edwards coordinates for elliptic curves part 1
play

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange - PowerPoint PPT Presentation

Dec 14, 2022 •261 likes •787 views

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org joint work with Daniel J. Bernstein 10.11.2007 http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange p. 1 Do

  1. Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org joint work with Daniel J. Bernstein 10.11.2007 http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 1

  2. Do you know how to add on a circle? Let k be a field with 2 � = 0 . { ( x, y ) ∈ k × k | x 2 + y 2 = 1 } http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 2

  3. Do you know how to add on a circle? Let k be a field with 2 � = 0 . { ( x, y ) ∈ k × k | x 2 + y 2 = 1 } is a commutative group with ( x 1 , y 1 ) ⊕ ( x 2 , y 2 ) = ( x 3 , y 3 ) , where x 3 = x 1 y 2 + y 1 x 2 and y 3 = y 1 y 2 − x 1 x 2 . Polar coordinates and trigonometric identities readily show that the result is on the curve. Associativity of the addition boils down to associativity of addition of angles. Look, an addition law! But it’s not elliptic; index calculus work efficiently. http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 2

  4. Now add on an elliptic curve An elliptic curve: http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 3

  5. Now add on an elliptic curve An elliptic curve: x 2 + y 2 = a 2 (1 + x 2 y 2 ) http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 3

  6. Now add on an elliptic curve x 2 + y 2 = a 2 (1 + x 2 y 2 ) elliptic? use z = y (1 − a 2 x 2 ) /a to obtain z 2 = x 4 − ( a 2 + 1 /a 2 ) x 2 + 1 . http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 3

  7. Now add on an elliptic curve Let k be a field with 2 � = 0 and let a ∈ k with a 5 � = a . There is an – almost everywhere defined – operation on the set { ( x, y ) ∈ k × k | x 2 + y 2 = a 2 (1 + x 2 y 2 ) } as ( x 1 , y 1 ) ⊕ ( x 2 , y 2 ) = ( x 3 , y 3 ) defined by the Edwards addition law x 1 y 2 + y 1 x 2 y 1 y 2 − x 1 x 2 x 3 = a (1 + x 1 x 2 y 1 y 2 ) and y 3 = a (1 − x 1 x 2 y 1 y 2 ) . Numerators like in addition on circle! Where do these curves come from? http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 3

  8. Long, long ago . . . http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 4

  9. Euler 1761 “ Observationes de Comparatione Arcuum Curvarum Irrectificabilium” y 2 = 1 − nx 2 1 1 − x 2 ⇔ x 2 + y 2 = 1 + nx 2 y 2 . http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 5

  10. Euler 1761 Euler gives doubling and (special) addition for ( a, A ) on a 2 + A 2 = 1 − a 2 A 2 . http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 6

  11. Gauss, posthumously Gauss gives general addition for arbitrary points on 1 = s 2 + c 2 + s 2 c 2 . http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 7

  12. Ex uno plura Harold M. Edwards, Bulletin of the AMS, 44 , 393–422, 2007 x 2 + y 2 = a 2 (1 + x 2 y 2 ) , a 5 � = a describes an elliptic curve. Every elliptic curve can be written in this form – over some extension field. Ur-elliptic curve x 2 + y 2 = 1 − x 2 y 2 needs √− 1 ∈ k transform. Edwards gives above-mentioned addition law for this generalized form, shows equivalence with Weierstrass form, proves addition law, gives theta parameterization . . . http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 8

  13. Edwards curves over finite fields We do not necessarily have √− 1 ∈ k ! The example curve x 2 + y 2 = 1 − x 2 y 2 from Euler and Gauss is not always an Edwards curve. Solution: change the definition of Edwards curves. Introduce further parameter d to cover more curves x 2 + y 2 = c 2 (1 + dx 2 y 2 ) , c, d � = 0 , dc 4 � = 1 . c 4 ¯ At least one of c, d small: if c 4 d = ¯ d then x 2 + y 2 = c 2 (1 + dx 2 y 2 ) and x 2 + y 2 = ¯ c 2 (1 + ¯ dx 2 y 2 ) isomorphic. We can always choose c = 1 (and do so in the sequel). d = ( c 4 d ) − 1 gives quadratic twist (might be c 4 ¯ ¯ isomorphic). http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 9

  14. Addition on Edwards curves � x 1 y 2 + y 1 x 2 , y 1 y 2 − x 1 x 2 � ( x 1 , y 1 ) ⊕ ( x 2 , y 2 ) = 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 Neutral element is http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 10

  15. Addition on Edwards curves � x 1 y 2 + y 1 x 2 , y 1 y 2 − x 1 x 2 � ( x 1 , y 1 ) ⊕ ( x 2 , y 2 ) = 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 Neutral element is (0 , 1) , this is an affine point! http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 10

  16. Addition on Edwards curves � x 1 y 2 + y 1 x 2 , y 1 y 2 − x 1 x 2 � ( x 1 , y 1 ) ⊕ ( x 2 , y 2 ) = 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 Neutral element is (0 , 1) , this is an affine point! − ( x 1 , y 1 ) = http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 10

  17. Addition on Edwards curves � x 1 y 2 + y 1 x 2 , y 1 y 2 − x 1 x 2 � ( x 1 , y 1 ) ⊕ ( x 2 , y 2 ) = 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 Neutral element is (0 , 1) , this is an affine point! − ( x 1 , y 1 ) =( − x 1 , y 1 ) . http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 10

  18. Addition on Edwards curves � x 1 y 2 + y 1 x 2 , y 1 y 2 − x 1 x 2 � ( x 1 , y 1 ) ⊕ ( x 2 , y 2 ) = 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 Neutral element is (0 , 1) , this is an affine point! − ( x 1 , y 1 ) =( − x 1 , y 1 ) . (0 , − 1) has order 2 , ( ± 1 , 0) have order 4 , so not every elliptic curve can be transformed to an Edwards curve over k — but every curve with a point of order 4 can! Our Asiacrypt 2007 paper makes explicit the birational equivalence between a curve in Edwards form and in Weierstrass form. See also our newelliptic page. http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 10

  19. Nice features of the addition law � x 1 y 2 + y 1 x 2 � , y 1 y 2 − x 1 x 2 P ⊕ Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 11

  20. Nice features of the addition law � x 1 y 2 + y 1 x 2 � , y 1 y 2 − x 1 x 2 P ⊕ Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 � x 1 y 1 + y 1 x 1 � , y 1 y 1 − x 1 x 1 [2] P = . 1 + dx 1 x 1 y 1 y 1 1 − dx 1 x 1 y 1 y 1 http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 11

  21. Nice features of the addition law � x 1 y 2 + y 1 x 2 � , y 1 y 2 − x 1 x 2 P ⊕ Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 � x 1 y 1 + y 1 x 1 � , y 1 y 1 − x 1 x 1 [2] P = . 1 + dx 1 x 1 y 1 y 1 1 − dx 1 x 1 y 1 y 1 Addition law also works for doubling (compare that to curves in Weierstrass form!) Can show: denominator never 0 for non-square d . http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 11

  22. Nice features of the addition law � x 1 y 2 + y 1 x 2 � , y 1 y 2 − x 1 x 2 P ⊕ Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 � x 1 y 1 + y 1 x 1 � , y 1 y 1 − x 1 x 1 [2] P = . 1 + dx 1 x 1 y 1 y 1 1 − dx 1 x 1 y 1 y 1 Addition law also works for doubling (compare that to curves in Weierstrass form!) Can show: denominator never 0 for non-square d . Explicit formulas for addition/doubling: Z 1 · Z 2 ; B = A 2 ; C = X 1 · X 2 ; D = Y 1 · Y 2 ; A = E = ( X 1 + Y 1 ) · ( X 2 + Y 2 ) − C − D ; F = d · C · D ; X P ⊕ Q = A · E · ( B − F ); Y P ⊕ Q = A · ( D − C ) · ( B + F ); Z P ⊕ Q = ( B − F ) · ( B + F ) . http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 11

  23. Nice features of the addition law � x 1 y 2 + y 1 x 2 � , y 1 y 2 − x 1 x 2 P ⊕ Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 � x 1 y 1 + y 1 x 1 � , y 1 y 1 − x 1 x 1 [2] P = . 1 + dx 1 x 1 y 1 y 1 1 − dx 1 x 1 y 1 y 1 Addition law also works for doubling (compare that to curves in Weierstrass form!) Can show: denominator never 0 for non-square d . Explicit formulas for addition/doubling: Z 1 · Z 2 ; B = A 2 ; C = X 1 · X 2 ; D = Y 1 · Y 2 ; A = E = ( X 1 + Y 1 ) · ( X 2 + Y 2 ) − C − D ; F = d · C · D ; X P ⊕ Q = A · E · ( B − F ); Y P ⊕ Q = A · ( D − C ) · ( B + F ); Z P ⊕ Q = ( B − F ) · ( B + F ) . Needs 10M + 1S + 1D + 7A. http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 11

  24. Strongly unified group operations Addition formulas work also for doubling. Addition in Weierstrass form y 2 = x 3 + a 4 x + a 6 , involves computation � ( y 2 − y 1 ) / ( x 2 − x 1 ) if x 1 � = x 2 , λ = (3 x 2 else. 1 + a 4 ) / (2 y 1 ) division by zero if first form is accidentally used for doubling. Strongly unified addition laws remove some checks from the code. Help against simple side-channel attacks. Attacker sees uniform sequence of identical group operations, no information on secret scalar given (assuming the field operations are handled appropriately). http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 12

  25. Unified Projective coordinates Brier, Joye 2002 Idea: unify how the slope is computed. improved in Brier, Déchène, and Joye 2004 ( x 1 + x 2 ) 2 − x 1 x 2 + a 4 + y 1 − y 2 λ = y 1 + y 2 + x 1 − x 2 � y 1 − y 2 ( x 1 , y 1 ) � = ± ( x 2 , y 2 ) x 1 − x 2 = 3 x 2 1 + a 4 ( x 1 , y 1 ) = ( x 2 , y 2 ) 2 y 1 Multiply numerator & denominator by x 1 − x 2 to see this. Proposed formulae can be generalized to projective coordinates. Some special cases may occur, but with very low probability, e. g. x 2 = y 1 + y 2 + x 1 . Alternative equation for this case. http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange – p. 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at Chicago (Joint work with Tanja Lange) Cohen Schoof ECPC Lenstra ECM Miller Bosma Koblitz Goldwasser/Kilian ECC

294 views • 27 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
Stein Elliptic Curves over Q ( 5) William Stein, University of Washington (This is part of

Stein Elliptic Curves over Q ( 5) William Stein, University of Washington (This is part of

Curves Over Q ( 5) Stein Elliptic Curves over Q ( 5) William Stein, University of Washington (This is part of the NSF-funded AIM FRG project on Databases of L -functions) February 2011 Curves Over Q ( 5) Stein 1. Finding

536 views • 34 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is

Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is

Curves Over Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is part of the NSF-funded AIM FRG project on Databases of L -functions. This talk had much valuable input from Noam Elkies, John Voight,

567 views • 40 slides
Complete addition laws for elliptic curves D. J. Bernstein University of Illinois at Chicago

Complete addition laws for elliptic curves D. J. Bernstein University of Illinois at Chicago

Complete addition laws for elliptic curves D. J. Bernstein University of Illinois at Chicago Tanja Lange Technische Universiteit Eindhoven Weierstrass coordinates k with 2 Fix a field 6 = 0. a; b 2 k with 4 a 3 + 27 b 2 Fix 6 = 0.

1.02k views • 50 slides
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology The 12th Workshop on Elliptic Curve Cryptography 22 September 2008 Joint work with Daniel J. Bernstein, Tanja Lange and Christiane Peters Paper

650 views • 27 slides
Lecture 13, part II: Modularity of elliptic curves and Fermats Last Theorem (an overview)

Lecture 13, part II: Modularity of elliptic curves and Fermats Last Theorem (an overview)

Lecture 13, part II: Modularity of elliptic curves and Fermats Last Theorem (an overview) June 9, 2020 1 / 10 Local zeta functions X algebraic variety { F p , N m : # X p F p m q m 1 , 2 , . . . 8 T m Z X p T q : exp

218 views • 10 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
NOvA: Case for more protons Mark Messier Indiana University Fermilab Physics Advisory Committee

NOvA: Case for more protons Mark Messier Indiana University Fermilab Physics Advisory Committee

NOvA: Case for more protons Mark Messier Indiana University Fermilab Physics Advisory Committee 10 November 2016 1 Outline FY2016 Run Summary I. Beam and Detector status II. Physics results charged-current disappearance

412 views • 38 slides
Unit 10: Contract Administration: Loss and Expense D39PZ: Procurement and Contracts 2 2 Claims

Unit 10: Contract Administration: Loss and Expense D39PZ: Procurement and Contracts 2 2 Claims

...last week (or things you should now understand) the difference between the Date for Completion and the Completion Date the SBC/Q process by which the Date for Completion / Completion Date can be changed (i.e. Adjustment of the

540 views • 31 slides
Financial Results Presentation Q2 FY12: Quarter ended 30 September 2011 10 November 2011 Chua

Financial Results Presentation Q2 FY12: Quarter ended 30 September 2011 10 November 2011 Chua

Financial Results Presentation Q2 FY12: Quarter ended 30 September 2011 10 November 2011 Chua Sock Koong Group CEO Forward looking statement important note The following presentation contains forward looking statements by the management of

465 views • 28 slides
Constraint Satisfaction Problems B: Constraint Propagation, Structure CS271P, Winter Quarter,

Constraint Satisfaction Problems B: Constraint Propagation, Structure CS271P, Winter Quarter,

Constraint Satisfaction Problems B: Constraint Propagation, Structure CS271P, Winter Quarter, 2019 Introduction to Artificial Intelligence Prof. Richard Lathrop Read Beforehand: R&N 6.1-6.4, except 6.3.3 You Should Know Node

1.07k views • 87 slides
Exponential Growth and Decay 10/28/2011 Antiderivative of 1 / x 1 / x : ln( x ): Antiderivative of

Exponential Growth and Decay 10/28/2011 Antiderivative of 1 / x 1 / x : ln( x ): Antiderivative of

Exponential Growth and Decay 10/28/2011 Antiderivative of 1 / x 1 / x : ln( x ): Antiderivative of 1 / x 1 / x : ln( x ): ln | x | : Antiderivative of 1 / x 1 / x : So 1 ln( x ): x dx = ln | x | + C ln | x | : Warm up: Decide whether each

916 views • 62 slides
Degree of commutativity of infinite groups ... or how I learnt about rational growth and ends of

Degree of commutativity of infinite groups ... or how I learnt about rational growth and ends of

Introduction & Motivation Right-angled Artin groups Groups with infinitely many ends Degree of commutativity of infinite groups ... or how I learnt about rational growth and ends of groups Motiejus Valiunas University of Southampton

372 views • 22 slides
Oligomorphic permutation groups: growth rates and algebras Peter J. Cameron

Oligomorphic permutation groups: growth rates and algebras Peter J. Cameron

Oligomorphic permutation groups: growth rates and algebras Peter J. Cameron p.j.cameron@qmul.ac.uk Gregynog Mathematics Colloquium22 May 2007 The definition Examples, 2 Consider the group S r acting on the disjoint union Let G be a permutation

304 views • 4 slides
Supercritical causal maps: geodesics and simple random walk Thomas Budzinski ENS Paris et

Supercritical causal maps: geodesics and simple random walk Thomas Budzinski ENS Paris et

Supercritical causal maps: geodesics and simple random walk Thomas Budzinski ENS Paris et Universit Paris Saclay Journe Cartes, Orsay 11 Avril 2018 Thomas Budzinski Supercritical causal maps Supercritical causal maps Let t be an infinite

799 views • 54 slides

More recommend