover, it does not require dummy operations, making it resilient to safe-error attacks [42,43], and can be used as basis for realizing constanttime implementations that guard against timing attacks [26,11,2,36]. In addition, we present different variants of the technique that are intended for different scenarios exploiting simple or complex GLV decompositions, and thus provide algorithms that have broad applicability to many settings using GLV, GLS, or a combination of both [16,20,30,24,31,35,8,9,18,39]. In comparison with the best previous approaches, the method improves the computing performance especially during the potentially expensive precomputation stage, and allows us to save at least half of the storage requirement for precomputed values without impacting performance.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Faz-Hernández

Longa

Sánchez

2014

Topics in Cryptology – CT-RSA 2014

View full text Add to dashboard Cite

We propose efficient algorithms and formulas that improve the performance of side channel protected elliptic curve computations with special focus on scalar multiplication exploiting the Gallant-Lambert-Vanstone (CRYPTO 2001) and Galbraith-Lin-Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.'s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we propose an efficient, sidechannel protected algorithm for fixed-base scalar multiplication which combines Feng et al.'s recoding with Lim-Lee's comb method. Thirdly, we propose an efficient technique that interleaves ARM and NEON-based multiprecision operations over an extension field to improve performance of GLS curves on modern ARM processors. Finally, we showcase the efficiency of the proposed techniques by implementing a state-of-the-art GLV-GLS curve in twisted Edwards form defined over F p 2 , which supports a four dimensional decomposition of the scalar and is fully protected against timing attacks. Analysis and performance results are reported for modern x64 and ARM processors. For instance, we compute a variable-base scalar multiplication in 89,000 and 244,000 cycles on an Intel Ivy Bridge and an ARM Cortex-A15 processor (respect.); using a precomputed table of 6KB, we compute a fixed-base scalar multiplication in 49,000 and 116,000 cycles (respect.); and using a precomputed table of 3KB, we compute a double scalar multiplication in 115,000 and 285,000 cycles (respect.). The proposed techniques represent an important improvement of the state-ofthe-art performance of elliptic curve computations, and allow us to set new speed records in several modern processors. The techniques also reduce the cost of adding protection against timing attacks in the computation of GLV-based variable-base scalar multiplication to below 10%. This work is the extended version of a publication that appeared at CT-RSA 2014 [12].

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Faz-Hernández

Longa

Sánchez

2014

Topics in Cryptology – CT-RSA 2014

View full text Add to dashboard Cite

show abstract

“…In a quadratic extension, the equation λ 2 + λ = c + Tr(c) can be solved for c = c 0 + c 1 u ∈ F 2 2 m by computing two half-traces in F 2 m , as described in [20]. First, solve λ 2 1 + λ 1 = c 1 to obtain λ 1 , and then solve …”

Section: Implementation Aspectsmentioning

confidence: 99%

Binary Elligator Squared

Aranha

Fouque

Qian

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Applications of elliptic curve cryptography to anonymity, privacy and censorship circumvention call for methods to represent uniformly random points on elliptic curves as uniformly random bit strings, so that, for example, ECC network traffic can masquerade as random traffic.At ACM CCS 2013, Bernstein et al. proposed an efficient approach, called "Elligator," to solving this problem for arbitrary elliptic curve-based cryptographic protocols, based on the use of efficiently invertible maps to elliptic curves. Unfortunately, such invertible maps are only known to exist for certain classes of curves, excluding in particular curves of prime order and curves over binary fields. A variant of this approach, "Elligator Squared," was later proposed by Tibouchi (FC 2014) supporting not necessarily injective encodings to elliptic curves (and hence a much larger class of curves), but, although some rough efficiency estimates were provided, it was not clear how an actual implementation of that approach would perform in practice.In this paper, we show that Elligator Squared can indeed be implemented very efficiently with a suitable choice of curve encodings. More precisely, we consider the binary curve setting (which was not discussed in Tibouchi's paper), and implement the Elligator Squared bit string representation algorithm based on a suitably optimized version of the Shallue-van de Woestijne characteristic 2 encoding, which we show can be computed using only multiplications, trace and half-trace computations, and a few inversions.On the fast binary curve of Oliveira et al. (CHES 2013), our implementation runs in an average of only 22850 Haswell cycles, making uniform bit string representations possible for a very reasonable overhead-much smaller even than Elligator on Edwards curves.As a side contribution, we also compare implementations of Elligator and Elligator Squared on a curve supported by Elligator, namely Curve25519. We find that generating a random point and its uniform bitstring representation is around 35-40% faster with Elligator for protocols using a fixed base point (such as static ECDH), but 30-35% faster with Elligator Squared in the case of a variable base point (such as ElGamal encryption). Both are significantly slower than our binary curve implementation.

show abstract

“…There is an efficient point halving algorithm for binary fields [1,5,8,9,10] that is used to perform efficient scalar multiplication for elliptic curves over binary fields. However, there is no known point halving algorithm for elliptic curves defined over prime fields [11].…”

Section: Binary Division Algorithmmentioning

confidence: 99%

Binary Division Attack for Elliptic Curve Discrete Logarithm Problem

Verkhovsky

Polyakov

2014

TNC

View full text Add to dashboard Cite

Elliptic curve cryptography (ECC) is an approach to public key cryptography (PKC) that is based on algebraic operations with elliptic curves defined over finite fields. Security of elliptic curve cryptography is based on the hardness of the elliptic curve discrete logarithm problem (ECDLP). Although there is no theoretical proof that ECDLP is intractable, no general-purpose sub-exponential running time algorithm has been found for solving the ECDLP if the elliptic curve parameters are chosen properly. In this study, we develop a new security attack based on the binary division of elliptic curve points over prime fields that may be used to solve the ECDLP when the order q of elliptic curve satisfies the congruence q = 2 (mod 4). To perform the binary division, we devise a novel algorithm of point halving on elliptic curves defined over prime fields that applies to the cases when q = 1 (mod 2) and q = 2 (mod 4). The binary division attack has exponential worst-case asymptotic time complexity but in certain practical cases can be used to solve the ECDLP in a relatively efficient way. We therefore make a recommendation to avoid the case of q = 2 (mod 4) in elliptic curve cryptosystems.

show abstract

Analyzing the Galbraith-Lin-Scott Point Multiplication Method for Elliptic Curves over Binary Fields

Cited by 44 publications

References 30 publications

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Binary Elligator Squared

Binary Division Attack for Elliptic Curve Discrete Logarithm Problem

Contact Info

Product

Resources

About