Secure GLS recomposition for sum-of-square cofactors

Abstract

The GLV/GLS technique speeds up scalar multiplications on elliptic curves endowed with an efficiently computable endomorphism: a scalar multiplication by a full-size scalar becomes a double scalar multiplication by half-size scalars, which is significantly faster. However, this requires to first decompose the original scalar into an appropriate linear combination of half-size scalars using reduction in a low-dimensional lattice. Since a reduced basis of the lattice can be precomputed, this is typically fast, but it tends to leak a lot of side-channel information about the scalar. To avoid this issue, Aranha et al. (ASIACRYPT 2014) proposed to use “recomposition” instead, i.e. choose the two half-sized scalars at random in a suitable interval, defining a corresponding full-size scalar implicitly. If the statistical distance to uniform of the distribution of that scalar is negligible, the recomposition method is secure and avoids any of the leakage of GLV/GLS decomposition. The original paper obtained the statistical distance result for GLS curves of prime order. In this work, we extend their proof to GLS curves having a cofactor which can be written as a sum of two squares. This shows in particular how to obtain secure recomposition for (twisted) Edwards GLS curves and the fast binary curve GLS254 of Oliveira et al. (CHES 2013), as these curves have cofactor 4 and 2 respectively.