ECC minicourse Daniel J. Bernstein University of Illinois at - PDF document

� � Addition on the clock: ② neutral = (0 ❀ 1) ✎ P 1 = ( ① 1 ❀ ② 1 ) ✎ ☛ 1 � � � P 2 = ( ① 2 ❀ ② 2 ) ✎ � � � � � � � � � ① � � � � � � � � � ✎ P 3 = ( ① 3 ❀ ② 3 ) ① 2 + ② 2 = 1, parametrized by ① = sin ☛ , ② = cos ☛ . Recall (sin( ☛ 1 + ☛ 2 ) ❀ cos( ☛ 1 + ☛ 2 )) = (sin ☛ 1 cos ☛ 2 + cos ☛ 1 sin ☛ 2 ❀

� � Addition on the clock: ② neutral = (0 ❀ 1) ✎ P 1 = ( ① 1 ❀ ② 1 ) ✎ ☛ 1 � � � P 2 = ( ① 2 ❀ ② 2 ) ✎ � � � � � � � � � ① � � � � � � � � � ✎ P 3 = ( ① 3 ❀ ② 3 ) ① 2 + ② 2 = 1, parametrized by ① = sin ☛ , ② = cos ☛ . Recall (sin( ☛ 1 + ☛ 2 ) ❀ cos( ☛ 1 + ☛ 2 )) = (sin ☛ 1 cos ☛ 2 + cos ☛ 1 sin ☛ 2 ❀ cos ☛ 1 cos ☛ 2 � sin ☛ 1 sin ☛ 2 ).

Adding two points corresponds to adding the angles ☛ 1 and ☛ 2 . Angles modulo 360 ✍ are a group, so points on clock are a group. Neutral element: angle ☛ = 0; point (0 ❀ 1); “12:00”. The point with ☛ = 180 ✍ has order 2 and equals 6:00. 3:00 and 9:00 have order 4. Inverse of point with ☛ is point with � ☛ since ☛ + ( � ☛ ) = 0. There are many more points where angle ☛ is not “nice.”

� � Clock addition without sin, cos: ② neutral = (0 ❀ 1) ✎ P 1 = ( ① 1 ❀ ② 1 ) ✎ � � � P 2 = ( ① 2 ❀ ② 2 ) � ✎ � � � � � � � � ① � � � � � � � � � ✎ P 3 = ( ① 3 ❀ ② 3 ) Use Cartesian coordinates for addition. Addition formula for the clock ① 2 + ② 2 = 1: sum of ( ① 1 ❀ ② 1 ) and ( ① 2 ❀ ② 2 ) is ( ① 1 ② 2 + ② 1 ① 2 ❀ ② 1 ② 2 � ① 1 ① 2 ).

Examples of clock addition: “2:00” + “5:00” ♣ ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) + (1 ❂ 2 ❀ � 3 ❂ 4) ♣ = ( � 1 ❂ 2 ❀ � 3 ❂ 4) = “7:00”. “5:00” + “9:00” ♣ = (1 ❂ 2 ❀ � 3 ❂ 4) + ( � 1 ❀ 0) ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) = “2:00”. ✒ 3 ✓ ✒ 24 ✓ 5 ❀ 4 25 ❀ 7 2 = . 5 25

Examples of clock addition: “2:00” + “5:00” ♣ ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) + (1 ❂ 2 ❀ � 3 ❂ 4) ♣ = ( � 1 ❂ 2 ❀ � 3 ❂ 4) = “7:00”. “5:00” + “9:00” ♣ = (1 ❂ 2 ❀ � 3 ❂ 4) + ( � 1 ❀ 0) ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) = “2:00”. ✒ 3 ✓ ✒ 24 ✓ 5 ❀ 4 25 ❀ 7 2 = . 5 25 ✒ 3 ✓ ✒ 117 ✓ 5 ❀ 4 125 ❀ � 44 3 = . 5 125

Examples of clock addition: “2:00” + “5:00” ♣ ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) + (1 ❂ 2 ❀ � 3 ❂ 4) ♣ = ( � 1 ❂ 2 ❀ � 3 ❂ 4) = “7:00”. “5:00” + “9:00” ♣ = (1 ❂ 2 ❀ � 3 ❂ 4) + ( � 1 ❀ 0) ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) = “2:00”. ✒ 3 ✓ ✒ 24 ✓ 5 ❀ 4 25 ❀ 7 2 = . 5 25 ✒ 3 ✓ ✒ 117 ✓ 5 ❀ 4 125 ❀ � 44 3 = . 5 125 ✒ 3 ✓ ✒ 336 ✓ 5 ❀ 4 625 ❀ � 527 4 = . 5 625

Examples of clock addition: “2:00” + “5:00” ♣ ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) + (1 ❂ 2 ❀ � 3 ❂ 4) ♣ = ( � 1 ❂ 2 ❀ � 3 ❂ 4) = “7:00”. “5:00” + “9:00” ♣ = (1 ❂ 2 ❀ � 3 ❂ 4) + ( � 1 ❀ 0) ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) = “2:00”. ✒ 3 ✓ ✒ 24 ✓ 5 ❀ 4 25 ❀ 7 2 = . 5 25 ✒ 3 ✓ ✒ 117 ✓ 5 ❀ 4 125 ❀ � 44 3 = . 5 125 ✒ 3 ✓ ✒ 336 ✓ 5 ❀ 4 625 ❀ � 527 4 = . 5 625 ( ① 1 ❀ ② 1 ) + (0 ❀ 1) =

Examples of clock addition: “2:00” + “5:00” ♣ ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) + (1 ❂ 2 ❀ � 3 ❂ 4) ♣ = ( � 1 ❂ 2 ❀ � 3 ❂ 4) = “7:00”. “5:00” + “9:00” ♣ = (1 ❂ 2 ❀ � 3 ❂ 4) + ( � 1 ❀ 0) ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) = “2:00”. ✒ 3 ✓ ✒ 24 ✓ 5 ❀ 4 25 ❀ 7 2 = . 5 25 ✒ 3 ✓ ✒ 117 ✓ 5 ❀ 4 125 ❀ � 44 3 = . 5 125 ✒ 3 ✓ ✒ 336 ✓ 5 ❀ 4 625 ❀ � 527 4 = . 5 625 ( ① 1 ❀ ② 1 ) + (0 ❀ 1) = ( ① 1 ❀ ② 1 ).

Examples of clock addition: “2:00” + “5:00” ♣ ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) + (1 ❂ 2 ❀ � 3 ❂ 4) ♣ = ( � 1 ❂ 2 ❀ � 3 ❂ 4) = “7:00”. “5:00” + “9:00” ♣ = (1 ❂ 2 ❀ � 3 ❂ 4) + ( � 1 ❀ 0) ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) = “2:00”. ✒ 3 ✓ ✒ 24 ✓ 5 ❀ 4 25 ❀ 7 2 = . 5 25 ✒ 3 ✓ ✒ 117 ✓ 5 ❀ 4 125 ❀ � 44 3 = . 5 125 ✒ 3 ✓ ✒ 336 ✓ 5 ❀ 4 625 ❀ � 527 4 = . 5 625 ( ① 1 ❀ ② 1 ) + (0 ❀ 1) = ( ① 1 ❀ ② 1 ). ( ① 1 ❀ ② 1 ) + ( � ① 1 ❀ ② 1 ) =

Examples of clock addition: “2:00” + “5:00” ♣ ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) + (1 ❂ 2 ❀ � 3 ❂ 4) ♣ = ( � 1 ❂ 2 ❀ � 3 ❂ 4) = “7:00”. “5:00” + “9:00” ♣ = (1 ❂ 2 ❀ � 3 ❂ 4) + ( � 1 ❀ 0) ♣ = ( 3 ❂ 4 ❀ 1 ❂ 2) = “2:00”. ✒ 3 ✓ ✒ 24 ✓ 5 ❀ 4 25 ❀ 7 2 = . 5 25 ✒ 3 ✓ ✒ 117 ✓ 5 ❀ 4 125 ❀ � 44 3 = . 5 125 ✒ 3 ✓ ✒ 336 ✓ 5 ❀ 4 625 ❀ � 527 4 = . 5 625 ( ① 1 ❀ ② 1 ) + (0 ❀ 1) = ( ① 1 ❀ ② 1 ). ( ① 1 ❀ ② 1 ) + ( � ① 1 ❀ ② 1 ) = (0 ❀ 1).

Problems The coordinates show a clear growth; e.g. 625 = 5 4 clearly shows the scalar 4. Solution: Use modular reduction as in Diffie-Hellman example.

Clocks over finite fields ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✎ ✁ ✁ ✁ ✁ ✎ ✁ ✁ ✁ ✁ ✁ ✎ ✁ ✁ ✁ ✁ ✁ ✁ ✎ ✁ ✁ ✎ ✁ ✁ ✁ ✁ ✁ ✁ ✎ ✁ ✁ ✁ ✁ ✁ ✎ ✁ ✁ ✁ ✁ ✎ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ Clock( F 7 ) = ( ①❀ ② ) ✷ F 7 ✂ F 7 : ① 2 + ② 2 = 1 ✟ ✠ . Here F 7 = ❢ 0 ❀ 1 ❀ 2 ❀ 3 ❀ 4 ❀ 5 ❀ 6 ❣ = ❢ 0 ❀ 1 ❀ 2 ❀ 3 ❀ � 3 ❀ � 2 ❀ � 1 ❣ with + ❀ � ❀ ✂ modulo 7.

Larger example: Clock( F 1000003 ). Examples of clock addition: 2(1000 ❀ 2) = (4000 ❀ 7). 4(1000 ❀ 2) = (56000 ❀ 97). 8(1000 ❀ 2) = (863970 ❀ 18817). 16(1000 ❀ 2) = (549438 ❀ 156853). 17(1000 ❀ 2) = (951405 ❀ 877356). With 30 clock additions we computed ♥ (1000 ❀ 2) = (947472 ❀ 736284) for some 6-digit ♥ . Can you figure out ♥ ?

Clock cryptography Standardize a large prime ♣ and some ( ❳❀ ❨ ) ✷ Clock( F ♣ ). Follow standard security criteria. Alice chooses big secret ❛ . Computes her public key ❛ ( ❳❀ ❨ ). Bob chooses big secret ❜ . Computes his public key ❜ ( ❳❀ ❨ ). Alice computes ❛ ( ❜ ( ❳❀ ❨ )). Bob computes ❜ ( ❛ ( ❳❀ ❨ )). They use this shared secret to encrypt with AES-GCM etc.

� � � � � Alice’s Bob’s secret key ❛ secret key ❜ Alice’s Bob’s public key public key ❛ ( ❳❀ ❨ ) ❜ ( ❳❀ ❨ ) � � � ������ � � � � ❢ Alice ❀ Bob ❣ ’s ❢ Bob ❀ Alice ❣ ’s = shared secret shared secret ❛❜ ( ❳❀ ❨ ) ❜❛ ( ❳❀ ❨ )

� � � � � Alice’s Bob’s secret key ❛ secret key ❜ Alice’s Bob’s public key public key ❛ ( ❳❀ ❨ ) ❜ ( ❳❀ ❨ ) � � � ������ � � � � ❢ Alice ❀ Bob ❣ ’s ❢ Bob ❀ Alice ❣ ’s = shared secret shared secret ❛❜ ( ❳❀ ❨ ) ❜❛ ( ❳❀ ❨ ) Warning: Clocks aren’t elliptic! Can attack clock cryptography by combining congruences. To match RSA-3072 security need ♣ ✙ 2 1536 .

Exercise How many multiplications do you need to compute ( ① 1 ② 2 + ② 1 ① 2 ❀ ② 1 ② 2 � ① 1 ① 2 )? How many multiplications do you need to double a point, i.e. to compute ( ① 1 ② 1 + ② 1 ① 1 ❀ ② 1 ② 1 � ① 1 ① 1 )? How can you optimize the computation if squarings are cheaper than multiplications? Assume S ❁ M ❁ 2 S .

� � Addition on an elliptic curve ② neutral = (0 ❀ 1) ✎ P 1 = ( ① 1 ❀ ② 1 ) ✎ � P 2 = ( ① 2 ❀ ② 2 ) � ✎ � � � � � ① � � � � � � � ✎ � P 3 = ( ① 3 ❀ ② 3 ) ① 2 + ② 2 = 1 � 30 ① 2 ② 2 . Sum of ( ① 1 ❀ ② 1 ) and ( ① 2 ❀ ② 2 ) is (( ① 1 ② 2 + ② 1 ① 2 ) ❂ (1 � 30 ① 1 ① 2 ② 1 ② 2 ), ( ② 1 ② 2 � ① 1 ① 2 ) ❂ (1+30 ① 1 ① 2 ② 1 ② 2 )).

� � The clock again, for comparison: ② neutral = (0 ❀ 1) ✎ P 1 = ( ① 1 ❀ ② 1 ) ✎ � � � P 2 = ( ① 2 ❀ ② 2 ) � ✎ � � � � � � � � ① � � � � � � � � � ✎ P 3 = ( ① 3 ❀ ② 3 ) ① 2 + ② 2 = 1. Sum of ( ① 1 ❀ ② 1 ) and ( ① 2 ❀ ② 2 ) is ( ① 1 ② 2 + ② 1 ① 2 , ② 1 ② 2 � ① 1 ① 2 ).

“Hey, there were divisions in the Edwards addition law! What if the denominators are 0?” Answer: They aren’t! If ① ✐ = 0 or ② ✐ = 0 then 1 ✝ 30 ① 1 ① 2 ② 1 ② 2 = 1 ✻ = 0. If ① 2 + ② 2 = 1 � 30 ① 2 ② 2 then 30 ① 2 ② 2 ❁ 1 ♣ so 30 ❥ ①② ❥ ❁ 1.

“Hey, there were divisions in the Edwards addition law! What if the denominators are 0?” Answer: They aren’t! If ① ✐ = 0 or ② ✐ = 0 then 1 ✝ 30 ① 1 ① 2 ② 1 ② 2 = 1 ✻ = 0. If ① 2 + ② 2 = 1 � 30 ① 2 ② 2 then 30 ① 2 ② 2 ❁ 1 ♣ so 30 ❥ ①② ❥ ❁ 1. If ① 2 1 + ② 2 1 = 1 � 30 ① 2 1 ② 2 1 and ① 2 2 + ② 2 2 = 1 � 30 ① 2 2 ② 2 2 ♣ then 30 ❥ ① 1 ② 1 ❥ ❁ 1 ♣ and 30 ❥ ① 2 ② 2 ❥ ❁ 1

“Hey, there were divisions in the Edwards addition law! What if the denominators are 0?” Answer: They aren’t! If ① ✐ = 0 or ② ✐ = 0 then 1 ✝ 30 ① 1 ① 2 ② 1 ② 2 = 1 ✻ = 0. If ① 2 + ② 2 = 1 � 30 ① 2 ② 2 then 30 ① 2 ② 2 ❁ 1 ♣ so 30 ❥ ①② ❥ ❁ 1. If ① 2 1 + ② 2 1 = 1 � 30 ① 2 1 ② 2 1 and ① 2 2 + ② 2 2 = 1 � 30 ① 2 2 ② 2 2 ♣ then 30 ❥ ① 1 ② 1 ❥ ❁ 1 ♣ and 30 ❥ ① 2 ② 2 ❥ ❁ 1 so 30 ❥ ① 1 ② 1 ① 2 ② 2 ❥ ❁ 1 so 1 ✝ 30 ① 1 ① 2 ② 1 ② 2 ❃ 0.

The Edwards addition law ( ① 1 ❀ ② 1 ) + ( ① 2 ❀ ② 2 ) = (( ① 1 ② 2 + ② 1 ① 2 ) ❂ (1 � 30 ① 1 ① 2 ② 1 ② 2 ), ( ② 1 ② 2 � ① 1 ① 2 ) ❂ (1+30 ① 1 ① 2 ② 1 ② 2 )) is a group law for the curve ① 2 + ② 2 = 1 � 30 ① 2 ② 2 . Some calculation required: addition result is on curve; addition law is associative. Other parts of proof are easy: addition law is commutative; (0 ❀ 1) is neutral element; ( ① 1 ❀ ② 1 ) + ( � ① 1 ❀ ② 1 ) = (0 ❀ 1).

More Edwards curves Fix an odd prime power q . Fix a non-square ❞ ✷ F q . ❢ ( ①❀ ② ) ✷ F q ✂ F q : ① 2 + ② 2 = 1 + ❞① 2 ② 2 ❣ is a commutative group with ( ① 1 ❀ ② 1 ) + ( ① 2 ❀ ② 2 ) = ( ① 3 ❀ ② 3 ) defined by Edwards addition law: ① 1 ② 2 + ② 1 ① 2 ① 3 = , 1 + ❞① 1 ① 2 ② 1 ② 2 ② 1 ② 2 � ① 1 ① 2 ② 3 = . 1 � ❞① 1 ① 2 ② 1 ② 2

Denominators are never 0. But need different proof; “ ① 2 + ② 2 ❃ 0” doesn’t work.

Denominators are never 0. But need different proof; “ ① 2 + ② 2 ❃ 0” doesn’t work. If ① 2 1 + ② 2 1 = 1 + ❞① 2 1 ② 2 1 and ① 2 2 + ② 2 2 = 1 + ❞① 2 2 ② 2 2 and ❞① 1 ① 2 ② 1 ② 2 = ✝ 1

Denominators are never 0. But need different proof; “ ① 2 + ② 2 ❃ 0” doesn’t work. If ① 2 1 + ② 2 1 = 1 + ❞① 2 1 ② 2 1 and ① 2 2 + ② 2 2 = 1 + ❞① 2 2 ② 2 2 and ❞① 1 ① 2 ② 1 ② 2 = ✝ 1 then ❞① 2 1 ② 2 1 ( ① 2 + ② 2 ) 2 = ❞① 2 1 ② 2 1 ( ① 2 2 + ② 2 2 + 2 ① 2 ② 2 )

Denominators are never 0. But need different proof; “ ① 2 + ② 2 ❃ 0” doesn’t work. If ① 2 1 + ② 2 1 = 1 + ❞① 2 1 ② 2 1 and ① 2 2 + ② 2 2 = 1 + ❞① 2 2 ② 2 2 and ❞① 1 ① 2 ② 1 ② 2 = ✝ 1 then ❞① 2 1 ② 2 1 ( ① 2 + ② 2 ) 2 = ❞① 2 1 ② 2 1 ( ① 2 2 + ② 2 2 + 2 ① 2 ② 2 ) = ❞① 2 1 ② 2 1 ( ❞① 2 2 ② 2 2 + 1 + 2 ① 2 ② 2 )

Denominators are never 0. But need different proof; “ ① 2 + ② 2 ❃ 0” doesn’t work. If ① 2 1 + ② 2 1 = 1 + ❞① 2 1 ② 2 1 and ① 2 2 + ② 2 2 = 1 + ❞① 2 2 ② 2 2 and ❞① 1 ① 2 ② 1 ② 2 = ✝ 1 then ❞① 2 1 ② 2 1 ( ① 2 + ② 2 ) 2 = ❞① 2 1 ② 2 1 ( ① 2 2 + ② 2 2 + 2 ① 2 ② 2 ) = ❞① 2 1 ② 2 1 ( ❞① 2 2 ② 2 2 + 1 + 2 ① 2 ② 2 ) = ❞ 2 ① 2 1 ② 2 1 ① 2 2 ② 2 2 + ❞① 2 1 ② 2 1 +2 ❞① 2 1 ② 2 1 ① 2 ② 2

Denominators are never 0. But need different proof; “ ① 2 + ② 2 ❃ 0” doesn’t work. If ① 2 1 + ② 2 1 = 1 + ❞① 2 1 ② 2 1 and ① 2 2 + ② 2 2 = 1 + ❞① 2 2 ② 2 2 and ❞① 1 ① 2 ② 1 ② 2 = ✝ 1 then ❞① 2 1 ② 2 1 ( ① 2 + ② 2 ) 2 = ❞① 2 1 ② 2 1 ( ① 2 2 + ② 2 2 + 2 ① 2 ② 2 ) = ❞① 2 1 ② 2 1 ( ❞① 2 2 ② 2 2 + 1 + 2 ① 2 ② 2 ) = ❞ 2 ① 2 1 ② 2 1 ① 2 2 ② 2 2 + ❞① 2 1 ② 2 1 +2 ❞① 2 1 ② 2 1 ① 2 ② 2 = 1 + ❞① 2 1 ② 2 1 ✝ 2 ① 1 ② 1

Denominators are never 0. But need different proof; “ ① 2 + ② 2 ❃ 0” doesn’t work. If ① 2 1 + ② 2 1 = 1 + ❞① 2 1 ② 2 1 and ① 2 2 + ② 2 2 = 1 + ❞① 2 2 ② 2 2 and ❞① 1 ① 2 ② 1 ② 2 = ✝ 1 then ❞① 2 1 ② 2 1 ( ① 2 + ② 2 ) 2 = ❞① 2 1 ② 2 1 ( ① 2 2 + ② 2 2 + 2 ① 2 ② 2 ) = ❞① 2 1 ② 2 1 ( ❞① 2 2 ② 2 2 + 1 + 2 ① 2 ② 2 ) = ❞ 2 ① 2 1 ② 2 1 ① 2 2 ② 2 2 + ❞① 2 1 ② 2 1 +2 ❞① 2 1 ② 2 1 ① 2 ② 2 = 1 + ❞① 2 1 ② 2 1 ✝ 2 ① 1 ② 1 = ① 2 1 + ② 2 1 ✝ 2 ① 1 ② 1

Denominators are never 0. But need different proof; “ ① 2 + ② 2 ❃ 0” doesn’t work. If ① 2 1 + ② 2 1 = 1 + ❞① 2 1 ② 2 1 and ① 2 2 + ② 2 2 = 1 + ❞① 2 2 ② 2 2 and ❞① 1 ① 2 ② 1 ② 2 = ✝ 1 then ❞① 2 1 ② 2 1 ( ① 2 + ② 2 ) 2 = ❞① 2 1 ② 2 1 ( ① 2 2 + ② 2 2 + 2 ① 2 ② 2 ) = ❞① 2 1 ② 2 1 ( ❞① 2 2 ② 2 2 + 1 + 2 ① 2 ② 2 ) = ❞ 2 ① 2 1 ② 2 1 ① 2 2 ② 2 2 + ❞① 2 1 ② 2 1 +2 ❞① 2 1 ② 2 1 ① 2 ② 2 = 1 + ❞① 2 1 ② 2 1 ✝ 2 ① 1 ② 1 = ① 2 1 + ② 2 1 ✝ 2 ① 1 ② 1 = ( ① 1 ✝ ② 1 ) 2 .

Case 1: ① 2 + ② 2 ✻ = 0. Then ✓ 2 ✒ ① 1 ✝ ② 1 ❞ = , ① 1 ② 1 ( ① 2 + ② 2 ) contradiction.

Case 1: ① 2 + ② 2 ✻ = 0. Then ✓ 2 ✒ ① 1 ✝ ② 1 ❞ = , ① 1 ② 1 ( ① 2 + ② 2 ) contradiction. Case 2: ① 2 � ② 2 ✻ = 0. Then ✓ 2 ✒ ① 1 ✞ ② 1 ❞ = , ① 1 ② 1 ( ① 2 � ② 2 ) contradiction.

Case 1: ① 2 + ② 2 ✻ = 0. Then ✓ 2 ✒ ① 1 ✝ ② 1 ❞ = , ① 1 ② 1 ( ① 2 + ② 2 ) contradiction. Case 2: ① 2 � ② 2 ✻ = 0. Then ✓ 2 ✒ ① 1 ✞ ② 1 ❞ = , ① 1 ② 1 ( ① 2 � ② 2 ) contradiction. Case 3: ① 2 + ② 2 = ① 2 � ② 2 = 0. Then ① 2 = 0 and ② 2 = 0, contradiction.

Group operations Can compute on Edwards curve, do Diffie–Hellman key exchange. Formulas use divisions. Denominators are nonzero but divisions are expensive. Better: postpone divisions and work with fractions. ❆ = ❩ 1 ✁ ❩ 2 ; ❇ = ❆ 2 ; ❈ = ❳ 1 ✁ ❳ 2 ; ❉ = ❨ 1 ✁ ❨ 2 ; ❊ = ❞ ✁ ❈ ✁ ❉ ; ❋ = ❇ � ❊ ; ● = ❇ + ❊ ; ❳ 3 = ❆ ✁ ❋ ✁ (( ❳ 1 + ❨ 1 ) ✁ ( ❳ 2 + ❨ 2 ) � ❈ � ❉ ); ❨ 3 = ❆ ✁ ● ✁ ( ❉ � ❈ ); ❩ 3 = ❋ ✁ ● . Needs 1 S +10 M +1 M ❞ .

Edwards curves are elliptic! Can use Edwards group in crypto. ✿ ✿ ✿ if it’s a “strong” curve. Need to compute group order. If no large prime factor in order, must switch to another ❞ ; this very often happens. Also check “twist security,” “embedding degree,” et al. IEEE Std 1363 is good source for most security criteria except twist security. Safe example, “Curve25519”: q = 2 255 � 19; ❞ = 1 � 1 ❂ 121666.

Using ECC sensibly Typical starting point: Client knows secret key ❛ and server’s public key ❜ ( ❳❀ ❨ ). Client computes (and caches) shared secret ❛❜ ( ❳❀ ❨ ). Client has packet for server. Generates unique nonce. Uses shared secret to encrypt and authenticate packet. Total packet overhead: 24 bytes for nonce, 16 bytes for authenticator, 32 bytes for client’s public key.

Server receives packet, sees client’s public key ❛ ( ❳❀ ❨ ). Server computes (and caches) shared secret ❛❜ ( ❳❀ ❨ ). Server uses shared secret to verify authenticator and decrypt packet. Client and server encrypt, authenticate, verify, and decrypt all subsequent packets in the same way, using the same shared secret.

Easy-to-use packet protection: crypto_box from nacl.cace-project.eu . High-security curve (Curve25519). High-security implementation (e.g., no secret array indices). Extensive code validation. Server can compute shared secrets for 1000000 new clients in 40 seconds of computation on a Core 2 Quad. Now you are ready to run software using elliptic curves. But there is more to know.

More curves Can we use Edwards curve ① 2 + ② 2 = 1 + ❞① 2 ② 2 when ❞ is a square? ❞ = 0: Clock. Not very secure. ❞ = 1: Even worse problems. Other squares ❞ : The Edwards curve is elliptic but it is not “complete.” Need “points at ✶ .” These are the points where ① or ② has division by 0.

Example of how ✶ appears: Define ❞ = 4 ❂ 49 = (2 ❂ 7) 2 . (4 ❀ 7) is a point on ① 2 + ② 2 = 1 + ❞① 2 ② 2 . ( � 7 ❂ 8 ❀ 1 ❂ 2) is a point on ① 2 + ② 2 = 1 + ❞① 2 ② 2 . Try adding these points: 4 ✁ 1 2 � 7 ✁ 7 � 33 8 8 ① 3 = = 0 , 1 � 4 49 ✁ 4 ✁ 7 8 ✁ 7 ✁ 1 2 7 ✁ 1 2 + 4 ✁ 7 = 7 8 ② 3 = 2. 1 + 4 49 ✁ 4 ✁ 7 8 ✁ 7 ✁ 1 2

New definition of set of curve points when ❞ is a square: ( ①❀ ② ) : ① 2 + ② 2 = 1 + ❞① 2 ② 2 ✠ ✟ ♣ ♥ ♦ ❬ ( ✝ 1 ❂ ❞❀ ✶ ) ♣ ♥ ♦ ❬ ( ✶ ❀ ✝ 1 ❂ ❞ ) .

Even more trouble: Again take ❞ = 4 ❂ 49 = (2 ❂ 7) 2 . (4 ❀ 7) is a point on ① 2 + ② 2 = 1 + ❞① 2 ② 2 . (7 ❂ 8 ❀ 1 ❂ 2) is a point on ① 2 + ② 2 = 1 + ❞① 2 ② 2 . Try adding these points: 4 ✁ 1 2 + 7 ✁ 7 = 65 8 ① 3 = 16, 1 + 4 49 ✁ 4 ✁ 7 8 ✁ 7 ✁ 1 2 7 ✁ 1 2 � 4 ✁ 7 = 0 8 ② 3 = 0. 1 � 4 49 ✁ 4 ✁ 7 8 ✁ 7 ✁ 1 2

Generalize addition law: Represent ( ① ✐ ❀ ② ✐ ) by ( ❳ ✐ ❂❩ ✐ ❀ ❨ ✐ ❂❚ ✐ ) and use ( ❳ 1 ❂❩ 1 ❀ ❨ 1 ❂❚ 1 ) + ( ❳ 2 ❂❩ 2 ❀ ❨ 2 ❂❚ 2 ) = � ( ❳ 1 ❨ 2 ❩ 2 ❚ 1 + ❳ 2 ❨ 1 ❩ 1 ❚ 2 ) ❂ ( ❩ 1 ❩ 2 ❚ 1 ❚ 2 + ❞❳ 1 ❳ 2 ❨ 1 ❨ 2 ) ❀ ( ❨ 1 ❨ 2 ❩ 1 ❩ 2 � ❛❳ 1 ❳ 2 ❚ 1 ❚ 2 ) ❂ ✁ ( ❩ 1 ❩ 2 ❚ 1 ❚ 2 � ❞❳ 1 ❳ 2 ❨ 1 ❨ 2 ) if defined; or

� ❳ 1 ❨ 1 ❩ 2 ❚ 2 + ❳ 2 ❨ 2 ❩ 1 ❚ 1 ❂ ❳ 1 ❳ 2 ❚ 1 ❚ 2 + ❨ 1 ❨ 2 ❩ 1 ❩ 2 ), ( ❳ 1 ❨ 1 ❩ 2 ❚ 2 � ❳ 2 ❨ 2 ❩ 1 ❚ 1 ) ❂ ✁ ( ❳ 1 ❨ 2 ❩ 2 ❚ 1 � ❳ 2 ❨ 1 ❩ 1 ❚ 2 ) if defined. Have shown in ePrint 2009/580 that at least one of these two expressions is defined for any pair of input points. Have 2 addition laws to cover all inputs even in the incomplete case where ❞ is a square. As a designer can choose parameters and choose ❞ not to be a square.

The second law is interesting also outside the context of square values of ❞ . Hisil et al. at Asiacrypt 2008 obtained better addition speed by using ( ① 1 ❀ ② 1 ) + ( ① 2 ❀ ② 2 ) = � ① 1 ② 1 + ① 2 ② 2 ① 1 ① 2 + ② 1 ② 2 ❀ ① 1 ② 1 � ① 2 ② 2 ✁ . ① 1 ② 2 � ① 2 ② 1 Attention: these formulas fail for doubling. Curious fact: formulas do not involve curve parameter ❞

Twisted Edwards curves Generalization to cover more curves over given finite field F q : Use ❛❀ ❞ ✷ F ✄ q with ❛ ✻ = ❞ and consider twisted Edwards curve ❛① 2 + ② 2 = 1 + ❞① 2 ② 2 . Particular fast choice: ❛ = � 1 gives additions in 8 M .

There are many perspectives on elliptic-curve computations. Early development: 1984 (published 1987) Lenstra: ECM, the elliptic-curve method of factoring integers. 1984 (published 1985) Miller, and independently 1984 (published 1987) Koblitz: Elliptic-curve cryptography. Bosma, Goldwasser–Kilian, Chudnovsky–Chudnovsky, Atkin: elliptic-curve primality proving.

The Edwards perspective is new! 1761 Euler, 1866 Gauss introduced an addition law for ① 2 + ② 2 = 1 � ① 2 ② 2 , the “lemniscatic elliptic curve.” 2007 Edwards generalized to many curves ① 2 + ② 2 = 1+ ❝ 4 ① 2 ② 2 . Theorem: have now obtained all elliptic curves over Q . 2007 Bernstein–Lange: Edwards addition law is complete for ① 2 + ② 2 = 1 + ❞① 2 ② 2 if ❞ ✻ = ; and gives new ECC speed records.

Representing curve points Crypto 1985, Miller, “Use of elliptic curves in cryptography”: Given ♥ ✷ Z , P ✷ ❊ ( F q ), division-polynomial recurrence computes ♥P ✷ ❊ ( F q ) “in 26 log 2 ♥ multiplications”; but can do better! “It appears to be best to represent the points on the curve in the following form: Each point is represented by the triple ( ①❀ ②❀ ③ ) which corresponds to the point ( ①❂③ 2 ❀ ②❂③ 3 ).”

1986 Chudnovsky–Chudnovsky, “Sequences of numbers generated by addition in formal groups and new primality and factorization tests”: “The crucial problem becomes the choice of the model of an algebraic group variety, where computations mod ♣ are the least time consuming.” Most important computations: ADD is P❀ ◗ ✼✦ P + ◗ . DBL is P ✼✦ 2 P .

“It is preferable to use models of elliptic curves lying in low-dimensional spaces, for otherwise the number of coordinates and operations is increasing. This limits us ✿ ✿ ✿ to 4 basic models of elliptic curves.” Short Weierstrass: ② 2 = ① 3 + ❛① + ❜ . Jacobi intersection: s 2 + ❝ 2 = 1, ❛s 2 + ❞ 2 = 1. Jacobi quartic: ② 2 = ① 4 +2 ❛① 2 +1. Hessian: ① 3 + ② 3 + 1 = 3 ❞①② .

Some Newton polygons ✎ ✁ ✁ ✁ ✁ ✁ � � � � ✁ ✁ ✁ ✁ ✁ � � � ✎ ✁ ✎ ✁ ✁ ✎ ✁ ✁ Short Weierstrass ✎ ✁ ✁ ✁ ✁ ✁ ���� � � � � ✁ ✁ ✁ ✁ ✁ � � � ✁ ✎ ✁ ✎ ✁ ✎ ✁ ✁ Montgomery ✎ ✁ ✁ ✁ ✁ ✁ � � � � ✁ ✁ ✁ ✁ ✁ � � � � ✎ ✁ ✁ ✎ ✁ ✁ ✎ ✁ Jacobi quartic ✎ ✁ ✁ ✁ ✁ ✁ � � � ✁ ✁ ✁ ✁ ✁ � � � ✁ ✎ ✁ ✁ ✁ ✁ � � ✎ ✁ ✁ ✁ ✎ ✁ ✁ Hessian ✎ ✁ ✁ ✎ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✎ ✁ ✁ ✎ ✁ ✁ ✁ Edwards ✎ ✁ ✎ ✁ ✎ ✁ ✁ ✁ ✎ ✁ ✎ ✁ ✎ ✁ ✁ ✁ � � � ✁ ✎ ✁ ✎ ✁ ✁ ✁ Binary Edwards

Birational equivalence Starting from point ( ①❀ ② ) on ① 2 + ② 2 = 1 + ❞① 2 ② 2 : Define ❆ = 2(1 + ❞ ) ❂ (1 � ❞ ), ❇ = 4 ❂ (1 � ❞ ); ✉ = (1 + ② ) ❂ ( ❇ (1 � ② )), ✈ = ✉❂① = (1 + ② ) ❂ ( ❇① (1 � ② )). (Skip a few exceptional points.) Then ( ✉❀ ✈ ) is a point on a long Weierstrass curve: ✈ 2 = ✉ 3 + ( ❆❂❇ ) ✉ 2 + (1 ❂❇ 2 ) ✉ ; Easily invert this map: ① = ✉❂✈ , ② = ( ❇✉ � 1) ❂ ( ❇✉ + 1). ✮ Same discrete-log security!

Optimizing Jacobian coordinates For “traditional” ( ❳❂❩ 2 ❀ ❨❂❩ 3 ) on ② 2 = ① 3 + ❛① + ❜ : 1986 Chudnovsky–Chudnovsky state explicit formulas using 10 M for DBL; 16 M for ADD. Consequence: ✒ ✓ 10 lg ♥ + 16 lg ♥ ✙ M lg lg ♥ to compute ♥❀ P ✼✦ ♥P using sliding-windows method of scalar multiplication. Notation: lg = log 2 .

Squaring is faster than M . Here are the DBL formulas: ❙ = 4 ❳ 1 ✁ ❨ 2 1 ; ▼ = 3 ❳ 2 1 + ❛❩ 4 1 ; ❚ = ▼ 2 � 2 ❙ ; ❳ 3 = ❚ ; ❨ 3 = ▼ ✁ ( ❙ � ❚ ) � 8 ❨ 4 1 ; ❩ 3 = 2 ❨ 1 ✁ ❩ 1 . Total cost 3 M + 6 S + 1 D where S is the cost of squaring in F q , D is the cost of multiplying by ❛ . The squarings produce ❳ 2 1 ❀ ❨ 2 1 ❀ ❨ 4 1 ❀ ❩ 2 1 ❀ ❩ 4 1 ❀ ▼ 2 .

Most ECC standards choose curves that make formulas faster. Curve-choice advice from 1986 Chudnovsky–Chudnovsky: Can eliminate the 1 D by choosing curve with ❛ = 1. But “it is even smarter” to choose curve with ❛ = � 3. If ❛ = � 3 then ▼ = 3( ❳ 2 1 � ❩ 4 1 ) = 3( ❳ 1 � ❩ 2 1 ) ✁ ( ❳ 1 + ❩ 2 1 ). Replace 2 S with 1 M . Now DBL costs 4 M + 4 S .

2001 Bernstein: 3 M + 5 S for DBL. 11 M + 5 S for ADD. How? Easy S � M tradeoff: instead of computing 2 ❨ 1 ✁ ❩ 1 , compute ( ❨ 1 + ❩ 1 ) 2 � ❨ 2 1 � ❩ 2 1 . DBL formulas were already computing ❨ 2 1 and ❩ 2 1 . Same idea for the ADD formulas, but have to scale ❳❀ ❨❀ ❩ to eliminate divisions by 2.

ADD for ② 2 = ① 3 + ❛① + ❜ : ❯ 1 = ❳ 1 ❩ 2 2 , ❯ 2 = ❳ 2 ❩ 2 1 , ❙ 1 = ❨ 1 ❩ 3 2 , ❙ 2 = ❨ 2 ❩ 3 1 , many more computations. 1986 Chudnovsky–Chudnovsky: “We suggest to write addition formulas involving ( ❳❀ ❨❀ ❩❀ ❩ 2 ❀ ❩ 3 ).” Disadvantages: Allocate space for ❩ 2 ❀ ❩ 3 . Pay 1 S +1 M in ADD and in DBL. Advantages: Save 2 S + 2 M at start of ADD. Save 1 S at start of DBL.

1998 Cohen–Miyaji–Ono: Store point as ( ❳ : ❨ : ❩ ). If point is input to ADD, also cache ❩ 2 and ❩ 3 . No cost, aside from space. If point is input to another ADD, reuse ❩ 2 ❀ ❩ 3 . Save 1 S + 1 M ! Best Jacobian speeds today, including S � M tradeoffs: 3 M + 5 S for DBL if ❛ = � 3. 11 M + 5 S for ADD. 10 M + 4 S for reADD. 7 M + 4 S for mADD (i.e. ❩ 2 = 1).

Compare to speeds for Edwards curves ① 2 + ② 2 = 1 + ❞① 2 ② 2 in projective coordinates (2007 Bernstein–Lange): 3 M + 4 S for DBL. 10 M + 1 S + 1 D for ADD. 9 M + 1 S + 1 D for mADD. Inverted Edwards coordinates (2007 Bernstein–Lange): 3 M + 4 S + 1 D for DBL. 9 M + 1 S + 1 D for ADD. 8 M + 1 S + 1 D for mADD. Even better speeds from extended/completed coordinates (2008 Hisil–Wong–Carter–Dawson).

② 2 = ① 3 � 0 ✿ 4 ① + 0 ✿ 7