Paper 2013/692

Faster Compact Diffie-Hellman: Endomorphisms on the x-line

Craig Costello, Huseyin Hisil, and Benjamin Smith

Abstract

We describe an implementation of fast elliptic curve scalar multiplication, optimized for Diffie–Hellman Key Exchange at the 128-bit security level. The algorithms are compact (using only x-coordinates), run in constant time with uniform execution patterns, and do not distinguish between the curve and its quadratic twist; they thus have a built-in measure of side-channel resistance. (For comparison, we also implement two faster but non-constant-time algorithms.) The core of our construction is a suite of two-dimensional differential addition chains driven by efficient endomorphism decompositions, built on curves selected from a family of Q-curve reductions over F_{p^2} with p = 2^{127}-1. We include state-of-the-art experimental results for twist-secure, constant-time, x-coordinate-only scalar multiplication.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
A minor revision of an IACR publication in EUROCRYPT 2014
Keywords
Elliptic curve cryptography, scalar multiplication, twist-secure, side channel attacks, endomorphism, Kummer variety, addition chains, Montgomery curve
Contact author(s)
craigco @ microsoft com
History
2014-03-19: last of 3 revisions
2013-10-28: received
Short URL
https://ia.cr/2013/692
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/692,
      author = {Craig Costello and Huseyin Hisil and Benjamin Smith},
      title = {Faster Compact Diffie-Hellman: Endomorphisms on the x-line},
      howpublished = {Cryptology ePrint Archive, Paper 2013/692},
      year = {2013},
      note = {\url{https://eprint.iacr.org/2013/692}},
      url = {https://eprint.iacr.org/2013/692}
}