Paper 2024/1985
Endomorphisms for Faster Cryptography on Elliptic Curves of Moderate CM Discriminants
Abstract
This article generalizes the widely-used GLV decomposition for (multi-)scalar multiplication to a much broader range of elliptic curves with moderate CM discriminant \( D < 0 \). Previously, it was commonly believed that this technique can only be applied efficiently for small values of \( D \) (e.g., up to \( 100 \)). In practice, curves with \( j \)-invariant \( 0 \) are most frequently employed, as they have the smallest possible \( D = -3 \). However, \( j = 0 \) curves are either too suspicious for conservative government regulators (e.g., for Russian ones, which prefer \( D = -619 \)) or unavailable under imposed extra restrictions in a series of cryptographic settings. The article thus participates in the decade-long development of numerous curves with moderate \( D \) in the context of zk-SNARKs. Such curves are typically derived from others, which limits the ability to generate them while controlling the magnitude of \( D \).
Metadata
- Available format(s): PDF
- Category: Implementation
- Publication info: Preprint.
- Keywords: binary quadratic forms, elliptic curve cryptography, ideal class groups, isogeny loops, (multi-)scalar multiplication
- Contact author(s): dimitri koshelev @ gmail com; antonio sanso @ ethereum org
- History:
  - 2025-04-02: last of 2 revisions
  - 2024-12-08: received
- Short URL: https://ia.cr/2024/1985
- License: CC0
BibTeX
@misc{cryptoeprint:2024/1985,
  author = {Dimitri Koshelev and Antonio Sanso},
  title = {Endomorphisms for Faster Cryptography on Elliptic Curves of Moderate {CM} Discriminants},
  howpublished = {Cryptology {ePrint} Archive, Paper 2024/1985},
  year = {2024},
  url = {https://eprint.iacr.org/2024/1985}
}