research-article

On Kummer Lines with Full Rational 2-torsion and Their Usage in Cryptography

Authors:
Huseyin Hisil

Yasar University, Agacli Yol, Bornova, Izmir, Turkey

Yasar University, Agacli Yol, Bornova, Izmir, Turkey
View Profile

,
Joost Renes

Radboud University, Nijmegen, The Netherlands

Radboud University, Nijmegen, The Netherlands
View Profile

Authors Info & Claims

ACM Transactions on Mathematical Software Volume 45 Issue 4Article No.: 39pp 1–17https://doi.org/10.1145/3361680

Published:09 December 2019Publication History

ACM Transactions on Mathematical Software

Abstract

A paper by Karati and Sarkar at Asiacrypt’17 has pointed out the potential for Kummer lines in genus 1, by observing that their SIMD-friendly arithmetic is competitive with the status quo. A more recent preprint explores the connection with (twisted) Edwards curves. In this article, we extend this work and significantly simplify the treatment of Karati and Sarkar. We show that their Kummer line is the x-line of a Montgomery curve translated by a point of order two, and exhibit a natural isomorphism to the y-line of a twisted Edwards curve. Moreover, we show that the Kummer line presented by Gaudry and Lubicz can be obtained via the action of a point of order two on the y-line of an Edwards curve. The maps connecting these curves and lines are all very simple. As a result, a cryptographic implementation can use the arithmetic that is optimal for its instruction set at negligible cost.

References

D. J. Bernstein. 2006a. Curve25519: New Diffie–Hellman speed records. In Proceedings of the 9th International Conference on Theory and Practice of Public-Key Cryptography. 207--228. DOI:https://doi.org/10.1007/11745853_14Google ScholarDigital Library
D. J. Bernstein. 2006b. Elliptic vs. Hyperelliptic, part I. Talk at ECC (Slides retrieved from http://cr.yp.to/talks/2006.09.20/slides.pdf).Google Scholar
D. J. Bernstein, P. Birkner, M. Joye, T. Lange, and C. Peters. 2008. Twisted Edwards curves. In Proceedings of the 1st International Conference on Cryptology in Africa (Lecture Notes in Computer Science), S. Vaudenay (Ed.), Vol. 5023. Springer, 389--405. DOI:https://doi.org/10.1007/978-3-540-68164-9_26Google Scholar
D. J. Bernstein, C. Chuengsatiansup, T. Lange, and P. Schwabe. 2014. Kummer strikes back: New DH speed records. In Proceedings of the 20th International Conference on the Theory and Application of Cryptology and Information Security, Palash Sarkar and Tetsu Iwata (Eds.). Springer Berlin, 317--337. DOI:https://doi.org/10.1007/978-3-662-45611-8_17Google Scholar
D. J. Bernstein and T. Lange. 2007. Faster addition and doubling on elliptic curves. In Proceedings of the 13th International Conference on the Theory and Application of Cryptology and Information Security. 29--50. DOI:https://doi.org/10.1007/978-3-540-76900-2_3Google Scholar
D. J. Bernstein and T. Lange. 2015. Explicit-Formulas Database. Retrieved from: http://hyperelliptic.org/EFD/g1p/auto-edwards-yzsquared.html.Google Scholar
W. Bosma, J. Cannon, and C. Playoust. 1997. The Magma algebra system. I. The user language. J. Symbol. Comput. 24, 3--4 (1997), 235--265. DOI:https://doi.org/10.1006/jsco.1996.0125Google ScholarDigital Library
W. Castryck, S. D. Galbraith, and R. R. Farashahi. 2008. Efficient arithmetic on elliptic curves using a mixed Edwards-Montgomery representation. Cryptology ePrint Archive, Report 2008/218. Retrieved from: http://eprint.iacr.org/2008/218.Google Scholar
T. Chou. 2015. Sandy2x. Message on the curves mailing list at Retrieved from: https://moderncrypto.org/mail-archive/curves/2015/000637.html.Google Scholar
D. V. Chudnovsky and G. V. Chudnovsky. 1986. Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Adv. Appl. Math. 7, 4 (1986), 385--434.Google ScholarDigital Library
J. S. Coron. 1999. Resistance against differential power analysis for elliptic curve cryptosystems. In Proceedings of the Cryptographic Hardware and Embedded Systems Conference (CHES’99), Çetin K. Koç and C. Paar (Eds.), Vol. 1717. 292--302.Google ScholarCross Ref
C. Costello and P. Longa. 2015. FourQ: Four-dimensional decompositions on a Q-curve over the Mersenne prime. In Proceedings of the 21st International Conference on the Theory and Application of Cryptology and Information Security. 214--235. DOI:https://doi.org/10.1007/978-3-662-48797-6_10Google Scholar
W. Diffie and M. E. Hellman. 1976. New directions in cryptography. IEEE Trans. Inform. Theor. 22, 6 (1976), 644--654. DOI:https://doi.org/10.1109/TIT.1976.1055638Google ScholarDigital Library
M. Düll, B. Haase, G. Hinterwälder, M. Hutter, C. Paar, A. H. Sánchez, and P. Schwabe. 2015. High-speed Curve25519 on 8-bit, 16-bit, and 32-bit microcontrollers. Design, Codes and Cryptog. 77, 2 (2015). Retrieved from: http://cryptojedi.org/papers/#mu25519.Google Scholar
H. M. Edwards. 2007. A normal form for elliptic curves. Bull. Amer. Math. Soc. 44, 3 (July 2007), 393--422.Google ScholarCross Ref
R. R. Farashahi and S. G. Hosseini. 2017. Differential addition on twisted Edwards curves. In Proceedings of the 22nd Australasian Conference on Information Security and Privacy (ACISP’17). 366--378. DOI:https://doi.org/10.1007/978-3-319-59870-3_21Google Scholar
R. R. Farashahi, D. Moody, and H. Wu. 2012. Isomorphism classes of Edwards curves over finite fields. Finite Fields Their Appl. 18, 3 (2012), 597--612. DOI:https://doi.org/10.1016/j.ffa.2011.12.004Google ScholarCross Ref
R. R. Farashahi and I. E. Shparlinski. 2010. On the number of distinct elliptic curves in some families. Des. Codes Cryptog. 54, 1 (2010), 83--99. DOI:https://doi.org/10.1007/s10623-009-9310-2Google ScholarDigital Library
A. Faz-Hernández and J. López. 2015. Fast implementation of Curve25519 using AVX2. In Proceedings of the 4th International Conference on Cryptology and Information Security in Latin America. 329--345. DOI:https://doi.org/10.1007/978-3-319-22174-8_18Google Scholar
S. D. Galbraith. 2012. Mathematics of Public Key Cryptography. Cambridge University Press. Retrieved from: https://www.math.auckland.ac.nz/ sgal018/crypto-book/crypto-book.html.Google Scholar
P. Gaudry. 2006. Variants of the Montgomery form based on theta functions. Retrieved from: http://www.fields.utoronto.ca/audio/06-07/number_theory/gaudry/.Google Scholar
P. Gaudry. 2007. Fast genus 2 arithmetic based on Theta functions. J. Math. Cryptol. 1, 3 (2007), 243--265.Google ScholarCross Ref
P. Gaudry and D. Lubicz. 2009. The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines. Finite Fields Their Appl. 15, 2 (2009), 246--260. DOI:https://doi.org/10.1016/j.ffa.2008.12.006Google ScholarDigital Library
H. Hisil. 2010. Elliptic Curves, Group Law, and Efficient Computation. Ph.D. Dissertation. Queensland University of Technology.Google Scholar
H. Hisil, K. K. Wong, G. Carter, and E. Dawson. 2008. Twisted Edwards curves revisited. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Josef Pieprzyk (Ed.). Springer Berlin, 326--343.Google Scholar
S. Karati and P. Sarkar. 2017a. Connecting Legendre with Kummer and Edwards. Cryptology ePrint Archive, Report 2017/1205. Retrieved from: https://eprint.iacr.org/2017/1205.Google Scholar
S. Karati and P. Sarkar. 2017b. Kummer for genus one over prime order fields. In Proceedings of the 23rd International Conference on the Theory and Applications of Cryptology and Information Security. 3--32. DOI:https://doi.org/10.1007/978-3-319-70697-9_1Google Scholar
N. Koblitz. 1987. Elliptic curve cryptosystems. Math. Comp. 48 (1987), 203--209.Google ScholarDigital Library
V. Miller. 1986. Use of elliptic curves in cryptography. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security. Lecture Notes in Computer Science, Vol. 218. Springer Berlin, 417--426.Google ScholarCross Ref
P. L. Montgomery. 1987. Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48, 177 (1987), 243--264.Google ScholarCross Ref
J. Renes. 2018. Computing isogenies between Montgomery curves using the action of (0, 0). In Proceedings of the International Conference on Post-Quantum Cryptography. Lecture Notes in Computer Science, Vol. 10786. Springer, 229--247. Retrieved from: https://ia.cr/2017/1198.Google Scholar
J. Renes and B. Smith. 2017. qDSA: Small and secure digital signatures with curve-based Diffie--Hellman key pairs. In Proceedings of the 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Tsuyoshi Takagi and Thomas Peyrin (Eds.). Springer International Publishing, 273--302. DOI:https://doi.org/10.1007/978-3-319-70697-9_10Google Scholar
J. H. Silverman. 2009. The Arithmetic of Elliptic Curves, 2nd Edition. Springer. Retrieved from: http://link.springer.com/book/10.1007%2F978-0-387-09494-6.Google Scholar
A. Takahashi, M. Tibouchi, and M. Abe. 2018. New Bleichenbacher Records: Practical Fault Attacks on qDSA Signatures. Cryptology ePrint Archive, Report 2018/396. Retrieved from: https://eprint.iacr.org/2018/396.Google Scholar
The Sage Developers. 2018. SageMath, the Sage Mathematics Software System (version 8.1). Retrieved from: https://sagemath.org.Google Scholar

Index Terms

On Kummer Lines with Full Rational 2-torsion and Their Usage in Cryptography
1. Security and privacy
  1. Cryptography
    1. Public key (asymmetric) techniques
      1. Public key encryption

Recommendations

Twisted Edwards curves
AFRICACRYPT'08: Proceedings of the Cryptology in Africa 1st international conference on Progress in cryptology

This paper introduces "twisted Edwards curves," a generalization of the recently introduced Edwards curves; shows that twisted Edwards curves include more curves over finite fields, and in particular every elliptic curve in Montgomery form; shows how to ...
Read More
Binary Kummer Line
Applied Cryptography and Network Security
Abstract
The idea of the Kummer line was introduced by Gaudry and Lubicz [22]. Karati and Sarkar [31] proposed three efficient Kummer lines over prime fields, and [31, 40] show that they are faster than $Curve 25519$ [4]. In this work, we explore the problem ... $_{^{}}$
Read More
How to Construct CSIDH on Edwards Curves
Topics in Cryptology – CT-RSA 2020
Abstract
CSIDH is an isogeny-based key exchange protocol proposed by Castryck, Lange, Martindale, Panny, and Renes in 2018. CSIDH is based on the ideal class group action on -isomorphism classes of Montgomery curves. In order to calculate the class group ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Transactions on Mathematical Software Volume 45, Issue 4
December 2019
207 pages
ISSN:0098-3500
EISSN:1557-7295
DOI:10.1145/3375544
Editors:
Zhaojun Bai
University of California at Davis, USA
,
Wolfgang Bangerth
Colorado State University, USA
Issue’s Table of Contents
Copyright © 2019 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 9 December 2019
- Accepted: 1 September 2019
- Revised: 1 August 2019
- Received: 1 January 2019
Published in toms Volume 45, Issue 4

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Edwards curves
Kummer lines
Montgomery curves
Montgomery ladder
digital signatures
Qualifiers
- research-article
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 4
  Total Citations
  View Citations
- 149
  Total Downloads
- Downloads (Last 12 months)13
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

HTML Format

View this article in HTML Format .

View HTML Format

On Kummer Lines with Full Rational 2-torsion and Their Usage in Cryptography

ACM Transactions on Mathematical Software

Abstract

References

Cited By

Index Terms

Recommendations

Twisted Edwards curves

Binary Kummer Line

How to Construct CSIDH on Edwards Curves