binary edwards curves
play

Binary Edwards Curves Reza Rezaeian Farashahi Dept. of Mathematics - PowerPoint PPT Presentation

Jan 03, 2023 •233 likes •721 views

Binary Edwards Curves Reza Rezaeian Farashahi Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Bernstein (University of Illinois at Chicago) Tanja Lange (TU Eindhoven) and ECC, Sep 24, 2008 ( Dept. of Mathematics

  1. Binary Edwards Curves Reza Rezaeian Farashahi Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Bernstein (University of Illinois at Chicago) Tanja Lange (TU Eindhoven) and ECC, Sep 24, 2008 ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 1 / 25

  2. Edwards curves Edwards generalized single example x 2 + y 2 = 1 − x 2 y 2 by Euler/Gauss to whole class of curves. He showed that– after some field extensions – every elliptic curve over a field F with char( F ) � = 2 is birationally equivalent to one in the form E c : x 2 + y 2 = c 2 (1 + x 2 y 2 ) , where c ∈ F , c 5 � = c . The simple addition law on this form is given by � x 1 y 2 + y 1 x 2 y 1 y 2 − x 1 x 2 � ( x 1 , y 1 ) , ( x 2 , y 2 ) �→ c (1 + x 1 x 2 y 1 y 2 ) , . c (1 − x 1 x 2 y 1 y 2 ) Bernstein and Lange generalized to the form E d : x 2 + y 2 = 1 + dx 2 y 2 , where d � = 0 , d 4 � = 1 . Every elliptic curve with point of order 4 is birationally equivalent to an Edwards curve. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 2 / 25

  3. Edwards curves Edwards generalized single example x 2 + y 2 = 1 − x 2 y 2 by Euler/Gauss to whole class of curves. He showed that– after some field extensions – every elliptic curve over a field F with char( F ) � = 2 is birationally equivalent to one in the form E c : x 2 + y 2 = c 2 (1 + x 2 y 2 ) , where c ∈ F , c 5 � = c . The simple addition law on this form is given by � x 1 y 2 + y 1 x 2 y 1 y 2 − x 1 x 2 � ( x 1 , y 1 ) , ( x 2 , y 2 ) �→ c (1 + x 1 x 2 y 1 y 2 ) , . c (1 − x 1 x 2 y 1 y 2 ) Bernstein and Lange generalized to the form E d : x 2 + y 2 = 1 + dx 2 y 2 , where d � = 0 , d 4 � = 1 . Every elliptic curve with point of order 4 is birationally equivalent to an Edwards curve. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 2 / 25

  4. Edwards curves The addition law on E d : x 2 + y 2 = 1 + dx 2 y 2 is given by � x 1 y 2 + y 1 x 2 , y 1 y 2 − x 1 x 2 � ( x 1 , y 1 ) , ( x 2 , y 2 ) �→ . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 3 / 25

  5. Properties of Edwards curves Neutral element is (0 , 1) ; this is an affine point. − ( x 1 , y 1 ) = ( − x 1 , y 1 ) . (0 , − 1) has order 2 ; (1 , 0) and ( − 1 , 0) have order 4 . Addition law produces correct result also for doubling. Unified group operations! Very fast point addition 10M + 1S + 1D. (Even faster with Inverted Edwards coordinates.) Dedicated doubling formulas need only 3M + 4S. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 4 / 25

  6. Complete addition law If d is not a square the denominators 1 + dx 1 x 2 y 1 y 2 and 1 − dx 1 x 2 y 1 y 2 are never 0 ; addition law is complete. Edwards addition law allows omitting all checks Neutral element is affine point on curve. Addition works to add P and P . Addition works to add P and − P . Addition just works to add P and any Q . Only complete addition law in the literature. No exceptional points, completely uniform group operations. The set of curves with complete addition law is not complete! We need Edwards curve in characteristic 2! Even characteristic much more interesting for hardware . . . and soon also in software, cf. Intel’s and Sun’s current announcements to include binary instructions. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 5 / 25

  7. Complete addition law If d is not a square the denominators 1 + dx 1 x 2 y 1 y 2 and 1 − dx 1 x 2 y 1 y 2 are never 0 ; addition law is complete. Edwards addition law allows omitting all checks Neutral element is affine point on curve. Addition works to add P and P . Addition works to add P and − P . Addition just works to add P and any Q . Only complete addition law in the literature. No exceptional points, completely uniform group operations. The set of curves with complete addition law is not complete! We need Edwards curve in characteristic 2! Even characteristic much more interesting for hardware . . . and soon also in software, cf. Intel’s and Sun’s current announcements to include binary instructions. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 5 / 25

  8. Complete addition law If d is not a square the denominators 1 + dx 1 x 2 y 1 y 2 and 1 − dx 1 x 2 y 1 y 2 are never 0 ; addition law is complete. Edwards addition law allows omitting all checks Neutral element is affine point on curve. Addition works to add P and P . Addition works to add P and − P . Addition just works to add P and any Q . Only complete addition law in the literature. No exceptional points, completely uniform group operations. The set of curves with complete addition law is not complete! We need Edwards curve in characteristic 2! Even characteristic much more interesting for hardware . . . and soon also in software, cf. Intel’s and Sun’s current announcements to include binary instructions. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 5 / 25

  9. The design of Binary Edwards Curves How to design a worthy binary partner? Our wish-list after studying and experimenting with mostly small modifications of odd Edwards: A binary Edwards curve should be a binary elliptic curve. look like an Edwards curve (in odd characteristic). have a complete addition law. have easy negation. have efficient doubling. have efficient additions. cover most ordinary binary elliptic curves. ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 6 / 25

  10. Newton Polygons, in odd characteristic y y 2 = x 3 + ax + b • Short Weierstrass: x y by 2 = x 3 + ax 2 + x • Montgomery: x y y 2 = x 4 + 2 ax 2 + 1 • Jacobi quartic: x y x 3 + y 3 + 1 = 3 dxy • Hessian: x y x 2 + y 2 = 1 + dx 2 y 2 • Edwards: x ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 7 / 25

  11. The design choices (I) Let E B is defined by F ( x, y ) = 0 . E B should look like Edwards curve; so, deg x ( F ) ≤ 2 and deg y ( F ) ≤ 2 ; so, 2 2 a i,j x i y j = 0 . � � E B : F ( x, y ) = y i =0 j =0 a 0 , 2 a 1 , 2 a 2 , 2 E B should have symmetric formulas, so a 0 , 1 a 1 , 1 a 2 , 1 a i,j = a j,i . E B should be elliptic, so a 2 , 2 � = 0 or a 0 , 0 a 1 , 0 a 2 , 0 x a 1 , 2 = a 2 , 1 � = 0 . If a 2 , 2 = 0 , and a 1 , 2 = a 2 , 1 � = 0 then there are three points at infinity. Moreover the addition law can not be complete (for sufficiently large fields). ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 8 / 25

  12. The design choices (I) Let E B is defined by F ( x, y ) = 0 . E B should look like Edwards curve; so, deg x ( F ) ≤ 2 and deg y ( F ) ≤ 2 ; so, 2 2 a i,j x i y j = 0 . � � E B : F ( x, y ) = y i =0 j =0 a 2 , 0 a 2 , 1 a 2 , 2 E B should have symmetric formulas, so a 1 , 0 a 1 , 1 a 2 , 1 a i,j = a j,i . E B should be elliptic, so a 2 , 2 � = 0 or a 0 , 0 a 1 , 0 a 2 , 0 x a 1 , 2 = a 2 , 1 � = 0 . If a 2 , 2 = 0 , and a 1 , 2 = a 2 , 1 � = 0 then there are three points at infinity. Moreover the addition law can not be complete (for sufficiently large fields). ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 8 / 25

  13. The design choices (I) Let E B is defined by F ( x, y ) = 0 . E B should look like Edwards curve; so, deg x ( F ) ≤ 2 and deg y ( F ) ≤ 2 ; so, 2 2 a i,j x i y j = 0 . � � E B : F ( x, y ) = y i =0 j =0 a 2 , 0 a 2 , 1 E B should have symmetric formulas, so a 1 , 0 a 1 , 1 a 2 , 1 a i,j = a j,i . E B should be elliptic, so a 2 , 2 � = 0 or a 0 , 0 a 1 , 0 a 2 , 0 x a 1 , 2 = a 2 , 1 � = 0 . If a 2 , 2 = 0 , and a 1 , 2 = a 2 , 1 � = 0 then there are three points at infinity. Moreover the addition law can not be complete (for sufficiently large fields). ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 8 / 25

  14. The design choices(II) So, a 2 , 2 = 1 (scale by a 2 , 2 ) . The projective model of 2 2 a i,j x i y j = 0 � � E B : y i =0 j =0 a 2 , 0 a 2 , 1 1 is defined by a 1 , 0 a 1 , 1 a 2 , 1 2 2 a i,j X i Y j Z 4 − i − j = 0 . � � a 0 , 0 a 1 , 0 a 2 , 0 x i =0 j =0 Put Z = 0 to find the points at infinity. Then, X 2 Y 2 = 0 ; so (0 : 1 : 0) and (1 : 0 : 0) are the points at infinity of E B . ( Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Ber Reza Rezaeian Farashahi Binary Edwards Curves ECC, Sep 24, 2008 9 / 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 09.05.2008 joint work with Reza Rezaeian Farashahi, Eindhoven

571 views • 33 slides
Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 12.08.2008 joint work with Reza Rezaeian Farashahi, Eindhoven D. J. Bernstein

428 views • 27 slides
Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at Chicago (Joint work with Tanja Lange) Cohen Schoof ECPC Lenstra ECM Miller Bosma Koblitz Goldwasser/Kilian ECC

294 views • 27 slides
Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange Eindhoven University Ruhr-Universitt of Technology Bochum Overview Elliptic Curves Hyperelliptic Curves HEC of Genus 2

473 views • 33 slides
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and Christiane Peters Paper at

1.02k views • 28 slides
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology The 12th Workshop on Elliptic Curve Cryptography 22 September 2008 Joint work with Daniel J. Bernstein, Tanja Lange and Christiane Peters Paper

650 views • 27 slides
Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux

Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux

Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux Dugardin, Sylvain Guilley, Martin Moreau, Zakaria Najm, Pablo Rauzy PROOFS 2016 - Santa Barbara, CA Introduction Eve Communications Alice Bob Channel

726 views • 60 slides
Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net

Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net

Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net ) Tanja Lange ( tue.nl ) Christiane Peters ( tue.nl ) Thanks to: NSF ITR0716498 IST2002507932 ECRYPT INRIA Lorraine, LORIA Todays

190 views • 15 slides
Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p index calculus Classic F needs to check smoothness < p . of many positive integers Smooth integer: integer > y . with no prime divisors y

475 views • 8 slides
Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Index Calculus Method Small char Finite Fields 9234 bits Impact on Pairings Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in F 2 4 1223 and F 2 12 367 ) Jens Zumbr agel Institute of

367 views • 32 slides
Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org joint work with Daniel J. Bernstein 10.11.2007 http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange p. 1 Do

787 views • 51 slides
Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves C. Negre and J.M. Robert april 8, 2015 1 / 39 Outline Overview of elliptic curve cryptography 1 Implementation of F 2 m arithmetic 2 Elliptic

781 views • 75 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Today Edge detection and matching process the image gradient to find curves/contours

Today Edge detection and matching process the image gradient to find curves/contours

1/25/2017 Edges and Binary Image Analysis Thurs Jan 26 Kristen Grauman UT Austin Today Edge detection and matching process the image gradient to find curves/contours comparing contours Binary image analysis blobs and

976 views • 60 slides
On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

Motivation - Exotic Security Assumptions in Cryptography Main Algorithm and Results Oracle-assisted Static DHP for binary curves On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

1.32k views • 105 slides
CS599: Algorithm Design in Strategic Settings Fall 2012 Lecture 11: Ironing and Approximate

CS599: Algorithm Design in Strategic Settings Fall 2012 Lecture 11: Ironing and Approximate

CS599: Algorithm Design in Strategic Settings Fall 2012 Lecture 11: Ironing and Approximate Mechanism Design in Single-Parameter Bayesian Settings Instructor: Shaddin Dughmi Outline Recap 1 Non-regular Distributions: Ironing 2 Implications

569 views • 33 slides
Strengthening CTE for the 21st Century Act (Perkins V) Federal Funding Conference March 2020 1

Strengthening CTE for the 21st Century Act (Perkins V) Federal Funding Conference March 2020 1

Strengthening CTE for the 21st Century Act (Perkins V) Federal Funding Conference March 2020 1 About the Session Objectives: Learn about the new Perkins V Legislation for Career and Technical Education. Learn about requirements of

565 views • 42 slides
Profit maximization. To pea or not to pea. 4$ for peas. 2$ bushel of carrots. x 1 - to pea! x 2

Profit maximization. To pea or not to pea. 4$ for peas. 2$ bushel of carrots. x 1 - to pea! x 2

Profit maximization. To pea or not to pea. 4$ for peas. 2$ bushel of carrots. x 1 - to pea! x 2 to carrot ? Money 4 x 1 + 2 x 2 maximize max4 x 1 + 2 x 2 . max4 x 1 + 2 x 2 Carrots take 2 unit of water/bushel. Plant Carrots or Peas? 2 x 1 40

242 views • 5 slides
Progressive Dynamic Utilities with given optimal portfolio El Karoui Nicole & MRAD Mohamed

Progressive Dynamic Utilities with given optimal portfolio El Karoui Nicole & MRAD Mohamed

Progressive Dynamic Utilities with given optimal portfolio El Karoui Nicole & MRAD Mohamed UnivParis VI / cole Polytechnique,CMAP elkaroui@cmapx.polytechnique.fr with the financial support of the "Fondation du Risque" and

562 views • 32 slides
The Central Curve in Linear Programming Bernd Sturmfels UC Berkeley and MATHEON Berlin joint work

The Central Curve in Linear Programming Bernd Sturmfels UC Berkeley and MATHEON Berlin joint work

The Central Curve in Linear Programming Bernd Sturmfels UC Berkeley and MATHEON Berlin joint work with Jesus De Loera and Cynthia Vinzant Linear Programming Maximize c T x subject to A x = b and x 0 primal : Minimize b T y subject to A T y

1.13k views • 20 slides
Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime

Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime

Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime Characteristic Fields K. Jrvinen 1 , A. Miele 2 , R. Azarderakhsh 3 , and P . Longa 4 1 Aalto University 2 Intel Corporation 3 Rochester Institute of

831 views • 81 slides
The Future of Global Health Financing: Hope vs. Reality in the Push for Universal Health

The Future of Global Health Financing: Hope vs. Reality in the Push for Universal Health

The Future of Global Health Financing: Hope vs. Reality in the Push for Universal Health Coverage April 25, 2019 Most See Major Role For U.S. in Improving Health in Developing Countries, Especially Democrats Do you think the U.S. should take

253 views • 7 slides
Address Subcommittee February 8, 2017 1:00 2:30 PM Eastern Census HQ, Suitland, MD Meeting

Address Subcommittee February 8, 2017 1:00 2:30 PM Eastern Census HQ, Suitland, MD Meeting

Address Subcommittee February 8, 2017 1:00 2:30 PM Eastern Census HQ, Suitland, MD Meeting Agenda 1:00 Welcome and Meeting Goals Update on Theme Definition 1:10 Address Subcommittee Charter Review and revise 1:45 NAD Federal

598 views • 23 slides

More recommend