Cryptology ePrint Archive: Report 2013/692

Faster Compact Diffie-Hellman: Endomorphisms on the x-line

Craig Costello and Huseyin Hisil and Benjamin Smith

Abstract: Abstract: We describe an implementation of fast elliptic curve scalar multiplication, optimized for Diffie–Hellman Key Exchange at the 128-bit security level. The algorithms are compact (using only x-coordinates), run in constant time with uniform execution patterns, and do not distinguish between the curve and its quadratic twist; they thus have a built-in measure of side-channel resistance. (For comparison, we also implement two faster but non-constant-time algorithms.) The core of our construction is a suite of two-dimensional differential addition chains driven by efficient endomorphism decompositions, built on curves selected from a family of Q-curve reductions over F_{p^2} with p = 2^{127}-1. We include state-of-the-art experimental results for twist-secure, constant-time, x-coordinate-only scalar multiplication.

Category / Keywords: implementation / Elliptic curve cryptography, scalar multiplication, twist-secure, side channel attacks, endomorphism, Kummer variety, addition chains, Montgomery curve

Original Publication (with minor differences): IACR-EUROCRYPT-2014

Date: received 24 Oct 2013, last revised 19 Mar 2014

Contact author: craigco at microsoft com

Available format(s): PDF | BibTeX Citation

Version: 20140319:191540 (All versions of this report)

Short URL: ia.cr/2013/692

Discussion forum: Show discussion | Start new discussion