http hyperelliptic org tanja newelliptic
play

http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. - PowerPoint PPT Presentation

May 14, 2023 •343 likes •586 views

http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange p. 1 Elliptic strikes back http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange p. 2 To face the challenge, to take the competition to a

  1. http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 1

  2. Elliptic strikes back http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 2

  3. To face the challenge, to take the competition to a completely new level . . . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 3

  4. . . . elliptic has to reconsider its form . . . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 4

  5. . . . has to abstract from its Weierstrass form . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 5

  6. . . . has to undergo severe isomorphic transformations . . . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 6

  7. . . . until it finds . . . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 7

  8. . . . its true . . . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 8

  9. . . . normal form! http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 9

  10. Long, long ago . . . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 10

  11. Euler 1761 “ Observationes de Comparatione Arcuum Curvarum Irrectificabilium” y 2 = 1 − nx 2 1 1 − x 2 ⇔ x 2 + y 2 = 1 + nx 2 y 2 . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 11

  12. Euler 1761 Euler gives doubling and (special) addition for ( a, A ) on a 2 + A 2 = 1 − a 2 A 2 . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 12

  13. Gauss, posthumously Gauss gives general addition for arbitrary points on 1 = s 2 + c 2 + s 2 c 2 . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 13

  14. Ex uno plura Harold M. Edwards, Bulletin of the AMS, 44 , 393–422, 2007 x 2 + y 2 = a 2 (1 + x 2 y 2 ) , a 5 � = a describes an elliptic curve over field k of odd characteristic. Every elliptic curve can be written in this form – over some extension field. Ur-elliptic curve x 2 + y 2 = 1 − x 2 y 2 needs √− 1 ∈ k transform. Edwards gives addition law for this generalized form, shows equivalence with Weierstrass form, proves addition law, gives theta parameterization . . . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 14

  15. Elliptic geared for crypto Introduce further parameter d to cover more curves over k x 2 + y 2 = c 2 (1 + dx 2 y 2 ) , c, d � = 0 , dc 4 � = 1 . � x P y Q + y P x Q y P y Q − x P x Q � P + Q = c (1 + dx P x Q y P y Q ) , . c (1 − dx P x Q y P y Q ) Neutral element is (0 , c ) , this is an affine point! − ( x P , y P ) = ( − x P , y P ) . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 15

  16. Elliptic geared for crypto Introduce further parameter d to cover more curves over k x 2 + y 2 = c 2 (1 + dx 2 y 2 ) , c, d � = 0 , dc 4 � = 1 . � x P y Q + y P x Q y P y Q − x P x Q � P + Q = c (1 + dx P x Q y P y Q ) , . c (1 − dx P x Q y P y Q ) Neutral element is (0 , c ) , this is an affine point! − ( x P , y P ) = ( − x P , y P ) . � � x P y P + y P x P y P y P − x P x P [2] P = c (1 + dx P x P y P y P ) , . c (1 − dx P x P y P y P ) http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 15

  17. Elliptic geared for crypto Introduce further parameter d to cover more curves over k x 2 + y 2 = c 2 (1 + dx 2 y 2 ) , c, d � = 0 , dc 4 � = 1 . � x P y Q + y P x Q y P y Q − x P x Q � P + Q = c (1 + dx P x Q y P y Q ) , . c (1 − dx P x Q y P y Q ) Neutral element is (0 , c ) , this is an affine point! − ( x P , y P ) = ( − x P , y P ) . � x P y P + y P x P y P y P − x P x P � [2] P = c (1 + dx P x P y P y P ) , . c (1 − dx P x P y P y P ) Unified group operations! http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 15

  18. Elliptic geared for crypto Introduce further parameter d to cover more curves over k x 2 + y 2 = c 2 (1 + dx 2 y 2 ) , c, d � = 0 , dc 4 � = 1 . � x P y Q + y P x Q y P y Q − x P x Q � P + Q = c (1 + dx P x Q y P y Q ) , . c (1 − dx P x Q y P y Q ) Z P · Z Q ; B = A 2 ; C = X P · X Q ; D = Y P · Y Q ; A = E = d · C · D ; F = B − E ; G = B + E ; X P + Q = A · F · (( X P + Y P ) · ( X Q + Y Q ) − C − D ); Y P + Q = A · G · ( D − C ); Z P + Q = c · F · G. http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 15

  19. Elliptic geared for crypto Introduce further parameter d to cover more curves over k x 2 + y 2 = c 2 (1 + dx 2 y 2 ) , c, d � = 0 , dc 4 � = 1 . � x P y Q + y P x Q y P y Q − x P x Q � P + Q = c (1 + dx P x Q y P y Q ) , . c (1 − dx P x Q y P y Q ) Z P · Z Q ; B = A 2 ; C = X P · X Q ; D = Y P · Y Q ; A = E = d · C · D ; F = B − E ; G = B + E ; X P + Q = A · F · (( X P + Y P ) · ( X Q + Y Q ) − C − D ); Y P + Q = A · G · ( D − C ); Z P + Q = c · F · G. Needs 10M + 1S + 1C + 1D + 7A. At least one of c, d small: x 2 + y 2 = c 2 (1 + dx 2 y 2 ) and x 2 + y 2 = ¯ c 4 ¯ c 2 (1 + ¯ dx 2 y 2 ) isomorphic if c 4 d = ¯ d . d = ( c 4 d ) − 1 gives quadratic twist. c 4 ¯ ¯ http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 15

  20. Unified? Unified! No exceptional cases? What if a denominator is zero? If d is not a square then Edwards addition law is complete: For x 2 1 + y 2 1 = 1 + dx 2 1 y 2 1 and x 2 2 + y 2 2 = 1 + dx 2 2 y 2 2 always dx 1 x 2 y 1 y 2 � = ± 1 . Outline of proof: If ( dx 1 x 2 y 1 y 2 ) 2 = 1 then ( x 1 + dx 1 x 2 y 1 y 2 y 1 ) 2 = dx 2 1 y 2 1 ( x 2 + y 2 ) 2 . Conclude that d is a square. But d is not a square! If d is not a square then there is exactly one point of order 2 and two of order 4 . Otherwise the full 2 -torsion group is k -rational. Plane curve has 2 singular points at infinity; their √ blow-ups are defined over k ( d ) and have order 2 . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 16

  21. Fastest unified addition-or-doubling formula System Cost of unified addition-or-doubling Projective 11M+6S+1D; see Brier/Joye ’03 Projective if a 4 = − 1 13M+3S; see Brier/Joye ’02 Jacobi intersection 13M+2S+1D; see Liardet/Smart ’01 Jacobi quartic 10M+3S+1D; see Billet/Joye ’01 Hessian 12M; see Joye/Quisquater ’01 Edwards ( c = 1 ) 10M+1S+1D Exactly the same formulae for doubling (no re-arrangement like in Hessian where 2( X 1 : Y 1 : Z 1 ) = ( Z 1 : X 1 : Y 1 ) + ( Y 1 : Z 1 : X 1 ); no if-else) No exceptional cases if d is not a square. Formulae correct for all affine inputs (incl. (0 , c ) , P + ( − P ) ). http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 17

  22. Spotlight on the transformation Curve x 2 + y 2 = c 2 (1 + dx 2 y 2 ) in Edwards form is birationally equivalent to curve E : (1 /e ) v 2 = u 3 + (4 /e − 2) u 2 + u in Montgomery form, where e = 1 − dc 4 . Let ( x 1 , y 1 ) + ( x 2 , y 2 ) = ( x 3 , y 3 ) on Edwards curve. Put P i = ∞ if ( x i , y i ) = (0 , c ) ; P i = (0 , 0) if ( x i , y i ) = (0 , − c ) ; P i = ( u i , v i ) if x i � = 0 , where u i = ( c + y i ) / ( c − y i ) and v i = 2 c ( c + y i ) / ( c − y i ) x i . Then P i ∈ E ( k ) and P 1 + P 2 = P 3 . http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 18

  23. http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 19

  24. http://hyperelliptic.org/tanja/newelliptic D. J. Bernstein & T. Lange – p. 20

Recommend

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven

Edwards Coordinates for Elliptic Curves, part 1 Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org joint work with Daniel J. Bernstein 10.11.2007 http://www.hyperelliptic.org/tanja/newelliptic/ Tanja Lange p. 1 Do

787 views • 51 slides
ECM on Graphics Cards Tanja Lange Department of Mathematics and Computer Science Technische

ECM on Graphics Cards Tanja Lange Department of Mathematics and Computer Science Technische

ECM on Graphics Cards Tanja Lange Department of Mathematics and Computer Science Technische Universiteit Eindhoven tanja@hyperelliptic.org 09.10.2008 joint work with Daniel J. Bernstein (UIC), Tien-Ren Chen (NTU), Chen-Mou Cheng (NTU), and

465 views • 27 slides
Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 09.05.2008 joint work with Reza Rezaeian Farashahi, Eindhoven

571 views • 33 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 12.08.2008 joint work with Reza Rezaeian Farashahi, Eindhoven D. J. Bernstein

428 views • 27 slides
L -functions via deformations: from hyperelliptic curves to hypergeometric motives Kiran S.

L -functions via deformations: from hyperelliptic curves to hypergeometric motives Kiran S.

L -functions via deformations: from hyperelliptic curves to hypergeometric motives Kiran S. Kedlaya Department of Mathematics, University of California, San Diego kedlaya@ucsd.edu http://kskedlaya.org/slides/ Arithmetic of Hyperelliptic Curves

708 views • 48 slides
Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve Cryptography Nicolas Thriault ntheriau@fields.utoronto.ca Fields Institute Discrete Logarithms Suppose that G = a , an additive group of order

230 views • 21 slides
Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange Eindhoven University Ruhr-Universitt of Technology Bochum Overview Elliptic Curves Hyperelliptic Curves HEC of Genus 2

473 views • 33 slides
Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927 http://xkcd.com/927 But our goal today isnt unification; its security. We come to bury the standard, not to praise it. Why do people choose

572 views • 31 slides
Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault

Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault

Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault nicolast@exp-math.uni-essen.de University of Toronto / IEM Universitt DuisburgEssen Slide index Discrete Log Problem Large primes Hyperelliptic

927 views • 67 slides
Rank and Bias in Families of Hyperelliptic Curves Trajan Hammonds 1 Ben Logsdon 2

Rank and Bias in Families of Hyperelliptic Curves Trajan Hammonds 1 Ben Logsdon 2

Background Hyperelliptic curves with moderately large rank over Q ( T ) Bias Conjecture Acknowledgements Rank and Bias in Families of Hyperelliptic Curves Trajan Hammonds 1 Ben Logsdon 2 thammond@andrew.cmu.edu bcl5@williams.edu Joint with

426 views • 41 slides
Abel-Jacobi map on complex hyperelliptic curves Pascal Molin CARAMEL, Loria Nancy june 2011

Abel-Jacobi map on complex hyperelliptic curves Pascal Molin CARAMEL, Loria Nancy june 2011

Abel-Jacobi map on complex hyperelliptic curves Pascal Molin CARAMEL, Loria Nancy june 2011 Hyperelliptic curve 2 g + 1 C : y 2 = ( x a i ) i = 1 Riemann surface with two sheets. a i = branch points. color = argument of y

733 views • 28 slides
Cleaning up crypto D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja Lange, T. U.

Cleaning up crypto D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja Lange, T. U.

Cleaning up crypto D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven Tanja Lange, T. U. Eindhoven Joint work with: Peter Schwabe, R. U. Nijmegen http://xkcd.com/538/ AES-128, RSA-2048, etc. are widely accepted standards. Obviously

844 views • 52 slides
Counting numerical semigroups of a given genus by using -hyperelliptic semigroups Matheus

Counting numerical semigroups of a given genus by using -hyperelliptic semigroups Matheus

Counting numerical semigroups of a given genus by using -hyperelliptic semigroups Matheus Bernardini 1 University of Campinas / Federal Institute of S ao Paulo (Joint work in progress with Fernando Torres 1 ) International Meeting on

779 views • 51 slides
Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis

Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis

Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis Christophe Negre ici joined work with T. Plantard (U. of Wollongong, Australia) Journees Nationales GDR IM January 19-th, 2016 1 / 39 Outline Regular

1.15k views • 90 slides
Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de

Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de

Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de Lorraine, Nancy Joint work with P. Gaudry and P.-J. Spaenlehauer January 25, 2018 CARAMBA /* */ E,C, /* */ c,r, /* */ u,l, e,s, i=5,

907 views • 36 slides
Efficient and Cryptographically Secure Addition in the Ideal Class Groups of Hyperelliptic

Efficient and Cryptographically Secure Addition in the Ideal Class Groups of Hyperelliptic

Efficient and Cryptographically Secure Addition in the Ideal Class Groups of Hyperelliptic Curves Diploma thesis Andrey Bogdanov* Scientific advisors: Prof. Dr. Dr. h.c. Gerhard Frey Prof. Dr. Vladimir Anashin Russian State

397 views • 29 slides
Hardware Arithmetic Units and Cryptoprocessors for Hyperelliptic Curve Cryptography Gabriel

Hardware Arithmetic Units and Cryptoprocessors for Hyperelliptic Curve Cryptography Gabriel

Hardware Arithmetic Units and Cryptoprocessors for Hyperelliptic Curve Cryptography Gabriel GALLIN CNRS IRISA Univ. Rennes 1 November 29 th , 2018 Ph.D. supervised by Arnaud TISSERAND, CNRS Lab-STICC Introduction 1 HTMM

591 views • 40 slides
Explicit Coleman integration for hyperelliptic curves Jennifer Balakrishnan 1 Robert Bradshaw 2

Explicit Coleman integration for hyperelliptic curves Jennifer Balakrishnan 1 Robert Bradshaw 2

Explicit Coleman integration for hyperelliptic curves Jennifer Balakrishnan 1 Robert Bradshaw 2 Kiran Kedlaya 1 1 Massachusetts Institute of Technology 2 University of Washington ANTS-IX INRIA Nancy, France Thursday, July 22, 2010 Balakrishnan,

630 views • 41 slides
A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd , 2003 M.Katagi, I.Kitamura, T.Akishita, and T. Takagi(*) Sony Corporation (*)Technische Universitaet Darmstadt Introduction Optimization of

229 views • 5 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views • 76 slides
Meyers function of the hyperelliptic mapping class group and related invariants of 3-manifolds

Meyers function of the hyperelliptic mapping class group and related invariants of 3-manifolds

Meyers function of the hyperelliptic mapping class group and related invariants of 3-manifolds Takayuki Morifuji Tokyo University of Agriculture and Technology CTQM, 28 March 2008 1 Secondary invariants signature cocycle Meyers

484 views • 44 slides
Local heights on hyperelliptic curves Jennifer Balakrishnan MIT, Department of Mathematics E ff

Local heights on hyperelliptic curves Jennifer Balakrishnan MIT, Department of Mathematics E ff

Local heights on hyperelliptic curves Jennifer Balakrishnan MIT, Department of Mathematics E ff ective Methods in p -adic Cohomology Mathematical Institute, University of Oxford Tuesday, March 16, 2010 Jennifer Balakrishnan (MIT) Local heights

309 views • 14 slides
ECC2011 summer school September 1516, 2011 Point counting algorithms on hyperelliptic curves

ECC2011 summer school September 1516, 2011 Point counting algorithms on hyperelliptic curves

ECC2011 summer school September 1516, 2011 Point counting algorithms on hyperelliptic curves F. Morain I. Introduction and motivations Goal: build an effective group of cryptographic strength, resisting all known attacks. Dream: find

834 views • 48 slides

More recommend