Informatics Educational Institutions & Programs

FourQ
Developer(s)	Microsoft Research
Initial release	2015; 9 years ago
Stable release	v3.1
Repository	github.com/microsoft/FourQlib
Written in	C
Operating system	Windows 10, Linux
Platform	IA-32, x86-64, ARM32, ARM64
Type	Elliptic-curve cryptographic library
License	MIT License
Website	www.microsoft.com/en-us/research/project/fourqlib/

In cryptography, FourQ is an elliptic curve developed by Microsoft Research. It is designed for key agreements schemes (elliptic-curve Diffie–Hellman) and digital signatures (Schnorr), and offers about 128 bits of security.^[1] It is equipped with a reference implementation made by the authors of the original paper. The open source implementation is called FourQlib and runs on Windows and Linux and is available for x86, x64, and ARM.^[2] It is licensed under the MIT License and the source code is available on GitHub.^[3]

Its name is derived from the four dimensional Gallant–Lambert–Vanstone scalar multiplication, which allows high performance calculations.^[4] The curve is defined over a two dimensional extension of the prime field defined by the Mersenne prime $2^{127}-1$ .

History

The curve was published in 2015 by Craig Costello and Patrick Longa from Microsoft Research on ePrint.^[1]

The paper was presented in Asiacrypt in 2015 in Auckland, New Zealand, and consequently a reference implementation was published on Microsoft's website.^[2]

There were some efforts to standardize usage of the curve under IETF; these efforts were withdrawn in late 2017.^[5]

Mathematical properties

The curve is defined by a twisted Edwards equation

-x^{2}+y^{2}=1+dx^{2}y^{2}

$d$ is a non-square in $\mathbb {F} _{p^{2}}$ , where $p$ is the Mersenne prime $2^{127}-1$ .

In order to avoid small subgroup attacks,^[6] all points are verified to lie in an N-torsion subgroup of the elliptic curve, where N is specified as a 246-bit prime dividing the order of the group.

The curve is equipped with two nontrivial endomorphisms: $\psi$ related to the $p$ -power Frobenius map, and $\phi$ , a low degree efficiently computable endomorphism (see complex multiplication).

Cryptographic properties

Security

The currently best known discrete logarithm attack is the generic Pollard's rho algorithm, requiring about $2^{122.5}$ group operations on average. Therefore, it typically belongs to the 128 bit security level.

In order to prevent timing attacks, all group operations are done in constant time, i.e. without disclosing information about key material.^[1]

Efficiency

Most cryptographic primitives, and most notably ECDH, require fast computation of scalar multiplication, i.e. $[k]P$ for a point $P$ on the curve and an integer $k$ , which is usually thought as distributed uniformly at random over $\{0,\ldots ,N-1\}$ .

Since we look at a prime order cyclic subgroup, one can write scalars $\lambda _{\psi },\lambda _{\phi }$ such that $\psi (P)=[\lambda _{\psi }]P$ and $\phi (P)=[\lambda _{\phi }]P$ for every point $P$ in the N-torsion subgroup.

Hence, for a given $k$ we may write

k=a_{1}+a_{2}\lambda _{\phi }+a_{3}\lambda _{\psi }+a_{4}\lambda _{\phi }\lambda _{\psi }{\pmod {N}}

If we find small $a_{i}$ , we may compute $[k]P$ quickly by utilizing the implied equation

[k]P=[a_{1}]P+[a_{2}]\phi (P)+[a_{3}]\psi (P)+[a_{4}]\phi (\psi (P))

Babai rounding technique^[7] is used to find small $a_{i}$ . For FourQ it turns that one can guarantee an efficiently computable solution with $a_{i}<2^{64}$ .

Moreover, as the characteristic of the field is a Mersenne prime, modulations can be carried efficiently.

Both properties (four dimensional decomposition and Mersenne prime characteristic), alongside usage of fast multiplication formulae (extended twisted Edwards coordinates), make FourQ the currently fastest elliptic curve for the 128 bit security level.

Uses

FourQ is implemented in the cryptographic library CIRCL, published by Cloudflare.^[8]

References

^ ^a ^b ^c Costello, Craig; Longa, Patrick (2015). "FourQ: four-dimensional decompositions on a Q-curve over the Mersenne prime". Retrieved 23 May 2019. {{cite journal}}: Cite journal requires |journal= (help)
^ ^a ^b "FourQlib". Microsoft Research. Retrieved 23 May 2019.
^ "References". GitHub. 4 October 2021.
^ Longa, Patrick; Sica, Francesco (2011). "Four-Dimensional Gallant–Lambert–Vanstone Scalar Multiplication". arXiv:1106.5149. Retrieved 23 May 2019. {{cite journal}}: Cite journal requires |journal= (help)
^ Ladd, Watson; Longa, Patrick; Barnes, Richard (27 March 2017). "draft-ladd-cfrg-4q-01". Ietf Datatracker. Retrieved 23 May 2019.
^ van Oorschot, Paul C.; Wiener, Michael J. (1996). "On Diffie-Hellman Key Agreement with Short Exponents". Advances in Cryptology — EUROCRYPT '96. Lecture Notes in Computer Science. Vol. 1070. Springer Berlin Heidelberg. pp. 332–343. doi:10.1007/3-540-68339-9_29. ISBN 978-3-540-61186-8.
^ Babai, L. (1 March 1986). "On Lovász' lattice reduction and the nearest lattice point problem". Combinatorica. 6 (1): 1–13. doi:10.1007/BF02579403. ISSN 1439-6912. S2CID 7914792.
^ "Introducing CIRCL". blog.cloudflare.com. 20 June 2019. Retrieved 28 July 2019.

External links

Reference implementation by Microsoft

[4q-1] Costello, Craig; Longa, Patrick (2015). "FourQ: four-dimensional decompositions on a Q-curve over the Mersenne prime". Retrieved 23 May 2019. {{cite journal}}: Cite journal requires |journal= (help)

[msf-2] "FourQlib". Microsoft Research. Retrieved 23 May 2019.

[3] "References". GitHub. 4 October 2021.

[4] Longa, Patrick; Sica, Francesco (2011). "Four-Dimensional Gallant–Lambert–Vanstone Scalar Multiplication". arXiv:1106.5149. Retrieved 23 May 2019. {{cite journal}}: Cite journal requires |journal= (help)

[5] Ladd, Watson; Longa, Patrick; Barnes, Richard (27 March 2017). "draft-ladd-cfrg-4q-01". Ietf Datatracker. Retrieved 23 May 2019.

[6] van Oorschot, Paul C.; Wiener, Michael J. (1996). "On Diffie-Hellman Key Agreement with Short Exponents". Advances in Cryptology — EUROCRYPT '96. Lecture Notes in Computer Science. Vol. 1070. Springer Berlin Heidelberg. pp. 332–343. doi:10.1007/3-540-68339-9_29. ISBN 978-3-540-61186-8.

[7] Babai, L. (1 March 1986). "On Lovász' lattice reduction and the nearest lattice point problem". Combinatorica. 6 (1): 1–13. doi:10.1007/BF02579403. ISSN 1439-6912. S2CID 7914792.

[8] "Introducing CIRCL". blog.cloudflare.com. 20 June 2019. Retrieved 28 July 2019.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]