2014
DOI: 10.1007/978-3-642-55220-5_11

Faster Compact Diffie–Hellman: Endomorphisms on the x-line

Abstract: We describe an implementation of fast elliptic curve scalar multiplication, optimized for Diffie-Hellman Key Exchange at the 128-bit security level. The algorithms are compact (using only x-coordinates), run in constant time with uniform execution patterns, and do not distinguish between the curve and its quadratic twist; they thus have a built-in measure of side-channel resistance. (For comparison, we also implement two faster but non-constant-time algorithms.) The core of our construction is a suite…

Cited by 26 publications (27 citation statements); references 29 publications.
“…Our speeds also solidly beat all available ECC software, including [8], [11], and [17]; solidly beat the Sandy Bridge/Ivy Bridge ECC speeds claimed in [28], [32], and [35]; and are even faster than the previous Sandy Bridge/Ivy Bridge DH record claimed in [19], namely 96000/92000 cycles using unpublished software for GLV+GLS ECC. The only high-security DH speed faster than ours in the literature is the 60000 Haswell cycles claimed in [35] for a GLS curve over a binary field.…”
Section: Introduction (supporting, confidence: 73%)
“…Of course, the security assessment above was aided by the availability of the source code from [13] and [17]. For comparison, the public has no easy way to check the "constant time" claims for the software in [19], so for users the only safe assumption is that the claims are not correct.…”
Section: Introduction (mentioning, confidence: 99%)
“…In [18] we see that E is equipped with an efficiently computable endomorphism ψ of degree 2p, which acts on $E(\mathbb{F}_{p^2})[r]$ as $[\lambda]$ where $\lambda^2 \equiv -2 \pmod{r}$. The classic Gallant-Lambert-Vanstone (GLV) technique [25] could be used to compute 1-dimensional scalar multiplications $[k]P$ as 2-dimensional multiplications $[m]P \oplus [n](\psi(P))$, with m and n of roughly 128 bits.…”
Section: Higher-dimensional Ladder Analogues (mentioning, confidence: 99%)
“…We leave a gap between our radix and $2^{32}$ to speed up multiplications, as explained above, but this makes computation of x mod p quite painful for the NIST primes p. The NIST primes are also suitable for a much smaller radix, namely $2^{16}$, but that radix would make our multiplications considerably slower.…”
Section: 2 (mentioning, confidence: 99%)
“…See, for example, the recent DH software from [24], [32], [13], [19], and [16]. However, a corner of the DH literature uses a smaller radix, with the goal of delaying carries, the same way that hardware multipliers typically use carry-save adders.…”
Section: Introduction (mentioning, confidence: 99%)