Paper 2016/938

Kummer for Genus One over Prime Order Fields

Sabyasachi Karati and Palash Sarkar

Abstract

This work considers the problem of fast and secure scalar multiplication using curves of genus one defined over a field of prime order. Previous work by Gaudry and Lubicz in 2009 had suggested the use of the associated Kummer line to speed up scalar multiplication. In the present work, we explore this idea in detail. The first task is to obtain an elliptic curve in Legendre form which satisfies necessary security conditions such that the associated Kummer line has small parameters and a base point with small coordinates. It turns out that the ladder step on the Kummer line supports parallelism and can be implemented very efficiently in constant time using the single-instruction multiple-data (SIMD) operations available in modern processors. For the 128-bit security level, this work presents three Kummer lines denoted as , and over the three primes , and respectively. Implementations of scalar multiplications for all three Kummer lines using Intel intrinsics have been done and the code is publicly available. Timing results on the Skylake and the Haswell processors of Intel indicate that both fixed base and variable base scalar multiplications for and are faster than those achieved by {\sf Sandy2x}, which is a highly optimised SIMD implementation in assembly of the well known {\sf Curve25519}; for example, on Skylake, variable base scalar multiplication on is faster than {\sf Curve25519} by about 30\%. On Skylake, both fixed base and variable base scalar multiplication for are faster than {\sf Sandy2x}; whereas on Haswell, fixed base scalar multiplication for is faster than {\sf Sandy2x} while variable base scalar multiplication for both and {\sf Sandy2x} take roughly the same time. In fact, on Skylake, is both faster and also offers about 5 bits of higher security compared to {\sf Curve25519}. In practical terms, the particular Kummer lines that are introduced in this work are serious candidates for deployment and standardisation. We further illustrate the usefulness of the proposed Kummer lines by instantiating the quotient Digital Signature Algorithm (qDSA) on all the three Kummer lines.

Metadata
Available format(s)
PDF
Publication info
A major revision of an IACR publication in ASIACRYPT 2017
Keywords
elliptic curve cryptographyKummer lineMontgomery curvescalar multiplication
Contact author(s)
sabyasachi karati @ gmail com
History
2019-02-06: last of 8 revisions
2016-09-29: received
See all versions
Short URL
https://ia.cr/2016/938
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2016/938,
      author = {Sabyasachi Karati and Palash Sarkar},
      title = {Kummer for Genus One over Prime Order Fields},
      howpublished = {Cryptology {ePrint} Archive, Paper 2016/938},
      year = {2016},
      url = {https://eprint.iacr.org/2016/938}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.