Two is Greater than One

In this paper we highlight the benefits of using genus-2 curves in public-key cryptography. Compared to the standardized genus-1 curves, or elliptic curves, arithmetic on genus-2 curves is typically more involved but allows us to work with moduli of half the size. We give a taxonomy of the best known techniques to realize genus-2 based cryptography, which includes fast formulas on the Kummer surface and efficient 4-dimensional GLV decompositions. By studying different modular arithmetic approaches on these curves, we present a range of genus-2 implementations. Our implementation on the Kummer surface breaks the 120 thousand cycle barrier, which sets a new software speed record at the 128-bit security level for side-channel resistant scalar multiplications compared to all previous genus-1 and genus-2 implementations.
