FourQ | |
FourQ | |
Developer: | Microsoft Research |
Latest Release Version: | v3.1 |
Programming Language: | C |
Operating System: | Windows 10, Linux |
Platform: | IA-32, x86-64, ARM32, ARM64 |
Genre: | Elliptic-curve cryptographic library |
License: | MIT License |
In cryptography, FourQ is an elliptic curve developed by Microsoft Research. It is designed for key agreements schemes (elliptic-curve Diffie–Hellman) and digital signatures (Schnorr), and offers about 128 bits of security.[1] It is equipped with a reference implementation made by the authors of the original paper. The open source implementation is called FourQlib and runs on Windows and Linux and is available for x86, x64, and ARM.[2] It is licensed under the MIT License and the source code is available on GitHub.[3]
2127-1
The curve was published in 2015 by Craig Costello and Patrick Longa from Microsoft Research on ePrint.[1]
The paper was presented in Asiacrypt in 2015 in Auckland, New Zealand, and consequently a reference implementation was published on Microsoft's website.[2]
There were some efforts to standardize usage of the curve under IETF; these efforts were withdrawn in late 2017.[5]
The curve is defined by a twisted Edwards equation
-x2+y2=1+dx2y2
d
F | |
p2 |
p
2127-1
In order to avoid small subgroup attacks,[6] all points are verified to lie in an N-torsion subgroup of the elliptic curve, where N is specified as a 246-bit prime dividing the order of the group.
The curve is equipped with two nontrivial endomorphisms:
\psi
p
\phi
The currently best known discrete logarithm attack is the generic Pollard's rho algorithm, requiring about
2122.5
In order to prevent timing attacks, all group operations are done in constant time, i.e. without disclosing information about key material.[1]
Most cryptographic primitives, and most notably ECDH, require fast computation of scalar multiplication, i.e.
[k]P
P
k
\{0,\ldots,N-1\}
Since we look at a prime order cyclic subgroup, one can write scalars
λ\psi,λ\phi
\psi(P)=[λ\psi]P
\phi(P)=[λ\phi]P
P
Hence, for a given
k
k=a1+a2λ\phi+a3λ\psi+a4λ\phiλ\psi\pmodN
ai
[k]P
[k]P=[a1]P+[a2]\phi(P)+[a3]\psi(P)+[a4]\phi(\psi(P))
ai
ai<264
Moreover, as the characteristic of the field is a Mersenne prime, modulations can be carried efficiently.
Both properties (four dimensional decomposition and Mersenne prime characteristic), alongside usage of fast multiplication formulae (extended twisted Edwards coordinates), make FourQ the currently fastest elliptic curve for the 128 bit security level.
FourQ is implemented in the cryptographic library CIRCL, published by Cloudflare.[8]