twisted hessian curves cr yp to papers html hessian
play

Twisted Hessian curves cr.yp.to/papers.html#hessian Daniel J. - PDF document

May 15, 2023 •281 likes •772 views

Twisted Hessian curves cr.yp.to/papers.html#hessian Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Chitchanok Chuengsatiansup Technische Universiteit Eindhoven David Kohel

  1. Twisted Hessian curves cr.yp.to/papers.html#hessian Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Chitchanok Chuengsatiansup Technische Universiteit Eindhoven David Kohel Aix-Marseille Universit´ e Tanja Lange Technische Universiteit Eindhoven

  2. 1986 Chudnovsky–Chudnovsky, “Sequences of numbers generated by addition in formal groups and new primality and factorization tests”: “The crucial problem becomes the choice of the model of an algebraic group variety, where computations mod p are the least time consuming.” Most important computations: ADD is P; Q �→ P + Q . DBL is P �→ 2 P .

  3. “It is preferable to use models of elliptic curves lying in low-dimensional spaces, for otherwise the number of coordinates and operations is increasing. This limits us : : : to 4 basic models of elliptic curves.” Short Weierstrass: y 2 = x 3 + ax + b . Jacobi intersection: s 2 + c 2 = 1, as 2 + d 2 = 1. Jacobi quartic: y 2 = x 4 +2 ax 2 +1. Hessian: x 3 + y 3 + 1 = 3 dxy .

  4. “Our experience shows that the expression of the law of addition on the cubic Hessian form (d) of an elliptic curve is by far the best and the prettiest.” X 3 = Y 1 X 2 · Y 1 Z 2 − Z 1 Y 2 · X 1 Y 2 ; Y 3 = X 1 Z 2 · X 1 Y 2 − Y 1 X 2 · Z 1 X 2 ; Z 3 = Z 1 Y 2 · Z 1 X 2 − X 1 Z 2 · Y 1 Z 2 : 12 M for ADD, where M is the cost of multiplication in the field. 8 : 4 M for DBL, assuming 0 : 8 M for the cost of squaring in the field.

  5. 1990s: ECC standards instead use short Weierstrass curves in Jacobian coordinates for “the fastest arithmetic”. 15 : 2 M for ADD, much slower than Hessian. Why is this a good idea?

  6. 1990s: ECC standards instead use short Weierstrass curves in Jacobian coordinates for “the fastest arithmetic”. 15 : 2 M for ADD, much slower than Hessian. Why is this a good idea? Answer: Only 7 : 2 M for DBL with Chudnovsky–Chudnovsky formula.

  7. 1990s: ECC standards instead use short Weierstrass curves in Jacobian coordinates for “the fastest arithmetic”. 15 : 2 M for ADD, much slower than Hessian. Why is this a good idea? Answer: Only 7 : 2 M for DBL with Chudnovsky–Chudnovsky formula. 2001 Bernstein: 15 M , 7 M .

  8. 1990s: ECC standards instead use short Weierstrass curves in Jacobian coordinates for “the fastest arithmetic”. 15 : 2 M for ADD, much slower than Hessian. Why is this a good idea? Answer: Only 7 : 2 M for DBL with Chudnovsky–Chudnovsky formula. 2001 Bernstein: 15 M , 7 M . Compared to Hessian, Weierstrass saves 4 M in typical DBL-DBL-DBL-DBL-DBL-ADD.

  9. � � 2007 Edwards: new curve shape. 2007 Bernstein–Lange: generalize, analyze speed, completeness. y neutral = (0 ; 1) • P 1 = ( x 1 ; y 1 ) • ☞ P 2 = ( x 2 ; y 2 ) ☞ • ☞ ❢ ❢ ❢ ❢ x ☞ ❢ ❬ ❬ ❬ ❬ ❬ ❬ • P 3 = ( x 3 ; y 3 ) Example: x 2 + y 2 = 1 − 30 x 2 y 2 . Sum of ( x 1 ; y 1 ) and ( x 2 ; y 2 ) is (( x 1 y 2 + y 1 x 2 ) = (1 − 30 x 1 x 2 y 1 y 2 ), ( y 1 y 2 − x 1 x 2 ) = (1+30 x 1 x 2 y 1 y 2 )).

  10. 2007 Bernstein–Lange: 10 : 8 M for ADD, 6 : 2 M for DBL.

  11. 2007 Bernstein–Lange: 10 : 8 M for ADD, 6 : 2 M for DBL. 2008 Hisil–Wong–Carter–Dawson: just 8 M for ADD.

  12. 2007 Bernstein–Lange: 10 : 8 M for ADD, 6 : 2 M for DBL. 2008 Hisil–Wong–Carter–Dawson: just 8 M for ADD.

  13. y 2 = x 3 − 0 : 4 x + 0 : 7

  15. x 2 + y 2 = 1 − 300 x 2 y 2

  17. x 2 = y 4 − 1 : 9 y 2 + 1

  19. x 3 − y 3 + 1 = 0 : 3 xy

  27. Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7 : 8 M for DBL.

  28. Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7 : 8 M for DBL. 2010 Hisil: 11 M for ADD.

  29. Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7 : 8 M for DBL. 2010 Hisil: 11 M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S = M , overhead for checking for special cases, extra DBL, extra ADD, etc.

  30. Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7 : 8 M for DBL. 2010 Hisil: 11 M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S = M , overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more.

  31. Faster Hessian arithmetic 2007 Hisil–Carter–Dawson: 7 : 8 M for DBL. 2010 Hisil: 11 M for ADD. Hessian tied with Weierstrass for DBL-DBL-DBL-DBL-DBL-ADD. Need to zoom in closer: analyze exact S = M , overhead for checking for special cases, extra DBL, extra ADD, etc. Or speed up Hessian more. New: 7 : 6 M for DBL.

  32. New (announced July 2009): Generalize to more curves: twisted Hessian curves aX 3 + Y 3 + Z 3 = dXY Z with a (27 a − d 3 ) � = 0. 2007 7 : 8 M DBL idea fails, but 2010 11 M ADD generalizes, new 7 : 6 M DBL generalizes.

  33. New (announced July 2009): Generalize to more curves: twisted Hessian curves aX 3 + Y 3 + Z 3 = dXY Z with a (27 a − d 3 ) � = 0. 2007 7 : 8 M DBL idea fails, but 2010 11 M ADD generalizes, new 7 : 6 M DBL generalizes. Rotate addition law so that it also works for DBL; complete if a is not a cube. Eliminates special-case overhead, helps stop side-channel attacks.

  34. Triplings (assuming d � = 0) TPL is P �→ 3 P . 2007 Hisil–Carter–Dawson: 12 : 8 M for Hessian TPL. Generalizes to twisted Hessian.

  35. Triplings (assuming d � = 0) TPL is P �→ 3 P . 2007 Hisil–Carter–Dawson: 12 : 8 M for Hessian TPL. Generalizes to twisted Hessian. 2015 Kohel: 11 : 2 M .

  36. Triplings (assuming d � = 0) TPL is P �→ 3 P . 2007 Hisil–Carter–Dawson: 12 : 8 M for Hessian TPL. Generalizes to twisted Hessian. 2015 Kohel: 11 : 2 M . New: 10 : 8 M assuming √ 3 field with fast primitive 1; e.g., F q [ ! ] = ( ! 2 + ! + 1), or F p with 7 p = 2 298 + 2 149 + 1. (More history in small char. See paper for details.)

  37. If aX 3 + Y 3 + Z 3 = dXY Z then V W ( V + dU + aW ) = U 3 where U = − XY Z , V = Y 3 , W = X 3 . If V W ( V + dU + aW ) = U 3 then aX 3 3 + Y 3 3 + Z 3 3 = dX 3 Y 3 Z 3 where Q = dU , R = aW , S = − ( V + Q + R ), dX 3 = R 3 + S 3 + V 3 − 3 RSV , Y 3 = RS 2 + SV 2 + V R 2 − 3 RSV , Z 3 = RV 2 + SR 2 + V S 2 − 3 RSV . Compose these 3-isogenies: ( X 3 : Y 3 : Z 3 ) = 3( X : Y : Z ).

  38. To quickly triple ( X : Y : Z ): Three cubings for R; S; V . For three choices of constants ( ¸; ˛; ‚ ) compute ( ¸R + ˛S + ‚V ) · ( ¸S + ˛V + ‚R ) · ( ¸V + ˛R + ‚S ) = ¸˛‚dX 3 + ( ¸˛ 2 + ˛‚ 2 + ‚¸ 2 ) Y 3 + ( ˛¸ 2 + ‚˛ 2 + ¸‚ 2 ) Z 3 + ( ¸ + ˛ + ‚ ) 3 RSV . Also use a ( R + S + V ) 3 = d 3 RSV . Solve for dX 3 ; Y 3 ; Z 3 .

  39. 2015 Kohel’s 11 : 2 M (4 cubings + 4 mults) introduced this TPL idea with ( ¸; ˛; ‚ ) = (1 ; 1 ; 1), ( ¸; ˛; ‚ ) = (1 ; − 1 ; 0), ( ¸; ˛; ‚ ) = (1 ; 1 ; 0).

  40. 2015 Kohel’s 11 : 2 M (4 cubings + 4 mults) introduced this TPL idea with ( ¸; ˛; ‚ ) = (1 ; 1 ; 1), ( ¸; ˛; ‚ ) = (1 ; − 1 ; 0), ( ¸; ˛; ‚ ) = (1 ; 1 ; 0). New 10 : 8 M (6 cubings) makes faster choices √ assuming fast primitive ! = 3 1: ( ¸; ˛; ‚ ) = (1 ; 1 ; 1), ( ¸; ˛; ‚ ) = (1 ; !; ! 2 ), ( ¸; ˛; ‚ ) = (1 ; ! 2 ; ! ).

  41. Are triplings useful? 2005 Dimitrov–Imbert–Mishra “double-base chains”: e.g., compute 314159 P as 2 15 3 2 P + 2 11 3 2 P + 2 8 3 1 P + 2 4 3 1 P − 2 0 3 0 P . 2TPL, 15DBL, 4ADD. 2006 Doche–Imbert generalized double-base chains: e.g., compute 314159 P as 2 12 3 3 3 P − 2 7 3 3 5 P − 2 4 3 1 7 P − 2 0 3 0 P after precomputing 3 P; 5 P; 7 P . 3TPL, 13DBL, 6ADD.

  42. Not good for constant time. Good for signature verification, factorization, math, etc. Also need time to compute chain. Good for scalars used many times.

  43. Not good for constant time. Good for signature verification, factorization, math, etc. Also need time to compute chain. Good for scalars used many times. Analysis+optimization from 2007 Bernstein–Birkner–Lange–Peters: Double-base chains speed up Weierstrass curves slightly: 9 : 29 M /bit for 256-bit scalars. More savings for, e.g., Hessian: 9 : 65 M /bit. Still not competitive.

  44. Revisit conclusions using latest Hessian formulas, latest double-base techniques.

  45. Revisit conclusions using latest Hessian formulas, latest double-base techniques. New: 8 : 77 M /bit for 256 bits.

  46. Revisit conclusions using latest Hessian formulas, latest double-base techniques. New: 8 : 77 M /bit for 256 bits. Comparison to Weierstrass for 1-bit, 2-bit, : : : , 64-bit scalars: Multiplications saved 100 50 0 -50 0 50 100 150 200 250 300 350 400 450 500 550 600 650 Multiplications using the new formulas Uses 2008 Doche–Habsieger “tree search” and some new improvements: e.g., account for costs of ADD, DBL, TPL.

  47. Summary: Twisted Hessian curves solidly beat Weierstrass. Chuengsatiansup talk tomorrow: even better double-base chains from shortest paths in DAG— and also new Edwards speeds!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Twisted Hessian curves 1986 ChudnovskyChudnovsky, Sequences of numbers

Twisted Hessian curves 1986 ChudnovskyChudnovsky, Sequences of numbers

Twisted Hessian curves 1986 ChudnovskyChudnovsky, Sequences of numbers cr.yp.to/papers.html#hessian generated by addition Daniel J. Bernstein in formal groups University of Illinois at Chicago & and new primality Technische

1.65k views • 133 slides
Structure of the Hessian Graham C. Goodwin September 2004 Centre for Complex Dynamic Systems

Structure of the Hessian Graham C. Goodwin September 2004 Centre for Complex Dynamic Systems

Structure of the Hessian Graham C. Goodwin September 2004 Centre for Complex Dynamic Systems and Control 1. Introduction We saw in earlier lectures that a core ingredient in quadratic constrained optimisation problems is the Hessian matrix H .

628 views • 42 slides
HESSIAN vs OFFSET method PDF4LHC F b PDF4LHC February 2008 2008 A M Cooper-Sarkar Comparisons

HESSIAN vs OFFSET method PDF4LHC F b PDF4LHC February 2008 2008 A M Cooper-Sarkar Comparisons

HESSIAN vs OFFSET method PDF4LHC F b PDF4LHC February 2008 2008 A M Cooper-Sarkar Comparisons on using the SAME NLOQCD fit analysis in a global fit in a global fit In a fit to just ZEUS data Model dependence in Hessian and Offset

298 views • 17 slides
An Investigation into Neural Net Optimization via Hessian Eigenvalue Density Behrooz Ghorbani

An Investigation into Neural Net Optimization via Hessian Eigenvalue Density Behrooz Ghorbani

An Investigation into Neural Net Optimization via Hessian Eigenvalue Density Behrooz Ghorbani Department of Electrical Engineering Stanford University (Joint Work with Shankar Krishnan & Ying Xiao from Google Research) June 2019 Behrooz

782 views • 59 slides
c cientific The Hessian Module omputing Current status and future perspectives

c cientific The Hessian Module omputing Current status and future perspectives

c cientific The Hessian Module omputing Current status and future perspectives Reference: J. Abate, C. Bischof, A. Carle, L. Roh: Algorithms and Design for a Second- Order Automatic Differentiation Module Int. Symposium on Symbolic

453 views • 24 slides
Partial-Hessian Strategies for Fast Learning of Nonlinear Embeddings Max Vladymyrov and Miguel

Partial-Hessian Strategies for Fast Learning of Nonlinear Embeddings Max Vladymyrov and Miguel

Partial-Hessian Strategies for Fast Learning of Nonlinear Embeddings Max Vladymyrov and Miguel A. Carreira-Perpi n an Electrical Engineering and Computer Science University of California, Merced https://eecs.ucmerced.edu June 29, 2012

302 views • 18 slides
Partial-Hessian Strategies for Fast Learning of Nonlinear Embeddings Max Vladymyrov and Miguel

Partial-Hessian Strategies for Fast Learning of Nonlinear Embeddings Max Vladymyrov and Miguel

Partial-Hessian Strategies for Fast Learning of Nonlinear Embeddings Max Vladymyrov and Miguel A. Carreira-Perpi n an Electrical Engineering and Computer Science University of California, Merced https://eecs.ucmerced.edu August 30,

177 views • 17 slides
Hessian Aided Policy Gradient Z. Shen 1 , A. Ribeiro 2 , H. Hassani 2 , H. Qian 1 , C. Mi 1 1

Hessian Aided Policy Gradient Z. Shen 1 , A. Ribeiro 2 , H. Hassani 2 , H. Qian 1 , C. Mi 1 1

Motivation Our Results/Contribution Summary Hessian Aided Policy Gradient Z. Shen 1 , A. Ribeiro 2 , H. Hassani 2 , H. Qian 1 , C. Mi 1 1 Department of Computer Science and Technology Zhejiang University 2 Department of Electrical and Systems

607 views • 15 slides
A Hybrid Variational-Ensemble Data Assimilation Method with an Implicit Optimal Hessian

A Hybrid Variational-Ensemble Data Assimilation Method with an Implicit Optimal Hessian

The Sixth WMO Symposium on Data Assimilation College Park, MD, 7-11 October 2013 A Hybrid Variational-Ensemble Data Assimilation Method with an Implicit Optimal Hessian Preconditioning Milija Zupanski Cooperative Institute for Research in the

348 views • 12 slides
Reduced-Hessian Methods for Constrained Optimization Philip E. Gill University of California,

Reduced-Hessian Methods for Constrained Optimization Philip E. Gill University of California,

Reduced-Hessian Methods for Constrained Optimization Philip E. Gill University of California, San Diego Joint work with: Michael Ferry & Elizabeth Wong 11th US & Mexico Workshop on Optimization and its Applications Huatulco, Mexico,

1.07k views • 73 slides
Games for eigenvalues of the Hessian and concave/convex envelopes. Julio D. Rossi (joint work

Games for eigenvalues of the Hessian and concave/convex envelopes. Julio D. Rossi (joint work

Games for eigenvalues of the Hessian and concave/convex envelopes. Julio D. Rossi (joint work with Pablo Blanc) U. Buenos Aires (Argentina) jrossi@dm.uba.ar www.dm.uba.ar/ jrossi U. Carlos III, Madrid, Spain, 2018 beamer-tu-logo

468 views • 24 slides
Koszul/Souriau Fisher Metric Spaces & Optimization by Maximum Entropy: Hessian Information

Koszul/Souriau Fisher Metric Spaces & Optimization by Maximum Entropy: Hessian Information

Koszul/Souriau Fisher Metric Spaces & Optimization by Maximum Entropy: Hessian Information Geometry, Lie Group Thermodynamics & Poincar'Marle'Souriau Equation Frdric

1.18k views • 83 slides
Hessian-based sampling in high dimensions for goal-oriented model order reduction Peng Chen Omar

Hessian-based sampling in high dimensions for goal-oriented model order reduction Peng Chen Omar

Hessian-based sampling in high dimensions for goal-oriented model order reduction Peng Chen Omar Ghattas Center for Computational Geosciences and Optimization The Institute for Computational Engineering and Sciences The University of Texas at

795 views • 60 slides
RESILIENCE IN CIVIL SOCIETY: Chris Hessian, RSW Art Fisher ACHIEVING STRUCTURAL CHANGE THROUGH

RESILIENCE IN CIVIL SOCIETY: Chris Hessian, RSW Art Fisher ACHIEVING STRUCTURAL CHANGE THROUGH

RESILIENCE IN CIVIL SOCIETY: Chris Hessian, RSW Art Fisher ACHIEVING STRUCTURAL CHANGE THROUGH SYSTEM, COMMUNITY AND INDIVIDUAL INTERVENTION Family Service of Western NS CANADA NOVA SCOTIA BRIDGEWATER FAMILY SERVICE OF WESTERN NOVA SCOTIA

362 views • 23 slides
EigenDamage: Structured Pruning in the Kronecker-Factored Eigenbasis Chaoqi Wang , Roger Grosse,

EigenDamage: Structured Pruning in the Kronecker-Factored Eigenbasis Chaoqi Wang , Roger Grosse,

Structured Pruning Background: Hessian-Based Pruning Methods Approximating Hessian with K-FAC Fisher EigenDamage: Structured Pruning in the KFE EigenDamage: Structured Pruning in the Kronecker-Factored Eigenbasis Chaoqi Wang , Roger Grosse,

819 views • 22 slides
Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net

Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net

Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net ) Tanja Lange ( tue.nl ) Christiane Peters ( tue.nl ) Thanks to: NSF ITR0716498 IST2002507932 ECRYPT INRIA Lorraine, LORIA Todays

190 views • 15 slides
CIMA Paper P2 Advanced Management Accounting Ian Kusano and Nathi Thela Session Learning Curves

CIMA Paper P2 Advanced Management Accounting Ian Kusano and Nathi Thela Session Learning Curves

CIMA Paper P2 Advanced Management Accounting Ian Kusano and Nathi Thela Session Learning Curves 1 Learning Outcome Lead A1: Evaluate techniques for analysing and managing costs for competitive advantage Component A1d): Apply learning curves

1.28k views • 13 slides
Poverty and Tax Policy: A Lay of the Land Login at: https://results.zoom.us/j/873308801 or dial

Poverty and Tax Policy: A Lay of the Land Login at: https://results.zoom.us/j/873308801 or dial

July 2019 RESULTS U.S. Poverty National Webinar Poverty and Tax Policy: A Lay of the Land Login at: https://results.zoom.us/j/873308801 or dial (929) 436-2866 or (669) 900- 6833, Meeting ID: 873 308 801. 2 Welcome from Joanne Carter Executive

756 views • 43 slides
Comment on McGrattan and Prescott, On efficiently financing retirement Ed Green Penn State

Comment on McGrattan and Prescott, On efficiently financing retirement Ed Green Penn State

Comment on McGrattan and Prescott, On efficiently financing retirement Ed Green Penn State University Conference in honor of Gary Stern Federal Reserve Bank of Minneapolis April 23, 2010 Apology Im a consumernot a doerof RBC

501 views • 11 slides
Portola Valley School District 2018-19 Preliminary Budget June 6, 2018 1 AGENDA Timeline -

Portola Valley School District 2018-19 Preliminary Budget June 6, 2018 1 AGENDA Timeline -

Portola Valley School District 2018-19 Preliminary Budget June 6, 2018 1 AGENDA Timeline - Budget Calendar Estimated Actuals for 2017-18 Proposed Budget for 2018-19 Multi-year Projection assumptions Summary 2

283 views • 7 slides
What is Machine Learning? Definition: A computer program is said to learn from experience

What is Machine Learning? Definition: A computer program is said to learn from experience

What is Machine Learning? Definition: A computer program is said to learn from experience E with respect to some class of tasks T and performance measure P, if its performance at tasks in T, as measured by P, improves with experience E.

611 views • 40 slides
Solar Cell Market Evolution Can we predict the next wave of innovation? Jim Rand 8 May 2014

Solar Cell Market Evolution Can we predict the next wave of innovation? Jim Rand 8 May 2014

Solar Cell Market Evolution Can we predict the next wave of innovation? Jim Rand 8 May 2014 Market Highlights Ramification on Supply Technology Demand Price 1. Look Forward for Growth Potential 2. Look Backward for What Triggered Change

257 views • 13 slides
The Case for Columnar Analysis (a two-part series) Nick Smith, on behalf of the Coffea team

The Case for Columnar Analysis (a two-part series) Nick Smith, on behalf of the Coffea team

FERMILAB-SLIDES-19-007-T The Case for Columnar Analysis (a two-part series) Nick Smith, on behalf of the Coffea team Lindsey Gray, Matteo Cremonisi, Bo Jayatilaka, Oliver Gutsche, Nick Smith, Allison Hall, Kevin Pedro (FNAL); Andrew Melo

190 views • 16 slides
REBUILDING THE MONOLITH WITH COMPOSABLE APPS

REBUILDING THE MONOLITH WITH COMPOSABLE APPS

REBUILDING THE MONOLITH WITH COMPOSABLE APPS https://www.quora.com/Why-are-front-end-developers-so-high-in-demand-at-startups-if-front-end-development-is-relatively-easier-than-other-fields-of-engineering 2013

1.17k views • 87 slides

More recommend