Addition laws on elliptic curves. D. J. Bernstein University of Illinois at Chicago. Joint work with: Tanja Lange Technische Universiteit Eindhoven

Transcription

1 Addition laws on elliptic curves D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven

2 , 09:00 (yikes!), Leiden University, part of Mathematics: Algorithms and Proofs week at Lorentz Center: Harold Edwards speaks on Addition on elliptic curves. Edwards

3 What we think when we hear addition on elliptic curves : Ý È + É É È Ü Addition on Ý 2 5ÜÝ = Ü 3 7.

4 = (Ý2 Ý1) (Ü2 Ü1), Ü3 = 2 5 Ü1 Ü2, Ý3 = 5Ü3 (Ý1 + (Ü3 Ü1)) µ (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3).

5 = (Ý2 Ý1) (Ü2 Ü1), Ü3 = 2 5 Ü1 Ü2, Ý3 = 5Ü3 (Ý1 + (Ü3 Ü1)) µ (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3). Oops, this requires Ü1 = Ü2. = (5Ý1 + 3Ü 2 1 ) (2Ý 1 5Ü1), Ü3 = 2 5 2Ü1, Ý3 = 5Ü3 (Ý1 + (Ü3 Ü1)) µ (Ü1 Ý1) + (Ü1 Ý1) = (Ü3 Ý3).

6 = (Ý2 Ý1) (Ü2 Ü1), Ü3 = 2 5 Ü1 Ü2, Ý3 = 5Ü3 (Ý1 + (Ü3 Ü1)) µ (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3). Oops, this requires Ü1 = Ü2. = (5Ý1 + 3Ü 2 1 ) (2Ý 1 5Ü1), Ü3 = 2 5 2Ü1, Ý3 = 5Ü3 (Ý1 + (Ü3 Ü1)) µ (Ü1 Ý1) + (Ü1 Ý1) = (Ü3 Ý3). Oops, this requires 2Ý1 = 5Ü1. (Ü1 Ý1) + (Ü1 5Ü1 Ý1) = ½. (Ü1 Ý1) + ½ = (Ü1 Ý1). ½ + (Ü1 Ý1) = (Ü1 Ý1). ½ + ½ = ½.

7 Despite 09:00, despite Dutch trains, we attend the talk. Edwards says: Euler Gauss addition law on Ü 2 + Ý 2 = 1 Ü 2 Ý 2 is (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3) with Ü3 = Ü 1Ý2 + Ý1Ü2 1 Ü1Ü2Ý1Ý2 Ý3 = Ý 1Ý2 Ü1Ü2 1 + Ü1Ü2Ý1Ý2,. Euler Gauss

8 Edwards, continued: Every elliptic curve over Q is birationally equivalent to Ü 2 + Ý 2 = 2 (1 + Ü 2 Ý 2 ) for some ¾ Q 0 1. (Euler Gauss curve the lemniscatic elliptic curve. )

9 Edwards, continued: Every elliptic curve over Q is birationally equivalent to Ü 2 + Ý 2 = 2 (1 + Ü 2 Ý 2 ) for some ¾ Q 0 1. (Euler Gauss curve the lemniscatic elliptic curve. ) Ü 2 + Ý 2 = 2 (1 + Ü 2 Ý 2 ) has neutral element (0 ), addition (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3) with Ü3 = Ü 1Ý2 + Ý1Ü2 (1 + Ü1Ü2Ý1Ý2), Ý3 = Ý 1Ý2 Ü1Ü2 (1 Ü1Ü2Ý1Ý2).

10 Addition law is unified : (Ü1 Ý1) + (Ü1 Ý1) = (Ü3 Ý3) with Ü3 = Ü 1Ý1 + Ý1Ü1 (1 + Ü1Ü1Ý1Ý1), Ý3 = Ý 1Ý1 Ü1Ü1 (1 Ü1Ü1Ý1Ý1). Have seen unification before. e.g., 1986 Chudnovsky 2 : 17M unified addition formulas for (Ë : : : ) on Jacobi s Ë = 2, 2 Ë = 2. Chudnovsky 2 Jacobi

11 , 09:30, Bernstein Lange: Edwards addition law with standard projective ( : : ), standard Karatsuba optimization, common-subexp elimination: 10M + 1S + 1A. Faster than anything seen before! M: field multiplication. S: field squaring. A: multiplication by. Karatsuba

12 Edwards paper: Bulletin AMS 44 (2007), Many papers in 2007, 2008, 2009 have now used Edwards curves to set speed records for critical computations in elliptic-curve cryptography. Also new speed records for ECM factorization: see Lange s talk here on Saturday. Also expect speedups in verifying elliptic-curve primality proofs.

13 Back to B. L., early Edwards Ü 2 + Ý 2 = 2 (1 + Ü 2 Ý 2 ) doesn t rationally include Euler Gauss Ü 2 + Ý 2 = 1 Ü 2 Ý 2. Common generalization, presumably more curves over Q, presumably more curves over F : Õ Ü 2 + Ý 2 = 2 (1 + Ü 2 Ý 2 ) has neutral element (0 ), addition (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3) with Ü3 = Ý3 = Ü 1Ý2 + Ý1Ü2 (1 + Ü1Ü2Ý1Ý2), Ý 1Ý2 Ü1Ü2 (1 Ü1Ü2Ý1Ý2).

14 Convenient to take = 1 for speed, simplicity. Covers same set of curves up to birational equivalence: ( ) (1 4 ). Ü 2 + Ý 2 = 1 + Ü 2 Ý 2 has neutral element (0 1), addition (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3) with Ü3 = Ü 1Ý2 + Ý1Ü2 1 + Ü1Ü2Ý1Ý2, Ý3 = Ý 1Ý2 Ü1Ü2 1 Ü1Ü2Ý1Ý2.

15 Hmmm, does this really work? Easiest way to check the generalized addition law: pull out the computer! Pick a prime Ô; e.g. 47. Pick curve param ¾ F. Ô Enumerate all affine points (Ü Ý) ¾ F F satisfying Ô Ô Ü 2 + Ý 2 = 1 + Ü 2 Ý 2. Use generalized addition law to make an addition table for all pairs of points. Check associativity etc.

16 Warning: Don t expect complete addition table. Addition law works generically but can fail for some exceptional pairs of points. Unified addition law works for generic additions and for generic doublings but can fail for some exceptional pairs of points. Basic problem: Denominators 1 Ü1Ü2Ý1Ý2 can be zero.

17 Even if we switched to projective coordinates, would expect addition law to fail for some points, producing (0 : 0 : 0) Bosma Lenstra theorem: The smallest cardinality of a complete system of addition laws on equals two. Bosma Lenstra

18 Try Ô = 47, = 25: denominator 1 Ü1Ü2Ý1Ý2 is nonzero for most points (Ü1 Ý1), (Ü2 Ý2) on curve. Edwards addition law is associative whenever defined.

19 Try Ô = 47, = 25: denominator 1 Ü1Ü2Ý1Ý2 is nonzero for most points (Ü1 Ý1), (Ü2 Ý2) on curve. Edwards addition law is associative whenever defined. Try Ô = 47, = 1: denominator 1 Ü1Ü2Ý1Ý2 is nonzero for all points (Ü1 Ý1), (Ü2 Ý2) on curve. Addition law is a group law!

20 Try Ô = 47, = 25: denominator 1 Ü1Ü2Ý1Ý2 is nonzero for most points (Ü1 Ý1), (Ü2 Ý2) on curve. Edwards addition law is associative whenever defined. Try Ô = 47, = 1: denominator 1 Ü1Ü2Ý1Ý2 is nonzero for all points (Ü1 Ý1), (Ü2 Ý2) on curve. Addition law is a group law! vs. Z60T

21 2007 Bernstein Lange completeness proof for all non-square : If Ü Ý2 1 = 1 + Ü2 1 Ý2 1 and Ü Ý2 2 = 1 + Ü2 2 Ý2 2 and Ü1Ü2Ý1Ý2 = 1

22 2007 Bernstein Lange completeness proof for all non-square : If Ü Ý2 1 = 1 + Ü2 1 Ý2 1 and Ü Ý2 2 = 1 + Ü2 2 Ý2 2 and Ü1Ü2Ý1Ý2 = 1 then Ü 2 1 Ý2 1 (Ü 2 + Ý2) 2 = Ü 2 1 Ý2 1 (Ü2 2 + Ý Ü 2Ý2) = Ü 2 1 Ý2 1 ( Ü2 2 Ý Ü 2Ý2)

23 2007 Bernstein Lange completeness proof for all non-square : If Ü Ý2 1 = 1 + Ü2 1 Ý2 1 and Ü Ý2 2 = 1 + Ü2 2 Ý2 2 and Ü1Ü2Ý1Ý2 = 1 then Ü 2 1 Ý2 1 (Ü 2 + Ý2) 2 = Ü 2 1 Ý2 1 (Ü2 2 + Ý Ü 2Ý2) = Ü 2 1 Ý2 1 ( Ü2 2 Ý Ü 2Ý2) = 2 Ü 2 1 Ý2 1 Ü2 2 Ý2 2 + Ü2 1 Ý Ü2 1 Ý2 1 Ü 2Ý2

24 2007 Bernstein Lange completeness proof for all non-square : If Ü Ý2 1 = 1 + Ü2 1 Ý2 1 and Ü Ý2 2 = 1 + Ü2 2 Ý2 2 and Ü1Ü2Ý1Ý2 = 1 then Ü 2 1 Ý2 1 (Ü 2 + Ý2) 2 = Ü 2 1 Ý2 1 (Ü2 2 + Ý Ü 2Ý2) = Ü 2 1 Ý2 1 ( Ü2 2 Ý Ü 2Ý2) = 2 Ü 2 1 Ý2 1 Ü2 2 Ý2 2 + Ü2 1 Ý Ü2 1 Ý2 1 Ü 2Ý2 = 1 + Ü 2 1 Ý2 1 2Ü 1Ý1

25 2007 Bernstein Lange completeness proof for all non-square : If Ü Ý2 1 = 1 + Ü2 1 Ý2 1 and Ü Ý2 2 = 1 + Ü2 2 Ý2 2 and Ü1Ü2Ý1Ý2 = 1 then Ü 2 1 Ý2 1 (Ü 2 + Ý2) 2 = Ü 2 1 Ý2 1 (Ü2 2 + Ý Ü 2Ý2) = Ü 2 1 Ý2 1 ( Ü2 2 Ý Ü 2Ý2) = 2 Ü 2 1 Ý2 1 Ü2 2 Ý2 2 + Ü2 1 Ý Ü2 1 Ý2 1 Ü 2Ý2 = 1 + Ü 2 1 Ý2 1 2Ü 1Ý1 = Ü Ý2 1 2Ü 1Ý1 = (Ü1 Ý1) 2.

26 2007 Bernstein Lange completeness proof for all non-square : If Ü Ý2 1 = 1 + Ü2 1 Ý2 1 and Ü Ý2 2 = 1 + Ü2 2 Ý2 2 and Ü1Ü2Ý1Ý2 = 1 then Ü 2 1 Ý2 1 (Ü 2 + Ý2) 2 = Ü 2 1 Ý2 1 (Ü2 2 + Ý Ü 2Ý2) = Ü 2 1 Ý2 1 ( Ü2 2 Ý Ü 2Ý2) = 2 Ü 2 1 Ý2 1 Ü2 2 Ý2 2 + Ü2 1 Ý Ü2 1 Ý2 1 Ü 2Ý2 = 1 + Ü 2 1 Ý2 1 2Ü 1Ý1 = Ü Ý2 1 2Ü 1Ý1 = (Ü1 Ý1) 2. Have Ü2 + Ý2 = 0 or Ü2 Ý2 = 0; either way is a square. Q.E.D.

27 1995 Bosma Lenstra theorem: The smallest cardinality of a complete system of addition laws on equals two.

28 1995 Bosma Lenstra theorem: The smallest cardinality of a complete system of addition laws on equals two. meaning: Any addition formula for a Weierstrass curve in projective coordinates must have exceptional cases in ( ) ( ), where = algebraic closure of.

29 1995 Bosma Lenstra theorem: The smallest cardinality of a complete system of addition laws on equals two. meaning: Any addition formula for a Weierstrass curve in projective coordinates must have exceptional cases in ( ) ( ), where = algebraic closure of. Edwards addition formula has exceptional cases for ( ) but not for ( ). We do computations in ( ).

30 Summary: Assume field; 2 = 0 in ; non-square ¾. Then (Ü Ý) ¾ : Ü 2 + Ý 2 = 1 + Ü 2 Ý 2 is a commutative group with (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3) defined by Edwards addition law: Ü3 = Ü 1Ý2 + Ý1Ü2 1 + Ü1Ü2Ý1Ý2 Ý3 = Ý 1Ý2 Ü1Ü2 1 Ü1Ü2Ý1Ý2,. Terminology: Edwards curves allow arbitrary ¾ ; = 4 are original Edwards curves ; non-square are complete.

31 = 0: the clock group. Ü 2 + Ý 2 = 1, parametrized by (Ü Ý) = (sin cos). Gauss parametrized Ü 2 + Ý 2 = 1 Ü 2 Ý 2 by (Ü Ý) = ( lemn sin lemn cos ). Abel, Jacobi sn, cn, dn handle all elliptic curves, but (sn cn) does not specialize to (lemn sin lemn cos). Bad generalization of (sin cos). Edwards Ü is sn; Edwards Ý is cn/dn. Theta view: see Edwards paper.

32 Every elliptic curve over with a point of order 4 is birationally equivalent to an Edwards curve. Unique order-2 point µ complete. Convenient for implementors: no need to worry about accidentally bumping into exceptional inputs. Particularly nice for cryptography: no need to worry about attackers manufacturing exceptional inputs, hearing case distinctions, etc.

33 What about elliptic curves without points of order 4? What about elliptic curves over binary fields? Continuing project (B. L.): For every elliptic curve, find complete addition law for with best possible speeds. Complete laws are useful even if slower than Edwards!

34 2008 B. Birkner L. Peters: twisted Edwards curves Ü 2 + Ý 2 = 1 + Ü 2 Ý 2 cover all Montgomery curves. Almost as fast as = 1; brings Edwards speed to larger class of curves B. B. Joye L. P.: every elliptic curve over F Ô where 4 divides group order is (1 or 2)-isogenous to a twisted Edwards curve.

35 Statistics for many Ô ¾ 1 + 4Z, number of pairs ( ( ) # ): Curves total odd 2odd 4odd 8odd orig 1 24 Ô compl 1 2 Ô Ô Ed 2 3 Ô Ô twist 5 6 Ô Ô 4Z 5 6 Ô all 2Ô 2 3 Ô 1 2 Ô 1 8 Ô 3 16 Ô 3 16 Ô 3 16 Ô 12 Ô 5 12 Ô 3 16 Ô Different statistics for 3 + 4Z. Bad news: complete twisted Edwards complete Edwards!

36 Some Newton polygons Short Weierstrass Jacobi quartic Hessian Edwards 1893 Baker: genus is generically number of interior points Poonen Rodriguez-Villegas classified genus-1 polygons.

37 How to generalize Edwards? Design decision: want quadratic in Ü and in Ý. Design decision: want Ü Ý symmetry Curve shape (Ü + Ý) + 11ÜÝ + 20(Ü 2 + Ý 2 ) + 21ÜÝ(Ü + Ý) + 22Ü 2 Ý 2 = 0.

38 Suppose that 22 = 0: Genus 1 µ (1 1) is an interior point µ 21 = 0. Homogenize: ( + ) ( ) + 21 ( + ) = 0.

39 Points at ½ are ( : : 0) with 21 ( + ) = 0: i.e., (1 : 0 : 0), (0 : 1 : 0), (1 : 1 : 0). Study (1 : 0 : 0) by setting Ý =, Þ = in homogeneous curve equation: 00Þ (1 + Ý)Þ ÝÞ + 20(1 + Ý 2 )Þ + 21Ý(1 + Ý) = 0. Nonzero coefficient of Ý so (1 : 0 : 0) is nonsingular. Addition law cannot be complete (unless is tiny).

40 So we require 22 = 0. Points at ½ are ( : : 0) with = 0: i.e., (1 : 0 : 0), (0 : 1 : 0). Study (1 : 0 : 0) again: 00Þ (1 + Ý)Þ ÝÞ (1 + Ý 2 )Þ Ý(1 + Ý)Þ + 22Ý 2 = 0. Coefficients of 1 Ý Þ are 0 so (1 : 0 : 0) is singular.

41 Put Ý = ÙÞ, divide by Þ 2 to blow up singularity: 00Þ (1 + ÙÞ)Þ + 11ÙÞ + 20(1 + Ù 2 Þ 2 ) + 21Ù(1 + ÙÞ) + 22Ù 2 = 0. Substitute Þ = 0 to find points above singularity: Ù + 22Ù 2 = 0. We require the quadratic Ù + 22Ù 2 to be irreducible in. Special case: complete Edwards, 1 Ù 2 irreducible in.

42 In particular 20 = 0: Design decision: Explore a deviation from Edwards. Choose neutral element (0 0). 00 = 0; 10 = 0. Can vary neutral element. Warning: bad choice can produce surprisingly expensive negation.

43 Now have a Newton polygon for generalized Edwards curves: By scaling Ü Ý and scaling curve equation can limit to three degrees of freedom.

44 2008 B. L. Rezaeian Farashahi: complete addition law for binary Edwards curves 1(Ü + Ý) + 2(Ü 2 + Ý 2 ) = (Ü + Ü 2 )(Ý + Ý 2 ). Covers all ordinary elliptic curves over F 2 Ò for Ò 3. Also surprisingly fast, especially if 1 = 2.

45 2008 B. L. Rezaeian Farashahi: complete addition law for binary Edwards curves 1(Ü + Ý) + 2(Ü 2 + Ý 2 ) = (Ü + Ü 2 )(Ý + Ý 2 ). Covers all ordinary elliptic curves over F 2 Ò for Ò 3. Also surprisingly fast, especially if 1 = B. L.: complete addition law for another specialization covering all the NIST curves over non-binary fields.

46 Consider, e.g., the curve Ü 2 + Ý 2 = Ü + Ý + ØÜÝ + Ü 2 Ý 2 with = 1 and Ø = ½¼½ ¼ ½½½ ¾ ¾ ¾¼ ½ ¼ ¼ ½ ¼¾¼¾ ½ ½½ ¾¼½ over F Ô where Ô = Note: is non-square in F Ô. Birationally equivalent to standard NIST P-256 curve Ú 2 = Ù 3 3Ù + 6 where 6 = ½¼ ¾ ½ ¾½ ¾½¾ ¾ ½¾ ¼ ¼ ¾ ¼ ½½ ½¼½ ¾ ¾ ½ ¼ ¼½¾ ½.

47 An addition law for Ü 2 + Ý 2 = Ü + Ý + ØÜÝ + Ü 2 Ý 2, complete if is not a square: Ü1 + Ü2 + (Ø 2)Ü1Ü2 + (Ü1 Ý1)(Ü2 Ý2) + Ü3 = Ü 2 1 (Ü 2Ý1 + Ü2Ý2 Ý1Ý2) 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) ; Ý1 + Ý2 + (Ø 2)Ý1Ý2 + (Ý1 Ü1)(Ý2 Ü2) + Ý3 = Ý 2 1 (Ý 2Ü1 + Ý2Ü2 Ü1Ü2) 1 2 Ý1Ý2Ü2 Ý 2 1 (Ý 2 + Ü2 + (Ø 2)Ý2Ü2).

48 Note on computing addition laws: An easy Magma script uses Riemann Roch to find addition law given a curve shape. Are those laws nice? No! Find lower-degree laws by Monagan Pearce algorithm, ISSAC 2006; or by evaluation at random points on random curves. Are those laws complete? No! But always seems easy to find complete addition laws among low-degree laws where denominator constant term = 0.

49 Birational equivalence from Ü 2 + Ý 2 = Ü + Ý + ØÜÝ + Ü 2 Ý 2 to Ú 2 (Ø + 2)ÙÚ + Ú = Ù 3 (Ø+2)Ù 2 Ù+(Ø+2) i.e. Ú 2 (Ø + 2)ÙÚ + Ú = (Ù 2 )(Ù (Ø + 2)): Ù = ( ÜÝ + Ø + 2) (Ü + Ý); Ú = ((Ø + 2)2 )Ü (Ø + 2)ÜÝ + Ü + Ý. Assuming Ø + 2 square, not: only exceptional point is (0 0), mapping to ½. Inverse: Ü = Ú (Ù 2 ); Ý = ((Ø + 2)Ù Ú ) (Ù 2 ).

50 Completeness Ü1 + Ü2 + (Ø 2)Ü1Ü2 + (Ü1 Ý1)(Ü2 Ý2) + Ü3 = Ü 2 1 (Ü 2Ý1 + Ü2Ý2 Ý1Ý2) 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) ; Ý1 + Ý2 + (Ø 2)Ý1Ý2 + (Ý1 Ü1)(Ý2 Ü2) + Ý3 = Ý 2 1 (Ý 2Ü1 + Ý2Ü2 Ü1Ü2) 1 2 Ý1Ý2Ü2 Ý 2 1 (Ý 2 + Ü2 + (Ø 2)Ý2Ü2). Can denominators be 0?

51 Only if is a square! Theorem: Assume that is a field with 2 = 0; Ø Ü1 Ý1 Ü2 Ý2 ¾ ; is not a square in ; 27 = (2 Ø) 3 ; Ü Ý2 1 = Ü 1+ Ý1+ ØÜ1Ý1+ Ü 2 1 Ý2 1 ; Ü Ý2 2 = Ü 2+ Ý2+ ØÜ2Ý2+ Ü 2 2 Ý2 2. Then 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0.

52 Only if is a square! Theorem: Assume that is a field with 2 = 0; Ø Ü1 Ý1 Ü2 Ý2 ¾ ; is not a square in ; 27 = (2 Ø) 3 ; Ü Ý2 1 = Ü 1+ Ý1+ ØÜ1Ý1+ Ü 2 1 Ý2 1 ; Ü Ý2 2 = Ü 2+ Ý2+ ØÜ2Ý2+ Ü 2 2 Ý2 2. Then 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0. By Ü Ý symmetry also 1 2 Ý1Ý2Ü2 Ý 1 2(Ý 2 + Ü2 + (Ø 2)Ý2Ü2) = 0.

53 Proof: Suppose that 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0.

54 Proof: Suppose that 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0. Note that Ü1 = 0.

55 Proof: Suppose that 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0. Note that Ü1 = 0. Use curve equation 2 to see that (1 Ü1Ü2Ý2) 2 = Ü 2 1 (Ü 2 Ý2) 2.

56 Proof: Suppose that 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0. Note that Ü1 = 0. Use curve equation 2 to see that (1 Ü1Ü2Ý2) 2 = Ü 2 1 (Ü 2 Ý2) 2. By hypothesis is non-square so Ü 2 1 (Ü 2 Ý2) 2 = 0 and (1 Ü1Ü2Ý2) 2 = 0.

57 Proof: Suppose that 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0. Note that Ü1 = 0. Use curve equation 2 to see that (1 Ü1Ü2Ý2) 2 = Ü 2 1 (Ü 2 Ý2) 2. By hypothesis is non-square so Ü 2 1 (Ü 2 Ý2) 2 = 0 and (1 Ü1Ü2Ý2) 2 = 0. Hence Ü2 = Ý2 and 1 = Ü1Ü2Ý2.

58 Curve equation 1 times 1 Ü 2 1 : 1 + Ý 2 1 Ü2 1 = 1 Ü1 + Ý1(1 Ü Ø Ü 1) + Ý 2 1.

59 Curve equation 1 times 1 Ü 2 1 : 1 + Ý 1 2 Ü2 1 = 1 Ü1 + Ý1(1 Ü Ø Ü 1) + Ý 1 2. Substitute 1 Ü1 = Ü 2 2 : Ý 1 2 Ü4 2 = Ü Ý 1( Ü Ü2 2 Ø) + Ý2 1.

60 Curve equation 1 times 1 Ü 2 1 : 1 + Ý 1 2 Ü2 1 = 1 Ü1 + Ý1(1 Ü Ø Ü 1) + Ý 1 2. Substitute 1 Ü1 = Ü 2 2 : Ý 1 2 Ü4 2 = Ü Ý 1( Ü Ü2 2 Ø) + Ý2 1. Substitute 2Ü 2 2 = 2Ü 2 + ØÜ Ü4 2 : (1 Ý1Ü 2 2 )2 = (Ü2 Ý1) 2.

61 Curve equation 1 times 1 Ü 2 1 : 1 + Ý 1 2 Ü2 1 = 1 Ü1 + Ý1(1 Ü Ø Ü 1) + Ý 1 2. Substitute 1 Ü1 = Ü 2 2 : Ý 1 2 Ü4 2 = Ü Ý 1( Ü Ü2 2 Ø) + Ý2 1. Substitute 2Ü 2 2 = 2Ü 2 + ØÜ Ü4 2 : (1 Ý1Ü 2 2 )2 = (Ü2 Ý1) 2. Thus Ü2 = Ý1 and 1 = Ý1Ü 2 2. Hence 1 = Ü 3 2.

62 Curve equation 1 times 1 Ü 2 1 : 1 + Ý 1 2 Ü2 1 = 1 Ü1 + Ý1(1 Ü Ø Ü 1) + Ý 1 2. Substitute 1 Ü1 = Ü 2 2 : Ý 1 2 Ü4 2 = Ü Ý 1( Ü Ü2 2 Ø) + Ý2 1. Substitute 2Ü 2 2 = 2Ü 2 + ØÜ Ü4 2 : (1 Ý1Ü 2 2 )2 = (Ü2 Ý1) 2. Thus Ü2 = Ý1 and 1 = Ý1Ü 2 2. Hence 1 = Ü 3 2. Now 2Ü 2 2 = 2Ü 2 + ØÜ Ü 2 so 3 = (2 Ø)Ü2 so 27 = (2 Ø) 3. Contradiction.

63 What s next? Make the mathematicians happy: Prove that all curves are covered; should be easy using Weil and rational param. Make the computer happy: Find faster complete laws. Latest news, B. Kohel L.: Have complete addition law for twisted Hessian curves Ü 3 + Ý = 3 ÜÝ when is non-cube. Close in speed to Edwards and covers different curves.