SafeCurves: choosing safe curves for elliptic-curve cryptography

Daniel J. Bernstein, University of Illinois at Chicago & Technische Universiteit Eindhoven
Tanja Lange, Technische Universiteit Eindhoven

http://safecurves.cr.yp.to

Cryptography

  • Public-key signatures: e.g., RSA, DSA, ECDSA. Some uses: signed OS updates, SSL certificates, e-passports.
  • Public-key encryption: e.g., RSA, DH, ECDH. Some uses: SSL key exchange, locked iPhone mail download.
  • Secret-key encryption: e.g., AES, Salsa20. Some uses: disk encryption, bulk SSL encryption.


Why ECC?

“Index calculus”: fastest method we know to break original DH and RSA.

Long history, including many major improvements:

  • 1975, CFRAC;
  • 1977, linear sieve (LS);
  • 1982, quadratic sieve (QS);
  • 1990, number-field sieve (NFS);
  • 1994, function-field sieve (FFS);
  • 2006, medium-prime FFS/NFS;
  • 2013, $x^q - x$ FFS.

(FFS is not relevant to RSA.)

Also many smaller improvements: $\approx 100$ scientific papers.

Costs of these algorithms for breaking RSA-1024, RSA-2048:

  • $\approx 2^{120}$, $2^{170}$, CFRAC;
  • $\approx 2^{110}$, $2^{160}$, LS;
  • $\approx 2^{100}$, $2^{150}$, QS;
  • $\approx 2^{80}$, $2^{112}$, NFS.

1986 Miller “Use of elliptic curves in cryptography”: “It is extremely unlikely that an ‘index calculus’ attack on the elliptic curve method will ever be able to work.”


The clock

[Figure: the clock, a circle drawn on $x$ and $y$ axes.]

This is the curve $x^2 + y^2 = 1$.

Warning: This is not an elliptic curve. “Elliptic curve” $\neq$ “ellipse.”

Examples of points on this curve:

  • $(0, 1)$ = “12:00”.
  • $(0, -1)$ = “6:00”.
  • $(1, 0)$ = “3:00”.
  • $(-1, 0)$ = “9:00”.
  • $(\sqrt{3/4}, 1/2)$ = “2:00”.
  • $(1/2, -\sqrt{3/4})$ = “5:00”.
  • $(-1/2, -\sqrt{3/4})$ = “7:00”.
  • $(\sqrt{1/2}, \sqrt{1/2})$ = “1:30”.
  • $(3/5, 4/5)$. $(-3/5, 4/5)$.
  • $(3/5, -4/5)$. $(-3/5, -4/5)$.
  • $(4/5, 3/5)$. $(-4/5, 3/5)$.
  • $(4/5, -3/5)$. $(-4/5, -3/5)$.
  • Many more.


Addition on the clock:

[Figure: the clock on $x$ and $y$ axes, showing neutral = $(0, 1)$, $P_1 = (x_1, y_1)$ at angle $\alpha_1$, $P_2 = (x_2, y_2)$ and $P_3 = (x_3, y_3)$.]

$x^2 + y^2 = 1$, parametrized by $x = \sin\alpha$, $y = \cos\alpha$.

Recall
$(\sin(\alpha_1 + \alpha_2), \cos(\alpha_1 + \alpha_2)) = (\sin\alpha_1 \cos\alpha_2 + \cos\alpha_1 \sin\alpha_2, \cos\alpha_1 \cos\alpha_2 - \sin\alpha_1 \sin\alpha_2)$.


Clock addition without sin, cos:

[Figure: the clock on $x$ and $y$ axes, showing neutral = $(0, 1)$, $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$ and $P_3 = (x_3, y_3)$.]

Use Cartesian coordinates for addition. Addition formula for the clock $x^2 + y^2 = 1$: sum of $(x_1, y_1)$ and $(x_2, y_2)$ is $(x_1 y_2 + y_1 x_2, y_1 y_2 - x_1 x_2)$.


Examples of clock addition:

  • “2:00” + “5:00” = $(\sqrt{3/4}, 1/2) + (1/2, -\sqrt{3/4}) = (-1/2, -\sqrt{3/4})$ = “7:00”.
  • “5:00” + “9:00” = $(1/2, -\sqrt{3/4}) + (-1, 0) = (\sqrt{3/4}, 1/2)$ = “2:00”.
  • $2(3/5, 4/5) = (24/25, 7/25)$.
  • $3(3/5, 4/5) = (117/125, -44/125)$.
  • $4(3/5, 4/5) = (336/625, -527/625)$.
  • $(x_1, y_1) + (0, 1) = (x_1, y_1)$.
  • $(x_1, y_1) + (-x_1, y_1) = (0, 1)$.


Clocks over finite fields

[Figure: the points of $\mathrm{Clock}(\mathbf{F}_7)$ plotted on a grid.]

$\mathrm{Clock}(\mathbf{F}_7) = \{(x, y) \in \mathbf{F}_7 \times \mathbf{F}_7 : x^2 + y^2 = 1\}$.

Here $\mathbf{F}_7 = \{0, 1, 2, 3, 4, 5, 6\} = \{0, 1, 2, 3, -3, -2, -1\}$ with arithmetic modulo 7.

e.g. $2 \cdot 5 = 3$ and $3/2 = 5$ in $\mathbf{F}_7$.


slide-62
SLIDE 62

Clocks over finite fields ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ Clock(F7) = ✟ (①❀ ②) ✷ F7 ✂ F7 : ①2 + ②2 = 1 ✠ . Here F7 = ❢0❀ 1❀ 2❀ 3❀ 4❀ 5❀ 6❣ = ❢0❀ 1❀ 2❀ 3❀ 3❀ 2❀ 1❣ with arithmetic modulo 7. e.g. 2 ✁ 5 = 3 and 3❂2 = 5 in F7. Larger example: Clock(F1000003). Examples of addition

  • n Clock(F1000003):

2(1000❀ 2) = (4000❀ 7). 4(1000❀ 2) = (56000❀ 97). 8(1000❀ 2) = (863970❀ 18817). 16(1000❀ 2) = (549438❀ 156853). 17(1000❀ 2) = (951405❀ 877356).

slide-63
SLIDE 63

Larger example: $\mathrm{Clock}(\mathbf{F}_{1000003})$.

Examples of addition on $\mathrm{Clock}(\mathbf{F}_{1000003})$:

$2(1000, 2) = (4000, 7)$.
$4(1000, 2) = (56000, 97)$.
$8(1000, 2) = (863970, 18817)$.
$16(1000, 2) = (549438, 156853)$.
$17(1000, 2) = (951405, 877356)$.

“Scalar multiplication” on a clock: Given integer $n \ge 0$ and clock point $(x, y)$, compute $n(x, y)$.

slide-68
SLIDE 68

“Binary method”: If $n$ is even, compute $n(x, y)$ by doubling $(n/2)(x, y)$. Otherwise compute $n(x, y)$ by adding $(x, y)$ to $(n - 1)(x, y)$.

This is very fast.

But figuring out $n$ given $(x, y)$ and $n(x, y)$ is much more difficult.

With 30 clock additions we computed $n(1000, 2) = (947472, 736284)$ for some 6-digit $n$. Can you figure out $n$?

slide-72
SLIDE 72

Clock cryptography

Standardize a large prime $p$ and some $(x, y) \in \mathrm{Clock}(\mathbf{F}_p)$.

Alice chooses big secret $a$. Computes her public key $a(x, y)$.
Bob chooses big secret $b$. Computes his public key $b(x, y)$.

Alice computes $a(b(x, y))$. Bob computes $b(a(x, y))$.
They use this shared secret to encrypt with AES-GCM etc.

Warning #1: Many choices of $p$ are bad!
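
The binary method and the clock key exchange described above, as an added Python example (not code from the slides). It uses the slides' toy prime 1000003 and point (1000, 2); the function names and the on-clock check on received public keys are assumptions of this example.

```python
"""Clock group over F_p: addition, the binary method, and the clock DH exchange."""
import secrets

P = 1000003          # the slides' example prime (far too small for real use)
BASE = (1000, 2)     # the slides' example point on Clock(F_P)
NEUTRAL = (0, 1)     # "12:00", the identity for clock addition


def on_clock(point, p=P):
    """True if (x, y) is reduced mod p and satisfies x^2 + y^2 = 1 in F_p."""
    x, y = point
    return 0 <= x < p and 0 <= y < p and (x * x + y * y) % p == 1


def clock_add(p1, p2, p=P):
    """(x1, y1) + (x2, y2) = (x1*y2 + y1*x2, y1*y2 - x1*x2) in F_p."""
    (x1, y1), (x2, y2) = p1, p2
    return ((x1 * y2 + y1 * x2) % p, (y1 * y2 - x1 * x2) % p)


def scalar_mult(n, point, p=P, counter=None):
    """Binary method as stated on the slide.

    If counter is a one-element list, counter[0] is incremented once per
    clock addition (doublings included).
    """
    if n == 0:
        return NEUTRAL
    if n == 1:
        return point
    if n % 2 == 0:
        half = scalar_mult(n // 2, point, p, counter)
        result = clock_add(half, half, p)          # doubling
    else:
        result = clock_add(point, scalar_mult(n - 1, point, p, counter), p)
    if counter is not None:
        counter[0] += 1
    return result


def keypair(p=P, base=BASE):
    """Return (secret scalar, public point). Secret range fits the toy prime."""
    secret = 2 + secrets.randbelow(p - 2)
    return secret, scalar_mult(secret, base, p)


def shared_secret(own_secret, peer_public, p=P):
    """Compute own_secret * peer_public after checking the input point.

    The on-clock check is an addition of this example: it rejects input
    that is not a point of Clock(F_p) before the secret scalar touches it.
    """
    if not on_clock(peer_public, p):
        raise ValueError("peer public key is not a point on Clock(F_p)")
    return scalar_mult(own_secret, peer_public, p)


if __name__ == "__main__":
    for n in (2, 4, 8, 16, 17):
        print(n, scalar_mult(n, BASE))
    a, a_pub = keypair()
    b, b_pub = keypair()
    print("shared secrets match:", shared_secret(a, b_pub) == shared_secret(b, a_pub))
```
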

slide-77
SLIDE 77

Alice’s secret key $a$; Bob’s secret key $b$.
Alice’s public key $a(x, y)$; Bob’s public key $b(x, y)$.
{Alice, Bob}’s shared secret $ab(x, y)$ = {Bob, Alice}’s shared secret $ba(x, y)$.

Warning #2: Clocks aren’t elliptic! Can use index calculus to attack clock cryptography. To match RSA-3072 security need $p \approx 2^{1536}$.

SLIDE 81

Timing attacks

Attacker sees more than $a(x, y)$ and $b(x, y)$.

Attacker sees time for Alice to compute $a(b(x, y))$. Often attacker can see time for each operation performed by Alice, not just total time. This reveals secret $a$.

Fix: constant-time code, performing same operations no matter what scalar is.
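
Why the per-operation view reveals the scalar, and what "same operations no matter what scalar is" looks like, as an added Python example (not code from the slides). It models only the sequence of clock operations; Python integer arithmetic is not itself constant-time, and the function names and the fixed bit length are assumptions of this example.

```python
"""Operation schedule of the binary method vs. a fixed schedule, on Clock(F_P)."""

P = 1000003          # the slides' example prime
NEUTRAL = (0, 1)


def clock_add(p1, p2):
    """Clock addition law from the slides, in F_P."""
    (x1, y1), (x2, y2) = p1, p2
    return ((x1 * y2 + y1 * x2) % P, (y1 * y2 - x1 * x2) % P)


def binary_method_ops(n, point, bits):
    """Left-to-right binary method; returns (result, operation string).

    'D' is logged for each doubling, 'A' for each addition of `point`.
    The addition happens only for 1 bits, so the schedule depends on n.
    """
    acc, ops = NEUTRAL, []
    for i in reversed(range(bits)):
        acc = clock_add(acc, acc)
        ops.append("D")
        if (n >> i) & 1:
            acc = clock_add(acc, point)
            ops.append("A")
    return acc, "".join(ops)


def fixed_schedule_ops(n, point, bits):
    """Same result, but every bit costs one doubling and one addition.

    The sum is always computed; the bit only selects, arithmetically,
    which of the two values is kept.
    """
    acc, ops = NEUTRAL, []
    for i in reversed(range(bits)):
        acc = clock_add(acc, acc)
        ops.append("D")
        summed = clock_add(acc, point)
        ops.append("A")
        bit = (n >> i) & 1
        acc = tuple((bit * s + (1 - bit) * a) % P for s, a in zip(summed, acc))
    return acc, "".join(ops)


def scalar_read_from_ops(ops):
    """What an observer of the binary method's schedule learns: the scalar."""
    n = 0
    for op in ops:
        n = n * 2 if op == "D" else n + 1
    return n


if __name__ == "__main__":
    pt = (1000, 2)
    for scalar in (0b101101, 0b110011):      # constructed sample scalars
        _, leaky = binary_method_ops(scalar, pt, 6)
        _, fixed = fixed_schedule_ops(scalar, pt, 6)
        print(f"{scalar:06b}  binary method: {leaky:<12} fixed schedule: {fixed}")
```
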

slide-85
SLIDE 85

Addition on an elliptic curve

[Diagram: the curve in the $(x, y)$ plane with marked points neutral $= (0, 1)$, $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$, $P_3 = (x_3, y_3)$.]

$x^2 + y^2 = 1 - 30x^2y^2$.

Sum of $(x_1, y_1)$ and $(x_2, y_2)$ is
$\left((x_1y_2 + y_1x_2)/(1 - 30x_1x_2y_1y_2),\ (y_1y_2 - x_1x_2)/(1 + 30x_1x_2y_1y_2)\right)$.

slide-89
SLIDE 89

The clock again, for comparison:

[Diagram: the clock in the $(x, y)$ plane with marked points neutral $= (0, 1)$, $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$, $P_3 = (x_3, y_3)$.]

$x^2 + y^2 = 1$.

Sum of $(x_1, y_1)$ and $(x_2, y_2)$ is $(x_1y_2 + y_1x_2,\ y_1y_2 - x_1x_2)$.

slide-93
SLIDE 93

More elliptic curves

Choose an odd prime $p$. Choose a non-square $d \in \mathbf{F}_p$.

$\{(x, y) \in \mathbf{F}_p \times \mathbf{F}_p : x^2 + y^2 = 1 + dx^2y^2\}$ is a “complete Edwards curve”.

“The Edwards addition law”: $(x_1, y_1) + (x_2, y_2) = (x_3, y_3)$ where

$x_3 = \dfrac{x_1y_2 + y_1x_2}{1 + dx_1x_2y_1y_2}$, $\quad y_3 = \dfrac{y_1y_2 - x_1x_2}{1 - dx_1x_2y_1y_2}$.

slide-100
SLIDE 100

“Hey, there are divisions in the Edwards addition law! What if the denominators are 0?”

Answer: Can prove that the denominators are never 0. Addition law is complete.

This proof relies on choosing non-square $d$.

If we instead choose square $d$: curve is still elliptic, and addition seems to work, but there are failure cases, often exploitable by attackers.

Safe code is more complicated.
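
The completeness claim checked exhaustively on a small field, as an added Python example (not code from the slides). The prime 13 and the values d = 2 (non-square) and d = 4 (square) are constructed for this example; the last lines check, with Euler's criterion, the non-square claim made for $p = 2^{255} - 19$, $d = 121665/121666$.

```python
"""Edwards addition law: zero denominators for square d, none for non-square d."""


def is_square(a, p):
    """Euler's criterion in F_p for an odd prime p (0 counts as a square)."""
    a %= p
    return a == 0 or pow(a, (p - 1) // 2, p) == 1


def edwards_points(p, d):
    """All (x, y) in F_p x F_p with x^2 + y^2 = 1 + d x^2 y^2 (small p only)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (x * x + y * y - 1 - d * x * x * y * y) % p == 0]


def zero_denominator_pairs(p, d):
    """Pairs of curve points for which a denominator 1 +/- d*x1*x2*y1*y2 is 0."""
    pts = edwards_points(p, d)
    bad = []
    for (x1, y1) in pts:
        for (x2, y2) in pts:
            t = d * x1 * x2 * y1 * y2 % p
            if (1 + t) % p == 0 or (1 - t) % p == 0:
                bad.append(((x1, y1), (x2, y2)))
    return bad


def edwards_add(p1, p2, p, d):
    """The Edwards addition law; raises if a denominator is 0."""
    (x1, y1), (x2, y2) = p1, p2
    t = d * x1 * x2 * y1 * y2 % p
    den_x, den_y = (1 + t) % p, (1 - t) % p
    if den_x == 0 or den_y == 0:
        raise ZeroDivisionError("addition law undefined for this pair of points")
    x3 = (x1 * y2 + y1 * x2) * pow(den_x, p - 2, p) % p   # division via Fermat inverse
    y3 = (y1 * y2 - x1 * x2) * pow(den_y, p - 2, p) % p
    return (x3, y3)


# Parameters of the "safe example" on the slides.
P25519 = 2**255 - 19
D25519 = 121665 * pow(121666, P25519 - 2, P25519) % P25519


if __name__ == "__main__":
    small_p = 13                                   # constructed toy prime
    for d in (2, 4):                               # 2 is non-square mod 13, 4 is square
        kind = "square" if is_square(d, small_p) else "non-square"
        bad = zero_denominator_pairs(small_p, d)
        print(f"p={small_p} d={d} ({kind}): {len(edwards_points(small_p, d))} points, "
              f"{len(bad)} pairs with a zero denominator")
    print("d = 121665/121666 is a square mod 2^255 - 19:", is_square(D25519, P25519))
```
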

slide-106
SLIDE 106

A safe example

Choose $p = 2^{255} - 19$. Choose $d = 121665/121666$; this is non-square in $\mathbf{F}_p$.

$x^2 + y^2 = 1 + dx^2y^2$ is a safe curve for ECC.

$-x^2 + y^2 = 1 - dx^2y^2$ is another safe curve using the same $p$ and $d$.

Actually, the second curve is the first curve in disguise: replace $x$ in first curve by $\sqrt{-1} \cdot x$, using $\sqrt{-1} \in \mathbf{F}_p$.

slide-110
SLIDE 110

A safe example

Choose $p = 2^{255} - 19$. Choose $d = 121665/121666$; this is non-square in $\mathbf{F}_p$.

$x^2 + y^2 = 1 + d x^2 y^2$ is a safe curve for ECC.

$-x^2 + y^2 = 1 - d x^2 y^2$ is another safe curve using the same $p$ and $d$.

Actually, the second curve is the first curve in disguise: replace $x$ in first curve by $\sqrt{-1} \cdot x$, using $\sqrt{-1} \in \mathbf{F}_p$.

Even more elliptic curves

Edwards curves: $x^2 + y^2 = 1 + d x^2 y^2$.
Twisted Edwards curves: $a x^2 + y^2 = 1 + d x^2 y^2$.
Weierstrass curves: $v^2 = u^3 + a u + b$.
Montgomery curves: $b v^2 = u^3 + a u^2 + u$.

Many relationships: e.g., substitute $x = u/v$, $y = (u - 1)/(u + 1)$ in Edwards to obtain Montgomery.
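
The statements on this slide can be checked with integer arithmetic. The following is an added example, not code from the talk: the function names are made up here, and the Montgomery coefficients a = 2(1+d)/(1-d), b = 4/(1-d) are derived from the slide's substitution rather than stated on it.

```python
# Added example: checks the "safe example" slide with plain integer arithmetic.
p = 2**255 - 19
d = 121665 * pow(121666, -1, p) % p          # d = 121665/121666 in F_p

def is_square(a):
    """Euler's criterion: a nonzero a is a square in F_p iff a^((p-1)/2) = 1."""
    a %= p
    return a == 0 or pow(a, (p - 1) // 2, p) == 1

def sqrt_mod(a):
    """Square root in F_p, valid because p = 5 (mod 8); None for a non-square."""
    a %= p
    r = pow(a, (p + 3) // 8, p)
    if r * r % p != a:
        r = r * pow(2, (p - 1) // 4, p) % p   # multiply by a square root of -1
    return r if r * r % p == a else None

SQRT_M1 = sqrt_mod(-1)                        # exists because p = 1 (mod 4)

def on_first(x, y):                           # x^2 + y^2 = 1 + d x^2 y^2
    return (x*x + y*y - 1 - d*x*x*y*y) % p == 0

def on_second(x, y):                          # -x^2 + y^2 = 1 - d x^2 y^2
    return (-x*x + y*y - 1 + d*x*x*y*y) % p == 0

def find_point():
    """First y >= 2 with a point (x, y) on the first curve.
    1 - d*y^2 is never 0, because d*y^2 = 1 would make d a square."""
    y = 2
    while True:
        x = sqrt_mod((1 - y*y) * pow(1 - d*y*y, -1, p))
        if x is not None:
            return x, y
        y += 1

# Coefficients produced by the substitution x = u/v, y = (u-1)/(u+1):
# b*v^2 = u^3 + a*u^2 + u with a = 2(1+d)/(1-d), b = 4/(1-d).
MONT_A = 2 * (1 + d) * pow(1 - d, -1, p) % p
MONT_B = 4 * pow(1 - d, -1, p) % p

def to_montgomery(x, y):
    """Invert the substitution: u = (1+y)/(1-y), v = u/x."""
    u = (1 + y) * pow(1 - y, -1, p) % p
    return u, u * pow(x, -1, p) % p

def on_montgomery(u, v):
    return (MONT_B*v*v - (u**3 + MONT_A*u*u + u)) % p == 0

if __name__ == "__main__":
    x, y = find_point()
    print("d is a square:", is_square(d))
    print("point on first curve:", on_first(x, y))
    print("(sqrt(-1)*x, y) on second curve:", on_second(SQRT_M1 * x % p, y))
    print("Montgomery a, b:", MONT_A, MONT_B)
    print("mapped point on Montgomery curve:", on_montgomery(*to_montgomery(x, y)))
```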

slide-116
SLIDE 116

Even more elliptic curves

Edwards curves: $x^2 + y^2 = 1 + d x^2 y^2$.
Twisted Edwards curves: $a x^2 + y^2 = 1 + d x^2 y^2$.
Weierstrass curves: $v^2 = u^3 + a u + b$.
Montgomery curves: $b v^2 = u^3 + a u^2 + u$.

Many relationships: e.g., substitute $x = u/v$, $y = (u - 1)/(u + 1)$ in Edwards to obtain Montgomery.

Addition on Weierstrass curves $v^2 = u^3 + a u + b$:

for $u_1 \ne u_2$, $(u_1, v_1) + (u_2, v_2) = (u_3, v_3)$ with $u_3 = \lambda^2 - u_1 - u_2$, $v_3 = \lambda(u_1 - u_3) - v_1$, $\lambda = (v_2 - v_1)/(u_2 - u_1)$;

for $v_1 \ne 0$, $(u_1, v_1) + (u_1, v_1) = (u_3, v_3)$ with $u_3 = \lambda^2 - u_1 - u_2$, $v_3 = \lambda(u_1 - u_3) - v_1$, $\lambda = (3u_1^2 + a)/2v_1$;

$(u_1, v_1) + (u_1, -v_1) = \infty$;
$(u_1, v_1) + \infty = (u_1, v_1)$;
$\infty + (u_2, v_2) = (u_2, v_2)$;
$\infty + \infty = \infty$.

Messy to implement and test.
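
Why the case list is messy to test, shown as an added example (not code from the talk) on a constructed toy curve v^2 = u^3 + 2u + 3 over F_97: the generic formula alone gives no answer on exactly the inputs the other cases cover, and with a 256-bit prime random test inputs would almost never reach them. All names below are made up for the illustration.

```python
# Added example on a constructed toy curve v^2 = u^3 + 2u + 3 over F_97.
P_MOD, A, B = 97, 2, 3
INF = None                                   # the point at infinity

def on_curve(P):
    if P is INF:
        return True
    u, v = P
    return (v*v - (u**3 + A*u + B)) % P_MOD == 0

def all_points():
    """Every point of the toy curve, infinity first (brute force, toy sizes only)."""
    return [INF] + [(u, v) for u in range(P_MOD) for v in range(P_MOD)
                    if on_curve((u, v))]

def add(P, Q):
    """The full addition law from the slide, one branch per case."""
    if P is INF:                             # infinity + Q = Q
        return Q
    if Q is INF:                             # P + infinity = P
        return P
    (u1, v1), (u2, v2) = P, Q
    if u1 != u2:                             # generic case
        lam = (v2 - v1) * pow(u2 - u1, -1, P_MOD) % P_MOD
    elif (v1 + v2) % P_MOD == 0:             # (u1, v1) + (u1, -v1) = infinity
        return INF
    else:                                    # doubling with v1 != 0
        lam = (3*u1*u1 + A) * pow(2*v1, -1, P_MOD) % P_MOD
    u3 = (lam*lam - u1 - u2) % P_MOD
    v3 = (lam*(u1 - u3) - v1) % P_MOD
    return (u3, v3)

def add_generic_only(P, Q):
    """Only the u1 != u2 formula: raises on every input the other cases cover."""
    (u1, v1), (u2, v2) = P, Q                # TypeError if P or Q is infinity
    lam = (v2 - v1) * pow(u2 - u1, -1, P_MOD) % P_MOD   # ValueError if u1 == u2
    u3 = (lam*lam - u1 - u2) % P_MOD
    return (u3, (lam*(u1 - u3) - v1) % P_MOD)

def generic_failures(points):
    """All input pairs for which the generic formula alone gives no answer."""
    bad = []
    for P in points:
        for Q in points:
            try:
                add_generic_only(P, Q)
            except (TypeError, ValueError):
                bad.append((P, Q))
    return bad

def multiply(n, P):
    """n*P by double-and-add, built on the full law."""
    R = INF
    while n:
        if n & 1:
            R = add(R, P)
        P, n = add(P, P), n >> 1
    return R

if __name__ == "__main__":
    pts = all_points()
    bad = generic_failures(pts)
    print(len(pts), "points;", len(bad), "of", len(pts)**2,
          "input pairs need a special case")
```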

slide-120
SLIDE 120

Addition on Weierstrass curves $v^2 = u^3 + a u + b$:

for $u_1 \ne u_2$, $(u_1, v_1) + (u_2, v_2) = (u_3, v_3)$ with $u_3 = \lambda^2 - u_1 - u_2$, $v_3 = \lambda(u_1 - u_3) - v_1$, $\lambda = (v_2 - v_1)/(u_2 - u_1)$;

for $v_1 \ne 0$, $(u_1, v_1) + (u_1, v_1) = (u_3, v_3)$ with $u_3 = \lambda^2 - u_1 - u_2$, $v_3 = \lambda(u_1 - u_3) - v_1$, $\lambda = (3u_1^2 + a)/2v_1$;

$(u_1, v_1) + (u_1, -v_1) = \infty$;
$(u_1, v_1) + \infty = (u_1, v_1)$;
$\infty + (u_2, v_2) = (u_2, v_2)$;
$\infty + \infty = \infty$.

Messy to implement and test.

Much nicer than Weierstrass: Montgomery-curve ECDH using the “Montgomery ladder”—our recommended method for Diffie–Hellman key exchange (e.g., for forward secrecy).

Montgomery ladder works only with $u$-coordinates of curve points $P$.

Montgomery ladder computes $nP$ and $(n + 1)P$ recursively from $\lfloor n/2 \rfloor P$ and $(\lfloor n/2 \rfloor + 1)P$ using one bit of $n$ with no branches.

slide-124
SLIDE 124

Much nicer than Weierstrass: Montgomery-curve ECDH using the “Montgomery ladder”—our recommended method for Diffie–Hellman key exchange (e.g., for forward secrecy).

Montgomery ladder works only with $u$-coordinates of curve points $P$.

Montgomery ladder computes $nP$ and $(n + 1)P$ recursively from $\lfloor n/2 \rfloor P$ and $(\lfloor n/2 \rfloor + 1)P$ using one bit of $n$ with no branches.

Curve selection

Many different standards:
1999 ANSI X9.62.
2000 IEEE P1363.
2000 SEC 2.
2000 NIST FIPS 186-2.
2001 ANSI X9.63.
2005 Brainpool.
2005 NSA Suite B.
2011 ANSSI FRP256V1.

Our new evaluation site: http://safecurves.cr.yp.to

slide-128
SLIDE 128

Curve selection

Many different standards:
1999 ANSI X9.62.
2000 IEEE P1363.
2000 SEC 2.
2000 NIST FIPS 186-2.
2001 ANSI X9.63.
2005 Brainpool.
2005 NSA Suite B.
2011 ANSSI FRP256V1.

Our new evaluation site: http://safecurves.cr.yp.to

Avoiding known attacks

The curve must be elliptic.

The number of curve points must be divisible by a large prime number $\ell$.

Standard attacks take time $\sqrt{\ell}$. $\ell \approx 2^{200}$ is adequate; $\ell \approx 2^{256}$ is conservative.

$\ell$ must not divide $p;\ p - 1;\ p^2 - 1;\ p^3 - 1;\ \ldots;\ p^{20} - 1$. This guarantees that there are no “transfers” to clocks etc.

slide-132
SLIDE 132

Avoiding known attacks

The curve must be elliptic.

The number of curve points must be divisible by a large prime number $\ell$.

Standard attacks take time $\sqrt{\ell}$. $\ell \approx 2^{200}$ is adequate; $\ell \approx 2^{256}$ is conservative.

$\ell$ must not divide $p;\ p - 1;\ p^2 - 1;\ p^3 - 1;\ \ldots;\ p^{20} - 1$. This guarantees that there are no “transfers” to clocks etc.

Avoiding unnecessary structure

Simplify the security story: avoid possible attack vectors even if no attacks are known.

Require large “CM field discriminant”. See, e.g., SafeCurves.

Brainpool, Suite B, ANSSI, SafeCurves: require prime $p$.

Brainpool and SafeCurves: prohibit $\ell$ dividing $p^k - 1$ for each $k < (\ell - 1)/100$.
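
The known-attack checks above, applied to two parameter sets as an added example (not SafeCurves' own verification code). The group order of the $p = 2^{255} - 19$ curve is a well-known constant that is not on the slide, the toy curve v^2 = u^3 + u over F_1019 is constructed here to fail the transfer check, and only the bound k <= 20 is tested, not the stricter Brainpool/SafeCurves bound.

```python
# Added example: the slide's checks as code. Names are made up for the illustration.
import math

P25519 = 2**255 - 19
# Prime order of the standard base-point subgroup for this p (known constant,
# not taken from the slide).
ELL25519 = 2**252 + 27742317777372353535851937790883648493

def smallest_transfer_degree(p, ell, kmax=20):
    """Smallest k in 1..kmax with ell | p^k - 1, or None if there is none."""
    t = 1
    for k in range(1, kmax + 1):
        t = t * p % ell
        if t == 1:
            return k
    return None

def check_curve(p, ell, kmax=20):
    """Report the slide's criteria for field prime p and subgroup order ell."""
    return {
        "rho_bits": math.log2(ell) / 2,          # attacks take about sqrt(ell)
        "ell_divides_p": p % ell == 0,           # must be False
        "transfer_degree": smallest_transfer_degree(p, ell, kmax),  # must be None
    }

def count_points(p, a, b):
    """Points on v^2 = u^3 + a*u + b over F_p including infinity (toy sizes only)."""
    n = 1
    for u in range(p):
        rhs = (u**3 + a*u + b) % p
        if rhs == 0:
            n += 1                               # one point with v = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:
            n += 2                               # two points, v and -v
    return n

def largest_prime_factor(n):
    """Trial division; fine for the toy group order below."""
    f, best = 2, 1
    while f * f <= n:
        while n % f == 0:
            best, n = f, n // f
        f += 1
    return n if n > 1 else best

if __name__ == "__main__":
    print("p = 2^255 - 19:", check_curve(P25519, ELL25519))
    toy_p = 1019                                  # constructed: prime, 3 mod 4
    order = count_points(toy_p, 1, 0)             # v^2 = u^3 + u
    toy_ell = largest_prime_factor(order)
    print("toy curve: order", order, "ell", toy_ell, check_curve(toy_p, toy_ell))
```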

slide-136
SLIDE 136

Avoiding unnecessary structure

Simplify the security story: avoid possible attack vectors even if no attacks are known.

Require large “CM field discriminant”. See, e.g., SafeCurves.

Brainpool, Suite B, ANSSI, SafeCurves: require prime $p$.

Brainpool and SafeCurves: prohibit $\ell$ dividing $p^k - 1$ for each $k < (\ell - 1)/100$.

Rigidity

Another conceivable source of security problems:
• there’s another attack against a small fraction of curves;
• public ECC cryptanalysis has missed this attack;
• the attacker has figured out this attack;
• the attacker has manipulated choices of standard curves to allow the attack.

slide-142
SLIDE 142

Rigidity

Another conceivable source of security problems:
• there’s another attack against a small fraction of curves;
• public ECC cryptanalysis has missed this attack;
• the attacker has figured out this attack;
• the attacker has manipulated choices of standard curves to allow the attack.

NIST curves claim to be “verifiably random”: $y^2 = x^3 - 3x + b$ where $b$ is derived from SHA-1 hash of a public seed.

But is the seed actually random? Attacker could have tried many seeds to find a curve with a one-in-a-billion weakness. Not “verifiable” at all!

ANSSI response: use our “random” curve instead.

slide-148
SLIDE 148

NIST curves claim to be “verifiably random”: $y^2 = x^3 - 3x + b$ where $b$ is derived from SHA-1 hash of a public seed.

But is the seed actually random? Attacker could have tried many seeds to find a curve with a one-in-a-billion weakness. Not “verifiable” at all!

ANSSI response: use our “random” curve instead.

Rigidity limits number of curves that can be generated by a curve-generation process.

Brainpool, somewhat rigid: $b$ is some sort of hash of digits of $\pi$ and $e$. Not completely explained: why this particular hash? why $\pi$ and not $\sqrt{2}$? etc. But not much flexibility.

Our recommendation, fully rigid: $b$ is smallest positive integer passing explained criteria.

slide-152
SLIDE 152

Rigidity limits number of curves that can be generated by a curve-generation process.

Brainpool, somewhat rigid: $b$ is some sort of hash of digits of $\pi$ and $e$. Not completely explained: why this particular hash? why $\pi$ and not $\sqrt{2}$? etc. But not much flexibility.

Our recommendation, fully rigid: $b$ is smallest positive integer passing explained criteria.

ECC security

Covered so far: hard to compute ECC user’s secret key from public key.

But real-world ECC is still being broken!

ECC implementations
• produce incorrect results for some rare inputs;
• leak secret data for input points off curve;
• leak secret data through timing;
• etc.
Attackers exploit this.

slide-157
SLIDE 157

ECC security

Covered so far: hard to compute ECC user’s secret key from public key.

But real-world ECC is still being broken!

ECC implementations
• produce incorrect results for some rare inputs;
• leak secret data for input points off curve;
• leak secret data through timing;
• etc.
Attackers exploit this.

Better choices of curves allow simple implementations to be secure implementations. This is the primary motivation for SafeCurves.

Example of new requirement: twist security. If curve isn’t twist-secure: Twist attacks break ladder implementations that don’t check whether input point is on curve. Security-simplicity conflict.
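
The Montgomery ladder described on the earlier slide and the twist-security requirement on this one, in a single added example (not code from the talk or from any Curve25519 implementation). It assumes the Montgomery curve v^2 = u^3 + 486662u^2 + u over $p = 2^{255} - 19$ and its known subgroup order, neither of which is on the slides; Python integers are not constant time, so the arithmetic swap only illustrates the branch-free structure.

```python
# Added example: u-only Montgomery ladder, and what it computes for an off-curve u.
P = 2**255 - 19
A24 = 121665                       # (486662 - 2) / 4 for the assumed curve
ELL = 2**252 + 27742317777372353535851937790883648493   # known prime subgroup order
CURVE_ORDER = 8 * ELL
TWIST_ORDER = 2 * P + 2 - CURVE_ORDER   # curve order + twist order = 2p + 2

def cswap(swap, a, b):
    """Swap a and b when swap == 1, using arithmetic instead of an if."""
    t = -swap & (a ^ b)            # -swap is 0 or all ones
    return a ^ t, b ^ t

def ladder(n, u, bits=256):
    """u-coordinate of nP given only the u-coordinate of P; 0 encodes infinity.
    Invariant: (x2:z2) = kP and (x3:z3) = (k+1)P for the bits of n read so far."""
    x1 = u % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in reversed(range(bits)):
        bit = (n >> t) & 1
        swap ^= bit
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P            # differential addition
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P                   # doubling
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P

def on_curve(u):
    """True if some v in F_p satisfies v^2 = u^3 + 486662u^2 + u."""
    rhs = (u**3 + 486662 * u * u + u) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1

def first_twist_u():
    """Smallest u >= 2 that is not on the curve, so it lies on the twist."""
    u = 2
    while on_curve(u):
        u += 1
    return u

if __name__ == "__main__":
    print("ELL * base point is infinity:", ladder(ELL, 9) == 0)
    u = first_twist_u()
    # The ladder accepts u without complaint and silently works in the twist
    # group. That is harmless only if the twist order also has a large prime
    # factor, which is what twist security requires of the curve.
    print("off-curve u =", u)
    print("killed by the twist order:", ladder(TWIST_ORDER, u) == 0)
    print("killed by the curve order:", ladder(CURVE_ORDER, u) == 0)
```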

slide-165
SLIDE 165