High-speed cryptography, Speed-oriented Jacobian standards part 2: - - PowerPoint PPT Presentation

High-speed cryptography, part 2: more elliptic-curve formulas; field arithmetic Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Speed-oriented Jacobian standards 2000 IEEE “Std 1363” uses Weierstrass curves in Jacobian coordinates to “provide the fastest arithmetic on elliptic curves.” Also specifies a method of choosing curves ②2 = ①3 3① + ❜. 2000 NIST “FIPS 186–2” standardizes five such curves. 2005 NSA “Suite B” recommends two of the NIST curves as the only public-key cryptosystems for U.S. government use.

High-speed cryptography, 2: elliptic-curve formulas; rithmetic

• J. Bernstein

University of Illinois at Chicago & echnische Universiteit Eindhoven Speed-oriented Jacobian standards 2000 IEEE “Std 1363” uses Weierstrass curves in Jacobian coordinates to “provide the fastest arithmetic on elliptic curves.” Also specifies a method of choosing curves ②2 = ①3 3① + ❜. 2000 NIST “FIPS 186–2” standardizes five such curves. 2005 NSA “Suite B” recommends two of the NIST curves as the only public-key cryptosystems for U.S. government use. Projective 1986 Chudnovsky–Chudnovsky: Speed up (❳❂❩2❀ ❨❂❩ ❳❂❩❀ ❨❂❩ 7M + 3S ❛

• 12M + 2

12M + 2 Option has DBL dominates But ADD some applications: batch signature

cryptography, elliptic-curve formulas; Bernstein Illinois at Chicago & Universiteit Eindhoven Speed-oriented Jacobian standards 2000 IEEE “Std 1363” uses Weierstrass curves in Jacobian coordinates to “provide the fastest arithmetic on elliptic curves.” Also specifies a method of choosing curves ②2 = ①3 3① + ❜. 2000 NIST “FIPS 186–2” standardizes five such curves. 2005 NSA “Suite B” recommends two of the NIST curves as the only public-key cryptosystems for U.S. government use. Projective for Weierstrass 1986 Chudnovsky–Chudnovsky: Speed up ADD by (❳❂❩2❀ ❨❂❩3) to (❳❂❩❀ ❨❂❩ 7M + 3S for DBL ❛

• 12M + 2S for ADD.

12M + 2S for reADD. Option has been mostly DBL dominates in But ADD dominates some applications: batch signature verification.

rmulas; Chicago & Eindhoven Speed-oriented Jacobian standards 2000 IEEE “Std 1363” uses Weierstrass curves in Jacobian coordinates to “provide the fastest arithmetic on elliptic curves.” Also specifies a method of choosing curves ②2 = ①3 3① + ❜. 2000 NIST “FIPS 186–2” standardizes five such curves. 2005 NSA “Suite B” recommends two of the NIST curves as the only public-key cryptosystems for U.S. government use. Projective for Weierstrass 1986 Chudnovsky–Chudnovsky: Speed up ADD by switching (❳❂❩2❀ ❨❂❩3) to (❳❂❩❀ ❨❂❩ 7M + 3S for DBL if ❛ = 3. 12M + 2S for ADD. 12M + 2S for reADD. Option has been mostly igno DBL dominates in ECDH etc. But ADD dominates in some applications: e.g., batch signature verification.

Speed-oriented Jacobian standards 2000 IEEE “Std 1363” uses Weierstrass curves in Jacobian coordinates to “provide the fastest arithmetic on elliptic curves.” Also specifies a method of choosing curves ②2 = ①3 3① + ❜. 2000 NIST “FIPS 186–2” standardizes five such curves. 2005 NSA “Suite B” recommends two of the NIST curves as the only public-key cryptosystems for U.S. government use. Projective for Weierstrass 1986 Chudnovsky–Chudnovsky: Speed up ADD by switching from (❳❂❩2❀ ❨❂❩3) to (❳❂❩❀ ❨❂❩). 7M + 3S for DBL if ❛ = 3. 12M + 2S for ADD. 12M + 2S for reADD. Option has been mostly ignored: DBL dominates in ECDH etc. But ADD dominates in some applications: e.g., batch signature verification.

eed-oriented Jacobian standards IEEE “Std 1363” eierstrass curves Jacobian coordinates rovide the fastest rithmetic on elliptic curves.” specifies a method of

• sing curves ②2 = ①3 3① + ❜.

NIST “FIPS 186–2” rdizes five such curves. NSA “Suite B” recommends the NIST curves as

• nly public-key cryptosystems
• S. government use.

Projective for Weierstrass 1986 Chudnovsky–Chudnovsky: Speed up ADD by switching from (❳❂❩2❀ ❨❂❩3) to (❳❂❩❀ ❨❂❩). 7M + 3S for DBL if ❛ = 3. 12M + 2S for ADD. 12M + 2S for reADD. Option has been mostly ignored: DBL dominates in ECDH etc. But ADD dominates in some applications: e.g., batch signature verification. Montgomery 1987 Montgomery: Use ❜②2 ① ❛① ① Choose small ❛ ❂ 2(①2❀ ②2) ① ❀ ② ✮ ①4 = ① ① ① ❛① (①3❀ ②3) ① ❀ ② ① ❀ ② (①3❀ ②3) + ① ❀ ② ① ❀ ② ✮ ①5 = ① ① ① ① ①

Jacobian standards 1363” curves rdinates fastest elliptic curves.” method of ②2 = ①3 3① + ❜. “FIPS 186–2” such curves. “Suite B” recommends curves as ey cryptosystems government use. Projective for Weierstrass 1986 Chudnovsky–Chudnovsky: Speed up ADD by switching from (❳❂❩2❀ ❨❂❩3) to (❳❂❩❀ ❨❂❩). 7M + 3S for DBL if ❛ = 3. 12M + 2S for ADD. 12M + 2S for reADD. Option has been mostly ignored: DBL dominates in ECDH etc. But ADD dominates in some applications: e.g., batch signature verification. Montgomery curves 1987 Montgomery: Use ❜②2 = ①3 + ❛① ① Choose small (❛ + ❂ 2(①2❀ ②2) = (①4❀ ②4 ✮ ①4 = (①2

2

4①2(①2

2 + ❛①

(①3❀ ②3) (①2❀ ②2) ① ❀ ② (①3❀ ②3) + (①2❀ ②2) ① ❀ ② ✮ ①5 = (①2①3 ①1(①2 ①

standards curves.” ② ① 3① + ❜. curves. recommends cryptosystems Projective for Weierstrass 1986 Chudnovsky–Chudnovsky: Speed up ADD by switching from (❳❂❩2❀ ❨❂❩3) to (❳❂❩❀ ❨❂❩). 7M + 3S for DBL if ❛ = 3. 12M + 2S for ADD. 12M + 2S for reADD. Option has been mostly ignored: DBL dominates in ECDH etc. But ADD dominates in some applications: e.g., batch signature verification. Montgomery curves 1987 Montgomery: Use ❜②2 = ①3 + ❛①2 + ①. Choose small (❛ + 2)❂4. 2(①2❀ ②2) = (①4❀ ②4) ✮ ①4 = (①2

2 1)2

4①2(①2

2 + ❛①2 + 1).

(①3❀ ②3) (①2❀ ②2) = (①1❀ ②1 (①3❀ ②3) + (①2❀ ②2) = (①5❀ ②5 ✮ ①5 = (①2①3 1)2 ①1(①2 ①3)2 .

Projective for Weierstrass 1986 Chudnovsky–Chudnovsky: Speed up ADD by switching from (❳❂❩2❀ ❨❂❩3) to (❳❂❩❀ ❨❂❩). 7M + 3S for DBL if ❛ = 3. 12M + 2S for ADD. 12M + 2S for reADD. Option has been mostly ignored: DBL dominates in ECDH etc. But ADD dominates in some applications: e.g., batch signature verification. Montgomery curves 1987 Montgomery: Use ❜②2 = ①3 + ❛①2 + ①. Choose small (❛ + 2)❂4. 2(①2❀ ②2) = (①4❀ ②4) ✮ ①4 = (①2

2 1)2

4①2(①2

2 + ❛①2 + 1).

(①3❀ ②3) (①2❀ ②2) = (①1❀ ②1), (①3❀ ②3) + (①2❀ ②2) = (①5❀ ②5) ✮ ①5 = (①2①3 1)2 ①1(①2 ①3)2 .

Projective for Weierstrass Chudnovsky–Chudnovsky: up ADD by switching from ❳❂❩ ❀ ❨❂❩3) to (❳❂❩❀ ❨❂❩). 3S for DBL if ❛ = 3. 2S for ADD. 2S for reADD. has been mostly ignored: dominates in ECDH etc. ADD dominates in applications: e.g., signature verification. Montgomery curves 1987 Montgomery: Use ❜②2 = ①3 + ❛①2 + ①. Choose small (❛ + 2)❂4. 2(①2❀ ②2) = (①4❀ ②4) ✮ ①4 = (①2

2 1)2

4①2(①2

2 + ❛①2 + 1).

(①3❀ ②3) (①2❀ ②2) = (①1❀ ②1), (①3❀ ②3) + (①2❀ ②2) = (①5❀ ②5) ✮ ①5 = (①2①3 1)2 ①1(①2 ①3)2 . Represent ①❀ ② as (❳:❩) ① ❳❂❩ ❇ = (❳2 ❩ ❈ = (❳2 ❩ ❉ = ❇ ❈ ❳ ❇ ✁ ❈ ❩4 = ❉ ✁ ❈ ❉ ❛ ❂ ✮ 2(❳2:❩2 ❳ ❩ (❳3:❩3) ❳ ❩ ❳ ❩ ❊ = (❳3 ❩ ✁ ❳ ❩ ❋ = (❳3 ❩ ✁ ❳ ❩ ❳5 = ❩1 ✁ ❊ ❋ ❩5 = ❳1 ✁ ❊ ❋ ✮ (❳3:❩3) ❳ ❩ ❳ ❩

eierstrass Chudnovsky–Chudnovsky: by switching from ❳❂❩ ❀ ❨❂❩ (❳❂❩❀ ❨❂❩). DBL if ❛ = 3. ADD. reADD. mostly ignored: in ECDH etc. dominates in applications: e.g., verification. Montgomery curves 1987 Montgomery: Use ❜②2 = ①3 + ❛①2 + ①. Choose small (❛ + 2)❂4. 2(①2❀ ②2) = (①4❀ ②4) ✮ ①4 = (①2

2 1)2

4①2(①2

2 + ❛①2 + 1).

(①3❀ ②3) (①2❀ ②2) = (①1❀ ②1), (①3❀ ②3) + (①2❀ ②2) = (①5❀ ②5) ✮ ①5 = (①2①3 1)2 ①1(①2 ①3)2 . Represent (①❀ ②) as (❳:❩) satisfying ① ❳❂❩ ❇ = (❳2 + ❩2)2, ❈ = (❳2 ❩2)2, ❉ = ❇ ❈, ❳4 = ❇ ✁ ❈ ❩4 = ❉ ✁ (❈ + ❉(❛ ❂ ✮ 2(❳2:❩2) = (❳4:❩ (❳3:❩3) (❳2:❩2) ❳ ❩ ❊ = (❳3 ❩3) ✁ (❳ ❩ ❋ = (❳3 + ❩3) ✁ (❳ ❩ ❳5 = ❩1 ✁ (❊ + ❋) ❩5 = ❳1 ✁ (❊ ❋) ✮ (❳3:❩3) + (❳2:❩2) ❳ ❩

Chudnovsky–Chudnovsky: switching from ❳❂❩ ❀ ❨❂❩ ❳❂❩❀ ❨❂❩). ❛ 3. ignored: etc. verification. Montgomery curves 1987 Montgomery: Use ❜②2 = ①3 + ❛①2 + ①. Choose small (❛ + 2)❂4. 2(①2❀ ②2) = (①4❀ ②4) ✮ ①4 = (①2

2 1)2

4①2(①2

2 + ❛①2 + 1).

(①3❀ ②3) (①2❀ ②2) = (①1❀ ②1), (①3❀ ②3) + (①2❀ ②2) = (①5❀ ②5) ✮ ①5 = (①2①3 1)2 ①1(①2 ①3)2 . Represent (①❀ ②) as (❳:❩) satisfying ① = ❳❂❩ ❇ = (❳2 + ❩2)2, ❈ = (❳2 ❩2)2, ❉ = ❇ ❈, ❳4 = ❇ ✁ ❈, ❩4 = ❉ ✁ (❈ + ❉(❛ + 2)❂4) ✮ 2(❳2:❩2) = (❳4:❩4). (❳3:❩3) (❳2:❩2) = (❳1:❩ ❊ = (❳3 ❩3) ✁ (❳2 + ❩2), ❋ = (❳3 + ❩3) ✁ (❳2 ❩2), ❳5 = ❩1 ✁ (❊ + ❋)2, ❩5 = ❳1 ✁ (❊ ❋)2 ✮ (❳3:❩3) + (❳2:❩2) = (❳5:❩

Montgomery curves 1987 Montgomery: Use ❜②2 = ①3 + ❛①2 + ①. Choose small (❛ + 2)❂4. 2(①2❀ ②2) = (①4❀ ②4) ✮ ①4 = (①2

2 1)2

4①2(①2

2 + ❛①2 + 1).

(①3❀ ②3) (①2❀ ②2) = (①1❀ ②1), (①3❀ ②3) + (①2❀ ②2) = (①5❀ ②5) ✮ ①5 = (①2①3 1)2 ①1(①2 ①3)2 . Represent (①❀ ②) as (❳:❩) satisfying ① = ❳❂❩. ❇ = (❳2 + ❩2)2, ❈ = (❳2 ❩2)2, ❉ = ❇ ❈, ❳4 = ❇ ✁ ❈, ❩4 = ❉ ✁ (❈ + ❉(❛ + 2)❂4) ✮ 2(❳2:❩2) = (❳4:❩4). (❳3:❩3) (❳2:❩2) = (❳1:❩1), ❊ = (❳3 ❩3) ✁ (❳2 + ❩2), ❋ = (❳3 + ❩3) ✁ (❳2 ❩2), ❳5 = ❩1 ✁ (❊ + ❋)2, ❩5 = ❳1 ✁ (❊ ❋)2 ✮ (❳3:❩3) + (❳2:❩2) = (❳5:❩5).

Montgomery curves Montgomery: ❜②2 = ①3 + ❛①2 + ①.

• se small (❛ + 2)❂4.

① ❀ ②2) = (①4❀ ②4) ✮ ① = (①2

2 1)2

4①2(①2

2 + ❛①2 + 1).

① ❀ ② ) (①2❀ ②2) = (①1❀ ②1), ① ❀ ② ) + (①2❀ ②2) = (①5❀ ②5) ✮ ① = (①2①3 1)2 ①1(①2 ①3)2 . Represent (①❀ ②) as (❳:❩) satisfying ① = ❳❂❩. ❇ = (❳2 + ❩2)2, ❈ = (❳2 ❩2)2, ❉ = ❇ ❈, ❳4 = ❇ ✁ ❈, ❩4 = ❉ ✁ (❈ + ❉(❛ + 2)❂4) ✮ 2(❳2:❩2) = (❳4:❩4). (❳3:❩3) (❳2:❩2) = (❳1:❩1), ❊ = (❳3 ❩3) ✁ (❳2 + ❩2), ❋ = (❳3 + ❩3) ✁ (❳2 ❩2), ❳5 = ❩1 ✁ (❊ + ❋)2, ❩5 = ❳1 ✁ (❊ ❋)2 ✮ (❳3:❩3) + (❳2:❩2) = (❳5:❩5). This repre does not DADD, “differential ◗❀ ❘❀ ◗ ❘ ✼✦ ◗ ❘ e.g. 2P❀ P❀ P ✼✦ P e.g. 3P❀ P❀ P ✼✦ P e.g. 6P❀ P❀ P ✼✦ P 2M + 2S 4M + 2S Save 1M ❩ Easily compute ♥ ❳ ❩ ✙ lg ♥ DBL, ✙ ♥ Almost as ♥P Relatively ♠P ♥◗

curves Montgomery: ❜② ① ❛①2 + ①. ❛ + 2)❂4. ① ❀ ② ① ❀ ②4) ✮ ① ① 1)2 ① ① + ❛①2 + 1). ① ❀ ② ① ❀ ②2) = (①1❀ ②1), ① ❀ ② ① ❀ ②2) = (①5❀ ②5) ✮ ① ① ① 1)2 ① ① ①3)2 . Represent (①❀ ②) as (❳:❩) satisfying ① = ❳❂❩. ❇ = (❳2 + ❩2)2, ❈ = (❳2 ❩2)2, ❉ = ❇ ❈, ❳4 = ❇ ✁ ❈, ❩4 = ❉ ✁ (❈ + ❉(❛ + 2)❂4) ✮ 2(❳2:❩2) = (❳4:❩4). (❳3:❩3) (❳2:❩2) = (❳1:❩1), ❊ = (❳3 ❩3) ✁ (❳2 + ❩2), ❋ = (❳3 + ❩3) ✁ (❳2 ❩2), ❳5 = ❩1 ✁ (❊ + ❋)2, ❩5 = ❳1 ✁ (❊ ❋)2 ✮ (❳3:❩3) + (❳2:❩2) = (❳5:❩5). This representation does not allow ADD DADD, “differential ◗❀ ❘❀ ◗ ❘ ✼✦ ◗ + ❘ e.g. 2P❀ P❀ P ✼✦ 3P e.g. 3P❀ 2P❀ P ✼✦ 5P e.g. 6P❀ 5P❀ P ✼✦ 11P 2M + 2S + 1D for 4M + 2S for DADD. Save 1M if ❩1 = 1. Easily compute ♥(❳ ❩ ✙ lg ♥ DBL, ✙ lg ♥ Almost as fast as Edw ♥P Relatively slow for ♠P ♥◗

❜② ① ❛① ① ❛ ❂ ① ❀ ② ① ❀ ② ✮ ① ① ① ① ❛① 1). ① ❀ ② ① ❀ ② ① ❀ ②1), ① ❀ ② ① ❀ ② ① ❀ ②5) ✮ ① ① ① ① ① ① Represent (①❀ ②) as (❳:❩) satisfying ① = ❳❂❩. ❇ = (❳2 + ❩2)2, ❈ = (❳2 ❩2)2, ❉ = ❇ ❈, ❳4 = ❇ ✁ ❈, ❩4 = ❉ ✁ (❈ + ❉(❛ + 2)❂4) ✮ 2(❳2:❩2) = (❳4:❩4). (❳3:❩3) (❳2:❩2) = (❳1:❩1), ❊ = (❳3 ❩3) ✁ (❳2 + ❩2), ❋ = (❳3 + ❩3) ✁ (❳2 ❩2), ❳5 = ❩1 ✁ (❊ + ❋)2, ❩5 = ❳1 ✁ (❊ ❋)2 ✮ (❳3:❩3) + (❳2:❩2) = (❳5:❩5). This representation does not allow ADD but it allo DADD, “differential addition”: ◗❀ ❘❀ ◗ ❘ ✼✦ ◗ + ❘. e.g. 2P❀ P❀ P ✼✦ 3P. e.g. 3P❀ 2P❀ P ✼✦ 5P. e.g. 6P❀ 5P❀ P ✼✦ 11P. 2M + 2S + 1D for DBL. 4M + 2S for DADD. Save 1M if ❩1 = 1. Easily compute ♥(❳1 : ❩1) using ✙ lg ♥ DBL, ✙ lg ♥ DADD. Almost as fast as Edwards ♥P Relatively slow for ♠P + ♥◗

Represent (①❀ ②) as (❳:❩) satisfying ① = ❳❂❩. ❇ = (❳2 + ❩2)2, ❈ = (❳2 ❩2)2, ❉ = ❇ ❈, ❳4 = ❇ ✁ ❈, ❩4 = ❉ ✁ (❈ + ❉(❛ + 2)❂4) ✮ 2(❳2:❩2) = (❳4:❩4). (❳3:❩3) (❳2:❩2) = (❳1:❩1), ❊ = (❳3 ❩3) ✁ (❳2 + ❩2), ❋ = (❳3 + ❩3) ✁ (❳2 ❩2), ❳5 = ❩1 ✁ (❊ + ❋)2, ❩5 = ❳1 ✁ (❊ ❋)2 ✮ (❳3:❩3) + (❳2:❩2) = (❳5:❩5). This representation does not allow ADD but it allows DADD, “differential addition”: ◗❀ ❘❀ ◗ ❘ ✼✦ ◗ + ❘. e.g. 2P❀ P❀ P ✼✦ 3P. e.g. 3P❀ 2P❀ P ✼✦ 5P. e.g. 6P❀ 5P❀ P ✼✦ 11P. 2M + 2S + 1D for DBL. 4M + 2S for DADD. Save 1M if ❩1 = 1. Easily compute ♥(❳1 : ❩1) using ✙ lg ♥ DBL, ✙ lg ♥ DADD. Almost as fast as Edwards ♥P. Relatively slow for ♠P + ♥◗ etc.

resent (①❀ ②) ❳ ❩) satisfying ① = ❳❂❩. ❇ ❳2 + ❩2)2, ❈ ❳2 ❩2)2, ❉ ❇ ❈, ❳4 = ❇ ✁ ❈, ❩ ❉ ✁ (❈ + ❉(❛ + 2)❂4) ✮ ❳ ❩2) = (❳4:❩4). ❳ ❩ ) (❳2:❩2) = (❳1:❩1), ❊ ❳3 ❩3) ✁ (❳2 + ❩2), ❋ ❳3 + ❩3) ✁ (❳2 ❩2), ❳ ❩1 ✁ (❊ + ❋)2, ❩ ❳1 ✁ (❊ ❋)2 ✮ ❳ ❩ ) + (❳2:❩2) = (❳5:❩5). This representation does not allow ADD but it allows DADD, “differential addition”: ◗❀ ❘❀ ◗ ❘ ✼✦ ◗ + ❘. e.g. 2P❀ P❀ P ✼✦ 3P. e.g. 3P❀ 2P❀ P ✼✦ 5P. e.g. 6P❀ 5P❀ P ✼✦ 11P. 2M + 2S + 1D for DBL. 4M + 2S for DADD. Save 1M if ❩1 = 1. Easily compute ♥(❳1 : ❩1) using ✙ lg ♥ DBL, ✙ lg ♥ DADD. Almost as fast as Edwards ♥P. Relatively slow for ♠P + ♥◗ etc. Doubling-o 2006 Do Use ②2 = ① ❛① ❛① Choose small ❛ Use (❳ : ❨ ❩ ❩ to represent ❳❂❩❀ ❨❂❩ 3M + 4S How? Facto ✬ ✬ where ✬ 2007 Bernstein–Lange: 2M + 5S

• n the same

①❀ ② ❳ ❩ satisfying ① = ❳❂❩. ❇ ❳ ❩ , ❈ ❳ ❩ , ❉ ❇ ❈ ❳ = ❇ ✁ ❈, ❩ ❉ ✁ ❈ ❉(❛ + 2)❂4) ✮ ❳ ❩ ❳ :❩4). ❳ ❩ ❳ ❩2) = (❳1:❩1), ❊ ❳ ❩ ✁ (❳2 + ❩2), ❋ ❳ ❩ ✁ (❳2 ❩2), ❳ ❩ ✁ ❊ ❋)2, ❩ ❳ ✁ ❊ ❋)2 ✮ ❳ ❩ ❳ ❩2) = (❳5:❩5). This representation does not allow ADD but it allows DADD, “differential addition”: ◗❀ ❘❀ ◗ ❘ ✼✦ ◗ + ❘. e.g. 2P❀ P❀ P ✼✦ 3P. e.g. 3P❀ 2P❀ P ✼✦ 5P. e.g. 6P❀ 5P❀ P ✼✦ 11P. 2M + 2S + 1D for DBL. 4M + 2S for DADD. Save 1M if ❩1 = 1. Easily compute ♥(❳1 : ❩1) using ✙ lg ♥ DBL, ✙ lg ♥ DADD. Almost as fast as Edwards ♥P. Relatively slow for ♠P + ♥◗ etc. Doubling-oriented 2006 Doche–Icart–Kohel: Use ②2 = ①3 + ❛①2 ❛① Choose small ❛. Use (❳ : ❨ : ❩ : ❩ to represent (❳❂❩❀ ❨❂❩ 3M + 4S + 2D for How? Factor DBL ✬ ✬ where ✬ is a 2-isogeny 2007 Bernstein–Lange: 2M + 5S + 2D for

• n the same curves.

①❀ ② ❳ ❩ ① ❳❂❩. ❇ ❳ ❩ ❈ ❳ ❩ ❉ ❇ ❈ ❳ ❇ ✁ ❈ ❩ ❉ ✁ ❈ ❉ ❛ ❂4) ✮ ❳ ❩ ❳ ❩ ❳ ❩ ❳ ❩ ❳ :❩1), ❊ ❳ ❩ ✁ ❳ ❩ ), ❋ ❳ ❩ ✁ ❳ ❩ ), ❳ ❩ ✁ ❊ ❋ ❩ ❳ ✁ ❊ ❋ ✮ ❳ ❩ ❳ ❩ ❳ :❩5). This representation does not allow ADD but it allows DADD, “differential addition”: ◗❀ ❘❀ ◗ ❘ ✼✦ ◗ + ❘. e.g. 2P❀ P❀ P ✼✦ 3P. e.g. 3P❀ 2P❀ P ✼✦ 5P. e.g. 6P❀ 5P❀ P ✼✦ 11P. 2M + 2S + 1D for DBL. 4M + 2S for DADD. Save 1M if ❩1 = 1. Easily compute ♥(❳1 : ❩1) using ✙ lg ♥ DBL, ✙ lg ♥ DADD. Almost as fast as Edwards ♥P. Relatively slow for ♠P + ♥◗ etc. Doubling-oriented curves 2006 Doche–Icart–Kohel: Use ②2 = ①3 + ❛①2 + 16❛①. Choose small ❛. Use (❳ : ❨ : ❩ : ❩2) to represent (❳❂❩❀ ❨❂❩2). 3M + 4S + 2D for DBL. How? Factor DBL as ˆ ✬(✬) where ✬ is a 2-isogeny. 2007 Bernstein–Lange: 2M + 5S + 2D for DBL

• n the same curves.

This representation does not allow ADD but it allows DADD, “differential addition”: ◗❀ ❘❀ ◗ ❘ ✼✦ ◗ + ❘. e.g. 2P❀ P❀ P ✼✦ 3P. e.g. 3P❀ 2P❀ P ✼✦ 5P. e.g. 6P❀ 5P❀ P ✼✦ 11P. 2M + 2S + 1D for DBL. 4M + 2S for DADD. Save 1M if ❩1 = 1. Easily compute ♥(❳1 : ❩1) using ✙ lg ♥ DBL, ✙ lg ♥ DADD. Almost as fast as Edwards ♥P. Relatively slow for ♠P + ♥◗ etc. Doubling-oriented curves 2006 Doche–Icart–Kohel: Use ②2 = ①3 + ❛①2 + 16❛①. Choose small ❛. Use (❳ : ❨ : ❩ : ❩2) to represent (❳❂❩❀ ❨❂❩2). 3M + 4S + 2D for DBL. How? Factor DBL as ˆ ✬(✬) where ✬ is a 2-isogeny. 2007 Bernstein–Lange: 2M + 5S + 2D for DBL

• n the same curves.

representation not allow ADD but it allows ADD, “differential addition”: ◗❀ ❘❀ ◗ ❘ ✼✦ ◗ + ❘. P❀ P❀ P ✼✦ 3P. P❀ 2P❀ P ✼✦ 5P. P❀ 5P❀ P ✼✦ 11P. 2S + 1D for DBL. 2S for DADD. M if ❩1 = 1. compute ♥(❳1 : ❩1) using ✙ ♥ DBL, ✙ lg ♥ DADD. Almost as fast as Edwards ♥P. Relatively slow for ♠P + ♥◗ etc. Doubling-oriented curves 2006 Doche–Icart–Kohel: Use ②2 = ①3 + ❛①2 + 16❛①. Choose small ❛. Use (❳ : ❨ : ❩ : ❩2) to represent (❳❂❩❀ ❨❂❩2). 3M + 4S + 2D for DBL. How? Factor DBL as ˆ ✬(✬) where ✬ is a 2-isogeny. 2007 Bernstein–Lange: 2M + 5S + 2D for DBL

• n the same curves.

12M + 5 Slower ADD typically

• f the very

But isogenies Example, fast DBL+D genus-2 using simila Tricky but tripling-o (see 2006 double-base ✿ ✿ ✿

sentation ADD but it allows “differential addition”: ◗❀ ❘❀ ◗ ❘ ✼✦ ◗ + ❘. P❀ P❀ P ✼✦ 3P. P❀ P❀ P ✼✦ 5P. P❀ P❀ P ✼✦ 11P. for DBL. ADD. ❩ 1. ♥(❳1 : ❩1) using ✙ ♥ ✙ lg ♥ DADD. as Edwards ♥P. for ♠P + ♥◗ etc. Doubling-oriented curves 2006 Doche–Icart–Kohel: Use ②2 = ①3 + ❛①2 + 16❛①. Choose small ❛. Use (❳ : ❨ : ❩ : ❩2) to represent (❳❂❩❀ ❨❂❩2). 3M + 4S + 2D for DBL. How? Factor DBL as ˆ ✬(✬) where ✬ is a 2-isogeny. 2007 Bernstein–Lange: 2M + 5S + 2D for DBL

• n the same curves.

12M + 5S + 1D fo Slower ADD than typically outweighing

• f the very fast DBL.

But isogenies are useful. Example, 2005 Gaudry: fast DBL+DADD genus-2 hyperelliptic using similar factorization. Tricky but potentially tripling-oriented cur (see 2006 Doche–Ica double-base chains, ✿ ✿ ✿

it allows addition”: ◗❀ ❘❀ ◗ ❘ ✼✦ ◗ ❘ P❀ P❀ P ✼✦ P P❀ P❀ P ✼✦ P P❀ P❀ P ✼✦ P ❩ ♥ ❳ ❩ ) using ✙ ♥ ✙ ♥ ADD. ♥P. ♠P ♥◗ etc. Doubling-oriented curves 2006 Doche–Icart–Kohel: Use ②2 = ①3 + ❛①2 + 16❛①. Choose small ❛. Use (❳ : ❨ : ❩ : ❩2) to represent (❳❂❩❀ ❨❂❩2). 3M + 4S + 2D for DBL. How? Factor DBL as ˆ ✬(✬) where ✬ is a 2-isogeny. 2007 Bernstein–Lange: 2M + 5S + 2D for DBL

• n the same curves.

12M + 5S + 1D for ADD. Slower ADD than other systems, typically outweighing benefit

• f the very fast DBL.

But isogenies are useful. Example, 2005 Gaudry: fast DBL+DADD on Jacobians genus-2 hyperelliptic curves, using similar factorization. Tricky but potentially helpful: tripling-oriented curves (see 2006 Doche–Icart–Kohel), double-base chains, ✿ ✿ ✿

Doubling-oriented curves 2006 Doche–Icart–Kohel: Use ②2 = ①3 + ❛①2 + 16❛①. Choose small ❛. Use (❳ : ❨ : ❩ : ❩2) to represent (❳❂❩❀ ❨❂❩2). 3M + 4S + 2D for DBL. How? Factor DBL as ˆ ✬(✬) where ✬ is a 2-isogeny. 2007 Bernstein–Lange: 2M + 5S + 2D for DBL

• n the same curves.

12M + 5S + 1D for ADD. Slower ADD than other systems, typically outweighing benefit

• f the very fast DBL.

But isogenies are useful. Example, 2005 Gaudry: fast DBL+DADD on Jacobians of genus-2 hyperelliptic curves, using similar factorization. Tricky but potentially helpful: tripling-oriented curves (see 2006 Doche–Icart–Kohel), double-base chains, ✿ ✿ ✿

Doubling-oriented curves Doche–Icart–Kohel: ② = ①3 + ❛①2 + 16❛①.

• se small ❛.

❳ : ❨ : ❩ : ❩2) resent (❳❂❩❀ ❨❂❩2). 4S + 2D for DBL. Factor DBL as ˆ ✬(✬) ✬ is a 2-isogeny. Bernstein–Lange: 5S + 2D for DBL same curves. 12M + 5S + 1D for ADD. Slower ADD than other systems, typically outweighing benefit

• f the very fast DBL.

But isogenies are useful. Example, 2005 Gaudry: fast DBL+DADD on Jacobians of genus-2 hyperelliptic curves, using similar factorization. Tricky but potentially helpful: tripling-oriented curves (see 2006 Doche–Icart–Kohel), double-base chains, ✿ ✿ ✿ Hessian Credited by 1986 (❳ : ❨ : ❩ ❳❂❩❀ ❨❂❩

• n ①3 + ②

❞①② 12M for ❳3 = ❨1❳ ✁ ❨ ❩ ❩ ❨ ✁ ❳ ❨ ❨3 = ❳1❩ ✁ ❳ ❨ ❨ ❳ ✁ ❩ ❳ ❩3 = ❩1❨ ✁ ❩ ❳ ❳ ❩ ✁ ❨ ❩ 6M + 3S

riented curves rt–Kohel: ② ① ❛①2 + 16❛①. ❛ ❳ ❨ ❩ ❩2) ❳❂❩❀ ❨❂❩2). for DBL. DBL as ˆ ✬(✬) ✬ 2-isogeny. Bernstein–Lange: for DBL curves. 12M + 5S + 1D for ADD. Slower ADD than other systems, typically outweighing benefit

• f the very fast DBL.

But isogenies are useful. Example, 2005 Gaudry: fast DBL+DADD on Jacobians of genus-2 hyperelliptic curves, using similar factorization. Tricky but potentially helpful: tripling-oriented curves (see 2006 Doche–Icart–Kohel), double-base chains, ✿ ✿ ✿ Hessian curves Credited to Sylvester by 1986 Chudnovsky–Chudnovsky: (❳ : ❨ : ❩) represent ❳❂❩❀ ❨❂❩

• n ①3 + ②3 + 1 = ❞①②

12M for ADD: ❳3 = ❨1❳2 ✁ ❨1❩2 ❩ ❨ ✁ ❳ ❨ ❨3 = ❳1❩2 ✁ ❳1❨2 ❨ ❳ ✁ ❩ ❳ ❩3 = ❩1❨2 ✁ ❩1❳2 ❳ ❩ ✁ ❨ ❩ 6M + 3S for DBL.

② ① ❛① ❛①. ❛ ❳ ❨ ❩ ❩ ❳❂❩❀ ❨❂❩ ✬ ✬) ✬ 12M + 5S + 1D for ADD. Slower ADD than other systems, typically outweighing benefit

• f the very fast DBL.

But isogenies are useful. Example, 2005 Gaudry: fast DBL+DADD on Jacobians of genus-2 hyperelliptic curves, using similar factorization. Tricky but potentially helpful: tripling-oriented curves (see 2006 Doche–Icart–Kohel), double-base chains, ✿ ✿ ✿ Hessian curves Credited to Sylvester by 1986 Chudnovsky–Chudnovsky: (❳ : ❨ : ❩) represent (❳❂❩❀ ❨❂❩

• n ①3 + ②3 + 1 = 3❞①②.

12M for ADD: ❳3 = ❨1❳2 ✁ ❨1❩2 ❩1❨2 ✁ ❳ ❨ ❨3 = ❳1❩2 ✁ ❳1❨2 ❨1❳2 ✁ ❩ ❳ ❩3 = ❩1❨2 ✁ ❩1❳2 ❳1❩2 ✁ ❨ ❩ 6M + 3S for DBL.

12M + 5S + 1D for ADD. Slower ADD than other systems, typically outweighing benefit

• f the very fast DBL.

But isogenies are useful. Example, 2005 Gaudry: fast DBL+DADD on Jacobians of genus-2 hyperelliptic curves, using similar factorization. Tricky but potentially helpful: tripling-oriented curves (see 2006 Doche–Icart–Kohel), double-base chains, ✿ ✿ ✿ Hessian curves Credited to Sylvester by 1986 Chudnovsky–Chudnovsky: (❳ : ❨ : ❩) represent (❳❂❩❀ ❨❂❩)

• n ①3 + ②3 + 1 = 3❞①②.

12M for ADD: ❳3 = ❨1❳2 ✁ ❨1❩2 ❩1❨2 ✁ ❳1❨2, ❨3 = ❳1❩2 ✁ ❳1❨2 ❨1❳2 ✁ ❩1❳2, ❩3 = ❩1❨2 ✁ ❩1❳2 ❳1❩2 ✁ ❨1❩2. 6M + 3S for DBL.

5S + 1D for ADD. ADD than other systems, ypically outweighing benefit very fast DBL. isogenies are useful. Example, 2005 Gaudry: DBL+DADD on Jacobians of genus-2 hyperelliptic curves, similar factorization. but potentially helpful: tripling-oriented curves 2006 Doche–Icart–Kohel), double-base chains, ✿ ✿ ✿ Hessian curves Credited to Sylvester by 1986 Chudnovsky–Chudnovsky: (❳ : ❨ : ❩) represent (❳❂❩❀ ❨❂❩)

• n ①3 + ②3 + 1 = 3❞①②.

12M for ADD: ❳3 = ❨1❳2 ✁ ❨1❩2 ❩1❨2 ✁ ❳1❨2, ❨3 = ❳1❩2 ✁ ❳1❨2 ❨1❳2 ✁ ❩1❳2, ❩3 = ❩1❨2 ✁ ❩1❳2 ❳1❩2 ✁ ❨1❩2. 6M + 3S for DBL. 2001 Joy 2(❳1 : ❨1 ❩ (❩1 : ❳1 ❨ ❨ ❩ ❳ so can use “Unified helpful against But need 2009 Bernstein–Kohel–Lange: Easily avoid 2008 Hisil–W (❳ : ❨ : ❩ ❳ ❨ ❩ : 2❳❨ ❳❩ ❨ ❩ 6M + 6S 3M + 6S

for ADD. than other systems, eighing benefit DBL. re useful. Gaudry: D on Jacobians of erelliptic curves, factorization.

• tentially helpful:

curves che–Icart–Kohel), chains, ✿ ✿ ✿ Hessian curves Credited to Sylvester by 1986 Chudnovsky–Chudnovsky: (❳ : ❨ : ❩) represent (❳❂❩❀ ❨❂❩)

• n ①3 + ②3 + 1 = 3❞①②.

12M for ADD: ❳3 = ❨1❳2 ✁ ❨1❩2 ❩1❨2 ✁ ❳1❨2, ❨3 = ❳1❩2 ✁ ❳1❨2 ❨1❳2 ✁ ❩1❳2, ❩3 = ❩1❨2 ✁ ❩1❳2 ❳1❩2 ✁ ❨1❩2. 6M + 3S for DBL. 2001 Joye–Quisquater: 2(❳1 : ❨1 : ❩1) = (❩1 : ❳1 : ❨1) + (❨ ❩ ❳ so can use ADD to “Unified addition fo helpful against side But need to permute 2009 Bernstein–Kohel–Lange: Easily avoid permutation! 2008 Hisil–Wong–Ca (❳ : ❨ : ❩ : ❳2 : ❨ ❩ : 2❳❨ : 2❳❩ ❨ ❩ 6M + 6S for ADD. 3M + 6S for DBL.

systems, enefit Jacobians of s, helpful: rt–Kohel), ✿ ✿ ✿ Hessian curves Credited to Sylvester by 1986 Chudnovsky–Chudnovsky: (❳ : ❨ : ❩) represent (❳❂❩❀ ❨❂❩)

• n ①3 + ②3 + 1 = 3❞①②.

12M for ADD: ❳3 = ❨1❳2 ✁ ❨1❩2 ❩1❨2 ✁ ❳1❨2, ❨3 = ❳1❩2 ✁ ❳1❨2 ❨1❳2 ✁ ❩1❳2, ❩3 = ❩1❨2 ✁ ❩1❳2 ❳1❩2 ✁ ❨1❩2. 6M + 3S for DBL. 2001 Joye–Quisquater: 2(❳1 : ❨1 : ❩1) = (❩1 : ❳1 : ❨1) + (❨1 : ❩1 : ❳ so can use ADD to double. “Unified addition formulas,” helpful against side channels. But need to permute inputs. 2009 Bernstein–Kohel–Lange: Easily avoid permutation! 2008 Hisil–Wong–Carter–Dawson: (❳ : ❨ : ❩ : ❳2 : ❨ 2 : ❩2 : 2❳❨ : 2❳❩ : 2❨ ❩). 6M + 6S for ADD. 3M + 6S for DBL.

Hessian curves Credited to Sylvester by 1986 Chudnovsky–Chudnovsky: (❳ : ❨ : ❩) represent (❳❂❩❀ ❨❂❩)

• n ①3 + ②3 + 1 = 3❞①②.

12M for ADD: ❳3 = ❨1❳2 ✁ ❨1❩2 ❩1❨2 ✁ ❳1❨2, ❨3 = ❳1❩2 ✁ ❳1❨2 ❨1❳2 ✁ ❩1❳2, ❩3 = ❩1❨2 ✁ ❩1❳2 ❳1❩2 ✁ ❨1❩2. 6M + 3S for DBL. 2001 Joye–Quisquater: 2(❳1 : ❨1 : ❩1) = (❩1 : ❳1 : ❨1) + (❨1 : ❩1 : ❳1) so can use ADD to double. “Unified addition formulas,” helpful against side channels. But need to permute inputs. 2009 Bernstein–Kohel–Lange: Easily avoid permutation! 2008 Hisil–Wong–Carter–Dawson: (❳ : ❨ : ❩ : ❳2 : ❨ 2 : ❩2 : 2❳❨ : 2❳❩ : 2❨ ❩). 6M + 6S for ADD. 3M + 6S for DBL.

Hessian curves Credited to Sylvester 1986 Chudnovsky–Chudnovsky: ❳ ❨ : ❩) represent (❳❂❩❀ ❨❂❩) ① + ②3 + 1 = 3❞①②. for ADD: ❳ ❨1❳2 ✁ ❨1❩2 ❩1❨2 ✁ ❳1❨2, ❨ ❳1❩2 ✁ ❳1❨2 ❨1❳2 ✁ ❩1❳2, ❩ ❩1❨2 ✁ ❩1❳2 ❳1❩2 ✁ ❨1❩2. 3S for DBL. 2001 Joye–Quisquater: 2(❳1 : ❨1 : ❩1) = (❩1 : ❳1 : ❨1) + (❨1 : ❩1 : ❳1) so can use ADD to double. “Unified addition formulas,” helpful against side channels. But need to permute inputs. 2009 Bernstein–Kohel–Lange: Easily avoid permutation! 2008 Hisil–Wong–Carter–Dawson: (❳ : ❨ : ❩ : ❳2 : ❨ 2 : ❩2 : 2❳❨ : 2❳❩ : 2❨ ❩). 6M + 6S for ADD. 3M + 6S for DBL. ①3 ②3 + ✿ ①②

Sylvester Chudnovsky–Chudnovsky: ❳ ❨ ❩ resent (❳❂❩❀ ❨❂❩) ① ② = 3❞①②. ❳ ❨ ❳ ✁ ❨ ❩2 ❩1❨2 ✁ ❳1❨2, ❨ ❳ ❩ ✁ ❳ ❨2 ❨1❳2 ✁ ❩1❳2, ❩ ❩ ❨ ✁ ❩ ❳2 ❳1❩2 ✁ ❨1❩2. DBL. 2001 Joye–Quisquater: 2(❳1 : ❨1 : ❩1) = (❩1 : ❳1 : ❨1) + (❨1 : ❩1 : ❳1) so can use ADD to double. “Unified addition formulas,” helpful against side channels. But need to permute inputs. 2009 Bernstein–Kohel–Lange: Easily avoid permutation! 2008 Hisil–Wong–Carter–Dawson: (❳ : ❨ : ❩ : ❳2 : ❨ 2 : ❩2 : 2❳❨ : 2❳❩ : 2❨ ❩). 6M + 6S for ADD. 3M + 6S for DBL. ①3 ②3 + 1 = 0✿3①②

Chudnovsky–Chudnovsky: ❳ ❨ ❩ ❳❂❩❀ ❨❂❩) ① ② ❞①② ❳ ❨ ❳ ✁ ❨ ❩ ❩ ❨ ✁ ❳1❨2, ❨ ❳ ❩ ✁ ❳ ❨ ❨ ❳ ✁ ❩1❳2, ❩ ❩ ❨ ✁ ❩ ❳ ❳ ❩ ✁ ❨1❩2. 2001 Joye–Quisquater: 2(❳1 : ❨1 : ❩1) = (❩1 : ❳1 : ❨1) + (❨1 : ❩1 : ❳1) so can use ADD to double. “Unified addition formulas,” helpful against side channels. But need to permute inputs. 2009 Bernstein–Kohel–Lange: Easily avoid permutation! 2008 Hisil–Wong–Carter–Dawson: (❳ : ❨ : ❩ : ❳2 : ❨ 2 : ❩2 : 2❳❨ : 2❳❩ : 2❨ ❩). 6M + 6S for ADD. 3M + 6S for DBL. ①3 ②3 + 1 = 0✿3①②

2001 Joye–Quisquater: 2(❳1 : ❨1 : ❩1) = (❩1 : ❳1 : ❨1) + (❨1 : ❩1 : ❳1) so can use ADD to double. “Unified addition formulas,” helpful against side channels. But need to permute inputs. 2009 Bernstein–Kohel–Lange: Easily avoid permutation! 2008 Hisil–Wong–Carter–Dawson: (❳ : ❨ : ❩ : ❳2 : ❨ 2 : ❩2 : 2❳❨ : 2❳❩ : 2❨ ❩). 6M + 6S for ADD. 3M + 6S for DBL. ①3 ②3 + 1 = 0✿3①②

Joye–Quisquater: ❳ ❨1 : ❩1) = ❩ ❳1 : ❨1) + (❨1 : ❩1 : ❳1) use ADD to double. “Unified addition formulas,” helpful against side channels. need to permute inputs. Bernstein–Kohel–Lange: avoid permutation! Hisil–Wong–Carter–Dawson: ❳ ❨ : ❩ : ❳2 : ❨ 2 : ❩2 2❳❨ : 2❳❩ : 2❨ ❩). 6S for ADD. 6S for DBL. ①3 ②3 + 1 = 0✿3①②

e–Quisquater: ❳ ❨ ❩ ❩ ❳ ❨ (❨1 : ❩1 : ❳1) to double. addition formulas,” side channels. ermute inputs. Bernstein–Kohel–Lange: ermutation!

• ng–Carter–Dawson:

❳ ❨ ❩ ❳ : ❨ 2 : ❩2 ❳❨ ❳❩ : 2❨ ❩). ADD. DBL. ①3 ②3 + 1 = 0✿3①②

❳ ❨ ❩ ❩ ❳ ❨ ❨ ❩ ❳1) double. rmulas,” channels. inputs. Bernstein–Kohel–Lange: rter–Dawson: ❳ ❨ ❩ ❳ ❨ ❩ ❳❨ ❳❩ ❨ ❩ ①3 ②3 + 1 = 0✿3①②

①3 ②3 + 1 = 0✿3①②

① ②3 + 1 = 0✿3①② Jacobi intersections 1986 Chudnovsky–Chudnovsky: (❙ : ❈ : ❉ ❩ (❙❂❩❀ ❈❂❩❀ ❉❂❩ s2 + ❝2 = ❛s ❞ 14M + 2 “Tremendous

• f being

5M + 3S “Perhaps ✿ ✿ ✿ efficient which do coefficients

① ② ✿3①② Jacobi intersections 1986 Chudnovsky–Chudnovsky: (❙ : ❈ : ❉ : ❩) rep (❙❂❩❀ ❈❂❩❀ ❉❂❩) on s2 + ❝2 = 1, ❛s2 + ❞ 14M + 2S + 1D fo “Tremendous advantage”

• f being strongly unified.

5M + 3S for DBL. “Perhaps (?) ✿ ✿ ✿ the efficient duplication which do not depend coefficients of an elliptic

① ② ✿ ①② Jacobi intersections 1986 Chudnovsky–Chudnovsky: (❙ : ❈ : ❉ : ❩) represent (❙❂❩❀ ❈❂❩❀ ❉❂❩) on s2 + ❝2 = 1, ❛s2 + ❞2 = 1. 14M + 2S + 1D for ADD. “Tremendous advantage”

• f being strongly unified.

5M + 3S for DBL. “Perhaps (?) ✿ ✿ ✿ the most efficient duplication formulas which do not depend on the coefficients of an elliptic curve.”

Jacobi intersections 1986 Chudnovsky–Chudnovsky: (❙ : ❈ : ❉ : ❩) represent (❙❂❩❀ ❈❂❩❀ ❉❂❩) on s2 + ❝2 = 1, ❛s2 + ❞2 = 1. 14M + 2S + 1D for ADD. “Tremendous advantage”

• f being strongly unified.

5M + 3S for DBL. “Perhaps (?) ✿ ✿ ✿ the most efficient duplication formulas which do not depend on the coefficients of an elliptic curve.”

Jacobi intersections 1986 Chudnovsky–Chudnovsky: (❙ : ❈ : ❉ : ❩) represent (❙❂❩❀ ❈❂❩❀ ❉❂❩) on s2 + ❝2 = 1, ❛s2 + ❞2 = 1. 14M + 2S + 1D for ADD. “Tremendous advantage”

• f being strongly unified.

5M + 3S for DBL. “Perhaps (?) ✿ ✿ ✿ the most efficient duplication formulas which do not depend on the coefficients of an elliptic curve.” 2001 Lia 13M + 2 4M + 3S 2007 Bernstein–Lange: 3M + 4S 2008 Hisil–W 13M + 1 2M + 5S Also (❙ : ❈ ❉ ❩ ❙❈ ❉❩ 11M + 1 2M + 5S

Jacobi intersections 1986 Chudnovsky–Chudnovsky: (❙ : ❈ : ❉ : ❩) represent (❙❂❩❀ ❈❂❩❀ ❉❂❩) on s2 + ❝2 = 1, ❛s2 + ❞2 = 1. 14M + 2S + 1D for ADD. “Tremendous advantage”

• f being strongly unified.

5M + 3S for DBL. “Perhaps (?) ✿ ✿ ✿ the most efficient duplication formulas which do not depend on the coefficients of an elliptic curve.” 2001 Liardet–Smart: 13M + 2S + 1D fo 4M + 3S for DBL. 2007 Bernstein–Lange: 3M + 4S for DBL. 2008 Hisil–Wong–Ca 13M + 1S + 2D fo 2M + 5S + 1D for Also (❙ : ❈ : ❉ : ❩ ❙❈ ❉❩ 11M + 1S + 2D fo 2M + 5S + 1D for

Jacobi intersections 1986 Chudnovsky–Chudnovsky: (❙ : ❈ : ❉ : ❩) represent (❙❂❩❀ ❈❂❩❀ ❉❂❩) on s2 + ❝2 = 1, ❛s2 + ❞2 = 1. 14M + 2S + 1D for ADD. “Tremendous advantage”

• f being strongly unified.

5M + 3S for DBL. “Perhaps (?) ✿ ✿ ✿ the most efficient duplication formulas which do not depend on the coefficients of an elliptic curve.” 2001 Liardet–Smart: 13M + 2S + 1D for ADD. 4M + 3S for DBL. 2007 Bernstein–Lange: 3M + 4S for DBL. 2008 Hisil–Wong–Carter–Dawson: 13M + 1S + 2D for ADD. 2M + 5S + 1D for DBL. Also (❙ : ❈ : ❉ : ❩ : ❙❈ : ❉❩ 11M + 1S + 2D for ADD. 2M + 5S + 1D for DBL.

Jacobi intersections 1986 Chudnovsky–Chudnovsky: (❙ : ❈ : ❉ : ❩) represent (❙❂❩❀ ❈❂❩❀ ❉❂❩) on s2 + ❝2 = 1, ❛s2 + ❞2 = 1. 14M + 2S + 1D for ADD. “Tremendous advantage”

• f being strongly unified.

5M + 3S for DBL. “Perhaps (?) ✿ ✿ ✿ the most efficient duplication formulas which do not depend on the coefficients of an elliptic curve.” 2001 Liardet–Smart: 13M + 2S + 1D for ADD. 4M + 3S for DBL. 2007 Bernstein–Lange: 3M + 4S for DBL. 2008 Hisil–Wong–Carter–Dawson: 13M + 1S + 2D for ADD. 2M + 5S + 1D for DBL. Also (❙ : ❈ : ❉ : ❩ : ❙❈ : ❉❩): 11M + 1S + 2D for ADD. 2M + 5S + 1D for DBL.

intersections Chudnovsky–Chudnovsky: ❙ ❈ : ❉ : ❩) represent ❙❂❩❀ ❈❂❩❀ ❉❂❩) on s ❝ = 1, ❛s2 + ❞2 = 1. 2S + 1D for ADD. remendous advantage” eing strongly unified. 3S for DBL. erhaps (?) ✿ ✿ ✿ the most efficient duplication formulas do not depend on the efficients of an elliptic curve.” 2001 Liardet–Smart: 13M + 2S + 1D for ADD. 4M + 3S for DBL. 2007 Bernstein–Lange: 3M + 4S for DBL. 2008 Hisil–Wong–Carter–Dawson: 13M + 1S + 2D for ADD. 2M + 5S + 1D for DBL. Also (❙ : ❈ : ❉ : ❩ : ❙❈ : ❉❩): 11M + 1S + 2D for ADD. 2M + 5S + 1D for DBL. Jacobi qua (❳:❨ :❩) ❳❂❩❀ ❨❂❩

• n ②2 = ①

❛① 1986 Chudnovsky–Chudnovsky: 3M + 6S Slow ADD. 2002 Billet–Jo New choic 10M + 3 strongly 2007 Bernstein–Lange: 1M + 9S

intersections Chudnovsky–Chudnovsky: ❙ ❈ ❉ ❩ represent ❙❂❩❀ ❈❂❩❀ ❉❂❩) on s ❝ ❛s + ❞2 = 1. for ADD. advantage” unified. DBL. ✿ ✿ ✿ the most duplication formulas depend on the elliptic curve.” 2001 Liardet–Smart: 13M + 2S + 1D for ADD. 4M + 3S for DBL. 2007 Bernstein–Lange: 3M + 4S for DBL. 2008 Hisil–Wong–Carter–Dawson: 13M + 1S + 2D for ADD. 2M + 5S + 1D for DBL. Also (❙ : ❈ : ❉ : ❩ : ❙❈ : ❉❩): 11M + 1S + 2D for ADD. 2M + 5S + 1D for DBL. Jacobi quartics (❳:❨ :❩) represent ❳❂❩❀ ❨❂❩

• n ②2 = ①4 + 2❛①2

1986 Chudnovsky–Chudnovsky: 3M + 6S + 2D for Slow ADD. 2002 Billet–Joye: New choice of neutral 10M + 3S + 1D fo strongly unified. 2007 Bernstein–Lange: 1M + 9S + 1D for

Chudnovsky–Chudnovsky: ❙ ❈ ❉ ❩ ❙❂❩❀ ❈❂❩❀ ❉❂❩ s ❝ ❛s ❞ 1. ✿ ✿ ✿ rmulas the curve.” 2001 Liardet–Smart: 13M + 2S + 1D for ADD. 4M + 3S for DBL. 2007 Bernstein–Lange: 3M + 4S for DBL. 2008 Hisil–Wong–Carter–Dawson: 13M + 1S + 2D for ADD. 2M + 5S + 1D for DBL. Also (❙ : ❈ : ❉ : ❩ : ❙❈ : ❉❩): 11M + 1S + 2D for ADD. 2M + 5S + 1D for DBL. Jacobi quartics (❳:❨ :❩) represent (❳❂❩❀ ❨❂❩

• n ②2 = ①4 + 2❛①2 + 1.

1986 Chudnovsky–Chudnovsky: 3M + 6S + 2D for DBL. Slow ADD. 2002 Billet–Joye: New choice of neutral element. 10M + 3S + 1D for ADD, strongly unified. 2007 Bernstein–Lange: 1M + 9S + 1D for DBL.

2001 Liardet–Smart: 13M + 2S + 1D for ADD. 4M + 3S for DBL. 2007 Bernstein–Lange: 3M + 4S for DBL. 2008 Hisil–Wong–Carter–Dawson: 13M + 1S + 2D for ADD. 2M + 5S + 1D for DBL. Also (❙ : ❈ : ❉ : ❩ : ❙❈ : ❉❩): 11M + 1S + 2D for ADD. 2M + 5S + 1D for DBL. Jacobi quartics (❳:❨ :❩) represent (❳❂❩❀ ❨❂❩2)

• n ②2 = ①4 + 2❛①2 + 1.

1986 Chudnovsky–Chudnovsky: 3M + 6S + 2D for DBL. Slow ADD. 2002 Billet–Joye: New choice of neutral element. 10M + 3S + 1D for ADD, strongly unified. 2007 Bernstein–Lange: 1M + 9S + 1D for DBL.

Liardet–Smart: 2S + 1D for ADD. 3S for DBL. Bernstein–Lange: 4S for DBL. Hisil–Wong–Carter–Dawson: 1S + 2D for ADD. 5S + 1D for DBL. ❙ : ❈ : ❉ : ❩ : ❙❈ : ❉❩): 1S + 2D for ADD. 5S + 1D for DBL. Jacobi quartics (❳:❨ :❩) represent (❳❂❩❀ ❨❂❩2)

• n ②2 = ①4 + 2❛①2 + 1.

1986 Chudnovsky–Chudnovsky: 3M + 6S + 2D for DBL. Slow ADD. 2002 Billet–Joye: New choice of neutral element. 10M + 3S + 1D for ADD, strongly unified. 2007 Bernstein–Lange: 1M + 9S + 1D for DBL. 2007 Hisil–Ca 2M + 6S 2007 Feng–W 2M + 6S 1M + 7S

• n curves

❛ ❝ More speedups: 2007 Hisil–Ca 2008 Hisil–W use (❳ : ❨ ❩ ❳ ❩

• r (❳ : ❨

❩ ❳ ❩ ❳❩ Can combine Competitive

art: for ADD. DBL. Bernstein–Lange: DBL.

• ng–Carter–Dawson:

for ADD. for DBL. ❙ ❈ ❉ : ❩ : ❙❈ : ❉❩): for ADD. for DBL. Jacobi quartics (❳:❨ :❩) represent (❳❂❩❀ ❨❂❩2)

• n ②2 = ①4 + 2❛①2 + 1.

1986 Chudnovsky–Chudnovsky: 3M + 6S + 2D for DBL. Slow ADD. 2002 Billet–Joye: New choice of neutral element. 10M + 3S + 1D for ADD, strongly unified. 2007 Bernstein–Lange: 1M + 9S + 1D for DBL. 2007 Hisil–Carter–Da 2M + 6S + 2D for 2007 Feng–Wu: 2M + 6S + 1D for 1M + 7S + 3D for

• n curves chosen with ❛

❝ More speedups: 2007 2007 Hisil–Carter–Da 2008 Hisil–Wong–Ca use (❳ : ❨ : ❩ : ❳ ❩

• r (❳ : ❨ : ❩ : ❳2

❩ ❳❩ Can combine with Competitive with Edw

rter–Dawson: ❙ ❈ ❉ ❩ ❙❈ ❉❩): Jacobi quartics (❳:❨ :❩) represent (❳❂❩❀ ❨❂❩2)

• n ②2 = ①4 + 2❛①2 + 1.

1986 Chudnovsky–Chudnovsky: 3M + 6S + 2D for DBL. Slow ADD. 2002 Billet–Joye: New choice of neutral element. 10M + 3S + 1D for ADD, strongly unified. 2007 Bernstein–Lange: 1M + 9S + 1D for DBL. 2007 Hisil–Carter–Dawson: 2M + 6S + 2D for DBL. 2007 Feng–Wu: 2M + 6S + 1D for DBL. 1M + 7S + 3D for DBL

• n curves chosen with ❛2+❝

More speedups: 2007 Duquesne, 2007 Hisil–Carter–Dawson, 2008 Hisil–Wong–Carter–Dawson: use (❳ : ❨ : ❩ : ❳2 : ❩2)

• r (❳ : ❨ : ❩ : ❳2 : ❩2 : 2❳❩

Can combine with Feng–Wu. Competitive with Edwards!

Jacobi quartics (❳:❨ :❩) represent (❳❂❩❀ ❨❂❩2)

• n ②2 = ①4 + 2❛①2 + 1.

1986 Chudnovsky–Chudnovsky: 3M + 6S + 2D for DBL. Slow ADD. 2002 Billet–Joye: New choice of neutral element. 10M + 3S + 1D for ADD, strongly unified. 2007 Bernstein–Lange: 1M + 9S + 1D for DBL. 2007 Hisil–Carter–Dawson: 2M + 6S + 2D for DBL. 2007 Feng–Wu: 2M + 6S + 1D for DBL. 1M + 7S + 3D for DBL

• n curves chosen with ❛2+❝2 = 1.

More speedups: 2007 Duquesne, 2007 Hisil–Carter–Dawson, 2008 Hisil–Wong–Carter–Dawson: use (❳ : ❨ : ❩ : ❳2 : ❩2)

• r (❳ : ❨ : ❩ : ❳2 : ❩2 : 2❳❩).

Can combine with Feng–Wu. Competitive with Edwards!

quartics ❳ ❨ ❩) represent (❳❂❩❀ ❨❂❩2) ② = ①4 + 2❛①2 + 1. Chudnovsky–Chudnovsky: 6S + 2D for DBL. ADD. Billet–Joye: choice of neutral element. 3S + 1D for ADD, strongly unified. Bernstein–Lange: 9S + 1D for DBL. 2007 Hisil–Carter–Dawson: 2M + 6S + 2D for DBL. 2007 Feng–Wu: 2M + 6S + 1D for DBL. 1M + 7S + 3D for DBL

• n curves chosen with ❛2+❝2 = 1.

More speedups: 2007 Duquesne, 2007 Hisil–Carter–Dawson, 2008 Hisil–Wong–Carter–Dawson: use (❳ : ❨ : ❩ : ❳2 : ❩2)

• r (❳ : ❨ : ❩ : ❳2 : ❩2 : 2❳❩).

Can combine with Feng–Wu. Competitive with Edwards! ①2 = ②4 ✿ ②

❳ ❨ ❩ resent (❳❂❩❀ ❨❂❩2) ② ① ❛①2 + 1. Chudnovsky–Chudnovsky: for DBL. e: neutral element. for ADD, Bernstein–Lange: for DBL. 2007 Hisil–Carter–Dawson: 2M + 6S + 2D for DBL. 2007 Feng–Wu: 2M + 6S + 1D for DBL. 1M + 7S + 3D for DBL

• n curves chosen with ❛2+❝2 = 1.

More speedups: 2007 Duquesne, 2007 Hisil–Carter–Dawson, 2008 Hisil–Wong–Carter–Dawson: use (❳ : ❨ : ❩ : ❳2 : ❩2)

• r (❳ : ❨ : ❩ : ❳2 : ❩2 : 2❳❩).

Can combine with Feng–Wu. Competitive with Edwards! ①2 = ②4 1✿9②2 +

❳ ❨ ❩ ❳❂❩❀ ❨❂❩2) ② ① ❛① Chudnovsky–Chudnovsky: element. 2007 Hisil–Carter–Dawson: 2M + 6S + 2D for DBL. 2007 Feng–Wu: 2M + 6S + 1D for DBL. 1M + 7S + 3D for DBL

• n curves chosen with ❛2+❝2 = 1.

More speedups: 2007 Duquesne, 2007 Hisil–Carter–Dawson, 2008 Hisil–Wong–Carter–Dawson: use (❳ : ❨ : ❩ : ❳2 : ❩2)

• r (❳ : ❨ : ❩ : ❳2 : ❩2 : 2❳❩).

Can combine with Feng–Wu. Competitive with Edwards! ①2 = ②4 1✿9②2 + 1

2007 Hisil–Carter–Dawson: 2M + 6S + 2D for DBL. 2007 Feng–Wu: 2M + 6S + 1D for DBL. 1M + 7S + 3D for DBL

• n curves chosen with ❛2+❝2 = 1.

More speedups: 2007 Duquesne, 2007 Hisil–Carter–Dawson, 2008 Hisil–Wong–Carter–Dawson: use (❳ : ❨ : ❩ : ❳2 : ❩2)

• r (❳ : ❨ : ❩ : ❳2 : ❩2 : 2❳❩).

Can combine with Feng–Wu. Competitive with Edwards! ①2 = ②4 1✿9②2 + 1

Hisil–Carter–Dawson: 6S + 2D for DBL. eng–Wu: 6S + 1D for DBL. 7S + 3D for DBL curves chosen with ❛2+❝2 = 1. speedups: 2007 Duquesne, Hisil–Carter–Dawson, Hisil–Wong–Carter–Dawson: ❳ : ❨ : ❩ : ❳2 : ❩2) ❳ : ❨ : ❩ : ❳2 : ❩2 : 2❳❩). combine with Feng–Wu. etitive with Edwards! ①2 = ②4 1✿9②2 + 1

rter–Dawson: for DBL. for DBL. for DBL with ❛2+❝2 = 1. 2007 Duquesne, rter–Dawson,

• ng–Carter–Dawson:

❳ ❨ ❩ ❳2 : ❩2) ❳ ❨ ❩ ❳2 : ❩2 : 2❳❩). with Feng–Wu. with Edwards! ①2 = ②4 1✿9②2 + 1

wson: ❛ ❝2 = 1. Duquesne, wson, rter–Dawson: ❳ ❨ ❩ ❳ ❩ ❳ ❨ ❩ ❳ ❩ ❳❩). u. rds! ①2 = ②4 1✿9②2 + 1

①2 = ②4 1✿9②2 + 1

① ②4 1✿9②2 + 1

① ② ✿ ② + 1

① ② ✿ ②

More add Explicit-F hyperelliptic.org/EFD EFD has formulas for ADD in 51 rep

• n 13 shap

Not yet handled generalit (e.g., Hessian ✷ complete (e.g., checking ✶

More addition formulas Explicit-Formulas Database: hyperelliptic.org/EFD EFD has 583 computer-verified formulas and operation for ADD, DBL, etc. in 51 representations

• n 13 shapes of elliptic

Not yet handled by generality of curve (e.g., Hessian order ✷ complete addition (e.g., checking for ✶

More addition formulas Explicit-Formulas Database: hyperelliptic.org/EFD EFD has 583 computer-verified formulas and operation counts for ADD, DBL, etc. in 51 representations

• n 13 shapes of elliptic curves.

Not yet handled by computer: generality of curve shapes (e.g., Hessian order ✷ 3Z); complete addition algorithms (e.g., checking for ✶).

More addition formulas Explicit-Formulas Database: hyperelliptic.org/EFD EFD has 583 computer-verified formulas and operation counts for ADD, DBL, etc. in 51 representations

• n 13 shapes of elliptic curves.

Not yet handled by computer: generality of curve shapes (e.g., Hessian order ✷ 3Z); complete addition algorithms (e.g., checking for ✶).

More addition formulas Explicit-Formulas Database: hyperelliptic.org/EFD EFD has 583 computer-verified formulas and operation counts for ADD, DBL, etc. in 51 representations

• n 13 shapes of elliptic curves.

Not yet handled by computer: generality of curve shapes (e.g., Hessian order ✷ 3Z); complete addition algorithms (e.g., checking for ✶). How to multiply Standard with coefficients ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ to represent Example 839 = 8 ✁ ✁ ✁ value (at t 8t2 + 3t1 t Convenient inside computer ❀ ❀ (or 9❀ 3❀ 8❀ ❀ ❀ ❀ ❀ ✿ ✿ ✿ “p[0] =

More addition formulas Explicit-Formulas Database: hyperelliptic.org/EFD EFD has 583 computer-verified formulas and operation counts for ADD, DBL, etc. in 51 representations

• n 13 shapes of elliptic curves.

Not yet handled by computer: generality of curve shapes (e.g., Hessian order ✷ 3Z); complete addition algorithms (e.g., checking for ✶). How to multiply big Standard idea: Use with coefficients in ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ to represent integer Example of representation: 839 = 8 ✁ 102 + 3 ✁ ✁ value (at t = 10) of 8t2 + 3t1 + 9t0. Convenient to express inside computer as ❀ ❀ (or 9❀ 3❀ 8❀ 0 or 9❀ 3❀ ❀ ❀ ✿ ✿ ✿ “p[0] = 9; p[1]

More addition formulas Explicit-Formulas Database: hyperelliptic.org/EFD EFD has 583 computer-verified formulas and operation counts for ADD, DBL, etc. in 51 representations

• n 13 shapes of elliptic curves.

Not yet handled by computer: generality of curve shapes (e.g., Hessian order ✷ 3Z); complete addition algorithms (e.g., checking for ✶). How to multiply big integers Standard idea: Use polynomial with coefficients in ❢0❀ 1❀ ✿ ✿ ✿ ❀ ❣ to represent integer in radix Example of representation: 839 = 8 ✁ 102 + 3 ✁ 101 + 9 ✁ 10 value (at t = 10) of polynomial 8t2 + 3t1 + 9t0. Convenient to express polynomial inside computer as array 9❀ 3❀ (or 9❀ 3❀ 8❀ 0 or 9❀ 3❀ 8❀ 0❀ 0 or ✿ ✿ ✿ “p[0] = 9; p[1] = 3; p[2]

More addition formulas Explicit-Formulas Database: hyperelliptic.org/EFD EFD has 583 computer-verified formulas and operation counts for ADD, DBL, etc. in 51 representations

• n 13 shapes of elliptic curves.

Not yet handled by computer: generality of curve shapes (e.g., Hessian order ✷ 3Z); complete addition algorithms (e.g., checking for ✶). How to multiply big integers Standard idea: Use polynomial with coefficients in ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣ to represent integer in radix 10. Example of representation: 839 = 8 ✁ 102 + 3 ✁ 101 + 9 ✁ 100 = value (at t = 10) of polynomial 8t2 + 3t1 + 9t0. Convenient to express polynomial inside computer as array 9❀ 3❀ 8 (or 9❀ 3❀ 8❀ 0 or 9❀ 3❀ 8❀ 0❀ 0 or ✿ ✿ ✿ ): “p[0] = 9; p[1] = 3; p[2] = 8”

addition formulas Explicit-Formulas Database: hyperelliptic.org/EFD has 583 computer-verified rmulas and operation counts ADD, DBL, etc. representations shapes of elliptic curves. et handled by computer: generality of curve shapes Hessian order ✷ 3Z); complete addition algorithms checking for ✶). How to multiply big integers Standard idea: Use polynomial with coefficients in ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣ to represent integer in radix 10. Example of representation: 839 = 8 ✁ 102 + 3 ✁ 101 + 9 ✁ 100 = value (at t = 10) of polynomial 8t2 + 3t1 + 9t0. Convenient to express polynomial inside computer as array 9❀ 3❀ 8 (or 9❀ 3❀ 8❀ 0 or 9❀ 3❀ 8❀ 0❀ 0 or ✿ ✿ ✿ ): “p[0] = 9; p[1] = 3; p[2] = 8” Multiply by multiplyin that repre Polynomial involves Have split into many Example, (8t2 + 3t t 64t4 + 48t t t t

rmulas rmulas Database: hyperelliptic.org/EFD computer-verified eration counts etc. resentations elliptic curves. by computer: curve shapes rder ✷ 3Z); addition algorithms for ✶). How to multiply big integers Standard idea: Use polynomial with coefficients in ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣ to represent integer in radix 10. Example of representation: 839 = 8 ✁ 102 + 3 ✁ 101 + 9 ✁ 100 = value (at t = 10) of polynomial 8t2 + 3t1 + 9t0. Convenient to express polynomial inside computer as array 9❀ 3❀ 8 (or 9❀ 3❀ 8❀ 0 or 9❀ 3❀ 8❀ 0❀ 0 or ✿ ✿ ✿ ): “p[0] = 9; p[1] = 3; p[2] = 8” Multiply two integers by multiplying polynomial that represent the Polynomial multiplic involves small integer Have split one big into many small op Example, squaring (8t2 + 3t1 + 9t0)2 64t4 + 48t3 + 153t t t

Database: computer-verified counts curves. computer: ✷ ); rithms ✶ How to multiply big integers Standard idea: Use polynomial with coefficients in ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣ to represent integer in radix 10. Example of representation: 839 = 8 ✁ 102 + 3 ✁ 101 + 9 ✁ 100 = value (at t = 10) of polynomial 8t2 + 3t1 + 9t0. Convenient to express polynomial inside computer as array 9❀ 3❀ 8 (or 9❀ 3❀ 8❀ 0 or 9❀ 3❀ 8❀ 0❀ 0 or ✿ ✿ ✿ ): “p[0] = 9; p[1] = 3; p[2] = 8” Multiply two integers by multiplying polynomials that represent the integers. Polynomial multiplication involves small integer coefficients. Have split one big multiplication into many small operations. Example, squaring 839: (8t2 + 3t1 + 9t0)2 = 64t4 + 48t3 + 153t2 + 54t1 + t

How to multiply big integers Standard idea: Use polynomial with coefficients in ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣ to represent integer in radix 10. Example of representation: 839 = 8 ✁ 102 + 3 ✁ 101 + 9 ✁ 100 = value (at t = 10) of polynomial 8t2 + 3t1 + 9t0. Convenient to express polynomial inside computer as array 9❀ 3❀ 8 (or 9❀ 3❀ 8❀ 0 or 9❀ 3❀ 8❀ 0❀ 0 or ✿ ✿ ✿ ): “p[0] = 9; p[1] = 3; p[2] = 8” Multiply two integers by multiplying polynomials that represent the integers. Polynomial multiplication involves small integer coefficients. Have split one big multiplication into many small operations. Example, squaring 839: (8t2 + 3t1 + 9t0)2 = 64t4 + 48t3 + 153t2 + 54t1 + 81t0.

to multiply big integers Standard idea: Use polynomial coefficients in ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣ resent integer in radix 10. Example of representation: 8 ✁ 102 + 3 ✁ 101 + 9 ✁ 100 = (at t = 10) of polynomial t 3t1 + 9t0. Convenient to express polynomial computer as array 9❀ 3❀ 8 ❀ 3❀ 8❀ 0 or 9❀ 3❀ 8❀ 0❀ 0 or ✿ ✿ ✿ ): = 9; p[1] = 3; p[2] = 8” Multiply two integers by multiplying polynomials that represent the integers. Polynomial multiplication involves small integer coefficients. Have split one big multiplication into many small operations. Example, squaring 839: (8t2 + 3t1 + 9t0)2 = 64t4 + 48t3 + 153t2 + 54t1 + 81t0. Oops, pro usually has ❃ So “carry” ❝t❥ ✦ ❜❝❂ ❝ t❥ ❝ t❥ Example, 64t4 + 48t t t t 64t4 + 48t t t t 64t4 + 48t t t t 64t4 + 63t t t t 70t4 + 3t t t t 7t5 + 0t4 t t t t In other

big integers Use polynomial in ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣ integer in radix 10. resentation: ✁ 3 ✁ 101 + 9 ✁ 100 = t 10) of polynomial t t t express polynomial as array 9❀ 3❀ 8 ❀ ❀ ❀ ❀ 3❀ 8❀ 0❀ 0 or ✿ ✿ ✿ ): = 3; p[2] = 8” Multiply two integers by multiplying polynomials that represent the integers. Polynomial multiplication involves small integer coefficients. Have split one big multiplication into many small operations. Example, squaring 839: (8t2 + 3t1 + 9t0)2 = 64t4 + 48t3 + 153t2 + 54t1 + 81t0. Oops, product polynomial usually has coefficients ❃ So “carry” extra digits: ❝t❥ ✦ ❜❝❂10❝ t❥+1 ❝ t❥ Example, squaring 64t4 + 48t3 + 153t t t 64t4 + 48t3 + 153t t t 64t4 + 48t3 + 159t t t 64t4 + 63t3 + 9t2 + t t 70t4 + 3t3 + 9t2 + t t 7t5 + 0t4 + 3t3 + 9t t t In other words, 839

gers

• lynomial

❢ ❀ ❀ ✿ ✿ ✿ ❀ 9❣ adix 10. resentation: ✁ ✁ ✁ 100 = t

• lynomial

t t t

• lynomial

❀ 3❀ 8 ❀ ❀ ❀ ❀ ❀ ❀ ❀

• r ✿ ✿ ✿ ):

p[2] = 8” Multiply two integers by multiplying polynomials that represent the integers. Polynomial multiplication involves small integer coefficients. Have split one big multiplication into many small operations. Example, squaring 839: (8t2 + 3t1 + 9t0)2 = 64t4 + 48t3 + 153t2 + 54t1 + 81t0. Oops, product polynomial usually has coefficients ❃ 9. So “carry” extra digits: ❝t❥ ✦ ❜❝❂10❝ t❥+1 + (❝ mod t❥ Example, squaring 839: 64t4 + 48t3 + 153t2 + 54t1 + t 64t4 + 48t3 + 153t2 + 62t1 + t 64t4 + 48t3 + 159t2 + 2t1 + t 64t4 + 63t3 + 9t2 + 2t1 + 1t 70t4 + 3t3 + 9t2 + 2t1 + 1t0 7t5 + 0t4 + 3t3 + 9t2 + 2t1 + t In other words, 8392 = 703921

Multiply two integers by multiplying polynomials that represent the integers. Polynomial multiplication involves small integer coefficients. Have split one big multiplication into many small operations. Example, squaring 839: (8t2 + 3t1 + 9t0)2 = 64t4 + 48t3 + 153t2 + 54t1 + 81t0. Oops, product polynomial usually has coefficients ❃ 9. So “carry” extra digits: ❝t❥ ✦ ❜❝❂10❝ t❥+1 + (❝ mod 10)t❥. Example, squaring 839: 64t4 + 48t3 + 153t2 + 54t1 + 81t0; 64t4 + 48t3 + 153t2 + 62t1 + 1t0; 64t4 + 48t3 + 159t2 + 2t1 + 1t0; 64t4 + 63t3 + 9t2 + 2t1 + 1t0; 70t4 + 3t3 + 9t2 + 2t1 + 1t0; 7t5 + 0t4 + 3t3 + 9t2 + 2t1 + 1t0. In other words, 8392 = 703921.

Multiply two integers multiplying polynomials represent the integers.

• lynomial multiplication

involves small integer coefficients. split one big multiplication many small operations. Example, squaring 839: t 3t1 + 9t0)2 = t 48t3 + 153t2 + 54t1 + 81t0. Oops, product polynomial usually has coefficients ❃ 9. So “carry” extra digits: ❝t❥ ✦ ❜❝❂10❝ t❥+1 + (❝ mod 10)t❥. Example, squaring 839: 64t4 + 48t3 + 153t2 + 54t1 + 81t0; 64t4 + 48t3 + 153t2 + 62t1 + 1t0; 64t4 + 48t3 + 159t2 + 2t1 + 1t0; 64t4 + 63t3 + 9t2 + 2t1 + 1t0; 70t4 + 3t3 + 9t2 + 2t1 + 1t0; 7t5 + 0t4 + 3t3 + 9t2 + 2t1 + 1t0. In other words, 8392 = 703921. What op

• 72

divide b 15

integers

• lynomials

the integers. multiplication integer coefficients. big multiplication

• perations.

ing 839: t t t )2 = t t 153t2 + 54t1 + 81t0. Oops, product polynomial usually has coefficients ❃ 9. So “carry” extra digits: ❝t❥ ✦ ❜❝❂10❝ t❥+1 + (❝ mod 10)t❥. Example, squaring 839: 64t4 + 48t3 + 153t2 + 54t1 + 81t0; 64t4 + 48t3 + 153t2 + 62t1 + 1t0; 64t4 + 48t3 + 159t2 + 2t1 + 1t0; 64t4 + 63t3 + 9t2 + 2t1 + 1t0; 70t4 + 3t3 + 9t2 + 2t1 + 1t0; 7t5 + 0t4 + 3t3 + 9t2 + 2t1 + 1t0. In other words, 8392 = 703921. What operations w 8

• P

P P P P P P P 3

• ♥♥♥♥♥♥♥

72

• ❅

❅ ❅ ❅ ❅ ❅ 9 153 159 divide by 10 ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ mo

• 15

9

s integers. efficients. multiplication erations. t t t t t t t + 81t0. Oops, product polynomial usually has coefficients ❃ 9. So “carry” extra digits: ❝t❥ ✦ ❜❝❂10❝ t❥+1 + (❝ mod 10)t❥. Example, squaring 839: 64t4 + 48t3 + 153t2 + 54t1 + 81t0; 64t4 + 48t3 + 153t2 + 62t1 + 1t0; 64t4 + 48t3 + 159t2 + 2t1 + 1t0; 64t4 + 63t3 + 9t2 + 2t1 + 1t0; 70t4 + 3t3 + 9t2 + 2t1 + 1t0; 7t5 + 0t4 + 3t3 + 9t2 + 2t1 + 1t0. In other words, 8392 = 703921. What operations were used here? 8

• P

P P P P P P P P P P P 3

• 9

♥♥♥♥♥♥♥♥♥♥♥♥ multiply

• 72
• ❅

❅ ❅ ❅ ❅ ❅ 9

• 72

add ⑦ ⑦ ⑦ ⑦ ⑦ ⑦ 153

• ⑧

⑧ ⑧ 6 add ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ 159 divide by 10 ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ mod 10

• 15

9

Oops, product polynomial usually has coefficients ❃ 9. So “carry” extra digits: ❝t❥ ✦ ❜❝❂10❝ t❥+1 + (❝ mod 10)t❥. Example, squaring 839: 64t4 + 48t3 + 153t2 + 54t1 + 81t0; 64t4 + 48t3 + 153t2 + 62t1 + 1t0; 64t4 + 48t3 + 159t2 + 2t1 + 1t0; 64t4 + 63t3 + 9t2 + 2t1 + 1t0; 70t4 + 3t3 + 9t2 + 2t1 + 1t0; 7t5 + 0t4 + 3t3 + 9t2 + 2t1 + 1t0. In other words, 8392 = 703921. What operations were used here? 8

• P

P P P P P P P P P P P 3

• 9

♥♥♥♥♥♥♥♥♥♥♥♥ multiply

• 72
• ❅

❅ ❅ ❅ ❅ ❅ 9

• 72

add ⑦ ⑦ ⑦ ⑦ ⑦ ⑦ 153

• ...

⑧ ⑧ ⑧ ⑧ ⑧ ⑧ 6 add ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ 159 divide by 10 ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ mod 10

• 15

9

product polynomial has coefficients ❃ 9. rry” extra digits: ❝t❥ ✦ ❜❝❂10❝ t❥+1 + (❝ mod 10)t❥. Example, squaring 839: t 48t3 + 153t2 + 54t1 + 81t0; t 48t3 + 153t2 + 62t1 + 1t0; t 48t3 + 159t2 + 2t1 + 1t0; t 63t3 + 9t2 + 2t1 + 1t0; t 3t3 + 9t2 + 2t1 + 1t0; t 0t4 + 3t3 + 9t2 + 2t1 + 1t0.

• ther words, 8392 = 703921.

What operations were used here? 8

• P

P P P P P P P P P P P 3

• 9

♥♥♥♥♥♥♥♥♥♥♥♥ multiply

• 72
• ❅

❅ ❅ ❅ ❅ ❅ 9

• 72

add ⑦ ⑦ ⑦ ⑦ ⑦ ⑦ 153

• ...

⑧ ⑧ ⑧ ⑧ ⑧ ⑧ 6 add ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ 159 divide by 10 ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ mod 10

• 15

9

8

• 64

✮

✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮

24

✹ ✹ ✹ ✹ ✹ 72

64

• 70
• ⑤

⑤

7

⑤

⑤

7

• 7

• lynomial

efficients ❃ 9. digits: ❝t❥ ✦ ❜❝❂ ❝ t❥+1 + (❝ mod 10)t❥. ing 839: t t 153t2 + 54t1 + 81t0; t t 153t2 + 62t1 + 1t0; t t 159t2 + 2t1 + 1t0; t t t2 + 2t1 + 1t0; t t t + 2t1 + 1t0; t t t + 9t2 + 2t1 + 1t0. 8392 = 703921. What operations were used here? 8

• P

P P P P P P P P P P P 3

• 9

♥♥♥♥♥♥♥♥♥♥♥♥ multiply

• 72
• ❅

❅ ❅ ❅ ❅ ❅ 9

• 72

add ⑦ ⑦ ⑦ ⑦ ⑦ ⑦ 153

• ...

⑧ ⑧ ⑧ ⑧ ⑧ ⑧ 6 add ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ 159 divide by 10 ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ mod 10

• 15

9

8

• 3
• ✶

✶ ✶ ✶

9

• 24

✪

✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪

9

✶ ✶ ✶ ✶ ✶

27 64

✮

✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮

24

• ✹

✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ 72 ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

48

• 15

⑤

⑤

64

• 63
• ⑤

⑤

6

⑤

⑤

3 70

• ⑤

⑤

7

⑤

⑤

7

• 7

❃ 9. ❝t❥ ✦ ❜❝❂ ❝ t❥ ❝ d 10)t❥. t t t t + 81t0; t t t t1 + 1t0; t t t t + 1t0; t t t t 1t0; t t t t t0; t t t t t1 + 1t0. 703921. What operations were used here? 8

• P

P P P P P P P P P P P 3

• 9

♥♥♥♥♥♥♥♥♥♥♥♥ multiply

• 72
• ❅

❅ ❅ ❅ ❅ ❅ 9

• 72

add ⑦ ⑦ ⑦ ⑦ ⑦ ⑦ 153

• ...

⑧ ⑧ ⑧ ⑧ ⑧ ⑧ 6 add ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ 159 divide by 10 ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ mod 10

• 15

9

8

• 3
• ✶

✶ ✶ ✶

9

• 72
• 27
• ✰

✰ ✰ ✰ ✰ ✰

81 24

✪

✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪

9

• ✶

✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶

27

• ▲

▲ ▲ ▲ ▲ ▲ ▲ ▲

64

✮

✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮

24

• ✹

✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ 72

• ■

■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

54 153

• 62

⑤

⑤

6

⑤

⑤

48

• 159
• ⑤

⑤

15

⑤

⑤

9 64

• 63
• ⑤

⑤

6

⑤

⑤

3 70

• ⑤

⑤

7

⑤

⑤

7

• 7

What operations were used here? 8

• P

P P P P P P P P P P P 3

• 9

♥♥♥♥♥♥♥♥♥♥♥♥ multiply

• 72
• ❅

❅ ❅ ❅ ❅ ❅ 9

• 72

add ⑦ ⑦ ⑦ ⑦ ⑦ ⑦ 153

• ...

⑧ ⑧ ⑧ ⑧ ⑧ ⑧ 6 add ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ 159 divide by 10 ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ mod 10

• 15

9

8

• 3
• ✶

✶ ✶ ✶

9

• 72
• 27
• ✰

✰ ✰ ✰ ✰ ✰ ✰

81

• ◗

◗ ◗ ◗

24

✪

✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪

9

• ✶

✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶

27

• ▲

▲ ▲ ▲ ▲ ▲ ▲ ▲

81

• 64

✮

✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮

24

• ✹

✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ 72

• ■

■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

54

• 81
• ⑤

⑤

8

⑤

⑤

1 153

• 62
• ⑤

⑤

6

⑤

⑤

2 48

• 159
• ⑤

⑤

15

⑤

⑤

9 64

• 63
• ⑤

⑤

6

⑤

⑤

3 70

• ⑤

⑤

7

⑤

⑤

7

• 7

• perations were used here?

8

• P

P P P P P P P P P P P 3

• 9

♥♥♥♥♥♥♥♥♥♥♥♥ multiply

• 72
• ❅

❅ ❅ ❅ ❅ ❅ 9

• 72

add ⑦ ⑦ ⑦ ⑦ ⑦ ⑦ 153

• ...

⑧ ⑧ ⑧ ⑧ ⑧ ⑧ 6 add ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ 159 by 10 ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ mod 10

• 15

9

8

• 3
• ✶

✶ ✶ ✶

9

• 72
• 27
• ✰

✰ ✰ ✰ ✰ ✰ ✰

81

• ◗

◗ ◗ ◗

24

✪

✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪

9

• ✶

✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶

27

• ▲

▲ ▲ ▲ ▲ ▲ ▲ ▲

81

• 64

✮

✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮

24

• ✹

✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ 72

• ■

■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

54

• 81
• ⑤

⑤

8

⑤

⑤

1 153

• 62
• ⑤

⑤

6

⑤

⑤

2 48

• 159
• ⑤

⑤

15

⑤

⑤

9 64

• 63
• ⑤

⑤

6

⑤

⑤

3 70

• ⑤

⑤

7

⑤

⑤

7

• 7

The scaled 839 = 800 value (at t 800t2 + t t Squaring: t t t 640000t4 t t 540t1 + t Carrying: 640000t4 t t 540t1 + t 640000t4 t t 620t1 + t ✿ ✿ ✿ 700000t5 t t t 20t1 + 1t

were used here?

• P

P P P P 3

• 9

♥♥♥♥♥♥ multiply

• 9
• 72

add ⑦ ⑦ ⑦ ⑦ ⑦ ⑦ 153

• ...

⑧ ⑧ ⑧ ⑧ ⑧ ⑧ 6 add ⑥ ⑥ ⑥ ⑥ ⑥ ⑥ 159 mod 10

• 9

8

• 3
• ✶

✶ ✶ ✶

9

• 72
• 27
• ✰

✰ ✰ ✰ ✰ ✰ ✰

81

• ◗

◗ ◗ ◗

24

✪

✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪

9

• ✶

✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶

27

• ▲

▲ ▲ ▲ ▲ ▲ ▲ ▲

81

• 64

✮

✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮

24

• ✹

✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ 72

• ■

■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

54

• 81
• ⑤

⑤

8

⑤

⑤

1 153

• 62
• ⑤

⑤

6

⑤

⑤

2 48

• 159
• ⑤

⑤

15

⑤

⑤

9 64

• 63
• ⑤

⑤

6

⑤

⑤

3 70

• ⑤

⑤

7

⑤

⑤

7

• 7

The scaled variation 839 = 800 + 30 + value (at t = 1) of 800t2 + 30t1 + 9t0 Squaring: (800t2 + t t 640000t4 + 48000t t 540t1 + 81t0. Carrying: 640000t4 + 48000t t 540t1 + 81t0; 640000t4 + 48000t t 620t1 + 1t0; ✿ ✿ ✿ 700000t5 + 0t4 + 3000t t 20t1 + 1t0.

used here? multiply ... ⑧ ⑧ ⑧ ⑧ ⑧

8

• 3
• ✶

✶ ✶ ✶

9

• 72
• 27
• ✰

✰ ✰ ✰ ✰ ✰ ✰

81

• ◗

◗ ◗ ◗

24

✪

✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪

9

• ✶

✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶

27

• ▲

▲ ▲ ▲ ▲ ▲ ▲ ▲

81

• 64

✮

✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮

24

• ✹

✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ 72

• ■

■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

54

• 81
• ⑤

⑤

8

⑤

⑤

1 153

• 62
• ⑤

⑤

6

⑤

⑤

2 48

• 159
• ⑤

⑤

15

⑤

⑤

9 64

• 63
• ⑤

⑤

6

⑤

⑤

3 70

• ⑤

⑤

7

⑤

⑤

7

• 7

The scaled variation 839 = 800 + 30 + 9 = value (at t = 1) of polynomial 800t2 + 30t1 + 9t0. Squaring: (800t2 +30t1 +9t 640000t4 + 48000t3 + 15300t 540t1 + 81t0. Carrying: 640000t4 + 48000t3 + 15300t 540t1 + 81t0; 640000t4 + 48000t3 + 15300t 620t1 + 1t0; ✿ ✿ ✿ 700000t5 + 0t4 + 3000t3 + 900t 20t1 + 1t0.

8

• 3
• ✶

✶ ✶ ✶

9

• 72
• 27
• ✰

✰ ✰ ✰ ✰ ✰ ✰

81

• ◗

◗ ◗ ◗

24

✪

✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪

9

• ✶

✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶

27

• ▲

▲ ▲ ▲ ▲ ▲ ▲ ▲

81

• 64

✮

✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮ ✮

24

• ✹

✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ 72

• ■

■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

54

• 81
• ⑤

⑤

8

⑤

⑤

1 153

• 62
• ⑤

⑤

6

⑤

⑤

2 48

• 159
• ⑤

⑤

15

⑤

⑤

9 64

• 63
• ⑤

⑤

6

⑤

⑤

3 70

• ⑤

⑤

7

⑤

⑤

7

• 7

The scaled variation 839 = 800 + 30 + 9 = value (at t = 1) of polynomial 800t2 + 30t1 + 9t0. Squaring: (800t2 +30t1 +9t0)2 = 640000t4 + 48000t3 + 15300t2 + 540t1 + 81t0. Carrying: 640000t4 + 48000t3 + 15300t2 + 540t1 + 81t0; 640000t4 + 48000t3 + 15300t2 + 620t1 + 1t0; ✿ ✿ ✿ 700000t5 + 0t4 + 3000t3 + 900t2 + 20t1 + 1t0.

• 3
• ✶

✶ ✶ ✶

9

• 72
• 27
• ✰

✰ ✰ ✰ ✰ ✰ ✰

81

• ◗

◗ ◗ ◗

24

✪

✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪ ✪

9

• ✶

✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶ ✶

27

• ▲

▲ ▲ ▲ ▲ ▲ ▲ ▲

81

• ✮

✮

• ✹

✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹ ✹

72

• ■

■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■

54

• 81
• ⑤

⑤

8

⑤

⑤

1 153

• 62
• ⑤

⑤

6

⑤

⑤

2 48

• 159
• ⑤

⑤

15

⑤

⑤

9 64

• 63
• ⑤

⑤

6

⑤

⑤

3 70

• The scaled variation

839 = 800 + 30 + 9 = value (at t = 1) of polynomial 800t2 + 30t1 + 9t0. Squaring: (800t2 +30t1 +9t0)2 = 640000t4 + 48000t3 + 15300t2 + 540t1 + 81t0. Carrying: 640000t4 + 48000t3 + 15300t2 + 540t1 + 81t0; 640000t4 + 48000t3 + 15300t2 + 620t1 + 1t0; ✿ ✿ ✿ 700000t5 + 0t4 + 3000t3 + 900t2 + 20t1 + 1t0. What op 800

• ❚

❚ ❥❥ 7200 ■ ■ ■ subtract ✉✉✉✉ 15000

• 9
• 72
• 27
• ✰

✰ ✰ ✰ ✰ ✰ ✰

81

• ◗

◗ ◗ ◗

• ✶

✶ ✶ ✶ ✶ ✶ ✶ ✶

27

• ▲

▲ ▲ ▲ ▲ ▲ ▲ ▲

81

• ■

■ ■

54

• 81
• ⑤

⑤

8

⑤

⑤

1 153

• 62
• ⑤

⑤

6

⑤

⑤

2 159

• ⑤

⑤

15 9

The scaled variation 839 = 800 + 30 + 9 = value (at t = 1) of polynomial 800t2 + 30t1 + 9t0. Squaring: (800t2 +30t1 +9t0)2 = 640000t4 + 48000t3 + 15300t2 + 540t1 + 81t0. Carrying: 640000t4 + 48000t3 + 15300t2 + 540t1 + 81t0; 640000t4 + 48000t3 + 15300t2 + 620t1 + 1t0; ✿ ✿ ✿ 700000t5 + 0t4 + 3000t3 + 900t2 + 20t1 + 1t0. What operations w 800

• ❚

❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ 30

• ❥❥❥❥❥❥❥❥❥❥❥

7200

• ■

■ ■ ■ ■ ■ ■ 900

• ✇✇

15300

• ✈✈

15900 subtract ✉✉✉✉✉✉✉✉ mo

• 15000

900

• ✰

✰ ✰ ✰

81

• ◗

◗ ◗ ◗

• 81
• 54
• 81
• ⑤

⑤

8

⑤

⑤

1 62

• ⑤

2

The scaled variation 839 = 800 + 30 + 9 = value (at t = 1) of polynomial 800t2 + 30t1 + 9t0. Squaring: (800t2 +30t1 +9t0)2 = 640000t4 + 48000t3 + 15300t2 + 540t1 + 81t0. Carrying: 640000t4 + 48000t3 + 15300t2 + 540t1 + 81t0; 640000t4 + 48000t3 + 15300t2 + 620t1 + 1t0; ✿ ✿ ✿ 700000t5 + 0t4 + 3000t3 + 900t2 + 20t1 + 1t0. What operations were used here? 800

• ❚

❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ 30

• 9

❥❥❥❥❥❥❥❥❥❥❥❥❥❥❥ multiply

• 7200
• ■

■ ■ ■ ■ ■ ■ 900

• 7200

add ✇✇✇✇✇✇✇ 15300

• ④④

600 add ✈✈✈✈✈✈✈ 15900 subtract ✉✉✉✉✉✉✉✉ mod 1000

• 15000

900

The scaled variation 839 = 800 + 30 + 9 = value (at t = 1) of polynomial 800t2 + 30t1 + 9t0. Squaring: (800t2 +30t1 +9t0)2 = 640000t4 + 48000t3 + 15300t2 + 540t1 + 81t0. Carrying: 640000t4 + 48000t3 + 15300t2 + 540t1 + 81t0; 640000t4 + 48000t3 + 15300t2 + 620t1 + 1t0; ✿ ✿ ✿ 700000t5 + 0t4 + 3000t3 + 900t2 + 20t1 + 1t0. What operations were used here? 800

• ❚

❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ 30

• 9

❥❥❥❥❥❥❥❥❥❥❥❥❥❥❥ multiply

• 7200
• ■

■ ■ ■ ■ ■ ■ 900

• 7200

add ✇✇✇✇✇✇✇ 15300

• ...

④④④④④④ 600 add ✈✈✈✈✈✈✈ 15900 subtract ✉✉✉✉✉✉✉✉ mod 1000

• 15000

900

scaled variation 800 + 30 + 9 = (at t = 1) of polynomial t + 30t1 + 9t0. ring: (800t2 +30t1 +9t0)2 = 640000t4 + 48000t3 + 15300t2 + t + 81t0. rrying: 640000t4 + 48000t3 + 15300t2 + t + 81t0; 640000t4 + 48000t3 + 15300t2 + t + 1t0; ✿ ✿ ✿ 700000t5 + 0t4 + 3000t3 + 900t2 + t 1t0. What operations were used here? 800

• ❚

❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ 30

• 9

❥❥❥❥❥❥❥❥❥❥❥❥❥❥❥ multiply

• 7200
• ■

■ ■ ■ ■ ■ ■ 900

• 7200

add ✇✇✇✇✇✇✇ 15300

• ...

④④④④④④ 600 add ✈✈✈✈✈✈✈ 15900 subtract ✉✉✉✉✉✉✉✉ mod 1000

• 15000

900 Speedup: (✁ ✁ ✁ + ❢2t ❢ t ❢ t has coefficients ❢4❢0 + ❢ ❢ ❢ ❢ ❢ ❢ ❢ ❢ 5 mults,

riation + 9 = t

• f polynomial

t t 9t0. t +30t1 +9t0)2 = t 48000t3 + 15300t2 + t t t 48000t3 + 15300t2 + t t t 48000t3 + 15300t2 + t t ✿ ✿ ✿ t t 3000t3 + 900t2 + t t What operations were used here? 800

• ❚

❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ 30

• 9

❥❥❥❥❥❥❥❥❥❥❥❥❥❥❥ multiply

• 7200
• ■

■ ■ ■ ■ ■ ■ 900

• 7200

add ✇✇✇✇✇✇✇ 15300

• ...

④④④④④④ 600 add ✈✈✈✈✈✈✈ 15900 subtract ✉✉✉✉✉✉✉✉ mod 1000

• 15000

900 Speedup: double inside (✁ ✁ ✁ + ❢2t2 + ❢1t1 ❢ t has coefficients such ❢4❢0 + ❢3❢1 + ❢2❢2 ❢ ❢ ❢ ❢ 5 mults, 4 adds.

t

• lynomial

t t t t t 9t0)2 = t t 15300t2 + t t t t 15300t2 + t t t t 15300t2 + t t ✿ ✿ ✿ t t t 900t2 + t t What operations were used here? 800

• ❚

❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ 30

• 9

❥❥❥❥❥❥❥❥❥❥❥❥❥❥❥ multiply

• 7200
• ■

■ ■ ■ ■ ■ ■ 900

• 7200

add ✇✇✇✇✇✇✇ 15300

• ...

④④④④④④ 600 add ✈✈✈✈✈✈✈ 15900 subtract ✉✉✉✉✉✉✉✉ mod 1000

• 15000

900 Speedup: double inside squa (✁ ✁ ✁ + ❢2t2 + ❢1t1 + ❢0t0)2 has coefficients such as ❢4❢0 + ❢3❢1 + ❢2❢2 + ❢1❢3 + ❢ ❢ 5 mults, 4 adds.

What operations were used here? 800

• ❚

❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ 30

• 9

❥❥❥❥❥❥❥❥❥❥❥❥❥❥❥ multiply

• 7200
• ■

■ ■ ■ ■ ■ ■ 900

• 7200

add ✇✇✇✇✇✇✇ 15300

• ...

④④④④④④ 600 add ✈✈✈✈✈✈✈ 15900 subtract ✉✉✉✉✉✉✉✉ mod 1000

• 15000

900 Speedup: double inside squaring (✁ ✁ ✁ + ❢2t2 + ❢1t1 + ❢0t0)2 has coefficients such as ❢4❢0 + ❢3❢1 + ❢2❢2 + ❢1❢3 + ❢0❢4. 5 mults, 4 adds.

What operations were used here? 800

• ❚

❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ 30

• 9

❥❥❥❥❥❥❥❥❥❥❥❥❥❥❥ multiply

• 7200
• ■

■ ■ ■ ■ ■ ■ 900

• 7200

add ✇✇✇✇✇✇✇ 15300

• ...

④④④④④④ 600 add ✈✈✈✈✈✈✈ 15900 subtract ✉✉✉✉✉✉✉✉ mod 1000

• 15000

900 Speedup: double inside squaring (✁ ✁ ✁ + ❢2t2 + ❢1t1 + ❢0t0)2 has coefficients such as ❢4❢0 + ❢3❢1 + ❢2❢2 + ❢1❢3 + ❢0❢4. 5 mults, 4 adds. Compute more efficiently as 2❢4❢0 + 2❢3❢1 + ❢2❢2. 3 mults, 2 adds, 2 doublings. Save ✙ 1❂2 of the mults if there are many coefficients.

• perations were used here?
• ❚

❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ ❚ 30

• 9

❥❥❥❥❥❥❥❥❥❥❥❥❥❥ multiply

• ■

■ ■ ■ ■ 900

• 7200

add ✇✇✇✇✇✇✇ 15300

• ...

④④④④④④ 600 add ✈✈✈✈✈✈✈ 15900 subtract ✉✉✉✉✉ mod 1000

• 900

Speedup: double inside squaring (✁ ✁ ✁ + ❢2t2 + ❢1t1 + ❢0t0)2 has coefficients such as ❢4❢0 + ❢3❢1 + ❢2❢2 + ❢1❢3 + ❢0❢4. 5 mults, 4 adds. Compute more efficiently as 2❢4❢0 + 2❢3❢1 + ❢2❢2. 3 mults, 2 adds, 2 doublings. Save ✙ 1❂2 of the mults if there are many coefficients. Faster alternative: 2(❢4❢0 + ❢ ❢ ❢ ❢ 3 mults, Save ✙ 1❂ if there a

were used here?

• ❚

❚ ❚ ❚ 9 ❥❥❥❥❥ multiply

• 7200

add ✇✇✇✇✇✇ 15300 ... ④④④④④④ 600 add ✈✈✈✈✈✈✈ 15900 mod 1000 Speedup: double inside squaring (✁ ✁ ✁ + ❢2t2 + ❢1t1 + ❢0t0)2 has coefficients such as ❢4❢0 + ❢3❢1 + ❢2❢2 + ❢1❢3 + ❢0❢4. 5 mults, 4 adds. Compute more efficiently as 2❢4❢0 + 2❢3❢1 + ❢2❢2. 3 mults, 2 adds, 2 doublings. Save ✙ 1❂2 of the mults if there are many coefficients. Faster alternative: 2(❢4❢0 + ❢3❢1) + ❢ ❢ 3 mults, 2 adds, 1 Save ✙ 1❂2 of the if there are many co

used here? multiply 7200 ... ④④④④④ Speedup: double inside squaring (✁ ✁ ✁ + ❢2t2 + ❢1t1 + ❢0t0)2 has coefficients such as ❢4❢0 + ❢3❢1 + ❢2❢2 + ❢1❢3 + ❢0❢4. 5 mults, 4 adds. Compute more efficiently as 2❢4❢0 + 2❢3❢1 + ❢2❢2. 3 mults, 2 adds, 2 doublings. Save ✙ 1❂2 of the mults if there are many coefficients. Faster alternative: 2(❢4❢0 + ❢3❢1) + ❢2❢2. 3 mults, 2 adds, 1 doubling. Save ✙ 1❂2 of the adds if there are many coefficients.

Speedup: double inside squaring (✁ ✁ ✁ + ❢2t2 + ❢1t1 + ❢0t0)2 has coefficients such as ❢4❢0 + ❢3❢1 + ❢2❢2 + ❢1❢3 + ❢0❢4. 5 mults, 4 adds. Compute more efficiently as 2❢4❢0 + 2❢3❢1 + ❢2❢2. 3 mults, 2 adds, 2 doublings. Save ✙ 1❂2 of the mults if there are many coefficients. Faster alternative: 2(❢4❢0 + ❢3❢1) + ❢2❢2. 3 mults, 2 adds, 1 doubling. Save ✙ 1❂2 of the adds if there are many coefficients.

Speedup: double inside squaring (✁ ✁ ✁ + ❢2t2 + ❢1t1 + ❢0t0)2 has coefficients such as ❢4❢0 + ❢3❢1 + ❢2❢2 + ❢1❢3 + ❢0❢4. 5 mults, 4 adds. Compute more efficiently as 2❢4❢0 + 2❢3❢1 + ❢2❢2. 3 mults, 2 adds, 2 doublings. Save ✙ 1❂2 of the mults if there are many coefficients. Faster alternative: 2(❢4❢0 + ❢3❢1) + ❢2❢2. 3 mults, 2 adds, 1 doubling. Save ✙ 1❂2 of the adds if there are many coefficients. Even faster alternative: (2❢0)❢4 + (2❢1)❢3 + ❢2❢2, after precomputing 2❢0❀ 2❢1❀ ✿ ✿ ✿. 3 mults, 2 adds, 0 doublings. Precomputation ✙ 0✿5 doublings.

eedup: double inside squaring ✁ ✁ ✁ ❢2t2 + ❢1t1 + ❢0t0)2 efficients such as ❢ ❢ ❢3❢1 + ❢2❢2 + ❢1❢3 + ❢0❢4. mults, 4 adds. Compute more efficiently as ❢ ❢ + 2❢3❢1 + ❢2❢2. mults, 2 adds, 2 doublings. ✙ 1❂2 of the mults there are many coefficients. Faster alternative: 2(❢4❢0 + ❢3❢1) + ❢2❢2. 3 mults, 2 adds, 1 doubling. Save ✙ 1❂2 of the adds if there are many coefficients. Even faster alternative: (2❢0)❢4 + (2❢1)❢3 + ❢2❢2, after precomputing 2❢0❀ 2❢1❀ ✿ ✿ ✿. 3 mults, 2 adds, 0 doublings. Precomputation ✙ 0✿5 doublings. Speedup: Recall 159 ✼✦ ❀ Scaled: 15900 ✼✦ ❀ Alternative: ✼✦ ❀ Scaled: 15900 ✼✦ ❀ Use digits ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❀ ❣ instead of ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ Small disadvantage:

• Several small

easily handle easily handle reduce p

double inside squaring ✁ ✁ ✁ ❢ t ❢ t1 + ❢0t0)2 such as ❢ ❢ ❢ ❢ ❢ ❢2 + ❢1❢3 + ❢0❢4. efficiently as ❢ ❢ ❢ ❢ ❢2❢2. 2 doublings. ✙ ❂ the mults many coefficients. Faster alternative: 2(❢4❢0 + ❢3❢1) + ❢2❢2. 3 mults, 2 adds, 1 doubling. Save ✙ 1❂2 of the adds if there are many coefficients. Even faster alternative: (2❢0)❢4 + (2❢1)❢3 + ❢2❢2, after precomputing 2❢0❀ 2❢1❀ ✿ ✿ ✿. 3 mults, 2 adds, 0 doublings. Precomputation ✙ 0✿5 doublings. Speedup: allow negative Recall 159 ✼✦ 15❀ 9 Scaled: 15900 ✼✦ 15000❀ Alternative: 159 ✼✦ ❀ Scaled: 15900 ✼✦ 16000❀ Use digits ❢5❀ 4❀ ✿ ✿ ✿ ❀ ❀ ❣ instead of ❢0❀ 1❀ ✿ ✿ ✿ ❀ ❣ Small disadvantage:

• Several small advanta

easily handle negative easily handle subtra reduce products a

squaring ✁ ✁ ✁ ❢ t ❢ t ❢ t ❢ ❢ ❢ ❢ ❢ ❢ ❢ ❢ + ❢0❢4. as ❢ ❢ ❢ ❢ ❢ ❢ doublings. ✙ ❂ efficients. Faster alternative: 2(❢4❢0 + ❢3❢1) + ❢2❢2. 3 mults, 2 adds, 1 doubling. Save ✙ 1❂2 of the adds if there are many coefficients. Even faster alternative: (2❢0)❢4 + (2❢1)❢3 + ❢2❢2, after precomputing 2❢0❀ 2❢1❀ ✿ ✿ ✿. 3 mults, 2 adds, 0 doublings. Precomputation ✙ 0✿5 doublings. Speedup: allow negative coeffs Recall 159 ✼✦ 15❀ 9. Scaled: 15900 ✼✦ 15000❀ 900 Alternative: 159 ✼✦ 16❀ 1. Scaled: 15900 ✼✦ 16000❀ 100 Use digits ❢5❀ 4❀ ✿ ✿ ✿ ❀ 4❀ 5❣ instead of ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣. Small disadvantage: need Several small advantages: easily handle negative integers; easily handle subtraction; reduce products a bit.

Faster alternative: 2(❢4❢0 + ❢3❢1) + ❢2❢2. 3 mults, 2 adds, 1 doubling. Save ✙ 1❂2 of the adds if there are many coefficients. Even faster alternative: (2❢0)❢4 + (2❢1)❢3 + ❢2❢2, after precomputing 2❢0❀ 2❢1❀ ✿ ✿ ✿. 3 mults, 2 adds, 0 doublings. Precomputation ✙ 0✿5 doublings. Speedup: allow negative coeffs Recall 159 ✼✦ 15❀ 9. Scaled: 15900 ✼✦ 15000❀ 900. Alternative: 159 ✼✦ 16❀ 1. Scaled: 15900 ✼✦ 16000❀ 100. Use digits ❢5❀ 4❀ ✿ ✿ ✿ ❀ 4❀ 5❣ instead of ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣. Small disadvantage: need . Several small advantages: easily handle negative integers; easily handle subtraction; reduce products a bit.

alternative: ❢ ❢ + ❢3❢1) + ❢2❢2. mults, 2 adds, 1 doubling. ✙ 1❂2 of the adds there are many coefficients. faster alternative: ❢ ❢4 + (2❢1)❢3 + ❢2❢2, recomputing 2❢0❀ 2❢1❀ ✿ ✿ ✿. mults, 2 adds, 0 doublings. Precomputation ✙ 0✿5 doublings. Speedup: allow negative coeffs Recall 159 ✼✦ 15❀ 9. Scaled: 15900 ✼✦ 15000❀ 900. Alternative: 159 ✼✦ 16❀ 1. Scaled: 15900 ✼✦ 16000❀ 100. Use digits ❢5❀ 4❀ ✿ ✿ ✿ ❀ 4❀ 5❣ instead of ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣. Small disadvantage: need . Several small advantages: easily handle negative integers; easily handle subtraction; reduce products a bit. Speedup: Computing ❛❜ ❝ multiply ❛❀ ❜ square ❝ e.g. ❛ = ❜ ❝ (3t2+1t t t t t 6t4 + 23t t t t carry: 8t t t t t As before t t t 64t4 + 48t t t t 7t5 + 0t4 t t t t +: 7t5+ t t t t t 7t5 + 8t4 t t t t

alternative: ❢ ❢ ❢ ❢ ❢2❢2. 1 doubling. ✙ ❂ the adds many coefficients. alternative: ❢ ❢ ❢ ❢3 + ❢2❢2,

• mputing 2❢0❀ 2❢1❀ ✿ ✿ ✿.

0 doublings. ✙ 0✿5 doublings. Speedup: allow negative coeffs Recall 159 ✼✦ 15❀ 9. Scaled: 15900 ✼✦ 15000❀ 900. Alternative: 159 ✼✦ 16❀ 1. Scaled: 15900 ✼✦ 16000❀ 100. Use digits ❢5❀ 4❀ ✿ ✿ ✿ ❀ 4❀ 5❣ instead of ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣. Small disadvantage: need . Several small advantages: easily handle negative integers; easily handle subtraction; reduce products a bit. Speedup: delay ca Computing (e.g.) big ❛❜ ❝ multiply ❛❀ ❜ polynomials, square ❝ poly, carry e.g. ❛ = 314, ❜ = ❝ (3t2+1t1+4t0)(2t t t 6t4 + 23t3 + 18t2 + t t carry: 8t4 + 5t3 + t t t As before (8t2 + 3t t 64t4 + 48t3 + 153t t t 7t5 + 0t4 + 3t3 + 9t t t +: 7t5+8t4+8t3+ t t t 7t5 + 8t4 + 9t3 + 0t t t

❢ ❢ ❢ ❢ ❢ ❢ doubling. ✙ ❂ efficients. ❢ ❢ ❢ ❢ ❢ ❢ ❢ ❀ ❢1❀ ✿ ✿ ✿. doublings. ✙ ✿ doublings. Speedup: allow negative coeffs Recall 159 ✼✦ 15❀ 9. Scaled: 15900 ✼✦ 15000❀ 900. Alternative: 159 ✼✦ 16❀ 1. Scaled: 15900 ✼✦ 16000❀ 100. Use digits ❢5❀ 4❀ ✿ ✿ ✿ ❀ 4❀ 5❣ instead of ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣. Small disadvantage: need . Several small advantages: easily handle negative integers; easily handle subtraction; reduce products a bit. Speedup: delay carries Computing (e.g.) big ❛❜ + ❝2 multiply ❛❀ ❜ polynomials, ca square ❝ poly, carry, add, carry e.g. ❛ = 314, ❜ = 271, ❝ = 839 (3t2+1t1+4t0)(2t2+7t1+1t 6t4 + 23t3 + 18t2 + 29t1 + 4t carry: 8t4 + 5t3 + 0t2 + 9t1 t As before (8t2 + 3t1 + 9t0)2 64t4 + 48t3 + 153t2 + 54t1 + t 7t5 + 0t4 + 3t3 + 9t2 + 2t1 + t +: 7t5+8t4+8t3+9t2+11t1 t 7t5 + 8t4 + 9t3 + 0t2 + 1t1 + t

Speedup: allow negative coeffs Recall 159 ✼✦ 15❀ 9. Scaled: 15900 ✼✦ 15000❀ 900. Alternative: 159 ✼✦ 16❀ 1. Scaled: 15900 ✼✦ 16000❀ 100. Use digits ❢5❀ 4❀ ✿ ✿ ✿ ❀ 4❀ 5❣ instead of ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣. Small disadvantage: need . Several small advantages: easily handle negative integers; easily handle subtraction; reduce products a bit. Speedup: delay carries Computing (e.g.) big ❛❜ + ❝2: multiply ❛❀ ❜ polynomials, carry, square ❝ poly, carry, add, carry. e.g. ❛ = 314, ❜ = 271, ❝ = 839: (3t2+1t1+4t0)(2t2+7t1+1t0) = 6t4 + 23t3 + 18t2 + 29t1 + 4t0; carry: 8t4 + 5t3 + 0t2 + 9t1 + 4t0. As before (8t2 + 3t1 + 9t0)2 = 64t4 + 48t3 + 153t2 + 54t1 + 81t0; 7t5 + 0t4 + 3t3 + 9t2 + 2t1 + 1t0. +: 7t5+8t4+8t3+9t2+11t1+5t0; 7t5 + 8t4 + 9t3 + 0t2 + 1t1 + 5t0.

eedup: allow negative coeffs 159 ✼✦ 15❀ 9. Scaled: 15900 ✼✦ 15000❀ 900. Alternative: 159 ✼✦ 16❀ 1. Scaled: 15900 ✼✦ 16000❀ 100. digits ❢5❀ 4❀ ✿ ✿ ✿ ❀ 4❀ 5❣

• f ❢0❀ 1❀ ✿ ✿ ✿ ❀ 9❣.

disadvantage: need . Several small advantages: handle negative integers; handle subtraction; products a bit. Speedup: delay carries Computing (e.g.) big ❛❜ + ❝2: multiply ❛❀ ❜ polynomials, carry, square ❝ poly, carry, add, carry. e.g. ❛ = 314, ❜ = 271, ❝ = 839: (3t2+1t1+4t0)(2t2+7t1+1t0) = 6t4 + 23t3 + 18t2 + 29t1 + 4t0; carry: 8t4 + 5t3 + 0t2 + 9t1 + 4t0. As before (8t2 + 3t1 + 9t0)2 = 64t4 + 48t3 + 153t2 + 54t1 + 81t0; 7t5 + 0t4 + 3t3 + 9t2 + 2t1 + 1t0. +: 7t5+8t4+8t3+9t2+11t1+5t0; 7t5 + 8t4 + 9t3 + 0t2 + 1t1 + 5t0. Faster: multiply ❛❀ ❜ square ❝ (6t4 + 23t t t t (64t4 +48t t t t = 70t4+ t t t t 7t5 + 8t4 t t t t Eliminate Outweighs slightly la Important multiplications to reduce but carries before additions,

negative coeffs ✼✦ ❀ 9. ✼✦ 15000❀ 900. ✼✦ 16❀ 1. ✼✦ 16000❀ 100. ❢ ❀ 4❀ ✿ ✿ ✿ ❀ 4❀ 5❣ ❢ ❀ ❀ ✿ ✿ ✿ ❀ 9❣. disadvantage: need . advantages: negative integers; subtraction; a bit. Speedup: delay carries Computing (e.g.) big ❛❜ + ❝2: multiply ❛❀ ❜ polynomials, carry, square ❝ poly, carry, add, carry. e.g. ❛ = 314, ❜ = 271, ❝ = 839: (3t2+1t1+4t0)(2t2+7t1+1t0) = 6t4 + 23t3 + 18t2 + 29t1 + 4t0; carry: 8t4 + 5t3 + 0t2 + 9t1 + 4t0. As before (8t2 + 3t1 + 9t0)2 = 64t4 + 48t3 + 153t2 + 54t1 + 81t0; 7t5 + 0t4 + 3t3 + 9t2 + 2t1 + 1t0. +: 7t5+8t4+8t3+9t2+11t1+5t0; 7t5 + 8t4 + 9t3 + 0t2 + 1t1 + 5t0. Faster: multiply ❛❀ ❜ square ❝ polynomial, (6t4 + 23t3 + 18t2 t t (64t4 +48t3 +153t t t = 70t4+71t3+171t t t 7t5 + 8t4 + 9t3 + 0t t t Eliminate intermediate Outweighs cost of slightly larger coefficients. Important to carry multiplications (and to reduce coefficient but carries are usually before additions, sub

coeffs ✼✦ ❀ ✼✦ ❀ 900. ✼✦ ❀ . ✼✦ ❀ 100. ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❀ 5❣ ❢ ❀ ❀ ✿ ✿ ✿ ❀ ❣ . integers; Speedup: delay carries Computing (e.g.) big ❛❜ + ❝2: multiply ❛❀ ❜ polynomials, carry, square ❝ poly, carry, add, carry. e.g. ❛ = 314, ❜ = 271, ❝ = 839: (3t2+1t1+4t0)(2t2+7t1+1t0) = 6t4 + 23t3 + 18t2 + 29t1 + 4t0; carry: 8t4 + 5t3 + 0t2 + 9t1 + 4t0. As before (8t2 + 3t1 + 9t0)2 = 64t4 + 48t3 + 153t2 + 54t1 + 81t0; 7t5 + 0t4 + 3t3 + 9t2 + 2t1 + 1t0. +: 7t5+8t4+8t3+9t2+11t1+5t0; 7t5 + 8t4 + 9t3 + 0t2 + 1t1 + 5t0. Faster: multiply ❛❀ ❜ polynomials, square ❝ polynomial, add, ca (6t4 + 23t3 + 18t2 + 29t1 + 4t (64t4 +48t3 +153t2 +54t1 + t = 70t4+71t3+171t2+83t1+ t 7t5 + 8t4 + 9t3 + 0t2 + 1t1 + t Eliminate intermediate carries. Outweighs cost of handling slightly larger coefficients. Important to carry between multiplications (and squarings) to reduce coefficient size; but carries are usually a bad before additions, subtractions,

Speedup: delay carries Computing (e.g.) big ❛❜ + ❝2: multiply ❛❀ ❜ polynomials, carry, square ❝ poly, carry, add, carry. e.g. ❛ = 314, ❜ = 271, ❝ = 839: (3t2+1t1+4t0)(2t2+7t1+1t0) = 6t4 + 23t3 + 18t2 + 29t1 + 4t0; carry: 8t4 + 5t3 + 0t2 + 9t1 + 4t0. As before (8t2 + 3t1 + 9t0)2 = 64t4 + 48t3 + 153t2 + 54t1 + 81t0; 7t5 + 0t4 + 3t3 + 9t2 + 2t1 + 1t0. +: 7t5+8t4+8t3+9t2+11t1+5t0; 7t5 + 8t4 + 9t3 + 0t2 + 1t1 + 5t0. Faster: multiply ❛❀ ❜ polynomials, square ❝ polynomial, add, carry. (6t4 + 23t3 + 18t2 + 29t1 + 4t0) + (64t4 +48t3 +153t2 +54t1 +81t0) = 70t4+71t3+171t2+83t1+85t0; 7t5 + 8t4 + 9t3 + 0t2 + 1t1 + 5t0. Eliminate intermediate carries. Outweighs cost of handling slightly larger coefficients. Important to carry between multiplications (and squarings) to reduce coefficient size; but carries are usually a bad idea before additions, subtractions, etc.

eedup: delay carries Computing (e.g.) big ❛❜ + ❝2: multiply ❛❀ ❜ polynomials, carry, ❝ poly, carry, add, carry. ❛ = 314, ❜ = 271, ❝ = 839: t 1t1+4t0)(2t2+7t1+1t0) = t 23t3 + 18t2 + 29t1 + 4t0; 8t4 + 5t3 + 0t2 + 9t1 + 4t0. efore (8t2 + 3t1 + 9t0)2 = t 48t3 + 153t2 + 54t1 + 81t0; t 0t4 + 3t3 + 9t2 + 2t1 + 1t0. t +8t4+8t3+9t2+11t1+5t0; t 8t4 + 9t3 + 0t2 + 1t1 + 5t0. Faster: multiply ❛❀ ❜ polynomials, square ❝ polynomial, add, carry. (6t4 + 23t3 + 18t2 + 29t1 + 4t0) + (64t4 +48t3 +153t2 +54t1 +81t0) = 70t4+71t3+171t2+83t1+85t0; 7t5 + 8t4 + 9t3 + 0t2 + 1t1 + 5t0. Eliminate intermediate carries. Outweighs cost of handling slightly larger coefficients. Important to carry between multiplications (and squarings) to reduce coefficient size; but carries are usually a bad idea before additions, subtractions, etc. Speedup: How much ❢ = ❢0 + ❢ t ✁ ✁ ✁ ❢ t ❣ = ❣0 + ❣ t ✁ ✁ ✁ ❣ t Using the 400 coeff Faster: W ❢ ❋ ❋ t ❋0 = ❢0 ❢ t ✁ ✁ ✁ ❢ t ❋1 = ❢10 ❢ t ✁ ✁ ✁ ❢ t Similarly ❣

• t

Then ❢❣ ❋ ❋

• t

+ (❋0●0 ❋ ● t t

carries (e.g.) big ❛❜ + ❝2: ❛❀ ❜

• lynomials, carry,

❝ rry, add, carry. ❛ ❜ = 271, ❝ = 839: t t t 2t2+7t1+1t0) = t t t2 + 29t1 + 4t0; t t + 0t2 + 9t1 + 4t0. t 3t1 + 9t0)2 = t t 153t2 + 54t1 + 81t0; t t t + 9t2 + 2t1 + 1t0. t t t +9t2+11t1+5t0; t t t + 0t2 + 1t1 + 5t0. Faster: multiply ❛❀ ❜ polynomials, square ❝ polynomial, add, carry. (6t4 + 23t3 + 18t2 + 29t1 + 4t0) + (64t4 +48t3 +153t2 +54t1 +81t0) = 70t4+71t3+171t2+83t1+85t0; 7t5 + 8t4 + 9t3 + 0t2 + 1t1 + 5t0. Eliminate intermediate carries. Outweighs cost of handling slightly larger coefficients. Important to carry between multiplications (and squarings) to reduce coefficient size; but carries are usually a bad idea before additions, subtractions, etc. Speedup: polynom How much work to ❢ = ❢0 + ❢1t + ✁ ✁ ✁ ❢ t ❣ = ❣0 + ❣1t + ✁ ✁ ✁ ❣ t Using the obvious 400 coeff mults, 361 Faster: Write ❢ as ❋ ❋ t ❋0 = ❢0 + ❢1t + ✁ ✁ ✁ ❢ t ❋1 = ❢10 + ❢11t + ✁ ✁ ✁ ❢ t Similarly write ❣ as ●

• t

Then ❢❣ = (❋0 + ❋

• t

+ (❋0●0 ❋1●1t10 t

❛❜ ❝2: ❛❀ ❜ carry, ❝ carry. ❛ ❜ ❝ 839: t t t t t 1t0) = t t t t 4t0; t t t t1 + 4t0. t t t )2 = t t t t + 81t0; t t t t t1 + 1t0. t t t t t1+5t0; t t t t t1 + 5t0. Faster: multiply ❛❀ ❜ polynomials, square ❝ polynomial, add, carry. (6t4 + 23t3 + 18t2 + 29t1 + 4t0) + (64t4 +48t3 +153t2 +54t1 +81t0) = 70t4+71t3+171t2+83t1+85t0; 7t5 + 8t4 + 9t3 + 0t2 + 1t1 + 5t0. Eliminate intermediate carries. Outweighs cost of handling slightly larger coefficients. Important to carry between multiplications (and squarings) to reduce coefficient size; but carries are usually a bad idea before additions, subtractions, etc. Speedup: polynomial Karatsuba How much work to multiply ❢ = ❢0 + ❢1t + ✁ ✁ ✁ + ❢19t19, ❣ = ❣0 + ❣1t + ✁ ✁ ✁ + ❣19t19? Using the obvious method: 400 coeff mults, 361 coeff adds. Faster: Write ❢ as ❋0 + ❋1t10 ❋0 = ❢0 + ❢1t + ✁ ✁ ✁ + ❢9t9; ❋1 = ❢10 + ❢11t + ✁ ✁ ✁ + ❢19t Similarly write ❣ as ●0 + ●1t Then ❢❣ = (❋0 + ❋1)(●0 + ● t + (❋0●0 ❋1●1t10)(1 t10

Faster: multiply ❛❀ ❜ polynomials, square ❝ polynomial, add, carry. (6t4 + 23t3 + 18t2 + 29t1 + 4t0) + (64t4 +48t3 +153t2 +54t1 +81t0) = 70t4+71t3+171t2+83t1+85t0; 7t5 + 8t4 + 9t3 + 0t2 + 1t1 + 5t0. Eliminate intermediate carries. Outweighs cost of handling slightly larger coefficients. Important to carry between multiplications (and squarings) to reduce coefficient size; but carries are usually a bad idea before additions, subtractions, etc. Speedup: polynomial Karatsuba How much work to multiply polys ❢ = ❢0 + ❢1t + ✁ ✁ ✁ + ❢19t19, ❣ = ❣0 + ❣1t + ✁ ✁ ✁ + ❣19t19? Using the obvious method: 400 coeff mults, 361 coeff adds. Faster: Write ❢ as ❋0 + ❋1t10; ❋0 = ❢0 + ❢1t + ✁ ✁ ✁ + ❢9t9; ❋1 = ❢10 + ❢11t + ✁ ✁ ✁ + ❢19t9. Similarly write ❣ as ●0 + ●1t10. Then ❢❣ = (❋0 + ❋1)(●0 + ●1)t10 + (❋0●0 ❋1●1t10)(1 t10).

aster: multiply ❛❀ ❜ polynomials, ❝ polynomial, add, carry. t 23t3 + 18t2 + 29t1 + 4t0) + t 48t3 +153t2 +54t1 +81t0) t +71t3+171t2+83t1+85t0; t 8t4 + 9t3 + 0t2 + 1t1 + 5t0. Eliminate intermediate carries. eighs cost of handling slightly larger coefficients. rtant to carry between multiplications (and squarings) reduce coefficient size; rries are usually a bad idea additions, subtractions, etc. Speedup: polynomial Karatsuba How much work to multiply polys ❢ = ❢0 + ❢1t + ✁ ✁ ✁ + ❢19t19, ❣ = ❣0 + ❣1t + ✁ ✁ ✁ + ❣19t19? Using the obvious method: 400 coeff mults, 361 coeff adds. Faster: Write ❢ as ❋0 + ❋1t10; ❋0 = ❢0 + ❢1t + ✁ ✁ ✁ + ❢9t9; ❋1 = ❢10 + ❢11t + ✁ ✁ ✁ + ❢19t9. Similarly write ❣ as ●0 + ●1t10. Then ❢❣ = (❋0 + ❋1)(●0 + ●1)t10 + (❋0●0 ❋1●1t10)(1 t10). 20 adds ❋ ❋

• 300 mults

❋0●0, ❋1● ❋ ❋

• 243 adds

9 adds fo ❋ ● ❋ ● t with subs and with 19 adds ✁ ✁ ✁ t 19 adds Total 300 Larger co still saves Can apply as poly degree

❛❀ ❜ polynomials, ❝

• lynomial, add, carry.

t t t2 + 29t1 + 4t0) + t t 153t2 +54t1 +81t0) t t 171t2+83t1+85t0; t t t + 0t2 + 1t1 + 5t0. intermediate carries.

• f handling

efficients. rry between (and squarings) efficient size; usually a bad idea additions, subtractions, etc. Speedup: polynomial Karatsuba How much work to multiply polys ❢ = ❢0 + ❢1t + ✁ ✁ ✁ + ❢19t19, ❣ = ❣0 + ❣1t + ✁ ✁ ✁ + ❣19t19? Using the obvious method: 400 coeff mults, 361 coeff adds. Faster: Write ❢ as ❋0 + ❋1t10; ❋0 = ❢0 + ❢1t + ✁ ✁ ✁ + ❢9t9; ❋1 = ❢10 + ❢11t + ✁ ✁ ✁ + ❢19t9. Similarly write ❣ as ●0 + ●1t10. Then ❢❣ = (❋0 + ❋1)(●0 + ●1)t10 + (❋0●0 ❋1●1t10)(1 t10). 20 adds for ❋0 + ❋

• 300 mults for three

❋0●0, ❋1●1, (❋0 + ❋

• 243 adds for those

9 adds for ❋0●0 ❋ ● t with subs counted and with delayed negations. 19 adds for ✁ ✁ ✁ (1 t 19 adds to finish. Total 300 mults, 310 Larger coefficients, still saves time. Can apply idea recursively as poly degree grows.

❛❀ ❜

• lynomials,

❝ carry. t t t t 4t0) + t t t t +81t0) t t t t1+85t0; t t t t t1 + 5t0. rries. andling een rings) bad idea tractions, etc. Speedup: polynomial Karatsuba How much work to multiply polys ❢ = ❢0 + ❢1t + ✁ ✁ ✁ + ❢19t19, ❣ = ❣0 + ❣1t + ✁ ✁ ✁ + ❣19t19? Using the obvious method: 400 coeff mults, 361 coeff adds. Faster: Write ❢ as ❋0 + ❋1t10; ❋0 = ❢0 + ❢1t + ✁ ✁ ✁ + ❢9t9; ❋1 = ❢10 + ❢11t + ✁ ✁ ✁ + ❢19t9. Similarly write ❣ as ●0 + ●1t10. Then ❢❣ = (❋0 + ❋1)(●0 + ●1)t10 + (❋0●0 ❋1●1t10)(1 t10). 20 adds for ❋0 + ❋1, ●0 + ● 300 mults for three products ❋0●0, ❋1●1, (❋0 + ❋1)(●0 + ● 243 adds for those products. 9 adds for ❋0●0 ❋1●1t10 with subs counted as adds and with delayed negations. 19 adds for ✁ ✁ ✁ (1 t10). 19 adds to finish. Total 300 mults, 310 adds. Larger coefficients, slight exp still saves time. Can apply idea recursively as poly degree grows.

Speedup: polynomial Karatsuba How much work to multiply polys ❢ = ❢0 + ❢1t + ✁ ✁ ✁ + ❢19t19, ❣ = ❣0 + ❣1t + ✁ ✁ ✁ + ❣19t19? Using the obvious method: 400 coeff mults, 361 coeff adds. Faster: Write ❢ as ❋0 + ❋1t10; ❋0 = ❢0 + ❢1t + ✁ ✁ ✁ + ❢9t9; ❋1 = ❢10 + ❢11t + ✁ ✁ ✁ + ❢19t9. Similarly write ❣ as ●0 + ●1t10. Then ❢❣ = (❋0 + ❋1)(●0 + ●1)t10 + (❋0●0 ❋1●1t10)(1 t10). 20 adds for ❋0 + ❋1, ●0 + ●1. 300 mults for three products ❋0●0, ❋1●1, (❋0 + ❋1)(●0 + ●1). 243 adds for those products. 9 adds for ❋0●0 ❋1●1t10 with subs counted as adds and with delayed negations. 19 adds for ✁ ✁ ✁ (1 t10). 19 adds to finish. Total 300 mults, 310 adds. Larger coefficients, slight expense; still saves time. Can apply idea recursively as poly degree grows.

eedup: polynomial Karatsuba much work to multiply polys ❢ ❢ + ❢1t + ✁ ✁ ✁ + ❢19t19, ❣ ❣ + ❣1t + ✁ ✁ ✁ + ❣19t19? the obvious method: eff mults, 361 coeff adds. aster: Write ❢ as ❋0 + ❋1t10; ❋ ❢0 + ❢1t + ✁ ✁ ✁ + ❢9t9; ❋ ❢10 + ❢11t + ✁ ✁ ✁ + ❢19t9. rly write ❣ as ●0 + ●1t10. ❢❣ = (❋0 + ❋1)(●0 + ●1)t10 ❋ ●0 ❋1●1t10)(1 t10). 20 adds for ❋0 + ❋1, ●0 + ●1. 300 mults for three products ❋0●0, ❋1●1, (❋0 + ❋1)(●0 + ●1). 243 adds for those products. 9 adds for ❋0●0 ❋1●1t10 with subs counted as adds and with delayed negations. 19 adds for ✁ ✁ ✁ (1 t10). 19 adds to finish. Total 300 mults, 310 adds. Larger coefficients, slight expense; still saves time. Can apply idea recursively as poly degree grows. Many other in polynomial “Toom,” Increasingly polynomial ❖(♥ lg ♥ ♥ to compute ♥ Useful fo ♥ that occur In some But Karatsuba for prime-field

• n most

• lynomial Karatsuba

to multiply polys ❢ ❢ ❢ t ✁ ✁ ✁ + ❢19t19, ❣ ❣ ❣ t ✁ ✁ ✁ + ❣19t19?

• bvious method:

361 coeff adds. ❢ as ❋0 + ❋1t10; ❋ ❢ ❢ t ✁ ✁ ✁ + ❢9t9; ❋ ❢ ❢ t + ✁ ✁ ✁ + ❢19t9. ❣ as ●0 + ●1t10. ❢❣ ❋ + ❋1)(●0 + ●1)t10 ❋ ● ❋ ● t10)(1 t10). 20 adds for ❋0 + ❋1, ●0 + ●1. 300 mults for three products ❋0●0, ❋1●1, (❋0 + ❋1)(●0 + ●1). 243 adds for those products. 9 adds for ❋0●0 ❋1●1t10 with subs counted as adds and with delayed negations. 19 adds for ✁ ✁ ✁ (1 t10). 19 adds to finish. Total 300 mults, 310 adds. Larger coefficients, slight expense; still saves time. Can apply idea recursively as poly degree grows. Many other algebraic in polynomial multiplication: “Toom,” “FFT,” etc. Increasingly important polynomial degree ❖(♥ lg ♥ lg lg ♥) co to compute ♥-coeff Useful for sizes of ♥ that occur in cryptography? In some cases, yes! But Karatsuba is the for prime-field ECC/ECDLP

• n most current CPUs.

ratsuba multiply polys ❢ ❢ ❢ t ✁ ✁ ✁ ❢ t19, ❣ ❣ ❣ t ✁ ✁ ✁ ❣ t19? d: adds. ❢ ❋ ❋1t10; ❋ ❢ ❢ t ✁ ✁ ✁ ❢ t ; ❋ ❢ ❢ t ✁ ✁ ✁ ❢19t9. ❣

• 1t10.

❢❣ ❋ ❋

• + ●1)t10

❋ ● ❋ ● t t10). 20 adds for ❋0 + ❋1, ●0 + ●1. 300 mults for three products ❋0●0, ❋1●1, (❋0 + ❋1)(●0 + ●1). 243 adds for those products. 9 adds for ❋0●0 ❋1●1t10 with subs counted as adds and with delayed negations. 19 adds for ✁ ✁ ✁ (1 t10). 19 adds to finish. Total 300 mults, 310 adds. Larger coefficients, slight expense; still saves time. Can apply idea recursively as poly degree grows. Many other algebraic speedups in polynomial multiplication: “Toom,” “FFT,” etc. Increasingly important as polynomial degree grows. ❖(♥ lg ♥ lg lg ♥) coeff operations to compute ♥-coeff product. Useful for sizes of ♥ that occur in cryptography? In some cases, yes! But Karatsuba is the limit for prime-field ECC/ECDLP

• n most current CPUs.

20 adds for ❋0 + ❋1, ●0 + ●1. 300 mults for three products ❋0●0, ❋1●1, (❋0 + ❋1)(●0 + ●1). 243 adds for those products. 9 adds for ❋0●0 ❋1●1t10 with subs counted as adds and with delayed negations. 19 adds for ✁ ✁ ✁ (1 t10). 19 adds to finish. Total 300 mults, 310 adds. Larger coefficients, slight expense; still saves time. Can apply idea recursively as poly degree grows. Many other algebraic speedups in polynomial multiplication: “Toom,” “FFT,” etc. Increasingly important as polynomial degree grows. ❖(♥ lg ♥ lg lg ♥) coeff operations to compute ♥-coeff product. Useful for sizes of ♥ that occur in cryptography? In some cases, yes! But Karatsuba is the limit for prime-field ECC/ECDLP

• n most current CPUs.

adds for ❋0 + ❋1, ●0 + ●1. mults for three products ❋ ● ❋1●1, (❋0 + ❋1)(●0 + ●1). adds for those products. for ❋0●0 ❋1●1t10 subs counted as adds with delayed negations. adds for ✁ ✁ ✁ (1 t10). adds to finish. 300 mults, 310 adds. coefficients, slight expense; saves time. apply idea recursively

• ly degree grows.

Many other algebraic speedups in polynomial multiplication: “Toom,” “FFT,” etc. Increasingly important as polynomial degree grows. ❖(♥ lg ♥ lg lg ♥) coeff operations to compute ♥-coeff product. Useful for sizes of ♥ that occur in cryptography? In some cases, yes! But Karatsuba is the limit for prime-field ECC/ECDLP

• n most current CPUs.

Modular How to compute ❢ ♣ Can use ❢ mod ♣ ❢ ♣ ❜❢❂♣❝ Can multiply ❢ precomputed ❂♣ easily adjust ❜❢❂♣❝ Slight sp “Montgomery

❋ ❋1, ●0 + ●1. three products ❋ ● ❋ ● ❋ + ❋1)(●0 + ●1). those products. ❋ ● ❋1●1t10 counted as adds negations. ✁ ✁ ✁ (1 t10). finish. mults, 310 adds. efficients, slight expense; recursively grows. Many other algebraic speedups in polynomial multiplication: “Toom,” “FFT,” etc. Increasingly important as polynomial degree grows. ❖(♥ lg ♥ lg lg ♥) coeff operations to compute ♥-coeff product. Useful for sizes of ♥ that occur in cryptography? In some cases, yes! But Karatsuba is the limit for prime-field ECC/ECDLP

• n most current CPUs.

Modular reduction How to compute ❢ ♣ Can use definition: ❢ mod ♣ = ❢ ♣ ❜❢❂♣❝ Can multiply ❢ by precomputed 1❂♣ app easily adjust to obtain ❜❢❂♣❝ Slight speedup: “2-adic “Montgomery reduction.”

❋ ❋

• 1.

ducts ❋ ● ❋ ● ❋ ❋

• + ●1).

ducts. ❋ ● ❋ ● t negations. ✁ ✁ ✁ t adds. expense; Many other algebraic speedups in polynomial multiplication: “Toom,” “FFT,” etc. Increasingly important as polynomial degree grows. ❖(♥ lg ♥ lg lg ♥) coeff operations to compute ♥-coeff product. Useful for sizes of ♥ that occur in cryptography? In some cases, yes! But Karatsuba is the limit for prime-field ECC/ECDLP

• n most current CPUs.

Modular reduction How to compute ❢ mod ♣? Can use definition: ❢ mod ♣ = ❢ ♣ ❜❢❂♣❝. Can multiply ❢ by a precomputed 1❂♣ approximation; easily adjust to obtain ❜❢❂♣❝ Slight speedup: “2-adic inverse”; “Montgomery reduction.”

Many other algebraic speedups in polynomial multiplication: “Toom,” “FFT,” etc. Increasingly important as polynomial degree grows. ❖(♥ lg ♥ lg lg ♥) coeff operations to compute ♥-coeff product. Useful for sizes of ♥ that occur in cryptography? In some cases, yes! But Karatsuba is the limit for prime-field ECC/ECDLP

• n most current CPUs.

Modular reduction How to compute ❢ mod ♣? Can use definition: ❢ mod ♣ = ❢ ♣ ❜❢❂♣❝. Can multiply ❢ by a precomputed 1❂♣ approximation; easily adjust to obtain ❜❢❂♣❝. Slight speedup: “2-adic inverse”; “Montgomery reduction.”

• ther algebraic speedups
• lynomial multiplication:

,” “FFT,” etc. Increasingly important as

• lynomial degree grows.

❖ ♥ ♥ lg lg ♥) coeff operations compute ♥-coeff product. for sizes of ♥ ccur in cryptography? some cases, yes! Karatsuba is the limit rime-field ECC/ECDLP most current CPUs. Modular reduction How to compute ❢ mod ♣? Can use definition: ❢ mod ♣ = ❢ ♣ ❜❢❂♣❝. Can multiply ❢ by a precomputed 1❂♣ approximation; easily adjust to obtain ❜❢❂♣❝. Slight speedup: “2-adic inverse”; “Montgomery reduction.” e.g. 314159265358 Precompute ❜1000000000000❂ ❝ = 3678796. Compute 314159 ✁ = 1155726872564. Compute 314159265358 ✁ = 578230. Oops, to 578230 306402

algebraic speedups multiplication: “FFT,” etc.

• rtant as

degree grows. ❖ ♥ ♥ ♥ coeff operations ♥ eff product.

• f ♥

cryptography? es! is the limit ECC/ECDLP CPUs. Modular reduction How to compute ❢ mod ♣? Can use definition: ❢ mod ♣ = ❢ ♣ ❜❢❂♣❝. Can multiply ❢ by a precomputed 1❂♣ approximation; easily adjust to obtain ❜❢❂♣❝. Slight speedup: “2-adic inverse”; “Montgomery reduction.” e.g. 314159265358 Precompute ❜1000000000000❂271828❝ = 3678796. Compute 314159 ✁ 3678796 = 1155726872564. Compute 314159265358 1155726 ✁ = 578230. Oops, too big: 578230 271828 = 306402 271828 =

eedups multiplication: ❖ ♥ ♥ ♥ erations ♥ duct. ♥ cryptography? ECC/ECDLP Modular reduction How to compute ❢ mod ♣? Can use definition: ❢ mod ♣ = ❢ ♣ ❜❢❂♣❝. Can multiply ❢ by a precomputed 1❂♣ approximation; easily adjust to obtain ❜❢❂♣❝. Slight speedup: “2-adic inverse”; “Montgomery reduction.” e.g. 314159265358 mod 271828: Precompute ❜1000000000000❂271828❝ = 3678796. Compute 314159 ✁ 3678796 = 1155726872564. Compute 314159265358 1155726 ✁ 271828 = 578230. Oops, too big: 578230 271828 = 306402. 306402 271828 = 34574.

Modular reduction How to compute ❢ mod ♣? Can use definition: ❢ mod ♣ = ❢ ♣ ❜❢❂♣❝. Can multiply ❢ by a precomputed 1❂♣ approximation; easily adjust to obtain ❜❢❂♣❝. Slight speedup: “2-adic inverse”; “Montgomery reduction.” e.g. 314159265358 mod 271828: Precompute ❜1000000000000❂271828❝ = 3678796. Compute 314159 ✁ 3678796 = 1155726872564. Compute 314159265358 1155726 ✁ 271828 = 578230. Oops, too big: 578230 271828 = 306402. 306402 271828 = 34574.

dular reduction to compute ❢ mod ♣? use definition: ❢ ♣ = ❢ ♣ ❜❢❂♣❝. multiply ❢ by a recomputed 1❂♣ approximation; adjust to obtain ❜❢❂♣❝. speedup: “2-adic inverse”; “Montgomery reduction.” e.g. 314159265358 mod 271828: Precompute ❜1000000000000❂271828❝ = 3678796. Compute 314159 ✁ 3678796 = 1155726872564. Compute 314159265358 1155726 ✁ 271828 = 578230. Oops, too big: 578230 271828 = 306402. 306402 271828 = 34574. We can do ♣ is chosen to make ❢ ♣ Special p for F✄

♣, Clo ♣

but not fo gls1271: ♣

• with degree-2

Curve25519: ♣

• NIST P-224: ♣
• secp112r1: ♣
• ❂

Divides sp

reduction ❢ mod ♣? definition: ❢ ♣ ❢ ♣ ❜❢❂♣❝. ❢ by a ❂♣ approximation;

• btain ❜❢❂♣❝.

“2-adic inverse”; reduction.” e.g. 314159265358 mod 271828: Precompute ❜1000000000000❂271828❝ = 3678796. Compute 314159 ✁ 3678796 = 1155726872564. Compute 314159265358 1155726 ✁ 271828 = 578230. Oops, too big: 578230 271828 = 306402. 306402 271828 = 34574. We can do better: ♣ is chosen with a to make ❢ mod ♣ much Special primes hurt for F✄

♣, Clock(F♣),

but not for elliptic gls1271: ♣ = 2127 with degree-2 extension. Curve25519: ♣ = 2

• NIST P-224: ♣ =
• secp112r1: ♣ = (2
• ❂

Divides special form.

❢ ♣? ❢ ♣ ❢ ♣ ❜❢❂♣❝ ❢ ❂♣ ximation; ❜❢❂♣❝. inverse”; e.g. 314159265358 mod 271828: Precompute ❜1000000000000❂271828❝ = 3678796. Compute 314159 ✁ 3678796 = 1155726872564. Compute 314159265358 1155726 ✁ 271828 = 578230. Oops, too big: 578230 271828 = 306402. 306402 271828 = 34574. We can do better: normally ♣ is chosen with a special for to make ❢ mod ♣ much faster. Special primes hurt security for F✄

♣, Clock(F♣), etc.,

but not for elliptic curves! gls1271: ♣ = 2127 1, with degree-2 extension. Curve25519: ♣ = 2255 19. NIST P-224: ♣ = 2224 296 secp112r1: ♣ = (2128 3)❂76439. Divides special form.

e.g. 314159265358 mod 271828: Precompute ❜1000000000000❂271828❝ = 3678796. Compute 314159 ✁ 3678796 = 1155726872564. Compute 314159265358 1155726 ✁ 271828 = 578230. Oops, too big: 578230 271828 = 306402. 306402 271828 = 34574. We can do better: normally ♣ is chosen with a special form to make ❢ mod ♣ much faster. Special primes hurt security for F✄

♣, Clock(F♣), etc.,

but not for elliptic curves! gls1271: ♣ = 2127 1, with degree-2 extension. Curve25519: ♣ = 2255 19. NIST P-224: ♣ = 2224 296 + 1. secp112r1: ♣ = (2128 3)❂76439. Divides special form.

314159265358 mod 271828: Precompute ❜1000000000000❂271828❝ 3678796. Compute 314159 ✁ 3678796 1155726872564. Compute 314159265358 1155726 ✁ 271828 578230. too big: 578230 271828 = 306402. 306402 271828 = 34574. We can do better: normally ♣ is chosen with a special form to make ❢ mod ♣ much faster. Special primes hurt security for F✄

♣, Clock(F♣), etc.,

but not for elliptic curves! gls1271: ♣ = 2127 1, with degree-2 extension. Curve25519: ♣ = 2255 19. NIST P-224: ♣ = 2224 296 + 1. secp112r1: ♣ = (2128 3)❂76439. Divides special form. Small example: ♣ Then 1000000❛ ❜ ✑ ❜ ❛ e.g. 314159265358 314159 ✁ ✑ 314159( 942477 677119. Easily adjust ❜ ❛ to the range ❢ ❀ ❀ ✿ ✿ ✿ ❀ ♣ ❣ by adding/subtracting ♣ e.g. 677119 ✑

314159265358 mod 271828: ❜ ❂271828❝ ✁ 3678796 1155726872564. 1155726 ✁ 271828 271828 = 306402. 271828 = 34574. We can do better: normally ♣ is chosen with a special form to make ❢ mod ♣ much faster. Special primes hurt security for F✄

♣, Clock(F♣), etc.,

but not for elliptic curves! gls1271: ♣ = 2127 1, with degree-2 extension. Curve25519: ♣ = 2255 19. NIST P-224: ♣ = 2224 296 + 1. secp112r1: ♣ = (2128 3)❂76439. Divides special form. Small example: ♣ = Then 1000000❛ + ❜ ✑ ❜ ❛ e.g. 314159265358 314159 ✁ 1000000 + ✑ 314159(3) + 265358 942477 + 265358 677119. Easily adjust ❜ 3❛ to the range ❢0❀ 1❀ ✿ ✿ ✿ ❀ ♣ ❣ by adding/subtracting ♣ e.g. 677119 ✑ 322884.

271828: ❜ ❂ ❝ ✁

• ✁ 271828
• 306402.
• 34574.

We can do better: normally ♣ is chosen with a special form to make ❢ mod ♣ much faster. Special primes hurt security for F✄

♣, Clock(F♣), etc.,

but not for elliptic curves! gls1271: ♣ = 2127 1, with degree-2 extension. Curve25519: ♣ = 2255 19. NIST P-224: ♣ = 2224 296 + 1. secp112r1: ♣ = (2128 3)❂76439. Divides special form. Small example: ♣ = 1000003. Then 1000000❛ + ❜ ✑ ❜ 3❛ e.g. 314159265358 = 314159 ✁ 1000000 + 265358 ✑ 314159(3) + 265358 = 942477 + 265358 = 677119. Easily adjust ❜ 3❛ to the range ❢0❀ 1❀ ✿ ✿ ✿ ❀ ♣ 1❣ by adding/subtracting a few ♣ e.g. 677119 ✑ 322884.

We can do better: normally ♣ is chosen with a special form to make ❢ mod ♣ much faster. Special primes hurt security for F✄

♣, Clock(F♣), etc.,

but not for elliptic curves! gls1271: ♣ = 2127 1, with degree-2 extension. Curve25519: ♣ = 2255 19. NIST P-224: ♣ = 2224 296 + 1. secp112r1: ♣ = (2128 3)❂76439. Divides special form. Small example: ♣ = 1000003. Then 1000000❛ + ❜ ✑ ❜ 3❛. e.g. 314159265358 = 314159 ✁ 1000000 + 265358 ✑ 314159(3) + 265358 = 942477 + 265358 = 677119. Easily adjust ❜ 3❛ to the range ❢0❀ 1❀ ✿ ✿ ✿ ❀ ♣ 1❣ by adding/subtracting a few ♣’s: e.g. 677119 ✑ 322884.

can do better: normally ♣ chosen with a special form make ❢ mod ♣ much faster. ecial primes hurt security

✄ ♣, Clock(F♣), etc.,

not for elliptic curves! gls1271: ♣ = 2127 1, degree-2 extension. Curve25519: ♣ = 2255 19. P-224: ♣ = 2224 296 + 1. secp112r1: ♣ = (2128 3)❂76439. Divides special form. Small example: ♣ = 1000003. Then 1000000❛ + ❜ ✑ ❜ 3❛. e.g. 314159265358 = 314159 ✁ 1000000 + 265358 ✑ 314159(3) + 265358 = 942477 + 265358 = 677119. Easily adjust ❜ 3❛ to the range ❢0❀ 1❀ ✿ ✿ ✿ ❀ ♣ 1❣ by adding/subtracting a few ♣’s: e.g. 677119 ✑ 322884. Hmmm, Conditional (Also dangerous branch timing Can eliminate but adjustment Speedup: for interm “Lazy reduction.” Adjust only ❜ 3❛ is to continue

etter: normally ♣ a special form ❢ ♣ much faster. hurt security

✄ ♣ ♣), etc.,

elliptic curves! ♣

127 1,

extension. ♣ 2255 19. ♣ = 2224 296 + 1. ♣ (2128 3)❂76439. form. Small example: ♣ = 1000003. Then 1000000❛ + ❜ ✑ ❜ 3❛. e.g. 314159265358 = 314159 ✁ 1000000 + 265358 ✑ 314159(3) + 265358 = 942477 + 265358 = 677119. Easily adjust ❜ 3❛ to the range ❢0❀ 1❀ ✿ ✿ ✿ ❀ ♣ 1❣ by adding/subtracting a few ♣’s: e.g. 677119 ✑ 322884. Hmmm, is adjustment Conditional branches (Also dangerous fo branch timing leaks Can eliminate the but adjustment isn’t Speedup: Skip the for intermediate results. “Lazy reduction.” Adjust only for output. ❜ 3❛ is small enough to continue computations.

rmally ♣ form ❢ ♣ faster. security

✄ ♣ ♣

♣

• ♣

19. ♣

• 96 + 1.

♣

• ❂76439.

Small example: ♣ = 1000003. Then 1000000❛ + ❜ ✑ ❜ 3❛. e.g. 314159265358 = 314159 ✁ 1000000 + 265358 ✑ 314159(3) + 265358 = 942477 + 265358 = 677119. Easily adjust ❜ 3❛ to the range ❢0❀ 1❀ ✿ ✿ ✿ ❀ ♣ 1❣ by adding/subtracting a few ♣’s: e.g. 677119 ✑ 322884. Hmmm, is adjustment so easy? Conditional branches are slow. (Also dangerous for defenders: branch timing leaks secrets.) Can eliminate the branches, but adjustment isn’t free. Speedup: Skip the adjustment for intermediate results. “Lazy reduction.” Adjust only for output. ❜ 3❛ is small enough to continue computations.

Small example: ♣ = 1000003. Then 1000000❛ + ❜ ✑ ❜ 3❛. e.g. 314159265358 = 314159 ✁ 1000000 + 265358 ✑ 314159(3) + 265358 = 942477 + 265358 = 677119. Easily adjust ❜ 3❛ to the range ❢0❀ 1❀ ✿ ✿ ✿ ❀ ♣ 1❣ by adding/subtracting a few ♣’s: e.g. 677119 ✑ 322884. Hmmm, is adjustment so easy? Conditional branches are slow. (Also dangerous for defenders: branch timing leaks secrets.) Can eliminate the branches, but adjustment isn’t free. Speedup: Skip the adjustment for intermediate results. “Lazy reduction.” Adjust only for output. ❜ 3❛ is small enough to continue computations.

example: ♣ = 1000003. 1000000❛ + ❜ ✑ ❜ 3❛. 314159265358 = 314159 ✁ 1000000 + 265358 ✑ 314159(3) + 265358 = 942477 + 265358 = 677119. adjust ❜ 3❛ range ❢0❀ 1❀ ✿ ✿ ✿ ❀ ♣ 1❣ dding/subtracting a few ♣’s: 677119 ✑ 322884. Hmmm, is adjustment so easy? Conditional branches are slow. (Also dangerous for defenders: branch timing leaks secrets.) Can eliminate the branches, but adjustment isn’t free. Speedup: Skip the adjustment for intermediate results. “Lazy reduction.” Adjust only for output. ❜ 3❛ is small enough to continue computations. Can dela multiplication e.g. To squa in Z❂1000003: 3t5 + 1t4 t t t t

• btaining

t t t 14t7 + 48t t t 82t3 + 43t t t Reduce: ❝✐ t

✐

(3❝✐)t✐ t t 64t3 32t t t Carry: 8t t t 1t3 + 2t2 t t

♣ = 1000003. ❛ + ❜ ✑ ❜ 3❛. 314159265358 = ✁ 1000000 + 265358 ✑

• 265358 =
• 265358 =
• ❜ 3❛

❢ ❀ 1❀ ✿ ✿ ✿ ❀ ♣ 1❣ dding/subtracting a few ♣’s:

• ✑ 322884.

Hmmm, is adjustment so easy? Conditional branches are slow. (Also dangerous for defenders: branch timing leaks secrets.) Can eliminate the branches, but adjustment isn’t free. Speedup: Skip the adjustment for intermediate results. “Lazy reduction.” Adjust only for output. ❜ 3❛ is small enough to continue computations. Can delay carries until multiplication by 3. e.g. To square 314159 in Z❂1000003: Squa 3t5 + 1t4 + 4t3 + t t t

• btaining 9t10 + 6t

t 14t7 + 48t6 + 72t5 t 82t3 + 43t2 + 90t1 t Reduce: replace (❝✐ t

✐

(3❝✐)t✐, obtaining t t 64t3 32t2 + 48t1 t Carry: 8t6 4t5 t 1t3 + 2t2 + 2t1 3t

♣ 1000003. ❛ ❜ ✑ ❜ 3❛. ✁ 265358 ✑

• ❜ ❛

❢ ❀ ❀ ✿ ✿ ✿ ❀ ♣ 1❣ few ♣’s:

• ✑

Hmmm, is adjustment so easy? Conditional branches are slow. (Also dangerous for defenders: branch timing leaks secrets.) Can eliminate the branches, but adjustment isn’t free. Speedup: Skip the adjustment for intermediate results. “Lazy reduction.” Adjust only for output. ❜ 3❛ is small enough to continue computations. Can delay carries until after multiplication by 3. e.g. To square 314159 in Z❂1000003: Square poly 3t5 + 1t4 + 4t3 + 1t2 + 5t1 + t

• btaining 9t10 + 6t9 + 25t8 +

14t7 + 48t6 + 72t5 + 59t4 + 82t3 + 43t2 + 90t1 + 81t0. Reduce: replace (❝✐)t6+✐ by (3❝✐)t✐, obtaining 72t5 + 32t 64t3 32t2 + 48t1 63t0. Carry: 8t6 4t5 2t4 + 1t3 + 2t2 + 2t1 3t0.

Hmmm, is adjustment so easy? Conditional branches are slow. (Also dangerous for defenders: branch timing leaks secrets.) Can eliminate the branches, but adjustment isn’t free. Speedup: Skip the adjustment for intermediate results. “Lazy reduction.” Adjust only for output. ❜ 3❛ is small enough to continue computations. Can delay carries until after multiplication by 3. e.g. To square 314159 in Z❂1000003: Square poly 3t5 + 1t4 + 4t3 + 1t2 + 5t1 + 9t0,

• btaining 9t10 + 6t9 + 25t8 +

14t7 + 48t6 + 72t5 + 59t4 + 82t3 + 43t2 + 90t1 + 81t0. Reduce: replace (❝✐)t6+✐ by (3❝✐)t✐, obtaining 72t5 + 32t4 + 64t3 32t2 + 48t1 63t0. Carry: 8t6 4t5 2t4 + 1t3 + 2t2 + 2t1 3t0.

Hmmm, is adjustment so easy? Conditional branches are slow. dangerous for defenders: timing leaks secrets.) eliminate the branches, adjustment isn’t free. eedup: Skip the adjustment intermediate results. reduction.”

• nly for output.

❜ ❛ is small enough continue computations. Can delay carries until after multiplication by 3. e.g. To square 314159 in Z❂1000003: Square poly 3t5 + 1t4 + 4t3 + 1t2 + 5t1 + 9t0,

• btaining 9t10 + 6t9 + 25t8 +

14t7 + 48t6 + 72t5 + 59t4 + 82t3 + 43t2 + 90t1 + 81t0. Reduce: replace (❝✐)t6+✐ by (3❝✐)t✐, obtaining 72t5 + 32t4 + 64t3 32t2 + 48t1 63t0. Carry: 8t6 4t5 2t4 + 1t3 + 2t2 + 2t1 3t0. To minimize mix reduction carrying e.g. Star t t 25t8 + 14t t t t 82t3 + 43t t t Reduce t ✦ t t ✦ t5 ✦ t6: t t t t 5t5+2t4 t t t t Finish reduction: t t 64t3 32t t t t0 ✦ t1 ✦ t ✦ t ✦ t ✦ t 4t5 2t t t t t

adjustment so easy? ranches are slow. for defenders: leaks secrets.) the branches, isn’t free. the adjustment results. reduction.”

• utput.

❜ ❛ enough computations. Can delay carries until after multiplication by 3. e.g. To square 314159 in Z❂1000003: Square poly 3t5 + 1t4 + 4t3 + 1t2 + 5t1 + 9t0,

• btaining 9t10 + 6t9 + 25t8 +

14t7 + 48t6 + 72t5 + 59t4 + 82t3 + 43t2 + 90t1 + 81t0. Reduce: replace (❝✐)t6+✐ by (3❝✐)t✐, obtaining 72t5 + 32t4 + 64t3 32t2 + 48t1 63t0. Carry: 8t6 4t5 2t4 + 1t3 + 2t2 + 2t1 3t0. To minimize poly degree, mix reduction and carrying the top so e.g. Start from squa t t 25t8 + 14t7 + 48t6 t t 82t3 + 43t2 + 90t1 t Reduce t10 ✦ t4 and t ✦ t5 ✦ t6: 6t9+25t8 t t 5t5+2t4+82t3+43t t t Finish reduction: t t 64t3 32t2 + 48t1 t t0 ✦ t1 ✦ t2 ✦ t ✦ t ✦ t 4t5 2t4 + 1t3 + t t t

easy? slow. defenders: secrets.) ranches, adjustment ❜ ❛ Can delay carries until after multiplication by 3. e.g. To square 314159 in Z❂1000003: Square poly 3t5 + 1t4 + 4t3 + 1t2 + 5t1 + 9t0,

• btaining 9t10 + 6t9 + 25t8 +

14t7 + 48t6 + 72t5 + 59t4 + 82t3 + 43t2 + 90t1 + 81t0. Reduce: replace (❝✐)t6+✐ by (3❝✐)t✐, obtaining 72t5 + 32t4 + 64t3 32t2 + 48t1 63t0. Carry: 8t6 4t5 2t4 + 1t3 + 2t2 + 2t1 3t0. To minimize poly degree, mix reduction and carrying, carrying the top sooner. e.g. Start from square 9t10 + t 25t8 + 14t7 + 48t6 + 72t5 + 59t 82t3 + 43t2 + 90t1 + 81t0. Reduce t10 ✦ t4 and carry t ✦ t5 ✦ t6: 6t9+25t8+14t7+56t 5t5+2t4+82t3+43t2+90t1+ t Finish reduction: 5t5 + 2t4 64t3 32t2 + 48t1 87t0. t0 ✦ t1 ✦ t2 ✦ t3 ✦ t4 ✦ t 4t5 2t4 + 1t3 + 2t2 1t1 t

Can delay carries until after multiplication by 3. e.g. To square 314159 in Z❂1000003: Square poly 3t5 + 1t4 + 4t3 + 1t2 + 5t1 + 9t0,

• btaining 9t10 + 6t9 + 25t8 +

14t7 + 48t6 + 72t5 + 59t4 + 82t3 + 43t2 + 90t1 + 81t0. Reduce: replace (❝✐)t6+✐ by (3❝✐)t✐, obtaining 72t5 + 32t4 + 64t3 32t2 + 48t1 63t0. Carry: 8t6 4t5 2t4 + 1t3 + 2t2 + 2t1 3t0. To minimize poly degree, mix reduction and carrying, carrying the top sooner. e.g. Start from square 9t10 +6t9 + 25t8 + 14t7 + 48t6 + 72t5 + 59t4 + 82t3 + 43t2 + 90t1 + 81t0. Reduce t10 ✦ t4 and carry t4 ✦ t5 ✦ t6: 6t9+25t8+14t7+56t6 5t5+2t4+82t3+43t2+90t1+81t0. Finish reduction: 5t5 + 2t4 + 64t3 32t2 + 48t1 87t0. Carry t0 ✦ t1 ✦ t2 ✦ t3 ✦ t4 ✦ t5: 4t5 2t4 + 1t3 + 2t2 1t1 + 3t0.

delay carries until after multiplication by 3.

• square 314159

❂1000003: Square poly t 1t4 + 4t3 + 1t2 + 5t1 + 9t0,

• btaining 9t10 + 6t9 + 25t8 +

t 48t6 + 72t5 + 59t4 + t 43t2 + 90t1 + 81t0. Reduce: replace (❝✐)t6+✐ by ❝✐)t✐, obtaining 72t5 + 32t4 + t 32t2 + 48t1 63t0. 8t6 4t5 2t4 + t 2t2 + 2t1 3t0. To minimize poly degree, mix reduction and carrying, carrying the top sooner. e.g. Start from square 9t10 +6t9 + 25t8 + 14t7 + 48t6 + 72t5 + 59t4 + 82t3 + 43t2 + 90t1 + 81t0. Reduce t10 ✦ t4 and carry t4 ✦ t5 ✦ t6: 6t9+25t8+14t7+56t6 5t5+2t4+82t3+43t2+90t1+81t0. Finish reduction: 5t5 + 2t4 + 64t3 32t2 + 48t1 87t0. Carry t0 ✦ t1 ✦ t2 ✦ t3 ✦ t4 ✦ t5: 4t5 2t4 + 1t3 + 2t2 1t1 + 3t0. Speedup: ♣ = 261 Five coeffs ❢4t4 + ❢ t ❢ t ❢ t ❢ t Most coeffs Square ✁ ✁ ✁ ❢ ❢ ❢ ❢ t ✁ ✁ ✁ Coeff of t ❃ Reduce: ❂

• ✁ ✁ ✁ + (25 ❢ ❢

❢ ❢ ❢ t Coeff could ❃ Very little additions,

• n 32-bit

rries until after 3. 314159 ❂ Square poly t t t + 1t2 + 5t1 + 9t0, t 6t9 + 25t8 + t t 72t5 + 59t4 + t t 90t1 + 81t0. (❝✐)t6+✐ by ❝✐ t✐ obtaining 72t5 + 32t4 + t t 48t1 63t0. t t 2t4 + t t t 3t0. To minimize poly degree, mix reduction and carrying, carrying the top sooner. e.g. Start from square 9t10 +6t9 + 25t8 + 14t7 + 48t6 + 72t5 + 59t4 + 82t3 + 43t2 + 90t1 + 81t0. Reduce t10 ✦ t4 and carry t4 ✦ t5 ✦ t6: 6t9+25t8+14t7+56t6 5t5+2t4+82t3+43t2+90t1+81t0. Finish reduction: 5t5 + 2t4 + 64t3 32t2 + 48t1 87t0. Carry t0 ✦ t1 ✦ t2 ✦ t3 ✦ t4 ✦ t5: 4t5 2t4 + 1t3 + 2t2 1t1 + 3t0. Speedup: non-integer ♣ = 261 1. Five coeffs in radix ❢4t4 + ❢3t3 + ❢2t2 ❢ t ❢ t Most coeffs could Square ✁ ✁ ✁+2(❢4❢1 ❢ ❢ t ✁ ✁ ✁ Coeff of t5 could b ❃ Reduce: 265 = 24 ❂

• ✁ ✁ ✁ + (25(❢4❢1 + ❢ ❢

❢ t Coeff could be ❃ 2 Very little room fo additions, delayed

• n 32-bit platforms.

fter ❂

• ly

t t t t t1 + 9t0, t t t8 + t t t t + t t t t . ❝✐ t

✐

y ❝✐ t✐ t 32t4 + t t t t . t t t t t t t To minimize poly degree, mix reduction and carrying, carrying the top sooner. e.g. Start from square 9t10 +6t9 + 25t8 + 14t7 + 48t6 + 72t5 + 59t4 + 82t3 + 43t2 + 90t1 + 81t0. Reduce t10 ✦ t4 and carry t4 ✦ t5 ✦ t6: 6t9+25t8+14t7+56t6 5t5+2t4+82t3+43t2+90t1+81t0. Finish reduction: 5t5 + 2t4 + 64t3 32t2 + 48t1 87t0. Carry t0 ✦ t1 ✦ t2 ✦ t3 ✦ t4 ✦ t5: 4t5 2t4 + 1t3 + 2t2 1t1 + 3t0. Speedup: non-integer radix ♣ = 261 1. Five coeffs in radix 213? ❢4t4 + ❢3t3 + ❢2t2 + ❢1t1 + ❢ t Most coeffs could be 212. Square ✁ ✁ ✁+2(❢4❢1+❢3❢2)t5 ✁ ✁ ✁ Coeff of t5 could be ❃ 225. Reduce: 265 = 24 in Z❂(261 ✁ ✁ ✁ + (25(❢4❢1 + ❢3❢2) + ❢2

0 t

Coeff could be ❃ 229. Very little room for additions, delayed carries, etc.

• n 32-bit platforms.

To minimize poly degree, mix reduction and carrying, carrying the top sooner. e.g. Start from square 9t10 +6t9 + 25t8 + 14t7 + 48t6 + 72t5 + 59t4 + 82t3 + 43t2 + 90t1 + 81t0. Reduce t10 ✦ t4 and carry t4 ✦ t5 ✦ t6: 6t9+25t8+14t7+56t6 5t5+2t4+82t3+43t2+90t1+81t0. Finish reduction: 5t5 + 2t4 + 64t3 32t2 + 48t1 87t0. Carry t0 ✦ t1 ✦ t2 ✦ t3 ✦ t4 ✦ t5: 4t5 2t4 + 1t3 + 2t2 1t1 + 3t0. Speedup: non-integer radix ♣ = 261 1. Five coeffs in radix 213? ❢4t4 + ❢3t3 + ❢2t2 + ❢1t1 + ❢0t0. Most coeffs could be 212. Square ✁ ✁ ✁+2(❢4❢1+❢3❢2)t5+✁ ✁ ✁. Coeff of t5 could be ❃ 225. Reduce: 265 = 24 in Z❂(261 1); ✁ ✁ ✁ + (25(❢4❢1 + ❢3❢2) + ❢2

0 )t0.

Coeff could be ❃ 229. Very little room for additions, delayed carries, etc.

• n 32-bit platforms.

minimize poly degree, reduction and carrying, rrying the top sooner. Start from square 9t10 +6t9 + t 14t7 + 48t6 + 72t5 + 59t4 + t 43t2 + 90t1 + 81t0. Reduce t10 ✦ t4 and carry t4 ✦ t ✦ t6: 6t9+25t8+14t7+56t6 t t4+82t3+43t2+90t1+81t0. reduction: 5t5 + 2t4 + t 32t2 + 48t1 87t0. Carry t ✦ t1 ✦ t2 ✦ t3 ✦ t4 ✦ t5: t 2t4 + 1t3 + 2t2 1t1 + 3t0. Speedup: non-integer radix ♣ = 261 1. Five coeffs in radix 213? ❢4t4 + ❢3t3 + ❢2t2 + ❢1t1 + ❢0t0. Most coeffs could be 212. Square ✁ ✁ ✁+2(❢4❢1+❢3❢2)t5+✁ ✁ ✁. Coeff of t5 could be ❃ 225. Reduce: 265 = 24 in Z❂(261 1); ✁ ✁ ✁ + (25(❢4❢1 + ❢3❢2) + ❢2

0 )t0.

Coeff could be ❃ 229. Very little room for additions, delayed carries, etc.

• n 32-bit platforms.

Scaled: Evaluate t ❢4 is multiple ❢3 is multiple ❢2 is multiple ❢1 is multiple ❢0 is multiple ✁ ✁ ✁ + (2 ❢ ❢ ❢ ❢ ❢ t Better: Non-integer

✿

❢4 is multiple ❢3 is multiple ❢2 is multiple ❢1 is multiple ❢0 is multiple Saves a f

• ly degree,

and carrying, sooner. square 9t10 +6t9 + t t t6 + 72t5 + 59t4 + t t 90t1 + 81t0. t ✦ t and carry t4 ✦ t ✦ t t 25t8+14t7+56t6 t t t 43t2+90t1+81t0. reduction: 5t5 + 2t4 + t t 48t1 87t0. Carry t ✦ t ✦ t ✦ t3 ✦ t4 ✦ t5: t t t + 2t2 1t1 + 3t0. Speedup: non-integer radix ♣ = 261 1. Five coeffs in radix 213? ❢4t4 + ❢3t3 + ❢2t2 + ❢1t1 + ❢0t0. Most coeffs could be 212. Square ✁ ✁ ✁+2(❢4❢1+❢3❢2)t5+✁ ✁ ✁. Coeff of t5 could be ❃ 225. Reduce: 265 = 24 in Z❂(261 1); ✁ ✁ ✁ + (25(❢4❢1 + ❢3❢2) + ❢2

0 )t0.

Coeff could be ❃ 229. Very little room for additions, delayed carries, etc.

• n 32-bit platforms.

Scaled: Evaluate at t ❢4 is multiple of 252 ❢3 is multiple of 239 ❢2 is multiple of 226 ❢1 is multiple of 213 ❢0 is multiple of 20 ✁ ✁ ✁ + (260(❢4❢1 + ❢ ❢ ❢ t Better: Non-integer

✿

❢4 is multiple of 249 ❢3 is multiple of 237 ❢2 is multiple of 225 ❢1 is multiple of 213 ❢0 is multiple of 20 Saves a few bits in

rrying, t +6t9 + t t t t + 59t4 + t t t t . t ✦ t rry t4 ✦ t ✦ t t t t +56t6 t t t t t1+81t0. t 2t4 + t t t t . Carry t ✦ t ✦ t ✦ t ✦ t ✦ t5: t t t t t1 + 3t0. Speedup: non-integer radix ♣ = 261 1. Five coeffs in radix 213? ❢4t4 + ❢3t3 + ❢2t2 + ❢1t1 + ❢0t0. Most coeffs could be 212. Square ✁ ✁ ✁+2(❢4❢1+❢3❢2)t5+✁ ✁ ✁. Coeff of t5 could be ❃ 225. Reduce: 265 = 24 in Z❂(261 1); ✁ ✁ ✁ + (25(❢4❢1 + ❢3❢2) + ❢2

0 )t0.

Coeff could be ❃ 229. Very little room for additions, delayed carries, etc.

• n 32-bit platforms.

Scaled: Evaluate at t = 1. ❢4 is multiple of 252; ❢3 is multiple of 239; ❢2 is multiple of 226; ❢1 is multiple of 213; ❢0 is multiple of 20. Reduce: ✁ ✁ ✁ + (260(❢4❢1 + ❢3❢2) + ❢ t Better: Non-integer radix 212✿ ❢4 is multiple of 249; ❢3 is multiple of 237; ❢2 is multiple of 225; ❢1 is multiple of 213; ❢0 is multiple of 20. Saves a few bits in coeffs.

Speedup: non-integer radix ♣ = 261 1. Five coeffs in radix 213? ❢4t4 + ❢3t3 + ❢2t2 + ❢1t1 + ❢0t0. Most coeffs could be 212. Square ✁ ✁ ✁+2(❢4❢1+❢3❢2)t5+✁ ✁ ✁. Coeff of t5 could be ❃ 225. Reduce: 265 = 24 in Z❂(261 1); ✁ ✁ ✁ + (25(❢4❢1 + ❢3❢2) + ❢2

0 )t0.

Coeff could be ❃ 229. Very little room for additions, delayed carries, etc.

• n 32-bit platforms.

Scaled: Evaluate at t = 1. ❢4 is multiple of 252; ❢3 is multiple of 239; ❢2 is multiple of 226; ❢1 is multiple of 213; ❢0 is multiple of 20. Reduce: ✁ ✁ ✁ + (260(❢4❢1 + ❢3❢2) + ❢2

0 )t0.

Better: Non-integer radix 212✿2. ❢4 is multiple of 249; ❢3 is multiple of 237; ❢2 is multiple of 225; ❢1 is multiple of 213; ❢0 is multiple of 20. Saves a few bits in coeffs.