High-speed cryptography, part 1: elliptic-curve formulas
Daniel J. Bernstein, University of Illinois at Chicago &

Crypto performance problems often lead users to reduce cryptographic security levels or give up on cryptography. Example 1: RSA-1024.

Extensive work on ECC speed

Extensive work on ECC speed $\Rightarrow$ fast high-security ECC. Example: Curve25519 ECDH in 460200 Cortex A8 cycles; 332304 Snapdragon S4 cycles; 182632 Ivy Bridge cycles.

Requires serious analysis and optimization of algorithms. Not just "polynomial time"; not just "quadratic time".

My topic today: decomposing elliptic-curve operations into field operations.

Eliminating divisions

Typical computation: $P \mapsto nP$. Decompose into additions: $P, Q \mapsto P + Q$.

Addition
$(x_1, y_1) + (x_2, y_2) = \left( \frac{x_1 y_2 + y_1 x_2}{1 + d x_1 x_2 y_1 y_2},\ \frac{y_1 y_2 - x_1 x_2}{1 - d x_1 x_2 y_1 y_2} \right)$
uses expensive divisions.

Better: postpone divisions and work with fractions. Represent $(x, y)$ as $(X : Y : Z)$ with $x = X/Z$ and $y = Y/Z$ for $Z \ne 0$.

Addition now has to handle fractions as input:
$\left( \frac{X_1}{Z_1}, \frac{Y_1}{Z_1} \right) + \left( \frac{X_2}{Z_2}, \frac{Y_2}{Z_2} \right) = \left( \frac{\frac{X_1}{Z_1}\frac{Y_2}{Z_2} + \frac{Y_1}{Z_1}\frac{X_2}{Z_2}}{1 + d \frac{X_1}{Z_1}\frac{X_2}{Z_2}\frac{Y_1}{Z_1}\frac{Y_2}{Z_2}},\ \frac{\frac{Y_1}{Z_1}\frac{Y_2}{Z_2} - \frac{X_1}{Z_1}\frac{X_2}{Z_2}}{1 - d \frac{X_1}{Z_1}\frac{X_2}{Z_2}\frac{Y_1}{Z_1}\frac{Y_2}{Z_2}} \right)$
$= \left( \frac{Z_1 Z_2 (X_1 Y_2 + Y_1 X_2)}{Z_1^2 Z_2^2 + d X_1 X_2 Y_1 Y_2},\ \frac{Z_1 Z_2 (Y_1 Y_2 - X_1 X_2)}{Z_1^2 Z_2^2 - d X_1 X_2 Y_1 Y_2} \right)$,

i.e. $\left( \frac{X_1}{Z_1}, \frac{Y_1}{Z_1} \right) + \left( \frac{X_2}{Z_2}, \frac{Y_2}{Z_2} \right) = \left( \frac{X_3}{Z_3}, \frac{Y_3}{Z_3} \right)$ where
$F = Z_1^2 Z_2^2 - d X_1 X_2 Y_1 Y_2$,
$G = Z_1^2 Z_2^2 + d X_1 X_2 Y_1 Y_2$,
$X_3 = Z_1 Z_2 (X_1 Y_2 + Y_1 X_2) F$,
$Y_3 = Z_1 Z_2 (Y_1 Y_2 - X_1 X_2) G$,
$Z_3 = F G$.

Input to addition algorithm: $X_1, Y_1, Z_1, X_2, Y_2, Z_2$. Output from addition algorithm: $X_3, Y_3, Z_3$. No divisions needed!

Save multiplications by eliminating common subexpressions:
$A = Z_1 \cdot Z_2$; $B = A^2$;
$C = X_1 \cdot X_2$;
$D = Y_1 \cdot Y_2$;
$E = d \cdot C \cdot D$;
$F = B - E$; $G = B + E$;
$X_3 = A \cdot F \cdot (X_1 \cdot Y_2 + Y_1 \cdot X_2)$;
$Y_3 = A \cdot G \cdot (D - C)$;
$Z_3 = F \cdot G$.

Cost: $11\mathbf{M} + 1\mathbf{S} + 1\mathbf{D}$. Can do better: $10\mathbf{M} + 1\mathbf{S} + 1\mathbf{D}$.

Faster doubling

$(x_1, y_1) + (x_1, y_1) = \left( \frac{x_1 y_1 + y_1 x_1}{1 + d x_1 x_1 y_1 y_1},\ \frac{y_1 y_1 - x_1 x_1}{1 - d x_1 x_1 y_1 y_1} \right) = \left( \frac{2 x_1 y_1}{1 + d x_1^2 y_1^2},\ \frac{y_1^2 - x_1^2}{1 - d x_1^2 y_1^2} \right)$.

$x_1^2 + y_1^2 = 1 + d x_1^2 y_1^2$, so
$(x_1, y_1) + (x_1, y_1) = \left( \frac{2 x_1 y_1}{x_1^2 + y_1^2},\ \frac{y_1^2 - x_1^2}{2 - x_1^2 - y_1^2} \right)$.

Again eliminate divisions using $\mathbf{P}^2$: only $3\mathbf{M} + 4\mathbf{S}$. Much faster than addition. Useful: many doublings in ECC.
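The projective addition with the common subexpressions A..G and the 3M + 4S doubling, as an added example that is not part of the slides. Everything in it is constructed for the example: the toy field F_13 and the curve constant d = 2 (a non-square mod 13, so the curve is complete and no denominator vanishes), plus counters on each field operation so the M/S/D/I costs quoted on the slides can be read off directly rather than taken on trust.

```python
# Added example, not from the slides: Edwards-curve addition and doubling on a
# constructed toy curve, in affine form (with the two divisions) and in
# projective (X:Y:Z) form (no divisions), with counters on every field
# operation so the 11M + 1S + 1D and 3M + 4S figures can be checked.
# Parameters are constructed for this example: p = 13 and d = 2, where 2 is a
# non-square mod 13, so x^2 + y^2 = 1 + 2x^2y^2 is a complete Edwards curve
# and no denominator below is ever zero.
p = 13
d = 2

COUNT = {"M": 0, "S": 0, "D": 0, "I": 0}   # multiplications, squarings,
                                            # multiplications by d, inversions

def mul(a, b):
    COUNT["M"] += 1
    return a * b % p

def sqr(a):
    COUNT["S"] += 1
    return a * a % p

def mul_d(a):
    COUNT["D"] += 1
    return d * a % p

def inv(a):                 # the expensive operation the slides postpone
    COUNT["I"] += 1
    return pow(a % p, p - 2, p)

def cost_of(fn, *args):
    """Run fn once and return the field-operation counts it incurred."""
    for k in COUNT:
        COUNT[k] = 0
    fn(*args)
    return dict(COUNT)

def add_affine(P, Q):
    """(x1,y1) + (x2,y2) exactly as on the slide: two divisions."""
    x1, y1 = P
    x2, y2 = Q
    t = mul_d(mul(mul(x1, x2), mul(y1, y2)))            # d x1 x2 y1 y2
    x3 = mul((mul(x1, y2) + mul(y1, x2)) % p, inv(1 + t))
    y3 = mul((mul(y1, y2) - mul(x1, x2)) % p, inv(1 - t))
    return (x3, y3)

def add_projective(P, Q):
    """Division-free addition with the common subexpressions A..G."""
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    A = mul(Z1, Z2)
    B = sqr(A)
    C = mul(X1, X2)
    D = mul(Y1, Y2)
    E = mul(mul_d(C), D)                                 # d*C*D
    F = (B - E) % p
    G = (B + E) % p
    X3 = mul(mul(A, F), (mul(X1, Y2) + mul(Y1, X2)) % p)
    Y3 = mul(mul(A, G), (D - C) % p)
    Z3 = mul(F, G)
    return (X3, Y3, Z3)

def double_projective(P):
    """Doubling via x1^2 + y1^2 = 1 + d x1^2 y1^2: 3M + 4S and no use of d."""
    X1, Y1, Z1 = P
    B = sqr((X1 + Y1) % p)
    C = sqr(X1)
    D = sqr(Y1)
    E = (C + D) % p                                      # X1^2 + Y1^2
    H = sqr(Z1)
    J = (E - 2 * H) % p                                  # X1^2 + Y1^2 - 2 Z1^2
    return (mul((B - E) % p, J), mul(E, (C - D) % p), mul(E, J))

def to_affine(P):
    X, Y, Z = P
    zi = inv(Z)                                          # one division at the end
    return (mul(X, zi), mul(Y, zi))

def curve_points():
    """All affine points of the toy curve, found by exhaustive search."""
    return [(x, y) for x in range(p) for y in range(p)
            if (x * x + y * y - 1 - d * x * x * y * y) % p == 0]

def scalar_mult(n, P):
    """n*P by repeated affine addition, starting from the neutral element (0,1)."""
    R = (0, 1)
    for _ in range(n):
        R = add_affine(R, P)
    return R

if __name__ == "__main__":
    print(len(curve_points()), "points on the curve")
    print("affine    ", add_affine((4, 4), (9, 4)))
    print("projective", to_affine(add_projective((4, 4, 1), (9, 4, 1))))
    print("cost of projective add     ", cost_of(add_projective, (4, 4, 1), (9, 4, 1)))
    print("cost of projective doubling", cost_of(double_projective, (4, 4, 1)))
```

Running it shows the 8 points of the toy curve, the projective and affine results agreeing for every pair of points once the single final division in `to_affine` is done, and the counters landing exactly on 11M + 1S + 1D for addition and 3M + 4S for doubling, with the two inversions of the affine formula gone.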

More addition strategies

Dual addition formula:
$(x_1, y_1) + (x_2, y_2) = \left( \frac{x_1 y_1 + x_2 y_2}{x_1 x_2 + y_1 y_2},\ \frac{x_1 y_1 - x_2 y_2}{x_1 y_2 - x_2 y_1} \right)$.
Low degree, no need for $d$.

Warning: fails for doubling! Is this really "addition"? Most EC formulas have failures.

More coordinate systems:
Inverted: $x = Z/X$, $y = Z/Y$.
Extended: $x = X/Z$, $y = Y/T$.
Completed: $x = X/Z$, $y = Y/Z$, $xy = T/Z$.
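An added example, not from the slides, that puts the dual addition formula next to the standard one and runs both over every ordered pair of points of a constructed toy curve (F_13, d = 2, a non-square, so the standard formula is complete). It goes a little beyond the slide's warning: besides every doubling input, the enumeration also turns up pairs of distinct points on which a dual-formula denominator vanishes, which is the kind of exceptional input an implementation has to detect rather than silently mishandle.

```python
# Added example, not from the slides: the dual addition formula next to the
# standard Edwards formula, exercised on every pair of points of a constructed
# toy curve to locate the inputs on which the dual formula fails.  Parameters
# are constructed for this example: p = 13, d = 2 (a non-square mod 13), so
# the standard formula is complete and never divides by zero.
p = 13
d = 2

def inv(a):
    """Field inversion; a zero denominator is reported, not silently absorbed."""
    a %= p
    if a == 0:
        raise ZeroDivisionError("zero denominator in the field")
    return pow(a, p - 2, p)

def add_standard(P, Q):
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + y1 * x2) * inv(1 + t) % p,
            (y1 * y2 - x1 * x2) * inv(1 - t) % p)

def add_dual(P, Q):
    """Low-degree formula with no d: fails whenever a denominator vanishes."""
    x1, y1 = P
    x2, y2 = Q
    return ((x1 * y1 + x2 * y2) * inv(x1 * x2 + y1 * y2) % p,
            (x1 * y1 - x2 * y2) * inv(x1 * y2 - x2 * y1) % p)

def curve_points():
    return [(x, y) for x in range(p) for y in range(p)
            if (x * x + y * y - 1 - d * x * x * y * y) % p == 0]

def classify_pairs():
    """Split all ordered pairs into (agree, fail, mismatch) for add_dual."""
    agree, fail, mismatch = [], [], []
    pts = curve_points()
    for P in pts:
        for Q in pts:
            try:
                R = add_dual(P, Q)
            except ZeroDivisionError:
                fail.append((P, Q))
                continue
            (agree if R == add_standard(P, Q) else mismatch).append((P, Q))
    return agree, fail, mismatch

if __name__ == "__main__":
    agree, fail, mismatch = classify_pairs()
    print(len(agree), "pairs agree,", len(fail), "pairs fail,",
          len(mismatch), "mismatches")
    print("doubling inputs among the failures:",
          sum(1 for P, Q in fail if P == Q), "of", len(curve_points()))
```

Wherever the dual formula is defined it agrees with the standard one (the mismatch list stays empty), and every pair (P, P) lands in the failure list because $x_1 y_2 - x_2 y_1$ is then zero; the pair ((4, 4), (9, 4)), i.e. P + (−P), fails as well because $x_1 x_2 + y_1 y_2 \equiv 0 \pmod{13}$ there.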

More elliptic curves

Edwards curves are elliptic. Easiest way to understand elliptic curves is Edwards. Geometrically, all elliptic curves are Edwards curves. Algebraically, more elliptic curves exist.

Every odd-char curve can be expressed as Weierstrass curve $v^2 = u^3 + a_2 u^2 + a_4 u + a_6$.

Warning: "Weierstrass" has different meaning in char 2.

Addition on Weierstrass curve $v^2 = u^3 + u^2 + u + 1$

[Figure: the curve with the points $P_1$, $P_2$, $-(P_1 + P_2)$ and $P_1 + P_2$ marked.]

Slope $\lambda = (v_2 - v_1) / (u_2 - u_1)$. Note that $u_1 \ne u_2$.

Doubling on Weierstrass curve $v^2 = u^3 - u$

[Figure: the curve with the points $P_1$, $-2P_1$ and $2P_1$ marked.]

Slope $\lambda = (3 u_1^2 - 1) / (2 v_1)$.

In most cases $(u_1, v_1) + (u_2, v_2) = (u_3, v_3)$ where
$(u_3, v_3) = (\lambda^2 - u_1 - u_2,\ \lambda(u_1 - u_3) - v_1)$:

$u_1 \ne u_2$, "addition" (alert!): $\lambda = (v_2 - v_1) / (u_2 - u_1)$. Total cost $1\mathbf{I} + 2\mathbf{M} + 1\mathbf{S}$.

$(u_1, v_1) = (u_2, v_2)$ and $v_1 \ne 0$, "doubling" (alert!): $\lambda = (3 u_1^2 + 2 a_2 u_1 + a_4) / (2 v_1)$. Total cost $1\mathbf{I} + 2\mathbf{M} + 2\mathbf{S}$.

Also handle some exceptions: $(u_1, v_1) = (u_2, -v_2)$; inputs at $\infty$.

Birational equivalence

Starting from point $(x, y)$ on $x^2 + y^2 = 1 + d x^2 y^2$:
Define $A = 2(1 + d) / (1 - d)$, $B = 4 / (1 - d)$;
$u = (1 + y) / (B (1 - y))$,
$v = u / x = (1 + y) / (B x (1 - y))$.
(Skip a few exceptional points.)

$v^2 = u^3 + (A/B) u^2 + (1/B^2) u$.
Maps Edwards to Weierstrass. Compatible with point addition!

Easily invert this map: $x = u / v$, $y = (B u - 1) / (B u + 1)$.

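The birational map on the slide above, as an added example that is not part of the slides: Python over a toy field $\mathbf{F}_{101}$ with $d = 2$ (a non-square mod 101, chosen for this example so the Edwards addition law is complete and every point is affine). The code lists the Edwards points, sends each through $(x, y) \mapsto (u, v)$, checks that it lands on $v^2 = u^3 + (A/B)u^2 + (1/B^2)u$ and inverts back, and confirms “compatible with point addition” by comparing the image of an Edwards sum with a chord-and-tangent sum on the Weierstrass side. The Weierstrass addition uses $u_3 = \lambda^2 - a_2 - u_1 - u_2$ to account for the $u^2$ term (an assumption of this example; the “In most cases” formula on the slide is for $a_2 = 0$). All function and constant names are this example’s own.

```python
# Added example (not from the slides): checks the Edwards -> Weierstrass map
# on a toy curve and that it respects point addition.
# Constructed parameters: p = 101, d = 2 (a non-square mod 101).
P = 101
D = 2

def inv(a):
    """Field inverse via Fermat; inv(0) is 0, so callers guard zero denominators."""
    return pow(a % P, P - 2, P)

def edwards_on_curve(pt):
    x, y = pt
    return (x * x + y * y - 1 - D * x * x * y * y) % P == 0

def edwards_add(p1, p2):
    """Edwards addition law as written on the slides (complete for non-square d)."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + y1 * x2) * inv(1 + t)
    y3 = (y1 * y2 - x1 * x2) * inv(1 - t)
    return (x3 % P, y3 % P)

# Map constants from the slide: A = 2(1+d)/(1-d), B = 4/(1-d).
A = 2 * (1 + D) * inv(1 - D) % P
B = 4 * inv(1 - D) % P
A2 = A * inv(B) % P      # coefficient of u^2 in v^2 = u^3 + (A/B) u^2 + (1/B^2) u
A4 = inv(B * B) % P      # coefficient of u

def to_weierstrass(pt):
    x, y = pt
    if x == 0 or y == 1:
        raise ValueError("exceptional point, skipped as on the slide")
    u = (1 + y) * inv(B * (1 - y)) % P
    v = u * inv(x) % P
    return (u, v)

def from_weierstrass(pt):
    u, v = pt
    return (u * inv(v) % P, (B * u - 1) * inv(B * u + 1) % P)

def weierstrass_on_curve(pt):
    u, v = pt
    return (v * v - (u ** 3 + A2 * u * u + A4 * u)) % P == 0

def weierstrass_add(p1, p2):
    """Chord-and-tangent addition on v^2 = u^3 + a2 u^2 + a4 u.
    The u^2 term contributes the -a2 in u3 (assumption of this example)."""
    u1, v1 = p1
    u2, v2 = p2
    if u1 != u2:
        lam = (v2 - v1) * inv(u2 - u1) % P
    elif v1 == v2 and v1 != 0:
        lam = (3 * u1 * u1 + 2 * A2 * u1 + A4) * inv(2 * v1) % P
    else:
        raise ValueError("sum is the point at infinity")
    u3 = (lam * lam - A2 - u1 - u2) % P
    v3 = (lam * (u1 - u3) - v1) % P
    return (u3, v3)

def edwards_points():
    """All affine points of the toy Edwards curve (brute force is fine for p = 101)."""
    return [(x, y) for x in range(P) for y in range(P) if edwards_on_curve((x, y))]

def map_is_consistent(pts):
    """Each non-exceptional point lands on the Weierstrass curve and inverts back."""
    for pt in pts:
        if pt[0] == 0 or pt[1] == 1:
            continue
        w = to_weierstrass(pt)
        if not weierstrass_on_curve(w) or from_weierstrass(w) != pt:
            return False
    return True

def map_respects_addition(pts):
    """phi(P + Q) == phi(P) + phi(Q) whenever no exceptional point is involved."""
    checked = 0
    for p1 in pts:
        for p2 in pts:
            try:
                lhs = to_weierstrass(edwards_add(p1, p2))
                rhs = weierstrass_add(to_weierstrass(p1), to_weierstrass(p2))
            except ValueError:
                continue
            if lhs != rhs:
                return False
            checked += 1
    return checked > 0

if __name__ == "__main__":
    pts = edwards_points()
    print(len(pts), "points;", map_is_consistent(pts), map_respects_addition(pts))
```

The point $(1, 0)$ has order 4 under the Edwards law ($(1,0)+(1,0) = (0,-1)$), so the point count is a multiple of 4; its image $(1/B, 1/B)$ is a convenient spot check of the map constants.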
  44–51. Some history. There are many perspectives on elliptic-curve computations.

  1984 (published 1987) Lenstra: ECM, the elliptic-curve method of factoring integers.

  1984 (published 1985) Miller, and independently 1984 (published 1987) Koblitz: Elliptic-curve cryptography.

  Bosma, Goldwasser–Kilian, Chudnovsky–Chudnovsky, Atkin: elliptic-curve primality proving.

  The Edwards perspective is new! 1761 Euler, 1866 Gauss introduced an addition law for $x^2 + y^2 = 1 - x^2y^2$, the “lemniscatic elliptic curve.”

  2007 Edwards generalized to many curves $x^2 + y^2 = 1 + c^4x^2y^2$. Theorem: have now obtained all elliptic curves over $\mathbf{Q}$.

  2007 Bernstein–Lange: Edwards addition law is complete for $x^2 + y^2 = 1 + dx^2y^2$ if $d$ is not a square; and gives new ECC speed records.

  52–63. Representing curve points. Crypto 1985, Miller, “Use of elliptic curves in cryptography”: Given $n \in \mathbf{Z}$, $P \in E(\mathbf{F}_q)$, division-polynomial recurrence computes $nP \in E(\mathbf{F}_q)$ “in $26 \log_2 n$ multiplications”; but can do better! “It appears to be best to represent the points on the curve in the following form: Each point is represented by the triple $(x, y, z)$ which corresponds to the point $(x/z^2, y/z^3)$.”

  1986 Chudnovsky–Chudnovsky, “Sequences of numbers generated by addition in formal groups and new primality and factorization tests”: “The crucial problem becomes the choice of the model of an algebraic group variety, where computations mod $p$ are the least time consuming.” Most important computations: ADD is $P, Q \mapsto P + Q$. DBL is $P \mapsto 2P$.

  “It is preferable to use models of elliptic curves lying in low-dimensional spaces, for otherwise the number of coordinates and operations is increasing. This limits us … to 4 basic models of elliptic curves.” Short Weierstrass: $y^2 = x^3 + ax + b$. Jacobi intersection: $s^2 + c^2 = 1$, $as^2 + d^2 = 1$. Jacobi quartic: $y^2 = x^4 + 2ax^2 + 1$. Hessian: $x^3 + y^3 + 1 = 3dxy$.

  64–71. Optimizing Jacobian coordinates. For “traditional” $(X/Z^2, Y/Z^3)$ on $y^2 = x^3 + ax + b$: 1986 Chudnovsky–Chudnovsky state explicit formulas using 10 M for DBL; 16 M for ADD. Consequence: $\approx \bigl(10 \lg n + 16\,\lg n / \lg\lg n\bigr)$ M to compute $n, P \mapsto nP$ using sliding-windows method of scalar multiplication. Notation: $\lg = \log_2$.

  Squaring is faster than M. Here are the DBL formulas: $S = 4X_1 \cdot Y_1^2$; $M = 3X_1^2 + aZ_1^4$; $T = M^2 - 2S$; $X_3 = T$; $Y_3 = M \cdot (S - T) - 8Y_1^4$; $Z_3 = 2Y_1 \cdot Z_1$. Total cost 3 M + 6 S + 1 D where S is the cost of squaring in $\mathbf{F}_q$, D is the cost of multiplying by $a$. The squarings produce $X_1^2, Y_1^2, Y_1^4, Z_1^2, Z_1^4, M^2$.

  72–75. Most ECC standards choose curves that make formulas faster. Curve-choice advice from 1986 Chudnovsky–Chudnovsky: Can eliminate the 1 D by choosing curve with $a = 1$. But “it is even smarter” to choose curve with $a = -3$. If $a = -3$ then $M = 3(X_1^2 - Z_1^4) = 3(X_1 - Z_1^2) \cdot (X_1 + Z_1^2)$. Replace 2 S with 1 M. Now DBL costs 4 M + 4 S.

  76–79. 2001 Bernstein: 3 M + 5 S for DBL. 11 M + 5 S for ADD. How? Easy S − M tradeoff: instead of computing $2Y_1 \cdot Z_1$, compute $(Y_1 + Z_1)^2 - Y_1^2 - Z_1^2$. DBL formulas were already computing $Y_1^2$ and $Z_1^2$. Same idea for the ADD formulas, but have to scale $X, Y, Z$ to eliminate divisions by 2.

  80–83. ADD for y² = x³ + ax + b: U1 = X1·Z2², U2 = X2·Z1², S1 = Y1·Z2³, S2 = Y2·Z1³, many more computations.
      1986 Chudnovsky–Chudnovsky: "We suggest to write addition formulas involving (X, Y, Z, Z², Z³)."
      Disadvantages: allocate space for Z², Z³. Pay 1S + 1M in ADD and in DBL.
      Advantages: save 2S + 2M at start of ADD. Save 1S at start of DBL.


  84–87. 1998 Cohen–Miyaji–Ono: store point as (X : Y : Z). If point is input to ADD, also cache Z² and Z³. No cost, aside from space. If point is input to another ADD, reuse Z², Z³. Save 1S + 1M!
      Best Jacobian speeds today, including S−M tradeoffs: 3M + 5S for DBL if a = −3. 11M + 5S for ADD. 10M + 4S for reADD. 7M + 4S for mADD (i.e. Z2 = 1).
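The operation counts on slides 77–87 can be checked by instrumenting the field arithmetic. The following is an added example, not code from the slides or from Bernstein: it implements the a = −3 Jacobian DBL with the (Y1 + Z1)² trick, plain ADD, Cohen–Miyaji–Ono reADD with cached Z², Z³, and mixed mADD, counts M and S per call, and compares every result with textbook affine arithmetic. The toy prime 1019, the constructed curve y² = x³ − 3x + 6 with its point (1, 2), the Z scalings 7 and 11, and all function names (dbl, add, readd, madd, cache, check) are assumptions made for this example.

```python
# Added example, not from the slides: Jacobian DBL / ADD / reADD / mADD for
# y^2 = x^3 - 3x + b over a constructed toy prime field. mul() and sqr() count
# field multiplications (M) and squarings (S); additions and multiplications
# by small constants are free, matching the slides' accounting.

P = 1019   # constructed toy prime (real curves use ~256-bit fields)
B = 6      # constructed curve y^2 = x^3 - 3x + 6 mod P; (1, 2) lies on it
COUNT = {"M": 0, "S": 0}

def mul(a, b):
    COUNT["M"] += 1
    return a * b % P
def sqr(a):
    COUNT["S"] += 1
    return a * a % P
def counted(f, *args):
    """Run one formula and return (result, (M, S)) for that call alone."""
    COUNT["M"] = COUNT["S"] = 0
    return f(*args), (COUNT["M"], COUNT["S"])

def dbl(X1, Y1, Z1):
    """2001 Bernstein DBL for a = -3 with the (Y1+Z1)^2 trick: 3M + 5S."""
    delta, gamma = sqr(Z1), sqr(Y1)                   # Z1^2, Y1^2
    beta = mul(X1, gamma)                             # slide's S is 4*beta
    alpha = 3 * mul(X1 - delta, X1 + delta) % P       # slide's M = 3(X1-Z1^2)(X1+Z1^2)
    X3 = (sqr(alpha) - 8 * beta) % P                  # T = M^2 - 2S
    Z3 = (sqr(Y1 + Z1) - gamma - delta) % P           # 2*Y1*Z1 for 1S instead of 1M
    Y3 = (mul(alpha, 4 * beta - X3) - 8 * sqr(gamma)) % P   # M(S - T) - 8*Y1^4
    return X3, Y3, Z3

def _tail(U1, S1, U2, S2, Z1, Z2, Z1Z1, Z2Z2):
    """Rest of ADD/reADD once U1, S1, U2, S2 exist: 5M + 3S (needs H != 0)."""
    H = (U2 - U1) % P
    I = sqr(2 * H)
    J = mul(H, I)
    r = 2 * (S2 - S1) % P
    V = mul(U1, I)
    X3 = (sqr(r) - J - 2 * V) % P
    Y3 = (mul(r, V - X3) - 2 * mul(S1, J)) % P
    Z3 = mul(sqr(Z1 + Z2) - Z1Z1 - Z2Z2, H)          # 2*Z1*Z2*H
    return X3, Y3, Z3

def add(X1, Y1, Z1, X2, Y2, Z2):
    """Plain Jacobian ADD: 11M + 5S (2S + 2M of it spent on Z^2, Z^3)."""
    Z1Z1, Z2Z2 = sqr(Z1), sqr(Z2)
    U1, U2 = mul(X1, Z2Z2), mul(X2, Z1Z1)
    S1, S2 = mul(Y1, mul(Z2, Z2Z2)), mul(Y2, mul(Z1, Z1Z1))
    return _tail(U1, S1, U2, S2, Z1, Z2, Z1Z1, Z2Z2)

def cache(X, Y, Z):
    """Cohen-Miyaji-Ono: keep Z^2, Z^3 beside a point that will be added again.
    A previous ADD already computed them, so they are not charged here."""
    ZZ = Z * Z % P
    return X, Y, Z, ZZ, ZZ * Z % P

def readd(X1, Y1, Z1, cached):
    """reADD: second input carries Z2^2 and Z2^3, saving 1S + 1M: 10M + 4S."""
    X2, Y2, Z2, Z2Z2, Z2Z2Z2 = cached
    Z1Z1 = sqr(Z1)
    U1, U2 = mul(X1, Z2Z2), mul(X2, Z1Z1)
    S1, S2 = mul(Y1, Z2Z2Z2), mul(Y2, mul(Z1, Z1Z1))
    return _tail(U1, S1, U2, S2, Z1, Z2, Z1Z1, Z2Z2)

def madd(X1, Y1, Z1, x2, y2):
    """Mixed ADD with an affine second input (Z2 = 1): 7M + 4S."""
    Z1Z1 = sqr(Z1)
    U2, S2 = mul(x2, Z1Z1), mul(y2, mul(Z1, Z1Z1))
    H = (U2 - X1) % P
    HH = sqr(H)
    I = 4 * HH % P
    J = mul(H, I)
    r, V = 2 * (S2 - Y1) % P, mul(X1, I)
    X3 = (sqr(r) - J - 2 * V) % P
    Y3 = (mul(r, V - X3) - 2 * mul(Y1, J)) % P
    Z3 = (sqr(Z1 + H) - Z1Z1 - HH) % P               # 2*Z1*H
    return X3, Y3, Z3

# Reference affine arithmetic (one inversion per operation); never counted.
def inv(a):
    return pow(a, P - 2, P)
def to_affine(X, Y, Z):
    zi = inv(Z)
    return X * zi * zi % P, Y * zi * zi * zi % P
def affine_add(p, q):
    (x1, y1), (x2, y2) = p, q
    lam = (3 * x1 * x1 - 3) * inv(2 * y1) if p == q else (y2 - y1) * inv(x2 - x1)
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def check():
    """Check every formula against affine arithmetic; return the (M, S) counts."""
    p1 = (1, 2)
    p2 = affine_add(p1, p1)
    p3 = affine_add(p2, p1)
    J1 = (p1[0] * 49 % P, p1[1] * 343 % P, 7)          # same point, Z = 7
    J2 = (p2[0] * 121 % P, p2[1] * 1331 % P, 11)       # same point, Z = 11
    counts = {}
    for name, want, f, args in [("DBL", p2, dbl, J1), ("ADD", p3, add, J1 + J2),
                                ("reADD", p3, readd, J1 + (cache(*J2),)),
                                ("mADD", p3, madd, J2 + p1)]:
        r, counts[name] = counted(f, *args)
        if to_affine(*r) != want:
            raise ValueError(f"{name} disagrees with affine arithmetic")
    return counts
```

Calling check() returns {"DBL": (3, 5), "ADD": (11, 5), "reADD": (10, 4), "mADD": (7, 4)}, the four figures from slide 87, and raises if any projective result disagrees with the affine group law. The counter deliberately ignores additions and the small constants 2, 3, 4, 8, which is the accounting the slides use; in a real implementation those still cost a few cycles each, and constant-time code additionally has to handle the H = 0 exceptional case that _tail leaves out.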

  88–89. Compare to speeds for Edwards curves x² + y² = 1 + dx²y² in projective coordinates (2007 Bernstein–Lange): 3M + 4S for DBL. 10M + 1S + 1D for ADD. 9M + 1S + 1D for mADD.
      Inverted Edwards coordinates (2007 Bernstein–Lange): 3M + 4S + 1D for DBL. 9M + 1S + 1D for ADD. 8M + 1S + 1D for mADD.
      Even better speeds: extended/completed coordinates (2008 Hisil–Wong–Ca…).
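To see where the Edwards figures on slide 89 come from, the following added example (not code from the slides or from Bernstein–Lange) implements the projective Edwards DBL and ADD for x² + y² = 1 + dx²y², counts M, S and multiplications by d (D) per call, and checks both against the affine addition law. The toy prime 1019, the constructed constant d = 2 (a non-square mod 1019, so the addition law is complete), the Z scalings 7 and 11, and the function names (edbl, eadd, point_with_x, check) are assumptions made for this example.

```python
# Added example, not from the slides: projective Edwards DBL and ADD (the 2007
# Bernstein-Lange formulas) for x^2 + y^2 = 1 + d*x^2*y^2 over a constructed
# toy prime field, with M/S/D counters to check the 3M + 4S and 10M + 1S + 1D
# figures quoted on the slide. Point search and affine checks are not counted.

P = 1019   # constructed toy prime; P = 3 mod 4, so a square root is one pow()
D = 2      # constructed curve constant; 2 is a non-square mod 1019 (complete law)
COUNT = {"M": 0, "S": 0, "D": 0}

def mul(a, b):
    COUNT["M"] += 1
    return a * b % P
def sqr(a):
    COUNT["S"] += 1
    return a * a % P
def muld(a):
    COUNT["D"] += 1                 # multiplication by the curve constant d
    return D * a % P
def counted(f, *args):
    """Run one formula and return (result, (M, S, D)) for that call alone."""
    COUNT["M"] = COUNT["S"] = COUNT["D"] = 0
    return f(*args), (COUNT["M"], COUNT["S"], COUNT["D"])

def edbl(X1, Y1, Z1):
    """Projective Edwards DBL: 3M + 4S, and no multiplication by d at all."""
    B = sqr(X1 + Y1)
    C, Dy, H = sqr(X1), sqr(Y1), sqr(Z1)
    E = (C + Dy) % P                # on the curve, x^2 + y^2 = 1 + d x^2 y^2
    J = (E - 2 * H) % P
    return mul(B - E, J), mul(E, C - Dy), mul(E, J)

def eadd(X1, Y1, Z1, X2, Y2, Z2):
    """Projective Edwards ADD: 10M + 1S + 1D. With d a non-square it is
    complete, so the same code also handles P = Q and P = -Q."""
    A = mul(Z1, Z2)
    Bsq = sqr(A)
    C, Dy = mul(X1, X2), mul(Y1, Y2)
    E = muld(mul(C, Dy))
    F, G = (Bsq - E) % P, (Bsq + E) % P
    X3 = mul(mul(A, F), mul(X1 + Y1, X2 + Y2) - C - Dy)   # (X1 Y2 + X2 Y1) A F
    Y3 = mul(mul(A, G), Dy - C)
    return X3, Y3, mul(F, G)

# Reference affine arithmetic (inversions via Fermat); never counted.
def inv(a):
    return pow(a, P - 2, P)

def point_with_x(x):
    """Affine point (x, y) on the curve with this x, or None if y^2 is a non-square."""
    den = (1 - D * x * x) % P
    if den == 0:
        return None
    r = (1 - x * x) * inv(den) % P           # y^2 = (1 - x^2) / (1 - d x^2)
    y = pow(r, (P + 1) // 4, P)              # valid root only when r is a square
    return (x, y) if y * y % P == r else None

def affine_add(p, q):
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return (x1 * y2 + x2 * y1) * inv(1 + t) % P, (y1 * y2 - x1 * x2) * inv(1 - t) % P

def check():
    """Check DBL and ADD against the affine law; return (M, S, D) per formula."""
    p1, p2 = [pt for pt in map(point_with_x, range(2, P)) if pt][:2]
    J1 = (p1[0] * 7 % P, p1[1] * 7 % P, 7)         # same point with Z = 7
    J2 = (p2[0] * 11 % P, p2[1] * 11 % P, 11)      # same point with Z = 11
    counts = {}
    for name, want, f, args in [("DBL", affine_add(p1, p1), edbl, J1),
                                ("ADD", affine_add(p1, p2), eadd, J1 + J2)]:
        (X, Y, Z), counts[name] = counted(f, *args)
        zi = inv(Z)
        if (X * zi % P, Y * zi % P) != want:
            raise ValueError(f"{name} disagrees with affine arithmetic")
    return counts
```

check() returns {"DBL": (3, 4, 0), "ADD": (10, 1, 1)}. Set beside the Jacobian counts, the ADD is cheaper by 1M + 4S (plus one multiplication by d, which is nearly free when d is small) and the DBL needs no curve-constant multiplication; the Edwards doubling also reads the curve equation off the inputs, which is why it contains no d at all.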
