On the Optimal Parameter Choice for Elliptic Curve Cryptosystems Using Isogeny
Summary :
Isogeny for elliptic curve cryptosystems was initially used for efficient improvement of order counting methods. Recently, Smart proposed a countermeasure using isogeny for resisting a refined differential power analysis by Goubin (Goubin's attack). In this paper, we examine a countermeasure using isogeny against zero-value point (ZVP) attack that is generalization of Goubin's attack. We show that some curves require higher order of isogeny to prevent ZVP attack. Moreover, we prove that the class of curves that satisfies (-3/p) = 1 and whose order is odd cannot be mapped by isogeny to curves with a = -3 and secure against ZVP attack. We point out that three SECG curves are in this class. In the addition, we compare some efficient algorithms that are secure against both Goubin's attack and ZVP attack, and present the most efficient method of computing a scalar multiplication for each curve from SECG. Finally, we discuss another improvement for an efficient scalar multiplication, namely the usage of a point (0,y) for a base point of curve parameters. We are able to improve about 11% for double-and-add-always method, when the point (0,y) exists in an underlying curve or its isogeny.
- Publication
- IEICE TRANSACTIONS on Fundamentals Vol.E88-A No.1 pp.140-146
- Publication Date
- 2005/01/01
- Publicized
- Online ISSN
- DOI
- 10.1093/ietfec/e88-a.1.140
- Type of Manuscript
- Special Section PAPER (Special Section on Cryptography and Information Security)
- Category
- Tamper-Resistance
Authors
Keyword
Latest Issue
Copyrights notice of machine-translated contents
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Cite this
Copy
Toru AKISHITA, Tsuyoshi TAKAGI, "On the Optimal Parameter Choice for Elliptic Curve Cryptosystems Using Isogeny" in IEICE TRANSACTIONS on Fundamentals,
vol. E88-A, no. 1, pp. 140-146, January 2005, doi: 10.1093/ietfec/e88-a.1.140.
Abstract: Isogeny for elliptic curve cryptosystems was initially used for efficient improvement of order counting methods. Recently, Smart proposed a countermeasure using isogeny for resisting a refined differential power analysis by Goubin (Goubin's attack). In this paper, we examine a countermeasure using isogeny against zero-value point (ZVP) attack that is generalization of Goubin's attack. We show that some curves require higher order of isogeny to prevent ZVP attack. Moreover, we prove that the class of curves that satisfies (-3/p) = 1 and whose order is odd cannot be mapped by isogeny to curves with a = -3 and secure against ZVP attack. We point out that three SECG curves are in this class. In the addition, we compare some efficient algorithms that are secure against both Goubin's attack and ZVP attack, and present the most efficient method of computing a scalar multiplication for each curve from SECG. Finally, we discuss another improvement for an efficient scalar multiplication, namely the usage of a point (0,y) for a base point of curve parameters. We are able to improve about 11% for double-and-add-always method, when the point (0,y) exists in an underlying curve or its isogeny.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1093/ietfec/e88-a.1.140/_p
Copy
@ARTICLE{e88-a_1_140,
author={Toru AKISHITA, Tsuyoshi TAKAGI, },
journal={IEICE TRANSACTIONS on Fundamentals},
title={On the Optimal Parameter Choice for Elliptic Curve Cryptosystems Using Isogeny},
year={2005},
volume={E88-A},
number={1},
pages={140-146},
abstract={Isogeny for elliptic curve cryptosystems was initially used for efficient improvement of order counting methods. Recently, Smart proposed a countermeasure using isogeny for resisting a refined differential power analysis by Goubin (Goubin's attack). In this paper, we examine a countermeasure using isogeny against zero-value point (ZVP) attack that is generalization of Goubin's attack. We show that some curves require higher order of isogeny to prevent ZVP attack. Moreover, we prove that the class of curves that satisfies (-3/p) = 1 and whose order is odd cannot be mapped by isogeny to curves with a = -3 and secure against ZVP attack. We point out that three SECG curves are in this class. In the addition, we compare some efficient algorithms that are secure against both Goubin's attack and ZVP attack, and present the most efficient method of computing a scalar multiplication for each curve from SECG. Finally, we discuss another improvement for an efficient scalar multiplication, namely the usage of a point (0,y) for a base point of curve parameters. We are able to improve about 11% for double-and-add-always method, when the point (0,y) exists in an underlying curve or its isogeny.},
keywords={},
doi={10.1093/ietfec/e88-a.1.140},
ISSN={},
month={January},}
Copy
TY - JOUR
TI - On the Optimal Parameter Choice for Elliptic Curve Cryptosystems Using Isogeny
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 140
EP - 146
AU - Toru AKISHITA
AU - Tsuyoshi TAKAGI
PY - 2005
DO - 10.1093/ietfec/e88-a.1.140
JO - IEICE TRANSACTIONS on Fundamentals
SN -
VL - E88-A
IS - 1
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - January 2005
AB - Isogeny for elliptic curve cryptosystems was initially used for efficient improvement of order counting methods. Recently, Smart proposed a countermeasure using isogeny for resisting a refined differential power analysis by Goubin (Goubin's attack). In this paper, we examine a countermeasure using isogeny against zero-value point (ZVP) attack that is generalization of Goubin's attack. We show that some curves require higher order of isogeny to prevent ZVP attack. Moreover, we prove that the class of curves that satisfies (-3/p) = 1 and whose order is odd cannot be mapped by isogeny to curves with a = -3 and secure against ZVP attack. We point out that three SECG curves are in this class. In the addition, we compare some efficient algorithms that are secure against both Goubin's attack and ZVP attack, and present the most efficient method of computing a scalar multiplication for each curve from SECG. Finally, we discuss another improvement for an efficient scalar multiplication, namely the usage of a point (0,y) for a base point of curve parameters. We are able to improve about 11% for double-and-add-always method, when the point (0,y) exists in an underlying curve or its isogeny.
ER -
English
