nach oben

Erschienen in:

2017 | OriginalPaper | Buchkapitel

Kummer for Genus One over Prime Order Fields

verfasst von : Sabyasachi Karati, Palash Sarkar

Erschienen in: Advances in Cryptology – ASIACRYPT 2017

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz in 2009 had suggested the use of the associated Kummer line to speed up scalar multiplication. In this work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. In turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines denoted as \(K_1:=\mathsf{KL2519(81,20)}\), \(K_2:=\mathsf{KL25519(82,77)}\) and \(K_3:=\mathsf{KL2663(260,139)}\) over the three primes \(2^{251}-9\), \(2^{255}-19\) and \(2^{266}-3\) respectively. Implementations of scalar multiplications for all the three Kummer lines using Intel intrinsics have been done and the code is publicly available. Timing results on the recent Skylake and the earlier Haswell processors of Intel indicate that both fixed base and variable base scalar multiplications for \(K_1\) and \(K_2\) are faster than those achieved by Sandy2x which is a highly optimised SIMD implementation in assembly of the well known Curve25519; for example, on Skylake, variable base scalar multiplication on \(K_1\) is faster than Curve25519 by about 25%. On Skylake, both fixed base and variable base scalar multiplication for \(K_3\) are faster than Sandy2x; whereas on Haswell, fixed base scalar multiplication for \(K_3\) is faster than Sandy2x while variable base scalar multiplication for both \(K_3\) and Sandy2x take roughly the same time. In fact, on Skylake, \(K_3\) is both faster and also offers about 5 bits of higher security compared to Curve25519. In practical terms, the particular Kummer lines that are introduced in this work are serious candidates for deployment and standardisation.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nächstes Kapitel ABE with Tag Made Easy

https://moderncrypto.org/mail-archive/curves/2015/000637.html.

Downloaded from https://bench.cr.yp.to/supercop/supercop-20160910.tar.xz. We used crypto_scalarmult(q,n,p) to measure variable base scalar multiplication and crypto_scalarmult_base(q,n) to measure fixed base scalar multiplication.

Barwise, J., Eklof, P.: Lefschetz’s principle. J. Algebra 13(4), 554–570 (1969)MathSciNetCrossRefMATH

Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_14 CrossRef

Bernstein, D.J.: Elliptic vs. hyperelliptic, part I. Talk at ECC (2006)

Bernstein, D.J., Chuengsatiansup, C., Lange, T., Schwabe, P.: Kummer strikes back: new DH speed records. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 317–337. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_17

Bernstein, D.J., Lange, T.: Safecurves: choosing safe curves for elliptic-curve cryptography. http://safecurves.cr.yp.to/index.html. Accessed 15 Sept 2016

Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 124–142. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9_9 CrossRef

Bernstein, D.J., Schwabe, P.: NEON crypto. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 320–339. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_19 CrossRef

Bertoni, G., Coron, J.-S. (eds.): CHES 2013. LNCS, vol. 8086. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1 MATH

Bos, J.W., Costello, C., Hisil, H., Lauter, K.: Fast cryptography in genus 2. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 194–210. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_12 CrossRef

10.

Bos, J.W., Costello, C., Hisil, H., Lauter, K.E.: High-performance scalar multiplication using 8-dimensional GLV/GLS decomposition. In: Bertoni, G., Coron, J.-S. (eds.) [8], pp. 331–348 (2013)

11.

Brainpool: ECC standard. http://www.ecc-brainpool.org/ecc-standard.htm

12.

Chou, T.: Sandy2x: new curve25519 speed records. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 145–160. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31301-6_8 CrossRef

13.

Cosset, R.: Factorization with genus 2 curves. Math. Comput. 79(270), 1191–1208 (2010)MathSciNetCrossRefMATH

14.

Costello, C., Longa, P.: Four\(\mathbb{Q}\): four-dimensional decompositions on a \(\mathbb{Q}\)-curve over the Mersenne Prime. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 214–235. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_10 CrossRef

15.

Costello, C., Hisil, H., Smith, B.: Faster compact Diffie–Hellman: endomorphisms on the x-line. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 183–200. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_11 CrossRef

16.

Costigan, N., Schwabe, P.: Fast elliptic-curve cryptography on the cell broadband engine. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 368–385. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_23 CrossRef

17.

Curve25519: Wikipedia page on Curve25519. https://en.wikipedia.org/wiki/Curve25519. Accessed 15 Sept 2016

18.

Faz-Hernández, A., Longa, P., Sánchez, A.H.: Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 1–27. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_1 CrossRef

19.

Faz-Hernández, A., López, J.: Fast implementation of curve25519 using AVX2. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 329–345. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22174-8_18 CrossRef

20.

Code for Kummer Line Computations. Provided as part of the auxiliary supporting material corresponding to this submission. The code is also publicly available

21.

Frey, G., Rück, H.-G.: The strong lefschetz principle in algebraic geometry. Manuscripta Math. 55(3), 385–401 (1986)MathSciNetCrossRefMATH

22.

Gaudry, P., Lubicz, D.: The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines. Finite Fields Appl. 15(2), 246–260 (2009)MathSciNetCrossRefMATH

23.

Gaudry, P., Schost, É.: Genus 2 point counting over prime fields. J. Symb. Comput. 47(4), 368–400 (2012)MathSciNetCrossRefMATH

24.

Gueron, S.: Software optimizations for cryptographic primitives on general purpose x86_64 platforms. Tutorial at IndoCrypt (2011)

25.

Gueron, S., Krasnov, V.: Fast prime field elliptic-curve cryptography with 256-bit primes. J. Cryptogr. Eng. 5(2), 141–151 (2015)CrossRef

26.

Hankerson, D., Karabina, K., Menezes, A.: Analyzing the Galbraith-Lin-Scott point multiplication method for elliptic curves over binary fields. IEEE Trans. Comput. 58(10), 1411–1420 (2009)MathSciNetCrossRefMATH

27.

Igusa, J.: Theta Functions. Springer, Heidelberg (1972)CrossRefMATH

28.

Karati, S., Sarkar, P.: Kummer for genus one over prime order fields. IACR Cryptology ePrint Archive 2016:938 (2016)

29.

Koblitz, N.: Elliptic curve cryptosystems. Math. Comp. 48(177), 203–209 (1987)MathSciNetCrossRefMATH

30.

Koblitz, N.: Hyperelliptic cryptosystems. J. Cryptol. 1(3), 139–150 (1989)MathSciNetCrossRefMATH

31.

Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052240

32.

Longa, P., Sica, F.: Four-dimensional Gallant-Lambert-Vanstone scalar multiplication. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 718–739. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_43 CrossRef

33.

Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_31 CrossRef

34.

Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)MathSciNetCrossRefMATH

35.

Montgomery, P.L.: Five, six, and seven-term karatsuba-like formulae. IEEE Trans. Comput. 54(3), 362–369 (2005)CrossRefMATH

36.

Mumford, D.: Tata Lectures on Theta I. Progress in Mathematics 28. Birkh äuser, Basel (1983)CrossRefMATH

37.

U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS). FIPS-186-3 (2009). http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf

38.

Oliveira, T., López, J., Aranha, D.F., Rodríguez-Henríquez, F.: Lambda coordinates for binary elliptic curves. In: Bertoni, G., Coron, J.-S. (eds.) [8], pp. 311–330 (2013)

39.

Oliveira, T., López, J., Rodríguez-Henríquez, F.: Software implementation of Koblitz curves over quadratic fields. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 259–279. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_13

40.

Certicom Research: SEC 2: Recommended elliptic curve domain parameters (2010). http://www.secg.org/sec2-v2.pdf

41.

NUMS: Nothing up my sleeve. https://tools.ietf.org/html/draft-black-tls-numscurves-00

Titel: Kummer for Genus One over Prime Order Fields
verfasst von: Sabyasachi Karati
Palash Sarkar
Verlag: Springer International Publishing
Buch: Advances in Cryptology – ASIACRYPT 2017
Print ISBN: 978-3-319-70696-2

Electronic ISBN: 978-3-319-70697-9

Copyright-Jahr: 2017
DOI: https://doi.org/10.1007/978-3-319-70697-9_1

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner