Twisted Hessian curves 1986 ChudnovskyChudnovsky, Sequences of - - PowerPoint PPT Presentation

▶

Jun 19, 2023 309 likes •1.66k views

Twisted Hessian curves 1986 ChudnovskyChudnovsky, Sequences of numbers cr.yp.to/papers.html#hessian generated by addition Daniel J. Bernstein in formal groups University of Illinois at Chicago & and new primality Technische

SLIDE 1

Twisted Hessian curves cr.yp.to/papers.html#hessian Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Chitchanok Chuengsatiansup Technische Universiteit Eindhoven David Kohel Aix-Marseille Universit´ e Tanja Lange Technische Universiteit Eindhoven 1986 Chudnovsky–Chudnovsky, “Sequences of numbers generated by addition in formal groups and new primality and factorization tests”: “The crucial problem becomes the choice of the model

f an algebraic group variety,

where computations mod p are the least time consuming.” Most important computations: ADD is P; Q → P + Q. DBL is P → 2P .

SLIDE 2

Twisted Hessian curves cr.yp.to/papers.html#hessian

J. Bernstein

University of Illinois at Chicago & echnische Universiteit Eindhoven

rk with:

Chitchanok Chuengsatiansup echnische Universiteit Eindhoven Kohel Aix-Marseille Universit´ e Lange echnische Universiteit Eindhoven 1986 Chudnovsky–Chudnovsky, “Sequences of numbers generated by addition in formal groups and new primality and factorization tests”: “The crucial problem becomes the choice of the model

f an algebraic group variety,

where computations mod p are the least time consuming.” Most important computations: ADD is P; Q → P + Q. DBL is P → 2P . “It is preferable models of lying in lo for other coordinates increasing. 4 basic mo Short W y2 = x3 Jacobi intersection: s2 + c2 = Jacobi qua Hessian:

SLIDE 3

curves cr.yp.to/papers.html#hessian Bernstein Illinois at Chicago & Universiteit Eindhoven Chuengsatiansup Universiteit Eindhoven Universit´ e Universiteit Eindhoven 1986 Chudnovsky–Chudnovsky, “Sequences of numbers generated by addition in formal groups and new primality and factorization tests”: “The crucial problem becomes the choice of the model

f an algebraic group variety,

where computations mod p are the least time consuming.” Most important computations: ADD is P; Q → P + Q. DBL is P → 2P . “It is preferable to models of elliptic curves lying in low-dimensional for otherwise the numb coordinates and op

increasing. This limits

4 basic models of elliptic Short Weierstrass: y2 = x3 + ax + b. Jacobi intersection: s2 + c2 = 1, as2 + Jacobi quartic: y2 Hessian: x3 + y3 +

SLIDE 4

cr.yp.to/papers.html#hessian Chicago & Eindhoven Chuengsatiansup Eindhoven Eindhoven 1986 Chudnovsky–Chudnovsky, “Sequences of numbers generated by addition in formal groups and new primality and factorization tests”: “The crucial problem becomes the choice of the model

f an algebraic group variety,

where computations mod p are the least time consuming.” Most important computations: ADD is P; Q → P + Q. DBL is P → 2P . “It is preferable to use models of elliptic curves lying in low-dimensional spaces, for otherwise the number of coordinates and operations is

increasing. This limits us : : :

4 basic models of elliptic curves.” Short Weierstrass: y2 = x3 + ax + b. Jacobi intersection: s2 + c2 = 1, as2 + d2 = 1. Jacobi quartic: y2 = x4+2ax Hessian: x3 + y3 + 1 = 3dxy

SLIDE 5

1986 Chudnovsky–Chudnovsky, “Sequences of numbers generated by addition in formal groups and new primality and factorization tests”: “The crucial problem becomes the choice of the model

f an algebraic group variety,

where computations mod p are the least time consuming.” Most important computations: ADD is P; Q → P + Q. DBL is P → 2P . “It is preferable to use models of elliptic curves lying in low-dimensional spaces, for otherwise the number of coordinates and operations is

increasing. This limits us : : : to

4 basic models of elliptic curves.” Short Weierstrass: y2 = x3 + ax + b. Jacobi intersection: s2 + c2 = 1, as2 + d2 = 1. Jacobi quartic: y2 = x4+2ax2+1. Hessian: x3 + y3 + 1 = 3dxy.

SLIDE 6

Chudnovsky–Chudnovsky, “Sequences of numbers generated by addition al groups new primality factorization tests”: crucial problem becomes choice of the model algebraic group variety, computations mod p the least time consuming.” important computations: is P; Q → P + Q. is P → 2P . “It is preferable to use models of elliptic curves lying in low-dimensional spaces, for otherwise the number of coordinates and operations is

increasing. This limits us : : : to

4 basic models of elliptic curves.” Short Weierstrass: y2 = x3 + ax + b. Jacobi intersection: s2 + c2 = 1, as2 + d2 = 1. Jacobi quartic: y2 = x4+2ax2+1. Hessian: x3 + y3 + 1 = 3dxy. “Our exp expression

n the cubic

(d) of an by far the X3 = Y 1 Y 3 = X1 Z3 = Z1 12M for where M

f multiplication

8:4M for assuming

f squaring

SLIDE 7

Chudnovsky–Chudnovsky, numbers addition rimality tests”: roblem becomes the model group variety, utations mod p time consuming.” computations: P + Q. . “It is preferable to use models of elliptic curves lying in low-dimensional spaces, for otherwise the number of coordinates and operations is

increasing. This limits us : : : to

4 basic models of elliptic curves.” Short Weierstrass: y2 = x3 + ax + b. Jacobi intersection: s2 + c2 = 1, as2 + d2 = 1. Jacobi quartic: y2 = x4+2ax2+1. Hessian: x3 + y3 + 1 = 3dxy. “Our experience sho expression of the la

n the cubic Hessian

(d) of an elliptic curve by far the best and X3 = Y 1X2 · Y 1Z2 Y 3 = X1Z2 · X1Y 2 Z3 = Z1Y 2 · Z1X2 12M for ADD, where M is the cost

f multiplication in

8:4M for DBL, assuming 0:8M for

f squaring in the

SLIDE 8

Chudnovsky–Chudnovsky, ecomes riety, p consuming.” computations: “It is preferable to use models of elliptic curves lying in low-dimensional spaces, for otherwise the number of coordinates and operations is

increasing. This limits us : : : to

4 basic models of elliptic curves.” Short Weierstrass: y2 = x3 + ax + b. Jacobi intersection: s2 + c2 = 1, as2 + d2 = 1. Jacobi quartic: y2 = x4+2ax2+1. Hessian: x3 + y3 + 1 = 3dxy. “Our experience shows that expression of the law of addition

n the cubic Hessian form

(d) of an elliptic curve is by far the best and the prettiest.” X3 = Y 1X2 · Y 1Z2 − Z1Y 2 · Y 3 = X1Z2 · X1Y 2 − Y 1X2 · Z3 = Z1Y 2 · Z1X2 − X1Z2 · 12M for ADD, where M is the cost

f multiplication in the field.

8:4M for DBL, assuming 0:8M for the cost

f squaring in the field.

SLIDE 9

“It is preferable to use models of elliptic curves lying in low-dimensional spaces, for otherwise the number of coordinates and operations is

increasing. This limits us : : : to

4 basic models of elliptic curves.” Short Weierstrass: y2 = x3 + ax + b. Jacobi intersection: s2 + c2 = 1, as2 + d2 = 1. Jacobi quartic: y2 = x4+2ax2+1. Hessian: x3 + y3 + 1 = 3dxy. “Our experience shows that the expression of the law of addition

n the cubic Hessian form

(d) of an elliptic curve is by far the best and the prettiest.” X3 = Y 1X2 · Y 1Z2 − Z1Y 2 · X1Y 2; Y 3 = X1Z2 · X1Y 2 − Y 1X2 · Z1X2; Z3 = Z1Y 2 · Z1X2 − X1Z2 · Y 1Z2: 12M for ADD, where M is the cost

f multiplication in the field.

8:4M for DBL, assuming 0:8M for the cost

f squaring in the field.

SLIDE 10

preferable to use dels of elliptic curves in low-dimensional spaces, erwise the number of rdinates and operations is

increasing. This limits us : : : to

basic models of elliptic curves.” Weierstrass:

3 + ax + b.

intersection: = 1, as2 + d2 = 1. quartic: y2 = x4+2ax2+1. Hessian: x3 + y3 + 1 = 3dxy. “Our experience shows that the expression of the law of addition

n the cubic Hessian form

(d) of an elliptic curve is by far the best and the prettiest.” X3 = Y 1X2 · Y 1Z2 − Z1Y 2 · X1Y 2; Y 3 = X1Z2 · X1Y 2 − Y 1X2 · Z1X2; Z3 = Z1Y 2 · Z1X2 − X1Z2 · Y 1Z2: 12M for ADD, where M is the cost

f multiplication in the field.

8:4M for DBL, assuming 0:8M for the cost

f squaring in the field.

1990s: ECC use short in Jacobian for “the 15:2M fo much slo Why is this

SLIDE 11

to use liptic curves w-dimensional spaces, the number of

perations is

limits us : : : to

f elliptic curves.”

eierstrass: b. intersection: + d2 = 1. y2 = x4+2ax2+1. + 1 = 3dxy. “Our experience shows that the expression of the law of addition

n the cubic Hessian form

(d) of an elliptic curve is by far the best and the prettiest.” X3 = Y 1X2 · Y 1Z2 − Z1Y 2 · X1Y 2; Y 3 = X1Z2 · X1Y 2 − Y 1X2 · Z1X2; Z3 = Z1Y 2 · Z1X2 − X1Z2 · Y 1Z2: 12M for ADD, where M is the cost

f multiplication in the field.

8:4M for DBL, assuming 0:8M for the cost

f squaring in the field.

1990s: ECC standa use short Weierstrass in Jacobian coordinates for “the fastest arithmetic”. 15:2M for ADD, much slower than Why is this a good

SLIDE 12

spaces,

erations is : : : to curves.” 1. 2ax2+1. dxy. “Our experience shows that the expression of the law of addition

n the cubic Hessian form

(d) of an elliptic curve is by far the best and the prettiest.” X3 = Y 1X2 · Y 1Z2 − Z1Y 2 · X1Y 2; Y 3 = X1Z2 · X1Y 2 − Y 1X2 · Z1X2; Z3 = Z1Y 2 · Z1X2 − X1Z2 · Y 1Z2: 12M for ADD, where M is the cost

f multiplication in the field.

8:4M for DBL, assuming 0:8M for the cost

f squaring in the field.

1990s: ECC standards instead use short Weierstrass curves in Jacobian coordinates for “the fastest arithmetic”. 15:2M for ADD, much slower than Hessian. Why is this a good idea?

SLIDE 13

“Our experience shows that the expression of the law of addition

n the cubic Hessian form

(d) of an elliptic curve is by far the best and the prettiest.” X3 = Y 1X2 · Y 1Z2 − Z1Y 2 · X1Y 2; Y 3 = X1Z2 · X1Y 2 − Y 1X2 · Z1X2; Z3 = Z1Y 2 · Z1X2 − X1Z2 · Y 1Z2: 12M for ADD, where M is the cost

f multiplication in the field.

8:4M for DBL, assuming 0:8M for the cost

f squaring in the field.

1990s: ECC standards instead use short Weierstrass curves in Jacobian coordinates for “the fastest arithmetic”. 15:2M for ADD, much slower than Hessian. Why is this a good idea?

SLIDE 14

“Our experience shows that the expression of the law of addition

n the cubic Hessian form

(d) of an elliptic curve is by far the best and the prettiest.” X3 = Y 1X2 · Y 1Z2 − Z1Y 2 · X1Y 2; Y 3 = X1Z2 · X1Y 2 − Y 1X2 · Z1X2; Z3 = Z1Y 2 · Z1X2 − X1Z2 · Y 1Z2: 12M for ADD, where M is the cost

f multiplication in the field.

8:4M for DBL, assuming 0:8M for the cost

f squaring in the field.

1990s: ECC standards instead use short Weierstrass curves in Jacobian coordinates for “the fastest arithmetic”. 15:2M for ADD, much slower than Hessian. Why is this a good idea? Answer: Only 7:2M for DBL with Chudnovsky–Chudnovsky formula.

SLIDE 15

“Our experience shows that the expression of the law of addition

n the cubic Hessian form

(d) of an elliptic curve is by far the best and the prettiest.” X3 = Y 1X2 · Y 1Z2 − Z1Y 2 · X1Y 2; Y 3 = X1Z2 · X1Y 2 − Y 1X2 · Z1X2; Z3 = Z1Y 2 · Z1X2 − X1Z2 · Y 1Z2: 12M for ADD, where M is the cost

f multiplication in the field.

8:4M for DBL, assuming 0:8M for the cost

f squaring in the field.

1990s: ECC standards instead use short Weierstrass curves in Jacobian coordinates for “the fastest arithmetic”. 15:2M for ADD, much slower than Hessian. Why is this a good idea? Answer: Only 7:2M for DBL with Chudnovsky–Chudnovsky formula. 2001 Bernstein: 15M, 7M.

SLIDE 16

“Our experience shows that the expression of the law of addition

n the cubic Hessian form

(d) of an elliptic curve is by far the best and the prettiest.” X3 = Y 1X2 · Y 1Z2 − Z1Y 2 · X1Y 2; Y 3 = X1Z2 · X1Y 2 − Y 1X2 · Z1X2; Z3 = Z1Y 2 · Z1X2 − X1Z2 · Y 1Z2: 12M for ADD, where M is the cost

f multiplication in the field.

8:4M for DBL, assuming 0:8M for the cost

f squaring in the field.

1990s: ECC standards instead use short Weierstrass curves in Jacobian coordinates for “the fastest arithmetic”. 15:2M for ADD, much slower than Hessian. Why is this a good idea? Answer: Only 7:2M for DBL with Chudnovsky–Chudnovsky formula. 2001 Bernstein: 15M, 7M. Compared to Hessian, Weierstrass saves 4M in typical DBL-DBL-DBL-DBL-DBL-ADD.

SLIDE 17

experience shows that the ression of the law of addition cubic Hessian form an elliptic curve is the best and the prettiest.” Y 1X2 · Y 1Z2 − Z1Y 2 · X1Y 2; X1Z2 · X1Y 2 − Y 1X2 · Z1X2; Z1Y 2 · Z1X2 − X1Z2 · Y 1Z2: for ADD, M is the cost multiplication in the field. for DBL, assuming 0:8M for the cost squaring in the field. 1990s: ECC standards instead use short Weierstrass curves in Jacobian coordinates for “the fastest arithmetic”. 15:2M for ADD, much slower than Hessian. Why is this a good idea? Answer: Only 7:2M for DBL with Chudnovsky–Chudnovsky formula. 2001 Bernstein: 15M, 7M. Compared to Hessian, Weierstrass saves 4M in typical DBL-DBL-DBL-DBL-DBL-ADD. 2007 Edw 2007 Bernstein–Lange: analyze sp Example: Sum of ( ((x1y2+ (y1y2−x

SLIDE 18

shows that the law of addition Hessian form curve is and the prettiest.” Z2 − Z1Y 2 · X1Y 2; Y 2 − Y 1X2 · Z1X2; X2 − X1Z2 · Y 1Z2: cost in the field. for the cost the field. 1990s: ECC standards instead use short Weierstrass curves in Jacobian coordinates for “the fastest arithmetic”. 15:2M for ADD, much slower than Hessian. Why is this a good idea? Answer: Only 7:2M for DBL with Chudnovsky–Chudnovsky formula. 2001 Bernstein: 15M, 7M. Compared to Hessian, Weierstrass saves 4M in typical DBL-DBL-DBL-DBL-DBL-ADD. 2007 Edwards: new 2007 Bernstein–Lange: analyze speed, com y

neutral
P
☞

☞ ☞ ☞ ❢ ❢ ❢ ❢ ❬ ❬ ❬ ❬ Example: x2 + y2 Sum of (x1; y1) and ((x1y2+y1x2)=(1− (y1y2−x1x2)=(1+30

SLIDE 19

that the addition rettiest.” · X1Y 2; · Z1X2; · Y 1Z2: field. cost 1990s: ECC standards instead use short Weierstrass curves in Jacobian coordinates for “the fastest arithmetic”. 15:2M for ADD, much slower than Hessian. Why is this a good idea? Answer: Only 7:2M for DBL with Chudnovsky–Chudnovsky formula. 2001 Bernstein: 15M, 7M. Compared to Hessian, Weierstrass saves 4M in typical DBL-DBL-DBL-DBL-DBL-ADD. 2007 Edwards: new curve shap 2007 Bernstein–Lange: generalize, analyze speed, completeness. y x

neutral = (0;
P1 = (x1; y
☞

☞ ☞ ☞ P2 = (x

❢ ❢ ❢ ❢ P3 = (

❬ ❬ ❬ ❬ ❬ Example: x2 + y2 = 1 − 30x Sum of (x1; y1) and (x2; y2) ((x1y2+y1x2)=(1−30x1x2y1 (y1y2−x1x2)=(1+30x1x2y1

SLIDE 20

1990s: ECC standards instead use short Weierstrass curves in Jacobian coordinates for “the fastest arithmetic”. 15:2M for ADD, much slower than Hessian. Why is this a good idea? Answer: Only 7:2M for DBL with Chudnovsky–Chudnovsky formula. 2001 Bernstein: 15M, 7M. Compared to Hessian, Weierstrass saves 4M in typical DBL-DBL-DBL-DBL-DBL-ADD. 2007 Edwards: new curve shape. 2007 Bernstein–Lange: generalize, analyze speed, completeness. y x

neutral = (0; 1)
P1 = (x1; y1)
☞

☞ ☞ ☞ P2 = (x2; y2)

❢ ❢ ❢ ❢ P3 = (x3; y3)

❬ ❬ ❬ ❬ ❬ Example: x2 + y2 = 1 − 30x2y2. Sum of (x1; y1) and (x2; y2) is ((x1y2+y1x2)=(1−30x1x2y1y2), (y1y2−x1x2)=(1+30x1x2y1y2)).

SLIDE 21

ECC standards instead short Weierstrass curves Jacobian coordinates e fastest arithmetic”. for ADD, slower than Hessian. is this a good idea? er: Only 7:2M for DBL with Chudnovsky–Chudnovsky formula. Bernstein: 15M, 7M. Compared to Hessian, eierstrass saves 4M in typical DBL-DBL-DBL-DBL-DBL-ADD. 2007 Edwards: new curve shape. 2007 Bernstein–Lange: generalize, analyze speed, completeness. y x

neutral = (0; 1)
P1 = (x1; y1)
☞

☞ ☞ ☞ P2 = (x2; y2)

❢ ❢ ❢ ❢ P3 = (x3; y3)

❬ ❬ ❬ ❬ ❬ Example: x2 + y2 = 1 − 30x2y2. Sum of (x1; y1) and (x2; y2) is ((x1y2+y1x2)=(1−30x1x2y1y2), (y1y2−x1x2)=(1+30x1x2y1y2)). 2007 Bernstein–Lange: 10:8M fo

SLIDE 22

standards instead eierstrass curves rdinates arithmetic”. ADD, than Hessian.

d idea?

2M for DBL with Chudnovsky–Chudnovsky formula. 15M, 7M. Hessian, saves 4M in typical DBL-DBL-DBL-DBL-DBL-ADD. 2007 Edwards: new curve shape. 2007 Bernstein–Lange: generalize, analyze speed, completeness. y x

neutral = (0; 1)
P1 = (x1; y1)
☞

☞ ☞ ☞ P2 = (x2; y2)

❢ ❢ ❢ ❢ P3 = (x3; y3)

❬ ❬ ❬ ❬ ❬ Example: x2 + y2 = 1 − 30x2y2. Sum of (x1; y1) and (x2; y2) is ((x1y2+y1x2)=(1−30x1x2y1y2), (y1y2−x1x2)=(1+30x1x2y1y2)). 2007 Bernstein–Lange: 10:8M for ADD, 6

SLIDE 23

instead rves rithmetic”. n. BL with formula. . ypical DBL-DBL-DBL-DBL-DBL-ADD. 2007 Edwards: new curve shape. 2007 Bernstein–Lange: generalize, analyze speed, completeness. y x

neutral = (0; 1)
P1 = (x1; y1)
☞

☞ ☞ ☞ P2 = (x2; y2)

❢ ❢ ❢ ❢ P3 = (x3; y3)

❬ ❬ ❬ ❬ ❬ Example: x2 + y2 = 1 − 30x2y2. Sum of (x1; y1) and (x2; y2) is ((x1y2+y1x2)=(1−30x1x2y1y2), (y1y2−x1x2)=(1+30x1x2y1y2)). 2007 Bernstein–Lange: 10:8M for ADD, 6:2M for DBL.

SLIDE 24

2007 Edwards: new curve shape. 2007 Bernstein–Lange: generalize, analyze speed, completeness. y x

neutral = (0; 1)
P1 = (x1; y1)
☞

☞ ☞ ☞ P2 = (x2; y2)

❢ ❢ ❢ ❢ P3 = (x3; y3)

❬ ❬ ❬ ❬ ❬ Example: x2 + y2 = 1 − 30x2y2. Sum of (x1; y1) and (x2; y2) is ((x1y2+y1x2)=(1−30x1x2y1y2), (y1y2−x1x2)=(1+30x1x2y1y2)). 2007 Bernstein–Lange: 10:8M for ADD, 6:2M for DBL.

SLIDE 25

2007 Edwards: new curve shape. 2007 Bernstein–Lange: generalize, analyze speed, completeness. y x

neutral = (0; 1)
P1 = (x1; y1)
☞

☞ ☞ ☞ P2 = (x2; y2)

❢ ❢ ❢ ❢ P3 = (x3; y3)

❬ ❬ ❬ ❬ ❬ Example: x2 + y2 = 1 − 30x2y2. Sum of (x1; y1) and (x2; y2) is ((x1y2+y1x2)=(1−30x1x2y1y2), (y1y2−x1x2)=(1+30x1x2y1y2)). 2007 Bernstein–Lange: 10:8M for ADD, 6:2M for DBL. 2008 Hisil–Wong–Carter–Dawson: just 8M for ADD.

SLIDE 26

2007 Edwards: new curve shape. 2007 Bernstein–Lange: generalize, analyze speed, completeness. y x

neutral = (0; 1)
P1 = (x1; y1)
☞

☞ ☞ ☞ P2 = (x2; y2)

❢ ❢ ❢ ❢ P3 = (x3; y3)

❬ ❬ ❬ ❬ ❬ Example: x2 + y2 = 1 − 30x2y2. Sum of (x1; y1) and (x2; y2) is ((x1y2+y1x2)=(1−30x1x2y1y2), (y1y2−x1x2)=(1+30x1x2y1y2)). 2007 Bernstein–Lange: 10:8M for ADD, 6:2M for DBL. 2008 Hisil–Wong–Carter–Dawson: just 8M for ADD.

SLIDE 27

Edwards: new curve shape. Bernstein–Lange: generalize, analyze speed, completeness. y x

neutral = (0; 1)
P1 = (x1; y1)
☞

☞ ☞ ☞ P2 = (x2; y2)

❢ ❢ ❢ ❢ P3 = (x3; y3)

❬ ❬ ❬ ❬ ❬ Example: x2 + y2 = 1 − 30x2y2.

f (x1; y1) and (x2; y2) is

+y1x2)=(1−30x1x2y1y2), −x1x2)=(1+30x1x2y1y2)). 2007 Bernstein–Lange: 10:8M for ADD, 6:2M for DBL. 2008 Hisil–Wong–Carter–Dawson: just 8M for ADD. y2 = x3

SLIDE 28

new curve shape. Bernstein–Lange: generalize, completeness. x

neutral = (0; 1)

P1 = (x1; y1)

P2 = (x2; y2)
❢

❢ P3 = (x3; y3)

❬ ❬

2 = 1 − 30x2y2.

and (x2; y2) is (1−30x1x2y1y2), (1+30x1x2y1y2)). 2007 Bernstein–Lange: 10:8M for ADD, 6:2M for DBL. 2008 Hisil–Wong–Carter–Dawson: just 8M for ADD. y2 = x3 − 0:4x +

SLIDE 29

shape. generalize, teness. x (0; 1) ; y1) (x2; y2) (x3; y3) 30x2y2.

2) is

y1y2), y1y2)). 2007 Bernstein–Lange: 10:8M for ADD, 6:2M for DBL. 2008 Hisil–Wong–Carter–Dawson: just 8M for ADD. y2 = x3 − 0:4x + 0:7

SLIDE 30

2007 Bernstein–Lange: 10:8M for ADD, 6:2M for DBL. 2008 Hisil–Wong–Carter–Dawson: just 8M for ADD. y2 = x3 − 0:4x + 0:7

SLIDE 31

Bernstein–Lange: for ADD, 6:2M for DBL. Hisil–Wong–Carter–Dawson: M for ADD. y2 = x3 − 0:4x + 0:7

SLIDE 32

Bernstein–Lange: ADD, 6:2M for DBL.

ng–Carter–Dawson:

ADD. y2 = x3 − 0:4x + 0:7

SLIDE 33

DBL. rter–Dawson: y2 = x3 − 0:4x + 0:7

SLIDE 34

y2 = x3 − 0:4x + 0:7

SLIDE 35

3 − 0:4x + 0:7

x2 + y2

SLIDE 36

+ 0:7 x2 + y2 = 1 − 300

SLIDE 37

x2 + y2 = 1 − 300x2y2

SLIDE 38

x2 + y2 = 1 − 300x2y2

SLIDE 39

x2 + y2 = 1 − 300x2y2

SLIDE 40

x2 + y2 = 1 − 300x2y2

SLIDE 41

x2 + y2 = 1 − 300x2y2

SLIDE 42

x2 + y2 = 1 − 300x2y2

SLIDE 43

2 = 1 − 300x2y2

x2 = y4

SLIDE 44

300x2y2 x2 = y4 − 1:9y2 +

SLIDE 45

x2 = y4 − 1:9y2 + 1

SLIDE 46

x2 = y4 − 1:9y2 + 1

SLIDE 47

x2 = y4 − 1:9y2 + 1

SLIDE 48

x2 = y4 − 1:9y2 + 1

SLIDE 49

x2 = y4 − 1:9y2 + 1

SLIDE 50

x2 = y4 − 1:9y2 + 1

SLIDE 51

4 − 1:9y2 + 1

x3 − y3 +

SLIDE 52

+ 1 x3 − y3 + 1 = 0:3xy

SLIDE 53

x3 − y3 + 1 = 0:3xy

SLIDE 54

x3 − y3 + 1 = 0:3xy

SLIDE 55

x3 − y3 + 1 = 0:3xy

SLIDE 56

x3 − y3 + 1 = 0:3xy

SLIDE 57

x3 − y3 + 1 = 0:3xy

SLIDE 58

x3 − y3 + 1 = 0:3xy

SLIDE 59

3 + 1 = 0:3xy

SLIDE 60

:3xy

SLIDE 61

SLIDE 62

SLIDE 63

SLIDE 64

SLIDE 65

SLIDE 66

SLIDE 67

SLIDE 68

SLIDE 69

SLIDE 70

SLIDE 71

SLIDE 72

SLIDE 73

SLIDE 74

SLIDE 75

SLIDE 76

SLIDE 77

SLIDE 78

SLIDE 79

SLIDE 80

SLIDE 81

SLIDE 82

SLIDE 83

Faster Hessian 2007 Hisil–Ca 7:8M for

SLIDE 84

Faster Hessian arithmetic 2007 Hisil–Carter–Da 7:8M for DBL.

SLIDE 85

Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7:8M for DBL.

SLIDE 86

Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7:8M for DBL.

SLIDE 87

Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7:8M for DBL. 2010 Hisil: 11M for ADD.

SLIDE 88

Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7:8M for DBL. 2010 Hisil: 11M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S=M, overhead for checking for special cases, extra DBL, extra ADD, etc.

SLIDE 89

Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7:8M for DBL. 2010 Hisil: 11M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S=M, overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more.

SLIDE 90

Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7:8M for DBL. 2010 Hisil: 11M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S=M, overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more. New: 7:6M for DBL.

SLIDE 91

Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7:8M for DBL. 2010 Hisil: 11M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S=M, overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more. New: 7:6M for DBL. New (announced Generalize twisted aX3 + Y with a(27 2007 7:8 2010 11M new 7:6M

SLIDE 92

Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7:8M for DBL. 2010 Hisil: 11M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S=M, overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more. New: 7:6M for DBL. New (announced July Generalize to more twisted Hessian curves aX3 + Y 3 + Z3 = with a(27a − d3) = 2007 7:8M DBL idea 2010 11M ADD generalizes, new 7:6M DBL generalizes.

SLIDE 93

Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7:8M for DBL. 2010 Hisil: 11M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S=M, overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more. New: 7:6M for DBL. New (announced July 2009): Generalize to more curves: twisted Hessian curves aX3 + Y 3 + Z3 = dXY Z with a(27a − d3) = 0. 2007 7:8M DBL idea fails, but 2010 11M ADD generalizes, new 7:6M DBL generalizes.

SLIDE 94

Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7:8M for DBL. 2010 Hisil: 11M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S=M, overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more. New: 7:6M for DBL. New (announced July 2009): Generalize to more curves: twisted Hessian curves aX3 + Y 3 + Z3 = dXY Z with a(27a − d3) = 0. 2007 7:8M DBL idea fails, but 2010 11M ADD generalizes, new 7:6M DBL generalizes.

SLIDE 95

Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7:8M for DBL. 2010 Hisil: 11M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S=M, overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more. New: 7:6M for DBL. New (announced July 2009): Generalize to more curves: twisted Hessian curves aX3 + Y 3 + Z3 = dXY Z with a(27a − d3) = 0. 2007 7:8M DBL idea fails, but 2010 11M ADD generalizes, new 7:6M DBL generalizes. Rotate addition law so that it also works for DBL; complete if a is not a cube. Eliminates special-case overhead, helps stop side-channel attacks.

SLIDE 96

Hessian arithmetic Hisil–Carter–Dawson: for DBL. Hisil: 11M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. to zoom in closer: analyze exact S=M, overhead hecking for special cases, DBL, extra ADD, etc. eed up Hessian more. 7:6M for DBL. New (announced July 2009): Generalize to more curves: twisted Hessian curves aX3 + Y 3 + Z3 = dXY Z with a(27a − d3) = 0. 2007 7:8M DBL idea fails, but 2010 11M ADD generalizes, new 7:6M DBL generalizes. Rotate addition law so that it also works for DBL; complete if a is not a cube. Eliminates special-case overhead, helps stop side-channel attacks. Triplings TPL is P 2007 Hisil–Ca 12:8M fo Generalizes

SLIDE 97

rithmetic rter–Dawson: for ADD. with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. closer: M, overhead special cases, ADD, etc. Hessian more. DBL. New (announced July 2009): Generalize to more curves: twisted Hessian curves aX3 + Y 3 + Z3 = dXY Z with a(27a − d3) = 0. 2007 7:8M DBL idea fails, but 2010 11M ADD generalizes, new 7:6M DBL generalizes. Rotate addition law so that it also works for DBL; complete if a is not a cube. Eliminates special-case overhead, helps stop side-channel attacks. Triplings (assuming TPL is P → 3P . 2007 Hisil–Carter–Da 12:8M for Hessian Generalizes to twisted

SLIDE 98

wson: . eierstrass for DBL-DBL-DBL-DBL-DBL-ADD.

verhead

cases, etc. re. New (announced July 2009): Generalize to more curves: twisted Hessian curves aX3 + Y 3 + Z3 = dXY Z with a(27a − d3) = 0. 2007 7:8M DBL idea fails, but 2010 11M ADD generalizes, new 7:6M DBL generalizes. Rotate addition law so that it also works for DBL; complete if a is not a cube. Eliminates special-case overhead, helps stop side-channel attacks. Triplings (assuming d = 0) TPL is P → 3P . 2007 Hisil–Carter–Dawson: 12:8M for Hessian TPL. Generalizes to twisted Hessian.

SLIDE 99

New (announced July 2009): Generalize to more curves: twisted Hessian curves aX3 + Y 3 + Z3 = dXY Z with a(27a − d3) = 0. 2007 7:8M DBL idea fails, but 2010 11M ADD generalizes, new 7:6M DBL generalizes. Rotate addition law so that it also works for DBL; complete if a is not a cube. Eliminates special-case overhead, helps stop side-channel attacks. Triplings (assuming d = 0) TPL is P → 3P . 2007 Hisil–Carter–Dawson: 12:8M for Hessian TPL. Generalizes to twisted Hessian.

SLIDE 100

New (announced July 2009): Generalize to more curves: twisted Hessian curves aX3 + Y 3 + Z3 = dXY Z with a(27a − d3) = 0. 2007 7:8M DBL idea fails, but 2010 11M ADD generalizes, new 7:6M DBL generalizes. Rotate addition law so that it also works for DBL; complete if a is not a cube. Eliminates special-case overhead, helps stop side-channel attacks. Triplings (assuming d = 0) TPL is P → 3P . 2007 Hisil–Carter–Dawson: 12:8M for Hessian TPL. Generalizes to twisted Hessian. 2015 Kohel: 11:2M.

SLIDE 101

New (announced July 2009): Generalize to more curves: twisted Hessian curves aX3 + Y 3 + Z3 = dXY Z with a(27a − d3) = 0. 2007 7:8M DBL idea fails, but 2010 11M ADD generalizes, new 7:6M DBL generalizes. Rotate addition law so that it also works for DBL; complete if a is not a cube. Eliminates special-case overhead, helps stop side-channel attacks. Triplings (assuming d = 0) TPL is P → 3P . 2007 Hisil–Carter–Dawson: 12:8M for Hessian TPL. Generalizes to twisted Hessian. 2015 Kohel: 11:2M. New: 10:8M assuming field with fast primitive

3

√ 1; e.g., Fq[!]=(!2 + ! + 1), or Fp with 7p = 2298 + 2149 + 1. (More history in small char. See paper for details.)

SLIDE 102

(announced July 2009): Generalize to more curves: sted Hessian curves Y 3 + Z3 = dXY Z (27a − d3) = 0. :8M DBL idea fails, but 11M ADD generalizes, :6M DBL generalizes. Rotate addition law that it also works for DBL; complete if a is not a cube. Eliminates special-case overhead, stop side-channel attacks. Triplings (assuming d = 0) TPL is P → 3P . 2007 Hisil–Carter–Dawson: 12:8M for Hessian TPL. Generalizes to twisted Hessian. 2015 Kohel: 11:2M. New: 10:8M assuming field with fast primitive

3

√ 1; e.g., Fq[!]=(!2 + ! + 1), or Fp with 7p = 2298 + 2149 + 1. (More history in small char. See paper for details.) If aX3 + then V W where U = −X If V W(V then aX3 where Q S = −(V dX3 = R Y3 = RS Z3 = RV Compose (X3 : Y3

SLIDE 103

July 2009): re curves: Hessian curves = dXY Z ) = 0. idea fails, but generalizes, generalizes. law

rks for DBL;

not a cube. ecial-case overhead, side-channel attacks. Triplings (assuming d = 0) TPL is P → 3P . 2007 Hisil–Carter–Dawson: 12:8M for Hessian TPL. Generalizes to twisted Hessian. 2015 Kohel: 11:2M. New: 10:8M assuming field with fast primitive

3

√ 1; e.g., Fq[!]=(!2 + ! + 1), or Fp with 7p = 2298 + 2149 + 1. (More history in small char. See paper for details.) If aX3 + Y 3 + Z3 then V W(V + dU where U = −XY Z, V = If V W(V + dU + aW then aX3

3 + Y 3 3 + Z

where Q = dU, R S = −(V + Q + R dX3 = R3 + S3 + Y3 = RS2 + SV 2 + Z3 = RV 2 + SR2 + Compose these 3-isogenies: (X3 : Y3 : Z3) = 3(

SLIDE 104

2009): curves: ils, but generalizes, generalizes. DBL; e.

verhead,

attacks. Triplings (assuming d = 0) TPL is P → 3P . 2007 Hisil–Carter–Dawson: 12:8M for Hessian TPL. Generalizes to twisted Hessian. 2015 Kohel: 11:2M. New: 10:8M assuming field with fast primitive

3

√ 1; e.g., Fq[!]=(!2 + ! + 1), or Fp with 7p = 2298 + 2149 + 1. (More history in small char. See paper for details.) If aX3 + Y 3 + Z3 = dXY Z then V W(V + dU + aW) = where U = −XY Z, V = Y 3, W = If V W(V + dU + aW) = U3 then aX3

3 + Y 3 3 + Z3 3 = dX3

where Q = dU, R = aW, S = −(V + Q + R), dX3 = R3 + S3 + V 3 − 3RS Y3 = RS2 + SV 2 + V R2 − 3 Z3 = RV 2 + SR2 + V S2 − 3 Compose these 3-isogenies: (X3 : Y3 : Z3) = 3(X : Y : Z

SLIDE 105

Triplings (assuming d = 0) TPL is P → 3P . 2007 Hisil–Carter–Dawson: 12:8M for Hessian TPL. Generalizes to twisted Hessian. 2015 Kohel: 11:2M. New: 10:8M assuming field with fast primitive

3

√ 1; e.g., Fq[!]=(!2 + ! + 1), or Fp with 7p = 2298 + 2149 + 1. (More history in small char. See paper for details.) If aX3 + Y 3 + Z3 = dXY Z then V W(V + dU + aW) = U3 where U = −XY Z, V = Y 3, W = X3. If V W(V + dU + aW) = U3 then aX3

3 + Y 3 3 + Z3 3 = dX3Y3Z3

where Q = dU, R = aW, S = −(V + Q + R), dX3 = R3 + S3 + V 3 − 3RSV , Y3 = RS2 + SV 2 + V R2 − 3RSV , Z3 = RV 2 + SR2 + V S2 − 3RSV . Compose these 3-isogenies: (X3 : Y3 : Z3) = 3(X : Y : Z).

SLIDE 106

riplings (assuming d = 0) is P → 3P . Hisil–Carter–Dawson: for Hessian TPL. Generalizes to twisted Hessian. Kohel: 11:2M. 10:8M assuming with fast primitive

3

√ 1;

q[!]=(!2 + ! + 1), or

with 7p = 2298 + 2149 + 1. history in small char. paper for details.) If aX3 + Y 3 + Z3 = dXY Z then V W(V + dU + aW) = U3 where U = −XY Z, V = Y 3, W = X3. If V W(V + dU + aW) = U3 then aX3

3 + Y 3 3 + Z3 3 = dX3Y3Z3

where Q = dU, R = aW, S = −(V + Q + R), dX3 = R3 + S3 + V 3 − 3RSV , Y3 = RS2 + SV 2 + V R2 − 3RSV , Z3 = RV 2 + SR2 + V S2 − 3RSV . Compose these 3-isogenies: (X3 : Y3 : Z3) = 3(X : Y : Z). To quickly Three cubings For three (¸; ˛; ‚) (¸R + ˛ (¸S + ˛ (¸V + ˛ = ¸˛‚dX + (¸˛2+ + (˛¸2+ + (¸+˛ Also use Solve for

SLIDE 107

(assuming d = 0) . rter–Dawson: ssian TPL. wisted Hessian. 2M. assuming rimitive

3

√ 1; + ! + 1), or

298 + 2149 + 1.

small char. details.) If aX3 + Y 3 + Z3 = dXY Z then V W(V + dU + aW) = U3 where U = −XY Z, V = Y 3, W = X3. If V W(V + dU + aW) = U3 then aX3

3 + Y 3 3 + Z3 3 = dX3Y3Z3

where Q = dU, R = aW, S = −(V + Q + R), dX3 = R3 + S3 + V 3 − 3RSV , Y3 = RS2 + SV 2 + V R2 − 3RSV , Z3 = RV 2 + SR2 + V S2 − 3RSV . Compose these 3-isogenies: (X3 : Y3 : Z3) = 3(X : Y : Z). To quickly triple (X Three cubings for R For three choices of (¸; ˛; ‚) compute (¸R + ˛S + ‚V ) · (¸S + ˛V + ‚R) · (¸V + ˛R + ‚S) = ¸˛‚dX3 + (¸˛2+˛‚2+‚¸ + (˛¸2+‚˛2+¸‚ + (¸+˛+‚)3RSV Also use a(R +S + Solve for dX3; Y3; Z

SLIDE 108

0) wson: Hessian. 1;

+ 1. r. If aX3 + Y 3 + Z3 = dXY Z then V W(V + dU + aW) = U3 where U = −XY Z, V = Y 3, W = X3. If V W(V + dU + aW) = U3 then aX3

3 + Y 3 3 + Z3 3 = dX3Y3Z3

where Q = dU, R = aW, S = −(V + Q + R), dX3 = R3 + S3 + V 3 − 3RSV , Y3 = RS2 + SV 2 + V R2 − 3RSV , Z3 = RV 2 + SR2 + V S2 − 3RSV . Compose these 3-isogenies: (X3 : Y3 : Z3) = 3(X : Y : Z). To quickly triple (X : Y : Z): Three cubings for R; S; V . For three choices of constants (¸; ˛; ‚) compute (¸R + ˛S + ‚V ) · (¸S + ˛V + ‚R) · (¸V + ˛R + ‚S) = ¸˛‚dX3 + (¸˛2+˛‚2+‚¸2)Y3 + (˛¸2+‚˛2+¸‚2)Z3 + (¸+˛+‚)3RSV . Also use a(R +S +V )3 = d3 Solve for dX3; Y3; Z3.

SLIDE 109

If aX3 + Y 3 + Z3 = dXY Z then V W(V + dU + aW) = U3 where U = −XY Z, V = Y 3, W = X3. If V W(V + dU + aW) = U3 then aX3

3 + Y 3 3 + Z3 3 = dX3Y3Z3

where Q = dU, R = aW, S = −(V + Q + R), dX3 = R3 + S3 + V 3 − 3RSV , Y3 = RS2 + SV 2 + V R2 − 3RSV , Z3 = RV 2 + SR2 + V S2 − 3RSV . Compose these 3-isogenies: (X3 : Y3 : Z3) = 3(X : Y : Z). To quickly triple (X : Y : Z): Three cubings for R; S; V . For three choices of constants (¸; ˛; ‚) compute (¸R + ˛S + ‚V ) · (¸S + ˛V + ‚R) · (¸V + ˛R + ‚S) = ¸˛‚dX3 + (¸˛2+˛‚2+‚¸2)Y3 + (˛¸2+‚˛2+¸‚2)Z3 + (¸+˛+‚)3RSV . Also use a(R +S +V )3 = d3RSV . Solve for dX3; Y3; Z3.

SLIDE 110

+ Y 3 + Z3 = dXY Z W(V + dU + aW) = U3 XY Z, V = Y 3, W = X3. (V + dU + aW) = U3 aX3

3 + Y 3 3 + Z3 3 = dX3Y3Z3

Q = dU, R = aW, (V + Q + R), R3 + S3 + V 3 − 3RSV , S2 + SV 2 + V R2 − 3RSV , RV 2 + SR2 + V S2 − 3RSV .

se these 3-isogenies:

3 : Z3) = 3(X : Y : Z).

To quickly triple (X : Y : Z): Three cubings for R; S; V . For three choices of constants (¸; ˛; ‚) compute (¸R + ˛S + ‚V ) · (¸S + ˛V + ‚R) · (¸V + ˛R + ‚S) = ¸˛‚dX3 + (¸˛2+˛‚2+‚¸2)Y3 + (˛¸2+‚˛2+¸‚2)Z3 + (¸+˛+‚)3RSV . Also use a(R +S +V )3 = d3RSV . Solve for dX3; Y3; Z3. 2015 Kohel’s (4 cubings introduced (¸; ˛; ‚) (¸; ˛; ‚) (¸; ˛; ‚)

SLIDE 111

3 = dXY Z

dU + aW) = U3 = Y 3, W = X3. aW) = U3 + Z3

3 = dX3Y3Z3

R = aW, R), + V 3 − 3RSV , + V R2 − 3RSV ,

2 + V S2 − 3RSV .

3-isogenies: 3(X : Y : Z). To quickly triple (X : Y : Z): Three cubings for R; S; V . For three choices of constants (¸; ˛; ‚) compute (¸R + ˛S + ‚V ) · (¸S + ˛V + ‚R) · (¸V + ˛R + ‚S) = ¸˛‚dX3 + (¸˛2+˛‚2+‚¸2)Y3 + (˛¸2+‚˛2+¸‚2)Z3 + (¸+˛+‚)3RSV . Also use a(R +S +V )3 = d3RSV . Solve for dX3; Y3; Z3. 2015 Kohel’s 11:2M (4 cubings + 4 mults) introduced this TPL (¸; ˛; ‚) = (1; 1; 1), (¸; ˛; ‚) = (1; −1; (¸; ˛; ‚) = (1; 1; 0).

SLIDE 112

Z = U3 = X3.

3 3Y3Z3

SV , 3RSV , 3RSV . 3-isogenies: Z). To quickly triple (X : Y : Z): Three cubings for R; S; V . For three choices of constants (¸; ˛; ‚) compute (¸R + ˛S + ‚V ) · (¸S + ˛V + ‚R) · (¸V + ˛R + ‚S) = ¸˛‚dX3 + (¸˛2+˛‚2+‚¸2)Y3 + (˛¸2+‚˛2+¸‚2)Z3 + (¸+˛+‚)3RSV . Also use a(R +S +V )3 = d3RSV . Solve for dX3; Y3; Z3. 2015 Kohel’s 11:2M (4 cubings + 4 mults) introduced this TPL idea with (¸; ˛; ‚) = (1; 1; 1), (¸; ˛; ‚) = (1; −1; 0), (¸; ˛; ‚) = (1; 1; 0).

SLIDE 113

To quickly triple (X : Y : Z): Three cubings for R; S; V . For three choices of constants (¸; ˛; ‚) compute (¸R + ˛S + ‚V ) · (¸S + ˛V + ‚R) · (¸V + ˛R + ‚S) = ¸˛‚dX3 + (¸˛2+˛‚2+‚¸2)Y3 + (˛¸2+‚˛2+¸‚2)Z3 + (¸+˛+‚)3RSV . Also use a(R +S +V )3 = d3RSV . Solve for dX3; Y3; Z3. 2015 Kohel’s 11:2M (4 cubings + 4 mults) introduced this TPL idea with (¸; ˛; ‚) = (1; 1; 1), (¸; ˛; ‚) = (1; −1; 0), (¸; ˛; ‚) = (1; 1; 0).

SLIDE 114

To quickly triple (X : Y : Z): Three cubings for R; S; V . For three choices of constants (¸; ˛; ‚) compute (¸R + ˛S + ‚V ) · (¸S + ˛V + ‚R) · (¸V + ˛R + ‚S) = ¸˛‚dX3 + (¸˛2+˛‚2+‚¸2)Y3 + (˛¸2+‚˛2+¸‚2)Z3 + (¸+˛+‚)3RSV . Also use a(R +S +V )3 = d3RSV . Solve for dX3; Y3; Z3. 2015 Kohel’s 11:2M (4 cubings + 4 mults) introduced this TPL idea with (¸; ˛; ‚) = (1; 1; 1), (¸; ˛; ‚) = (1; −1; 0), (¸; ˛; ‚) = (1; 1; 0). New 10:8M (6 cubings) makes faster choices assuming fast primitive ! = 3 √ 1: (¸; ˛; ‚) = (1; 1; 1), (¸; ˛; ‚) = (1; !; !2), (¸; ˛; ‚) = (1; !2; !).

SLIDE 115

quickly triple (X : Y : Z): cubings for R; S; V . three choices of constants ‚) compute ˛S + ‚V ) · ˛V + ‚R) · ˛R + ‚S) dX3

2+˛‚2+‚¸2)Y3 2+‚˛2+¸‚2)Z3

˛+‚)3RSV . use a(R +S +V )3 = d3RSV . for dX3; Y3; Z3. 2015 Kohel’s 11:2M (4 cubings + 4 mults) introduced this TPL idea with (¸; ˛; ‚) = (1; 1; 1), (¸; ˛; ‚) = (1; −1; 0), (¸; ˛; ‚) = (1; 1; 0). New 10:8M (6 cubings) makes faster choices assuming fast primitive ! = 3 √ 1: (¸; ˛; ‚) = (1; 1; 1), (¸; ˛; ‚) = (1; !; !2), (¸; ˛; ‚) = (1; !2; !). Are triplings 2005 Dimitrov–Imb “double-base compute 21532P + + 2 2TPL, 15DBL, 2006 Do generalized e.g., compute 212333P after precomputing 3TPL, 13DBL,

SLIDE 116

(X : Y : Z): r R; S; V . choices of constants compute ) · ) · ) ¸2)Y3 ¸‚2)Z3 V . +V )3 = d3RSV . ; Z3. 2015 Kohel’s 11:2M (4 cubings + 4 mults) introduced this TPL idea with (¸; ˛; ‚) = (1; 1; 1), (¸; ˛; ‚) = (1; −1; 0), (¸; ˛; ‚) = (1; 1; 0). New 10:8M (6 cubings) makes faster choices assuming fast primitive ! = 3 √ 1: (¸; ˛; ‚) = (1; 1; 1), (¸; ˛; ‚) = (1; !; !2), (¸; ˛; ‚) = (1; !2; !). Are triplings useful? 2005 Dimitrov–Imb “double-base chains”: compute 314159P 21532P + 21132P + + 2431P − 20 2TPL, 15DBL, 4A 2006 Doche–Imbert generalized double-base e.g., compute 314159 212333P −27335P − after precomputing 3TPL, 13DBL, 6ADD.

SLIDE 117

): constants d3RSV . 2015 Kohel’s 11:2M (4 cubings + 4 mults) introduced this TPL idea with (¸; ˛; ‚) = (1; 1; 1), (¸; ˛; ‚) = (1; −1; 0), (¸; ˛; ‚) = (1; 1; 0). New 10:8M (6 cubings) makes faster choices assuming fast primitive ! = 3 √ 1: (¸; ˛; ‚) = (1; 1; 1), (¸; ˛; ‚) = (1; !; !2), (¸; ˛; ‚) = (1; !2; !). Are triplings useful? 2005 Dimitrov–Imbert–Mishra “double-base chains”: e.g., compute 314159P as 21532P + 21132P + 2831P + 2431P − 2030P . 2TPL, 15DBL, 4ADD. 2006 Doche–Imbert generalized double-base chains: e.g., compute 314159P as 212333P −27335P −24317P − after precomputing 3P; 5P; 7 3TPL, 13DBL, 6ADD.

SLIDE 118

2015 Kohel’s 11:2M (4 cubings + 4 mults) introduced this TPL idea with (¸; ˛; ‚) = (1; 1; 1), (¸; ˛; ‚) = (1; −1; 0), (¸; ˛; ‚) = (1; 1; 0). New 10:8M (6 cubings) makes faster choices assuming fast primitive ! = 3 √ 1: (¸; ˛; ‚) = (1; 1; 1), (¸; ˛; ‚) = (1; !; !2), (¸; ˛; ‚) = (1; !2; !). Are triplings useful? 2005 Dimitrov–Imbert–Mishra “double-base chains”: e.g., compute 314159P as 21532P + 21132P + 2831P + 2431P − 2030P . 2TPL, 15DBL, 4ADD. 2006 Doche–Imbert generalized double-base chains: e.g., compute 314159P as 212333P −27335P −24317P −2030P after precomputing 3P; 5P; 7P . 3TPL, 13DBL, 6ADD.

SLIDE 119

Kohel’s 11:2M cubings + 4 mults) duced this TPL idea with ‚) = (1; 1; 1), ‚) = (1; −1; 0), ‚) = (1; 1; 0). 10:8M (6 cubings) faster choices assuming fast primitive ! = 3 √ 1: ‚) = (1; 1; 1), ‚) = (1; !; !2), ‚) = (1; !2; !). Are triplings useful? 2005 Dimitrov–Imbert–Mishra “double-base chains”: e.g., compute 314159P as 21532P + 21132P + 2831P + 2431P − 2030P . 2TPL, 15DBL, 4ADD. 2006 Doche–Imbert generalized double-base chains: e.g., compute 314159P as 212333P −27335P −24317P −2030P after precomputing 3P; 5P; 7P . 3TPL, 13DBL, 6ADD. Not good Good for factorization, Also need Good for

SLIDE 120

:2M mults) TPL idea with ; 1), 1; 0), ; 0). cubings) choices rimitive ! = 3 √ 1: ; 1), ; !2),

2; !).

Are triplings useful? 2005 Dimitrov–Imbert–Mishra “double-base chains”: e.g., compute 314159P as 21532P + 21132P + 2831P + 2431P − 2030P . 2TPL, 15DBL, 4ADD. 2006 Doche–Imbert generalized double-base chains: e.g., compute 314159P as 212333P −27335P −24317P −2030P after precomputing 3P; 5P; 7P . 3TPL, 13DBL, 6ADD. Not good for constant Good for signature factorization, math, Also need time to Good for scalars used

SLIDE 121

with = 3 √ 1: Are triplings useful? 2005 Dimitrov–Imbert–Mishra “double-base chains”: e.g., compute 314159P as 21532P + 21132P + 2831P + 2431P − 2030P . 2TPL, 15DBL, 4ADD. 2006 Doche–Imbert generalized double-base chains: e.g., compute 314159P as 212333P −27335P −24317P −2030P after precomputing 3P; 5P; 7P . 3TPL, 13DBL, 6ADD. Not good for constant time. Good for signature verification, factorization, math, etc. Also need time to compute chain. Good for scalars used many

SLIDE 122

Are triplings useful? 2005 Dimitrov–Imbert–Mishra “double-base chains”: e.g., compute 314159P as 21532P + 21132P + 2831P + 2431P − 2030P . 2TPL, 15DBL, 4ADD. 2006 Doche–Imbert generalized double-base chains: e.g., compute 314159P as 212333P −27335P −24317P −2030P after precomputing 3P; 5P; 7P . 3TPL, 13DBL, 6ADD. Not good for constant time. Good for signature verification, factorization, math, etc. Also need time to compute chain. Good for scalars used many times.

SLIDE 123

Are triplings useful? 2005 Dimitrov–Imbert–Mishra “double-base chains”: e.g., compute 314159P as 21532P + 21132P + 2831P + 2431P − 2030P . 2TPL, 15DBL, 4ADD. 2006 Doche–Imbert generalized double-base chains: e.g., compute 314159P as 212333P −27335P −24317P −2030P after precomputing 3P; 5P; 7P . 3TPL, 13DBL, 6ADD. Not good for constant time. Good for signature verification, factorization, math, etc. Also need time to compute chain. Good for scalars used many times. Analysis+optimization from 2007 Bernstein–Birkner–Lange–Peters: Double-base chains speed up Weierstrass curves slightly: 9:29M/bit for 256-bit scalars. More savings for, e.g., Hessian: 9:65M/bit. Still not competitive.

SLIDE 124

triplings useful? Dimitrov–Imbert–Mishra “double-base chains”: e.g., compute 314159P as + 21132P + 2831P 2431P − 2030P . 15DBL, 4ADD. Doche–Imbert generalized double-base chains: compute 314159P as P −27335P −24317P −2030P recomputing 3P; 5P; 7P . 13DBL, 6ADD. Not good for constant time. Good for signature verification, factorization, math, etc. Also need time to compute chain. Good for scalars used many times. Analysis+optimization from 2007 Bernstein–Birkner–Lange–Peters: Double-base chains speed up Weierstrass curves slightly: 9:29M/bit for 256-bit scalars. More savings for, e.g., Hessian: 9:65M/bit. Still not competitive. Revisit c using latest latest double-base

SLIDE 125

useful? Dimitrov–Imbert–Mishra chains”: e.g., P as + 2831P 2030P . 4ADD. ert double-base chains: 314159P as P −24317P −2030P recomputing 3P; 5P; 7P . 6ADD. Not good for constant time. Good for signature verification, factorization, math, etc. Also need time to compute chain. Good for scalars used many times. Analysis+optimization from 2007 Bernstein–Birkner–Lange–Peters: Double-base chains speed up Weierstrass curves slightly: 9:29M/bit for 256-bit scalars. More savings for, e.g., Hessian: 9:65M/bit. Still not competitive. Revisit conclusions using latest Hessian latest double-base

SLIDE 126

ert–Mishra e.g., chains: −2030P ; 7P . Not good for constant time. Good for signature verification, factorization, math, etc. Also need time to compute chain. Good for scalars used many times. Analysis+optimization from 2007 Bernstein–Birkner–Lange–Peters: Double-base chains speed up Weierstrass curves slightly: 9:29M/bit for 256-bit scalars. More savings for, e.g., Hessian: 9:65M/bit. Still not competitive. Revisit conclusions using latest Hessian formulas, latest double-base techniques.

SLIDE 127

Not good for constant time. Good for signature verification, factorization, math, etc. Also need time to compute chain. Good for scalars used many times. Analysis+optimization from 2007 Bernstein–Birkner–Lange–Peters: Double-base chains speed up Weierstrass curves slightly: 9:29M/bit for 256-bit scalars. More savings for, e.g., Hessian: 9:65M/bit. Still not competitive. Revisit conclusions using latest Hessian formulas, latest double-base techniques.

SLIDE 128