The Q -curve Construction for Endomorphism-Accelerated Elliptic Curves

Benjamin Smith

doi:10.1007/s00145-015-9210-8

The Q -curve Construction for Endomorphism-Accelerated Elliptic Curves

Benjamin Smith

Research output: Contribution to journal › Article › peer-review

Abstract

We give a detailed account of the use of Q-curve reductions to construct elliptic curves over Fp2 with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant–Lambert–Vanstone (GLV) and Galbraith–Lin–Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves and thus finding secure group orders when p is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over Fp2 equipped with efficient endomorphisms for every p> 3 , and exhibit examples of twist-secure curves over Fp2 for the efficient Mersenne prime p= 2 ¹²⁷- 1.

Original language	English
Pages (from-to)	806-832
Number of pages	27
Journal	Journal of Cryptology
Volume	29
Issue number	4
DOIs	https://doi.org/10.1007/s00145-015-9210-8
Publication status	Published - 1 Oct 2016

Keywords

Elliptic curve cryptography
Endomorphism
Exponentiation
GLS
GLV
Q-curves
Scalar decomposition
Scalar multiplication

Access to Document

10.1007/s00145-015-9210-8

Cite this

@article{46671f5ab6034c34b7d158e398d9934e,

title = "The Q -curve Construction for Endomorphism-Accelerated Elliptic Curves",

abstract = "We give a detailed account of the use of Q-curve reductions to construct elliptic curves over Fp2 with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant–Lambert–Vanstone (GLV) and Galbraith–Lin–Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves and thus finding secure group orders when p is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over Fp2 equipped with efficient endomorphisms for every p> 3 , and exhibit examples of twist-secure curves over Fp2 for the efficient Mersenne prime p= 2 127- 1.",

keywords = "Elliptic curve cryptography, Endomorphism, Exponentiation, GLS, GLV, Q-curves, Scalar decomposition, Scalar multiplication",

author = "Benjamin Smith",

note = "Publisher Copyright: {\textcopyright} 2015, International Association for Cryptologic Research.",

year = "2016",

month = oct,

day = "1",

doi = "10.1007/s00145-015-9210-8",

language = "English",

volume = "29",

pages = "806--832",

journal = "Journal of Cryptology",

issn = "0933-2790",

number = "4",

}

TY - JOUR

T1 - The Q -curve Construction for Endomorphism-Accelerated Elliptic Curves

AU - Smith, Benjamin

PY - 2016/10/1

Y1 - 2016/10/1

N2 - We give a detailed account of the use of Q-curve reductions to construct elliptic curves over Fp2 with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant–Lambert–Vanstone (GLV) and Galbraith–Lin–Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves and thus finding secure group orders when p is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over Fp2 equipped with efficient endomorphisms for every p> 3 , and exhibit examples of twist-secure curves over Fp2 for the efficient Mersenne prime p= 2 127- 1.

AB - We give a detailed account of the use of Q-curve reductions to construct elliptic curves over Fp2 with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant–Lambert–Vanstone (GLV) and Galbraith–Lin–Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves and thus finding secure group orders when p is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over Fp2 equipped with efficient endomorphisms for every p> 3 , and exhibit examples of twist-secure curves over Fp2 for the efficient Mersenne prime p= 2 127- 1.

KW - Elliptic curve cryptography

KW - Endomorphism

KW - Exponentiation

KW - GLS

KW - GLV

KW - Q-curves

KW - Scalar decomposition

KW - Scalar multiplication

U2 - 10.1007/s00145-015-9210-8

DO - 10.1007/s00145-015-9210-8

M3 - Article

AN - SCOPUS:84938632918

SN - 0933-2790

VL - 29

SP - 806

EP - 832

JO - Journal of Cryptology

JF - Journal of Cryptology

IS - 4

ER -

The Q -curve Construction for Endomorphism-Accelerated Elliptic Curves

Abstract

Keywords

Access to Document

Fingerprint

Cite this