The gallant-lambert-vanstone decomposition revisited

Abstract

The Gallant-Lambert-Vanstone method accelerates the computation of scalar multiplication [k]P of a point (or a divisor) P of prime order r on some algebraic curve (or its Jacobian) by using an efficient endomorphism φ on such curve. Suppose φ has minimal polynomial (formula displayed), the question how to efficiently decompose the scalar k as [k]P = (formula displayed) with maxi log |ki| ≈ (formula displayed) log r has drawn a lot of attention. In this paper we show the link between the lattice based decomposition and the division in Z[φ] decomposition, and propose a hybrid method to decompose k with maxi (formula displayed), where (formula displayed). In particular, we give explicit and efficient GLV decompositions for some genus 1 and 2 curves with efficient endomorphisms through decomposing the Frobenius map in Z[φ], which also indicate that the complex multiplication usually implies good properties for GLV decomposition. Our results well support the GLV method for faster implementations of scalar multiplications on desired curves.