In this work we analyse the GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) which uses a fast endomorphism Φ with minimal polynomial X² + rX + s to compute any multiple kP of a point P of order n lying on an elliptic curve. First we fill in a gap in the proof of the bound of the kernel K vectors of the reduction map f : (i, j) → i + λj (mod n). In particular, we prove the GLV decomposition with explicit constant. Next we improve on this bound and give the best constant in the given examples for the quantity sup_{k,n} max{|k1|, |k2|}/√n. Independently Park, Jeong, Kim, and Lim (PKC 2002) have given similar but slightly weaker bounds. Finally we provide the first explicit bounds for the GLV method generalised to hyperelliptic curves as described in Park, Jeong and Lim (EUROCRYPT 2002).
Abstract. The GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) computes any multiple kP of a point P of prime order n lying on an elliptic curve with a low-degree endomorphism Φ (called GLV curve) over F_p as kP = k1P + k2Φ(P), with max{|k1|, |k2|} ≤ C1√n for some explicit constant C1 > 0. Recently, Galbraith, Lin and Scott (EUROCRYPT 2009) extended this method to all curves over F_{p^2} which are twists of curves defined over F_p. We show in this work how to merge the two approaches in order to get, for twists of any GLV curve over F_{p^2}, a four-dimensional decomposition together with fast endomorphisms Φ, Ψ over F_{p^2} acting on the group generated by a point P of prime order n, resulting in a proven decomposition for any scalar k ∈ [1, n] given by for some explicit C2 > 0. Remarkably, taking the best C1, C2, we obtain C2/C1 < 412, independently of the curve, ensuring in theory an almost constant relative speedup. In practice, our experiments reveal that the use of the merged GLV-GLS approach supports a scalar multiplication that runs up to 50% faster than the original GLV method. We then improve this performance even further by exploiting the Twisted Edwards model and show that curves originally slower may become extremely efficient on this model. In addition, we analyze the performance of the method on a multicore setting and describe how to efficiently protect GLV-based scalar multiplication against several side-channel attacks. Our implementations improve the state-of-the-art performance of point multiplication for a variety of scenarios including side-channel protected and unprotected cases with sequential and multicore execution.
Dedicated to Preda Mihăilescu on occasion of the birth of his daughter Seraina. Abstract. Let E be an elliptic curve defined over F_{2^n}. The inverse operation of point doubling, called point halving, can be done up to three times as fast as doubling. Some authors have therefore proposed to perform a scalar multiplication by a "halve-and-add" algorithm, which is faster than the classical double-and-add method. If the coefficients of the equation defining the curve lie in a small subfield of F_{2^n}, one can use the Frobenius endomorphism τ of the field extension to replace doublings. Since the cost of τ is negligible if normal bases are used, the scalar multiplication is written in "base τ" and the resulting "τ-and-add" algorithm gives very good performance. For elliptic Koblitz curves, this work combines the two ideas for the first time to achieve a novel decomposition of the scalar. This gives a new scalar multiplication algorithm which is up to 14.29% faster than the Frobenius method, without any additional precomputation.
Abstract. It has been recently acknowledged [4,6,9] that the use of double bases representations of scalars n, that is an expression of the form n = Σ_{e,s,t} (−1)^e A^s B^t, can speed up significantly scalar multiplication on those elliptic curves where multiplication by one base (say B) is fast. This is the case in particular of Koblitz curves and supersingular curves, where scalar multiplication can now be achieved in o(log n) curve additions. Previous literature dealt basically with supersingular curves (in characteristic 3, although the methods can be easily extended to arbitrary characteristic), where A, B ∈ N. Only [4] attempted to provide a similar method for Koblitz curves, where at least one base must be non-real, although their method does not seem practical for cryptographic sizes (it is only asymptotic), since the constants involved are too large. We provide here a unifying theory by proposing an alternate recoding algorithm which works in all cases with optimal constants. Furthermore, it can also solve the until now untreatable case where both A and B are non-real. The resulting scalar multiplication method is then compared to standard methods for Koblitz curves. It runs in less than log n / log log n elliptic curve additions, and is faster than any given method with similar storage requirements already on the curve K-163, with larger improvements as the size of the curve increases, surpassing 50% with respect to the τ-NAF for the curves K-409 and K-571. With respect to windowed methods, which can approach our speed but require O(log(n) / log log(n)) precomputations for optimal parameters, we offer the advantage of a fixed, small memory footprint, as we need storage for at most two additional points.