complete addition laws for elliptic curves d j bernstein
play

Complete addition laws for elliptic curves D. J. Bernstein - PDF document

Sep 09, 2023 •505 likes •1.02k views

Complete addition laws for elliptic curves D. J. Bernstein University of Illinois at Chicago Tanja Lange Technische Universiteit Eindhoven Weierstrass coordinates k with 2 Fix a field 6 = 0. a; b 2 k with 4 a 3 + 27 b 2 Fix 6 = 0.

  1. Complete addition laws for elliptic curves D. J. Bernstein University of Illinois at Chicago Tanja Lange Technische Universiteit Eindhoven

  2. Weierstrass coordinates k with 2 Fix a field 6 = 0. a; b 2 k with 4 a 3 + 27 b 2 Fix 6 = 0. Well-known fact: The points of the “elliptic curve” E : y 2 = x 3 + ax + b over k E ( k ). form a commutative group f ( x; y ) 2 k � k : “So the group is y 2 = x 3 + ax + b g ?” f ( x; y ) 2 k � k : Not exactly! It’s y 2 = x 3 + ax + b g [ f1g .

  3. x 1 ; y 1 ) ; ( x 2 ; y 2 ) 2 E ( k ): To add ( x 3 = � 2 � x 1 � x 2 Define y 3 = � ( x 1 � x 3 ) � y 1 and � = ( y 2 � y 1 ) = ( x 2 � x 1 ). where x 3 ; y 3 ) 2 E ( k ). Then ( Geometric interpretation: x 1 ; y 1 ) ; ( x 2 ; y 2 ) ; ( x 3 ; � y 3 ) are ( y 2 = x 3 + ax + b on the curve and on a line; x 3 ; y 3 ) ; ( x 3 ; � y 3 ) are ( on a vertical line. “So that’s the group law? x 1 ; y 1 ) + ( x 2 ; y 2 ) = ( x 3 ; y 3 )?” (

  4. � Not exactly! Definition of x 2 x 1 . assumes that 6 = x 1 ; y 1 ) ; ( x 1 ; y 1 ) 2 E ( k ): To add ( x 3 = � 2 � x 1 � x 2 Define y 3 = � ( x 1 � x 3 ) � y 1 and � = (3 x 2 a ) = 2 y 1 . where 1 + x 3 ; y 3 ) 2 E ( k ). Then ( Geometric interpretation: The curve’s tangent line at x 1 ; y 1 ) passes through ( x 3 ; � y 3 ). ( “So that’s the group law? One special case for doubling?”

  5. Not exactly! More exceptions: y 1 could be 0. e.g., 1 + 1 = 1 ; Six cases overall: 1 + ( x 2 ; y 2 ) = ( x 2 ; y 2 ); x 1 ; y 1 ) + 1 = ( x 1 ; y 1 ); ( x 1 ; y 1 ) + ( x 1 ; � y 1 ) = 1 ; ( y 1 x 1 ; y 1 ) + ( x 1 ; y 1 ) = for 6 = 0, ( x 3 ; y 3 ) with x 3 = � 2 � x 1 � x 2 , ( y 3 = � ( x 1 � x 3 ) � y 1 , � = (3 x 2 a ) = 2 y 1 ; 1 + x 1 x 2 , ( x 1 ; y 1 ) + ( x 2 ; y 2 ) = for 6 = x 3 ; y 3 ) with x 3 = � 2 � x 1 � x 2 , ( y 3 = � ( x 1 � x 3 ) � y 1 , � = ( y 2 � y 1 ) = ( x 2 � x 1 ).

  6. E ( k ) is a commutative group: 1 , and � : Has neutral element �1 = 1 ; � ( x; y ) = ( x; � y ). P + Q = Q + P . Commutativity: Associativity: P + Q ) + R = P + ( Q + R ). ( Straightforward but tedious: use a computer-algebra system to check each possible case. P + Q case Or relate each to “ideal-class product.” Many other proofs, but can’t escape case analysis.

  7. Projective coordinates Can eliminate some exceptions. Define ( X : Y : Z ), for X ; Y ; Z ) 2 k � k � k � f (0 ; 0 ; 0) g , ( f ( r X ; r Y ; r Z ) : r 2 k � f 0 g g . as Could split into cases: X : Y : Z ) = ( X = Z : Y = Z : 1) if Z ( 6 = 0; X : Y : 0) = ( X = Y : 1 : 0) if Y ( 6 = 0; X : 0 : 0) = (1 : 0 : 0). ( But scaling unifies all cases.

  8. k ) = f ( X : Y : Z ) g . Write P 2 ( E ( k ) = Revised definition: f ( X : Y : Z ) 2 P 2 ( k ) : Y 2 Z = X 3 + aX Z 2 + bZ 3 g . Could split into cases: X : Y : Z ) 2 E ( k ) and Z If ( 6 = 0: X : Y : Z ) = ( x : y : 1) ( x = X = Z , y = Y = Z . where y 2 = x 3 + ax + b . Note that x; y ). Corresponds to previous ( X : Y : Z ) 2 E ( k ) and Z = 0: If ( X 3 = 0 so X = 0 so Y 6 = 0 so ( X : Y : Z ) = (0 : 1 : 0). 1 . Corresponds to previous

  9. X 1 : Y 1 : Z 1 ) + ( X 2 : Y 2 : Z 2 ) ( X 3 : Y 3 : Z 3 ) where = ( U = Y 2 Z 1 � Y 1 Z 2 , V = X 2 Z 1 � X 1 Z 2 , W = U 2 Z 1 Z 2 � V 3 � 2 V 2 X 1 Z 2 , X 3 = V W , Y 3 = U ( V 2 X 1 Z 2 � W ) � V 3 Y 1 Z 2 , Z 3 = V 3 Z 1 Z 2 . “Aha! No more divisions by 0.” Compare to previous formulas: x 3 = � 2 � x 1 � x 2 y 3 = � ( x 1 � x 3 ) � y 1 and � = ( y 2 � y 1 ) = ( x 2 � x 1 ). where

  10. Oops, still have exceptions! Formulas give bogus X 3 ; Y 3 ; Z 3 ) = (0 ; 0 ; 0) ( X 1 : Y 1 : Z 1 ) = (0 : 1 : 0). if ( Same problem for doubling. Formulas produce (0 : 1 : 0) for X 1 : Y 1 : Z 1 ) + ( X 1 : � Y 1 : Z 1 ) ( Y 1 Z 1 if 6 = 0 and 6 = 0 Y 1 = 0. but not if To define complete group law, use six cases as before.

  11. Jacobian coordinates “Weighted projective coordinates using weights 2 ; 3 ; 1”: Redefine ( X : Y : Z ) as � � r 2 X ; r 3 Y ; r Z ) : r 2 k � f 0 g ( . E ( k ) Redefine Y 2 = X 3 + aX Z 4 + bZ 6 . using Could again split into cases X : Y : Z ) 2 E ( k ): for ( Z X : Y : Z ) = if 6 = 0 then ( X = Z 2 : Y = Z 3 : 1); if Z = 0 ( X : Y : Z ) = (1 : 1 : 0). then (

  12. X 1 : Y 1 : Z 1 ) + ( X 2 : Y 2 : Z 2 ) ( X 3 : Y 3 : Z 3 ) where = ( U 1 = X 1 Z 2 U 2 = X 2 Z 2 2 , 1 , S 1 = Y 1 Z 3 S 2 = Y 2 Z 3 2 , 1 , H = U 2 � U 1 , J = S 2 � S 1 , X 3 = � H 3 � 2 U 1 H 2 + J 2 , Y 3 = � S 1 H 3 + J ( U 1 H 2 � X 3 ), Z 3 = Z 1 Z 2 H . Streamlined algorithm uses 12 M + 4 S , where k and S is squaring in k . M is general multiplication in (1986 Chudnovsky–Chudnovsky) 11 M + 5 S . (2001 Bernstein)

  13. Still need all six cases. Why use Jacobian coordinates? Answer: Only 3 M + 5 S for Jacobian-coordinate doubling a = � 3 (e.g. NIST curves). if Y 1 Formulas: If 6 = 0 then X 1 : Y 1 : Z 1 ) + ( X 1 : Y 1 : Z 1 ) ( X 3 ; Y 3 ; Z 3 ) where = ( T = Z 2 U = Y 2 V = X 1 U , 1 , 1 , W = 3( X 1 � T )( X 1 + T ), X 3 = W 2 � 8 V , Z 3 = ( Y 1 + Z 1 ) 2 � U � T , Y 3 = W (4 V � X 3 ) � 8 U 2 .

  14. Unified addition laws Do addition laws have to fail for doublings? Not necessarily! Example: “Jacobi intersection” s 2 + 2 = 1, as 2 + d 2 = 1 has 17 M addition formula that works for doublings. (1986 Chudnovsky–Chudnovsky) 16 M . (2001 Liardet–Smart) Many more “unified formulas.” But always find exceptions: points not added by formulas.

  15. “Is this Jacobi intersection y 2 = x 3 + � � � ?” related to s 2 + 2 = 1, as 2 + d 2 = 1 Yes: is birationally equivalent to y 2 = x 3 + (2 � a ) x 2 + (1 � a ) x . s; ; d ) 7! ( x; y ): ( x = ( d � 1)(1 � a ) = ( a � d +1 � a ); y = s (1 � a ) a= ( a � d + 1 � a ). x; y ) 7! ( s; ; d ): ( s = � 2 y = (( y 2 =x 2 + a ) x ); = 1 � 2 = ( y 2 =x 2 + a ) � � a ) = (( y 2 =x 2 + a ) x ); 2(1 d = 1 � 2 a= ( y 2 =x 2 + a ).

  16. Do we need 6 cases? No! E ( k ) � E ( k ) Can cover using 3 addition laws. (1985 H. Lange–Ruppert) How about just one law E ( k ) � E ( k )? that covers One complete addition law? Bad news: “Theorem 1. The smallest cardinality of a complete system of addition laws E equals two.” on (1995 Bosma–H. Lenstra)

  17. Edwards curves 2007 Edwards: Every elliptic curve over Q is birationally equivalent to x 2 + y 2 = 2 (1 + x 2 y 2 ) 2 Q � f 0 ; � 1 ; � i g . for some x 2 + y 2 = 2 (1 + x 2 y 2 ) has neutral element (0 ; ), addition x 1 ; y 1 ) + ( x 2 ; y 2 ) = ( x 3 ; y 3 ) with ( x 1 y 2 + y 1 x 2 x 3 = (1 + x 1 x 2 y 1 y 2 ), y 1 y 2 � x 1 x 2 y 3 = (1 � x 1 x 2 y 1 y 2 ).

  18. 2007 Bernstein–Lange: k , Over a non-binary finite field x 2 + y 2 = 2 (1 + dx 2 y 2 ) covers more elliptic curves. � with ; d 2 k d 4 Here 6 = 1. x 1 y 2 + y 1 x 2 x 3 = (1 + dx 1 x 2 y 1 y 2 ), y 1 y 2 � x 1 x 2 y 3 = (1 � dx 1 x 2 y 1 y 2 ). = 1. Then Can always take 10 M + 1 S + 1 D for addition, 3 M + 4 S for doubling. Latest news, comparisons: hyperelliptic.org/EFD

  19. Completeness 2007 Bernstein–Lange: d is not a square in k then If f ( x; y ) 2 k � k : x 2 + y 2 = 2 (1 + dx 2 y 2 ) g is a commutative group under this addition law. The denominators (1 + dx 1 x 2 y 1 y 2 ), (1 � dx 1 x 2 y 1 y 2 ) are never zero. No exceptional cases!

  20. Recall Bosma–Lenstra theorem: “The smallest cardinality of a complete system of addition laws E equals two.” on

  21. Recall Bosma–Lenstra theorem: “The smallest cardinality of a complete system of addition laws E equals two.” : : : meaning: on Any addition formula E for a Weierstrass curve in projective coordinates must have exceptional cases E ( k ) � E ( k ), where in k = algebraic closure of k .

  22. Recall Bosma–Lenstra theorem: “The smallest cardinality of a complete system of addition laws E equals two.” : : : meaning: on Any addition formula E for a Weierstrass curve in projective coordinates must have exceptional cases E ( k ) � E ( k ), where in k = algebraic closure of k . Edwards addition formula has E ( k ) exceptional cases for : : : but not for E ( k ). E ( k ). We do computations in

  23. Cryptographic impact Advantages for cryptography of choosing Edwards curves: Very high speed. Completeness eases implementations, avoids simple side-channel attacks.

  24. Cryptographic impact Advantages for cryptography of choosing Edwards curves: Very high speed. Completeness eases implementations, avoids simple side-channel attacks. Oops, hardware people want binary fields! 2008 B.–L.–Rezaeian Farashahi: binary analogue to Edwards curves; complete, very fast.

  25. Still one reason for complaint. Edwards curves always have point of order 4. Standard NIST curves were chosen to have prime order.

  26. Still one reason for complaint. Edwards curves always have point of order 4. Standard NIST curves were chosen to have prime order. NIST curves can’t take advantage of Edwards speed and don’t have complete addition formulas.

  27. Still one reason for complaint. Edwards curves always have point of order 4. Standard NIST curves were chosen to have prime order. NIST curves can’t take advantage of Edwards speed and don’t have complete addition formulas. 2009 Bernstein–Lange, this talk: Have a complete addition law for all of these curves.

Recommend

Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of

Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of

Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Joint work with: Tanja Lange Technische Universiteit Eindhoven Memories of graduate school Early 1990s,

768 views • 40 slides
Addition laws on elliptic curves D. J. Bernstein University of Illinois at Chicago Joint work

Addition laws on elliptic curves D. J. Bernstein University of Illinois at Chicago Joint work

Addition laws on elliptic curves D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven 2007.01.10, 09:00 (yikes!), Leiden University, part of Mathematics: Algorithms and

983 views • 63 slides
Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla Batina 1 1 Radboud University, Digital Security, Nijmegen, The Netherlands j.renes,lejla@cs.ru.nl 2 Microsoft Research, Redmond, USA

481 views • 27 slides
Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla

Complete addition formulas for prime order elliptic curves Joost Renes 1 Craig Costello 2 Lejla Batina 1 j.renes@cs.ru.nl 1 Radboud University, Nijmegen, The Netherlands 2 Microsoft Research, Redmond, USA 16 February 2016 16 February 2016 1 /

642 views • 62 slides
Efficient arithmetic on elliptic curves in large characteristic D. J. Bernstein University of

Efficient arithmetic on elliptic curves in large characteristic D. J. Bernstein University of

Efficient arithmetic on elliptic curves in large characteristic D. J. Bernstein University of Illinois at Chicago Fix a field and an elliptic curve. e.g. NIST P-224: the elliptic curve a 6 over Z =p . y 2 = x 3 3 x + p = 2 224 2 96 + 1

417 views • 23 slides
Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at Chicago (Joint work with Tanja Lange) Cohen Schoof ECPC Lenstra ECM Miller Bosma Koblitz Goldwasser/Kilian ECC

294 views • 27 slides
Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking

Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking

Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking ECC2K-130, joint work by many authors: ECDL attack in progress against Koblitz curve over F 2 131 using many CPUs, GPUs, FPGAs. Vertically

288 views • 17 slides
New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein and Tanja Lange Difference between security of: Elliptic-Curve Cryptography (ECC) Elliptic-Curve Discrete-Logarithm Problem (ECDLP)

384 views • 6 slides
ELLIPTIC CURVES By Jessica and Sushi WHAT ARE ELLIPTIC CURVES?! ADDING POINTS! Adding points

ELLIPTIC CURVES By Jessica and Sushi WHAT ARE ELLIPTIC CURVES?! ADDING POINTS! Adding points

ELLIPTIC CURVES By Jessica and Sushi WHAT ARE ELLIPTIC CURVES?! ADDING POINTS! Adding points is not the same addition as 1+1=2. The addition of points is the production of a third point using two already known points Properties of

503 views • 22 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985) Schoof: Algorithm to count points on elliptic curves over finite fields. Input: prime power q ; F q such that 6(4

784 views • 47 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
Verifiably random secure curves Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup

Verifiably random secure curves Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup

Verifiably random secure curves Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup Andreas H ulsing Tanja Lange Ruben Niederhagen Christine van Vredendaal May 13, 2014 NSA/NIST FUD The NIST elliptic curves are behind the state of

433 views • 26 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
SafeCurves: Cryptography choosing safe curves for Public-key signatures: elliptic-curve

SafeCurves: Cryptography choosing safe curves for Public-key signatures: elliptic-curve

SafeCurves: Cryptography choosing safe curves for Public-key signatures: elliptic-curve cryptography e.g., RSA, DSA, ECDSA. Daniel J. Bernstein Some uses: signed OS updates, University of Illinois at Chicago & SSL certificates,

1.85k views • 165 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School before ECC September 2006 Elliptic curves An elliptic curve E over a field K is given by a Weierstra equation Y 2 + h ( X ) Y = f ( X ) with h, f

416 views • 13 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick joint work with Nuno Freitas (Warwick) AGC 2 T Luminy, 10 June 2019 Overview 1. Elliptic curves, mod p Galois representations, Weil pairing. 2.

954 views • 70 slides

More recommend