http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. - - PowerPoint PPT Presentation



SLIDE 1
  • D. J. Bernstein & T. Lange

http://hyperelliptic.org/tanja/newelliptic

– p. 1

SLIDE 2

Elliptic strikes back

SLIDE 3

To face the challenge, to take the competition to a completely new level . . .

SLIDE 4

. . . elliptic has to reconsider its form . . .

SLIDE 5

. . . has to abstract from its Weierstrass form . . .

SLIDE 6

. . . has to undergo severe isomorphic transformations . . .

SLIDE 7

. . . until it finds . . .

SLIDE 8

. . . its true . . .

SLIDE 9

. . . normal form!

SLIDE 10

Long, long ago . . .

SLIDE 11

Euler 1761

“Observationes de Comparatione Arcuum Curvarum Irrectificabilium”

$$\frac{1}{y^2} = \frac{1 - nx^2}{1 - x^2} \iff x^2 + y^2 = 1 + nx^2y^2.$$

SLIDE 12

Euler 1761

Euler gives doubling and (special) addition for (a, A) on

$$a^2 + A^2 = 1 - a^2A^2.$$

SLIDE 13

Gauss, posthumously

Gauss gives general addition for arbitrary points on

$$1 = s^2 + c^2 + s^2c^2.$$

SLIDE 14

Ex uno plura

Harold M. Edwards, Bulletin of the AMS, 44, 393–422, 2007

$$x^2 + y^2 = a^2(1 + x^2y^2), \quad a^5 \neq a$$

describes an elliptic curve over field k of odd characteristic. Every elliptic curve can be written in this form – over some extension field. Ur-elliptic curve

$$x^2 + y^2 = 1 - x^2y^2$$

needs $\sqrt{-1} \in k$ for the transform. Edwards gives addition law for this generalized form, shows equivalence with Weierstrass form, proves addition law, gives theta parameterization . . .

SLIDE 17

Elliptic geared for crypto

Introduce further parameter d to cover more curves over k

$$x^2 + y^2 = c^2(1 + dx^2y^2), \quad c, d \neq 0, \quad dc^4 \neq 1.$$

$$P + Q = \left( \frac{x_P y_Q + y_P x_Q}{c(1 + d x_P x_Q y_P y_Q)},\ \frac{y_P y_Q - x_P x_Q}{c(1 - d x_P x_Q y_P y_Q)} \right).$$

Neutral element is (0, c), this is an affine point!

$$-(x_P, y_P) = (-x_P, y_P).$$

$$[2]P = \left( \frac{x_P y_P + y_P x_P}{c(1 + d x_P x_P y_P y_P)},\ \frac{y_P y_P - x_P x_P}{c(1 - d x_P x_P y_P y_P)} \right).$$

Unified group operations!

SLIDE 19

Elliptic geared for crypto

Introduce further parameter d to cover more curves over k

$$x^2 + y^2 = c^2(1 + dx^2y^2), \quad c, d \neq 0, \quad dc^4 \neq 1.$$

$$P + Q = \left( \frac{x_P y_Q + y_P x_Q}{c(1 + d x_P x_Q y_P y_Q)},\ \frac{y_P y_Q - x_P x_Q}{c(1 - d x_P x_Q y_P y_Q)} \right).$$

$A = Z_P \cdot Z_Q$; $B = A^2$; $C = X_P \cdot X_Q$; $D = Y_P \cdot Y_Q$; $E = d \cdot C \cdot D$; $F = B - E$; $G = B + E$;
$X_{P+Q} = A \cdot F \cdot ((X_P + Y_P) \cdot (X_Q + Y_Q) - C - D)$;
$Y_{P+Q} = A \cdot G \cdot (D - C)$;
$Z_{P+Q} = c \cdot F \cdot G$.

Needs 10M + 1S + 1C + 1D + 7A. At least one of c, d small: $x^2 + y^2 = c^2(1 + dx^2y^2)$ and $x^2 + y^2 = \bar{c}^2(1 + \bar{d}x^2y^2)$ isomorphic if $c^4 d = \bar{c}^4 \bar{d}$. $\bar{c}^4 \bar{d} = (c^4 d)^{-1}$ gives quadratic twist.

SLIDE 20

Unified? Unified!

No exceptional cases? What if a denominator is zero?

If d is not a square then Edwards addition law is complete: For $x_1^2 + y_1^2 = 1 + dx_1^2y_1^2$ and $x_2^2 + y_2^2 = 1 + dx_2^2y_2^2$ always $dx_1x_2y_1y_2 \neq \pm 1$.

Outline of proof: If $(dx_1x_2y_1y_2)^2 = 1$ then $(x_1 + dx_1x_2y_1y_2 \, y_1)^2 = dx_1^2y_1^2(x_2 + y_2)^2$. Conclude that d is a square. But d is not a square!

If d is not a square then there is exactly one point of order 2 and two of order 4. Otherwise the full 2-torsion group is k-rational.

Plane curve has 2 singular points at infinity; their blow-ups are defined over $k(\sqrt{d})$ and have order 2.

SLIDE 21

Fastest unified addition-or-doubling formula

| System | Cost of unified addition-or-doubling |
|---|---|
| Projective | 11M+6S+1D; see Brier/Joye ’03 |
| Projective if $a_4 = -1$ | 13M+3S; see Brier/Joye ’02 |
| Jacobi intersection | 13M+2S+1D; see Liardet/Smart ’01 |
| Jacobi quartic | 10M+3S+1D; see Billet/Joye ’01 |
| Hessian | 12M; see Joye/Quisquater ’01 |
| Edwards (c = 1) | 10M+1S+1D |

Exactly the same formulae for doubling (no re-arrangement like in Hessian where

$$2(X_1 : Y_1 : Z_1) = (Z_1 : X_1 : Y_1) + (Y_1 : Z_1 : X_1);$$

no if-else).

No exceptional cases if d is not a square. Formulae correct for all affine inputs (incl. (0, c), P + (−P)).
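The completeness claim and the projective formulas can be checked exhaustively on a toy field. This is an added example, not code from the slides; the prime 13, c = 2 and the two values of d are constructed assumptions chosen so that one d is a non-square and the other a square.

```python
# Toy check of the Edwards addition law on x^2 + y^2 = c^2 (1 + d x^2 y^2).
# P = 13 and c = 2 are constructed values for illustration, far too small for real use.
P, c = 13, 2

def points(d):
    """All affine points of the curve over F_P for the given d."""
    return [(x, y) for x in range(P) for y in range(P)
            if (x*x + y*y - c*c*(1 + d*x*x*y*y)) % P == 0]

def add(p, q, d):
    """Affine law from the slides; the same code serves P+Q, [2]P, P+(0,c), P+(-P)."""
    (x1, y1), (x2, y2) = p, q
    t = d * x1 * x2 * y1 * y2
    # pow(v, -1, P) raises ValueError when v is 0 mod P (Python 3.8+)
    x3 = (x1*y2 + y1*x2) * pow(c * (1 + t), -1, P)
    y3 = (y1*y2 - x1*x2) * pow(c * (1 - t), -1, P)
    return (x3 % P, y3 % P)

def add_projective(p, q, d):
    """Projective formulas from the slides, on points (X : Y : Z)."""
    (X1, Y1, Z1), (X2, Y2, Z2) = p, q
    A = Z1 * Z2; B = A * A; C = X1 * X2; D = Y1 * Y2
    E = d * C * D; F = B - E; G = B + E
    X3 = A * F * ((X1 + Y1) * (X2 + Y2) - C - D)
    Y3 = A * G * (D - C)
    Z3 = c * F * G
    return (X3 % P, Y3 % P, Z3 % P)

def to_affine(p):
    X, Y, Z = p
    zi = pow(Z, -1, P)
    return (X * zi % P, Y * zi % P)

def exceptional_pairs(d):
    """Pairs of curve points with d*x1*x2*y1*y2 = +-1, where a denominator vanishes."""
    pts = points(d)
    return [(p, q) for p in pts for q in pts
            if (d * p[0] * q[0] * p[1] * q[1]) % P in (1, P - 1)]

if __name__ == "__main__":
    for d in (2, 10):  # 2 is a non-square mod 13; 10 = 6^2 is a square
        print("d =", d, "points:", len(points(d)),
              "exceptional pairs:", len(exceptional_pairs(d)))
```

With the non-square d every pair of inputs goes through the same arithmetic, which is why an implementation needs no input-dependent branch; with the square d the doubling of (8, 10) already hits a zero denominator.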

SLIDE 22

Spotlight on the transformation

Curve $x^2 + y^2 = c^2(1 + dx^2y^2)$ in Edwards form is birationally equivalent to curve

$$E : (1/e)v^2 = u^3 + (4/e - 2)u^2 + u$$

in Montgomery form, where $e = 1 - dc^4$. Let $(x_1, y_1) + (x_2, y_2) = (x_3, y_3)$ on Edwards curve. Put

$P_i = \infty$ if $(x_i, y_i) = (0, c)$;
$P_i = (0, 0)$ if $(x_i, y_i) = (0, -c)$;
$P_i = (u_i, v_i)$ if $x_i \neq 0$, where $u_i = (c + y_i)/(c - y_i)$ and $v_i = 2c(c + y_i)/((c - y_i)x_i)$.

Then $P_i \in E(k)$ and $P_1 + P_2 = P_3$.
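The map above can be verified point by point on a toy curve, which also shows the case analysis that chord-and-tangent addition on E needs and the Edwards law does not. This is an added example, not code from the slides; the values P = 13, c = 2, d = 2 and all function names are constructed assumptions.

```python
# Edwards -> Montgomery map from the slide, checked on a toy curve.
# P, c, d are constructed values (d = 2 is a non-square mod 13).
P, c, d = 13, 2, 2
INF = None  # point at infinity on E

def inv(a):
    return pow(a, -1, P)  # modular inverse, Python 3.8+

e = (1 - d * c**4) % P
B, A = inv(e), (4 * inv(e) - 2) % P  # E: B v^2 = u^3 + A u^2 + u

def edwards_points():
    return [(x, y) for x in range(P) for y in range(P)
            if (x*x + y*y - c*c*(1 + d*x*x*y*y)) % P == 0]

def edwards_add(p, q):
    (x1, y1), (x2, y2) = p, q
    t = d * x1 * x2 * y1 * y2
    return ((x1*y2 + y1*x2) * inv(c * (1 + t)) % P,
            (y1*y2 - x1*x2) * inv(c * (1 - t)) % P)

def to_montgomery(pt):
    x, y = pt
    if x == 0:  # (0, c) -> infinity, (0, -c) -> (0, 0)
        return INF if y == c else (0, 0)
    u = (c + y) * inv(c - y) % P
    v = 2 * c * (c + y) * inv((c - y) * x) % P
    return (u, v)

def on_montgomery(pt):
    if pt is INF:
        return True
    u, v = pt
    return (B*v*v - (u**3 + A*u*u + u)) % P == 0

def montgomery_add(p, q):
    """Chord-and-tangent addition on E, with the case analysis it needs."""
    if p is INF or q is INF:
        return q if p is INF else p
    (u1, v1), (u2, v2) = p, q
    if u1 == u2 and (v1 + v2) % P == 0:
        return INF  # Q = -P, including doubling a point with v = 0
    if u1 == u2:
        lam = (3*u1*u1 + 2*A*u1 + 1) * inv(2*B*v1) % P  # tangent
    else:
        lam = (v2 - v1) * inv(u2 - u1) % P  # chord
    u3 = (B*lam*lam - A - u1 - u2) % P
    return (u3, (lam * (u1 - u3) - v1) % P)
```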
