complete addition laws for all elliptic curves over
play

Complete addition laws for all elliptic curves over finite fields - PDF document

Oct 07, 2023 •349 likes •768 views

Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Joint work with: Tanja Lange Technische Universiteit Eindhoven Memories of graduate school Early 1990s,

  1. Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of Illinois at Chicago NSF ITR–0716498 Joint work with: Tanja Lange Technische Universiteit Eindhoven

  2. Memories of graduate school Early 1990s, Berkeley: Hendrik Lenstra teaches a rather strange course on algebraic number theory.

  3. Memories of graduate school Early 1990s, Berkeley: Hendrik Lenstra teaches a rather strange course on algebraic number theory. His central objects of study: orders in number fields. Primes, class groups, etc.

  4. Memories of graduate school Early 1990s, Berkeley: Hendrik Lenstra teaches a rather strange course on algebraic number theory. His central objects of study: orders in number fields. Primes, class groups, etc. Normal textbooks and courses focus on maximal orders, i.e., orders without singularities: “Have a non-maximal Z [ x ] =f ? Yikes! Blow it up!”

  5. Edwards curves 2007 Edwards: Every elliptic curve over Q is birationally equivalent to x 2 + y 2 = a 2 (1 + x 2 y 2 ) a 2 Q � f 0 ; � 1 ; � i g . for some x 2 + y 2 = a 2 (1 + x 2 y 2 ) has neutral element (0 ; a ), addition x 1 ; y 1 ) + ( x 2 ; y 2 ) = ( x 3 ; y 3 ) with ( x 1 y 2 + y 1 x 2 x 3 = a (1 + x 1 x 2 y 1 y 2 ), y 1 y 2 � x 1 x 2 y 3 = a (1 � x 1 x 2 y 1 y 2 ).

  6. 2007 Bernstein–Lange: k , Over a non-binary finite field x 2 + y 2 = 2 (1 + dx 2 y 2 ) covers more elliptic curves. � with ; d 2 k d 4 Here 6 = 1. x 1 y 2 + y 1 x 2 x 3 = (1 + dx 1 x 2 y 1 y 2 ), y 1 y 2 � x 1 x 2 y 3 = (1 � dx 1 x 2 y 1 y 2 ). = 1. Then Can always take 10 M + 1 S + 1 D for addition, 3 M + 4 S for doubling. Latest news, comparisons: hyperelliptic.org/EFD

  7. Completeness 2007 Bernstein–Lange: d is not a square in k then If f ( x; y ) 2 k � k : x 2 + y 2 = 2 (1 + dx 2 y 2 ) g is a commutative group under this addition law. The denominators (1 + dx 1 x 2 y 1 y 2 ), (1 � dx 1 x 2 y 1 y 2 ) are never zero. No exceptional cases!

  8. Compare to Weierstrass form y 2 = x 3 + a 4 x + a 6 . Standard explicit formulas for Weierstrass addition have several different cases: “chord”; “tangent”; vertical chord; etc. Conventional wisdom: Beyond genus 0, explicit formulas for multiplication in class group always need case distinctions.

  9. 1995 Bosma–Lenstra theorem: “The smallest cardinality of a complete system of addition laws E equals two.” on

  10. 1995 Bosma–Lenstra theorem: “The smallest cardinality of a complete system of addition laws E equals two.” : : : meaning: on Any addition formula E for a Weierstrass curve in projective coordinates must have exceptional cases E ( k ) � E ( k ), where in k = algebraic closure of k .

  11. 1995 Bosma–Lenstra theorem: “The smallest cardinality of a complete system of addition laws E equals two.” : : : meaning: on Any addition formula E for a Weierstrass curve in projective coordinates must have exceptional cases E ( k ) � E ( k ), where in k = algebraic closure of k . Edwards addition formula has E ( k ) exceptional cases for : : : but not for E ( k ). E ( k ). We do computations in

  12. Completeness eases implementations, avoids some cryptographic problems. What about elliptic curves without points of order 4? What about elliptic curves over binary fields? Continuing project (B.–L.): E , For every elliptic curve E find complete addition law for with best possible speeds. Complete laws are useful even if slower than Edwards!

  13. Some Newton polygons � � � � � � � � � � � � � � � � � � � � � � � � � Short Weierstrass � � � � � � � � � � � � � � � � � � � � � � � � � � Jacobi quartic � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � Hessian � � � � � � � � � � � � � � � � � � � � Edwards 1893 Baker: genus is generically number of interior points. 2000 Poonen–Rodriguez-Villegas classified genus-1 polygons.

  14. How to generalize Edwards? Design decision: want x and in y . quadratic in Design decision: want x $ y symmetry. d 20 d 21 d 22 d 10 d 11 d 21 d 00 d 10 d 20 d 00 + d 10 ( x + y ) + Curve shape d 11 xy + d 20 ( x 2 + y 2 ) + d 21 xy ( x + y ) + d 22 x 2 y 2 = 0.

  15. d 22 = 0: Suppose that � d 20 d 21 d 10 d 11 d 21 d 00 d 10 d 20 ) (1 ; 1) is an Genus 1 ) d 21 interior point 6 = 0. Homogenize: d 00 Z 3 + d 10 ( X + Y ) Z 2 + d 11 X Y Z + d 20 ( X 2 + Y 2 ) Z + d 21 X Y ( X + Y ) = 0.

  16. 1 are ( X : Y : 0) Points at d 21 X Y ( X + Y ) = 0: i.e., with � 1 : 0). (1 : 0 : 0), (0 : 1 : 0), (1 : Study (1 : 0 : 0) by setting y = Y =X , z = Z =X in homogeneous curve equation: d 00 z 3 + d 10 (1 + y ) z 2 + d 11 y z + d 20 (1 + y 2 ) z + d 21 y (1 + y ) = 0. y Nonzero coefficient of so (1 : 0 : 0) is nonsingular. Addition law cannot be complete k is tiny). (unless

  17. d 22 So we require 6 = 0. 1 are ( X : Y : 0) Points at d 22 X 2 Y 2 = 0: i.e., with (1 : 0 : 0), (0 : 1 : 0). Study (1 : 0 : 0) again: d 00 z 4 + d 10 (1 + y ) z 3 + d 11 y z 2 + d 20 (1 + y 2 ) z 2 + d 21 y (1 + y ) z + d 22 y 2 = 0. ; y ; z are 0 Coefficients of 1 so (1 : 0 : 0) is singular.

  18. y = uz , divide by z 2 Put to blow up singularity: d 00 z 2 + d 10 (1 + uz ) z + d 11 uz + d 20 (1 + u 2 z 2 ) + d 21 u (1 + uz ) + d 22 u 2 = 0. z = 0 to find Substitute points above singularity: d 20 + d 21 u + d 22 u 2 = 0. We require the quadratic d 20 + d 21 u + d 22 u 2 k . to be irreducible in Special case: complete Edwards, � du 2 irreducible in k . 1

  19. d 20 In particular 6 = 0: d 20 d 21 d 22 d 10 d 11 d 21 d 00 d 10 d 20 Design decision: Explore a deviation from Edwards. ; 0). Choose neutral element (0 d 00 = 0; d 10 6 = 0. Can vary neutral element. Warning: bad choice can produce surprisingly expensive negation.

  20. Now have a Newton polygon for generalized Edwards curves: d 20 d 21 d 22 d 10 d 11 d 21 � � � � � d 10 d 20 � � � � x; y By scaling and scaling curve equation d 10 ; d 11 ; d 20 ; d 21 ; d 22 can limit to three degrees of freedom.

  21. 2008 B.–L.–Rezaeian Farashahi: complete addition law for “binary Edwards curves” d 1 ( x + y ) + d 2 ( x 2 + y 2 ) = x + x 2 )( y + y 2 ). ( Covers all ordinary elliptic curves n for n � 3. over F 2 Also surprisingly fast, d 1 = d 2 . especially if

  22. 2008 B.–L.–Rezaeian Farashahi: complete addition law for “binary Edwards curves” d 1 ( x + y ) + d 2 ( x 2 + y 2 ) = x + x 2 )( y + y 2 ). ( Covers all ordinary elliptic curves n for n � 3. over F 2 Also surprisingly fast, d 1 = d 2 . especially if 2009 B.–L.: complete addition law for another specialization covering all the “NIST curves” over non-binary fields.

  23. 78751018041117 25 2 54 5 42 0 99 9 9 54 76717646453854 50 6 08 1 46 3 02 0 2 84 139565117585920 1 7 99 Consider, e.g., the curve x 2 + y 2 = x + y + txy + dx 2 y 2 d = � 1 and with t = 410583637251521 4 21 2 93 2 61 2 97 8 0 047268409114441 0 15 9 93 7 25 5 54 8 3 p = 2 256 � 2 224 + p where 525631403946740 12 9 1 over F � 1. 2 192 + 2 96 d is non-square in F p . Note: Birationally equivalent to standard “NIST P-256” curve v 2 = u 3 � 3 u + a 6 where a 6 = .

  24. An addition law for x 2 + y 2 = x + y + txy + dx 2 y 2 , d is not a square: complete if x 1 + x 2 + ( t � 2) x 1 x 2 + x 1 � y 1 )( x 2 � y 2 ) + ( dx 2 x 2 y 1 + x 2 y 2 � y 1 y 2 ) x 3 = 1 ( � 2 dx 1 x 2 y 2 � ; 1 dx 2 x 2 + y 2 + ( t � 2) x 2 y 2 ) 1 ( y 1 + y 2 + ( t � 2) y 1 y 2 + y 1 � x 1 )( y 2 � x 2 ) + ( dy 2 y 2 x 1 + y 2 x 2 � x 1 x 2 ) y 3 = 1 ( � 2 dy 1 y 2 x 2 � . 1 dy 2 y 2 + x 2 + ( t � 2) y 2 x 2 ) 1 (

  25. Note on computing addition laws: An easy Magma script uses Riemann–Roch to find addition law given a curve shape. Are those laws nice? No! Find lower-degree laws by Monagan–Pearce algorithm, ISSAC 2006; or by evaluation at random points on random curves. Are those laws complete? No! But always seems easy to find complete addition laws among low-degree laws where denominator constant term 6 = 0.

  26. Birational equivalence from x 2 + y 2 = x + y + txy + dx 2 y 2 to v 2 � ( t + 2) uv + dv = u 3 � ( t +2) u 2 � du +( t +2) d v 2 � ( t + 2) uv + dv = i.e. u 2 � d )( u � ( t + 2)): ( u = ( dxy + t + 2) = ( x + y ); t + 2) 2 � d ) x v = (( t + 2) xy + x + y . ( t + 2 square, d not: Assuming only exceptional point is (0 ; 0), mapping to 1 . x = v = ( u 2 � d ); Inverse: y = (( t + 2) u � v � d ) = ( u 2 � d ).

  27. Completeness x 1 + x 2 + ( t � 2) x 1 x 2 + x 1 � y 1 )( x 2 � y 2 ) + ( dx 2 x 2 y 1 + x 2 y 2 � y 1 y 2 ) x 3 = 1 ( � 2 dx 1 x 2 y 2 � ; 1 dx 2 x 2 + y 2 + ( t � 2) x 2 y 2 ) 1 ( y 1 + y 2 + ( t � 2) y 1 y 2 + y 1 � x 1 )( y 2 � x 2 ) + ( dy 2 y 2 x 1 + y 2 x 2 � x 1 x 2 ) y 3 = 1 ( � 2 dy 1 y 2 x 2 � . 1 dy 2 y 2 + x 2 + ( t � 2) y 2 x 2 ) 1 ( Can denominators be 0?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Complete addition laws for elliptic curves D. J. Bernstein University of Illinois at Chicago

Complete addition laws for elliptic curves D. J. Bernstein University of Illinois at Chicago

Complete addition laws for elliptic curves D. J. Bernstein University of Illinois at Chicago Tanja Lange Technische Universiteit Eindhoven Weierstrass coordinates k with 2 Fix a field 6 = 0. a; b 2 k with 4 a 3 + 27 b 2 Fix 6 = 0.

1.02k views • 50 slides
Addition laws on elliptic curves D. J. Bernstein University of Illinois at Chicago Joint work

Addition laws on elliptic curves D. J. Bernstein University of Illinois at Chicago Joint work

Addition laws on elliptic curves D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven 2007.01.10, 09:00 (yikes!), Leiden University, part of Mathematics: Algorithms and

983 views • 63 slides
Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla Batina 1 1 Radboud University, Digital Security, Nijmegen, The Netherlands j.renes,lejla@cs.ru.nl 2 Microsoft Research, Redmond, USA

481 views • 27 slides
Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla Batina 1 j.renes@cs.ru.nl 1 Radboud University, Nijmegen, The Netherlands 2 Microsoft Research, Redmond, USA 16 February 2016 16 February 2016 1 /

642 views • 62 slides
ELLIPTIC CURVES By Jessica and Sushi WHAT ARE ELLIPTIC CURVES?! ADDING POINTS! Adding points

ELLIPTIC CURVES By Jessica and Sushi WHAT ARE ELLIPTIC CURVES?! ADDING POINTS! Adding points

ELLIPTIC CURVES By Jessica and Sushi WHAT ARE ELLIPTIC CURVES?! ADDING POINTS! Adding points is not the same addition as 1+1=2. The addition of points is the production of a third point using two already known points Properties of

503 views • 22 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School before ECC September 2006 Elliptic curves An elliptic curve E over a field K is given by a Weierstra equation Y 2 + h ( X ) Y = f ( X ) with h, f

416 views • 13 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
Diffusion model Developing diffusion model: kinetic strength of the heat cycle The

Diffusion model Developing diffusion model: kinetic strength of the heat cycle The

Diffusion model Developing diffusion model: kinetic strength of the heat cycle The transformation of pearlite to austenite The homogenization of austenite Volume fraction of martensite Hardness of transformed surface layer

93 views • 7 slides
Vertical Visibility among Parallel Polygons in Three Dimensions GD 2015 Radoslav Fulek (IST,

Vertical Visibility among Parallel Polygons in Three Dimensions GD 2015 Radoslav Fulek (IST,

Vertical Visibility among Parallel Polygons in Three Dimensions GD 2015 Radoslav Fulek (IST, Austria), Rado s Radoi ci c (CUNY) Visibility clique Visibility clique We consider a finite set S of translates/homothetes of two dimensional

822 views • 71 slides
Regular Sequences Eric Rowland School of Computer Science University of Waterloo, Ontario,

Regular Sequences Eric Rowland School of Computer Science University of Waterloo, Ontario,

Regular Sequences Eric Rowland School of Computer Science University of Waterloo, Ontario, Canada September 5, 2011 Eric Rowland (University of Waterloo) Regular Sequences September 5, 2011 1 / 38 Outline Motivation and basic properties 1

507 views • 38 slides
Building a Coreless Internet Without Ripping Out the Core (goodell@eecs.harvard.edu) Geoffrey

Building a Coreless Internet Without Ripping Out the Core (goodell@eecs.harvard.edu) Geoffrey

Building a Coreless Internet Without Ripping Out the Core (goodell@eecs.harvard.edu) Geoffrey Goodell (sob@harvard.edu) Scott Bradner (mema@eecs.harvard.edu) Mema Roussopoulos VE R I TAS Harvard University HOTNETS-IV: 14 November 2005 1

590 views • 35 slides
HoneySAP Who really wants your money? M ARTIN G ALLO M ARCH 2015 P A G E AGENDA SAP SAP

HoneySAP Who really wants your money? M ARTIN G ALLO M ARCH 2015 P A G E AGENDA SAP SAP

HoneySAP Who really wants your money? M ARTIN G ALLO M ARCH 2015 P A G E AGENDA SAP SAP security Threat landscape Have Needs Honeypots HoneySAP Approach Goal Design Architecture Services Integration Example profiles Demo

748 views • 45 slides
Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Overview Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots What can you do with them? Claire OShea Problems with honeypots COMP 290 Spring 2005 Overview Motivation Examples of

645 views • 15 slides
Using Honeypots for Security Operations Jim Barlow <jbarlow@ncsa.uiuc.edu> Head of

Using Honeypots for Security Operations Jim Barlow <jbarlow@ncsa.uiuc.edu> Head of

Using Honeypots for Security Operations Jim Barlow <jbarlow@ncsa.uiuc.edu> Head of Security Operations and Incident Response National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign National

229 views • 20 slides
Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

CPS-SPC 16 @ Vienna AU Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O. T IPPENHAUER daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box 1 Overview In this

922 views • 25 slides

More recommend