twisted hessian curves 1986 chudnovsky chudnovsky
play

Twisted Hessian curves 1986 ChudnovskyChudnovsky, Sequences of - PowerPoint PPT Presentation

Jun 19, 2023 •309 likes •1.65k views

Twisted Hessian curves 1986 ChudnovskyChudnovsky, Sequences of numbers cr.yp.to/papers.html#hessian generated by addition Daniel J. Bernstein in formal groups University of Illinois at Chicago & and new primality Technische

  1. “Our experience shows that the 1990s: ECC standards instead expression of the law of addition use short Weierstrass curves on the cubic Hessian form in Jacobian coordinates (d) of an elliptic curve is for “the fastest arithmetic”. by far the best and the prettiest.” 15 : 2 M for ADD, X 3 = Y 1 X 2 · Y 1 Z 2 − Z 1 Y 2 · X 1 Y 2 ; much slower than Hessian. Y 3 = X 1 Z 2 · X 1 Y 2 − Y 1 X 2 · Z 1 X 2 ; Why is this a good idea? Z 3 = Z 1 Y 2 · Z 1 X 2 − X 1 Z 2 · Y 1 Z 2 : 12 M for ADD, where M is the cost of multiplication in the field. 8 : 4 M for DBL, assuming 0 : 8 M for the cost of squaring in the field.

  2. “Our experience shows that the 1990s: ECC standards instead expression of the law of addition use short Weierstrass curves on the cubic Hessian form in Jacobian coordinates (d) of an elliptic curve is for “the fastest arithmetic”. by far the best and the prettiest.” 15 : 2 M for ADD, X 3 = Y 1 X 2 · Y 1 Z 2 − Z 1 Y 2 · X 1 Y 2 ; much slower than Hessian. Y 3 = X 1 Z 2 · X 1 Y 2 − Y 1 X 2 · Z 1 X 2 ; Why is this a good idea? Z 3 = Z 1 Y 2 · Z 1 X 2 − X 1 Z 2 · Y 1 Z 2 : Answer: Only 7 : 2 M for DBL with 12 M for ADD, Chudnovsky–Chudnovsky formula. where M is the cost of multiplication in the field. 8 : 4 M for DBL, assuming 0 : 8 M for the cost of squaring in the field.

  3. “Our experience shows that the 1990s: ECC standards instead expression of the law of addition use short Weierstrass curves on the cubic Hessian form in Jacobian coordinates (d) of an elliptic curve is for “the fastest arithmetic”. by far the best and the prettiest.” 15 : 2 M for ADD, X 3 = Y 1 X 2 · Y 1 Z 2 − Z 1 Y 2 · X 1 Y 2 ; much slower than Hessian. Y 3 = X 1 Z 2 · X 1 Y 2 − Y 1 X 2 · Z 1 X 2 ; Why is this a good idea? Z 3 = Z 1 Y 2 · Z 1 X 2 − X 1 Z 2 · Y 1 Z 2 : Answer: Only 7 : 2 M for DBL with 12 M for ADD, Chudnovsky–Chudnovsky formula. where M is the cost 2001 Bernstein: 15 M , 7 M . of multiplication in the field. 8 : 4 M for DBL, assuming 0 : 8 M for the cost of squaring in the field.

  4. “Our experience shows that the 1990s: ECC standards instead expression of the law of addition use short Weierstrass curves on the cubic Hessian form in Jacobian coordinates (d) of an elliptic curve is for “the fastest arithmetic”. by far the best and the prettiest.” 15 : 2 M for ADD, X 3 = Y 1 X 2 · Y 1 Z 2 − Z 1 Y 2 · X 1 Y 2 ; much slower than Hessian. Y 3 = X 1 Z 2 · X 1 Y 2 − Y 1 X 2 · Z 1 X 2 ; Why is this a good idea? Z 3 = Z 1 Y 2 · Z 1 X 2 − X 1 Z 2 · Y 1 Z 2 : Answer: Only 7 : 2 M for DBL with 12 M for ADD, Chudnovsky–Chudnovsky formula. where M is the cost 2001 Bernstein: 15 M , 7 M . of multiplication in the field. Compared to Hessian, 8 : 4 M for DBL, Weierstrass saves 4 M in typical assuming 0 : 8 M for the cost DBL-DBL-DBL-DBL-DBL-ADD. of squaring in the field.

  5. experience shows that the 1990s: ECC standards instead 2007 Edw ression of the law of addition use short Weierstrass curves 2007 Bernstein–Lange: cubic Hessian form in Jacobian coordinates analyze sp an elliptic curve is for “the fastest arithmetic”. the best and the prettiest.” 15 : 2 M for ADD, Y 1 X 2 · Y 1 Z 2 − Z 1 Y 2 · X 1 Y 2 ; much slower than Hessian. X 1 Z 2 · X 1 Y 2 − Y 1 X 2 · Z 1 X 2 ; Why is this a good idea? Z 1 Y 2 · Z 1 X 2 − X 1 Z 2 · Y 1 Z 2 : Answer: Only 7 : 2 M for DBL with for ADD, Chudnovsky–Chudnovsky formula. M is the cost 2001 Bernstein: 15 M , 7 M . Example: multiplication in the field. Compared to Hessian, Sum of ( for DBL, Weierstrass saves 4 M in typical (( x 1 y 2 + assuming 0 : 8 M for the cost DBL-DBL-DBL-DBL-DBL-ADD. ( y 1 y 2 − x squaring in the field.

  6. � shows that the 1990s: ECC standards instead 2007 Edwards: new law of addition use short Weierstrass curves 2007 Bernstein–Lange: Hessian form in Jacobian coordinates analyze speed, com curve is for “the fastest arithmetic”. y and the prettiest.” 15 : 2 M for ADD, neutral • Z 2 − Z 1 Y 2 · X 1 Y 2 ; much slower than Hessian. P • Y 2 − Y 1 X 2 · Z 1 X 2 ; ☞ Why is this a good idea? ☞ ☞ ❢ ❢ X 2 − X 1 Z 2 · Y 1 Z 2 : ❢ ❢ ☞ ❬ ❬ ❬ ❬ Answer: Only 7 : 2 M for DBL with Chudnovsky–Chudnovsky formula. cost 2001 Bernstein: 15 M , 7 M . Example: x 2 + y 2 in the field. Compared to Hessian, Sum of ( x 1 ; y 1 ) and Weierstrass saves 4 M in typical (( x 1 y 2 + y 1 x 2 ) = (1 − for the cost DBL-DBL-DBL-DBL-DBL-ADD. ( y 1 y 2 − x 1 x 2 ) = (1+30 the field.

  7. � � that the 1990s: ECC standards instead 2007 Edwards: new curve shap addition use short Weierstrass curves 2007 Bernstein–Lange: generalize, in Jacobian coordinates analyze speed, completeness. for “the fastest arithmetic”. y rettiest.” 15 : 2 M for ADD, neutral = (0 ; • · X 1 Y 2 ; much slower than Hessian. P 1 = ( x 1 ; y • · Z 1 X 2 ; ☞ Why is this a good idea? P 2 = ( x ☞ • ❢ ☞ ❢ ❢ · Y 1 Z 2 : ❢ x ❢ ☞ ❬ ❬ ❬ ❬ ❬ ❬ • Answer: Only 7 : 2 M for DBL with P 3 = ( Chudnovsky–Chudnovsky formula. 2001 Bernstein: 15 M , 7 M . Example: x 2 + y 2 = 1 − 30 x field. Compared to Hessian, Sum of ( x 1 ; y 1 ) and ( x 2 ; y 2 ) Weierstrass saves 4 M in typical (( x 1 y 2 + y 1 x 2 ) = (1 − 30 x 1 x 2 y 1 cost DBL-DBL-DBL-DBL-DBL-ADD. ( y 1 y 2 − x 1 x 2 ) = (1+30 x 1 x 2 y 1

  8. � � 1990s: ECC standards instead 2007 Edwards: new curve shape. use short Weierstrass curves 2007 Bernstein–Lange: generalize, in Jacobian coordinates analyze speed, completeness. for “the fastest arithmetic”. y 15 : 2 M for ADD, neutral = (0 ; 1) • much slower than Hessian. P 1 = ( x 1 ; y 1 ) • ☞ Why is this a good idea? P 2 = ( x 2 ; y 2 ) ☞ • ❢ ☞ ❢ ❢ ❢ x ❢ ❬ ☞ ❬ ❬ ❬ ❬ ❬ • Answer: Only 7 : 2 M for DBL with P 3 = ( x 3 ; y 3 ) Chudnovsky–Chudnovsky formula. 2001 Bernstein: 15 M , 7 M . Example: x 2 + y 2 = 1 − 30 x 2 y 2 . Compared to Hessian, Sum of ( x 1 ; y 1 ) and ( x 2 ; y 2 ) is Weierstrass saves 4 M in typical (( x 1 y 2 + y 1 x 2 ) = (1 − 30 x 1 x 2 y 1 y 2 ), DBL-DBL-DBL-DBL-DBL-ADD. ( y 1 y 2 − x 1 x 2 ) = (1+30 x 1 x 2 y 1 y 2 )).

  9. � � ECC standards instead 2007 Edwards: new curve shape. 2007 Bernstein–Lange: short Weierstrass curves 2007 Bernstein–Lange: generalize, 10 : 8 M fo Jacobian coordinates analyze speed, completeness. e fastest arithmetic”. y for ADD, neutral = (0 ; 1) • slower than Hessian. P 1 = ( x 1 ; y 1 ) • ☞ is this a good idea? P 2 = ( x 2 ; y 2 ) ☞ • ❢ ☞ ❢ ❢ ❢ x ☞ ❬ ❢ ❬ ❬ ❬ ❬ ❬ • er: Only 7 : 2 M for DBL with P 3 = ( x 3 ; y 3 ) Chudnovsky–Chudnovsky formula. Bernstein: 15 M , 7 M . Example: x 2 + y 2 = 1 − 30 x 2 y 2 . Compared to Hessian, Sum of ( x 1 ; y 1 ) and ( x 2 ; y 2 ) is eierstrass saves 4 M in typical (( x 1 y 2 + y 1 x 2 ) = (1 − 30 x 1 x 2 y 1 y 2 ), DBL-DBL-DBL-DBL-DBL-ADD. ( y 1 y 2 − x 1 x 2 ) = (1+30 x 1 x 2 y 1 y 2 )).

  10. � � standards instead 2007 Edwards: new curve shape. 2007 Bernstein–Lange: eierstrass curves 2007 Bernstein–Lange: generalize, 10 : 8 M for ADD, 6 rdinates analyze speed, completeness. arithmetic”. y ADD, neutral = (0 ; 1) • than Hessian. P 1 = ( x 1 ; y 1 ) • ☞ od idea? P 2 = ( x 2 ; y 2 ) ☞ • ❢ ☞ ❢ ❢ ❢ x ☞ ❬ ❢ ❬ ❬ ❬ ❬ ❬ • 2 M for DBL with P 3 = ( x 3 ; y 3 ) Chudnovsky–Chudnovsky formula. 15 M , 7 M . Example: x 2 + y 2 = 1 − 30 x 2 y 2 . Hessian, Sum of ( x 1 ; y 1 ) and ( x 2 ; y 2 ) is saves 4 M in typical (( x 1 y 2 + y 1 x 2 ) = (1 − 30 x 1 x 2 y 1 y 2 ), DBL-DBL-DBL-DBL-DBL-ADD. ( y 1 y 2 − x 1 x 2 ) = (1+30 x 1 x 2 y 1 y 2 )).

  11. � � instead 2007 Edwards: new curve shape. 2007 Bernstein–Lange: rves 2007 Bernstein–Lange: generalize, 10 : 8 M for ADD, 6 : 2 M for DBL. analyze speed, completeness. rithmetic”. y neutral = (0 ; 1) • n. P 1 = ( x 1 ; y 1 ) • ☞ P 2 = ( x 2 ; y 2 ) ☞ • ❢ ☞ ❢ ❢ ❢ x ❬ ❢ ☞ ❬ ❬ ❬ ❬ ❬ • BL with P 3 = ( x 3 ; y 3 ) formula. . Example: x 2 + y 2 = 1 − 30 x 2 y 2 . Sum of ( x 1 ; y 1 ) and ( x 2 ; y 2 ) is ypical (( x 1 y 2 + y 1 x 2 ) = (1 − 30 x 1 x 2 y 1 y 2 ), DBL-DBL-DBL-DBL-DBL-ADD. ( y 1 y 2 − x 1 x 2 ) = (1+30 x 1 x 2 y 1 y 2 )).

  12. � � 2007 Edwards: new curve shape. 2007 Bernstein–Lange: 2007 Bernstein–Lange: generalize, 10 : 8 M for ADD, 6 : 2 M for DBL. analyze speed, completeness. y neutral = (0 ; 1) • P 1 = ( x 1 ; y 1 ) • ☞ P 2 = ( x 2 ; y 2 ) ☞ • ❢ ☞ ❢ ❢ ❢ x ☞ ❬ ❢ ❬ ❬ ❬ ❬ ❬ • P 3 = ( x 3 ; y 3 ) Example: x 2 + y 2 = 1 − 30 x 2 y 2 . Sum of ( x 1 ; y 1 ) and ( x 2 ; y 2 ) is (( x 1 y 2 + y 1 x 2 ) = (1 − 30 x 1 x 2 y 1 y 2 ), ( y 1 y 2 − x 1 x 2 ) = (1+30 x 1 x 2 y 1 y 2 )).

  13. � � 2007 Edwards: new curve shape. 2007 Bernstein–Lange: 2007 Bernstein–Lange: generalize, 10 : 8 M for ADD, 6 : 2 M for DBL. analyze speed, completeness. 2008 Hisil–Wong–Carter–Dawson: y just 8 M for ADD. neutral = (0 ; 1) • P 1 = ( x 1 ; y 1 ) • ☞ P 2 = ( x 2 ; y 2 ) ☞ • ❢ ☞ ❢ ❢ ❢ x ❢ ❬ ☞ ❬ ❬ ❬ ❬ ❬ • P 3 = ( x 3 ; y 3 ) Example: x 2 + y 2 = 1 − 30 x 2 y 2 . Sum of ( x 1 ; y 1 ) and ( x 2 ; y 2 ) is (( x 1 y 2 + y 1 x 2 ) = (1 − 30 x 1 x 2 y 1 y 2 ), ( y 1 y 2 − x 1 x 2 ) = (1+30 x 1 x 2 y 1 y 2 )).

  14. � � 2007 Edwards: new curve shape. 2007 Bernstein–Lange: 2007 Bernstein–Lange: generalize, 10 : 8 M for ADD, 6 : 2 M for DBL. analyze speed, completeness. 2008 Hisil–Wong–Carter–Dawson: y just 8 M for ADD. neutral = (0 ; 1) • P 1 = ( x 1 ; y 1 ) • ☞ P 2 = ( x 2 ; y 2 ) ☞ • ❢ ☞ ❢ ❢ ❢ x ❢ ❬ ☞ ❬ ❬ ❬ ❬ ❬ • P 3 = ( x 3 ; y 3 ) Example: x 2 + y 2 = 1 − 30 x 2 y 2 . Sum of ( x 1 ; y 1 ) and ( x 2 ; y 2 ) is (( x 1 y 2 + y 1 x 2 ) = (1 − 30 x 1 x 2 y 1 y 2 ), ( y 1 y 2 − x 1 x 2 ) = (1+30 x 1 x 2 y 1 y 2 )).

  15. � � Edwards: new curve shape. 2007 Bernstein–Lange: Bernstein–Lange: generalize, 10 : 8 M for ADD, 6 : 2 M for DBL. analyze speed, completeness. 2008 Hisil–Wong–Carter–Dawson: y just 8 M for ADD. neutral = (0 ; 1) • P 1 = ( x 1 ; y 1 ) • ☞ P 2 = ( x 2 ; y 2 ) ☞ • ❢ ☞ ❢ ❢ ❢ x ❢ ❬ ☞ ❬ ❬ ❬ ❬ ❬ • P 3 = ( x 3 ; y 3 ) y 2 = x 3 Example: x 2 + y 2 = 1 − 30 x 2 y 2 . of ( x 1 ; y 1 ) and ( x 2 ; y 2 ) is + y 1 x 2 ) = (1 − 30 x 1 x 2 y 1 y 2 ), − x 1 x 2 ) = (1+30 x 1 x 2 y 1 y 2 )).

  16. � new curve shape. 2007 Bernstein–Lange: Bernstein–Lange: generalize, 10 : 8 M for ADD, 6 : 2 M for DBL. completeness. 2008 Hisil–Wong–Carter–Dawson: just 8 M for ADD. neutral = (0 ; 1) P 1 = ( x 1 ; y 1 ) • P 2 = ( x 2 ; y 2 ) • ❢ ❢ x ❬ ❬ ❬ • P 3 = ( x 3 ; y 3 ) y 2 = x 3 − 0 : 4 x + 2 = 1 − 30 x 2 y 2 . and ( x 2 ; y 2 ) is (1 − 30 x 1 x 2 y 1 y 2 ), (1+30 x 1 x 2 y 1 y 2 )).

  17. shape. 2007 Bernstein–Lange: generalize, 10 : 8 M for ADD, 6 : 2 M for DBL. teness. 2008 Hisil–Wong–Carter–Dawson: just 8 M for ADD. (0 ; 1) ; y 1 ) ( x 2 ; y 2 ) x ( x 3 ; y 3 ) y 2 = x 3 − 0 : 4 x + 0 : 7 30 x 2 y 2 . 2 ) is y 1 y 2 ), y 1 y 2 )).

  18. 2007 Bernstein–Lange: 10 : 8 M for ADD, 6 : 2 M for DBL. 2008 Hisil–Wong–Carter–Dawson: just 8 M for ADD. y 2 = x 3 − 0 : 4 x + 0 : 7

  19. Bernstein–Lange: for ADD, 6 : 2 M for DBL. Hisil–Wong–Carter–Dawson: M for ADD. y 2 = x 3 − 0 : 4 x + 0 : 7

  20. Bernstein–Lange: ADD, 6 : 2 M for DBL. ong–Carter–Dawson: ADD. y 2 = x 3 − 0 : 4 x + 0 : 7

  21. DBL. rter–Dawson: y 2 = x 3 − 0 : 4 x + 0 : 7

  22. y 2 = x 3 − 0 : 4 x + 0 : 7

  23. x 2 + y 2 3 − 0 : 4 x + 0 : 7

  24. x 2 + y 2 = 1 − 300 + 0 : 7

  25. x 2 + y 2 = 1 − 300 x 2 y 2

  26. x 2 + y 2 = 1 − 300 x 2 y 2

  27. x 2 + y 2 = 1 − 300 x 2 y 2

  28. x 2 + y 2 = 1 − 300 x 2 y 2

  29. x 2 + y 2 = 1 − 300 x 2 y 2

  30. x 2 + y 2 = 1 − 300 x 2 y 2

  31. 2 = 1 − 300 x 2 y 2 x 2 = y 4

  32. x 2 = y 4 − 1 : 9 y 2 + 300 x 2 y 2

  33. x 2 = y 4 − 1 : 9 y 2 + 1

  34. x 2 = y 4 − 1 : 9 y 2 + 1

  35. x 2 = y 4 − 1 : 9 y 2 + 1

  36. x 2 = y 4 − 1 : 9 y 2 + 1

  37. x 2 = y 4 − 1 : 9 y 2 + 1

  38. x 2 = y 4 − 1 : 9 y 2 + 1

  39. 4 − 1 : 9 y 2 + 1 x 3 − y 3 +

  40. x 3 − y 3 + 1 = 0 : 3 xy + 1

  41. x 3 − y 3 + 1 = 0 : 3 xy

  42. x 3 − y 3 + 1 = 0 : 3 xy

  43. x 3 − y 3 + 1 = 0 : 3 xy

  44. x 3 − y 3 + 1 = 0 : 3 xy

  45. x 3 − y 3 + 1 = 0 : 3 xy

  46. x 3 − y 3 + 1 = 0 : 3 xy

  47. 3 + 1 = 0 : 3 xy

  48. : 3 xy

  71. Faster Hessian 2007 Hisil–Ca 7 : 8 M for

  72. Faster Hessian arithmetic 2007 Hisil–Carter–Da 7 : 8 M for DBL.

  73. Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7 : 8 M for DBL.

  74. Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7 : 8 M for DBL.

  75. Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7 : 8 M for DBL. 2010 Hisil: 11 M for ADD.

  76. Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7 : 8 M for DBL. 2010 Hisil: 11 M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S = M , overhead for checking for special cases, extra DBL, extra ADD, etc.

  77. Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7 : 8 M for DBL. 2010 Hisil: 11 M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S = M , overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more.

  78. Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7 : 8 M for DBL. 2010 Hisil: 11 M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S = M , overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more. New: 7 : 6 M for DBL.

  79. Faster Hessian arithmetic New (announced 2007 Hisil–Carter–Dawson: Generalize 7 : 8 M for DBL. twisted aX 3 + Y 2010 Hisil: 11 M for ADD. with a (27 Hessian tied with Weierstrass for 2007 7 : 8 DBL-DBL-DBL-DBL-DBL-ADD. 2010 11 M Need to zoom in closer: new 7 : 6 M analyze exact S = M , overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more. New: 7 : 6 M for DBL.

  80. Faster Hessian arithmetic New (announced July 2007 Hisil–Carter–Dawson: Generalize to more 7 : 8 M for DBL. twisted Hessian curves aX 3 + Y 3 + Z 3 = 2010 Hisil: 11 M for ADD. with a (27 a − d 3 ) � = Hessian tied with Weierstrass for 2007 7 : 8 M DBL idea DBL-DBL-DBL-DBL-DBL-ADD. 2010 11 M ADD generalizes, Need to zoom in closer: new 7 : 6 M DBL generalizes. analyze exact S = M , overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more. New: 7 : 6 M for DBL.

  81. Faster Hessian arithmetic New (announced July 2009): 2007 Hisil–Carter–Dawson: Generalize to more curves: 7 : 8 M for DBL. twisted Hessian curves aX 3 + Y 3 + Z 3 = dXY Z 2010 Hisil: 11 M for ADD. with a (27 a − d 3 ) � = 0. Hessian tied with Weierstrass for 2007 7 : 8 M DBL idea fails, but DBL-DBL-DBL-DBL-DBL-ADD. 2010 11 M ADD generalizes, Need to zoom in closer: new 7 : 6 M DBL generalizes. analyze exact S = M , overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more. New: 7 : 6 M for DBL.

  82. Faster Hessian arithmetic New (announced July 2009): 2007 Hisil–Carter–Dawson: Generalize to more curves: 7 : 8 M for DBL. twisted Hessian curves aX 3 + Y 3 + Z 3 = dXY Z 2010 Hisil: 11 M for ADD. with a (27 a − d 3 ) � = 0. Hessian tied with Weierstrass for 2007 7 : 8 M DBL idea fails, but DBL-DBL-DBL-DBL-DBL-ADD. 2010 11 M ADD generalizes, Need to zoom in closer: new 7 : 6 M DBL generalizes. analyze exact S = M , overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more. New: 7 : 6 M for DBL.

  83. Faster Hessian arithmetic New (announced July 2009): 2007 Hisil–Carter–Dawson: Generalize to more curves: 7 : 8 M for DBL. twisted Hessian curves aX 3 + Y 3 + Z 3 = dXY Z 2010 Hisil: 11 M for ADD. with a (27 a − d 3 ) � = 0. Hessian tied with Weierstrass for 2007 7 : 8 M DBL idea fails, but DBL-DBL-DBL-DBL-DBL-ADD. 2010 11 M ADD generalizes, Need to zoom in closer: new 7 : 6 M DBL generalizes. analyze exact S = M , overhead Rotate addition law for checking for special cases, so that it also works for DBL; extra DBL, extra ADD, etc. complete if a is not a cube. Or speed up Hessian more. Eliminates special-case overhead, helps stop side-channel attacks. New: 7 : 6 M for DBL.

  84. Hessian arithmetic New (announced July 2009): Triplings Hisil–Carter–Dawson: Generalize to more curves: TPL is P for DBL. twisted Hessian curves 2007 Hisil–Ca aX 3 + Y 3 + Z 3 = dXY Z Hisil: 11 M for ADD. 12 : 8 M fo with a (27 a − d 3 ) � = 0. Hessian tied with Weierstrass for Generalizes 2007 7 : 8 M DBL idea fails, but DBL-DBL-DBL-DBL-DBL-ADD. 2010 11 M ADD generalizes, to zoom in closer: new 7 : 6 M DBL generalizes. analyze exact S = M , overhead Rotate addition law hecking for special cases, so that it also works for DBL; DBL, extra ADD, etc. complete if a is not a cube. eed up Hessian more. Eliminates special-case overhead, helps stop side-channel attacks. 7 : 6 M for DBL.

  85. rithmetic New (announced July 2009): Triplings (assuming rter–Dawson: Generalize to more curves: TPL is P �→ 3 P . twisted Hessian curves 2007 Hisil–Carter–Da aX 3 + Y 3 + Z 3 = dXY Z for ADD. 12 : 8 M for Hessian with a (27 a − d 3 ) � = 0. with Weierstrass for Generalizes to twisted 2007 7 : 8 M DBL idea fails, but DBL-DBL-DBL-DBL-DBL-ADD. 2010 11 M ADD generalizes, closer: new 7 : 6 M DBL generalizes. M , overhead Rotate addition law special cases, so that it also works for DBL; ADD, etc. complete if a is not a cube. Hessian more. Eliminates special-case overhead, helps stop side-channel attacks. DBL.

  86. New (announced July 2009): Triplings (assuming d � = 0) wson: Generalize to more curves: TPL is P �→ 3 P . twisted Hessian curves 2007 Hisil–Carter–Dawson: aX 3 + Y 3 + Z 3 = dXY Z . 12 : 8 M for Hessian TPL. with a (27 a − d 3 ) � = 0. eierstrass for Generalizes to twisted Hessian. 2007 7 : 8 M DBL idea fails, but DBL-DBL-DBL-DBL-DBL-ADD. 2010 11 M ADD generalizes, new 7 : 6 M DBL generalizes. overhead Rotate addition law cases, so that it also works for DBL; etc. complete if a is not a cube. re. Eliminates special-case overhead, helps stop side-channel attacks.

  87. New (announced July 2009): Triplings (assuming d � = 0) Generalize to more curves: TPL is P �→ 3 P . twisted Hessian curves 2007 Hisil–Carter–Dawson: aX 3 + Y 3 + Z 3 = dXY Z 12 : 8 M for Hessian TPL. with a (27 a − d 3 ) � = 0. Generalizes to twisted Hessian. 2007 7 : 8 M DBL idea fails, but 2010 11 M ADD generalizes, new 7 : 6 M DBL generalizes. Rotate addition law so that it also works for DBL; complete if a is not a cube. Eliminates special-case overhead, helps stop side-channel attacks.

  88. New (announced July 2009): Triplings (assuming d � = 0) Generalize to more curves: TPL is P �→ 3 P . twisted Hessian curves 2007 Hisil–Carter–Dawson: aX 3 + Y 3 + Z 3 = dXY Z 12 : 8 M for Hessian TPL. with a (27 a − d 3 ) � = 0. Generalizes to twisted Hessian. 2007 7 : 8 M DBL idea fails, but 2015 Kohel: 11 : 2 M . 2010 11 M ADD generalizes, new 7 : 6 M DBL generalizes. Rotate addition law so that it also works for DBL; complete if a is not a cube. Eliminates special-case overhead, helps stop side-channel attacks.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Finding optimal Chudnovsky-Chudnovsky multiplication algorithms Matthieu Rambaud Telecom

Finding optimal Chudnovsky-Chudnovsky multiplication algorithms Matthieu Rambaud Telecom

Finding optimal Chudnovsky-Chudnovsky multiplication algorithms Matthieu Rambaud Telecom ParisTech, Paris, France WAIFI 2014, Gebze September 27, 2014 Can one do better ? A trick Total : 4 multiplications Matthieu Rambaud Optimal ChCh

692 views • 22 slides
Twisted Hessian curves cr.yp.to/papers.html#hessian Daniel J. Bernstein University of Illinois

Twisted Hessian curves cr.yp.to/papers.html#hessian Daniel J. Bernstein University of Illinois

Twisted Hessian curves cr.yp.to/papers.html#hessian Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Chitchanok Chuengsatiansup Technische Universiteit Eindhoven David Kohel

772 views • 47 slides
Concatenating bipartite graphs Paul Seymour (Princeton) joint with Maria Chudnovsky, Patrick

Concatenating bipartite graphs Paul Seymour (Princeton) joint with Maria Chudnovsky, Patrick

Concatenating bipartite graphs Paul Seymour (Princeton) joint with Maria Chudnovsky, Patrick Hompe, Alex Scott and Sophie Spirkl 1 / 12 Caccetta-Hggkvist conjecture, 1978 For every integer k 1 , if G is an n-vertex digraph and every

667 views • 33 slides
Finite Quotients of Braid Groups Lily Li Joint Work with Alice Chudnovsky, Caleb Partin, and

Finite Quotients of Braid Groups Lily Li Joint Work with Alice Chudnovsky, Caleb Partin, and

Finite Quotients of Braid Groups Lily Li Joint Work with Alice Chudnovsky, Caleb Partin, and Kevin Kordek Consider... Given two groups G, H, what are all the homomorphisms between them? Braid Group Braid Group Main Result Finite Quotients

820 views • 29 slides
Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net

Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net

Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net ) Tanja Lange ( tue.nl ) Christiane Peters ( tue.nl ) Thanks to: NSF ITR0716498 IST2002507932 ECRYPT INRIA Lorraine, LORIA Todays

190 views • 15 slides
Twisted 4 -normal form for elliptic curves David Kohel Institut de Math ematiques de

Twisted 4 -normal form for elliptic curves David Kohel Institut de Math ematiques de

Introduction State of the Art Curve Origins Efficient arithmetic Comparisons and conclusion Twisted 4 -normal form for elliptic curves David Kohel Institut de Math ematiques de Marseille Eurocrypt 2017, Paris, 1 May 2017 Introduction

552 views • 16 slides
Spatial Variability and Vertical Distribution of Aerosols Over an Eastern Mediterranean Region

Spatial Variability and Vertical Distribution of Aerosols Over an Eastern Mediterranean Region

Spatial Variability and Vertical Distribution of Aerosols Over an Eastern Mediterranean Region Using LIDAR and MODIS/MAIAC-Measurements. Haifa as a Case Study Alexandra Chudnovsky 1 , Albert Ansmann 2 , Irina Rogozovski 1 , Holger Baars 2 , Alexei

433 views • 25 slides
3-coloring graphs without induced paths on seven vertices Oliver Schaudt Universit at zu K

3-coloring graphs without induced paths on seven vertices Oliver Schaudt Universit at zu K

3-coloring graphs without induced paths on seven vertices Oliver Schaudt Universit at zu K oln, Institut f ur Informatik with Flavia Bonomo, Maria Chudnovsky, Peter Maceli, Maya Stein, and Mingxian Zhong Graph coloring Graph coloring

598 views • 56 slides
Integrable twisted hierarchies Twisted with D 2 symmetries hierarchies of a splitting type

Integrable twisted hierarchies Twisted with D 2 symmetries hierarchies of a splitting type

Integrable twisted hierarchies Derchyi Wu Motivation The Adler-Kostant- Symes Theorem Integrable twisted hierarchies Twisted with D 2 symmetries hierarchies of a splitting type Twisted flows of a splitting type Examples Derchyi Wu

726 views • 36 slides
Coloring graphs without long induced paths Oliver Schaudt Universit at zu K oln & RWTH

Coloring graphs without long induced paths Oliver Schaudt Universit at zu K oln & RWTH

Coloring graphs without long induced paths Oliver Schaudt Universit at zu K oln & RWTH Aachen with Flavia Bonomo, Maria Chudnovsky, Jan Goedgebeur, Peter Maceli, Maya Stein, and Mingxian Zhong Graph coloring Graph coloring a

921 views • 90 slides
Innovation Inputs and Outputs in Argentine Manufacturing Firms in Bad Times (1998-2001) Daniel

Innovation Inputs and Outputs in Argentine Manufacturing Firms in Bad Times (1998-2001) Daniel

Innovation Inputs and Outputs in Argentine Manufacturing Firms in Bad Times (1998-2001) Daniel Chudnovsky, Andrs Lpez & Germn Pupato Universidad de San Andrs, Universidad de Buenos Aires & CENIT Paper prepared for the 1 st

686 views • 14 slides
Obstructions against 3-coloring graphs without long induced paths Oliver Schaudt Universit at

Obstructions against 3-coloring graphs without long induced paths Oliver Schaudt Universit at

Obstructions against 3-coloring graphs without long induced paths Oliver Schaudt Universit at zu K oln & RWTH Aachen with Maria Chudnovsky, Jan Goedgebeur, and Mingxian Zhong Graph coloring Graph coloring a k-coloring is an

588 views • 45 slides
Twisted K-theory and finite-dimensional approximation Kiyonori Gomi Problem in twisted

Twisted K-theory and finite-dimensional approximation Kiyonori Gomi Problem in twisted

Twisted K-theory and finite-dimensional approximation Kiyonori Gomi Problem in twisted K -theory Realize twisted K -theory generally by means of finite dimensional geometric ob- jects. Main theorem We can

446 views • 16 slides
Structure of the Hessian Graham C. Goodwin September 2004 Centre for Complex Dynamic Systems

Structure of the Hessian Graham C. Goodwin September 2004 Centre for Complex Dynamic Systems

Structure of the Hessian Graham C. Goodwin September 2004 Centre for Complex Dynamic Systems and Control 1. Introduction We saw in earlier lectures that a core ingredient in quadratic constrained optimisation problems is the Hessian matrix H .

628 views • 42 slides
On the twisted Alexander polynomial for metabelian SL 2 ( C ) representations with the adjoint

On the twisted Alexander polynomial for metabelian SL 2 ( C ) representations with the adjoint

On the twisted Alexander polynomial for metabelian SL 2 ( C ) representations with the adjoint action Yoshikazu Yamaguchi JSPS Research fellow (PD) Tokyo Institute of Technology RIMS Seminar Twisted topological invariants and topology of

556 views • 32 slides
1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

Topics Parametric curves and surfaces Polynomial curves Advanced Modeling 2 Rational curves Katja Bhler, Andrej Varchola, Eduard Tensor product surfaces Grller Triangular surfaces Institute of Computer Graphics and Algorithms Vienna

78 views • 6 slides
1 Peter Series Lesson #122 March 1, 2018 Dean Bible Ministries www.deanbibleministries.org Dr.

1 Peter Series Lesson #122 March 1, 2018 Dean Bible Ministries www.deanbibleministries.org Dr.

1 Peter Series Lesson #122 March 1, 2018 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. Accountability Eventually 1 Peter 4:56 aselgeia aselgeia dat fem plur sensuality epiqumia epithumia dat fem plur

680 views • 19 slides
Visual comparison of Moving Window Kriging models Dr Urka Demar National Centre for

Visual comparison of Moving Window Kriging models Dr Urka Demar National Centre for

Urka Demar & Paul Harris Visual comparison of Moving Window Kriging models Dr Urka Demar National Centre for Geocomputation National University of Ireland Maynooth urska.demsar@nuim.ie Work supported by a Research Frontiers

300 views • 9 slides
Symmetric Encryption via Keyrings and ECC Ronald L. Rivest Institute Professor MIT, Cambridge,

Symmetric Encryption via Keyrings and ECC Ronald L. Rivest Institute Professor MIT, Cambridge,

Symmetric Encryption via Keyrings and ECC Ronald L. Rivest Institute Professor MIT, Cambridge, MA ArcticCrypt 2016-07-18 Outline MotivationSimplifying Crypto Key Updates Keyring (Bag of Words) Model Incremental Key Updates Keyring

1.73k views • 135 slides
Optimal Control of Two-Phase Flow Harald Garcke, Michael Hinze, Christian Kahle RICAM special

Optimal Control of Two-Phase Flow Harald Garcke, Michael Hinze, Christian Kahle RICAM special

Optimal Control of Two-Phase Flow Harald Garcke, Michael Hinze, Christian Kahle RICAM special semester on Optimization WS1: New trends in PDE constrained optimization 14.10. 18.10.2019 Christian Kahle Optimal Control of Two-Phase Flow

887 views • 42 slides
Agenda Welcome and Introductions Task Force Updates Fred Kronz, NSF SBE Break (30

Agenda Welcome and Introductions Task Force Updates Fred Kronz, NSF SBE Break (30

Agenda Welcome and Introductions Task Force Updates Fred Kronz, NSF SBE Break (30 min.) Peter Harsha, CRA Susan Gregurick, NIH OD Break (30 min.) Margaret Martonosi, NSF CISE Break (30 min.) New Initiatives /

414 views • 8 slides
Chemnitz University of Technology @ VideoCLEF 2009 Outline Motivation System description

Chemnitz University of Technology @ VideoCLEF 2009 Outline Motivation System description

Classification as an IR task: Experiments and Observations Jens Krsten , Maximilian Eibl Chemnitz University of Technology @ VideoCLEF 2009 Outline Motivation System description Approach Resources Experimental results and

320 views • 13 slides
1 WEEK/CHOICE #1 The Reality Choice: realize Im not God, and humbly admit that I need help.

1 WEEK/CHOICE #1 The Reality Choice: realize Im not God, and humbly admit that I need help.

1 WEEK/CHOICE #1 The Reality Choice: realize Im not God, and humbly admit that I need help. WEEK/CHOICE #2 The Hope Choice: earnestly believe that God exists, that I matter to Him, and that He has the power to help me change. WEEK/CHOICE #3

727 views • 16 slides
Why probabili)es? Document representa)on is uncertain Understanding

Why probabili)es? Document representa)on is uncertain Understanding

Probabilis)c Models in IR Debapriyo Majumdar Information Retrieval Spring 2015 Indian Statistical Institute Kolkata Using majority of the slides from Chris Manning, Pandu Nayak and Prabhakar

902 views • 26 slides

More recommend