The Q-curve construction for endomorphism-accelerated elliptic curves

TL;DR

This paper introduces a new method using $ ext{Q}$-curves to construct elliptic curves with efficient endomorphisms over $ ext{F}_{p^2}$, enhancing cryptographic acceleration and security options compared to existing techniques.

Contribution

It presents a novel $ ext{Q}$-curve reduction technique for constructing elliptic curves with efficient endomorphisms, broadening the range of secure, twist-secure curves available for cryptography.

Findings

Constructed families of elliptic curves with efficient endomorphisms for all $p > 3$.

Demonstrated twist-secure curves over $ ext{F}_{p^2}$ for $p=2^{127}-1$.

Enhanced cryptographic efficiency and security options compared to previous methods.

Abstract

We give a detailed account of the use of $\mathbb{Q}$-curve reductions to construct elliptic curves over $\mathbb{F}\_{p^2}$ with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant--Lambert--Vanstone (GLV) and Galbraith--Lin--Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when \(p\) is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over $\mathbb{F}\_{p^2}$ equipped with efficient endomorphisms for every $p \textgreater{} 3$, and exhibit examples of twist-secure curves over $\mathbb{F}\_{p^2}$ for the efficient Mersenne prime $p = 2^{127}-1$.