Four Dimensional Decompositions on a Q-Curve Over the Mersenne

Four-dimensional decompositions on a -curve

Joint work with Patrick Longa http://research.microsoft.com/pubs/246916/main.pdf “NIST should generate a new set of elliptic curves […] and should incorporate the latest knowledge…” [Edward Felten, VCAT document, page 9]. “NIST should generate a new set of elliptic curves […] and should incorporate the latest knowledge…” [Edward Felten, VCAT document, page 9].

Some 21st century ECC milestones

2001: CM endomorphisms [GLV01]

2007: Edwards curves [Edw07,BL07]

2008: Twisted Edwards coordinates [BBJ+08,HCWD08]

2009: Frobenius endomorphisms [GLS09]

2013: Q-curve endomorphisms [Smi13] “NIST should generate a new set of elliptic curves […] and should incorporate the latest knowledge…” [Edward Felten, VCAT document, page 9].

Some 21st century ECC milestones

2001: CM endomorphisms [GLV01]

2007: Edwards curves [Edw07,BL07]

2008: Twisted Edwards coordinates [BBJ+08,HCWD08]

2009: Frobenius endomorphisms [GLS09]

2013: Q-curve endomorphisms [Smi13] “I don't care about a performance difference unless it is at least a factor of two.” [Phillip Hallam-Baker, CFRG mailing list, 12 Mar 2015, 3 Feb 2015,…]. “I don't care about a performance difference unless it is at least a factor of two.” [Phillip Hallam-Baker, CFRG mailing list, 12 Mar 2015, 3 Feb 2015,…].

#cycles(NUMS,curve25519,etc) #cycles( ) ≫ 2.5

#cycles(NIST Curvep256) #cycles( ) ≫ 4.5 “Minimize tensions between speed, simplicity, & security.” [Daniel J. Bernstein, CFRG mailing list, 1 Aug 2014, 21 Nov 2014, …]. “Minimize tensions between speed, simplicity, & security.” [Daniel J. Bernstein, CFRG mailing list, 1 Aug 2014, 21 Nov 2014, …].

speed

3 speed 푇3 푇1 푇푖 = 0 푖=1

simplicity 푇2 security The curve

2 2 2 2 퐸/ 픽푝2: −푥 + 푦 = 1 + 푑푥 푦 , 푑 = 125317048443780598345676279555970305165 ⋅ 푖 + 4205857648805777768770 #퐸 = 392 ⋅ 푁 , where 푁 is a 246-bit prime The curve

2 2 2 2 퐸/ 픽푝2: −푥 + 푦 = 1 + 푑푥 푦 , 푑 = 125317048443780598345676279555970305165 ⋅ 푖 + 4205857648805777768770 #퐸 = 392 ⋅ 푁 , where 푁 is a 246-bit prime

• Fastest (large char) ECC addition laws are complete on 퐸 • 퐸 is a degree-2 Q-curve: endomorphism 휓 • 퐸 has CM by order of 퐷 = −40: endomorphism 휙 256 • 휓 푃 = 휆휓 푃 and 휙 푃 = 휆휙 푃 for all 푃 ∈ 퐸[푁] and 푚 ∈ [0,2 )

푚 ↦ 푎1, 푎2, 푎3, 푎4

푚 푃 = 푎1 푃 + 푎2 휙 푃 + 푎3 휓 푃 + 푎4 휓(휙(푃)) Security aspects

• Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁 Security aspects

• Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁

• Unlike typical GLV and GLS endomorphisms, no speedup in rho from 휓 and 휙 Security aspects

• Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁

• Unlike typical GLV and GLS endomorphisms, no speedup in rho from 휓 and 휙

• 픽푝2 safe against index calculus/Weil descent Security aspects

• Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁

• Unlike typical GLV and GLS endomorphisms, no speedup in rho from 휓 and 휙

• 픽푝2 safe against index calculus/Weil descent

• Large MOV degree and trace of Frobenius Security aspects

• Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁

• Unlike typical GLV and GLS endomorphisms, no speedup in rho from 휓 and 휙

• 픽푝2 safe against index calculus/Weil descent

• Large MOV degree and trace of Frobenius

• Yes, small discriminant (퐷 = −40), just like other standardized curves 푠푒푐푝192푘1, 푠푒푐푝224푘1, 푠푒푐푝256푘1 (Bitcoin’s curve) Optimal Scalar Decompositions

푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. Optimal Scalar Decompositions

푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. 푚 = 64840569332679984426672436340494668739430332089137885001096300239355695153788

푎1 = 14445124749170047041 푎2 = 11638376461179115075 푎3 = 5032911711680286358 푎4 = 881092582828842431 Optimal Scalar Decompositions