Endomorphisms for Faster Cryptography on Elliptic Curves of Moderate CM Discriminants

Dimitri Koshelev; Antonio Sanso

Paper 2024/1985

Endomorphisms for Faster Cryptography on Elliptic Curves of Moderate CM Discriminants

Dimitri Koshelev, University of Lleida

Antonio Sanso, Ethereum Foundation

Abstract

This article generalizes the widely-used GLV decomposition for (multi-)scalar multiplication to a much broader range of elliptic curves with moderate CM discriminant $D < 0$ . Previously, it was commonly believed that this technique can only be applied efficiently for small values of $D$ (e.g., up to $100$ ). In practice, curves with $j$ -invariant $0$ are most frequently employed, as they have the smallest possible $D = - 3$ . However, $j = 0$ curves are either too suspicious for conservative government regulators (e.g., for Russian ones, which prefer $D = - 619$ ) or unavailable under imposed extra restrictions in a series of cryptographic settings. The article thus participates in the decade-long development of numerous curves with moderate in the context of zk-SNARKs. Such curves are typically derived from others, which limits the ability to generate them while controlling the magnitude of .

Metadata

Available format(s): PDF
Category: Implementation
Publication info: Preprint.
Keywords: binary quadratic forms elliptic curve cryptography ideal class groups isogeny loops (multi-)scalar multiplication
Contact author(s): dimitri koshelev @ gmail com
antonio sanso @ ethereum org
History: 2025-04-02: last of 2 revisions; 2024-12-08: received; See all versions
Short URL: https://ia.cr/2024/1985
License: CC0

BibTeX

@misc{cryptoeprint:2024/1985,
      author = {Dimitri Koshelev and Antonio Sanso},
      title = {Endomorphisms for Faster Cryptography on Elliptic Curves of Moderate {CM} Discriminants},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1985},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1985}
}