Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Faz-Hernández, Armando; Longa, Patrick; Sánchez, Ana H.

doi:10.1007/978-3-319-04852-9_1

Cited by 47 publications

(41 citation statements)

References 37 publications

(120 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our speeds also solidly beat all available ECC software, including [8], [11], and [17]; solidly beat the Sandy Bridge/Ivy Bridge ECC speeds claimed in [28], [32], and [35]; and are even faster than the previous Sandy Bridge/Ivy Bridge DH record claimed in [19], namely 96000/92000 cycles using unpublished software for GLV+GLS ECC. The only high-security DH speed faster than ours in the literature is the 60000 Haswell cycles claimed in [35] for a GLS curve over a binary field.…”

Section: Introductionsupporting

confidence: 73%

“…For comparison, the public has no easy way to check the "constant time" claims for the software in [19], so for users the only safe assumption is that the claims are not correct. If that software is deployed somewhere then an attacker can be expected to do the necessary reverse-engineering work to discover and exploit the timing variability.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Kummer Strikes Back: New DH Speed Records

Bernstein

Chuengsatiansup

Lange

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. This paper introduces high-security constant-time variable-base-point Diffie-Hellman software using just 274593 Cortex-A8 cycles, 91460 Sandy Bridge cycles, 90896 Ivy Bridge cycles, or 72220 Haswell cycles. The only higher speed appearing in the literature for any of these platforms is a claim of 60000 Haswell cycles for unpublished software performing arithmetic on a binary elliptic curve.The new speeds rely on a synergy between (1) state-of-the-art formulas for genus-2 hyperelliptic curves and (2) a modern trend towards vectorization in CPUs. The paper introduces several new techniques for efficient vectorization of Kummer-surface computations.

show abstract

Section: Introductionsupporting

confidence: 73%

Section: Introductionmentioning

confidence: 99%

Kummer Strikes Back: New DH Speed Records

Bernstein

Chuengsatiansup

Lange

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…More specifically, there are scalar recoding algorithms (cf. [24,16]) that seemingly make it possible to implement the Jac1271 or GLV128c routines such that scalar multiplications on random inputs will run in constant time with probability exponentially close to 1. However, in order to guard against active adversaries and to be considered truly constant-time, the routines should be guaranteed to execute identically and run correctly for all combinations of integer scalars and input points; this means the explicit formulas must be able to handle input combinations in J C that are not "general" in the sense of Assumption 1.…”

Section: Methodsmentioning

confidence: 99%

Jacobian Coordinates on Genus 2 Curves

Hışıl

Costello

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. This paper presents a new projective coordinate system and new explicit algorithms which together boost the speed of arithmetic in the divisor class group of genus 2 curves. The proposed formulas generalise the use of Jacobian coordinates on elliptic curves, and their application improves the speed of performing cryptographic scalar multiplications in Jacobians of genus 2 curves over prime fields by an approximate factor of 1.25x. For example, on a single core of an Intel Core i7-3770M (Ivy Bridge), we show that replacing the previous best formulas with our new set improves the cost of generic scalar multiplications from 243,000 to 195,000 cycles, and drops the cost of specialised GLV-style scalar multiplications from 166,000 to 129,000 cycles.

show abstract

“…The authors of [6,12,35] propose ways to speed up cryptography using the NEON vector instructions. Intel's SSE2 vector instruction set extension is used to compute pairings in [15] and multiply big numbers in [21].…”

Section: Related Workmentioning

confidence: 99%

Montgomery Multiplication Using Vector Instructions

Bos

Montgomery

Shumow

et al. 2014

Selected Areas in Cryptography -- SAC 2013

View full text Add to dashboard Cite

Abstract. In this paper we present a parallel approach to compute interleaved Montgomery multiplication. This approach is particularly suitable to be computed on 2-way single instruction, multiple data platforms as can be found on most modern computer architectures in the form of vector instruction set extensions. We have implemented this approach for tablet devices which run the x86 architecture (Intel Atom Z2760) using SSE2 instructions as well as devices which run on the ARM platform (Qualcomm MSM8960, NVIDIA Tegra 3 and 4) using NEON instructions. When instantiating modular exponentiation with this parallel version of Montgomery multiplication we observed a performance increase of more than a factor of 1.5 compared to the sequential implementation in OpenSSL for the classical arithmetic logic unit on the Atom platform for 2048-bit moduli.

show abstract

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Cited by 47 publications

References 37 publications

Kummer Strikes Back: New DH Speed Records

Kummer Strikes Back: New DH Speed Records

Jacobian Coordinates on Genus 2 Curves

Montgomery Multiplication Using Vector Instructions

Contact Info

Product

Resources

About