binary edwards curves
play

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University - PowerPoint PPT Presentation

Dec 17, 2023 •232 likes •571 views

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 09.05.2008 joint work with Reza Rezaeian Farashahi, Eindhoven

  1. Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 09.05.2008 joint work with Reza Rezaeian Farashahi, Eindhoven cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 1

  2. Harold M. Edwards Edwards generalized single example x 2 + y 2 = 1 − x 2 y 2 by Euler/Gauss to whole class of curves. Shows that – after some field extensions – every elliptic curve over field k of odd characteristic is birationally equivalent to a curve of the form x 2 + y 2 = a 2 (1 + x 2 y 2 ) , a 5 � = a Edwards gives addition law for this generalized form, shows equivalence with Weierstrass form, proves addition law, gives theta parameterization . . . in his paper Bulletin of the AMS, 44 , 393–422, 2007 cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 2

  3. � � How to add on an Edwards curve y Let k be a field with 2 � = 0 . Let d ∈ k with d � = 0 , 1 . Edwards curve: { ( x, y ) ∈ k × k | x 2 + y 2 = 1 + dx 2 y 2 } Generalization covers more curves over k . Associative operation on points x ( x 1 , y 1 ) + ( x 2 , y 2 ) = ( x 3 , y 3 ) defined by Edwards addition law x 1 y 2 + y 1 x 2 y 1 y 2 − x 1 x 2 x 3 = and y 3 = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 3

  4. � � How to add on an Edwards curve y Let k be a field with 2 � = 0 . Let d ∈ k with d � = 0 , 1 . Edwards curve: { ( x, y ) ∈ k × k | x 2 + y 2 = 1 + dx 2 y 2 } Generalization covers more curves over k . Associative operation on points x ( x 1 , y 1 ) + ( x 2 , y 2 ) = ( x 3 , y 3 ) defined by Edwards addition law x 1 y 2 + y 1 x 2 y 1 y 2 − x 1 x 2 x 3 = and y 3 = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 Neutral element is cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 3

  5. � � How to add on an Edwards curve y Let k be a field with 2 � = 0 . Let d ∈ k with d � = 0 , 1 . Edwards curve: { ( x, y ) ∈ k × k | x 2 + y 2 = 1 + dx 2 y 2 } Generalization covers more curves over k . Associative operation on points x ( x 1 , y 1 ) + ( x 2 , y 2 ) = ( x 3 , y 3 ) defined by Edwards addition law x 1 y 2 + y 1 x 2 y 1 y 2 − x 1 x 2 x 3 = and y 3 = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 Neutral element is (0 , 1) . cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 3

  6. � � How to add on an Edwards curve y Let k be a field with 2 � = 0 . Let d ∈ k with d � = 0 , 1 . Edwards curve: { ( x, y ) ∈ k × k | x 2 + y 2 = 1 + dx 2 y 2 } Generalization covers more curves over k . Associative operation on points x ( x 1 , y 1 ) + ( x 2 , y 2 ) = ( x 3 , y 3 ) defined by Edwards addition law x 1 y 2 + y 1 x 2 y 1 y 2 − x 1 x 2 x 3 = and y 3 = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 Neutral element is (0 , 1) . − ( x 1 , y 1 ) = cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 3

  7. � � How to add on an Edwards curve y Let k be a field with 2 � = 0 . Let d ∈ k with d � = 0 , 1 . Edwards curve: { ( x, y ) ∈ k × k | x 2 + y 2 = 1 + dx 2 y 2 } Generalization covers more curves over k . Associative operation on points x ( x 1 , y 1 ) + ( x 2 , y 2 ) = ( x 3 , y 3 ) defined by Edwards addition law x 1 y 2 + y 1 x 2 y 1 y 2 − x 1 x 2 x 3 = and y 3 = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 Neutral element is (0 , 1) . − ( x 1 , y 1 ) =( − x 1 , y 1 ) . cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 3

  8. � � How to add on an Edwards curve y Let k be a field with 2 � = 0 . Let d ∈ k with d � = 0 , 1 . Edwards curve: { ( x, y ) ∈ k × k | x 2 + y 2 = 1 + dx 2 y 2 } Generalization covers more curves over k . Associative operation on points x ( x 1 , y 1 ) + ( x 2 , y 2 ) = ( x 3 , y 3 ) defined by Edwards addition law x 1 y 2 + y 1 x 2 y 1 y 2 − x 1 x 2 x 3 = and y 3 = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 Neutral element is (0 , 1) . − ( x 1 , y 1 ) =( − x 1 , y 1 ) . (0 , − 1) has order 2 ; (1 , 0) and ( − 1 , 0) have order 4 . cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 3

  9. Relationship to elliptic curves Every elliptic curve with point of order 4 is birationally equivalent to an Edwards curve. Let P 4 = ( u 4 , v 4 ) have order 4 and shift u s.t. 2 P 4 = (0 , 0) . Then Weierstrass form: v 2 = u 3 + ( v 2 4 − 2 u 4 ) u 2 + u 2 4 /u 2 4 u. Define d = 1 − (4 u 3 4 /v 2 4 ) . The coordinates x = v 4 u/ ( u 4 v ) , y = ( u − u 4 ) / ( u + u 4 ) satisfy x 2 + y 2 = 1 + dx 2 y 2 . Inverse map u = u 4 (1 + y ) / (1 − y ) , v = v 4 u/ ( u 4 x ) . Finitely many exceptional points. Exceptional points have v ( u + u 4 ) = 0 . Addition on Edwards and Weierstrass corresponds. cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 4

  10. Nice features of the addition law Neutral element of addition law is affine point, this avoids special routines (for (0 , 1) one of the inputs or the result). Addition law is symmetric in both inputs. � x 1 y 2 + y 1 x 2 � , y 1 y 2 − x 1 x 2 P + Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 5

  11. Nice features of the addition law Neutral element of addition law is affine point, this avoids special routines (for (0 , 1) one of the inputs or the result). Addition law is symmetric in both inputs. � x 1 y 2 + y 1 x 2 � , y 1 y 2 − x 1 x 2 P + Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 � x 1 y 1 + y 1 x 1 � , y 1 y 1 − x 1 x 1 [2] P = . 1 + dx 1 x 1 y 1 y 1 1 − dx 1 x 1 y 1 y 1 cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 5

  12. Nice features of the addition law Neutral element of addition law is affine point, this avoids special routines (for (0 , 1) one of the inputs or the result). Addition law is symmetric in both inputs. � x 1 y 2 + y 1 x 2 � , y 1 y 2 − x 1 x 2 P + Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 � x 1 y 1 + y 1 x 1 � , y 1 y 1 − x 1 x 1 [2] P = . 1 + dx 1 x 1 y 1 y 1 1 − dx 1 x 1 y 1 y 1 No reason that the denominators should be 0 . Addition law produces correct result also for doubling. cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 5

  13. Nice features of the addition law Neutral element of addition law is affine point, this avoids special routines (for (0 , 1) one of the inputs or the result). Addition law is symmetric in both inputs. � x 1 y 2 + y 1 x 2 � , y 1 y 2 − x 1 x 2 P + Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 � x 1 y 1 + y 1 x 1 � , y 1 y 1 − x 1 x 1 [2] P = . 1 + dx 1 x 1 y 1 y 1 1 − dx 1 x 1 y 1 y 1 No reason that the denominators should be 0 . Addition law produces correct result also for doubling. Unified group operations! cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 5

  14. Nice features of the addition law Neutral element of addition law is affine point, this avoids special routines (for (0 , 1) one of the inputs or the result). Addition law is symmetric in both inputs. � x 1 y 2 + y 1 x 2 � , y 1 y 2 − x 1 x 2 P + Q = . 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 � x 1 y 1 + y 1 x 1 � , y 1 y 1 − x 1 x 1 [2] P = . 1 + dx 1 x 1 y 1 y 1 1 − dx 1 x 1 y 1 y 1 No reason that the denominators should be 0 . Addition law produces correct result also for doubling. Unified group operations! Having addition law work for doubling removes some checks from the code. cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 5

  15. Complete addition law If d is not a square in k , then there are no points at infinity on the blow-up of the curve. If d is not a square, the only exceptional points of the birational equivalence are P ∞ corresponding to (0 , 1) and (0 , 0) corresponding to (0 , − 1) . If d is not a square the denominators 1 + dx 1 x 2 y 1 y 2 and 1 − dx 1 x 2 y 1 y 2 are never 0 ; addition law is complete. Edwards addition law allows omitting all checks Neutral element is affine point on curve. Addition works to add P and P . Addition works to add P and − P . Addition just works to add P and any Q . Only complete addition law in the literature. cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 6

  16. Fast addition law Very fast point addition 10M + 1S + 1D. (Even faster with Inverted Edwards coordinates.) Dedicated doubling formulas need only 3M + 4S. Fastest scalar multiplication in the literature. For comparison: IEEE standard P1363 provides “the fastest arithmetic on elliptic curves” by using Jacobian coordinates on Weierstrass curves. Point addition 12M + 4S. Doubling formulas need only 4M + 4S. For more curve shapes, better algorithms (even for Weierstrass curves) and many more operations (mixed addition, re-addition, tripling, scaling,. . . ) see www.hyperelliptic.org/EFD for the Explicit-Formulas Database. cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 7

  17. Edwards Curves – a new star(fish) is born lecture circuit: Hoboken Turku Warsaw Fort Meade, Maryland Melbourne Ottawa (SAC) Dublin (ECC) Bordeaux Bristol Magdeburg Seoul Malaysia (Asiacrypt) Madras Bangalore (AAECC) . . . cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 8 Madrid

  18. One year passes . . . . . . I feel so odd . . . cr.yp.to/papers.html#edwards2 D. J. Bernstein & T. Lange – p. 9

Recommend

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 12.08.2008 joint work with Reza Rezaeian Farashahi, Eindhoven D. J. Bernstein

428 views • 27 slides
Binary Edwards Curves Reza Rezaeian Farashahi Dept. of Mathematics and Computing Science TU

Binary Edwards Curves Reza Rezaeian Farashahi Dept. of Mathematics and Computing Science TU

Binary Edwards Curves Reza Rezaeian Farashahi Dept. of Mathematics and Computing Science TU Eindhoven joint work with: Dan Bernstein (University of Illinois at Chicago) Tanja Lange (TU Eindhoven) and ECC, Sep 24, 2008 ( Dept. of Mathematics

721 views • 47 slides
Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at Chicago (Joint work with Tanja Lange) Cohen Schoof ECPC Lenstra ECM Miller Bosma Koblitz Goldwasser/Kilian ECC

294 views • 27 slides
Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange Eindhoven University Ruhr-Universitt of Technology Bochum Overview Elliptic Curves Hyperelliptic Curves HEC of Genus 2

473 views • 33 slides
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and Christiane Peters Paper at

1.02k views • 28 slides
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology

Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology The 12th Workshop on Elliptic Curve Cryptography 22 September 2008 Joint work with Daniel J. Bernstein, Tanja Lange and Christiane Peters Paper

650 views • 27 slides
Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux

Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux

Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux Dugardin, Sylvain Guilley, Martin Moreau, Zakaria Najm, Pablo Rauzy PROOFS 2016 - Santa Barbara, CA Introduction Eve Communications Alice Bob Channel

726 views • 60 slides
Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net

Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net

Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net ) Tanja Lange ( tue.nl ) Christiane Peters ( tue.nl ) Thanks to: NSF ITR0716498 IST2002507932 ECRYPT INRIA Lorraine, LORIA Todays

190 views • 15 slides
Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p index calculus Classic F needs to check smoothness < p . of many positive integers Smooth integer: integer > y . with no prime divisors y

475 views • 8 slides
Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Index Calculus Method Small char Finite Fields 9234 bits Impact on Pairings Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in F 2 4 1223 and F 2 12 367 ) Jens Zumbr agel Institute of

367 views • 32 slides
Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org joint work with Daniel J. Bernstein 10.11.2007 http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange p. 1 Do

787 views • 51 slides
Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves C. Negre and J.M. Robert april 8, 2015 1 / 39 Outline Overview of elliptic curve cryptography 1 Implementation of F 2 m arithmetic 2 Elliptic

781 views • 75 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Today Edge detection and matching process the image gradient to find curves/contours

Today Edge detection and matching process the image gradient to find curves/contours

1/25/2017 Edges and Binary Image Analysis Thurs Jan 26 Kristen Grauman UT Austin Today Edge detection and matching process the image gradient to find curves/contours comparing contours Binary image analysis blobs and

976 views • 60 slides
On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

Motivation - Exotic Security Assumptions in Cryptography Main Algorithm and Results Oracle-assisted Static DHP for binary curves On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

1.32k views • 105 slides
Carnarvon DER Trials Update ESCI-KSP Submission @May 2018 David Edwards Blueprints

Carnarvon DER Trials Update ESCI-KSP Submission @May 2018 David Edwards Blueprints

Carnarvon DER Trials Update ESCI-KSP Submission @May 2018 David Edwards Blueprints Long range forecasting for all 38 networks Analysis of ongoing CAPEX, OPEX Overlaid with learning curves on PV, Energy Storage and cost of

765 views • 22 slides
1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

Topics Parametric curves and surfaces Polynomial curves Advanced Modeling 2 Rational curves Katja Bhler, Andrej Varchola, Eduard Tensor product surfaces Grller Triangular surfaces Institute of Computer Graphics and Algorithms Vienna

78 views • 6 slides
Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd

Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd

University of British Columbia CPSC 314 Computer Graphics Jan-Apr 2013 Tamara Munzner Curves http://www.ugrad.cs.ubc.ca/~cs314/Vjan2013 Reading FCG Chap 15 Curves Ch 13 2nd edition 2 Curves 3 Parametric Curves parametric form

615 views • 32 slides
Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves

Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves

Neatening sketched strokes using piecewise French Curves James McCrae, Karan Singh French Curves Physical tools, used to model curves French Curves Smoothly connect pre-determined curve points French Curves French Curves Digital French

845 views • 42 slides
A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica Gilles Dequen MIS Laboratory, University of Picardie Jules Verne AfricaCrypt 2020 Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based

327 views • 19 slides
parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape

parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape

parametric spline curves 1 curves used in many contexts fonts (2D) animation paths (3D) shape modeling (3D) different representation implicit curves parametric curves (mostly used) 2D and 3D curves are mostly the same use vector notation

724 views • 35 slides
Edwards Metropolitan District Highway, Sidewalk and Trail/Path Needs And Funding Sources Edwards

Edwards Metropolitan District Highway, Sidewalk and Trail/Path Needs And Funding Sources Edwards

Edwards Metropolitan District Highway, Sidewalk and Trail/Path Needs And Funding Sources Edwards Metropolitan District is seeking feedback on the need for highway improvements to the Edwards Spur Road (Edwards Village Boulevard between I-70 and

602 views • 14 slides
BEZIER CURVES 1 OUTLINE Introduce types of curves and surfaces Introduce the types of

BEZIER CURVES 1 OUTLINE Introduce types of curves and surfaces Introduce the types of

BEZIER CURVES 1 OUTLINE Introduce types of curves and surfaces Introduce the types of curves Interpolating Hermite Bezier B-spline Quadratic Bezier Curves Cubic Bezier Curves 2 ESCAPING FLATLAND

991 views • 38 slides

More recommend