faster formulas for elliptic curves
play

Faster formulas for elliptic curves Hseyin H sl - PowerPoint PPT Presentation

Aug 11, 2023 •256 likes •825 views

Faster formulas for elliptic curves Hseyin H sl hisil.huseyin@gmail.com www.huseyinhisil.net ECC2010, Redmond Hseyin H sl () October 19, 2010 1 / 36 Faster formulas for elliptic curves (A roadmap for formula-hunters)

  1. Faster formulas for elliptic curves Hüseyin Hı¸ sıl hisil.huseyin@gmail.com www.huseyinhisil.net ECC2010, Redmond Hüseyin Hı¸ sıl () October 19, 2010 1 / 36

  2. Faster formulas for elliptic curves (A roadmap for formula-hunters) Hüseyin Hı¸ sıl hisil.huseyin@gmail.com www.huseyinhisil.net ECC2010, Redmond Hüseyin Hı¸ sıl () October 19, 2010 1 / 36

  3. Faster formulas for elliptic curves (A roadmap for formula-hunters) (A roadmap for lazy formula-hunters) Hüseyin Hı¸ sıl hisil.huseyin@gmail.com www.huseyinhisil.net ECC2010, Redmond Hüseyin Hı¸ sıl () October 19, 2010 1 / 36

  4. Outline Overview 1 Automated tools 2 Inversion-free point addition 3 Conclusion 4 Hüseyin Hı¸ sıl () October 19, 2010 2 / 36

  5. The classics 1 [CC86] Chudnovsky and Chudnovsky. Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Advances in Applied Mathematics, 1986. 2 [Mon87] Montgomery. Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation, 1987. 3 [CMO98] Cohen, Miyaji, and Ono. Efficient elliptic curve exponentiation using mixed coordinates. ASIACRYPT’98. Hüseyin Hı¸ sıl () October 19, 2010 3 / 36

  6. Remarkable strikes aganist the cubic 1 [LS01] Liardet and Smart, Preventing SPA/DPA in ECC systems using the Jacobi form. CHES 2001. 2 [BL07b] Bernstein and Lange, Faster addition and doubling on elliptic curves. ASIACRYPT 2007. Note: There are other papers not listed here. Hüseyin Hı¸ sıl () October 19, 2010 4 / 36

  7. This investigation Concrete results for: 1 Short Weierstrass form, y 2 = x 3 + ax + b , 2 Extended Jacobi quartic form, y 2 = dx 4 + 2 ax 2 + 1, 3 Twisted Hessian form, ax 3 + y 3 + 1 = dxy , 4 Twisted Edwards form, ax 2 + y 2 = 1 + dx 2 y 2 , 5 Twisted Jacobi intersection form, bs 2 + c 2 = 1 , as 2 + d 2 = 1. In fact, many other forms are checked for a better efficiency along the way. Extended Jacobi quartic curves will be used in all examples in the remainder of the talk. Hüseyin Hı¸ sıl () October 19, 2010 5 / 36

  8. Extended Jacobi quartics overview K denotes a field of odd characteristic. Definition An extended Jacobi quartic curve defined over K is the curve E Q , d , a := { ( x , y ) ∈ A 2 ( K ) | y 2 = dx 4 + 2 ax 2 + 1 } . E Q is non-singular if and only if d ( a 2 − d ) � = 0. The projective closure of E Q is given by the equation E Q , d , a : Y 2 Z 2 = dX 4 + 2 aX 2 Z 2 + Z 4 . A point ( X : Y : Z ) with Z � = 0 on E Q corresponds to the affine point ( X / Z , Y / Z ) on E Q . The point ( 0 : 1 : 0 ) on E Q is singular. The resolution of singularities produces two points which are labeled as Ω 1 √ and Ω 2 . These points are defined over K ( d ) . Hüseyin Hı¸ sıl () October 19, 2010 6 / 36

  9. Extended Jacobi quartics overview √ Let L = K ( d ) . With a slight abuse of notation, E Q ( L ) , the set of L -rational points on E Q is denoted by E Q ( L ) = { ( x , y ) ∈ L 2 | y 2 = dx 4 + 2 ax 2 + 1 } ∪ { Ω 1 , Ω 2 } . E Q , d , a is birationally equivalent over K to the Weierstrass curve E W : v 2 = u 3 − 4 au 2 + ( 4 a 2 − 4 d ) u with the maps � 2 y + 2 + 2 a , 4 y + 4 + 4 a � ψ : E Q → E W , ( x , y ) �→ , x 2 x 3 x v , 2 ( u − 2 a ) u 2 2 u � � φ : E W → E Q , ( u , v ) �→ v 2 − 1 . Hüseyin Hı¸ sıl () October 19, 2010 7 / 36

  10. Extended Jacobi quartics overview � 2 y + 2 + 2 a , 4 y + 4 + 4 a � ψ : E Q → E W , ( x , y ) �→ , x 2 x 3 x v , 2 ( u − 2 a ) u 2 2 u � � φ : E W → E Q , ( u , v ) �→ v 2 − 1 . Hüseyin Hı¸ sıl () October 19, 2010 8 / 36

  11. Extended Jacobi quartics overview � 2 y + 2 + 2 a , 4 y + 4 + 4 a � ψ : E Q → E W , ( x , y ) �→ , x 2 x 3 x v , 2 ( u − 2 a ) u 2 2 u � � φ : E W → E Q , ( u , v ) �→ v 2 − 1 . It is trivial to check that φ ◦ ψ = id E Q and ψ ◦ φ = id E W . The map ψ is regular at all points on E Q except ( 0 , 1 ) which corresponds to ∞ on E W . Hüseyin Hı¸ sıl () October 19, 2010 8 / 36

  12. Extended Jacobi quartics overview � 2 y + 2 + 2 a , 4 y + 4 + 4 a � ψ : E Q → E W , ( x , y ) �→ , x 2 x 3 x v , 2 ( u − 2 a ) u 2 2 u � � φ : E W → E Q , ( u , v ) �→ v 2 − 1 . It is trivial to check that φ ◦ ψ = id E Q and ψ ◦ φ = id E W . The map ψ is regular at all points on E Q except ( 0 , 1 ) which corresponds to ∞ on E W . At first glance, it may seem that ψ is not regular at ( 0 , − 1 ) . However, it is possible to alter ψ to successfully map all points on E Q except ( 0 , 1 ) . For instance, the point ( 0 , − 1 ) can be sent to ( 0 , 0 ) on E W with an alternative map given by � 2 dx 2 + 2 a ( 1 + y ) , 4 a ( dx 2 + 2 a ) − 4 d ( 1 − y ) ψ ′ : E Q → E W , ( x , y ) �→ � . x y − 1 ( 1 − y ) 2 Hüseyin Hı¸ sıl () October 19, 2010 8 / 36

  13. Extended Jacobi quartics overview � 2 y + 2 + 2 a , 4 y + 4 + 4 a � ψ : E Q → E W , ( x , y ) �→ , x 2 x 3 x v , 2 ( u − 2 a ) u 2 2 u � � φ : E W → E Q , ( u , v ) �→ v 2 − 1 . The map φ is regular at all points on E W except in two cases. Before investigating these cases observe that the point ( 0 , 0 ) on E W : v 2 = u 3 − 4 au 2 + ( 4 a 2 − 4 d ) u can be sent to ( 0 , − 1 ) on E Q with an alternative map given by ( u − 2 a ) 2 − 4 d , u 2 − 4 ( a 2 − d ) 2 v φ ′ : E W → E Q , ( u , v ) �→ � � . ( u − 2 a ) 2 − 4 d Hüseyin Hı¸ sıl () October 19, 2010 8 / 36

  14. Extended Jacobi quartics overview � 2 y + 2 + 2 a , 4 y + 4 + 4 a � ψ : E Q → E W , ( x , y ) �→ , x 2 x 3 x v , 2 ( u − 2 a ) u 2 2 u � � φ : E W → E Q , ( u , v ) �→ v 2 − 1 . The map φ is regular at all points on E W except in two cases. Before investigating these cases observe that the point ( 0 , 0 ) on E W : v 2 = u 3 − 4 au 2 + ( 4 a 2 − 4 d ) u can be sent to ( 0 , − 1 ) on E Q with an alternative map given by ( u − 2 a ) 2 − 4 d , u 2 − 4 ( a 2 − d ) 2 v φ ′ : E W → E Q , ( u , v ) �→ � � . ( u − 2 a ) 2 − 4 d The map φ is not regular at two points of the form ( u , v ) with u � = 0 and v = 0. These exceptional points correspond to two points at infinity on the desingularization of E Q . Hüseyin Hı¸ sıl () October 19, 2010 8 / 36

  15. Extended Jacobi quartics overview � 2 y + 2 + 2 a , 4 y + 4 + 4 a � ψ : E Q → E W , ( x , y ) �→ , x 2 x 3 x v , 2 ( u − 2 a ) u 2 2 u � � φ : E W → E Q , ( u , v ) �→ v 2 − 1 . Note: φ is a morphism if d is a non-square in K . Hüseyin Hı¸ sıl () October 19, 2010 8 / 36

  16. Extended Jacobi quartics overview Every Weierstrass curve v 2 = u 3 + a 2 u 2 + a 4 u is birationally equivalent over K to y 2 = a 2 2 − 4 a 4 x 4 − a 2 2 x 2 + 1 . 16 The shape v 2 = u 3 + a 2 u 2 + a 4 u covers all elliptic curves having at least one point of order two. Therefore every elliptic curve of even order can be written in extended Jacobi quartic form. This extended model covers approximately 1 . 33 # K of 2 # K isomorphism classes (assuming K is finite). Hüseyin Hı¸ sıl () October 19, 2010 9 / 36

  17. Extended Jacobi quartics overview Every Weierstrass curve v 2 = u 3 + a 2 u 2 + a 4 u is birationally equivalent over K to y 2 = a 2 2 − 4 a 4 x 4 − a 2 2 x 2 + 1 . 16 The shape v 2 = u 3 + a 2 u 2 + a 4 u covers all elliptic curves having at least one point of order two. Therefore every elliptic curve of even order can be written in extended Jacobi quartic form. This extended model covers approximately 1 . 33 # K of 2 # K isomorphism classes (assuming K is finite). Hüseyin Hı¸ sıl () October 19, 2010 9 / 36

  18. Outline Overview 1 Automated tools 2 Inversion-free point addition 3 Conclusion 4 Hüseyin Hı¸ sıl () October 19, 2010 10 / 36

  19. Automated Tools Develop tools to: 1 Automate group law derivation algorithmically. 2 Automate minimal/low degree point doubling/addition formulas derivation. 3 Verify the correctness of derived formulas. 4 Find alternative formulas. Hüseyin Hı¸ sıl () October 19, 2010 11 / 36

  20. Automated Tools Theorem (Automated Addition) Let W / K and M / K be affine curves. Assume that W and M are birationally equivalent over K . Let φ : W → M and ψ : M → W be maps such that φ ◦ ψ and ψ ◦ φ are equal to the identity maps id M and id W , respectively. Assume that ˜ W and ˜ M, each with a distinguished K -rational point, are elliptic curves. Let + W : W × W → W be a map which is regular at all but finitely many pairs of points on W, describing some part of the unique addition law on ˜ W. The corresponding part of the unique addition law on ˜ M is then given by the compositions + M := φ ◦ + W ◦ ( ψ × ψ ) and + M is regular at all but finitely many pairs of points on M. Hüseyin Hı¸ sıl () October 19, 2010 12 / 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking

Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking

Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking ECC2K-130, joint work by many authors: ECDL attack in progress against Koblitz curve over F 2 131 using many CPUs, GPUs, FPGAs. Vertically

288 views • 17 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla Batina 1 1 Radboud University, Digital Security, Nijmegen, The Netherlands j.renes,lejla@cs.ru.nl 2 Microsoft Research, Redmond, USA

481 views • 27 slides
Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla Batina 1 j.renes@cs.ru.nl 1 Radboud University, Nijmegen, The Netherlands 2 Microsoft Research, Redmond, USA 16 February 2016 16 February 2016 1 /

642 views • 62 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School before ECC September 2006 Elliptic curves An elliptic curve E over a field K is given by a Weierstra equation Y 2 + h ( X ) Y = f ( X ) with h, f

416 views • 13 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick joint work with Nuno Freitas (Warwick) AGC 2 T Luminy, 10 June 2019 Overview 1. Elliptic curves, mod p Galois representations, Weil pairing. 2.

954 views • 70 slides
Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Elliptic curves over F q F. Pappalardi Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j -invariant Research School: Algebraic curves over finite fields Points of finite order

581 views • 29 slides
ACCC Public Forum on TransGrid and EnergyAustralia Revenue Cap Decisions Simon Bartlett, CE

ACCC Public Forum on TransGrid and EnergyAustralia Revenue Cap Decisions Simon Bartlett, CE

ACCC Public Forum on TransGrid and EnergyAustralia Revenue Cap Decisions Simon Bartlett, CE Powerlink Queensland 18 March 2005 Key Messages New framework does not provide the level of certainty and is not as efficient as ACCC described.

742 views • 9 slides
Two Attacks on a White-Box AES Implementation Tancrde Lepoint 1,2 , Matthieu Rivain 1 , Yoni De

Two Attacks on a White-Box AES Implementation Tancrde Lepoint 1,2 , Matthieu Rivain 1 , Yoni De

Two Attacks on a White-Box AES Implementation Tancrde Lepoint 1,2 , Matthieu Rivain 1 , Yoni De Mulder 3 , Peter Roelse 4 , and Bart Preneel 3 1 CryptoExperts, France { tancrede.lepoint,matthieu.rivain } @cryptoexperts.com 2 Ecole Normale

320 views • 28 slides
Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings Brecht Wyseur,

Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings Brecht Wyseur,

Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings Brecht Wyseur, Wil Michiels, Paul Gorissen, Bart Preneel COSIC K.U.Leuven and Philips Research March 27 2007 White-Box Attack Context key key ke y

555 views • 10 slides
LibreOffice's Android port By Miklos Vajna Software Engineer at Collabora Productivity

LibreOffice's Android port By Miklos Vajna Software Engineer at Collabora Productivity

LibreOffice's Android port By Miklos Vajna Software Engineer at Collabora Productivity 2015-09-24 @CollaboraOffice www.CollaboraOffice.com What has been done Cross-compiling, single .so Need to decide what will be run on the machine

500 views • 30 slides
Grbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Universit Paris 6

Grbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Universit Paris 6

Algebraic Cryptanalysis of HFE Isomorphism of Polynomials (IP) The Functional Decomposition Problem Conclusion Grbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Universit Paris 6 INRIA ludovic.perret@lip6.fr

693 views • 46 slides
3D Bipedal Walking including COM height variations St ephane Caron CRI Group Seminar Series

3D Bipedal Walking including COM height variations St ephane Caron CRI Group Seminar Series

3D Bipedal Walking including COM height variations St ephane Caron CRI Group Seminar Series May 14, 2018 What do we want? COMANOID project https://comanoid.cnrs.fr 2 What do we want? COMANOID project Aircraft entry plan (2017) 3

783 views • 25 slides
Robots With Legs Helge Wrede 27.11.2017 Outline Motivation Overview Properties Number of

Robots With Legs Helge Wrede 27.11.2017 Outline Motivation Overview Properties Number of

Robots With Legs Helge Wrede 27.11.2017 Outline Motivation Overview Properties Number of legs Balance Walking Basic Bipedal Implementation Dynamic Balancing Concepts 3D-LIPM 2 Motivation Figure: Side view of the Robot Cassie from

714 views • 27 slides
SIMULATION TO PROOFS IN C2E2 Parasara Sridhar Duggirala 1 A simple (often the only) strategy

SIMULATION TO PROOFS IN C2E2 Parasara Sridhar Duggirala 1 A simple (often the only) strategy

SIMULATION TO PROOFS IN C2E2 Parasara Sridhar Duggirala 1 A simple (often the only) strategy Given start and target S Compute finite cover of initial set Simulate from the center 0 of each cover Bloat

440 views • 22 slides

More recommend