Results 1 - 10 of 22
Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves (or Keep Calm ...)
2013
Cited by 22 (5 self)
Abstract
We propose efficient algorithms and formulas that improve the performance of side-channel protected elliptic curve computations, with special focus on scalar multiplication exploiting the Gallant-Lambert-Vanstone (CRYPTO 2001) and Galbraith-Lin-Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.'s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we propose an efficient algorithm for fixed-base scalar multiplication that is also protected against side-channel attacks by combining Feng et al.'s recoding with Lim-Lee's comb method. Thirdly, we propose an efficient technique that interleaves ARM-based and NEON-based multiprecision operations over an extension field, as typically found on GLS curves and pairing computations, to improve performance on modern ARM processors. Finally, we showcase the efficiency of the proposed techniques by implementing a state-of-the-art GLV-GLS curve in twisted Edwards form defined over F_{p^2}, which supports a four-dimensional decomposition of the scalar and is fully protected against timing attacks. Analysis and performance results are reported for modern x64 and ARM processors. For instance, using a precomputed table of only 512 bytes, we compute a variable-base scalar multiplication in 92,000 and 244,000 cycles on an Intel Ivy Bridge and an ARM Cortex-A15 processor (respectively); using an offline precomputed
Kummer strikes back: new DH speed records
Cryptology ePrint Archive, Report 2014/134, 2014
Cited by 7 (2 self)
Abstract
Abstract. This paper introduces high-security constant-time variable-base-point Diffie–Hellman soft
Four-Dimensional GLV via the Weil Restriction
Cited by 6 (0 self)
Abstract
The Gallant-Lambert-Vanstone (GLV) algorithm uses efficiently computable endomorphisms to accelerate the computation of scalar multiplication of points on an abelian variety. Freeman and Satoh proposed for cryptographic use two families of genus 2 curves defined over F_p which have the property that the corresponding Jacobians are (2, 2)-isogenous over an extension field to a product of elliptic curves defined over F_{p^2}. We exploit the relationship between the endomorphism rings of isogenous abelian varieties to exhibit efficiently computable endomorphisms on both the genus 2 Jacobian and the elliptic curve. This leads to a four-dimensional GLV method on Freeman and Satoh's Jacobians and on two new families of elliptic curves defined over F_{p^2}.
Faster implementation of scalar multiplication on Koblitz curves
Santiago, Chile, 2012
Cited by 5 (0 self)
Abstract
We design a state-of-the-art software implementation of field and elliptic curve arithmetic in standard Koblitz curves at the 128-bit security level. Field arithmetic is carefully crafted by using the best formulae and implementation strategies available, and the increasingly common native support for binary field arithmetic in modern desktop computing platforms. The i-th power of the Frobenius automorphism on Koblitz curves is exploited to obtain new and faster interleaved versions of the well-known τ-NAF scalar multiplication algorithm. The τ^{⌊m/3⌋} and τ^{⌊m/4⌋} maps are employed to create analogues of the 3- and 4-dimensional GLV decompositions and, in general, the ⌊m/s⌋-th power of the Frobenius automorphism is applied as an analogue of an s-dimensional GLV decomposition. The effectiveness of these techniques is illustrated by timing the scalar multiplication operation for fixed, random and multiple points. To our knowledge, our library was the first to compute a random point scalar multiplication in less than 10^5 clock cycles among all curves with or without endomorphisms defined over binary or prime fields. The results of our optimized implementation suggest a trade-off between speed, compliance with the published standards and side-channel protection. Finally, we estimate the performance of curve-based cryptographic protocols instantiated using the proposed techniques and compare our results to related work. Key words: Efficient software implementation, Koblitz elliptic curves, scalar multiplication.
Elliptic and Hyperelliptic Curves: a Practical Security Analysis
Cited by 3 (2 self)
Abstract
Abstract. Motivated by the advantages of using elliptic curves for discrete logarithm-based public-key cryptography, there is an active research area investigating the potential of using hyperelliptic curves of genus 2. For both types of curves, the best known algorithms to solve the discrete logarithm problem are generic attacks such as Pollard rho, for which it is well known that the algorithm can be sped up when the target curve comes equipped with an efficiently computable automorphism. For the first time, we perform a systematic security assessment of elliptic curves and hyperelliptic curves of genus 2, by incorporating all of the known optimizations. We use our software framework to give concrete estimates on the number of core years required to solve the discrete logarithm problem on four curves that target the 128-bit security level: on the standardized NIST Curve P-256, on a popular curve from the Barreto-Naehrig family, and on their respective analogues in genus 2.
Curve41417: Karatsuba revisited
Cited by 3 (0 self)
Abstract
Abstract. This paper introduces constant-time ARM Cortex-A8 ECDH software that (1) is faster than the fastest ECDH option in the latest version of OpenSSL but (2) achieves a security level above 2^200 using a prime above 2^400. For comparison, this OpenSSL ECDH option is not constant-time and has a security level of only 2^80. The new speeds are achieved in a quite different way from typical prime-field ECC software: they rely on a synergy between Karatsuba's method and choices of radix smaller than the CPU word size.
FourQ: four-dimensional decompositions on a Q-curve over the Mersenne prime
Cited by 2 (2 self)
Abstract
Abstract. We introduce FourQ, a high-security, high-performance elliptic curve that targets the 128-bit security level. At the highest arithmetic level, cryptographic scalar multiplications on FourQ can use a four-dimensional Gallant-Lambert-Vanstone decomposition to minimize the total number of elliptic curve group operations. At the group arithmetic level, FourQ admits the use of extended twisted Edwards coordinates and can therefore exploit the fastest known elliptic curve addition formulas over large prime characteristic fields. Finally, at the finite field level, arithmetic is performed modulo the extremely fast Mersenne prime p = 2^127 − 1. We show that this powerful combination facilitates scalar multiplications that are significantly faster than all prior works. On Intel's Haswell, Ivy Bridge and Sandy Bridge architectures, our software computes a variable-base scalar multiplication in 59,000, 71,000 and 74,000 cycles, respectively; and, on the same platforms, our software computes a Diffie-Hellman shared secret in 92,000, 110,000 and 116,000 cycles, respectively. These results show that, in practice, FourQ is around four to five times faster than the original NIST P-256 curve and between two and three times faster than curves that are currently under consideration as NIST alternatives, such as Curve25519.
Point compression for the trace zero subgroup over a small degree extension field
2014
Cited by 2 (2 self)
Two is the fastest prime
Cited by 1 (0 self)
Abstract
Abstract. In this work we present the λ-coordinates, a new system for representing points in binary elliptic curves. We also provide efficient elliptic curve operations based on the new representation and timing results of our software implementation over the field F_{2^254}. As a result, we improved the known speed records for protected/unprotected single/multi-core software implementations of the random-point elliptic curve scalar multiplication at the 128-bit security level. When implemented on a Sandy Bridge 3.4GHz Intel Xeon processor, our software is able to compute a single/multi-core unprotected scalar multiplication in 72,300 and 47,900 clock cycles, respectively; and a protected single-core scalar multiplication in 114,800 cycles. These numbers improve by 2% on the newer Ivy Bridge platform.
Sandy2x: New Curve25519 Speed Records
Cited by 1 (0 self)
Abstract
Abstract. This paper sets speed records on well-known Intel chips for the Curve25519 elliptic-curve Diffie-Hellman scheme and the Ed25519 digital signature scheme. In particular, it takes only 159 128 Sandy Bridge cycles or 156 995 Ivy Bridge cycles to compute a Diffie-Hellman shared