Four-Dimensional GLV via the Weil Restriction

Guillevic, Aurore; Ionica, Sorina

doi:10.1007/978-3-642-42033-7_5

Cited by 18 publications

(18 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the case of binary GLS elliptic curves, Oliveira et al [35] report the implementation of a curve exploiting the 2-GLV method. More recently, Guillevic and Ionica [18] show how to exploit the 4-GLV method on certain genus one curves defined over F p 2 and genus two curves defined over F p ; and Smith [39] proposes a new family of elliptic curves that support 2-GLV decompositions.…”

Section: The Glv and Gls Methodsmentioning

confidence: 99%

“…Later, in [16] Galbraith et al showed how to exploit the Frobenius endomorphism to enable the use of the GLV approach on a wider set of curves defined over the quadratic extension field F p 2 . Since then, significant research has been performed to improve the performance [30,24] and to explore the applicability to other settings [20,35] or to higher dimensions on genus one curves [24,31,18] and genus two curves [8,9,18]. Unfortunately, most of the work and comparisons with other approaches have been carried out with unprotected algorithms and implementations.…”

Section: Introductionmentioning

confidence: 99%

“…Moreover, it does not require dummy operations, making it resilient to safe-error attacks [42,43], and can be used as basis for realizing constanttime implementations that guard against timing attacks [26,11,2,36]. In addition, we present different variants of the technique that are intended for different scenarios exploiting simple or complex GLV decompositions, and thus provide algorithms that have broad applicability to many settings using GLV, GLS, or a combination of both [16,20,30,24,31,35,8,9,18,39]. In comparison with the best previous approaches, the method improves the computing performance especially during the potentially expensive precomputation stage, and allows us to save at least half of the storage requirement for precomputed values without impacting performance.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Faz-Hernández

Longa

Sánchez

2014

Topics in Cryptology – CT-RSA 2014

View full text Add to dashboard Cite

We propose efficient algorithms and formulas that improve the performance of side channel protected elliptic curve computations with special focus on scalar multiplication exploiting the Gallant-Lambert-Vanstone (CRYPTO 2001) and Galbraith-Lin-Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.'s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we propose an efficient, sidechannel protected algorithm for fixed-base scalar multiplication which combines Feng et al.'s recoding with Lim-Lee's comb method. Thirdly, we propose an efficient technique that interleaves ARM and NEON-based multiprecision operations over an extension field to improve performance of GLS curves on modern ARM processors. Finally, we showcase the efficiency of the proposed techniques by implementing a state-of-the-art GLV-GLS curve in twisted Edwards form defined over F p 2 , which supports a four dimensional decomposition of the scalar and is fully protected against timing attacks. Analysis and performance results are reported for modern x64 and ARM processors. For instance, we compute a variable-base scalar multiplication in 89,000 and 244,000 cycles on an Intel Ivy Bridge and an ARM Cortex-A15 processor (respect.); using a precomputed table of 6KB, we compute a fixed-base scalar multiplication in 49,000 and 116,000 cycles (respect.); and using a precomputed table of 3KB, we compute a double scalar multiplication in 115,000 and 285,000 cycles (respect.). The proposed techniques represent an important improvement of the state-ofthe-art performance of elliptic curve computations, and allow us to set new speed records in several modern processors. The techniques also reduce the cost of adding protection against timing attacks in the computation of GLV-based variable-base scalar multiplication to below 10%. This work is the extended version of a publication that appeared at CT-RSA 2014 [12].

show abstract

Section: The Glv and Gls Methodsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Faz-Hernández

Longa

Sánchez

2014

Topics in Cryptology – CT-RSA 2014

View full text Add to dashboard Cite

show abstract

“…It has the advantages to make the scalar multiplication regular (one doubling and one addition per scalar bit) and to reduce the storage requirement as only the points P and P + φ(P ) need to be stored. The GLV method has later been extended to a larger set of curves defined over F p 2 [14,32,19,27] which are endowed by more than one endomorphism. In this case additional performance gains can be achieved, whereas it implies the need of more memory.…”

Section: Curve With Efficient Endomorphismmentioning

confidence: 99%

Euclidean addition chains scalar multiplication on curves with efficient endomorphism

et al. 2018

View full text Add to dashboard Cite

To cite this version:Fangan-Yssouf Dosso, Fabien Herbaut, Nicolas Méloni, Pascal Véron. Euclidean addition chains scalar multiplication on curves with efficient endomorphism. Journal of Cryptographic Engineering, Springer, In press, <10.1007/s13389-018-0190-0>. Noname manuscript No. (will be inserted by the editor) Euclidean addition chains scalar multiplication on curves with efficient endomorphismThis is a pre-print of an article published in "Journal of Cryptographic Engineering". The final authenticated version is available online at: https://doi.org/10.1007/s13389-018-0190-0.the date of receipt and acceptance should be inserted later Abstract Random Euclidean addition chain generation has proven to be an efficient low memory and SPA secure alternative to standard ECC scalar multiplication methods in the context of fixed base point [21]. In this work, we show how to generalize this method to random point scalar multiplication on elliptic curves with an efficiently computable endomorphism. In order to do so we generalize results from [21] on the relation of random Euclidean chains generation and elliptic curve point distribution obtained from those chains. We propose a software implementation of our method on various platforms to illustrate the impact of our approach. For that matter, we provide a comprehensive study of the practical computational cost of the modular multiplication when using Java and C standard libraries developed for the arithmetic over large integers.

show abstract

“…Combinations of ρ and ψ may be used for four-dimensional scalar decompositions; for example, the endomorphisms [1], ρ, ψ, ρψ can be used as a basis for the 4-dimensional decomposition techniques elaborated by Longa and Sica in [18]. In fact, reducing these CM fibres modulo a well-chosen p turns out to form a simple alternative construction for some of the curves investigated by Guillevic and Ionica in [14]: the twisted curve E From the point of view of scalar multiplication, using CM fibres of these families allows us to pass from 2-dimensional to 4-dimensional scalar decompositions, with a consequent speedup. However, in restricting to CM fibres we also re-impose the chief drawback of GLV on ourselves: that is, as explained in the introduction, we cannot hope to find secure (and twist-secure) curves over F p 2 when p is fixed.…”

Section: Degree One: Gls As a Degenerate Casementioning

confidence: 99%

Families of Fast Elliptic Curves from ℚ-curves

Smith

2013

Advances in Cryptology - ASIACRYPT 2013

View full text Add to dashboard Cite

Abstract. We construct new families of elliptic curves over F p 2 with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant-LambertVanstone (GLV) and Galbraith-Lin-Scott (GLS) endomorphisms. Our construction is based on reducing quadratic Q-curves (curves defined over quadratic number fields, without complex multiplication, but with isogenies to their Galois conjugates) modulo inert primes. As a first application of the general theory we construct, for every prime p > 3, two one-parameter families of elliptic curves over F p 2 equipped with endomorphisms that are faster than doubling. Like GLS (which appears as a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when p is fixed. Unlike GLS, we also offer the possibility of constructing twist-secure curves. Among our examples are prime-order curves over F p 2 , equipped with fast endomorphisms, and with almostprime-order twists, for the particularly efficient primes p = 2 127 − 1 and p = 2 255 − 19.

show abstract

Four-Dimensional GLV via the Weil Restriction

Cited by 18 publications

References 17 publications

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Euclidean addition chains scalar multiplication on curves with efficient endomorphism

Families of Fast Elliptic Curves from ℚ-curves

Contact Info

Product

Resources

About