Publication


Featured research published by Roberto Maria Avanzi.


Archive | 2005

Handbook of Elliptic and Hyperelliptic Curve Cryptography

Henri Cohen; Gerhard Frey; Roberto Maria Avanzi; Christophe Doche; Tanja Lange; Kim Nguyen; Frederik Vercauteren

Table of contents:

  Preface
  Introduction to Public-Key Cryptography
  Mathematical Background
    Algebraic Background
    Background on p-adic Numbers
    Background on Curves and Jacobians
    Varieties Over Special Fields
    Background on Pairings
    Background on Weil Descent
    Cohomological Background on Point Counting
  Elementary Arithmetic
    Exponentiation
    Integer Arithmetic
    Finite Field Arithmetic
    Arithmetic of p-adic Numbers
  Arithmetic of Curves
    Arithmetic of Elliptic Curves
    Arithmetic of Hyperelliptic Curves
    Arithmetic of Special Curves
    Implementation of Pairings
  Point Counting
    Point Counting on Elliptic and Hyperelliptic Curves
    Complex Multiplication
  Computation of Discrete Logarithms
    Generic Algorithms for Computing Discrete Logarithms
    Index Calculus
    Index Calculus for Hyperelliptic Curves
    Transfer of Discrete Logarithms
  Applications
    Algebraic Realizations of DL Systems
    Pairing-Based Cryptography
    Compositeness and Primality Testing - Factoring
  Realizations of DL Systems
    Fast Arithmetic Hardware
    Smart Cards
    Practical Attacks on Smart Cards
    Mathematical Countermeasures Against Side-Channel Attacks
    Random Numbers - Generation and Testing
  References


Cryptographic Hardware and Embedded Systems | 2004

Aspects of Hyperelliptic Curves over Large Prime Fields in Software Implementations

Roberto Maria Avanzi

We present an implementation of elliptic curves and of hyperelliptic curves of genus 2 and 3 over prime fields. To achieve a fair comparison between the different types of groups, we developed an ad-hoc arithmetic library, designed to remove most of the overheads that penalize implementations of curve-based cryptography over prime fields. These overheads get worse for smaller fields, and thus for larger genera for a fixed group size. We also use techniques for delaying modular reductions to reduce the amount of modular reductions in the formulae for the group operations. The result is that the performance of hyperelliptic curves of genus 2 over prime fields is much closer to the performance of elliptic curves than previously thought. For groups of 192 and 256 bits the difference is about 14% and 15% respectively.


Cryptographic Hardware and Embedded Systems | 2005

Energy-efficient software implementation of long integer modular arithmetic

Johann Großschädl; Roberto Maria Avanzi; Erkay Savas; Stefan Tillich

This paper investigates performance and energy characteristics of software algorithms for long integer arithmetic. We analyze and compare the number of RISC-like processor instructions (e.g. single-precision multiplication, addition, load, and store instructions) required for the execution of different algorithms such as Schoolbook multiplication, Karatsuba and Comba multiplication, as well as Montgomery reduction. Our analysis shows that a combination of Karatsuba-Comba multiplication and Montgomery reduction (the so-called KCM method) achieves better performance than other algorithms for modular multiplication. Furthermore, we present a simple model to compare the energy-efficiency of arithmetic algorithms. This model considers the clock cycles and average current consumption of the base instructions to estimate the overall amount of energy consumed during the execution of an algorithm. Our experiments, conducted on a StrongARM SA-1100 processor, indicate that a 1024-bit KCM multiplication consumes about 22% less energy than other modular multiplication techniques.


International Conference on Selected Areas in Cryptography | 2004

A note on the signed sliding window integer recoding and a left-to-right analogue

Roberto Maria Avanzi

Addition-subtraction chains obtained from signed digit recodings of integers are a common tool for computing multiples of random elements of a group where the computation of inverses is a fast operation. Cohen and Solinas independently described one such recoding, the ω-NAF. For scalars of the size commonly used in cryptographic applications, it leads to the current scalar multiplication algorithm of choice. However, we could find no formal proof of its optimality in the literature. This recoding is computed right-to-left. We solve two open questions regarding the ω-NAF. We first prove that the ω-NAF is a redundant radix-2 recoding of smallest weight among all those with integral coefficients smaller in absolute value than 2^(ω−1). Secondly, we introduce a left-to-right recoding with the same digit set as the ω-NAF, generalizing previous results. We also prove that the two recodings have the same (optimal) weight. Finally, we sketch how to prove similar results for other recodings.


Journal of Cryptology | 2005

The Complexity of Certain Multi-Exponentiation Techniques in Cryptography

Roberto Maria Avanzi

We describe, analyze and compare some combinations of multi-exponentiation algorithms with representations of the exponents. We are especially interested in the case where the inversion of group elements is fast: this is true for example for elliptic curves, groups of rational divisor classes of hyperelliptic curves, trace zero varieties and XTR. The methods can also be used for computing single exponentiations in groups which admit an appropriate automorphism satisfying a monic equation of small degree over the integers.


Cryptographic Hardware and Embedded Systems | 2003

Countermeasures against Differential Power Analysis for Hyperelliptic Curve Cryptosystems

Roberto Maria Avanzi

In this paper we describe some countermeasures against differential side-channel attacks on hyperelliptic curve cryptosystems. The techniques are modelled on the corresponding ones for elliptic curves. The first method consists of picking a random group isomorphic to the one where we are supposed to compute, transferring the computation to the random group and then pulling the result back. The second method consists of altering the internal representation of the divisors on the curve in a random way. The impact of the recent attack of L. Goubin is assessed and ways to avoid it are proposed.


International Conference on the Theory and Application of Cryptology and Information Security | 2006

Extending scalar multiplication using double bases

Roberto Maria Avanzi; Vassil S. Dimitrov; Christophe Doche; Francesco Sica

It has been recently acknowledged [4,6,9] that the use of double base representations of scalars n, that is, an expression of the form n = Σ_{e,s,t} (−1)^e A^s B^t, can significantly speed up scalar multiplication on those elliptic curves where multiplication by one base (say B) is fast. This is the case in particular for Koblitz curves and supersingular curves, where scalar multiplication can now be achieved in o(log n) curve additions. Previous literature dealt basically with supersingular curves (in characteristic 3, although the methods can be easily extended to arbitrary characteristic), where A, B ∈ ℕ. Only [4] attempted to provide a similar method for Koblitz curves, where at least one base must be non-real, although their method does not seem practical for cryptographic sizes (it is only asymptotic), since the constants involved are too large. We provide here a unifying theory by proposing an alternate recoding algorithm which works in all cases with optimal constants. Furthermore, it can also solve the until now untreatable case where both A and B are non-real. The resulting scalar multiplication method is then compared to standard methods for Koblitz curves. It runs in less than log n / log log n elliptic curve additions, and is faster than any given method with similar storage requirements already on the curve K-163, with larger improvements as the size of the curve increases, surpassing 50% with respect to the τ-NAF for the curves K-409 and K-571. With respect to windowed methods, which can approach our speed but require O(log(n)/log log(n)) precomputations for optimal parameters, we offer the advantage of a fixed, small memory footprint, as we need storage for at most two additional points.


Lecture Notes in Computer Science | 2006

Scalar multiplication on Koblitz curves using double bases

Roberto Maria Avanzi; Francesco Sica

The paper is an examination of double-base decompositions of integers n, namely expansions loosely of the form

n = \sum_{i,j} \pm A^i B^j

for some base {A,B}. This was examined in previous works [5,6], in the case when A,B lie in ℕ. We show here how to extend the results of [5] to Koblitz curves over binary fields. Namely, we obtain a sublinear scalar algorithm to compute, given a generic positive integer n and an elliptic curve point P, the point nP in time


Journal of Mathematical Cryptology | 2008

Rethinking low genus hyperelliptic Jacobian arithmetic over binary fields: interplay of field arithmetic and explicit formulæ

Roberto Maria Avanzi; Nicolas Thériault; Zheng Wang


International Conference on Selected Areas in Cryptography | 2005

Minimality of the Hamming weight of the τ-NAF for Koblitz curves and improved combination with point halving

Roberto Maria Avanzi; Clemens Heuberger; Helmut Prodinger

Collaboration

Top co-authors of Roberto Maria Avanzi:

  Clemens Heuberger (Alpen-Adria-Universität Klagenfurt)
  Francesco Sica (Mount Allison University)
  Tanja Lange (Eindhoven University of Technology)
  Henri Cohen (University of Bordeaux)