Paper 2016/366

\(\mu\)Kummer: efficient hyperelliptic signatures and key exchange on microcontrollers

Joost Renes, Peter Schwabe, Benjamin Smith, and Lejla Batina


We describe the design and implementation of efficient signature and key-exchange schemes for the AVR~ATmega and ARM Cortex~M0 microcontrollers, targeting the 128-bit security level. Our algorithms are based on an efficient Montgomery ladder scalar multiplication on the Kummer surface of Gaudry and Schost's genus-2 hyperelliptic curve, combined with the Jacobian point recovery technique of Chung, Costello, and Smith. Our results are the first to show the feasibility of software-only hyperelliptic cryptography on constrained platforms, and represent a significant improvement on the elliptic-curve state-of-the-art for both key exchange and signatures on these architectures. Notably, our key-exchange scalar-multiplication software runs in under 9520k cycles on the ATmega and under 2640k cycles on the Cortex M0, improving on the current speed records by 32% and 75% respectively.

Available format(s)
Publication info
Published by the IACR in CHES 2016
Hyperelliptic curve cryptographyKummer surfaceAVR ATmegaARM Cortex M0
Contact author(s)
j renes @ cs ru nl
2017-01-26: last of 3 revisions
2016-04-12: received
See all versions
Short URL
Creative Commons Attribution


      author = {Joost Renes and Peter Schwabe and Benjamin Smith and Lejla Batina},
      title = {\(\mu\)Kummer: efficient hyperelliptic signatures and key exchange on microcontrollers},
      howpublished = {Cryptology ePrint Archive, Paper 2016/366},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.