Four-Dimensional Gallant-Lambert-Vanstone Scalar Multiplication

Abstract

The GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) computes any multiple kP of a point P of prime order n lying on an elliptic curve with a low-degree endomorphism (called GLV curve) over Fp as [kP = k1P + k2(P), |k1|,|k2|≤ C1 n] for some explicit constant C1>0. Recently, Galbraith, Lin and Scott (EUROCRYPT 2009) extended this method to all curves over Fp2 which are twists of curves defined over Fp. We show in this work how to merge the two approaches in order to get, for twists of any GLV curve over Fp2, a four-dimensional decomposition together with fast endomorphisms , over Fp2 acting on the group generated by a point P of prime order n, resulting in a proved decomposition for any scalar k∈[1,n] kP=k1P+ k2(P)+ k3(P) + k4(P) with i (|ki|)< C2\, n1/4 for some explicit C2>0. Furthermore, taking the best C1, C2, we get C2/C1<408, independently of the curve, ensuring a constant relative speedup. We also derive new families of GLV curves, corresponding to those curves with degree 3 endomorphisms.