Addition laws on elliptic curves. D. J. Bernstein University of Illinois at Chicago. Joint work with: Tanja Lange Technische Universiteit Eindhoven
|
|
- Sophia Ross
- 5 years ago
- Views:
Transcription
1 Addition laws on elliptic curves D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven
2 , 09:00 (yikes!), Leiden University, part of Mathematics: Algorithms and Proofs week at Lorentz Center: Harold Edwards speaks on Addition on elliptic curves. Edwards
3 What we think when we hear addition on elliptic curves : Ý È + É É È Ü Addition on Ý 2 5ÜÝ = Ü 3 7.
4 = (Ý2 Ý1) (Ü2 Ü1), Ü3 = 2 5 Ü1 Ü2, Ý3 = 5Ü3 (Ý1 + (Ü3 Ü1)) µ (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3).
5 = (Ý2 Ý1) (Ü2 Ü1), Ü3 = 2 5 Ü1 Ü2, Ý3 = 5Ü3 (Ý1 + (Ü3 Ü1)) µ (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3). Oops, this requires Ü1 = Ü2. = (5Ý1 + 3Ü 2 1 ) (2Ý 1 5Ü1), Ü3 = 2 5 2Ü1, Ý3 = 5Ü3 (Ý1 + (Ü3 Ü1)) µ (Ü1 Ý1) + (Ü1 Ý1) = (Ü3 Ý3).
6 = (Ý2 Ý1) (Ü2 Ü1), Ü3 = 2 5 Ü1 Ü2, Ý3 = 5Ü3 (Ý1 + (Ü3 Ü1)) µ (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3). Oops, this requires Ü1 = Ü2. = (5Ý1 + 3Ü 2 1 ) (2Ý 1 5Ü1), Ü3 = 2 5 2Ü1, Ý3 = 5Ü3 (Ý1 + (Ü3 Ü1)) µ (Ü1 Ý1) + (Ü1 Ý1) = (Ü3 Ý3). Oops, this requires 2Ý1 = 5Ü1. (Ü1 Ý1) + (Ü1 5Ü1 Ý1) = ½. (Ü1 Ý1) + ½ = (Ü1 Ý1). ½ + (Ü1 Ý1) = (Ü1 Ý1). ½ + ½ = ½.
7 Despite 09:00, despite Dutch trains, we attend the talk. Edwards says: Euler Gauss addition law on Ü 2 + Ý 2 = 1 Ü 2 Ý 2 is (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3) with Ü3 = Ü 1Ý2 + Ý1Ü2 1 Ü1Ü2Ý1Ý2 Ý3 = Ý 1Ý2 Ü1Ü2 1 + Ü1Ü2Ý1Ý2,. Euler Gauss
8 Edwards, continued: Every elliptic curve over Q is birationally equivalent to Ü 2 + Ý 2 = 2 (1 + Ü 2 Ý 2 ) for some ¾ Q 0 1. (Euler Gauss curve the lemniscatic elliptic curve. )
9 Edwards, continued: Every elliptic curve over Q is birationally equivalent to Ü 2 + Ý 2 = 2 (1 + Ü 2 Ý 2 ) for some ¾ Q 0 1. (Euler Gauss curve the lemniscatic elliptic curve. ) Ü 2 + Ý 2 = 2 (1 + Ü 2 Ý 2 ) has neutral element (0 ), addition (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3) with Ü3 = Ü 1Ý2 + Ý1Ü2 (1 + Ü1Ü2Ý1Ý2), Ý3 = Ý 1Ý2 Ü1Ü2 (1 Ü1Ü2Ý1Ý2).
10 Addition law is unified : (Ü1 Ý1) + (Ü1 Ý1) = (Ü3 Ý3) with Ü3 = Ü 1Ý1 + Ý1Ü1 (1 + Ü1Ü1Ý1Ý1), Ý3 = Ý 1Ý1 Ü1Ü1 (1 Ü1Ü1Ý1Ý1). Have seen unification before. e.g., 1986 Chudnovsky 2 : 17M unified addition formulas for (Ë : : : ) on Jacobi s Ë = 2, 2 Ë = 2. Chudnovsky 2 Jacobi
11 , 09:30, Bernstein Lange: Edwards addition law with standard projective ( : : ), standard Karatsuba optimization, common-subexp elimination: 10M + 1S + 1A. Faster than anything seen before! M: field multiplication. S: field squaring. A: multiplication by. Karatsuba
12 Edwards paper: Bulletin AMS 44 (2007), Many papers in 2007, 2008, 2009 have now used Edwards curves to set speed records for critical computations in elliptic-curve cryptography. Also new speed records for ECM factorization: see Lange s talk here on Saturday. Also expect speedups in verifying elliptic-curve primality proofs.
13 Back to B. L., early Edwards Ü 2 + Ý 2 = 2 (1 + Ü 2 Ý 2 ) doesn t rationally include Euler Gauss Ü 2 + Ý 2 = 1 Ü 2 Ý 2. Common generalization, presumably more curves over Q, presumably more curves over F : Õ Ü 2 + Ý 2 = 2 (1 + Ü 2 Ý 2 ) has neutral element (0 ), addition (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3) with Ü3 = Ý3 = Ü 1Ý2 + Ý1Ü2 (1 + Ü1Ü2Ý1Ý2), Ý 1Ý2 Ü1Ü2 (1 Ü1Ü2Ý1Ý2).
14 Convenient to take = 1 for speed, simplicity. Covers same set of curves up to birational equivalence: ( ) (1 4 ). Ü 2 + Ý 2 = 1 + Ü 2 Ý 2 has neutral element (0 1), addition (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3) with Ü3 = Ü 1Ý2 + Ý1Ü2 1 + Ü1Ü2Ý1Ý2, Ý3 = Ý 1Ý2 Ü1Ü2 1 Ü1Ü2Ý1Ý2.
15 Hmmm, does this really work? Easiest way to check the generalized addition law: pull out the computer! Pick a prime Ô; e.g. 47. Pick curve param ¾ F. Ô Enumerate all affine points (Ü Ý) ¾ F F satisfying Ô Ô Ü 2 + Ý 2 = 1 + Ü 2 Ý 2. Use generalized addition law to make an addition table for all pairs of points. Check associativity etc.
16 Warning: Don t expect complete addition table. Addition law works generically but can fail for some exceptional pairs of points. Unified addition law works for generic additions and for generic doublings but can fail for some exceptional pairs of points. Basic problem: Denominators 1 Ü1Ü2Ý1Ý2 can be zero.
17 Even if we switched to projective coordinates, would expect addition law to fail for some points, producing (0 : 0 : 0) Bosma Lenstra theorem: The smallest cardinality of a complete system of addition laws on equals two. Bosma Lenstra
18 Try Ô = 47, = 25: denominator 1 Ü1Ü2Ý1Ý2 is nonzero for most points (Ü1 Ý1), (Ü2 Ý2) on curve. Edwards addition law is associative whenever defined.
19 Try Ô = 47, = 25: denominator 1 Ü1Ü2Ý1Ý2 is nonzero for most points (Ü1 Ý1), (Ü2 Ý2) on curve. Edwards addition law is associative whenever defined. Try Ô = 47, = 1: denominator 1 Ü1Ü2Ý1Ý2 is nonzero for all points (Ü1 Ý1), (Ü2 Ý2) on curve. Addition law is a group law!
20 Try Ô = 47, = 25: denominator 1 Ü1Ü2Ý1Ý2 is nonzero for most points (Ü1 Ý1), (Ü2 Ý2) on curve. Edwards addition law is associative whenever defined. Try Ô = 47, = 1: denominator 1 Ü1Ü2Ý1Ý2 is nonzero for all points (Ü1 Ý1), (Ü2 Ý2) on curve. Addition law is a group law! vs. Z60T
21 2007 Bernstein Lange completeness proof for all non-square : If Ü Ý2 1 = 1 + Ü2 1 Ý2 1 and Ü Ý2 2 = 1 + Ü2 2 Ý2 2 and Ü1Ü2Ý1Ý2 = 1
22 2007 Bernstein Lange completeness proof for all non-square : If Ü Ý2 1 = 1 + Ü2 1 Ý2 1 and Ü Ý2 2 = 1 + Ü2 2 Ý2 2 and Ü1Ü2Ý1Ý2 = 1 then Ü 2 1 Ý2 1 (Ü 2 + Ý2) 2 = Ü 2 1 Ý2 1 (Ü2 2 + Ý Ü 2Ý2) = Ü 2 1 Ý2 1 ( Ü2 2 Ý Ü 2Ý2)
23 2007 Bernstein Lange completeness proof for all non-square : If Ü Ý2 1 = 1 + Ü2 1 Ý2 1 and Ü Ý2 2 = 1 + Ü2 2 Ý2 2 and Ü1Ü2Ý1Ý2 = 1 then Ü 2 1 Ý2 1 (Ü 2 + Ý2) 2 = Ü 2 1 Ý2 1 (Ü2 2 + Ý Ü 2Ý2) = Ü 2 1 Ý2 1 ( Ü2 2 Ý Ü 2Ý2) = 2 Ü 2 1 Ý2 1 Ü2 2 Ý2 2 + Ü2 1 Ý Ü2 1 Ý2 1 Ü 2Ý2
24 2007 Bernstein Lange completeness proof for all non-square : If Ü Ý2 1 = 1 + Ü2 1 Ý2 1 and Ü Ý2 2 = 1 + Ü2 2 Ý2 2 and Ü1Ü2Ý1Ý2 = 1 then Ü 2 1 Ý2 1 (Ü 2 + Ý2) 2 = Ü 2 1 Ý2 1 (Ü2 2 + Ý Ü 2Ý2) = Ü 2 1 Ý2 1 ( Ü2 2 Ý Ü 2Ý2) = 2 Ü 2 1 Ý2 1 Ü2 2 Ý2 2 + Ü2 1 Ý Ü2 1 Ý2 1 Ü 2Ý2 = 1 + Ü 2 1 Ý2 1 2Ü 1Ý1
25 2007 Bernstein Lange completeness proof for all non-square : If Ü Ý2 1 = 1 + Ü2 1 Ý2 1 and Ü Ý2 2 = 1 + Ü2 2 Ý2 2 and Ü1Ü2Ý1Ý2 = 1 then Ü 2 1 Ý2 1 (Ü 2 + Ý2) 2 = Ü 2 1 Ý2 1 (Ü2 2 + Ý Ü 2Ý2) = Ü 2 1 Ý2 1 ( Ü2 2 Ý Ü 2Ý2) = 2 Ü 2 1 Ý2 1 Ü2 2 Ý2 2 + Ü2 1 Ý Ü2 1 Ý2 1 Ü 2Ý2 = 1 + Ü 2 1 Ý2 1 2Ü 1Ý1 = Ü Ý2 1 2Ü 1Ý1 = (Ü1 Ý1) 2.
26 2007 Bernstein Lange completeness proof for all non-square : If Ü Ý2 1 = 1 + Ü2 1 Ý2 1 and Ü Ý2 2 = 1 + Ü2 2 Ý2 2 and Ü1Ü2Ý1Ý2 = 1 then Ü 2 1 Ý2 1 (Ü 2 + Ý2) 2 = Ü 2 1 Ý2 1 (Ü2 2 + Ý Ü 2Ý2) = Ü 2 1 Ý2 1 ( Ü2 2 Ý Ü 2Ý2) = 2 Ü 2 1 Ý2 1 Ü2 2 Ý2 2 + Ü2 1 Ý Ü2 1 Ý2 1 Ü 2Ý2 = 1 + Ü 2 1 Ý2 1 2Ü 1Ý1 = Ü Ý2 1 2Ü 1Ý1 = (Ü1 Ý1) 2. Have Ü2 + Ý2 = 0 or Ü2 Ý2 = 0; either way is a square. Q.E.D.
27 1995 Bosma Lenstra theorem: The smallest cardinality of a complete system of addition laws on equals two.
28 1995 Bosma Lenstra theorem: The smallest cardinality of a complete system of addition laws on equals two. meaning: Any addition formula for a Weierstrass curve in projective coordinates must have exceptional cases in ( ) ( ), where = algebraic closure of.
29 1995 Bosma Lenstra theorem: The smallest cardinality of a complete system of addition laws on equals two. meaning: Any addition formula for a Weierstrass curve in projective coordinates must have exceptional cases in ( ) ( ), where = algebraic closure of. Edwards addition formula has exceptional cases for ( ) but not for ( ). We do computations in ( ).
30 Summary: Assume field; 2 = 0 in ; non-square ¾. Then (Ü Ý) ¾ : Ü 2 + Ý 2 = 1 + Ü 2 Ý 2 is a commutative group with (Ü1 Ý1) + (Ü2 Ý2) = (Ü3 Ý3) defined by Edwards addition law: Ü3 = Ü 1Ý2 + Ý1Ü2 1 + Ü1Ü2Ý1Ý2 Ý3 = Ý 1Ý2 Ü1Ü2 1 Ü1Ü2Ý1Ý2,. Terminology: Edwards curves allow arbitrary ¾ ; = 4 are original Edwards curves ; non-square are complete.
31 = 0: the clock group. Ü 2 + Ý 2 = 1, parametrized by (Ü Ý) = (sin cos). Gauss parametrized Ü 2 + Ý 2 = 1 Ü 2 Ý 2 by (Ü Ý) = ( lemn sin lemn cos ). Abel, Jacobi sn, cn, dn handle all elliptic curves, but (sn cn) does not specialize to (lemn sin lemn cos). Bad generalization of (sin cos). Edwards Ü is sn; Edwards Ý is cn/dn. Theta view: see Edwards paper.
32 Every elliptic curve over with a point of order 4 is birationally equivalent to an Edwards curve. Unique order-2 point µ complete. Convenient for implementors: no need to worry about accidentally bumping into exceptional inputs. Particularly nice for cryptography: no need to worry about attackers manufacturing exceptional inputs, hearing case distinctions, etc.
33 What about elliptic curves without points of order 4? What about elliptic curves over binary fields? Continuing project (B. L.): For every elliptic curve, find complete addition law for with best possible speeds. Complete laws are useful even if slower than Edwards!
34 2008 B. Birkner L. Peters: twisted Edwards curves Ü 2 + Ý 2 = 1 + Ü 2 Ý 2 cover all Montgomery curves. Almost as fast as = 1; brings Edwards speed to larger class of curves B. B. Joye L. P.: every elliptic curve over F Ô where 4 divides group order is (1 or 2)-isogenous to a twisted Edwards curve.
35 Statistics for many Ô ¾ 1 + 4Z, number of pairs ( ( ) # ): Curves total odd 2odd 4odd 8odd orig 1 24 Ô compl 1 2 Ô Ô Ed 2 3 Ô Ô twist 5 6 Ô Ô 4Z 5 6 Ô all 2Ô 2 3 Ô 1 2 Ô 1 8 Ô 3 16 Ô 3 16 Ô 3 16 Ô 12 Ô 5 12 Ô 3 16 Ô Different statistics for 3 + 4Z. Bad news: complete twisted Edwards complete Edwards!
36 Some Newton polygons Short Weierstrass Jacobi quartic Hessian Edwards 1893 Baker: genus is generically number of interior points Poonen Rodriguez-Villegas classified genus-1 polygons.
37 How to generalize Edwards? Design decision: want quadratic in Ü and in Ý. Design decision: want Ü Ý symmetry Curve shape (Ü + Ý) + 11ÜÝ + 20(Ü 2 + Ý 2 ) + 21ÜÝ(Ü + Ý) + 22Ü 2 Ý 2 = 0.
38 Suppose that 22 = 0: Genus 1 µ (1 1) is an interior point µ 21 = 0. Homogenize: ( + ) ( ) + 21 ( + ) = 0.
39 Points at ½ are ( : : 0) with 21 ( + ) = 0: i.e., (1 : 0 : 0), (0 : 1 : 0), (1 : 1 : 0). Study (1 : 0 : 0) by setting Ý =, Þ = in homogeneous curve equation: 00Þ (1 + Ý)Þ ÝÞ + 20(1 + Ý 2 )Þ + 21Ý(1 + Ý) = 0. Nonzero coefficient of Ý so (1 : 0 : 0) is nonsingular. Addition law cannot be complete (unless is tiny).
40 So we require 22 = 0. Points at ½ are ( : : 0) with = 0: i.e., (1 : 0 : 0), (0 : 1 : 0). Study (1 : 0 : 0) again: 00Þ (1 + Ý)Þ ÝÞ (1 + Ý 2 )Þ Ý(1 + Ý)Þ + 22Ý 2 = 0. Coefficients of 1 Ý Þ are 0 so (1 : 0 : 0) is singular.
41 Put Ý = ÙÞ, divide by Þ 2 to blow up singularity: 00Þ (1 + ÙÞ)Þ + 11ÙÞ + 20(1 + Ù 2 Þ 2 ) + 21Ù(1 + ÙÞ) + 22Ù 2 = 0. Substitute Þ = 0 to find points above singularity: Ù + 22Ù 2 = 0. We require the quadratic Ù + 22Ù 2 to be irreducible in. Special case: complete Edwards, 1 Ù 2 irreducible in.
42 In particular 20 = 0: Design decision: Explore a deviation from Edwards. Choose neutral element (0 0). 00 = 0; 10 = 0. Can vary neutral element. Warning: bad choice can produce surprisingly expensive negation.
43 Now have a Newton polygon for generalized Edwards curves: By scaling Ü Ý and scaling curve equation can limit to three degrees of freedom.
44 2008 B. L. Rezaeian Farashahi: complete addition law for binary Edwards curves 1(Ü + Ý) + 2(Ü 2 + Ý 2 ) = (Ü + Ü 2 )(Ý + Ý 2 ). Covers all ordinary elliptic curves over F 2 Ò for Ò 3. Also surprisingly fast, especially if 1 = 2.
45 2008 B. L. Rezaeian Farashahi: complete addition law for binary Edwards curves 1(Ü + Ý) + 2(Ü 2 + Ý 2 ) = (Ü + Ü 2 )(Ý + Ý 2 ). Covers all ordinary elliptic curves over F 2 Ò for Ò 3. Also surprisingly fast, especially if 1 = B. L.: complete addition law for another specialization covering all the NIST curves over non-binary fields.
46 Consider, e.g., the curve Ü 2 + Ý 2 = Ü + Ý + ØÜÝ + Ü 2 Ý 2 with = 1 and Ø = ½¼½ ¼ ½½½ ¾ ¾ ¾¼ ½ ¼ ¼ ½ ¼¾¼¾ ½ ½½ ¾¼½ over F Ô where Ô = Note: is non-square in F Ô. Birationally equivalent to standard NIST P-256 curve Ú 2 = Ù 3 3Ù + 6 where 6 = ½¼ ¾ ½ ¾½ ¾½¾ ¾ ½¾ ¼ ¼ ¾ ¼ ½½ ½¼½ ¾ ¾ ½ ¼ ¼½¾ ½.
47 An addition law for Ü 2 + Ý 2 = Ü + Ý + ØÜÝ + Ü 2 Ý 2, complete if is not a square: Ü1 + Ü2 + (Ø 2)Ü1Ü2 + (Ü1 Ý1)(Ü2 Ý2) + Ü3 = Ü 2 1 (Ü 2Ý1 + Ü2Ý2 Ý1Ý2) 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) ; Ý1 + Ý2 + (Ø 2)Ý1Ý2 + (Ý1 Ü1)(Ý2 Ü2) + Ý3 = Ý 2 1 (Ý 2Ü1 + Ý2Ü2 Ü1Ü2) 1 2 Ý1Ý2Ü2 Ý 2 1 (Ý 2 + Ü2 + (Ø 2)Ý2Ü2).
48 Note on computing addition laws: An easy Magma script uses Riemann Roch to find addition law given a curve shape. Are those laws nice? No! Find lower-degree laws by Monagan Pearce algorithm, ISSAC 2006; or by evaluation at random points on random curves. Are those laws complete? No! But always seems easy to find complete addition laws among low-degree laws where denominator constant term = 0.
49 Birational equivalence from Ü 2 + Ý 2 = Ü + Ý + ØÜÝ + Ü 2 Ý 2 to Ú 2 (Ø + 2)ÙÚ + Ú = Ù 3 (Ø+2)Ù 2 Ù+(Ø+2) i.e. Ú 2 (Ø + 2)ÙÚ + Ú = (Ù 2 )(Ù (Ø + 2)): Ù = ( ÜÝ + Ø + 2) (Ü + Ý); Ú = ((Ø + 2)2 )Ü (Ø + 2)ÜÝ + Ü + Ý. Assuming Ø + 2 square, not: only exceptional point is (0 0), mapping to ½. Inverse: Ü = Ú (Ù 2 ); Ý = ((Ø + 2)Ù Ú ) (Ù 2 ).
50 Completeness Ü1 + Ü2 + (Ø 2)Ü1Ü2 + (Ü1 Ý1)(Ü2 Ý2) + Ü3 = Ü 2 1 (Ü 2Ý1 + Ü2Ý2 Ý1Ý2) 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) ; Ý1 + Ý2 + (Ø 2)Ý1Ý2 + (Ý1 Ü1)(Ý2 Ü2) + Ý3 = Ý 2 1 (Ý 2Ü1 + Ý2Ü2 Ü1Ü2) 1 2 Ý1Ý2Ü2 Ý 2 1 (Ý 2 + Ü2 + (Ø 2)Ý2Ü2). Can denominators be 0?
51 Only if is a square! Theorem: Assume that is a field with 2 = 0; Ø Ü1 Ý1 Ü2 Ý2 ¾ ; is not a square in ; 27 = (2 Ø) 3 ; Ü Ý2 1 = Ü 1+ Ý1+ ØÜ1Ý1+ Ü 2 1 Ý2 1 ; Ü Ý2 2 = Ü 2+ Ý2+ ØÜ2Ý2+ Ü 2 2 Ý2 2. Then 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0.
52 Only if is a square! Theorem: Assume that is a field with 2 = 0; Ø Ü1 Ý1 Ü2 Ý2 ¾ ; is not a square in ; 27 = (2 Ø) 3 ; Ü Ý2 1 = Ü 1+ Ý1+ ØÜ1Ý1+ Ü 2 1 Ý2 1 ; Ü Ý2 2 = Ü 2+ Ý2+ ØÜ2Ý2+ Ü 2 2 Ý2 2. Then 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0. By Ü Ý symmetry also 1 2 Ý1Ý2Ü2 Ý 1 2(Ý 2 + Ü2 + (Ø 2)Ý2Ü2) = 0.
53 Proof: Suppose that 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0.
54 Proof: Suppose that 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0. Note that Ü1 = 0.
55 Proof: Suppose that 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0. Note that Ü1 = 0. Use curve equation 2 to see that (1 Ü1Ü2Ý2) 2 = Ü 2 1 (Ü 2 Ý2) 2.
56 Proof: Suppose that 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0. Note that Ü1 = 0. Use curve equation 2 to see that (1 Ü1Ü2Ý2) 2 = Ü 2 1 (Ü 2 Ý2) 2. By hypothesis is non-square so Ü 2 1 (Ü 2 Ý2) 2 = 0 and (1 Ü1Ü2Ý2) 2 = 0.
57 Proof: Suppose that 1 2 Ü1Ü2Ý2 Ü 2 1 (Ü 2 + Ý2 + (Ø 2)Ü2Ý2) = 0. Note that Ü1 = 0. Use curve equation 2 to see that (1 Ü1Ü2Ý2) 2 = Ü 2 1 (Ü 2 Ý2) 2. By hypothesis is non-square so Ü 2 1 (Ü 2 Ý2) 2 = 0 and (1 Ü1Ü2Ý2) 2 = 0. Hence Ü2 = Ý2 and 1 = Ü1Ü2Ý2.
58 Curve equation 1 times 1 Ü 2 1 : 1 + Ý 2 1 Ü2 1 = 1 Ü1 + Ý1(1 Ü Ø Ü 1) + Ý 2 1.
59 Curve equation 1 times 1 Ü 2 1 : 1 + Ý 1 2 Ü2 1 = 1 Ü1 + Ý1(1 Ü Ø Ü 1) + Ý 1 2. Substitute 1 Ü1 = Ü 2 2 : Ý 1 2 Ü4 2 = Ü Ý 1( Ü Ü2 2 Ø) + Ý2 1.
60 Curve equation 1 times 1 Ü 2 1 : 1 + Ý 1 2 Ü2 1 = 1 Ü1 + Ý1(1 Ü Ø Ü 1) + Ý 1 2. Substitute 1 Ü1 = Ü 2 2 : Ý 1 2 Ü4 2 = Ü Ý 1( Ü Ü2 2 Ø) + Ý2 1. Substitute 2Ü 2 2 = 2Ü 2 + ØÜ Ü4 2 : (1 Ý1Ü 2 2 )2 = (Ü2 Ý1) 2.
61 Curve equation 1 times 1 Ü 2 1 : 1 + Ý 1 2 Ü2 1 = 1 Ü1 + Ý1(1 Ü Ø Ü 1) + Ý 1 2. Substitute 1 Ü1 = Ü 2 2 : Ý 1 2 Ü4 2 = Ü Ý 1( Ü Ü2 2 Ø) + Ý2 1. Substitute 2Ü 2 2 = 2Ü 2 + ØÜ Ü4 2 : (1 Ý1Ü 2 2 )2 = (Ü2 Ý1) 2. Thus Ü2 = Ý1 and 1 = Ý1Ü 2 2. Hence 1 = Ü 3 2.
62 Curve equation 1 times 1 Ü 2 1 : 1 + Ý 1 2 Ü2 1 = 1 Ü1 + Ý1(1 Ü Ø Ü 1) + Ý 1 2. Substitute 1 Ü1 = Ü 2 2 : Ý 1 2 Ü4 2 = Ü Ý 1( Ü Ü2 2 Ø) + Ý2 1. Substitute 2Ü 2 2 = 2Ü 2 + ØÜ Ü4 2 : (1 Ý1Ü 2 2 )2 = (Ü2 Ý1) 2. Thus Ü2 = Ý1 and 1 = Ý1Ü 2 2. Hence 1 = Ü 3 2. Now 2Ü 2 2 = 2Ü 2 + ØÜ Ü 2 so 3 = (2 Ø)Ü2 so 27 = (2 Ø) 3. Contradiction.
63 What s next? Make the mathematicians happy: Prove that all curves are covered; should be easy using Weil and rational param. Make the computer happy: Find faster complete laws. Latest news, B. Kohel L.: Have complete addition law for twisted Hessian curves Ü 3 + Ý = 3 ÜÝ when is non-cube. Close in speed to Edwards and covers different curves.
Models of Elliptic Curves
Models of Elliptic Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 26.03.2009 D. J. Bernstein & T. Lange
More informationEdwards coordinates for elliptic curves, part 1
Edwards coordinates for elliptic curves, part 1 Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org joint work with Daniel J. Bernstein 19.10.2007 Tanja Lange http://www.hyperelliptic.org/tanja/newelliptic/
More informationElliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein
Elliptic curves Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Diffie-Hellman key exchange Pick some generator. Diffie-Hellman key exchange Pick some generator. Diffie-Hellman
More informationInverted Edwards coordinates
Inverted Edwards coordinates Daniel J. Bernstein 1 and Tanja Lange 2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at Chicago, Chicago, IL 60607 7045, USA
More informationParameterization of Edwards curves on the rational field Q with given torsion subgroups. Linh Tung Vo
Parameterization of Edwards curves on the rational field Q with given torsion subgroups Linh Tung Vo Email: vtlinh@bcy.gov.vn Abstract. This paper presents the basic concepts of the Edwards curves, twisted
More informationPublic-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.
Public-key cryptography and the Discrete-Logarithm Problem Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Cryptography Let s understand what our browsers do. Schoolbook
More informationCORRESPONDENCE BETWEEN ELLIPTIC CURVES IN EDWARDS-BERNSTEIN AND WEIERSTRASS FORMS
CORRESPONDENCE BETWEEN ELLIPTIC CURVES IN EDWARDS-BERNSTEIN AND WEIERSTRASS FORMS DEPARTMENT OF MATHEMATICS AND STATISTICS UNIVERSITY OF OTTAWA SUPERVISOR: PROFESSOR MONICA NEVINS STUDENT: DANG NGUYEN
More informationTwisted Hessian curves
Twisted Hessian curves Daniel J. Bernstein 1,2, Chitchanok Chuengsatiansup 1, David Kohel 3, and Tanja Lange 1 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O. Box
More informationEdwards Curves and the ECM Factorisation Method
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and
More informationHyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago
Hyperelliptic-curve cryptography D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS 0140542 NSF ITR 0716498 Alfred P. Sloan Foundation Two parts to this talk: 1. Elliptic curves; modern
More informationSide-channel attacks and countermeasures for curve based cryptography
Side-channel attacks and countermeasures for curve based cryptography Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org 28.05.2007 Tanja Lange SCA on curves p. 1 Overview Elliptic curves
More informationECM using Edwards curves
ECM using Edwards curves Daniel J. Bernstein 1, Peter Birkner 2, Tanja Lange 2, and Christiane Peters 2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at
More information(which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography)
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit
More informationFinding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago
The number-field sieve Finding small factors of integers Speed of the number-field sieve D. J. Bernstein University of Illinois at Chicago Prelude: finding denominators 87366 22322444 in R. Easily compute
More informationSpeeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago
Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases D. J. Bernstein University of Illinois at Chicago NSF ITR 0716498 Part I. Linear maps Consider computing 0
More informationElliptic Curves Spring 2013 Lecture #12 03/19/2013
18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring
More informationA New Model of Binary Elliptic Curves with Fast Arithmetic
A New Model of Binary Elliptic Curves with Fast Arithmetic Hongfeng Wu 1 Chunming Tang 2 and Rongquan Feng 2 1 College of Science North China University of technology Beijing 100144 PR China whfmath@gmailcom
More informationElliptic curves - Edwards curves
Elliptic curves - Edwards curves Robert Rolland May 9, 2011 ACrypTA - eriscs - IML web: http://www.acrypta.fr/ This presentation uses the Beamer L A TEXclass Robert Rolland () Elliptic curves - Edwards
More informationA normal form for elliptic curves in characteristic 2
A normal form for elliptic curves in characteristic 2 David R. Kohel Institut de Mathématiques de Luminy Arithmetic, Geometry, Cryptography et Coding Theory 2011 CIRM, Luminy, 15 March 2011 Edwards model
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationDistinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago
Distinguishing prime numbers from composite numbers: the state of the art D. J. Bernstein University of Illinois at Chicago Is it easy to determine whether a given integer is prime? If easy means computable
More informationD. J. Bernstein University of Illinois at Chicago
Algorithms for primes D. J. Bernstein University of Illinois at Chicago Some literature: Recognizing primes: 1982 Atkin Larson On a primality test of Solovay and Strassen ; 1995 Atkin Intelligent primality
More informationECM using Edwards curves
ECM using Edwards curves Daniel J. Bernstein 1, Peter Birkner 2, Tanja Lange 2, and Christiane Peters 2 1 Department of Computer Science (MC 152) University of Illinois at Chicago, Chicago, IL 60607 7053,
More informationFaster Group Operations on Elliptic Curves
Faster Group Operations on Elliptic Curves Huseyin Hisil 1 Kenneth Koon-Ho Wong 1 Gary Carter 1 Ed Dawson 1 1 Information Security Institute, Queensland University of Technology, Brisbane, QLD, Australia,
More informationTwisted Jacobi Intersections Curves
Twisted Jacobi Intersections Curves Rongquan Feng 1, Menglong Nie 1, Hongfeng Wu 2 1 LMAM, School of Mathematical Sciences, Peking University, Beijing 100871, P.R. China 2 Academy of Mathematics and Systems
More informationINVERTED BINARY EDWARDS COORDINATES (MAIRE MODEL OF AN ELLIPTIC CURVE)
INVERTED BINARY EDWARDS COORDINATES (MAIRE MODEL OF AN ELLIPTIC CURVE) by STEVEN M. MAIRE Submitted in partial fulfillment of the requirements for the degree of Master of Science Dissertation Advisor:
More informationElliptic curves in Huff s model
Elliptic curves in Huff s model Hongfeng Wu 1, Rongquan Feng 1 College of Sciences, North China University of Technology, Beijing 1001, China whfmath@gmailcom LMAM, School of Mathematical Sciences, Peking
More informationArithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products
1 Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products David Kohel Institut de Mathématiques de Luminy International Workshop on Codes and Cryptography 2011 Qingdao, 2 June
More informationPARAMETRIZATIONS FOR FAMILIES OF ECM-FRIENDLY CURVES
PARAMETRIZATIONS FOR FAMILIES OF ECM-FRIENDLY CURVES ALEXANDRE GÉLIN, THORSTEN KLEINJUNG, AND ARJEN K. LENSTRA Abstract. We provide a new family of elliptic curves that results in a one to two percent
More informationDifferential Addition in generalized Edwards Coordinates
Differential Addition in generalized Edwards Coordinates Benjamin Justus and Daniel Loebenberger Bonn-Aachen International Center for Information Technology Universität Bonn 53113 Bonn Germany Abstract.
More informationMappings of elliptic curves
Mappings of elliptic curves Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Isogenies of Elliptic Curves
More informationIntroduction to Arithmetic Geometry
Introduction to Arithmetic Geometry 18.782 Andrew V. Sutherland September 5, 2013 What is arithmetic geometry? Arithmetic geometry applies the techniques of algebraic geometry to problems in number theory
More informationECDLP course. Daniel J. Bernstein University of Illinois at Chicago. Tanja Lange Technische Universiteit Eindhoven
ECDLP course Daniel J. Bernstein University of Illinois at Chicago Tanja Lange Technische Universiteit Eindhoven Main goal of this course: We are the attackers. We want to break ECC. Enemy: ECC users.
More informationL-Polynomials of Curves over Finite Fields
School of Mathematical Sciences University College Dublin Ireland July 2015 12th Finite Fields and their Applications Conference Introduction This talk is about when the L-polynomial of one curve divides
More informationHyperelliptic curves
1/40 Hyperelliptic curves Pierrick Gaudry Caramel LORIA CNRS, Université de Lorraine, Inria ECC Summer School 2013, Leuven 2/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic
More informationECM at Work. Joppe W. Bos 1 and Thorsten Kleinjung 2. 1 Microsoft Research, Redmond, USA
ECM at Work Joppe W. Bos 1 and Thorsten Kleinjung 2 1 Microsoft Research, Redmond, USA 2 Laboratory for Cryptologic Algorithms, EPFL, Lausanne, Switzerland 1 / 18 Security assessment of public-key cryptography
More informationOn hybrid SIDH schemes using Edwards and Montgomery curve arithmetic
On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic Michael Meyer 1,2, Steffen Reith 1, and Fabio Campos 1 1 Department of Computer Science, University of Applied Sciences Wiesbaden 2
More informationThe tangent FFT. D. J. Bernstein University of Illinois at Chicago
The tangent FFT D. J. Bernstein University of Illinois at Chicago Advertisement SPEED: Software Performance Enhancement for Encryption and Decryption A workshop on software speeds for secret-key cryptography
More informationPerformance evaluation of a new coordinate system for elliptic curves
Performance evaluation of a new coordinate system for elliptic curves Daniel J. Bernstein 1 and Tanja Lange 2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois
More informationECM at Work. Joppe W. Bos and Thorsten Kleinjung. Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 14
ECM at Work Joppe W. Bos and Thorsten Kleinjung Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 14 Motivation The elliptic curve method for integer factorization
More informationFACTORIZATION WITH GENUS 2 CURVES
MATHEMATICS OF COMPUTATION Volume 00, Number 0, Pages 000 000 S 005-5718(XX)0000-0 FACTORIZATION WITH GENUS CURVES ROMAIN COSSET Abstract. The elliptic curve method (ECM) is one of the best factorization
More informationStarfish on Strike. University of Illinois at Chicago, Chicago, IL , USA
Starfish on Strike Daniel J. Bernstein 1, Peter Birkner 2, and Tanja Lange 3 1 Department of Mathematics, Statistics, and Computer Science M/C 249) University of Illinois at Chicago, Chicago, IL 60607
More informationTwisted Edwards Curves Revisited
A version of this paper appears in Advances in Cryptology - ASIACRYPT 2008, LNCS Vol. 5350, pp. 326 343. J. Pieprzyk ed., Springer-Verlag, 2008. Twisted Edwards Curves Revisited Huseyin Hisil, Kenneth
More informationAttacking and defending the McEliece cryptosystem
Attacking and defending the McEliece cryptosystem (Joint work with Daniel J. Bernstein and Tanja Lange) Christiane Peters Technische Universiteit Eindhoven PQCrypto 2nd Workshop on Postquantum Cryptography
More informationThe factorization of RSA D. J. Bernstein University of Illinois at Chicago
The factorization of RSA-1024 D. J. Bernstein University of Illinois at Chicago Abstract: This talk discusses the most important tools for attackers breaking 1024-bit RSA keys today and tomorrow. The same
More informationEnumerating Curves of Genus 2 Over Finite Fields
Enumerating Curves of Genus 2 Over Finite Fields Presented by Rose K. Steinberg to The Faculty of the College of Arts and Sciences of The University of Vermont In Partial Fulfillment of the Requirements
More informationStructure of elliptic curves and addition laws
Structure of elliptic curves and addition laws David R. Kohel Institut de Mathématiques de Luminy Barcelona 9 September 2010 Elliptic curve models We are interested in explicit projective models of elliptic
More informationComparison of Elliptic Curve and Edwards Curve
CS90G - PROJECT REPORT Comparison of Elliptic Curve and Edwards Curve Shivapriya Hiremath, Stephanie Smith June 14, 013 1 INTRODUCTION In this project we have implemented the Elliptic Curve and Edwards
More informationEfficient arithmetic on elliptic curves in characteristic 2
Efficient arithmetic on elliptic curves in characteristic 2 David Kohel arxiv:1601.03669v1 [math.nt] 14 Jan 2016 Institut de Mathématiques de Luminy Université d Aix-Marseille 163, avenue de Luminy, Case
More informationSide-Channel Attacks in ECC: A General Technique for Varying the Parametrization of the Elliptic Curve
Side-Channel Attacks in ECC: A General Technique for Varying the Parametrization of the Elliptic Curve Loren D. Olson Dept. of Mathematics and Statistics University of Tromsø N-9037 Tromsø, Norway Abstract.
More informationCode-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security
More informationINFINITY: CARDINAL NUMBERS
INFINITY: CARDINAL NUMBERS BJORN POONEN 1 Some terminology of set theory N := {0, 1, 2, 3, } Z := {, 2, 1, 0, 1, 2, } Q := the set of rational numbers R := the set of real numbers C := the set of complex
More informationHypersurfaces and the Weil conjectures
Hypersurfaces and the Weil conjectures Anthony J Scholl University of Cambridge 13 January 2010 1 / 21 Number theory What do number theorists most like to do? (try to) solve Diophantine equations x n +
More informationResolution of Singularities in Algebraic Varieties
Resolution of Singularities in Algebraic Varieties Emma Whitten Summer 28 Introduction Recall that algebraic geometry is the study of objects which are or locally resemble solution sets of polynomial equations.
More informationHashing into Hessian Curves
Hashing into Hessian Curves Reza Rezaeian Farashahi Department of Computing Macquarie University Sydney, NSW 109, Australia Abstract We describe a hashing function from the elements of the finite field
More informationToric forms of elliptic curves and their arithmetic
Toric forms of elliptic curves and their arithmetic Wouter Castryck Celestijnenlaan 200B - 3001 Heverlee (Leuven) - Belgium Frederik Vercauteren Kasteelpark Arenberg 10-3001 Heverlee (Leuven) - Belgium
More informationIntroduction to Arithmetic Geometry Fall 2013 Problem Set #10 Due: 12/3/2013
18.782 Introduction to Arithmetic Geometry Fall 2013 Problem Set #10 Due: 12/3/2013 These problems are related to the material covered in Lectures 21-22. I have made every effort to proof-read them, but
More informationDistinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago
Distinguishing prime numbers from composite numbers: the state of the art D. J. Bernstein University of Illinois at Chicago Is it easy to determine whether a given integer is prime? If easy means computable
More informationDivison Polynomials for Alternate Models of Elliptic Curves
Divison Polynomials for Alternate Models of Elliptic Curves Dustin Moody December 0 00 Abstract In this paper we find division polynomials for Huff curves Jacobi quartics and Jacobi intersections. These
More informationEigenvalues & Eigenvectors
Eigenvalues & Eigenvectors Page 1 Eigenvalues are a very important concept in linear algebra, and one that comes up in other mathematics courses as well. The word eigen is German for inherent or characteristic,
More informationParametrizations for Families of ECM-Friendly Curves
Parametrizations for Families of ECM-Friendly Curves Thorsten Kleinjung Arjen K. Lenstra Laboratoire d Informatique de Paris 6 Sorbonne Universités UPMC École Polytechnique Fédérale de Lausanne, EPFL IC
More informationSelecting Elliptic Curves for Cryptography Real World Issues
Selecting Elliptic Curves for Cryptography Real World Issues Michael Naehrig Cryptography Research Group Microsoft Research UW Number Theory Seminar Seattle, 28 April 2015 Elliptic Curve Cryptography 1985:
More informationDouble-base scalar multiplication revisited
Double-base scalar multiplication revisited Daniel J. Bernstein 1,2, Chitchanok Chuengsatiansup 1, and Tanja Lange 1 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O.
More informationWork sheet / Things to know. Chapter 3
MATH 251 Work sheet / Things to know 1. Second order linear differential equation Standard form: Chapter 3 What makes it homogeneous? We will, for the most part, work with equations with constant coefficients
More informationAsymptotically good sequences of codes and curves
Asymptotically good sequences of codes and curves Ruud Pellikaan Technical University of Eindhoven Soria Summer School on Computational Mathematics July 9, 2008 /k 1/29 Content: 8 Some algebraic geometry
More informationVARIETIES WITHOUT EXTRA AUTOMORPHISMS I: CURVES BJORN POONEN
VARIETIES WITHOUT EXTRA AUTOMORPHISMS I: CURVES BJORN POONEN Abstract. For any field k and integer g 3, we exhibit a curve X over k of genus g such that X has no non-trivial automorphisms over k. 1. Statement
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationHyperelliptic Curve Cryptography
Hyperelliptic Curve Cryptography A SHORT INTRODUCTION Definition (HEC over K): Curve with equation y 2 + h x y = f x with h, f K X Genus g deg h(x) g, deg f x = 2g + 1 f monic Nonsingular 2 Nonsingularity
More informationOn a Sequence of Nonsolvable Quintic Polynomials
1 3 47 6 3 11 Journal of Integer Sequences, Vol. 1 (009), Article 09..8 On a Sequence of Nonsolvable Quintic Polynomials Jennifer A. Johnstone and Blair K. Spearman 1 Mathematics and Statistics University
More informationBad reduction of genus 3 curves with Complex Multiplication
Bad reduction of genus 3 curves with Complex Multiplication Elisa Lorenzo García Universiteit Leiden Joint work with Bouw, Cooley, Lauter, Manes, Newton, Ozman. October 1, 2015 Elisa Lorenzo García Universiteit
More informationTorsion Points of Elliptic Curves Over Number Fields
Torsion Points of Elliptic Curves Over Number Fields Christine Croll A thesis presented to the faculty of the University of Massachusetts in partial fulfillment of the requirements for the degree of Bachelor
More informationHOME ASSIGNMENT: ELLIPTIC CURVES OVER FINITE FIELDS
HOME ASSIGNMENT: ELLIPTIC CURVES OVER FINITE FIELDS DANIEL LARSSON CONTENTS 1. Introduction 1 2. Finite fields 1 3. Elliptic curves over finite fields 3 4. Zeta functions and the Weil conjectures 6 1.
More informationFully Deterministic ECM
Fully Deterministic ECM Iram Chelli LORIA (CNRS) - CACAO Supervisor: P. Zimmermann September 23, 2009 Introduction The Elliptic Curve Method (ECM) is currently the best-known general-purpose factorization
More informationDaniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven. Tanja Lange Technische Universiteit Eindhoven
ECCHacks: a gentle introduction to elliptic-curve cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange Technische Universiteit Eindhoven ecchacks.cr.yp.to
More informationAlgebra. Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed.
This document was written and copyrighted by Paul Dawkins. Use of this document and its online version is governed by the Terms and Conditions of Use located at. The online version of this document is
More informationIsogeny invariance of the BSD conjecture
Isogeny invariance of the BSD conjecture Akshay Venkatesh October 30, 2015 1 Examples The BSD conjecture predicts that for an elliptic curve E over Q with E(Q) of rank r 0, where L (r) (1, E) r! = ( p
More informationA Few Primality Testing Algorithms
A Few Primality Testing Algorithms Donald Brower April 2, 2006 0.1 Introduction These notes will cover a few primality testing algorithms. There are many such, some prove that a number is prime, others
More informationLECTURE 2 FRANZ LEMMERMEYER
LECTURE 2 FRANZ LEMMERMEYER Last time we have seen that the proof of Fermat s Last Theorem for the exponent 4 provides us with two elliptic curves (y 2 = x 3 + x and y 2 = x 3 4x) in the guise of the quartic
More informationORDERS OF UNITS IN MODULAR ARITHMETIC
ORDERS OF UNITS IN MODULAR ARITHMETIC KEITH CONRAD. Introduction If a mod m is a unit then a ϕ(m) mod m by Euler s theorem. Depending on a, it might happen that a n mod m for a positive integer n that
More informationTangent spaces, normals and extrema
Chapter 3 Tangent spaces, normals and extrema If S is a surface in 3-space, with a point a S where S looks smooth, i.e., without any fold or cusp or self-crossing, we can intuitively define the tangent
More informationSection September 6, If n = 3, 4, 5,..., the polynomial is called a cubic, quartic, quintic, etc.
Section 2.1-2.2 September 6, 2017 1 Polynomials Definition. A polynomial is an expression of the form a n x n + a n 1 x n 1 + + a 1 x + a 0 where each a 0, a 1,, a n are real numbers, a n 0, and n is a
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationClass numbers of algebraic function fields, or Jacobians of curves over finite fields
Class numbers of algebraic function fields, or Jacobians of curves over finite fields Anastassia Etropolski February 17, 2016 0 / 8 The Number Field Case The Function Field Case Class Numbers of Number
More information9. Birational Maps and Blowing Up
72 Andreas Gathmann 9. Birational Maps and Blowing Up In the course of this class we have already seen many examples of varieties that are almost the same in the sense that they contain isomorphic dense
More informationTheoretical Cryptography, Lecture 13
Theoretical Cryptography, Lecture 13 Instructor: Manuel Blum Scribe: Ryan Williams March 1, 2006 1 Today Proof that Z p has a generator Overview of Integer Factoring Discrete Logarithm and Quadratic Residues
More informationThe Cone Theorem. Stefano Filipazzi. February 10, 2016
The Cone Theorem Stefano Filipazzi February 10, 2016 These notes are supposed to be a handout for the student seminar in algebraic geometry at the University of Utah. In this seminar, we will give an overview
More informationTheorem 6.1 The addition defined above makes the points of E into an abelian group with O as the identity element. Proof. Let s assume that K is
6 Elliptic curves Elliptic curves are not ellipses. The name comes from the elliptic functions arising from the integrals used to calculate the arc length of ellipses. Elliptic curves can be parametrised
More informationWe have been going places in the car of calculus for years, but this analysis course is about how the car actually works.
Analysis I We have been going places in the car of calculus for years, but this analysis course is about how the car actually works. Copier s Message These notes may contain errors. In fact, they almost
More informationarxiv: v1 [math.nt] 31 Dec 2011
arxiv:1201.0266v1 [math.nt] 31 Dec 2011 Elliptic curves with large torsion and positive rank over number fields of small degree and ECM factorization Andrej Dujella and Filip Najman Abstract In this paper,
More informationFOUNDATIONS OF ALGEBRAIC GEOMETRY CLASS 45
FOUNDATIONS OF ALGEBRAIC GEOMETRY CLASS 45 RAVI VAKIL CONTENTS 1. Hyperelliptic curves 1 2. Curves of genus 3 3 1. HYPERELLIPTIC CURVES A curve C of genus at least 2 is hyperelliptic if it admits a degree
More informationLinear Least-Squares Data Fitting
CHAPTER 6 Linear Least-Squares Data Fitting 61 Introduction Recall that in chapter 3 we were discussing linear systems of equations, written in shorthand in the form Ax = b In chapter 3, we just considered
More informationSome elliptic curves from the real world
Some elliptic curves from the real world Bas Edixhoven Universiteit Leiden 2015/06/18 mathematics colloquium Luxembourg and the conference Frontiers in Serre s modularity conjecture Bas Edixhoven (Universiteit
More informationSECTION 7.4: PARTIAL FRACTIONS. These Examples deal with rational expressions in x, but the methods here extend to rational expressions in y, t, etc.
SECTION 7.4: PARTIAL FRACTIONS (Section 7.4: Partial Fractions) 7.14 PART A: INTRO A, B, C, etc. represent unknown real constants. Assume that our polynomials have real coefficients. These Examples deal
More information2 = = 0 Thus, the number which is largest in magnitude is equal to the number which is smallest in magnitude.
Limits at Infinity Two additional topics of interest with its are its as x ± and its where f(x) ±. Before we can properly discuss the notion of infinite its, we will need to begin with a discussion on
More informationRational Points on Conics, and Local-Global Relations in Number Theory
Rational Points on Conics, and Local-Global Relations in Number Theory Joseph Lipman Purdue University Department of Mathematics lipman@math.purdue.edu http://www.math.purdue.edu/ lipman November 26, 2007
More informationPairing computation on Edwards curves with high-degree twists
Pairing computation on Edwards curves with high-degree twists Liangze Li 1, Hongfeng Wu 2, Fan Zhang 1 1 LMAM, School of Mathematical Sciences, Peking University, Beijing 100871, China 2 College of Sciences,
More informationIntroduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013
18.78 Introduction to Arithmetic Geometry Fall 013 Lecture #4 1/03/013 4.1 Isogenies of elliptic curves Definition 4.1. Let E 1 /k and E /k be elliptic curves with distinguished rational points O 1 and
More informationCHAPTER 3: THE INTEGERS Z
CHAPTER 3: THE INTEGERS Z MATH 378, CSUSM. SPRING 2009. AITKEN 1. Introduction The natural numbers are designed for measuring the size of finite sets, but what if you want to compare the sizes of two sets?
More informationCS 259C/Math 250: Elliptic Curves in Cryptography Homework 1 Solutions. 3. (a)
CS 259C/Math 250: Elliptic Curves in Cryptography Homework 1 Solutions 1. 2. 3. (a) 1 (b) (c) Alternatively, we could compute the orders of the points in the group: (d) The group has 32 elements (EF.order()
More informationArithmetic Mirror Symmetry
Arithmetic Mirror Symmetry Daqing Wan April 15, 2005 Institute of Mathematics, Chinese Academy of Sciences, Beijing, P.R. China Department of Mathematics, University of California, Irvine, CA 92697-3875
More information