Four-Dimensional Gallant-Lambert-Vanstone Scalar Multiplication

TL;DR

This paper introduces a four-dimensional scalar decomposition method for elliptic curve cryptography, combining previous approaches to achieve faster computations on twists of GLV curves over p^2 with explicit bounds and new curve families.

Contribution

It merges two prior methods to produce a four-dimensional decomposition with explicit bounds, enabling faster scalar multiplication on a broader class of elliptic curves.

Findings

Achieves a four-dimensional decomposition for twists of any GLV curve over p^2.

Provides explicit bounds with a constant speedup factor less than 408.

Derives new families of GLV curves with degree 3 endomorphisms.

Abstract

The GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) computes any multiple $kP$ of a point $P$ of prime order $n$ lying on an elliptic curve with a low-degree endomorphism $\Phi$ (called GLV curve) over $\mathbb{F}_p$ as [kP = k_1P + k_2\Phi(P), \quad\text{with} \max{|k_1|,|k_2|}\leq C_1\sqrt n] for some explicit constant $C_1>0$. Recently, Galbraith, Lin and Scott (EUROCRYPT 2009) extended this method to all curves over $\mathbb{F}_{p^2}$ which are twists of curves defined over $\mathbb{F}_p$. We show in this work how to merge the two approaches in order to get, for twists of any GLV curve over $\mathbb{F}_{p^2}$, a four-dimensional decomposition together with fast endomorphisms $\Phi, \Psi$ over $\mathbb{F}_{p^2}$ acting on the group generated by a point $P$ of prime order $n$, resulting in a proved decomposition for any scalar $k\in[1,n]$ $$ kP=k_1P+ k_2\Phi(P)+ k_3\Psi(P) + k_4\Psi\Phi(P)\quad \text{with} \max_i (|k_i|)< C_2\, n^{1/4} $$ for some explicit $C_2>0$. Furthermore, taking the best $C_1, C_2$, we get $C_2/C_1<408$, independently of the curve, ensuring a constant relative speedup. We also derive new families of GLV curves, corresponding to those curves with degree 3 endomorphisms.