twisted 4 normal form for elliptic curves
play

Twisted 4 -normal form for elliptic curves David Kohel Institut - PowerPoint PPT Presentation

Jul 08, 2023 •381 likes •552 views

Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion Twisted 4 -normal form for elliptic curves David Kohel Institut de Math ematiques de Marseille Eurocrypt 2017, Paris, 1 May 2017 Introduction

  1. Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion Twisted µ 4 -normal form for elliptic curves David Kohel Institut de Math´ ematiques de Marseille Eurocrypt 2017, Paris, 1 May 2017

  2. Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion Elliptic Curves over Binary Fields Standards for elliptic curve Diffie-Hellman or ElGamal require an ordinary (non-supersingular) elliptic curve over a finite field k . If k is characteristic 2 then the degree of k over F 2 should be odd. Such an ordinary binary elliptic curve E can be written in the form y 2 + xy + ax 2 = x 3 + b. Its j -invariant is b − 1 and the parameter a is the quadratic twist, which can be taken in { 0 , 1 } : the curves y 2 + xy = x 3 + b and y 2 + xy + x 2 = x 3 + b, for a = 0 and a = 1 , respectively, become isomorphic over the quadratic extension k [ ω ] , where ω 2 + ω + 1 = 0 .

  3. Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion Elliptic Curves over Binary Fields The parameter a ( = 0 or 1 ) gives a simple characterization of the pair of twists (over a binary odd degree field): y 2 + xy = x 3 + b and y 2 + xy + x 2 = x 3 + b. Namely, a = 0 if and only if E ( k ) has a point of order 4 . Recall that every binary ordinary elliptic curve has even order; the closest we can get to prime order is | E ( k ) | = 2 n for n prime, and consequently, | E ( k ) | ≡ 0 mod 4 if a = 0 , | E ( k ) | ≡ 2 mod 4 if a = 1 . Specifically, if a = 0 , then then point ( c : c 2 : 1) , where c 4 = b , is a point of order 4 .

  4. Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion Elliptic Curves over Binary Fields As was noted for Hessian curves, Edwards normal form, and the µ 4 -normal form (which we generalize here to twists), the existence of a small order point results in curves with symmetries, and yields families with efficient arithmetic and side channel resistance. Unfortunately, 20th-century standards focused on nearly prime order | E ( k ) | = hn , where n is prime and cofactor h as small as possible, ignorant of the benefits of a point of small order h > 2 . Hence for backwards compatibility, standard (NIST, SEC, etc.) curves can not be put in Hessian, Edwards, or µ 4 -normal form, which have points of order h = 3 , 4 (non-binary field), and 4 .

  5. Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion Elliptic Curves over Binary Fields So Edwards curves are not backward compatible with 20th century curve standards. Worse, over prime fields, there is a geometric restriction to having a point of order 4 — if the order | E ( k ) | is odd (e.g. prime) then so is the order of its quadratic twist: in short, twisted Edwards curves can not bridge this gap. In view of the above dichotomy, the situation for binary curves is much better — if | E ( k ) | ≡ 2 mod 4 then it is a twist of a curve with 4 -torsion point, which can be put in µ 4 -normal form, that is, E can be put in twisted µ 4 -normal form . The objective of this work is to introduce these twists of the µ 4 -normal form in order to combine the most efficient arithmetic with backward compatibility to standard binary curves.

  6. Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion Previous State of the Art Previous models which covered the case of standard curves ( a = 1 ) include L´ opez-Dahab ( a = 1 ) model, and the more recent Lambda coordinates, for which we compare known complexities ( S ∼ 0 ): L´ opez-Dahab ( a = 1 ): Advantages: Best known doubling 2 M + 4 S + 2 m Disadvantages: Slow addition 13 M + 3 S Lambda coordinates: Disadvantages: Slow doubling 3 M + 4 S + 1 m Advantages: Better addition 11 M + 2 S Reference complexities for the µ 4 -normal form are: µ 4 -normal form: Advantages: Best known doubling ∗ 2 M + 5 S + 2 m Best known addition 7 M + 2 S Disadvantages: Not standards compatible.

  7. Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion Previous State of the Art In table form we summarize the previous state of the art, and the results we present here for twisted µ 4 -normal form. Curve model Doubling Addition NIST Lambda coordinates 3 M + 4 S + 1 m 11 M + 2 S yes L´ opez-Dahab ( a = 0 ) 2 M + 5 S + 1 m 14 M + 3 S no L´ opez-Dahab ( a = 1 ) 2 M + 4 S + 2 m 13 M + 3 S yes µ 4 -normal form 2 M + 5 S + 2 m 7 M + 2 S no Twisted µ 4 -normal form 2 M + 5 S + 2 m 9 M + 2 S yes Remark. Standard curves (NIST, SEC, etc.) have large constants. For backward compatibility one should equate 1 M = 1 m , and the various models have complexity ∼ 4 M for doubling, modulo neglibible cost of squaring S ∼ 0 using normal bases.

  8. Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion The µ 4 -normal form: Edwards origins An elliptic curve E/k ⊂ P 3 in twisted Edwards normal form is X 2 0 + dX 2 3 = cX 2 1 + X 2 2 , X 0 X 3 = X 1 X 2 , O = (1 : 0 : 1 : 0) , and an elliptic curve C/k ⊂ P 3 in µ 4 -normal form is defined by X 2 0 − rX 2 2 = X 1 X 3 , X 2 1 − X 2 3 = X 0 X 2 , O = (1 : 1 : 0 : 1) . For ( c, d ) = ( − 1 , − 16 r ) — a twist by − 1 , we have an isomorphism ( X 0 : X 1 : X 2 : X 3 ) �− → ( X 0 : X 1 + X 2 : 4 X 3 : − X 1 + X 2 ) . Thus, when 2 is invertible, we recognize the µ 4 -normal form as a − 1 -twist of Edwards. Only the latter model is valid over binary fields (has good reduction at 2 ).

  9. Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion Split µ 4 -normal form: properties When r = 1 /c 4 (always true for binary finite fields), we can rescale the variables to put C/k in split µ 4 -normal form, defined by X 2 0 − X 2 2 = c 2 X 1 X 3 , X 2 1 − X 2 3 = c 2 X 0 X 2 , O = ( c : 1 : 0 : 1) . Properties: 1 The point T = (1 : c : 1 : 0) is 4 -torsion. 2 The translation–by– T morphism is given by: τ T ( X 0 : X 1 : X 2 : X 3 ) = ( X 3 : X 0 : X 1 : X 2 ) . 3 The inverse morphism is defined by: [ − 1]( X 0 : X 1 : X 2 : X 3 ) = ( X 0 : X 3 : X 2 : X 1 ) . Consequently the µ 4 -normal form has order divisible by 4 .

  10. Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion The twisted µ 4 -normal form Twists of an elliptic curve in characteristic 2 (or of a family in any characteristic, respecting good reduction at 2 ) should be with respect to a quadratic field extension k [ ω ] = k [ x ] / ( x 2 − x − a ) . The discriminant of this extension is D = 1 + 4 a , and the quadratic twist of C/k by the extension k [ ω ] is X 2 0 − Dr X 2 2 = X 1 X 3 − a ( X 1 − X 3 ) 2 , X 2 1 − X 2 3 = X 0 X 2 . In characteristic 2 , we have D = 1 , and this gives the binary twisted µ 4 -normal form X 2 0 + r X 2 2 = X 1 X 3 + a ( X 1 + X 3 ) 2 , X 2 1 + X 2 3 = X 0 X 2 , with identity (1 : 1 : 0 : 1) .

  11. Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion Addition laws on µ 4 -normal form Recall: the µ 4 -normal form yields an efficient addition algorithm. Theorem (K. Indocrypt 2012) Let C/k be an elliptic curve in split µ 4 -normal form over a binary field. Setting U ij = X i Y j , the following is a basis for bidegree (2 , 2) -addition laws: ( ( U 13 + U 31 ) 2 , c ( U 02 U 31 + U 20 U 13 ) , ( U 02 + U 20 ) 2 , c ( U 02 U 13 + U 20 U 31 ) ) , and ( c ( U 03 U 10 + U 21 U 32 ) , ( U 10 + U 32 ) 2 , c ( U 03 U 32 + U 10 U 21 ) , ( U 03 + U 21 ) 2 ) , and their rotations (substitutions U ij �→ U i − 1 ,j +1 ).

  12. Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion Addition laws on twisted µ 4 -normal form Theorem (K. Eurocrypt 2017) Let C t /k be an elliptic curve in twisted split µ 4 -normal form over a binary field. Setting U ij = X i Y j , the following is a complete system of two addition laws: (( U 13 + U 31 ) 2 , c ( U 02 U 31 + U 20 U 13 + aF ) , ( U 02 + U 20 ) 2 , c ( U 02 U 13 + U 20 U 31 + aF ) ) , and (by substituting U ij �→ U i − 1 ,j +1 ) (( U 00 + U 22 ) 2 , c ( U 00 U 11 + U 22 U 33 + aG ) , ( U 11 + U 33 ) 2 , c ( U 00 U 33 + U 11 U 22 + aG ) ) , where F = V 13 ( U 02 + U 20 ) and G = V 13 ( U 00 + U 22 ) , for V 13 = ( X 1 + X 3 )( Y 1 + Y 3 ) .

  13. Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion Complexity results for µ 4 -normal forms Corollary (K. Indocrypt 2012) Addition of generic points on an elliptic curve in µ 4 -normal form can be computed with 7 M + 2 S + 2 m . The extra cost of computing one of the the forms F = V 13 ( U 02 + U 20 ) or G = V 13 ( U 00 + U 22 ) , where V 13 = ( X 1 + X 3 )( Y 1 + Y 3 ) and where the respective cofactor U 02 + U 20 or U 00 + U 22 is known, adds two multiplications: Corollary (K. Eurocrypt 2017) Addition of generic points on an elliptic curve in twisted µ 4 -normal form can be computed with 9 M + 2 S + 2 m .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School before ECC September 2006 Elliptic curves An elliptic curve E over a field K is given by a Weierstra equation Y 2 + h ( X ) Y = f ( X ) with h, f

416 views • 13 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick joint work with Nuno Freitas (Warwick) AGC 2 T Luminy, 10 June 2019 Overview 1. Elliptic curves, mod p Galois representations, Weil pairing. 2.

954 views • 70 slides
Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Elliptic curves over F q F. Pappalardi Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j -invariant Research School: Algebraic curves over finite fields Points of finite order

581 views • 29 slides
Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves C. Negre and J.M. Robert april 8, 2015 1 / 39 Outline Overview of elliptic curve cryptography 1 Implementation of F 2 m arithmetic 2 Elliptic

781 views • 75 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is

Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is

Curves Over Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is part of the NSF-funded AIM FRG project on Databases of L -functions. This talk had much valuable input from Noam Elkies, John Voight,

567 views • 40 slides
Symmetry Breaking Polytopes: A Framework for Symmetry Handling in Binary Programs Christopher

Symmetry Breaking Polytopes: A Framework for Symmetry Handling in Binary Programs Christopher

Symmetry Breaking Polytopes: A Framework for Symmetry Handling in Binary Programs Christopher Hojny joint work with Marc E. Pfetsch Technische Universitt Darmstadt Department of Mathematics Aussois Combinatorial Optimization Workshop 2018

795 views • 46 slides
Algorithms 1. Existence 2. Efficiency Time Space Worst case behavior analysis as a

Algorithms 1. Existence 2. Efficiency Time Space Worst case behavior analysis as a

Algorithms 1. Existence 2. Efficiency Time Space Worst case behavior analysis as a function of input size Asymptotic growth: O W Q o w Donald Knuth Upper Bounds Definition: f(n) = O(g(n)) $ c,k > 0 ' 0 f(n) c

901 views • 31 slides
Binary Methods Programming: Non-issues the C LOS Perspective Types, Classes, Inheritance Method

Binary Methods Programming: Non-issues the C LOS Perspective Types, Classes, Inheritance Method

C LOS Binary Methods Didier Verna Introduction Binary Methods Programming: Non-issues the C LOS Perspective Types, Classes, Inheritance Method comb. Usage Introspection Binary function class Didier Verna Implementation

763 views • 26 slides
Binary Numbers 723 Binary Numbers 723 = 7x100 + 2x10 + 3x1 Binary Numbers 723 = 7x100 + 2x10 +

Binary Numbers 723 Binary Numbers 723 = 7x100 + 2x10 + 3x1 Binary Numbers 723 = 7x100 + 2x10 +

Binary Numbers 723 Binary Numbers 723 = 7x100 + 2x10 + 3x1 Binary Numbers 723 = 7x100 + 2x10 + 3x1 = 7x10 2 + 2x10 1 + 3x10 0 Binary Numbers 5349 = 5x10 3 + 3x10 2 + 4x10 1 + 9x10 0 Binary Numbers Why base 10? Binary Numbers 257 (base 8)

1.23k views • 75 slides
BINSEC: Binary-level Semantic Analysis to the Rescue S ebastien Bardin joint work with

BINSEC: Binary-level Semantic Analysis to the Rescue S ebastien Bardin joint work with

BINSEC: Binary-level Semantic Analysis to the Rescue S ebastien Bardin joint work with Richard Bonichon, Robin David, Adel Djoudi, Benjamin Farinier, Josselin Feist, Laurent Mounier, Marie-Laure Potet, Thanh Dihn Ta, Franck V edrine CEA

1.27k views • 61 slides
LECTURE 29 REGULAR EXPRESSIONS 2; ENCODINGS AND BINARY FILES MCS 260 Fall 2020 David Dumas /

LECTURE 29 REGULAR EXPRESSIONS 2; ENCODINGS AND BINARY FILES MCS 260 Fall 2020 David Dumas /

LECTURE 29 REGULAR EXPRESSIONS 2; ENCODINGS AND BINARY FILES MCS 260 Fall 2020 David Dumas / REMINDERS I hope you have worked on Project 3 Quiz 10 due Monday (Nov 2) Nov 3: No discussions Nov 5: Discussion converted to TA office hours /

330 views • 12 slides
Process Address Spaces and Binary Formats Don Porter CSE 506 Housekeeping Lab

Process Address Spaces and Binary Formats Don Porter CSE 506 Housekeeping Lab

Process Address Spaces and Binary Formats Don Porter CSE 506 Housekeeping Lab deadline extended to Wed night (9/14) Enrollment finalized if you still want in, email me All students should have VMs at this point

961 views • 50 slides
Programming for Engineers File Handling ICEN 200 Spring 2018 Prof. Dola Saha 1 Files in C

Programming for Engineers File Handling ICEN 200 Spring 2018 Prof. Dola Saha 1 Files in C

Programming for Engineers File Handling ICEN 200 Spring 2018 Prof. Dola Saha 1 Files in C Storage of data in variables and arrays is temporary such data is lost when a program terminates. Files are used for permanent retention of

802 views • 33 slides

More recommend