Sylvain Duquesne

FPGA implementation of pairings using residue number system and lazy reduction

Recently, a lot of progress has been made in the implementation of pairings in both hardware and software. In this paper, we present two FPGA-based high speed pairing designs using the Residue Number System and lazy reduction. We show that by combining RNS, which is naturally suitable for parallel architectures, and lazy reduction, which performs one reduction for multiple multiplications, the speed of pairing computation in hardware can be largely increased. The results show that both designs achieve higher speed than previous designs. The fastest version computes an optimal ate pairing at 126-bit security level in 0.573 ms, which is 2 times faster than all previous hardware implementations at the same security level.

Improving the arithmetic of elliptic curves in the Jacobi model

The use of elliptic curve cryptosystems on embedded systems has been becoming widespread for some years. Therefore the resistance of such cryptosystems to side-channel attacks is becoming crucial. Several techniques have recently been developed. One of these consists in finding a representation of the elliptic curve such that formulae for doubling and addition are the same. Until now, one of the best results has been obtained by using the Jacobi model. In this Letter, we improve the arithmetic of elliptic curves in the Jacobi model and we relax some conditions required to work efficiently on this model. We thus obtained the fastest unified addition formulae for elliptic curve cryptography (assuming that the curve has a 2-torsion point).

Montgomery Scalar Multiplication for Genus 2 Curves

Using powerful tools on genus 2 curves like the Kummer variety, we generalize the Montgomery method for scalar multiplication to the jacobian of these curves. Previously this method was only known for elliptic curves. We obtain an algorithm that is competitive compared to the usual methods of scalar multiplication and that has additional properties such as resistance to timings attacks. This algorithm has very important applications in cryptography using hyperelliptic curves and more particularly for people interested in cryptography on smart cards.

Updating Key Size Estimations for Pairings

Recent progress on NFS imposed a new estimation of the security of pairings. In this work we study the best attacks against some of the most popular pairings and propose new key sizes using an analysis which is more precise than the analysis in a recent article of Menezes, Sarkar and Singh. We also select pairing-friendly curves for standard security levels.

Traces of the Group Law on the Kummer Surface of a Curve of Genus 2 in Characteristic 2

In the early 1990s, Flynn gave an explicit description of the Jacobian of a genus 2 hyperelliptic curve in order to perform efficient arithmetic on these objects. In this paper, we give a generalization of Flynn’s work when the ground field has characteristic 2. More precisely, we give an explicit description of the Kummer surface. We also give and explain how we found, using symbolic computations, explicit formulas for the structure of the group law on the Jacobian preserved on the Kummer surface. Finally, we use these new objects to give a very fast scalar multiplication algorithm for hyperelliptic curve cryptography in characteristic 2.

Montgomery Ladder for All Genus 2 Curves in Characteristic 2

Using the Kummer surface, we generalize Montgomery ladder for scalar multiplication to the Jacobian of genus 2 curves in characteristic 2. Previously this method was known for elliptic curves and for genus 2 curves in odd characteristic. We obtain an algorithm that is competitive compared to usual methods of scalar multiplication and that has additional properties such as resistance to simple side-channel attacks. Moreover it provides a significant speed-up of scalar multiplication in many cases. This new algorithm has very important applications in cryptography using hyperelliptic curves and more particularly for people interested in cryptography on embedded systems (such as smart cards).

Memory-saving computation of the pairing final exponentiation on BN curves

Abstract Tate pairing computation is made of two steps. The first one, the Miller loop, is an exponentiation in the group of points of an elliptic curve. The second one, the final exponentiation, is an exponentiation in the multiplicative group of a large finite field extension. In this paper, we describe and improve efficient methods for computing the hardest part of this second step for the most popular curves in pairing-based cryptography, namely Barreto–Naehrig curves. We present the methods given in the literature and their complexities. However, the necessary memory resources are not always given whereas it is an important constraint in restricted environments for practical implementations. Therefore, we determine the memory resources required by these known methods and we present new variants which require less memory resources (up to 37 %). Moreover, some of these new variants are providing algorithms which are also more efficient than the original ones.

Tate pairing computation on jacobi's elliptic curves

We propose for the first time the computation of the Tate pairing on Jacobi intersection curves. For this, we use the geometric interpretation of the group law and the quadratic twist of Jacobi intersection curves to obtain a doubling step formula which is efficient but not competitive compared to the case of Weierstrass curves, Edwards curves and Jacobi quartic curves. As a second contribution, we improve the doubling and addition steps in Millers algorithm to compute the Tate pairing on the special Jacobi quartic elliptic curve Y2=dX4+Z4. We use the birational equivalence between Jacobi quartic curves and Weierstrass curves together with a specific point representation to obtain the best result to date among all the curves with quartic twists. In particular for the doubling step in Millers algorithm, we obtain a theoretical gain between 6% and 21%, depending on the embedding degree and the extension field arithmetic, with respect to Weierstrass curves [6] and Jacobi quartic curves [23].

Arithmetic of Hyperelliptic Curves.

In Chapter 1 we introduced the discrete logarithm problem and showed that the main operation in a public-key cryptosystem is the computation of scalar multiples in a cyclic group. Chapter 9 showed how the computation of scalar multiples can be reduced to a sequence of additions and doublings in the group. Hence, for an efficient system we need to have groups with efficient group laws. In Chapter 13 we detailed the arithmetic on elliptic curves. This chapter deals with hyperelliptic curves, which can be seen as a generalization of elliptic curves. We first give a brief overview of the main properties of hyperelliptic curves repeating the definitions for the convenience of the reader. The details can be found in Chapter 4 . In the applications, group elements must be stored and transmitted. For restricted environments or restricted bandwidth it might be useful to use compression even though recovering the original coordinates needs some efforts. Accordingly, we consider compression techniques. The main emphasis of this chapter is put on the arithmetic properties, i.e., on algorithms to perform the group operation. We state Cantor’s algorithm, which works for arbitrary ground field and genus of the curve. To obtain better performance one needs to fix the genus and develop explicit formulas as for elliptic curves (cf. Chapters 13.2 and 13.3). We first specialize to considering curves of genus 2 , separately over finite fields of odd and then of even characteristic. For both cases we give formulas for different coordinate systems, namely affine, projective, and new coordinates. The latter two systems allow us to avoid inversions in the group operation. For odd characteristic we also state two possible generalizations of Montgomery coordinates (cf. Section 13.2.3); for even characteristic there is no such generalization yet. Also for genus 3 hyperelliptic curves, explicit formulas have been proposed. We give explicit formulas in affine coordinates in Section 14.6. Also nonhyperelliptic curves of genus 3 have been proposed for cryptographic applications. The final section gives references to these publications and also for genus 4 hyperelliptic curves before we conclude with a comparison and timings.

Integral Points on Elliptic Curves Defined by Simplest Cubic Fields

Let f(X) be a cubic polynomial defining a simplest cubic field in the senseof Shanks. We study integral points on elliptic curves of the form y2 = f(X). We compute the complete list of integral points on these curves for the values of the parameter below 1000. We prove that this list is exhaustive by using the methods of Tzanakis and de Weger, together with bounds on linear forms in elliptic logarithms due to S. David. Finally, we analyze this list and we prove in the general case the phenomena that we have observed. In particular, we find all integral points on the curve when the rank is equal to 1.