References on Elliptic Curves Most of examples/notations used in this presentation come from:

Transcription

1 References on Elliptic Curves Most of eamples/notations used in this presentation come from: Hardware Arithmetic Operators for Elliptic Curve Crptograph (ECC) Arnaud Tisserand Guide to Elliptic Curve Crptograph D. Hankerson, A. Menezes and S. Vanstone 24. Springer ISBN: X CNRS, IRISA laborator, CAIRN research team Journée Sécurité Numérique, GDR SoC-SiP Paris, November 16th, 211 The Arithmetic of Elliptic Curves Joseph H. Silverman 29. Springer ISBN: A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 2/1 Some Historical Aspects 198 Koblitz and Miller: ECC 1977 Rivest, Shamir and Adleman: RSA crptosstem 1976 Diffie and Hellman: public-ke crptograph Clifford Cocks Euler Legendre Gauss Jacobi Weierstrass Galois Question in the 18th centur: arc length of an ellipse? stud of integrals involving f () where deg f {3, 4} ears Notations Elliptic curve E Underling field K (R, F p, F 2 m,... ) Finite field F q (q = p or q = 2 m in this presentation) Points P, Q,... Coordinates (,, [z]) (,, [z] K) Point at infinit denoted Number of points on E: #E A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 3/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 4/1

2 Elliptic Curves Set of points (, ) defined b the Weierstrass equation: Elliptic Curves Eamples on R ER 1 : 2 = 3 ER 2 : 2 = E : 2 + a 1 + a 3 = 3 + a a 4 + a 6 where a 1, a 2, a 3, a 4, a 6 K discriminant of E: and = d 2 2 d 8 8d d d 2 d 4 d 6 d 2 = a a 2 d 4 = 2a 4 + a 1 a 3 d 6 = a a 6 d 8 = a 2 1a 6 + 4a 2 a 6 a 1 a 3 a 4 + a 2 a 2 3 a 2 4 Condition ensures that E is smooth Set of points where denotes the point at infinit: E(K) = {(, ) K K; 2 + a 1 + a 3 = 3 + a a 4 + a 6 } { } A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC /1 (a 1, a 2, a 3, a 4, a 6 ) = (,,, 1, ) (a 1, a 2, a 3, a 4, a 6 ) = (,,, 1 4, 4 ) A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 6/1 Group Law Point addition using the chord-and-tangent rule: the addition of 2 points of E gives a third point also on E Point Addition P + Q Geometrical eplanation: P + Q and P + P = [2]P Elliptic curves as algebraic objects: (E, +) forms an abelian group The set of points on E (over field K) and the point addition operation forms an abelian group with as its identit P + = + P = P P + ( P) = (P + Q) + R = P + (Q + R) P + Q = Q + P P Q R 1. draw P and Q 2. draw the line through P and Q, this line intersects E on a third point R 3. P + Q is the reflection of R w.r.t. the -ais. Point at infinit: Abelian groups in public-ke crptograph: operation on the group should be eas to implement computation of the discrete logarithm on the group should be hard E P + Q P + Q + R = A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 7/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 8/1

3 Point Doubling [2]P Specific Cases E Geometrical eplanation: 1. draw P E E R [2]P P 2. draw the tangent to E at point P, this tangent intersects E on a second point R 3. [2]P is the reflection of R w.r.t. the -ais. Point at infinit: P + P + R = P Q Point at infinit: P + Q + = P Point at infinit: P + P + = A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 9/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 1/1 Notations: Addition and Doubling Equations elliptic curve E : 2 = 3 + a + b P coordinates ( 1, 1 ) Q coordinates ( 2, 2 ) The slope of line (P, Q) is if P ±Q [ADD] λ = if P = Q [DBL] The addition P + Q (or doubling [2]P) gives the point ( 3, 3 ) where: 3 = λ and 3 = λ( 1 3 ) 1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 11/1 Simplified Weierstrass Equations Depending on the characteristic of the field K, the equation can be significantl simplified. Characteristic p: with p / {2, 3}, fields F p 2 = 3 + a + b and = 16(4a b 2 ) Characteristic 2: fields F 2 m a 1 : non-supersingular curve 2 + = 3 + a 2 + b and = b a 1 = : supersingular curve 2 + c = 3 + a + b and = c 4 Characteristic 3: fields F 3 m a1 2 a 2: non-supersingular curve 2 = 3 + a 2 + b and = a 3 b a1 2 = a 2: supersingular curve 2 = 3 + a + b and = a 3 Notation: a, b, c K A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 12/1

4 Elliptic Curves Eamples on F 11 Elliptic Curve 2 = , (,,, 4, 2) For K = F 11 : EF 1 : 2 = 3 1 EF 2 : 2 = F F F F 17 (a 1, a 2, a 3, a 4, a 6 ) = (,,, 1, ) (a 1, a 2, a 3, a 4, a 6 ) = (,,, 76, 77) A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 13/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 14/1 Number of Points in the Elliptic Curve Eample E : 2 = on F 29 (1/4) Notations: F q is a finite field (q = p or q = 2 m in this presentation) #E is the number of points in E over F q (also called the order of E over F q ) First bounds: Weierstrass equation has at most 2 solutions for each F q then 1 #E 2q + 1 Tighter bounds: Hasse s theorem bounds #E of an elliptic curve over a finite field F q q q #E q q In practice, #E is close to q There are 37 points on E: and (, 7), (, 22), (1, ), (1, 24), (2, 6), (2, 23), (3, 1), (3, 28), (4, 1), (4, 19), (, 7), (, 22), (6, 12), (6, 17), (8, 1), (8, 19), (1, 4), (1, 2), (13, 6), (13, 23), (14, 6), (14, 23), (, 2), (, 27), (16, 2), (16, 27), (17, 1), (17, 19), (19, 13), (19, 16), (2, 3), (2, 26), (24, 7), (24, 22), (27, 2), (27, 27) A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC /1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 16/1

5 Eample E : 2 = on F 29 (2/4) Eample E : 2 = on F 29 (3/4) Point addition eample: P = (8, 1) Q = (24, 22) 37P Point doubling eample: P = (8, 1) P Q λ = = = 8 3 = λ = = 3 3 = λ( 1 3 ) 1 = 8 (8 3) 1 = P 36P 4P P λ = a = = = λ = = 3 = λ( 1 3 ) 1 = 4 (8 ) 1 = 22 P + Q Verification using sage: P = EEF29(8,1) Q = EEF29(24,22) P+Q 1 3P 2 P 2 Verification using sage: P = EEF29(8,1) 2*P A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 17/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 18/1 Eample E : 2 = on F 29 (4/4) Scalar Multiplication Q = kp Point multiplication or scalar multiplication: Inputs: a point P E and k N Output: the point E Q = kp = P } + P + {{... + P } (also denoted [k]p) k times Choice for k: This is the main operation in ECC protocols #E(F q ) = nh where n is prime and h is small (n q) k random integer in [1, n 1] k binar representation (k t 1 k t 2...k 1 k ) 2 where t log 2 q Remark: computing efficientl multiple point multiplication [k]p + [l]q ma be useful in some protocols A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 19/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 2/1

6 Discrete Logarithm Problems Discrete logarithm problem (DLP) on a group G: Inputs: a, b (G, ) Output: the smallest integer (> ) such that a = b (if it eists) Remark: #G prime = a discrete logarithm alwas eists Elliptic curve discrete logarithm problem (ECDLP): Inputs: P, Q E Q = kp Output: the scalar k (long integer), k is the discrete logarithm of Q to the base P Given P and Q, it is computationall infeasible to obtain k, if k is large enough. A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 21/1 Ke Size vs Securit Level securit RSA ECC level F p F 2 m n [bits] p [bits] m [bits] Securit level of h: the best known algorithm takes 2 h steps for breaking the crptosstem RSA: Z/nZ with n = pq, p and q primes ECC: F p with p prime or F 2 m Source: SEC2 recommendations from Certicom (v1., Jan. 2) A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 22/1 ECC Challenge (1/2) Source: Challenge: compute ECC private ke from ECC public ke and parameters (ECDLP) challenge end date machine das 1 ECC2-79 Dec. 16, ECC2-89 Feb. 9, ECC2K-9 Ma 21, ECC2-97 Sep. 22, ECC2K-18 Apr. 4, ECC2-19 Apr. 8, 24 ECCp-79 Dec. 6, ECCp-89 Jan. 12, ECCp-97 Mar. 18, ECCp-19 Oct., 22 New record: ECC Challenge (2/2) Challenge: 112 bits (curve secp112r1) Dates: Support: 2 PlaStation 3 game consoles Location: EPFL Corresponding publication: J.W. Bos, M.E. Kaihara, T. Kleinjung, A.K. Lenstra and P.L. Montgomer. Solving a 112-bit Prime Elliptic Curve Discrete Logarithm Problem on Game Consoles using Slopp Reduction. Int. J. Applied Crptograph, 211. Source: 1 Machine das on a MHz alpha workstation. A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 23/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 24/1

7 Guidelines for Designing Robust Crptosstems Use recommendations/standards from specialists... Eample : elliptic curve P-21 over a prime finite field, recommendation from NIST (cf. FIPS 186-2) p = r = s = d9e88 291cb83 cc aa adaba c = b4 8bfaf42 a d2bdfc 2eeeeb 77688e4 4fbfad8 f6dedb3 7bd6b e19f1b9 ffbefe9 ed8a3c22 b8f87 e23868c 7c1ebf bad ECC Protocols Applications: encrption digital signature ke agreement ECC protocols: ECIES: Elliptic Curve Integrated Encrption Sstem ECDSA: Elliptic Curve Digital Signature Algorithm ECDH: Elliptic Curve Diffie-Hellman ke agreement... Notation: D is the set of domain parameters (E, q, #E = nh, P E,...) A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 2/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 26/1 Elliptic Curve Digital Signature Algorithm Preprocessing: select random integer d [1, n 1], compute Q = dp where P E = Q public ke and d private ke Signature: m is the message, H is the hash function 1. select random integer k [1, n 1] 2. ( 1, 1 ) = kp, r = 1 mod n, if r = then step 1 3. e = H(m), s = k 1 (e + dr) mod n, if s = then step 1 4. return (r, s) Verification: 1. if (r or s not in [1, n 1]) then REJECT 2. e = H(m), w = s 1 mod n, u 1 = ew mod n, u 2 = rw mod n, X = ( 1, 1 ) = u 1 P + u 2 Q 3. if X = then REJECT 4. v = 1 mod n. if v = r then ACCEPT else REJECT A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 27/1 ECC Implementation: Dela Estimation Counting the number of point operations: Point addition P + Q (ADD) Point doubling 2P (DBL) Counting the number of field operations: addition/subtraction (A) multiplication (M) squaring (S) inversion (I ) Common assumptions for high-level estimation: A S.8M for F p and S for F 2 m I 3M A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 28/1

8 Scalar Multiplication: Double-and-Add Algorithms Input: P E, k = (k t 1 k t 2..., k 1 k ) 2 N Output: Q = kp 1: Q 2: for i from to t-1 do 3: if k i = 1 then Q Q + P ADD 4: P 2P DBL Input: P E, k = (k t 1 k t 2..., k 1 k ) 2 N Output: Q = kp 1: Q 2: for i from t-1 downto do 4: Q 2Q DBL 3: if k i = 1 then Q Q + P ADD A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 29/1 Double-and-Add Analsis Assumption on the densit of k due to securit aspects: Point operations: number of 1 in k is t 2 t ADD + t DBL 2 Cost of DBL and ADD point operations: DBL I + 2 M + 2 S ADD I + 2 M + S Field operations: 3 2 t I + 3t M + 2 t S Estimation using previous assumptions: F p : cost(kp) t M F 2 m: cost(kp) 48t M A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 3/1 Optimization Q: Inversions are ver epensive, can we remove them? A: Yes, b changing the representation of the points In some different coordinate sstems, points on a curve can be added without inversions (, ) (X, Y, Z) Transformation: is replaced b X /Z c and is replaced b Y /Z d Several coordinates sstems are used in practice (several transformations and parameters c, d N ) Remark: affine coordinates are the basic coordinates (, ) Projective Coordinates Equivalence relation on the set K 3 \ (,, ): (X 1, Y 1, Z 1 ) (X 2, Y 2, Z 2 ) if X 1 = λ c X 2, Y 1 = λ d Y 2 and Z 1 = λz 2 for some λ K Equivalence class (X, Y, Z) K 3 \ (,, ), projective point: (X : Y : Z) = { (λ c X, λ d Y, λz) : λ K } Eample: projective form of the Weierstrass equation using standard projective coordinates (c = 1, d = 1): becomes E : 2 + a 1 + a 3 = 3 + a a 4 + a 6 Y 2 Z + a 1 XYZ + a 3 YZ 2 = X 3 + a 2 X 2 Z + a 4 XZ 2 + a 6 Z 3 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 31/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC /1

9 Eamples of Coordinates Sstems Affine coordinates, A: P : (, ) Standard projective coordinates, P (c = 1, d = 1): P : (X, Y, Z) = X Z, = Y = (, 1, ) Z Jacobian projective coordinates, J (c = 2, d = 3): P : (X, Y, Z) = X Z 2, = Y Z 3 = (1, 1, ) Chudnovsk coordinates, C: P : (X, Y, Z, Z 2, Z 3 ) = (1, 1, )... Remark: (X, Y, Z) = (X, Y, Z) A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 33/1 Point Addition and Doubling Costs Point doubling 2A A 1 I + 2 M + 2 S 2P P 7 M + 3 S 2J J 4 M + 4 S 2C C M + 4 S Point addition A + A A 1 I + 2 M + 1 S P + P P 12 M + 2 S J + J J 12 M + 4 S C + C C 11 M + 3 S J + A J 8 M + 3 S J + C J 11 M + 3 S C + A C 8 M + 3 S A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 34/1 More Information on Coordinates Sstems and Implementations Paper from D. Bernstein and T. Lange on Analsis and optimization of elliptic-curve single-scalar multiplication (PDF on the web) Implementation Eample from UCC-CSI (1/3) Source: Liam Marnane (Universit College Cork and Claude Shannon Institute), invited talk at ECC 27: Comparing Hardware Compleit of Crptographic Algorithms Eplicit-Formulas Database (EFD): Collection of eplicit formulas (point addition, doubling and tripling) for man coordinate sstems Best formulas from the literature Code (sage) for validation purpose Proceedings of the workshops on Crptographic Hardware and Embedded Sstems (CHES): (full-tet access via Springer) A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 3/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 36/1

10 Implementation Eample from UCC-CSI (2/3) F 2 m, m = 163, NIST curve, target Xilin c3s1l FPGA F 2 m mult.: digit size d = 1 ( 3 LUT) or d = 16 ( 1 LUT) F 2 m divider ( 11 LUT) freq: 8 MHz, static power: 92 mw Implementation Eample from UCC-CSI (3/3) Summar (scalar mutl. using Montgomer ladder): solution power energ time area A T 3 mult., d = mw.36 mj 177 µs 9393 LUT mult., d = 16 mw.39 mj 21 µs 6711 LUT 1.3 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 37/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 38/1 Addition Chains (Work of Nicolas Méloni) In scalar multiplication [k]p, onl use point additions on the curve robust against SPA ADD(P 1, P 2 ) = (P 1 + P 2, P 1 ) with P 1 and P 2 alread computed problem find a short chain Eample: addition chains for k = Collaboration with UCC code and crpto group (26 28) A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 39/1 Signed-Digit Redundant Number Sstems Avizienis 11: radi β representation replace the digit set {, 1, 2,..., β 1} b the digit set { α, α + 1,...,,..., α 1, α} with α β 1 If 2α + 1 > β some numbers have several possible representations Eample: radi β = 1, digits from the set D = {9,..., 1,, 1,..., 9} 21 = (21) β,d = (219) β,d = (399) β,d = (181) β,d = (1819) β,d =... In a redundant number sstem there is constant-time addition algorithm (without carr propagation) where all computations are done in parallel A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 4/1

11 Recoding k Recoding: w-naf (non-adjacent form) With n 1 k = k i 2 i, k i {, 1} i= use k with digits in windows of w bits Eample: k i < 2 w 1 k = 267 = ( ) 2 ( ) 2 NAF ( ) 3 NAF ( 1 1 ) 4 NAF ( 1 11 ) NAF Cost: (n 1) DBL and n w+1 ADD A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 41/1 Double-Base Number Sstems (DBNS) (1/3) Redundant representation based the sum of powers of 2 AND 3: = n i 2 a i 3 b i, with i { 1, 1}, a i, b i i=1 Eample: 127 = = = Source: L. Imbert A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 42/1 Double-Base Number Sstems (DBNS) (2/3) Double-Base Number Sstems (DBNS) (3/3) Smallest > with n DBNS terms in its decomposition: n unsigned signed (498) 18,431? 6 3,448, ,441,8,119 8? DBNS is a ver sparse and redundant representation Eample: 127 has 783 DBNS representations among which 6 are canonic: 127 = ( ) = ( ) = ( ) = ( ) = ( ) = ( ) Application: ECC scalar multiplication 3149 = [3149]P = [ ]P + [ ]P P cost: 12 DBL + 1 TPL + 2 ADD 3149 = [3149]P = 3(3(3(3 3 ([ ]P P) P) P) P cost: 4 DBL + 9 TPL + ADD A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 43/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 44/1

12 Protection at the Arithmetic Level Redundant number sstem = a wa to improve the performance of some operations a wa to represent a value with different representations k PhD Thesis of Thomas Chabrier Hardware random recoding of the scalar (NAF-like, DBNS,... ) Recoding rules: , , , ep. R2 red. R4 R 1 (k) R 2 (k) R 3 (k) R 4 (k) ep. R1 ep. R4 ep. R1 red. R [R 1 (k)]p [R 2 (k)]p [R 3 (k)]p [R 4 (k)]p... [144]P = [ ]([ ]([2 2 3 ]P P ) + P ) [144]P = [ ]([ ]([2 1 3 ]([2 3 1 ]([2 3 1 ]P P ) P ) P ) + P ) 6 = [ ]([2 2 3 ]([2 3 ]P + P ) P ) 2 = [ ]([ ]([2 1 3 ]P + P ) + P ) 3 = [ ]([2 3 1 ]([ ]([2 2 3 ]P P ) + P ) P ) 7 = [ ]([2 3 4 ]([2 3 1 ]P + P ) + P ) 8 = [ ]([ ]([2 1 3 ]P P ) + P ) 4 reduction epansion [k]p Proposed solution: use random redundant representations of k A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 4/1 Securit evaluation in progress A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 46/1 ECC (Co)Processor under Development Activit in GF(p) Arithmetic Operators (1/2) countermeasures ke recode COMM. CTRL AGU register file ±, on F q local register(s) CTRL ±, on F q local register(s) CTRL 1/ on F q local register(s) CTRL Functional units (FU): ±,, 1/ for F p and F 2 m, ke recoding Memor: register file + internal registers in the FUs Control: operations (E and F q levels) schedule, parameters management top: addition, middle: multiplication, bottom: addition with a constant A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 47/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 48/1

13 Activit in F p Arithmetic Operators (2/2) Other Topics.2 l=.2 l=6 Countermeasures against side channel attacks or fault attacks.1.1 Parameters selection (securit/performance/cost trade-off... ) l= l=8 Specific operations (e.g. ReADD: addition where one of the addends has been added before) Unified equations (same equations for ADD and DBL) l= l=1 Montgomer point multiplication Multiple point multiplication (kp + lq) Point halving Specific curves (Edwards, Montgomer, Huff,...) curves... A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 49/1 A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC /1 Contact: The end, some questions? mailto:arnaud.tisserand@irisa.fr CAIRN Group IRISA Laborator, CNRS INRIA Univ. Rennes 1 6 rue Kérampont, BP 818, F-223 Lannion cede, France SAGE Mathematical Software Sstem Features and information: Topics: algebra, combinatorics, geometr, number theor, numerical mathematics, calculus, crptograph... URL: License: GPL and GNU Free Documentation License Language: Pthon Platforms: Linu, OS X and Solaris (both 86 and SPARC) Histor:.1 in Jan. 2, 1 main version/ear + several releases/ear Use: command line or notebook (through a web browser) Integrated libraries: GMP, NTL, MPFR, MPFI, LinBo, ATLAS... Thank ou A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 1/1 Interfaces to/from: GP/Pari, Gnuplot, Magma, Maple, Matlab, Maima, Mathematica, Octave... A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 2/1

14 Sage Eamples (1/3) Sage Version 4.1, Release Date: Tpe notebook() for the GUI, and license() for information sage: sage: (factor(29),factor(3)) (29, 2 * 3 * ) sage:, b, c = var( b c ) sage: solve([^2 + b* + c == ],) [ == -1/2*b - 1/2*sqrt(b^2-4*c), == -1/2*b + 1/2*sqrt(b^2-4*c)] sage: ER1=EllipticCurve([,,,-1,]) sage: ER1 Elliptic Curve defined b ^2 = ^3 - over Rational Field sage: show(plot(er1),aspect_ratio=1,min=-1,ma=2,min=-2,ma=2) Remark: the prompts sage: or >>> are ignored during cut/paste A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 3/1 Sage Eamples (2/3) sage: EF1=EllipticCurve(GF(11),[,,,-1,]) sage: EF1 Elliptic Curve defined b ^2 = ^3 + over Finite Field of size 11 sage: show(plot(ef1),aspect_ratio=1) sage: EEF29=EllipticCurve(GF(29),[,,,4,2]) sage: EEF29 Elliptic Curve defined b ^2 = ^3+4*+2 over Finite Field of size 29 sage: show(plot(eef29),aspect_ratio=1) sage: P=EEF29.random_point() sage: Q=EEF29.random_point() sage: P, Q ((3 : 1 : 1), (24 : 7 : 1)) sage: P+Q (8 : 1 : 1) sage: 2*P (24 : 7 : 1) sage: 2*Q ( : 7 : 1) A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC 4/1 Sage Eamples (3/3) sage: F29=GF(29) sage: F29((22-1)/(24-8)) 8 sage: F29(8^2-8-24) 3 sage: F29(8*(8-3)-1) 1 sage: sage: F29((3*8^2+4)/(2*1)) 4 sage: F29(4^2-8-8) sage: F29(4*(8-)-1) 22 sage: eit Eiting SAGE (CPU time m4.1s, Wall time 18m4.22s). Eiting spawned Maima process. A. Tisserand, CNRS IRISA CAIRN. Hardware Arithmetic Operators for ECC /1