Analysis of the Gallant-Lambert-Vanstone Method Based on Efficient Endomorphisms: Elliptic and Hyperelliptic Curves

摘要

In this work we analyse the GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) which uses a fast endomorphismΦwith minimal polynomial X~2 + rX + s to compute any multiple kP of a point P of order n lying on an elliptic curve. First we fill in a gap in the proof of the bound of the kernelκvectors of the reduction map f: (i, j) → i +λj (mod n). In particular, we prove the GLV decomposition with explicit constant kP = k_1P + k_2Φ(P), with max{|k_1| , |k_2|}≤(1+|r|+s)~(1/2) n~(1/2) Next we improve on this bound and give the best constant in the given examples for the quantity sup_(k,n) max{|k_1|, |k_2|}~(1/2) Independently Park, Jeong, Kim, and Lim (PKC 2002) have given similar but slightly weaker bounds. Finally we provide the first explicit bounds for the GLV method generalised to hyperelliptic curves as described in Park, Jeong and Lim (EU-ROCRYPT 2002).