Hyper-and-elliptic-curve cryptography (which is not the same as: - - PowerPoint PPT Presentation

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange Technische Universiteit Eindhoven “Through our inefficient use of energy (gas guzzling vehicles, badly insulated buildings, poorly optimized crypto, etc) we needlessly throw away almost a third of the energy we use.” —Greenpeace UK

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange Technische Universiteit Eindhoven “Through our inefficient use of energy (gas guzzling vehicles, badly insulated buildings, poorly optimized crypto, etc) we needlessly throw away almost a third of the energy we use.” —Greenpeace UK (mostly)

er-and-elliptic-curve cryptography is not the same as: erelliptic-curve cryptography elliptic-curve cryptography)

• J. Bernstein

University of Illinois at Chicago & echnische Universiteit Eindhoven Lange echnische Universiteit Eindhoven “Through our inefficient use of energy (gas guzzling vehicles, badly insulated buildings, poorly optimized crypto, etc) we needlessly throw away almost a third of the energy we use.” —Greenpeace UK (mostly) DH speed Sandy Bridge security ❛❀ P ✼✦ ❛P (“?” if not 2011 Bernstein–Duif–Lange– Schwabe–Y 2012 Hamburg: 2012 Longa–Sica: 2013 Bos–Costello–Hisil– Lauter: 2013 Oliveira–L´ Rodr´ ıguez-Henr 2013 Faz-Hern S´ anchez: 2014 Bernstein–Chuengsatiansup– Lange–Schw

er-and-elliptic-curve the same as: erelliptic-curve cryptography elliptic-curve cryptography) Bernstein Illinois at Chicago & Universiteit Eindhoven Universiteit Eindhoven “Through our inefficient use of energy (gas guzzling vehicles, badly insulated buildings, poorly optimized crypto, etc) we needlessly throw away almost a third of the energy we use.” —Greenpeace UK (mostly) DH speed records Sandy Bridge cycles security constant-time ❛❀ P ✼✦ ❛P (“?” if not SUPERCOP-verified): 2011 Bernstein–Duif–Lange– Schwabe–Yang: 2012 Hamburg: 2012 Longa–Sica: 2013 Bos–Costello–Hisil– Lauter: 2013 Oliveira–L´

• pez–Aranha–

Rodr´ ıguez-Henr´ ıquez: 2013 Faz-Hern´ andez–Longa– S´ anchez: 2014 Bernstein–Chuengsatiansup– Lange–Schwabe:

as: cryptography cryptography) Chicago & Eindhoven Eindhoven “Through our inefficient use of energy (gas guzzling vehicles, badly insulated buildings, poorly optimized crypto, etc) we needlessly throw away almost a third of the energy we use.” —Greenpeace UK (mostly) DH speed records Sandy Bridge cycles for high- security constant-time ❛❀ P ✼✦ ❛P (“?” if not SUPERCOP-verified): 2011 Bernstein–Duif–Lange– Schwabe–Yang: 194036 2012 Hamburg: 153000? 2012 Longa–Sica: 137000? 2013 Bos–Costello–Hisil– Lauter: 122716 2013 Oliveira–L´

• pez–Aranha–

Rodr´ ıguez-Henr´ ıquez: 114800? 2013 Faz-Hern´ andez–Longa– S´ anchez: 96000? 2014 Bernstein–Chuengsatiansup– Lange–Schwabe: 91320

“Through our inefficient use of energy (gas guzzling vehicles, badly insulated buildings, poorly optimized crypto, etc) we needlessly throw away almost a third of the energy we use.” —Greenpeace UK (mostly) DH speed records Sandy Bridge cycles for high- security constant-time ❛❀ P ✼✦ ❛P (“?” if not SUPERCOP-verified): 2011 Bernstein–Duif–Lange– Schwabe–Yang: 194036 2012 Hamburg: 153000? 2012 Longa–Sica: 137000? 2013 Bos–Costello–Hisil– Lauter: 122716 2013 Oliveira–L´

• pez–Aranha–

Rodr´ ıguez-Henr´ ıquez: 114800? 2013 Faz-Hern´ andez–Longa– S´ anchez: 96000? 2014 Bernstein–Chuengsatiansup– Lange–Schwabe: 91320

“Through our inefficient use of (gas guzzling vehicles, insulated buildings,

• ptimized crypto, etc)

needlessly throw away almost

• f the energy we use.”

—Greenpeace UK (mostly) DH speed records Sandy Bridge cycles for high- security constant-time ❛❀ P ✼✦ ❛P (“?” if not SUPERCOP-verified): 2011 Bernstein–Duif–Lange– Schwabe–Yang: 194036 2012 Hamburg: 153000? 2012 Longa–Sica: 137000? 2013 Bos–Costello–Hisil– Lauter: 122716 2013 Oliveira–L´

• pez–Aranha–

Rodr´ ıguez-Henr´ ıquez: 114800? 2013 Faz-Hern´ andez–Longa– S´ anchez: 96000? 2014 Bernstein–Chuengsatiansup– Lange–Schwabe: 91320 Critical fo 1986 Chudnovsky–Chudnovsky: traditional allows fa 14M for ❳ P ✼✦ ❳ P 2006 Gaudry: 25M for ❳ P ❀ ❳ ◗ ❀ ❳ ◗ P ✼✦ ❳(2P ❀ ❳ ◗ P 6M by surface 2012 Gaudry–Schost: 1000000-CPU-hour found secure surface over

inefficient use of guzzling vehicles, buildings,

• ptimized crypto, etc)

throw away almost energy we use.” UK (mostly) DH speed records Sandy Bridge cycles for high- security constant-time ❛❀ P ✼✦ ❛P (“?” if not SUPERCOP-verified): 2011 Bernstein–Duif–Lange– Schwabe–Yang: 194036 2012 Hamburg: 153000? 2012 Longa–Sica: 137000? 2013 Bos–Costello–Hisil– Lauter: 122716 2013 Oliveira–L´

• pez–Aranha–

Rodr´ ıguez-Henr´ ıquez: 114800? 2013 Faz-Hern´ andez–Longa– S´ anchez: 96000? 2014 Bernstein–Chuengsatiansup– Lange–Schwabe: 91320 Critical for 122716, 1986 Chudnovsky–Chudnovsky: traditional Kummer allows fast scalar mult. 14M for ❳(P) ✼✦ ❳ P 2006 Gaudry: even 25M for ❳(P)❀ ❳(◗ ❀ ❳ ◗ P ✼✦ ❳(2P)❀ ❳(◗ + P 6M by surface coefficients. 2012 Gaudry–Schost: 1000000-CPU-hour found secure small-co surface over F2127

use of vehicles, , etc) almost use.” (mostly) DH speed records Sandy Bridge cycles for high- security constant-time ❛❀ P ✼✦ ❛P (“?” if not SUPERCOP-verified): 2011 Bernstein–Duif–Lange– Schwabe–Yang: 194036 2012 Hamburg: 153000? 2012 Longa–Sica: 137000? 2013 Bos–Costello–Hisil– Lauter: 122716 2013 Oliveira–L´

• pez–Aranha–

Rodr´ ıguez-Henr´ ıquez: 114800? 2013 Faz-Hern´ andez–Longa– S´ anchez: 96000? 2014 Bernstein–Chuengsatiansup– Lange–Schwabe: 91320 Critical for 122716, 91320: 1986 Chudnovsky–Chudnovsky: traditional Kummer surface allows fast scalar mult. 14M for ❳(P) ✼✦ ❳(2P). 2006 Gaudry: even faster. 25M for ❳(P)❀ ❳(◗)❀ ❳(◗ P ✼✦ ❳(2P)❀ ❳(◗ + P), including 6M by surface coefficients. 2012 Gaudry–Schost: 1000000-CPU-hour computation found secure small-coefficient surface over F21271.

DH speed records Sandy Bridge cycles for high- security constant-time ❛❀ P ✼✦ ❛P (“?” if not SUPERCOP-verified): 2011 Bernstein–Duif–Lange– Schwabe–Yang: 194036 2012 Hamburg: 153000? 2012 Longa–Sica: 137000? 2013 Bos–Costello–Hisil– Lauter: 122716 2013 Oliveira–L´

• pez–Aranha–

Rodr´ ıguez-Henr´ ıquez: 114800? 2013 Faz-Hern´ andez–Longa– S´ anchez: 96000? 2014 Bernstein–Chuengsatiansup– Lange–Schwabe: 91320 Critical for 122716, 91320: 1986 Chudnovsky–Chudnovsky: traditional Kummer surface allows fast scalar mult. 14M for ❳(P) ✼✦ ❳(2P). 2006 Gaudry: even faster. 25M for ❳(P)❀ ❳(◗)❀ ❳(◗ P) ✼✦ ❳(2P)❀ ❳(◗ + P), including 6M by surface coefficients. 2012 Gaudry–Schost: 1000000-CPU-hour computation found secure small-coefficient surface over F21271.

eed records Bridge cycles for high- y constant-time ❛❀ P ✼✦ ❛P if not SUPERCOP-verified): Bernstein–Duif–Lange– abe–Yang: 194036 Hamburg: 153000? Longa–Sica: 137000? Bos–Costello–Hisil– Lauter: 122716 Oliveira–L´

• pez–Aranha–

ıguez-Henr´ ıquez: 114800? az-Hern´ andez–Longa– anchez: 96000? Bernstein–Chuengsatiansup– Lange–Schwabe: 91320 Critical for 122716, 91320: 1986 Chudnovsky–Chudnovsky: traditional Kummer surface allows fast scalar mult. 14M for ❳(P) ✼✦ ❳(2P). 2006 Gaudry: even faster. 25M for ❳(P)❀ ❳(◗)❀ ❳(◗ P) ✼✦ ❳(2P)❀ ❳(◗ + P), including 6M by surface coefficients. 2012 Gaudry–Schost: 1000000-CPU-hour computation found secure small-coefficient surface over F21271. ①2

• ②2
• ③

t ① ② ③ t Hadama

• ✁ ❆2

❇2

• ✁ ❆

❈

✁ ❆

❉

✂

• ✂
• ✂

✂ ✂ ✂ ✂ ✂ Hadama

• ✂
• ✂
• ✂

✂ ✂ ✂ ✂ ✂ ✁❛2

❜2

• ✁❛

❝

✁❛

❞

✁①

②

✁①

③

✁①

t

①4 ②4 ③ t ① ② ③ t

rds ycles for high- constant-time ❛❀ P ✼✦ ❛P SUPERCOP-verified): Bernstein–Duif–Lange– 194036 153000? Longa–Sica: 137000? Bos–Costello–Hisil– 122716

• pez–Aranha–

ıquez: 114800? andez–Longa– 96000? Bernstein–Chuengsatiansup– e: 91320 Critical for 122716, 91320: 1986 Chudnovsky–Chudnovsky: traditional Kummer surface allows fast scalar mult. 14M for ❳(P) ✼✦ ❳(2P). 2006 Gaudry: even faster. 25M for ❳(P)❀ ❳(◗)❀ ❳(◗ P) ✼✦ ❳(2P)❀ ❳(◗ + P), including 6M by surface coefficients. 2012 Gaudry–Schost: 1000000-CPU-hour computation found secure small-coefficient surface over F21271. ①2

• ②2
• ③2
• t2
• ①
• ②

③ t Hadamard

• ✁ ❆2

❇2

• ✁ ❆2

❈2

• ✁ ❆2

❉2

• ✂
• ✂
• ✂
• ✂
• ✂
• ✂

✂ ✂ Hadamard

• ✂
• ✂
• ✂
• ✂
• ✂
• ✂

✂ ✂ ✁❛2

❜2

• ✁❛2

❝2

• ✁❛2

❞2

• ✁①

②

✁①

③

✁①

t

①4 ②4 ③4 t4 ① ② ③ t

high- ❛❀ P ✼✦ ❛P SUPERCOP-verified): Bernstein–Duif–Lange– 194036 153000? 137000? 122716 ez–Aranha– 114800? andez–Longa– 96000? Bernstein–Chuengsatiansup– 91320 Critical for 122716, 91320: 1986 Chudnovsky–Chudnovsky: traditional Kummer surface allows fast scalar mult. 14M for ❳(P) ✼✦ ❳(2P). 2006 Gaudry: even faster. 25M for ❳(P)❀ ❳(◗)❀ ❳(◗ P) ✼✦ ❳(2P)❀ ❳(◗ + P), including 6M by surface coefficients. 2012 Gaudry–Schost: 1000000-CPU-hour computation found secure small-coefficient surface over F21271. ①2

• ②2
• ③2
• t2
• ①3
• ②3
• ③3
• t

Hadamard

• Hadamard
• ✁ ❆2

❇2

• ✁ ❆2

❈2

• ✁ ❆2

❉2

• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂

Hadamard

• Hadamard
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂

✁❛2

❜2

• ✁❛2

❝2

• ✁❛2

❞2

• ✁①1

②1

• ✁①

③

• ✁①

t

①4 ②4 ③4 t4 ①5 ②5 ③5 t

Critical for 122716, 91320: 1986 Chudnovsky–Chudnovsky: traditional Kummer surface allows fast scalar mult. 14M for ❳(P) ✼✦ ❳(2P). 2006 Gaudry: even faster. 25M for ❳(P)❀ ❳(◗)❀ ❳(◗ P) ✼✦ ❳(2P)❀ ❳(◗ + P), including 6M by surface coefficients. 2012 Gaudry–Schost: 1000000-CPU-hour computation found secure small-coefficient surface over F21271. ①2

• ②2
• ③2
• t2
• ①3
• ②3
• ③3
• t3
• Hadamard
• Hadamard
• ✁ ❆2

❇2

• ✁ ❆2

❈2

• ✁ ❆2

❉2

• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• Hadamard
• Hadamard
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✁❛2

❜2

• ✁❛2

❝2

• ✁❛2

❞2

• ✁①1

②1

• ✁①1

③1

• ✁①1

t1

• ①4

②4 ③4 t4 ①5 ②5 ③5 t5

Critical for 122716, 91320: Chudnovsky–Chudnovsky: traditional Kummer surface fast scalar mult. for ❳(P) ✼✦ ❳(2P). Gaudry: even faster. for ❳(P)❀ ❳(◗)❀ ❳(◗ P) ✼✦ ❳(2P)❀ ❳(◗ + P), including surface coefficients. Gaudry–Schost: 1000000-CPU-hour computation secure small-coefficient surface over F21271. ①2

• ②2
• ③2
• t2
• ①3
• ②3
• ③3
• t3
• Hadamard
• Hadamard
• ✁ ❆2

❇2

• ✁ ❆2

❈2

• ✁ ❆2

❉2

• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• Hadamard
• Hadamard
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✁❛2

❜2

• ✁❛2

❝2

• ✁❛2

❞2

• ✁①1

②1

• ✁①1

③1

• ✁①1

t1

• ①4

②4 ③4 t4 ①5 ②5 ③5 t5 Strategies ❏❂ ♣ with kno ❏

♣

♣ fast build any curve many curves secure curves twist-secure Kummer small co fastest DH fastest k complete

122716, 91320: Chudnovsky–Chudnovsky: Kummer surface r mult. ❳ P ✼✦ ❳(2P). even faster. ❳ P ❀ ❳(◗)❀ ❳(◗ P) ✼✦ ❳ P ❀ ❳ ◗ + P), including coefficients. Gaudry–Schost: 1000000-CPU-hour computation small-coefficient

1271.

①2

• ②2
• ③2
• t2
• ①3
• ②3
• ③3
• t3
• Hadamard
• Hadamard
• ✁ ❆2

❇2

• ✁ ❆2

❈2

• ✁ ❆2

❉2

• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• Hadamard
• Hadamard
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✁❛2

❜2

• ✁❛2

❝2

• ✁❛2

❞2

• ✁①1

②1

• ✁①1

③1

• ✁①1

t1

• ①4

②4 ③4 t4 ①5 ②5 ③5 t5 Strategies to build ❏❂ ♣ with known #❏(F♣ ♣ CM fast build yes any curve no many curves no secure curves yes twist-secure yes Kummer yes small coeff no fastest DH no fastest keygen no complete add no

91320: Chudnovsky–Chudnovsky: e ❳ P ✼✦ ❳ P ❳ P ❀ ❳ ◗ ❀ ❳ ◗ P) ✼✦ ❳ P ❀ ❳ ◗ P including efficients. computation fficient

• ①2
• ②2
• ③2
• t2
• ①3
• ②3
• ③3
• t3
• Hadamard
• Hadamard
• ✁ ❆2

❇2

• ✁ ❆2

❈2

• ✁ ❆2

❉2

• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• Hadamard
• Hadamard
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✁❛2

❜2

• ✁❛2

❝2

• ✁❛2

❞2

• ✁①1

②1

• ✁①1

③1

• ✁①1

t1

• ①4

②4 ③4 t4 ①5 ②5 ③5 t5 Strategies to build dim-2 ❏❂F♣ with known #❏(F♣), large ♣ CM Pila new fast build yes no yes any curve no yes no many curves no yes yes secure curves yes yes yes twist-secure yes yes yes Kummer yes yes yes small coeff no yes yes fastest DH no yes yes fastest keygen no no yes complete add no no yes

①2

• ②2
• ③2
• t2
• ①3
• ②3
• ③3
• t3
• Hadamard
• Hadamard
• ✁ ❆2

❇2

• ✁ ❆2

❈2

• ✁ ❆2

❉2

• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• Hadamard
• Hadamard
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✁❛2

❜2

• ✁❛2

❝2

• ✁❛2

❞2

• ✁①1

②1

• ✁①1

③1

• ✁①1

t1

• ①4

②4 ③4 t4 ①5 ②5 ③5 t5 Strategies to build dim-2 ❏❂F♣ with known #❏(F♣), large ♣: CM Pila new fast build yes no yes any curve no yes no many curves no yes yes secure curves yes yes yes twist-secure yes yes yes Kummer yes yes yes small coeff no yes yes fastest DH no yes yes fastest keygen no no yes complete add no no yes

①2

• ②2
• ③2
• t2
• ①3
• ②3
• ③3
• t3
• Hadamard
• Hadamard
• ✁ ❆2

❇2

• ✁ ❆2

❈2

• ✁ ❆2

❉2

• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• Hadamard
• Hadamard
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✂
• ✁❛2

❜2

• ✁❛2

❝2

• ✁❛2

❞2

• ✁①1

②1

• ✁①1

③1

• ✁①1

t1

• ①4

②4 ③4 t4 ①5 ②5 ③5 t5 Strategies to build dim-2 ❏❂F♣ with known #❏(F♣), large ♣: CM Pila Stn new fast build yes no yes yes any curve no yes no no many curves no yes yes yes secure curves yes yes yes yes twist-secure yes yes yes yes Kummer yes yes yes yes small coeff no yes no yes fastest DH no yes no yes fastest keygen no no no yes complete add no no no yes

① ②2 ③2

• t2
• ①3
• ②3
• ③3
• t3
• Hadamard
• Hadamard
• ✁ ❆2

❇2

• ✁ ❆2

❈2

• ✁ ❆2

❉2

• ✂

✂ ✂

• ✂
• ✂
• ✂
• ✂
• ✂
• Hadamard
• Hadamard
• ✂

✂ ✂

• ✂
• ✂
• ✂
• ✂
• ✂
• ✁❛2

❜2 ✁❛2 ❝2

• ✁❛2

❞2

• ✁①1

②1

• ✁①1

③1

• ✁①1

t1

• ①

②4 ③4 t4 ①5 ②5 ③5 t5 Strategies to build dim-2 ❏❂F♣ with known #❏(F♣), large ♣: CM Pila Stn new fast build yes no yes yes any curve no yes no no many curves no yes yes yes secure curves yes yes yes yes twist-secure yes yes yes yes Kummer yes yes yes yes small coeff no yes no yes fastest DH no yes no yes fastest keygen no no no yes complete add no no no yes Hyper-and-elliptic-curve Typical example: ❍ : ②2 = ③ ③ ③ (③ ❂ ③ ❂ ③ ❂

• ver F♣

♣

• ❏ = Jac ❍

surface ❑ ❳ ❏ ✦ ❑ Small ❑

① ② ③ t ①3

• ②3
• ③3
• t3
• Hadamard
• ✁ ❆

❇

• ✁ ❆

❈

• ✁ ❆

❉

• ✂

✂ ✂ ✂ ✂

• ✂
• ✂
• ✂
• Hadamard
• ✂

✂ ✂ ✂ ✂

• ✂
• ✂
• ✂
• ✁❛

❜

✁❛

❝

✁❛

❞

✁①1

②1

• ✁①1

③1

• ✁①1

t1

• ①

② ③ t ①5 ②5 ③5 t5 Strategies to build dim-2 ❏❂F♣ with known #❏(F♣), large ♣: CM Pila Stn new fast build yes no yes yes any curve no yes no no many curves no yes yes yes secure curves yes yes yes yes twist-secure yes yes yes yes Kummer yes yes yes yes small coeff no yes no yes fastest DH no yes no yes fastest keygen no no no yes complete add no no no yes Hyper-and-elliptic-curve Typical example: Define ❍ : ②2 = (③ 1)(③ ③ (③ 1❂2)(③ + ❂ ③ ❂

• ver F♣ with ♣ = 2
• ❏ = Jac ❍; traditional

surface ❑; traditional ❳ ❏ ✦ ❑ Small ❑ coeffs (20

① ② ③ t ① ② ③3

• t3
• rd
• ✁ ❆

❇

✁ ❆

❈

✁ ❆

❉

• ✂

✂ ✂ ✂ ✂ ✂ ✂

• ✂
• rd
• ✂

✂ ✂ ✂ ✂ ✂ ✂

• ✂
• ✁❛

❜

✁❛

❝

✁❛

❞

✁①

②

✁①1

③1

• ✁①1

t1

• ①

② ③ t ① ② ③5 t5 Strategies to build dim-2 ❏❂F♣ with known #❏(F♣), large ♣: CM Pila Stn new fast build yes no yes yes any curve no yes no no many curves no yes yes yes secure curves yes yes yes yes twist-secure yes yes yes yes Kummer yes yes yes yes small coeff no yes no yes fastest DH no yes no yes fastest keygen no no no yes complete add no no no yes Hyper-and-elliptic-curve crypto Typical example: Define ❍ : ②2 = (③ 1)(③ + 1)(③ + (③ 1❂2)(③ + 3❂2)(③ ❂

• ver F♣ with ♣ = 2127 309;

❏ = Jac ❍; traditional Kumm surface ❑; traditional ❳ : ❏ ✦ ❑ Small ❑ coeffs (20 : 1 : 20 :

Strategies to build dim-2 ❏❂F♣ with known #❏(F♣), large ♣: CM Pila Stn new fast build yes no yes yes any curve no yes no no many curves no yes yes yes secure curves yes yes yes yes twist-secure yes yes yes yes Kummer yes yes yes yes small coeff no yes no yes fastest DH no yes no yes fastest keygen no no no yes complete add no no no yes Hyper-and-elliptic-curve crypto Typical example: Define ❍ : ②2 = (③ 1)(③ + 1)(③ + 2) (③ 1❂2)(③ + 3❂2)(③ 2❂3)

• ver F♣ with ♣ = 2127 309;

❏ = Jac ❍; traditional Kummer surface ❑; traditional ❳ : ❏ ✦ ❑. Small ❑ coeffs (20 : 1 : 20 : 40).

Strategies to build dim-2 ❏❂F♣ with known #❏(F♣), large ♣: CM Pila Stn new fast build yes no yes yes any curve no yes no no many curves no yes yes yes secure curves yes yes yes yes twist-secure yes yes yes yes Kummer yes yes yes yes small coeff no yes no yes fastest DH no yes no yes fastest keygen no no no yes complete add no no no yes Hyper-and-elliptic-curve crypto Typical example: Define ❍ : ②2 = (③ 1)(③ + 1)(③ + 2) (③ 1❂2)(③ + 3❂2)(③ 2❂3)

• ver F♣ with ♣ = 2127 309;

❏ = Jac ❍; traditional Kummer surface ❑; traditional ❳ : ❏ ✦ ❑. Small ❑ coeffs (20 : 1 : 20 : 40). Warning: There are typos in the Rosenhain/Mumford/Kummer formulas in 2007 Gaudry, 2010 Cosset, 2013 Bos–Costello– Hisil–Lauter. We have simpler, computer-verified formulas.

Strategies to build dim-2 ❏❂F♣ known #❏(F♣), large ♣: CM Pila Stn new build yes no yes yes curve no yes no no curves no yes yes yes curves yes yes yes yes wist-secure yes yes yes yes Kummer yes yes yes yes coeff no yes no yes fastest DH no yes no yes fastest keygen no no no yes complete add no no no yes Hyper-and-elliptic-curve crypto Typical example: Define ❍ : ②2 = (③ 1)(③ + 1)(③ + 2) (③ 1❂2)(③ + 3❂2)(③ 2❂3)

• ver F♣ with ♣ = 2127 309;

❏ = Jac ❍; traditional Kummer surface ❑; traditional ❳ : ❏ ✦ ❑. Small ❑ coeffs (20 : 1 : 20 : 40). Warning: There are typos in the Rosenhain/Mumford/Kummer formulas in 2007 Gaudry, 2010 Cosset, 2013 Bos–Costello– Hisil–Lauter. We have simpler, computer-verified formulas. #❏(F♣) ❵ where ❵ 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. Security ✙ Order of ❵ ❂♣ ✄ 12152941675747802266549093 122563150387. Twist securit ✙ (Want mo Switch to ♣

• cofactors

✁

build dim-2 ❏❂F♣ ❏ F♣), large ♣: CM Pila Stn new yes no yes yes no yes no no no yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes no yes no yes no yes no yes no no no yes no no no yes Hyper-and-elliptic-curve crypto Typical example: Define ❍ : ②2 = (③ 1)(③ + 1)(③ + 2) (③ 1❂2)(③ + 3❂2)(③ 2❂3)

• ver F♣ with ♣ = 2127 309;

❏ = Jac ❍; traditional Kummer surface ❑; traditional ❳ : ❏ ✦ ❑. Small ❑ coeffs (20 : 1 : 20 : 40). Warning: There are typos in the Rosenhain/Mumford/Kummer formulas in 2007 Gaudry, 2010 Cosset, 2013 Bos–Costello– Hisil–Lauter. We have simpler, computer-verified formulas. #❏(F♣) = 16❵ where ❵ is the prime 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. Security ✙ 2125 against Order of ❵ in (Z❂♣ ✄ 12152941675747802266549093 122563150387. Twist security ✙ 2 (Want more twist Switch to ♣ = 2127 cofactors 16 ✁ 3269239,

❏❂F♣ ❏

♣

♣: Stn new es yes no no es yes es yes es yes es yes no yes no yes no yes no yes Hyper-and-elliptic-curve crypto Typical example: Define ❍ : ②2 = (③ 1)(③ + 1)(③ + 2) (③ 1❂2)(③ + 3❂2)(③ 2❂3)

• ver F♣ with ♣ = 2127 309;

❏ = Jac ❍; traditional Kummer surface ❑; traditional ❳ : ❏ ✦ ❑. Small ❑ coeffs (20 : 1 : 20 : 40). Warning: There are typos in the Rosenhain/Mumford/Kummer formulas in 2007 Gaudry, 2010 Cosset, 2013 Bos–Costello– Hisil–Lauter. We have simpler, computer-verified formulas. #❏(F♣) = 16❵ where ❵ is the prime 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. Security ✙ 2125 against rho. Order of ❵ in (Z❂♣)✄ is 12152941675747802266549093 122563150387. Twist security ✙ 275. (Want more twist security? Switch to ♣ = 2127 94825; cofactors 16 ✁ 3269239, 4.)

Hyper-and-elliptic-curve crypto Typical example: Define ❍ : ②2 = (③ 1)(③ + 1)(③ + 2) (③ 1❂2)(③ + 3❂2)(③ 2❂3)

• ver F♣ with ♣ = 2127 309;

❏ = Jac ❍; traditional Kummer surface ❑; traditional ❳ : ❏ ✦ ❑. Small ❑ coeffs (20 : 1 : 20 : 40). Warning: There are typos in the Rosenhain/Mumford/Kummer formulas in 2007 Gaudry, 2010 Cosset, 2013 Bos–Costello– Hisil–Lauter. We have simpler, computer-verified formulas. #❏(F♣) = 16❵ where ❵ is the prime 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. Security ✙ 2125 against rho. Order of ❵ in (Z❂♣)✄ is 12152941675747802266549093 122563150387. Twist security ✙ 275. (Want more twist security? Switch to ♣ = 2127 94825; cofactors 16 ✁ 3269239, 4.)

er-and-elliptic-curve crypto ypical example: Define ❍ ② = (③ 1)(③ + 1)(③ + 2) ③ 1❂2)(③ + 3❂2)(③ 2❂3)

♣ with ♣ = 2127 309;

❏ Jac ❍; traditional Kummer surface ❑; traditional ❳ : ❏ ✦ ❑. ❑ coeffs (20 : 1 : 20 : 40). rning: There are typos in the Rosenhain/Mumford/Kummer rmulas in 2007 Gaudry, 2010 Cosset, 2013 Bos–Costello– Hisil–Lauter. We have simpler, computer-verified formulas. #❏(F♣) = 16❵ where ❵ is the prime 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. Security ✙ 2125 against rho. Order of ❵ in (Z❂♣)✄ is 12152941675747802266549093 122563150387. Twist security ✙ 275. (Want more twist security? Switch to ♣ = 2127 94825; cofactors 16 ✁ 3269239, 4.) Fast point-counting Define F♣

♣ ✐ ❂ ✐

r = (7 + ✐ ✐ s = 159 ✐ ✦ ♣ ❈ : ②2 = r① s① s① r

er-and-elliptic-curve crypto example: Define ❍ ② ③ 1)(③ + 1)(③ + 2) ③ ❂ ③ + 3❂2)(③ 2❂3)

♣

♣ 2127 309; ❏ ❍ traditional Kummer ❑ traditional ❳ : ❏ ✦ ❑. ❑ (20 : 1 : 20 : 40). are typos in the Rosenhain/Mumford/Kummer Gaudry, 2010 Bos–Costello– e have simpler, computer-verified formulas. #❏(F♣) = 16❵ where ❵ is the prime 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. Security ✙ 2125 against rho. Order of ❵ in (Z❂♣)✄ is 12152941675747802266549093 122563150387. Twist security ✙ 275. (Want more twist security? Switch to ♣ = 2127 94825; cofactors 16 ✁ 3269239, 4.) Fast point-counting Define F♣2 = F♣[✐]❂ ✐ r = (7 + 4✐)2 = 33 ✐ s = 159 + 56✐; ✦ = ♣ ❈ : ②2 = r①6 + s① s① r

crypto ❍ ② ③ ③ ③ + 2) ③ ❂ ③ ❂ ③ 2❂3)

♣

♣ 309; ❏ ❍ Kummer ❑ ❳ ❏ ✦ ❑. ❑ : 40). in the rd/Kummer 2010 Bos–Costello– simpler, rmulas. #❏(F♣) = 16❵ where ❵ is the prime 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. Security ✙ 2125 against rho. Order of ❵ in (Z❂♣)✄ is 12152941675747802266549093 122563150387. Twist security ✙ 275. (Want more twist security? Switch to ♣ = 2127 94825; cofactors 16 ✁ 3269239, 4.) Fast point-counting Define F♣2 = F♣[✐]❂(✐2 + 1); r = (7 + 4✐)2 = 33 + 56✐; s = 159 + 56✐; ✦ = ♣384; ❈ : ②2 = r①6 + s①4 + s①2 + r

#❏(F♣) = 16❵ where ❵ is the prime 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. Security ✙ 2125 against rho. Order of ❵ in (Z❂♣)✄ is 12152941675747802266549093 122563150387. Twist security ✙ 275. (Want more twist security? Switch to ♣ = 2127 94825; cofactors 16 ✁ 3269239, 4.) Fast point-counting Define F♣2 = F♣[✐]❂(✐2 + 1); r = (7 + 4✐)2 = 33 + 56✐; s = 159 + 56✐; ✦ = ♣384; ❈ : ②2 = r①6 + s①4 + s①2 + r.

#❏(F♣) = 16❵ where ❵ is the prime 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. Security ✙ 2125 against rho. Order of ❵ in (Z❂♣)✄ is 12152941675747802266549093 122563150387. Twist security ✙ 275. (Want more twist security? Switch to ♣ = 2127 94825; cofactors 16 ✁ 3269239, 4.) Fast point-counting Define F♣2 = F♣[✐]❂(✐2 + 1); r = (7 + 4✐)2 = 33 + 56✐; s = 159 + 56✐; ✦ = ♣384; ❈ : ②2 = r①6 + s①4 + s①2 + r. (①❀ ②) ✼✦ (①2❀ ②) takes ❈ to ❊ : ②2 = r①3 + s①2 + s① + r.

#❏(F♣) = 16❵ where ❵ is the prime 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. Security ✙ 2125 against rho. Order of ❵ in (Z❂♣)✄ is 12152941675747802266549093 122563150387. Twist security ✙ 275. (Want more twist security? Switch to ♣ = 2127 94825; cofactors 16 ✁ 3269239, 4.) Fast point-counting Define F♣2 = F♣[✐]❂(✐2 + 1); r = (7 + 4✐)2 = 33 + 56✐; s = 159 + 56✐; ✦ = ♣384; ❈ : ②2 = r①6 + s①4 + s①2 + r. (①❀ ②) ✼✦ (①2❀ ②) takes ❈ to ❊ : ②2 = r①3 + s①2 + s① + r. (①❀ ②) ✼✦ (1❂①2❀ ②❂①3) takes ❈ to ②2 = r①3 + s①2 + s① + r.

#❏(F♣) = 16❵ where ❵ is the prime 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. Security ✙ 2125 against rho. Order of ❵ in (Z❂♣)✄ is 12152941675747802266549093 122563150387. Twist security ✙ 275. (Want more twist security? Switch to ♣ = 2127 94825; cofactors 16 ✁ 3269239, 4.) Fast point-counting Define F♣2 = F♣[✐]❂(✐2 + 1); r = (7 + 4✐)2 = 33 + 56✐; s = 159 + 56✐; ✦ = ♣384; ❈ : ②2 = r①6 + s①4 + s①2 + r. (①❀ ②) ✼✦ (①2❀ ②) takes ❈ to ❊ : ②2 = r①3 + s①2 + s① + r. (①❀ ②) ✼✦ (1❂①2❀ ②❂①3) takes ❈ to ②2 = r①3 + s①2 + s① + r. (③❀ ②) ✼✦ ✒1 + ✐③ 1 ✐③ ❀ ✦② (1 ✐③)3 ✓ takes ❍ over F♣2 to ❈.

❏

♣) = 16❵

❵ is the prime 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. Security ✙ 2125 against rho.

• f ❵ in (Z❂♣)✄ is

12152941675747802266549093 122563150387. security ✙ 275. more twist security? to ♣ = 2127 94825; cofactors 16 ✁ 3269239, 4.) Fast point-counting Define F♣2 = F♣[✐]❂(✐2 + 1); r = (7 + 4✐)2 = 33 + 56✐; s = 159 + 56✐; ✦ = ♣384; ❈ : ②2 = r①6 + s①4 + s①2 + r. (①❀ ②) ✼✦ (①2❀ ②) takes ❈ to ❊ : ②2 = r①3 + s①2 + s① + r. (①❀ ②) ✼✦ (1❂①2❀ ②❂①3) takes ❈ to ②2 = r①3 + s①2 + s① + r. (③❀ ②) ✼✦ ✒1 + ✐③ 1 ✐③ ❀ ✦② (1 ✐③)3 ✓ takes ❍ over F♣2 to ❈. ❏ is isogenous Weil restriction ❲ ❊ computing ❏

♣

❏

♣

❵ ❵ rime 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. ✙ against rho. ❵ ❂♣)✄ is 12152941675747802266549093 ✙ 275. wist security? ♣

127 94825;

✁ 3269239, 4.) Fast point-counting Define F♣2 = F♣[✐]❂(✐2 + 1); r = (7 + 4✐)2 = 33 + 56✐; s = 159 + 56✐; ✦ = ♣384; ❈ : ②2 = r①6 + s①4 + s①2 + r. (①❀ ②) ✼✦ (①2❀ ②) takes ❈ to ❊ : ②2 = r①3 + s①2 + s① + r. (①❀ ②) ✼✦ (1❂①2❀ ②❂①3) takes ❈ to ②2 = r①3 + s①2 + s① + r. (③❀ ②) ✼✦ ✒1 + ✐③ 1 ✐③ ❀ ✦② (1 ✐③)3 ✓ takes ❍ over F♣2 to ❈. ❏ is isogenous to Weil restriction ❲ ❊ computing #❏(F♣)

❏

♣

❵ ❵ 18092513943330655534932966 40760748553649194606010814 289531455285792829679923. ✙ rho. ❵ ❂♣ ✄ 12152941675747802266549093 ✙ y? ♣ 94825; ✁ Fast point-counting Define F♣2 = F♣[✐]❂(✐2 + 1); r = (7 + 4✐)2 = 33 + 56✐; s = 159 + 56✐; ✦ = ♣384; ❈ : ②2 = r①6 + s①4 + s①2 + r. (①❀ ②) ✼✦ (①2❀ ②) takes ❈ to ❊ : ②2 = r①3 + s①2 + s① + r. (①❀ ②) ✼✦ (1❂①2❀ ②❂①3) takes ❈ to ②2 = r①3 + s①2 + s① + r. (③❀ ②) ✼✦ ✒1 + ✐③ 1 ✐③ ❀ ✦② (1 ✐③)3 ✓ takes ❍ over F♣2 to ❈. ❏ is isogenous to Weil restriction ❲ of ❊, so computing #❏(F♣) is fast.

Fast point-counting Define F♣2 = F♣[✐]❂(✐2 + 1); r = (7 + 4✐)2 = 33 + 56✐; s = 159 + 56✐; ✦ = ♣384; ❈ : ②2 = r①6 + s①4 + s①2 + r. (①❀ ②) ✼✦ (①2❀ ②) takes ❈ to ❊ : ②2 = r①3 + s①2 + s① + r. (①❀ ②) ✼✦ (1❂①2❀ ②❂①3) takes ❈ to ②2 = r①3 + s①2 + s① + r. (③❀ ②) ✼✦ ✒1 + ✐③ 1 ✐③ ❀ ✦② (1 ✐③)3 ✓ takes ❍ over F♣2 to ❈. ❏ is isogenous to Weil restriction ❲ of ❊, so computing #❏(F♣) is fast.

Fast point-counting Define F♣2 = F♣[✐]❂(✐2 + 1); r = (7 + 4✐)2 = 33 + 56✐; s = 159 + 56✐; ✦ = ♣384; ❈ : ②2 = r①6 + s①4 + s①2 + r. (①❀ ②) ✼✦ (①2❀ ②) takes ❈ to ❊ : ②2 = r①3 + s①2 + s① + r. (①❀ ②) ✼✦ (1❂①2❀ ②❂①3) takes ❈ to ②2 = r①3 + s①2 + s① + r. (③❀ ②) ✼✦ ✒1 + ✐③ 1 ✐③ ❀ ✦② (1 ✐③)3 ✓ takes ❍ over F♣2 to ❈. ❏ is isogenous to Weil restriction ❲ of ❊, so computing #❏(F♣) is fast. 2003 Scholten: this strategy for building many genus-2 curves with fast point-counting.

Fast point-counting Define F♣2 = F♣[✐]❂(✐2 + 1); r = (7 + 4✐)2 = 33 + 56✐; s = 159 + 56✐; ✦ = ♣384; ❈ : ②2 = r①6 + s①4 + s①2 + r. (①❀ ②) ✼✦ (①2❀ ②) takes ❈ to ❊ : ②2 = r①3 + s①2 + s① + r. (①❀ ②) ✼✦ (1❂①2❀ ②❂①3) takes ❈ to ②2 = r①3 + s①2 + s① + r. (③❀ ②) ✼✦ ✒1 + ✐③ 1 ✐③ ❀ ✦② (1 ✐③)3 ✓ takes ❍ over F♣2 to ❈. ❏ is isogenous to Weil restriction ❲ of ❊, so computing #❏(F♣) is fast. 2003 Scholten: this strategy for building many genus-2 curves with fast point-counting. Handles all elliptic curves

• ver F♣2 with full 2-torsion

(and more elliptic curves). Geometrically: all elliptic curves; codim 1 in hyperelliptic curves.

• int-counting

F♣2 = F♣[✐]❂(✐2 + 1); r + 4✐)2 = 33 + 56✐; s 159 + 56✐; ✦ = ♣384; ❈ ② = r①6 + s①4 + s①2 + r. ①❀ ② ✼✦ (①2❀ ②) takes ❈ to ❊ : ② r①3 + s①2 + s① + r. ①❀ ② ✼✦ (1❂①2❀ ②❂①3) takes ❈ to ② r①3 + s①2 + s① + r. ③❀ ② ✼✦ ✒1 + ✐③ 1 ✐③ ❀ ✦② (1 ✐③)3 ✓ ❍ over F♣2 to ❈. ❏ is isogenous to Weil restriction ❲ of ❊, so computing #❏(F♣) is fast. 2003 Scholten: this strategy for building many genus-2 curves with fast point-counting. Handles all elliptic curves

• ver F♣2 with full 2-torsion

(and more elliptic curves). Geometrically: all elliptic curves; codim 1 in hyperelliptic curves. New: not Alice generates ❛ ✷ Bob generates ❜ ✷ Alice computes ❛● ✷ ❊

♣

using standa

• ✷ ❊

♣

Top speed: Alice sends ❛● Bob views ❛● ❲

♣

applies isogeny ❲

♣ ✦ ❏ ♣

computes ❜ ❛● ❏

♣

Top speed:

• int-counting

♣ ♣[✐]❂(✐2 + 1);

r ✐ 33 + 56✐; s ✐ ✦ = ♣384; ❈ ② r① s①4 + s①2 + r. ①❀ ② ✼✦ ① ❀ ② takes ❈ to ❊ : ② r① s① + s① + r. ①❀ ② ✼✦ ❂① ❀ ②❂①3) takes ❈ to ② r① s① + s① + r. ③❀ ② ✼✦ ✒ ✐③ ✐③ ❀ ✦② (1 ✐③)3 ✓ ❍

♣ to ❈.

❏ is isogenous to Weil restriction ❲ of ❊, so computing #❏(F♣) is fast. 2003 Scholten: this strategy for building many genus-2 curves with fast point-counting. Handles all elliptic curves

• ver F♣2 with full 2-torsion

(and more elliptic curves). Geometrically: all elliptic curves; codim 1 in hyperelliptic curves. New: not just point-c Alice generates secret ❛ ✷ Bob generates secret ❜ ✷ Alice computes ❛● ✷ ❊

♣

using standard ● ✷ ❊

♣

Top speed: Edwards Alice sends ❛● to Bob views ❛● in ❲

♣

applies isogeny ❲( ♣ ✦ ❏

♣

computes ❜(❛●) in ❏

♣

Top speed: Kummer

♣ ♣ ✐ ❂ ✐

1); r ✐ ✐ s ✐ ✦ ♣384; ❈ ② r① s① s① + r. ①❀ ② ✼✦ ① ❀ ② ❈ to ❊ : ② r① s① s① r ①❀ ② ✼✦ ❂① ❀ ②❂① es ❈ to ② r① s① s① r ③❀ ② ✼✦ ✒ ✐③ ✐③ ❀ ✦② ✐③)3 ✓ ❍

♣

❈ ❏ is isogenous to Weil restriction ❲ of ❊, so computing #❏(F♣) is fast. 2003 Scholten: this strategy for building many genus-2 curves with fast point-counting. Handles all elliptic curves

• ver F♣2 with full 2-torsion

(and more elliptic curves). Geometrically: all elliptic curves; codim 1 in hyperelliptic curves. New: not just point-counting Alice generates secret ❛ ✷ Z Bob generates secret ❜ ✷ Z. Alice computes ❛● ✷ ❊(F♣2) using standard ● ✷ ❊(F♣2). Top speed: Edwards coordinates. Alice sends ❛● to Bob. Bob views ❛● in ❲(F♣), applies isogeny ❲(F♣) ✦ ❏( ♣ computes ❜(❛●) in ❏(F♣). Top speed: Kummer coordinates.

❏ is isogenous to Weil restriction ❲ of ❊, so computing #❏(F♣) is fast. 2003 Scholten: this strategy for building many genus-2 curves with fast point-counting. Handles all elliptic curves

• ver F♣2 with full 2-torsion

(and more elliptic curves). Geometrically: all elliptic curves; codim 1 in hyperelliptic curves. New: not just point-counting Alice generates secret ❛ ✷ Z. Bob generates secret ❜ ✷ Z. Alice computes ❛● ✷ ❊(F♣2) using standard ● ✷ ❊(F♣2). Top speed: Edwards coordinates. Alice sends ❛● to Bob. Bob views ❛● in ❲(F♣), applies isogeny ❲(F♣) ✦ ❏(F♣), computes ❜(❛●) in ❏(F♣). Top speed: Kummer coordinates.

❏ isogenous to restriction ❲ of ❊, so computing #❏(F♣) is fast. Scholten: strategy for building many genus-2 curves fast point-counting. Handles all elliptic curves

♣2 with full 2-torsion

more elliptic curves). Geometrically: all elliptic curves; 1 in hyperelliptic curves. New: not just point-counting Alice generates secret ❛ ✷ Z. Bob generates secret ❜ ✷ Z. Alice computes ❛● ✷ ❊(F♣2) using standard ● ✷ ❊(F♣2). Top speed: Edwards coordinates. Alice sends ❛● to Bob. Bob views ❛● in ❲(F♣), applies isogeny ❲(F♣) ✦ ❏(F♣), computes ❜(❛●) in ❏(F♣). Top speed: Kummer coordinates. In general: ✓ : ❲ ✦ ❏ ✓✵ ❏ ✦ ❲ dynamically between ❊

♣

❏

♣

But do w for ✓✵ and ✓

❏ ❲ of ❊, so ❏ F♣) is fast. genus-2 curves

• int-counting.

elliptic curves

♣

full 2-torsion elliptic curves). all elliptic curves; relliptic curves. New: not just point-counting Alice generates secret ❛ ✷ Z. Bob generates secret ❜ ✷ Z. Alice computes ❛● ✷ ❊(F♣2) using standard ● ✷ ❊(F♣2). Top speed: Edwards coordinates. Alice sends ❛● to Bob. Bob views ❛● in ❲(F♣), applies isogeny ❲(F♣) ✦ ❏(F♣), computes ❜(❛●) in ❏(F♣). Top speed: Kummer coordinates. In general: use isogenies ✓ : ❲ ✦ ❏ and ✓✵ : ❏ ✦ ❲ dynamically move between ❊(F♣2) and ❏

♣

But do we have fast for ✓✵ and for dual ✓

❏ ❲ ❊ so ❏

♣

fast. curves

♣

rsion curves; curves. New: not just point-counting Alice generates secret ❛ ✷ Z. Bob generates secret ❜ ✷ Z. Alice computes ❛● ✷ ❊(F♣2) using standard ● ✷ ❊(F♣2). Top speed: Edwards coordinates. Alice sends ❛● to Bob. Bob views ❛● in ❲(F♣), applies isogeny ❲(F♣) ✦ ❏(F♣), computes ❜(❛●) in ❏(F♣). Top speed: Kummer coordinates. In general: use isogenies ✓ : ❲ ✦ ❏ and ✓✵ : ❏ ✦ ❲ to dynamically move computations between ❊(F♣2) and ❏(F♣). But do we have fast formulas for ✓✵ and for dual isogeny ✓?

New: not just point-counting Alice generates secret ❛ ✷ Z. Bob generates secret ❜ ✷ Z. Alice computes ❛● ✷ ❊(F♣2) using standard ● ✷ ❊(F♣2). Top speed: Edwards coordinates. Alice sends ❛● to Bob. Bob views ❛● in ❲(F♣), applies isogeny ❲(F♣) ✦ ❏(F♣), computes ❜(❛●) in ❏(F♣). Top speed: Kummer coordinates. In general: use isogenies ✓ : ❲ ✦ ❏ and ✓✵ : ❏ ✦ ❲ to dynamically move computations between ❊(F♣2) and ❏(F♣). But do we have fast formulas for ✓✵ and for dual isogeny ✓?

New: not just point-counting Alice generates secret ❛ ✷ Z. Bob generates secret ❜ ✷ Z. Alice computes ❛● ✷ ❊(F♣2) using standard ● ✷ ❊(F♣2). Top speed: Edwards coordinates. Alice sends ❛● to Bob. Bob views ❛● in ❲(F♣), applies isogeny ❲(F♣) ✦ ❏(F♣), computes ❜(❛●) in ❏(F♣). Top speed: Kummer coordinates. In general: use isogenies ✓ : ❲ ✦ ❏ and ✓✵ : ❏ ✦ ❲ to dynamically move computations between ❊(F♣2) and ❏(F♣). But do we have fast formulas for ✓✵ and for dual isogeny ✓? Scholten: Define ✣ : ❍ ✦ ❊ as (③❀ ②) ✼✦ ✒(1 + ✐③)2 (1 ✐③)2 ❀ ✦② (1 ✐③)3 ✓ . Composition of ✣2 : (P1❀ P2) ✼✦ ✣(P1)+✣(P2) and standard ❊✦❲ is composition of standard ❍ ✂ ❍ ✦ ❏ and some ✓✵ : ❏ ✦ ❲.

not just point-counting generates secret ❛ ✷ Z. generates secret ❜ ✷ Z. computes ❛● ✷ ❊(F♣2) standard ● ✷ ❊(F♣2). eed: Edwards coordinates. sends ❛● to Bob. views ❛● in ❲(F♣), applies isogeny ❲(F♣) ✦ ❏(F♣), computes ❜(❛●) in ❏(F♣). eed: Kummer coordinates. In general: use isogenies ✓ : ❲ ✦ ❏ and ✓✵ : ❏ ✦ ❲ to dynamically move computations between ❊(F♣2) and ❏(F♣). But do we have fast formulas for ✓✵ and for dual isogeny ✓? Scholten: Define ✣ : ❍ ✦ ❊ as (③❀ ②) ✼✦ ✒(1 + ✐③)2 (1 ✐③)2 ❀ ✦② (1 ✐③)3 ✓ . Composition of ✣2 : (P1❀ P2) ✼✦ ✣(P1)+✣(P2) and standard ❊✦❲ is composition of standard ❍ ✂ ❍ ✦ ❏ and some ✓✵ : ❏ ✦ ❲. The conventional

• 1. Prove

✓✵ by analyzing ✣

• 2. Observe

✓ ✍ ✓✵ for some ✓

• 3. Compute

✓✵ P✐ = (③✐❀ ②✐ ❍ ② ❢ ③

• ver F♣(③ ❀ ③

② ❀ ② ❂(②2

1 ❢ ③

❀ ② ❢ ③ compose ✣ with addition ❊ eliminate ③ ❀ ③ ❀ ② ❀ ② in favor of

• int-counting

secret ❛ ✷ Z. secret ❜ ✷ Z. ❛● ✷ ❊(F♣2)

• ✷ ❊(F♣2).

ards coordinates. ❛● to Bob. ❛● ❲(F♣), ❲(F♣) ✦ ❏(F♣), ❜ ❛● in ❏(F♣). Kummer coordinates. In general: use isogenies ✓ : ❲ ✦ ❏ and ✓✵ : ❏ ✦ ❲ to dynamically move computations between ❊(F♣2) and ❏(F♣). But do we have fast formulas for ✓✵ and for dual isogeny ✓? Scholten: Define ✣ : ❍ ✦ ❊ as (③❀ ②) ✼✦ ✒(1 + ✐③)2 (1 ✐③)2 ❀ ✦② (1 ✐③)3 ✓ . Composition of ✣2 : (P1❀ P2) ✼✦ ✣(P1)+✣(P2) and standard ❊✦❲ is composition of standard ❍ ✂ ❍ ✦ ❏ and some ✓✵ : ❏ ✦ ❲. The conventional continua

• 1. Prove that ✓✵ is

by analyzing fibers ✣

• 2. Observe that ✓ ✍ ✓✵

for some isogeny ✓

• 3. Compute formula

✓✵ P✐ = (③✐❀ ②✐) on ❍ ② ❢ ③

• ver F♣(③1❀ ③2)[②1❀ ②

❂(②2

1 ❢(③1)❀ ②2 2 ❢ ③

compose definition ✣ with addition formulas ❊ eliminate ③1❀ ③2❀ ②1❀ ② in favor of Mumford

nting ❛ ✷ Z. ❜ ✷ Z. ❛● ✷ ❊

♣2)

• ✷ ❊

♣ ).

dinates. ❛● ❛● ❲

♣

❲

♣ ✦ ❏(F♣),

❜ ❛● ❏

♣

rdinates. In general: use isogenies ✓ : ❲ ✦ ❏ and ✓✵ : ❏ ✦ ❲ to dynamically move computations between ❊(F♣2) and ❏(F♣). But do we have fast formulas for ✓✵ and for dual isogeny ✓? Scholten: Define ✣ : ❍ ✦ ❊ as (③❀ ②) ✼✦ ✒(1 + ✐③)2 (1 ✐③)2 ❀ ✦② (1 ✐③)3 ✓ . Composition of ✣2 : (P1❀ P2) ✼✦ ✣(P1)+✣(P2) and standard ❊✦❲ is composition of standard ❍ ✂ ❍ ✦ ❏ and some ✓✵ : ❏ ✦ ❲. The conventional continuatio

• 1. Prove that ✓✵ is an isogeny

by analyzing fibers of ✣2.

• 2. Observe that ✓ ✍ ✓✵ = 2

for some isogeny ✓.

• 3. Compute formulas for ✓✵:

P✐ = (③✐❀ ②✐) on ❍ : ②2 = ❢(③

• ver F♣(③1❀ ③2)[②1❀ ②2]

❂(②2

1 ❢(③1)❀ ②2 2 ❢(③2));

compose definition of ✣ with addition formulas on ❊ eliminate ③1❀ ③2❀ ②1❀ ②2 in favor of Mumford coordinates.

In general: use isogenies ✓ : ❲ ✦ ❏ and ✓✵ : ❏ ✦ ❲ to dynamically move computations between ❊(F♣2) and ❏(F♣). But do we have fast formulas for ✓✵ and for dual isogeny ✓? Scholten: Define ✣ : ❍ ✦ ❊ as (③❀ ②) ✼✦ ✒(1 + ✐③)2 (1 ✐③)2 ❀ ✦② (1 ✐③)3 ✓ . Composition of ✣2 : (P1❀ P2) ✼✦ ✣(P1)+✣(P2) and standard ❊✦❲ is composition of standard ❍ ✂ ❍ ✦ ❏ and some ✓✵ : ❏ ✦ ❲. The conventional continuation:

• 1. Prove that ✓✵ is an isogeny

by analyzing fibers of ✣2.

• 2. Observe that ✓ ✍ ✓✵ = 2

for some isogeny ✓.

• 3. Compute formulas for ✓✵: take

P✐ = (③✐❀ ②✐) on ❍ : ②2 = ❢(③)

• ver F♣(③1❀ ③2)[②1❀ ②2]

❂(②2

1 ❢(③1)❀ ②2 2 ❢(③2));

compose definition of ✣ with addition formulas on ❊; eliminate ③1❀ ③2❀ ②1❀ ②2 in favor of Mumford coordinates.

general: use isogenies ✓ ❲ ✦ ❏ and ✓✵ : ❏ ✦ ❲ to dynamically move computations een ❊(F♣2) and ❏(F♣). we have fast formulas ✓✵ and for dual isogeny ✓? Scholten: Define ✣ : ❍ ✦ ❊ as ③❀ ② ✼✦ ✒(1 + ✐③)2 (1 ✐③)2 ❀ ✦② (1 ✐③)3 ✓ .

• sition of ✣2 : (P1❀ P2) ✼✦

✣ P ✣(P2) and standard ❊✦❲ composition of standard ❍ ✂ ❍ ✦ ❏ and some ✓✵ : ❏ ✦ ❲. The conventional continuation:

• 1. Prove that ✓✵ is an isogeny

by analyzing fibers of ✣2.

• 2. Observe that ✓ ✍ ✓✵ = 2

for some isogeny ✓.

• 3. Compute formulas for ✓✵: take

P✐ = (③✐❀ ②✐) on ❍ : ②2 = ❢(③)

• ver F♣(③1❀ ③2)[②1❀ ②2]

❂(②2

1 ❢(③1)❀ ②2 2 ❢(③2));

compose definition of ✣ with addition formulas on ❊; eliminate ③1❀ ③2❀ ②1❀ ②2 in favor of Mumford coordinates.

• 4. Simplify

✓✵ using, e.g., “rational

• 5. Find ✓

isogenies ✓ ❲ ✦ ❏ ✓✵ : ❏ ✦ ❲ to move computations ❊

♣

and ❏(F♣). fast formulas ✓✵ dual isogeny ✓? ✣ : ❍ ✦ ❊ as ③❀ ② ✼✦ ✒ ✐③)2 ✐③)2 ❀ ✦② (1 ✐③)3 ✓ . ✣2 : (P1❀ P2) ✼✦ ✣ P ✣ P and standard ❊✦❲

• f standard

❍ ✂ ❍ ✦ ❏ some ✓✵ : ❏ ✦ ❲. The conventional continuation:

• 1. Prove that ✓✵ is an isogeny

by analyzing fibers of ✣2.

• 2. Observe that ✓ ✍ ✓✵ = 2

for some isogeny ✓.

• 3. Compute formulas for ✓✵: take

P✐ = (③✐❀ ②✐) on ❍ : ②2 = ❢(③)

• ver F♣(③1❀ ③2)[②1❀ ②2]

❂(②2

1 ❢(③1)❀ ②2 2 ❢(③2));

compose definition of ✣ with addition formulas on ❊; eliminate ③1❀ ③2❀ ②1❀ ②2 in favor of Mumford coordinates.

• 4. Simplify formulas

✓✵ using, e.g., 2006 Monagan–P “rational simplification”

• 5. Find ✓: norm–cono

✓ ❲ ✦ ❏ ✓✵ ❏ ✦ ❲ to computations ❊

♣

❏

♣).

rmulas ✓✵ ✓? ✣ ❍ ✦ ❊ as ③❀ ② ✼✦ ✒ ✐③ ✐③ ❀ ✦② ✐③)3 ✓ . ✣ P ❀ P2) ✼✦ ✣ P ✣ P rd ❊✦❲ ❍ ✂ ❍ ✦ ❏ ✓✵ ❏ ✦ ❲. The conventional continuation:

• 1. Prove that ✓✵ is an isogeny

by analyzing fibers of ✣2.

• 2. Observe that ✓ ✍ ✓✵ = 2

for some isogeny ✓.

• 3. Compute formulas for ✓✵: take

P✐ = (③✐❀ ②✐) on ❍ : ②2 = ❢(③)

• ver F♣(③1❀ ③2)[②1❀ ②2]

❂(②2

1 ❢(③1)❀ ②2 2 ❢(③2));

compose definition of ✣ with addition formulas on ❊; eliminate ③1❀ ③2❀ ②1❀ ②2 in favor of Mumford coordinates.

• 4. Simplify formulas for ✓✵

using, e.g., 2006 Monagan–P “rational simplification” metho

• 5. Find ✓: norm–conorm etc.

The conventional continuation:

• 1. Prove that ✓✵ is an isogeny

by analyzing fibers of ✣2.

• 2. Observe that ✓ ✍ ✓✵ = 2

for some isogeny ✓.

• 3. Compute formulas for ✓✵: take

P✐ = (③✐❀ ②✐) on ❍ : ②2 = ❢(③)

• ver F♣(③1❀ ③2)[②1❀ ②2]

❂(②2

1 ❢(③1)❀ ②2 2 ❢(③2));

compose definition of ✣ with addition formulas on ❊; eliminate ③1❀ ③2❀ ②1❀ ②2 in favor of Mumford coordinates.

• 4. Simplify formulas for ✓✵

using, e.g., 2006 Monagan–Pearce “rational simplification” method.

• 5. Find ✓: norm–conorm etc.

The conventional continuation:

• 1. Prove that ✓✵ is an isogeny

by analyzing fibers of ✣2.

• 2. Observe that ✓ ✍ ✓✵ = 2

for some isogeny ✓.

• 3. Compute formulas for ✓✵: take

P✐ = (③✐❀ ②✐) on ❍ : ②2 = ❢(③)

• ver F♣(③1❀ ③2)[②1❀ ②2]

❂(②2

1 ❢(③1)❀ ②2 2 ❢(③2));

compose definition of ✣ with addition formulas on ❊; eliminate ③1❀ ③2❀ ②1❀ ②2 in favor of Mumford coordinates.

• 4. Simplify formulas for ✓✵

using, e.g., 2006 Monagan–Pearce “rational simplification” method.

• 5. Find ✓: norm–conorm etc.

Much easier: We applied ✣2 to random points in ❍(F♣) ✂ ❍(F♣), interpolated coefficients of ✓✵. Similarly interpolated formulas for ✓; verified composition. Easy computer calculation. “Wasting brain power is bad for the environment.”

conventional continuation: Prove that ✓✵ is an isogeny alyzing fibers of ✣2. Observe that ✓ ✍ ✓✵ = 2

• me isogeny ✓.

Compute formulas for ✓✵: take P✐ ③✐❀ ②✐) on ❍ : ②2 = ❢(③)

♣(③1❀ ③2)[②1❀ ②2]

❂ ② ❢(③1)❀ ②2

2 ❢(③2));

• se definition of ✣

addition formulas on ❊; eliminate ③1❀ ③2❀ ②1❀ ②2 r of Mumford coordinates.

• 4. Simplify formulas for ✓✵

using, e.g., 2006 Monagan–Pearce “rational simplification” method.

• 5. Find ✓: norm–conorm etc.

Much easier: We applied ✣2 to random points in ❍(F♣) ✂ ❍(F♣), interpolated coefficients of ✓✵. Similarly interpolated formulas for ✓; verified composition. Easy computer calculation. “Wasting brain power is bad for the environment.” New: small ❑ defined Only 2 degrees ❊ Can’t exp ✿ ✿ ✿ unless

conventional continuation: ✓✵ is an isogeny rs of ✣2. ✓ ✍ ✓✵ = 2 ✓. rmulas for ✓✵: take P✐ ③✐❀ ②✐ ❍ : ②2 = ❢(③)

♣ ③ ❀ ③

②1❀ ②2] ❂ ② ❢ ③ ❀ ② ❢(③2)); definition of ✣ rmulas on ❊; ③ ❀ ③ ❀ ②1❀ ②2 Mumford coordinates.

• 4. Simplify formulas for ✓✵

using, e.g., 2006 Monagan–Pearce “rational simplification” method.

• 5. Find ✓: norm–conorm etc.

Much easier: We applied ✣2 to random points in ❍(F♣) ✂ ❍(F♣), interpolated coefficients of ✓✵. Similarly interpolated formulas for ✓; verified composition. Easy computer calculation. “Wasting brain power is bad for the environment.” New: small coefficients ❑ defined by 3 coeffs. Only 2 degrees of ❊ Can’t expect small- ✿ ✿ ✿ unless everything

tion: ✓✵ isogeny ✣ ✓ ✍ ✓✵ ✓ ✓✵: take P✐ ③✐❀ ②✐ ❍ ② ❢(③)

♣ ③ ❀ ③

② ❀ ② ❂ ② ❢ ③ ❀ ② ❢ ③ )); ✣ ❊; ③ ❀ ③ ❀ ② ❀ ② rdinates.

• 4. Simplify formulas for ✓✵

using, e.g., 2006 Monagan–Pearce “rational simplification” method.

• 5. Find ✓: norm–conorm etc.

Much easier: We applied ✣2 to random points in ❍(F♣) ✂ ❍(F♣), interpolated coefficients of ✓✵. Similarly interpolated formulas for ✓; verified composition. Easy computer calculation. “Wasting brain power is bad for the environment.” New: small coefficients ❑ defined by 3 coeffs. Only 2 degrees of freedom in ❊ Can’t expect small-height co ✿ ✿ ✿ unless everything lifts to

• 4. Simplify formulas for ✓✵

using, e.g., 2006 Monagan–Pearce “rational simplification” method.

• 5. Find ✓: norm–conorm etc.

Much easier: We applied ✣2 to random points in ❍(F♣) ✂ ❍(F♣), interpolated coefficients of ✓✵. Similarly interpolated formulas for ✓; verified composition. Easy computer calculation. “Wasting brain power is bad for the environment.” New: small coefficients ❑ defined by 3 coeffs. Only 2 degrees of freedom in ❊. Can’t expect small-height coeffs. ✿ ✿ ✿ unless everything lifts to Q.

• 4. Simplify formulas for ✓✵

using, e.g., 2006 Monagan–Pearce “rational simplification” method.

• 5. Find ✓: norm–conorm etc.

Much easier: We applied ✣2 to random points in ❍(F♣) ✂ ❍(F♣), interpolated coefficients of ✓✵. Similarly interpolated formulas for ✓; verified composition. Easy computer calculation. “Wasting brain power is bad for the environment.” New: small coefficients ❑ defined by 3 coeffs. Only 2 degrees of freedom in ❊. Can’t expect small-height coeffs. ✿ ✿ ✿ unless everything lifts to Q. Choose non-square ∆ ✷ Q; distinct squares ✚1❀ ✚2❀ ✚3

• f norm-1 elements of Q(

♣ ∆); r ✷ Q( ♣ ∆) with ✚1✚2✚3 = r❂r. Define s = r(✚1 + ✚2 + ✚3). Then r①3 + s①2 + s① + r = r(① ✚1)(① ✚2)(① ✚3).

Simplify formulas for ✓✵ e.g., 2006 Monagan–Pearce “rational simplification” method. Find ✓: norm–conorm etc. easier: We applied ✣2 to points in ❍(F♣) ✂ ❍(F♣),

• lated coefficients of ✓✵.

rly interpolated formulas ✓ verified composition. computer calculation. asting brain power for the environment.” New: small coefficients ❑ defined by 3 coeffs. Only 2 degrees of freedom in ❊. Can’t expect small-height coeffs. ✿ ✿ ✿ unless everything lifts to Q. Choose non-square ∆ ✷ Q; distinct squares ✚1❀ ✚2❀ ✚3

• f norm-1 elements of Q(

♣ ∆); r ✷ Q( ♣ ∆) with ✚1✚2✚3 = r❂r. Define s = r(✚1 + ✚2 + ✚3). Then r①3 + s①2 + s① + r = r(① ✚1)(① ✚2)(① ✚3). Choose ☞ ✷ ♣ ☞ ❂ ✷ and (☞❂☞ ❂ ✷ ❢✚ ❀ ✚ ❀ ✚ ❣ Then the (r☞6 + s☞ ☞ s☞ ☞ r☞ ② r(1☞③ s ☞③ ☞③ s(1 ☞③ ☞③ r ☞③ has full 2-to In many Rosenhain ✕❀ ✖❀ ✗ have ✕✖ ✗ ✖ ✖ ✕ ✗ ✗ ✗ ✕ ✖ both squa so ❑ is defined (Degenerate

rmulas for ✓✵ Monagan–Pearce simplification” method. ✓ rm–conorm etc. e applied ✣2 to in ❍(F♣) ✂ ❍(F♣), efficients of ✓✵.

• lated formulas

✓ composition. calculation. power environment.” New: small coefficients ❑ defined by 3 coeffs. Only 2 degrees of freedom in ❊. Can’t expect small-height coeffs. ✿ ✿ ✿ unless everything lifts to Q. Choose non-square ∆ ✷ Q; distinct squares ✚1❀ ✚2❀ ✚3

• f norm-1 elements of Q(

♣ ∆); r ✷ Q( ♣ ∆) with ✚1✚2✚3 = r❂r. Define s = r(✚1 + ✚2 + ✚3). Then r①3 + s①2 + s① + r = r(① ✚1)(① ✚2)(① ✚3). Choose ☞ ✷ Q( ♣ ∆) ☞ ❂ ✷ and (☞❂☞)2 ❂ ✷ ❢✚1❀ ✚ ❀ ✚ ❣ Then the Scholten (r☞6 + s☞4☞2 + s☞ ☞ r☞ ② r(1☞③)6+s(1☞③ ☞③ s(1 ☞③)2(1 ☞③ r ☞③ has full 2-torsion over In many cases corresp Rosenhain paramete ✕❀ ✖❀ ✗ have ✕✖ ✗ and ✖(✖ ✕ ✗ ✗(✗ ✕ ✖ both squares in Q, so ❑ is defined over (Degenerate cases:

✓✵ Monagan–Pearce method. ✓ etc. ✣2 to ❍

♣ ✂ ❍(F♣),

• f ✓✵.

rmulas ✓ . calculation. environment.” New: small coefficients ❑ defined by 3 coeffs. Only 2 degrees of freedom in ❊. Can’t expect small-height coeffs. ✿ ✿ ✿ unless everything lifts to Q. Choose non-square ∆ ✷ Q; distinct squares ✚1❀ ✚2❀ ✚3

• f norm-1 elements of Q(

♣ ∆); r ✷ Q( ♣ ∆) with ✚1✚2✚3 = r❂r. Define s = r(✚1 + ✚2 + ✚3). Then r①3 + s①2 + s① + r = r(① ✚1)(① ✚2)(① ✚3). Choose ☞ ✷ Q( ♣ ∆) with ☞ ❂ ✷ and (☞❂☞)2 ❂ ✷ ❢✚1❀ ✚2❀ ✚3❣. Then the Scholten curve (r☞6 + s☞4☞2 + s☞2☞4 + r☞6 ② r(1☞③)6+s(1☞③)4(1☞③ s(1 ☞③)2(1 ☞③)4 + r(1 ☞③ has full 2-torsion over Q. In many cases corresponding Rosenhain parameters ✕❀ ✖❀ ✗ have ✕✖ ✗ and ✖(✖ 1)(✕ ✗ ✗(✗ 1)(✕ ✖ both squares in Q, so ❑ is defined over Q. (Degenerate cases: see paper.)

New: small coefficients ❑ defined by 3 coeffs. Only 2 degrees of freedom in ❊. Can’t expect small-height coeffs. ✿ ✿ ✿ unless everything lifts to Q. Choose non-square ∆ ✷ Q; distinct squares ✚1❀ ✚2❀ ✚3

• f norm-1 elements of Q(

♣ ∆); r ✷ Q( ♣ ∆) with ✚1✚2✚3 = r❂r. Define s = r(✚1 + ✚2 + ✚3). Then r①3 + s①2 + s① + r = r(① ✚1)(① ✚2)(① ✚3). Choose ☞ ✷ Q( ♣ ∆) with ☞ ❂ ✷ Q and (☞❂☞)2 ❂ ✷ ❢✚1❀ ✚2❀ ✚3❣. Then the Scholten curve (r☞6 + s☞4☞2 + s☞2☞4 + r☞6)②2 = r(1☞③)6+s(1☞③)4(1☞③)2+ s(1 ☞③)2(1 ☞③)4 + r(1 ☞③)6 has full 2-torsion over Q. In many cases corresponding Rosenhain parameters ✕❀ ✖❀ ✗ have ✕✖ ✗ and ✖(✖ 1)(✕ ✗) ✗(✗ 1)(✕ ✖) both squares in Q, so ❑ is defined over Q. (Degenerate cases: see paper.)

small coefficients ❑ defined by 3 coeffs. degrees of freedom in ❊. expect small-height coeffs. ✿ ✿ ✿ unless everything lifts to Q.

• se non-square ∆ ✷ Q;

distinct squares ✚1❀ ✚2❀ ✚3 rm-1 elements of Q( ♣ ∆); r ✷ ( ♣ ∆) with ✚1✚2✚3 = r❂r. s = r(✚1 + ✚2 + ✚3). r①3 + s①2 + s① + r = r ① ✚1)(① ✚2)(① ✚3). Choose ☞ ✷ Q( ♣ ∆) with ☞ ❂ ✷ Q and (☞❂☞)2 ❂ ✷ ❢✚1❀ ✚2❀ ✚3❣. Then the Scholten curve (r☞6 + s☞4☞2 + s☞2☞4 + r☞6)②2 = r(1☞③)6+s(1☞③)4(1☞③)2+ s(1 ☞③)2(1 ☞③)4 + r(1 ☞③)6 has full 2-torsion over Q. In many cases corresponding Rosenhain parameters ✕❀ ✖❀ ✗ have ✕✖ ✗ and ✖(✖ 1)(✕ ✗) ✗(✗ 1)(✕ ✖) both squares in Q, so ❑ is defined over Q. (Degenerate cases: see paper.) Example:

• ✚1 = (✐)2 ✚

✐ ❂ ✚3 = ((5 ✐ ❂ r ✐ s = 159 ✐ ☞ ✐ One Rosenhain ✕ = 10, ✖ ❂ ✗ Then ✕✖ ✗ and ✖(✖ ✕ ✗ ✗(✗ ✕ ✖ Larger exa r = 8648575 ✐ s = 40209279 ✐ coeffs (6137

efficients ❑ coeffs.

• f freedom in ❊.

all-height coeffs. ✿ ✿ ✿ everything lifts to Q. non-square ∆ ✷ Q; ✚1❀ ✚2❀ ✚3 elements of Q( ♣ ∆); r ✷ ♣ with ✚1✚2✚3 = r❂r. s r ✚1 + ✚2 + ✚3). r① s① + s① + r = r ① ✚ ① ✚ )(① ✚3). Choose ☞ ✷ Q( ♣ ∆) with ☞ ❂ ✷ Q and (☞❂☞)2 ❂ ✷ ❢✚1❀ ✚2❀ ✚3❣. Then the Scholten curve (r☞6 + s☞4☞2 + s☞2☞4 + r☞6)②2 = r(1☞③)6+s(1☞③)4(1☞③)2+ s(1 ☞③)2(1 ☞③)4 + r(1 ☞③)6 has full 2-torsion over Q. In many cases corresponding Rosenhain parameters ✕❀ ✖❀ ✗ have ✕✖ ✗ and ✖(✖ 1)(✕ ✗) ✗(✗ 1)(✕ ✖) both squares in Q, so ❑ is defined over Q. (Degenerate cases: see paper.) Example: Choose

• ✚1 = (✐)2, ✚2 = ((3

✐ ❂ ✚3 = ((5+12✐)❂13) r ✐ s = 159 + 56✐, ☞ = ✐ One Rosenhain choice ✕ = 10, ✖ = 5❂8, ✗ Then ✕✖ ✗ = 1 22 and ✖(✖ 1)(✕ ✗ ✗(✗ 1)(✕ ✖ Larger example: r = 8648575 15615600✐ s = 40209279 ✐ coeffs (6137 : 833

❑ in ❊. coeffs. ✿ ✿ ✿ to Q. ✷ ; ✚ ❀ ✚ ❀ ✚ ♣ ∆); r ✷ ♣ ✚ ✚ ✚ = r❂r. s r ✚ ✚ ✚3). r① s① s① r = r ① ✚ ① ✚ ① ✚ ). Choose ☞ ✷ Q( ♣ ∆) with ☞ ❂ ✷ Q and (☞❂☞)2 ❂ ✷ ❢✚1❀ ✚2❀ ✚3❣. Then the Scholten curve (r☞6 + s☞4☞2 + s☞2☞4 + r☞6)②2 = r(1☞③)6+s(1☞③)4(1☞③)2+ s(1 ☞③)2(1 ☞③)4 + r(1 ☞③)6 has full 2-torsion over Q. In many cases corresponding Rosenhain parameters ✕❀ ✖❀ ✗ have ✕✖ ✗ and ✖(✖ 1)(✕ ✗) ✗(✗ 1)(✕ ✖) both squares in Q, so ❑ is defined over Q. (Degenerate cases: see paper.) Example: Choose ∆ = 1; ✚1 = (✐)2, ✚2 = ((3 + 4✐)❂5) ✚3 = ((5+12✐)❂13)2; r = 33 ✐ s = 159 + 56✐, ☞ = ✐. One Rosenhain choice is ✕ = 10, ✖ = 5❂8, ✗ = 25. Then ✕✖ ✗ = 1 22 and ✖(✖ 1)(✕ ✗) ✗(✗ 1)(✕ ✖) = 1 402 Larger example: r = 8648575 15615600✐, s = 40209279 33245520✐ coeffs (6137 : 833 : 2275 : 2275).

Choose ☞ ✷ Q( ♣ ∆) with ☞ ❂ ✷ Q and (☞❂☞)2 ❂ ✷ ❢✚1❀ ✚2❀ ✚3❣. Then the Scholten curve (r☞6 + s☞4☞2 + s☞2☞4 + r☞6)②2 = r(1☞③)6+s(1☞③)4(1☞③)2+ s(1 ☞③)2(1 ☞③)4 + r(1 ☞③)6 has full 2-torsion over Q. In many cases corresponding Rosenhain parameters ✕❀ ✖❀ ✗ have ✕✖ ✗ and ✖(✖ 1)(✕ ✗) ✗(✗ 1)(✕ ✖) both squares in Q, so ❑ is defined over Q. (Degenerate cases: see paper.) Example: Choose ∆ = 1; ✚1 = (✐)2, ✚2 = ((3 + 4✐)❂5)2, ✚3 = ((5+12✐)❂13)2; r = 33+56✐, s = 159 + 56✐, ☞ = ✐. One Rosenhain choice is ✕ = 10, ✖ = 5❂8, ✗ = 25. Then ✕✖ ✗ = 1 22 and ✖(✖ 1)(✕ ✗) ✗(✗ 1)(✕ ✖) = 1 402 . Larger example: r = 8648575 15615600✐, s = 40209279 33245520✐; coeffs (6137 : 833 : 2275 : 2275).

• se ☞ ✷ Q(

♣ ∆) with ☞ ❂ ✷ Q ☞❂☞)2 ❂ ✷ ❢✚1❀ ✚2❀ ✚3❣. the Scholten curve r☞ s☞4☞2 + s☞2☞4 + r☞6)②2 = r ☞③)6+s(1☞③)4(1☞③)2+ s ☞③)2(1 ☞③)4 + r(1 ☞③)6 full 2-torsion over Q. many cases corresponding Rosenhain parameters ✕❀ ✖❀ ✗ ✕✖ ✗ and ✖(✖ 1)(✕ ✗) ✗(✗ 1)(✕ ✖) squares in Q, ❑ is defined over Q. (Degenerate cases: see paper.) Example: Choose ∆ = 1; ✚1 = (✐)2, ✚2 = ((3 + 4✐)❂5)2, ✚3 = ((5+12✐)❂13)2; r = 33+56✐, s = 159 + 56✐, ☞ = ✐. One Rosenhain choice is ✕ = 10, ✖ = 5❂8, ✗ = 25. Then ✕✖ ✗ = 1 22 and ✖(✖ 1)(✕ ✗) ✗(✗ 1)(✕ ✖) = 1 402 . Larger example: r = 8648575 15615600✐, s = 40209279 33245520✐; coeffs (6137 : 833 : 2275 : 2275).

☞ ✷ ♣ ∆) with ☞ ❂ ✷ Q ☞❂☞ ❂ ✷ ❢✚1❀ ✚2❀ ✚3❣. Scholten curve r☞ s☞ ☞ s☞2☞4 + r☞6)②2 = r ☞③ s ☞③)4(1☞③)2+ s ☞③ ☞③)4 + r(1 ☞③)6

• ver Q.

corresponding rameters ✕❀ ✖❀ ✗ ✕✖ ✗ ✖(✖ 1)(✕ ✗) ✗(✗ 1)(✕ ✖) Q, ❑

• ver Q.

cases: see paper.) Example: Choose ∆ = 1; ✚1 = (✐)2, ✚2 = ((3 + 4✐)❂5)2, ✚3 = ((5+12✐)❂13)2; r = 33+56✐, s = 159 + 56✐, ☞ = ✐. One Rosenhain choice is ✕ = 10, ✖ = 5❂8, ✗ = 25. Then ✕✖ ✗ = 1 22 and ✖(✖ 1)(✕ ✗) ✗(✗ 1)(✕ ✖) = 1 402 . Larger example: r = 8648575 15615600✐, s = 40209279 33245520✐; coeffs (6137 : 833 : 2275 : 2275).

☞ ✷ ♣ ☞ ❂ ✷ Q ☞❂☞ ❂ ✷ ❢✚ ❀ ✚ ❀ ✚ ❣. r☞ s☞ ☞ s☞ ☞ r☞6)②2 = r ☞③ s ☞③ ☞③)2+ s ☞③ ☞③ r(1 ☞③)6

• nding

✕❀ ✖❀ ✗ ✕✖ ✗ ✖ ✖ ✕ ✗) ✗ ✗ ✕ ✖) ❑ paper.) Example: Choose ∆ = 1; ✚1 = (✐)2, ✚2 = ((3 + 4✐)❂5)2, ✚3 = ((5+12✐)❂13)2; r = 33+56✐, s = 159 + 56✐, ☞ = ✐. One Rosenhain choice is ✕ = 10, ✖ = 5❂8, ✗ = 25. Then ✕✖ ✗ = 1 22 and ✖(✖ 1)(✕ ✗) ✗(✗ 1)(✕ ✖) = 1 402 . Larger example: r = 8648575 15615600✐, s = 40209279 33245520✐; coeffs (6137 : 833 : 2275 : 2275).

Example: Choose ∆ = 1; ✚1 = (✐)2, ✚2 = ((3 + 4✐)❂5)2, ✚3 = ((5+12✐)❂13)2; r = 33+56✐, s = 159 + 56✐, ☞ = ✐. One Rosenhain choice is ✕ = 10, ✖ = 5❂8, ✗ = 25. Then ✕✖ ✗ = 1 22 and ✖(✖ 1)(✕ ✗) ✗(✗ 1)(✕ ✖) = 1 402 . Larger example: r = 8648575 15615600✐, s = 40209279 33245520✐; coeffs (6137 : 833 : 2275 : 2275).