On the optimal parameter choice for elliptic curve cryptosystems using isogeny

Toru Akishita, Tsuyoshi Takagi

Research output: Contribution to journal › Article

9 Citations (Scopus)

Abstract

The isogeny for elliptic curve cryptosystems was initially used for the efficient improvement of order counting methods. Recently, Smart proposed the countermeasure using isogeny for resisting the refined differential power analysis by Goubin (Goubin's attack). In this paper, we examine the countermeasure using isogeny against the zero-value point (ZVP) attack, which is a generalization of Goubin's attack. We show that some curves require higher order of isogeny to prevent the ZVP attack. Moreover, we prove that this countermeasure cannot transfer a class of curve to the efficient curve that is secure against the ZVP attack. This class satisfies that the curve order is odd and (-3/p) = -1 for the base field p, and includes three SECG curves. In addition, we compare some efficient algorithms that are secure against both Goubin's attack and the ZVP attack, and present the most efficient method of computing the scalar multiplication for each curve from SECG. Finally, we discuss another improvement for the efficient scalar multiplication, namely the usage of the point (0, y) for the base point of curve parameters. We are able to improve about 11% for the double-and-add-always method, when the point (0, y) exists in the underlying curve or its isogeny.

Original language: English
Pages (from-to): 346-359
Number of pages: 14
Journal: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 2947
Publication status: Published - Dec 1 2004

Fingerprint

Elliptic Curve Cryptosystem
Isogeny
Optimal Parameter
Cryptography
Attack
Curve
Countermeasures
Scalar multiplication
Zero
Differential Power Analysis
Counting
Efficient Algorithms
Odd
Higher Order
Computing

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science (all)

Cite this

@article{966f82466ccd491491154724058cfd27,
title = "On the optimal parameter choice for elliptic curve cryptosystems using isogeny",
abstract = "The isogeny for elliptic curve cryptosystems was initially used for the efficient improvement of order counting methods. Recently, Smart proposed the countermeasure using isogeny for resisting the refined differential power analysis by Goubin (Goubin's attack). In this paper, we examine the countermeasure using isogeny against zero-value point (ZVP) attack that is generalization of Goubin's attack. We show that some curves require higher order of isogeny to prevent ZVP attack. Moreover, we prove that this countermeasure cannot transfer a class of curve to the efficient curve that is secure against ZVP attack. This class satisfies that the curve order is odd and (-3/p) = -1 for the base field p, and includes three SECG curves. In the addition, we compare some efficient algorithms that are secure against both Goubin's attack and ZVP attack, and present the most efficient method of computing the scalar multiplication for each curve from SECG. Finally, we discuss another improvement for the efficient scalar multiplication, namely the usage of the point (0, y) for the base point of curve parameters. We are able to improve about 11{\%} for double-and-add-always method, when the point (0, y) exists in the underlying curve or its isogeny.",
author = "Toru Akishita and Tsuyoshi Takagi",
year = "2004",
month = "12",
day = "1",
language = "English",
volume = "2947",
pages = "346--359",
journal = "Lecture Notes in Computer Science",
issn = "0302-9743",
publisher = "Springer Verlag",

}

TY - JOUR

T1 - On the optimal parameter choice for elliptic curve cryptosystems using isogeny

AU - Akishita, Toru

AU - Takagi, Tsuyoshi

PY - 2004/12/1

Y1 - 2004/12/1

N2 - The isogeny for elliptic curve cryptosystems was initially used for the efficient improvement of order counting methods. Recently, Smart proposed the countermeasure using isogeny for resisting the refined differential power analysis by Goubin (Goubin's attack). In this paper, we examine the countermeasure using isogeny against zero-value point (ZVP) attack that is generalization of Goubin's attack. We show that some curves require higher order of isogeny to prevent ZVP attack. Moreover, we prove that this countermeasure cannot transfer a class of curve to the efficient curve that is secure against ZVP attack. This class satisfies that the curve order is odd and (-3/p) = -1 for the base field p, and includes three SECG curves. In the addition, we compare some efficient algorithms that are secure against both Goubin's attack and ZVP attack, and present the most efficient method of computing the scalar multiplication for each curve from SECG. Finally, we discuss another improvement for the efficient scalar multiplication, namely the usage of the point (0, y) for the base point of curve parameters. We are able to improve about 11% for double-and-add-always method, when the point (0, y) exists in the underlying curve or its isogeny.

UR - http://www.scopus.com/inward/record.url?scp=23044482179&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=23044482179&partnerID=8YFLogxK

M3 - Article

VL - 2947

SP - 346

EP - 359

JO - Lecture Notes in Computer Science

JF - Lecture Notes in Computer Science

SN - 0302-9743

ER -