Cryptology ePrint Archive: Report 2013/692

Faster Compact Diffie-Hellman: Endomorphisms on the x-line

Craig Costello and Huseyin Hisil and Benjamin Smith

Abstract: We describe an implementation of fast elliptic curve scalar multiplication, optimized for Diffie–Hellman Key Exchange at the 128-bit security level. The algorithms are compact (using only x-coordinates), run in constant time with uniform execution patterns, and do not distinguish between the curve and its quadratic twist; they thus have a built-in measure of side- channel resistance. The core of our construction is a suite of two-dimensional differential addition chains driven by efficient endomorphism decompositions, built on curves selected from a family of Q-curve reductions over F_{p^2} with p = 2^{127}-1. We include state-of-the-art experimental results for twist-secure, constant-time, x-coordinate-only scalar multiplication.

Category / Keywords: implementation / Elliptic curve cryptography, scalar multiplication, twist-secure, side channel attacks, endomorphism, Kummer variety, addition chains, Montgomery curve

Date: received 24 Oct 2013, last revised 29 Oct 2013

Contact author: craigco at microsoft com

Available format(s): PDF | BibTeX Citation

Version: 20131029:153003 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]