Analysis of the Gallant-Lambert-Vanstone Method Based on Efficient Endomorphisms: Elliptic and Hyperelliptic Curves

In this work we analyse the GLVmethod of Gallant, Lambert and Vanstone (CRYPTO 2001) which uses a fast endomorphism Φ with minimal polynomial X + rX+ s to compute any multiple kP of a point P of order n lying on an elliptic curve. First we fill in a gap in the proof of the bound of the kernel K vectors of the reduction map f : (i, j) 7→ i+λj (mod n). In particular, we prove the GLV decomposition with explicit constant kP = k1P + k2Φ(P ), with max{|k1|, |k2|} ≤ √ 1 + |r|+ s √ n . Next we improve on this bound and give the best constant in the given examples for the quantity supk,nmax{|k1|, |k2|}/ √ n. Independently Park, Jeong, Kim, and Lim (PKC 2002) have given similar but slightly weaker bounds. Finally we provide the first explicit bounds for the GLV method generalised to hyperelliptic curves as described in Park, Jeong and Lim (EUROCRYPT 2002).