Four-Dimensional Gallant-Lambert-Vanstone Scalar Multiplication (Full version)

The GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) computes any multiple kP of a point P of prime order n lying on an elliptic curve with a low-degree endomorphism Φ (called GLV curve) over GF(p) as kP = k1P + k2Φ(P), with max|k1|,|k2| 1 n^(1/2) for some explicit constant C1>0. Recently, Galbraith, Lin and Scott (EUROCRYPT 2009) extended this method to all curves over GF(p2) which are twists of curves defined over GF(p). We show in this work how to merge the two approaches in order to get, for twists of any GLV curve over GF(p2), a four-dimensional decomposition together with fast endomorphisms Φ, Ψ over GF(p2) acting on the group generated by a point P of prime order n, resulting in a proven decomposition for any scalar k ∈ [1,n] given by kP=k1P+ k2Φ(P)+ k3Ψ(P) + k4ΨΦ(P), with maxi (|ki|)2 n^(1/4) for some explicit C2>0. Remarkably, taking the best C1, C2, we obtain C2/C1