Aztek has implemented a GLV-variant of Pippenger. In short, the GLV method makes use of the endomorphism (having equivalent scalar lambda) by decomposing a scalar k into k = k1 * lambda + k2, with k1 and k2 of half the size of the modulus. (See Gallant, Lambert, Vanstone 2001 or the corrected analyis of Quisquater, et al 2002 for a detailed description on the decomposition.) With this decomposition one can replace the initial instance for a multi-scalar multiplication by one having the double number of base points (the original ones plus their endomorphism image) but scalars of half the size.
@DDT92 Let us estimate the performance improvement using this technique.
Aztek has implemented a GLV-variant of Pippenger. In short, the GLV method makes use of the endomorphism (having equivalent scalar
lambda) by decomposing a scalarkintok = k1 * lambda + k2, withk1andk2of half the size of the modulus. (See Gallant, Lambert, Vanstone 2001 or the corrected analyis of Quisquater, et al 2002 for a detailed description on the decomposition.) With this decomposition one can replace the initial instance for a multi-scalar multiplication by one having the double number of base points (the original ones plus their endomorphism image) but scalars of half the size.@DDT92 Let us estimate the performance improvement using this technique.