Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products
|
|
- Erica Dean
- 5 years ago
- Views:
Transcription
1 1 Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products David Kohel Institut de Mathématiques de Luminy International Workshop on Codes and Cryptography 2011 Qingdao, 2 June 2011
2 Elliptic curve scalar multiplication The cryptographic use of elliptic curves over finite fields in place of the multiplicative group of a finite field in cryptography, in an ElGamal or Diffie Hellman protocol, is based on performance relative to security. For the same security level, one can take a significantly smaller sized field which compensates for the additional complexity of elliptic curve operations. On the other hand, the additional complexity of addition on elliptic curves leaves room for more sophisticated ideas for minimizing its cost. In the Diffie Hellman protocol, it suffices to have a scalar multiplication P np, rather than a group. Here we focus on the arithmetic of the Kummer curve and split Kummer surface K 1 = E/ 1, and K 2 = E E/ ( 1, 1). which admit scalar multiplications (induced from E). 2
3 Montogomery scalar multiplication Let A be an additive abelian group and M 2 (Z) End(A 2 ), such that ( ) a b α(x, y) = (ax + by, cx + dy) where α = c d Define endomorphisms σ by σ(x, y) = (y, x) and ϕ i by ( ) ( ϕ = ϕ 0 =, and ϕ = σ ϕ σ = 1 1 The Montgomery ladder for scalar multiplication by an integer n is expressed on A 2 by the recursion v r = (x, 0) and v i = ϕ ni (v i+1 ) for i = r 1,..., 1, 0, ), where n has binary representation n r 1... n 1 n 0. 3
4 Montogomery endomorphism The successive steps v i in the ladder are of the form ((k + 1)x, kx) and v 0 = (nx, (n 1)x), from which we output nx. We refer to ϕ (= ϕ 0 and ϕ 1 ) as the Montgomery endomorphism(s). Example. For n = 13 = , we have (x, 0) ϕ 1 (2x, x) ϕ 1 (4x, 3x) ϕ 0 (7x, 6x) ϕ 1 (13x, 12x) Moreover, since 1 is an automorphism in the center of M 2 (Z), an endomorphism of A 2 also acts on the quotient A 2 / 1. In particular, we will derive expressions for certain endomorphisms of the split Kummer surface associated to an elliptic curve E (as a means of computing ϕ), when E is in Edwards normal form. 4
5 5 Montgomery endomorphism factorizations There exists a close relation between the Montgomery endomorphism ϕ and another endomorphism ρ: ( ) ( ) ϕ = and ρ = Both have determinant 2, up to sign, but the symmetry properties of ρ make it more suitable for its efficient evaluation in the context of elliptic curve products. We observe that τ(x, y) = (x + y, y) determined by a single addition allows us to compute ϕ: ( ) ( )( )( ) ϕ 1 = = τ σ ρ =, and ϕ = σ ϕ 1 σ (where the cost of σ is trivial).
6 Application to Kummer quotients Prior work has considered Montgomery addition in relation to the Kummer curves (of a Weierstrass model): K 1 = E/{±1} = P 1, determined by the quotient π(= x) : E K 1. Such work is usually expresses as operating only on the x-coordinate. Caution: Due to an unfortunate choice of coordinate names, an Edwards curve has the traditional roles of the functions x and y reversed: x is anti-invariant and y invariant under [ 1]. Thus for an Edwards curve, eliminating the x-coordinate refers to the Kummer quotient π(= y) : E K 1. This Kummer curve approaches focus on arithmetic of K 1 and the full quotient K1 2 ; we introduce the study of the intermediate surface K 2 : E 2 K 2 = E 2 / ( 1, 1) K 2 1 = E 2 / (±1, ±1). 6
7 Kummer quotients and endomorphisms In the study of the arithmetic of Kummer quotients, the endomorphism of E 2, ( ) 1 1 ρ = 1 1 satisfying ρ 2 = 2, plays an important role. The successive quotients, and the endomorphism ρ, give a hierarchy of commuting maps E 2 ρ E 2 ρ K 2 K 2 K 2 1 K 2 1. Note that ρ induces an endomorphism of K 2, also denoted ρ, but no such map is induced on K
8 8 Differential addition of Kummer quotients Although ρ does not extend to an endomorphism of K1 2 we obtain a system of polynomial equations in K1 2 K2 1 from the graph: Γ ρ = {( (P, Q), ρ(p, Q) ) : (P, Q) E 2} E 2 E 2, where ρ(p, Q) = (P + Q, P Q). We denote by Γ ρ the image of Γ ρ in K 2 or K 2 1. One recovers π(p + Q) by specializing this system at known points π(p ), π(q), π(p Q). Such an interpolation algorithm is called a pseudo-addition or differential addition on K 1.
9 9 Edwards model for elliptic curves In 2007, Edwards introduced a new model for elliptic curves, defined by the affine model x 2 + y 2 = a 2 (1 + z 2 ), z = xy, over any field k of characteristic different from 2. The complete linear system associated to the degree 4 model determines a nonsingular model in P 3 with identity O = (1 : 0 : a : 0): a 2 (X X2 3 ) = X2 1 + X2 2, X 0X 3 = X 1 X 2, as a family of curves over k(a) = k(x(4)). Lange and Bernstein introduced a rescaling to descend to k(d) = k(a 4 ) = k(x 1 (4)), and subsequently (with Joye, Birkner, and Peters) a quadratic twist by c, to define the twisted Edwards model with O = (1 : 0 : 1 : 0): X dx2 3 = cx2 1 + X2 2, X 0X 3 = X 1 X 2.
10 10 Edwards model factorization The (twisted) Edwards model... X dx2 3 = cx2 1 + X2 2, X 0X 3 = X 1 X 2 with O = (1 : 0 : 1 : 0) admits a factorization S (π 1 π 2 ) = id through P 1 P 1, where π 1 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 1 ) = (X 2 : X 3 ), π 2 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 2 ) = (X 1 : X 3 ), and S : P 1 P 1 P 3 is the Segre embedding S((U 0 : U 1 ), (V 0 : V 1 )) = (U 0 V 0 : U 1 V 0 : U 0 V 1 : U 1 V 1 ). Remark: The inverse morphism is [ 1](X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 1 : X 2 : X 3 ), π 2 : E P 1 = K 1 is the Kummer quotient, and π 2 (O) = (1 : 1).
11 11 Edwards addition law The remarkable property of the Edwards model is that the composition of the addition morphism µ : E E E with each of the projectons π i : E P admits a basis of bilinear defining polynomials. For µ π 1, we have { } (X0 Y 0 + dx 3 Y 3, X 1 Y 2 + X 2 Y 1 ),, (cx 1 Y 1 + X 2 Y 2, X 0 Y 3 + X 3 Y 0 ) and for µ π 2, we have { (X1 Y 2 X 2 Y 1, X 0 Y 3 + X 3 Y 0 ), (X 0 Y 0 dx 3 Y 3, cx 1 Y 1 + X 2 Y 2 ) }. Addition laws given by polynomial maps of bidegree (2, 2) are recovered by composing with the Segre embedding.
12 Models for Kummer quotients The Edwards Kummer curve K 1 = P 1 is determined by the projection π 2 to (X 0 : X 2 ), however on K 1 we denote the coordinate functions (X 0 : X 1 ). The following lemma is a consequence of the addition law projection for π 2. Lemma The duplication morphism on E induces [2] : K 1 K 1, given by (X 0 : X 1 ) ((d 1)X 4 0 d(x 2 0 X 2 1) 2 : (X 2 0 X 2 1) 2 +(d 1)X 4 1). This polynomial map is unique and determines [2] everywhere. Remark. Clearly π 2 (O) = (1 : 1) maps to itself, and the pre-image of (1 : 1) are the solutions to X 4 0 (d + 1)X 2 0X dx 4 1 = (X 2 0 dx 2 1)(X 2 0 X 2 1) = 0, which are the equations cutting out E[2]. 12
13 13 Product Kummer curve model The Segre embedding maps a projective space product P r P s into a projective space P (r+1)(s+1) 1, given by ((X 0 : : X r ), (Y 0 : : Y s )) (X 0 Y 0 : X 1 Y 0 : : X r Y s ). For the Kummer curve product, this gives S : K 2 1 = P 1 P 1 P 3 ((X 0 : X 1 ), (Y 0 : Y 1 )) (X 0 Y 0 : X 1 Y 0 : X 0 Y 1 : X 1 Y 1 ) = (U 0 : U 1 : U 2 : U 3 ). whose image is U 0 U 3 = U 1 U 2. We use this representation for S(K 2 1 ) P3 and construct K 2 as a double cover: E 2 K 2 = E 2 / ( 1, 1) S(K 2 1) = K 2 1 = E 2 / (±1, ±1).
14 14 Split Kummer surface models We now describe the embeddings of K 2 as a double cover of K 2 1. Theorem The Kummer surface K 2 has a model as a hypersurface in K 2 1 P1 given by (X 2 0 X 2 1)(Y 2 0 Y 2 1 )Z 2 0 = (X 2 0 dx 2 1)(Y 2 0 dy 2 1 )Z 2 1, with base point π(o) = ((1 : 1), (1 : 1), (1 : 0)). Under the Segre embedding S : K 2 1 P3, this determines the variety in P 3 P 1 cut out by (U 2 0 U 2 1 U U 2 3 )Z 2 0 = (U 2 0 du 2 1 du d 2 U 2 3 )Z 2 1, on the hypersurface U 0 U 3 = U 1 U 2 defining S(K 2 1 ).
15 15 Edwards Kummer quotient maps Recall that E : X dx2 3 = X2 1 + X2 2, X 0X 3 = X 1 X 3 is an Edwards elliptic curve in P 3 with identity O = (1 : 0 : 1 : 0). For a pair (P, Q) = ( (X 0 : X 1 : X 2 : X 3 ), (Y 0 : Y 1 : Y 2 : Y 3 ) ), the projection E 2 K 2 K 2 1 P 1 is given by and π 1 (P, Q) = (X 0 : X 2 ), π 2 (P, Q) = (Y 0 : Y 2 ), π 3 (P, Q) = (X 0 Y 0 : X 1 Y 1 ) = (X 2 Y 0 : X 3 Y 1 ) = (X 0 Y 2 : X 1 Y 3 ) = (X 2 Y 2 : X 3 Y 3 ) = (Z 0 : Z 1 ). After composition with the Segre embedding, we find (P, Q) (X 0 Y 0 : X 2 Y 0 : X 0 Y 2 : X 2 Y 2 ) = (U 0 : U 1 : U 2 : U 3 ).
16 16 Kummer endomorphisms Recall that our objective is to compute ϕ 0 and ϕ 1, which can be defined by ϕ 1 = τ σ ρ and ϕ = σ ϕ 1 σ. For ρ (and τ) we describe explicit polynomial maps: ((U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 )) ((V 0 : V 1 : V 2 : V 3 ), (W 0 : W 1 )), for V i and W j, for which it suffices to define: π 1 ((V 0 : V 1 : V 2 : V 3 ), (W 0 : W 1 )) = (V 0 : V 1 ) = (V 2 : V 3 ), π 2 ((V 0 : V 1 : V 2 : V 3 ), (W 0 : W 1 )) = (V 0 : V 2 ) = (V 1 : V 3 ), π 3 ((V 0 : V 1 : V 2 : V 3 ), (W 0 : W 1 )) = (W 0 : W 1 ). The image point ((V 0 : V 1 : V 2 : V 3 ), (W 0 : W 1 )) requires the composition of the Segre embedding with (π 1 ρ) (π 2 ρ).
17 17 Kummer automorphism σ Theorem The automorphism σ is given on K 2 K1 2 P1 by ((X 0 : X 1 ), (Y 0 : Y 1 ), (Z 0 : Z 1 )) ((Y 0 : Y 1 ), (X 0 : X 1 ), (Z 0 : Z 1 )), and on K 2 S(K1 2) P1, by ((U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 )) ((U 0 : U 2 : U 1 : U 3 ), (Z 0 : Z 1 )). Note. This is on O(1) algorithm (change of pointers).
18 18 Kummer endomorphism ρ Theorem The projections of the endomorphism ρ : K 2 K 2 are uniquely represented by polynomials of bidegree (1, 1), (1, 1), and (2, 0), explicitly: π 1 ρ ( (U 0 : U 1 : U 2 : U 3 ),(Z 0 : Z 1 ) ) = (U 0 Z 0 du 3 Z 1 : U 0 Z 1 + U 3 Z 0 ) π 2 ρ ( (U 0 : U 1 : U 2 : U 3 ),(Z 0 : Z 1 ) ) = (U 0 Z 0 + du 3 Z 1 : U 0 Z 1 + U 3 Z 0 ) π 3 ρ ( (U 0 : U 1 : U 2 : U 3 ),(Z 0 : Z 1 ) ) Note. This is fast. = (U 2 0 du 2 3 : U U 2 2 )
19 Kummer endomorphism τ Theorem The projections π i τ : K 2 K 1, for 1 i 2, are uniquely represented by polynomials of bidegree (1, 1) and (1, 0), π 1 τ ( (U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 ) ) = (U 0 Z 0 du 3 Z 1 : U 0 Z 1 + U 3 Z 0 ), π 2 τ ( (U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 ) ) = (U 0 : U 2 ) = (U 1 : U 3 ), and π 3 τ ( (U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 ) ) is given by any linear combination of the expressions of bidegree (2, 1): ( (U 2 0 du 2 3 )Z 0 : (U 0 U 1 U 2 U 3 )Z 0 + (U 0 U 2 du 1 U 3 )Z 1 ) ( (U0 U 2 U 1 U 3 )Z 0 + (U 0 U 1 du 2 U 3 )Z 1 : (U 2 1 U 2 2 )Z 1) Note. This is not. 19
20 A Kummer pseudo-addition for ϕ The efficient computation of ϕ 1 = τ σ ρ : K 2 K 2 and ϕ 0 = σ ϕ 1 σ using the previous theorems is hindered by the expensive computation of the one bit of information lost in the map K 2 S(K1 2 ). But so far we haven t use the special properties of the sequence of points which arise in scalar multiplication. In the application we apply this map to a sequence (P, Q) = ((k + 1)T, kt ) for a fixed point T, hence we remain on the irreducible curve T = δ (T ) = {(P, Q) E 2 δ(p, Q) = T }, where δ is the difference morphism (δ(p, Q) = P Q). We can derive more efficient algorithms based on the restrictions to T. In particular note that ϕ determines a well-defined morphism ϕ T : T T. 20
21 21 Expressing ϕ T as a conjugate duplication More precisely, each ϕ i factors through the duplication map: T [2] T. In particular, setting τ T to be the translation by T map τ T (P ) = P + T, we have taking ϕ 0 = (τ T [1]) [2] (τ T [1]) 1 (P + T, P ) (P, P ) (2P, 2P ) (2P + T, 2P ), and similarly for ϕ 1 = ([1] τ T ) 1 [2] ([1] τ T ).
22 22 A Kummer differential morphism for ϕ T Theorem Let T = (T 0 : T 1 : T 2 : T 3 ) be a fixed point of E\E[2]. Then the restriction of ϕ to T S(K1 2 ) determines a morphism ϕ T : T T defined by ϕ T (U 0 : U 1 : U 2 : U 3 ) = S((S 0, S 1 ), (R 0, R 1 )), where (S 0, S 1 ) = ((U du 2 3 )T 0 2dU 0 U 3 T 2, 2U 0 U 3 T 0 (U du 2 3 )T 2), (R 0, R 1 ) = [2](U 0 : U 2 ) = ((d 1)U 4 0 d(u 2 0 U 2 2 )2, (U 2 0 U 2 2 )2 + (d 1)U 4 2 ). Note. This is relatively fast.
23 23 Lifting back from S(K 2 1) to K 2 and E 2 Let T = (T 0 : T 1 : T 2 : T 3 ) be a fixed point in E. When T is not in E[2], the quotient K 2 S(K1 2 ) is easily seen to be injective on T. Consequently there exists a lifting back to T K 2. Algebraically, it suffices to define (Z 0 : Z 1 ), which is given by: (Z 0 : Z 1 ) = (U 0 T 0 du 3 T 2 : U 0 T 2 U 3 T 0 ). As expected, this fails if and only if (T 0 : T 2 ) = (U 0 : U 3 ) and U0 2 du 3 2 this defines the 2-torsion subgroup E[2]. Similarly, the map T T K 2 is injective on all points except E[2] T = {(P + T, P ) : P E[2]}. This gives the following theorem.
24 24 Lifting T back to E 2 Theorem For all T be in E, the quotient T T K 2 is injective for all points outside of E[2] T T. The inverse ((X 0 : X 1 : X 2 : X 3 ), (Y 0 : Y 1 : Y 2 : Y 3 )) of ((U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 )) is defined by and then (Y 0 : Y 1 ) = (Y 2 : Y 3 ) = (U 2 T 0 U 1 T 2 : U 0 T 3 U 3 T 1 ) = (U 0 T 1 du 3 T 3 : U 1 T 0 + U 2 T 2 ) (Y 0 : Y 2 ) = (Y 1 : Y 3 ) = (U 0 : U 2 ) = (U 1 : U 3 ), (X 0 : X 1 ) = (X 2 : X 3 ) = (Y 0 T 0 + dy 3 T 3 : Y 1 T 2 + Y 2 T 1 ) = (Y 1 T 1 + Y 2 T 2 : Y 0 T 3 + Y 3 T 0 ) (X 0 : X 2 ) = (X 1 : X 3 ) = (U 0 : U 1 ) = (U 2 : U 3 ),
25 25 A lifted Kummer differential morphism for ϕ T Theorem Let T = (T 0 : T 1 : T 2 : T 3 ) be a fixed point of E\E[2]. Then the morphism ϕ T : T T is defined by ((U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 )) ((V 0 : V 1 : V 2 : V 3 ), (W 0 : W 1 )), where (V 0 : V 1 : V 2 : V 3 ) = S((S 0, S 1 ), (R 0, R 1 )) is determined by (S 0, S 1 ) = (U 0 Z 0 du 3 Z 1 : U 0 Z 1 + U 3 Z 0 ), (R 0, R 1 ) = [2](U 0 : U 2 ) = ((d 1)U 4 0 d(u 2 0 U 2 2 )2, (U 2 0 U 2 2 )2 + (d 1)U 4 2 ), and then (W 0 : W 1 ) = (V 0 T 0 dv 3 T 2 : V 0 T 2 V 3 T 0 ). Note. This is fast (compared to one addition and one doubling)?
A normal form for elliptic curves in characteristic 2
A normal form for elliptic curves in characteristic 2 David R. Kohel Institut de Mathématiques de Luminy Arithmetic, Geometry, Cryptography et Coding Theory 2011 CIRM, Luminy, 15 March 2011 Edwards model
More informationStructure of elliptic curves and addition laws
Structure of elliptic curves and addition laws David R. Kohel Institut de Mathématiques de Luminy Barcelona 9 September 2010 Elliptic curve models We are interested in explicit projective models of elliptic
More informationEfficient arithmetic on elliptic curves in characteristic 2
Efficient arithmetic on elliptic curves in characteristic 2 David Kohel arxiv:1601.03669v1 [math.nt] 14 Jan 2016 Institut de Mathématiques de Luminy Université d Aix-Marseille 163, avenue de Luminy, Case
More informationEdwards Curves and the ECM Factorisation Method
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and
More informationFast point multiplication algorithms for binary elliptic curves with and without precomputation
Fast point multiplication algorithms for binary elliptic curves with and without precomputation Thomaz Oliveira 1 Diego F. Aranha 2 Julio López 2 Francisco Rodríguez-Henríquez 1 1 CINVESTAV-IPN, Mexico
More informationParameterization of Edwards curves on the rational field Q with given torsion subgroups. Linh Tung Vo
Parameterization of Edwards curves on the rational field Q with given torsion subgroups Linh Tung Vo Email: vtlinh@bcy.gov.vn Abstract. This paper presents the basic concepts of the Edwards curves, twisted
More informationConnecting Legendre with Kummer and Edwards
Connecting Legendre with Kummer and Edwards Sabyasachi Karati icis Lab Department of Computer Science University of Calgary Canada e-mail: sabyasachi.karati@ucalgary.ca Palash Sarkar Applied Statistics
More informationHyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago
Hyperelliptic-curve cryptography D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS 0140542 NSF ITR 0716498 Alfred P. Sloan Foundation Two parts to this talk: 1. Elliptic curves; modern
More informationElliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.
Elliptic Curves I 1.0 Introduction The first three sections introduce and explain the properties of elliptic curves. A background understanding of abstract algebra is required, much of which can be found
More informationMappings of elliptic curves
Mappings of elliptic curves Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Isogenies of Elliptic Curves
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationOn hybrid SIDH schemes using Edwards and Montgomery curve arithmetic
On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic Michael Meyer 1,2, Steffen Reith 1, and Fabio Campos 1 1 Department of Computer Science, University of Applied Sciences Wiesbaden 2
More informationCORRESPONDENCE BETWEEN ELLIPTIC CURVES IN EDWARDS-BERNSTEIN AND WEIERSTRASS FORMS
CORRESPONDENCE BETWEEN ELLIPTIC CURVES IN EDWARDS-BERNSTEIN AND WEIERSTRASS FORMS DEPARTMENT OF MATHEMATICS AND STATISTICS UNIVERSITY OF OTTAWA SUPERVISOR: PROFESSOR MONICA NEVINS STUDENT: DANG NGUYEN
More informationLECTURE 7, WEDNESDAY
LECTURE 7, WEDNESDAY 25.02.04 FRANZ LEMMERMEYER 1. Singular Weierstrass Curves Consider cubic curves in Weierstraß form (1) E : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6, the coefficients a i
More informationCurves, Cryptography, and Primes of the Form x 2 + y 2 D
Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible.
More informationIntroduction to Arithmetic Geometry Fall 2013 Lecture #23 11/26/2013
18.782 Introduction to Arithmetic Geometry Fall 2013 Lecture #23 11/26/2013 As usual, a curve is a smooth projective (geometrically irreducible) variety of dimension one and k is a perfect field. 23.1
More informationFast arithmetic and pairing evaluation on genus 2 curves
Fast arithmetic and pairing evaluation on genus 2 curves David Freeman University of California, Berkeley dfreeman@math.berkeley.edu November 6, 2005 Abstract We present two algorithms for fast arithmetic
More informationFast Cryptography in Genus 2
Fast Cryptography in Genus 2 Joppe W. Bos, Craig Costello, Huseyin Hisil and Kristin Lauter EUROCRYPT 2013 Athens, Greece May 27, 2013 Fast Cryptography in Genus 2 Recall that curves are much better than
More informationElliptic Curves Spring 2013 Lecture #12 03/19/2013
18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring
More informationAdvanced Constructions in Curve-based Cryptography
Advanced Constructions in Curve-based Cryptography Benjamin Smith Team GRACE INRIA and Laboratoire d Informatique de l École polytechnique (LIX) Summer school on real-world crypto and privacy Sibenik,
More informationScalar multiplication in compressed coordinates in the trace-zero subgroup
Scalar multiplication in compressed coordinates in the trace-zero subgroup Giulia Bianco and Elisa Gorla Institut de Mathématiques, Université de Neuchâtel Rue Emile-Argand 11, CH-2000 Neuchâtel, Switzerland
More informationACCELERATING THE SCALAR MULTIPLICATION ON GENUS 2 HYPERELLIPTIC CURVE CRYPTOSYSTEMS
ACCELERATING THE SCALAR MULTIPLICATION ON GENUS 2 HYPERELLIPTIC CURVE CRYPTOSYSTEMS by Balasingham Balamohan A thesis submitted to the Faculty of Graduate and Postdoctoral Studies in partial fulfillment
More informationIntroduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013
18.78 Introduction to Arithmetic Geometry Fall 013 Lecture #4 1/03/013 4.1 Isogenies of elliptic curves Definition 4.1. Let E 1 /k and E /k be elliptic curves with distinguished rational points O 1 and
More informationElliptic curves in Huff s model
Elliptic curves in Huff s model Hongfeng Wu 1, Rongquan Feng 1 College of Sciences, North China University of Technology, Beijing 1001, China whfmath@gmailcom LMAM, School of Mathematical Sciences, Peking
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationCyclic Groups in Cryptography
Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic
More informationGenus 2 Curves of p-rank 1 via CM method
School of Mathematical Sciences University College Dublin Ireland and Claude Shannon Institute April 2009, GeoCrypt Joint work with Laura Hitt, Michael Naehrig, Marco Streng Introduction This talk is about
More informationDefinition of a finite group
Elliptic curves Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e *
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationCOMPLEX MULTIPLICATION: LECTURE 13
COMPLEX MULTIPLICATION: LECTURE 13 Example 0.1. If we let C = P 1, then k(c) = k(t) = k(c (q) ) and the φ (t) = t q, thus the extension k(c)/φ (k(c)) is of the form k(t 1/q )/k(t) which as you may recall
More informationIsogeny invariance of the BSD conjecture
Isogeny invariance of the BSD conjecture Akshay Venkatesh October 30, 2015 1 Examples The BSD conjecture predicts that for an elliptic curve E over Q with E(Q) of rank r 0, where L (r) (1, E) r! = ( p
More informationElliptic Curves and Public Key Cryptography
Elliptic Curves and Public Key Cryptography Jeff Achter January 7, 2011 1 Introduction to Elliptic Curves 1.1 Diophantine equations Many classical problems in number theory have the following form: Let
More informationSpeeding up the Scalar Multiplication on Binary Huff Curves Using the Frobenius Map
International Journal of Algebra, Vol. 8, 2014, no. 1, 9-16 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ija.2014.311117 Speeding up the Scalar Multiplication on Binary Huff Curves Using the
More informationFormal groups. Peter Bruin 2 March 2006
Formal groups Peter Bruin 2 March 2006 0. Introduction The topic of formal groups becomes important when we want to deal with reduction of elliptic curves. Let R be a discrete valuation ring with field
More informationSoftware implementation of Koblitz curves over quadratic fields
Software implementation of Koblitz curves over quadratic fields Thomaz Oliveira 1, Julio López 2 and Francisco Rodríguez-Henríquez 1 1 Computer Science Department, Cinvestav-IPN 2 Institute of Computing,
More informationDieudonné Modules and p-divisible Groups
Dieudonné Modules and p-divisible Groups Brian Lawrence September 26, 2014 The notion of l-adic Tate modules, for primes l away from the characteristic of the ground field, is incredibly useful. The analogous
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationArithmetic Progressions Over Quadratic Fields
Arithmetic Progressions Over Quadratic Fields Alexander Diaz, Zachary Flores, Markus Vasquez July 2010 Abstract In 1640 Pierre De Fermat proposed to Bernard Frenicle de Bessy the problem of showing that
More information14 From modular forms to automorphic representations
14 From modular forms to automorphic representations We fix an even integer k and N > 0 as before. Let f M k (N) be a modular form. We would like to product a function on GL 2 (A Q ) out of it. Recall
More informationc ij x i x j c ij x i y j
Math 48A. Class groups for imaginary quadratic fields In general it is a very difficult problem to determine the class number of a number field, let alone the structure of its class group. However, in
More informationSiegel Moduli Space of Principally Polarized Abelian Manifolds
Siegel Moduli Space of Principally Polarized Abelian Manifolds Andrea Anselli 8 february 2017 1 Recall Definition 11 A complex torus T of dimension d is given by V/Λ, where V is a C-vector space of dimension
More informationMontgomery curves and their arithmetic
Montgomery curves and their arithmetic The case of large characteristic fields Craig Costello Benjamin Smith A survey in tribute to Peter L. Montgomery Abstract Three decades ago, Montgomery introduced
More informationw d : Y 0 (N) Y 0 (N)
Upper half-plane formulas We want to explain the derivation of formulas for two types of objects on the upper half plane: the Atkin- Lehner involutions and Heegner points Both of these are treated somewhat
More informationThe Hilbert-Mumford Criterion
The Hilbert-Mumford Criterion Klaus Pommerening Johannes-Gutenberg-Universität Mainz, Germany January 1987 Last change: April 4, 2017 The notions of stability and related notions apply for actions of algebraic
More informationTheorem 6.1 The addition defined above makes the points of E into an abelian group with O as the identity element. Proof. Let s assume that K is
6 Elliptic curves Elliptic curves are not ellipses. The name comes from the elliptic functions arising from the integrals used to calculate the arc length of ellipses. Elliptic curves can be parametrised
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationTHE JOHNS HOPKINS UNIVERSITY Faculty of Arts and Sciences FINAL EXAM - SPRING SESSION ADVANCED ALGEBRA II.
THE JOHNS HOPKINS UNIVERSITY Faculty of Arts and Sciences FINAL EXAM - SPRING SESSION 2006 110.402 - ADVANCED ALGEBRA II. Examiner: Professor C. Consani Duration: 3 HOURS (9am-12:00pm), May 15, 2006. No
More informationHolomorphic line bundles
Chapter 2 Holomorphic line bundles In the absence of non-constant holomorphic functions X! C on a compact complex manifold, we turn to the next best thing, holomorphic sections of line bundles (i.e., rank
More informationAutomorphism Groups and Invariant Theory on PN
Automorphism Groups and Invariant Theory on PN Benjamin Hutz Department of Mathematics and Computer Science Saint Louis University January 9, 2016 JMM: Special Session on Arithmetic Dynamics joint work
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationFIELD THEORY. Contents
FIELD THEORY MATH 552 Contents 1. Algebraic Extensions 1 1.1. Finite and Algebraic Extensions 1 1.2. Algebraic Closure 5 1.3. Splitting Fields 7 1.4. Separable Extensions 8 1.5. Inseparable Extensions
More informationExplicit Complex Multiplication
Explicit Complex Multiplication Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Explicit CM Eindhoven,
More informationElliptic Curves Spring 2015 Lecture #23 05/05/2015
18.783 Elliptic Curves Spring 2015 Lecture #23 05/05/2015 23 Isogeny volcanoes We now want to shift our focus away from elliptic curves over C and consider elliptic curves E/k defined over any field k;
More information9. Birational Maps and Blowing Up
72 Andreas Gathmann 9. Birational Maps and Blowing Up In the course of this class we have already seen many examples of varieties that are almost the same in the sense that they contain isomorphic dense
More informationThe Montgomery ladder on binary elliptic curves
The Montgomery ladder on binary elliptic curves Thomaz Oliveira 1,, Julio López 2,, and Francisco Rodríguez-Henríquez 1, 1 Computer Science Department, Cinvestav-IPN thomaz.figueiredo@gmail.com, francisco@cs.cinvestav.mx
More informationCS 259C/Math 250: Elliptic Curves in Cryptography Homework 1 Solutions. 3. (a)
CS 259C/Math 250: Elliptic Curves in Cryptography Homework 1 Solutions 1. 2. 3. (a) 1 (b) (c) Alternatively, we could compute the orders of the points in the group: (d) The group has 32 elements (EF.order()
More informationElliptic Curve Cryptography
AIMS-VOLKSWAGEN STIFTUNG WORKSHOP ON INTRODUCTION TO COMPUTER ALGEBRA AND APPLICATIONS Douala, Cameroon, October 12, 2017 Elliptic Curve Cryptography presented by : BANSIMBA Gilda Rech BANSIMBA Gilda Rech
More informationTwisted Hessian curves
Twisted Hessian curves Daniel J. Bernstein 1,2, Chitchanok Chuengsatiansup 1, David Kohel 3, and Tanja Lange 1 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O. Box
More informationSide-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman
Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman Presenter: Reza Azarderakhsh CEECS Department and I-Sense, Florida Atlantic University razarderakhsh@fau.edu Paper by: Brian
More informationA gentle introduction to elliptic curve cryptography
A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 5, 2017 Šibenik, Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic
More informationALGEBRA QUALIFYING EXAM, FALL 2017: SOLUTIONS
ALGEBRA QUALIFYING EXAM, FALL 2017: SOLUTIONS Your Name: Conventions: all rings and algebras are assumed to be unital. Part I. True or false? If true provide a brief explanation, if false provide a counterexample
More informationFour-Dimensional GLV Scalar Multiplication
Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationComputing the image of Galois
Computing the image of Galois Andrew V. Sutherland Massachusetts Institute of Technology October 9, 2014 Andrew Sutherland (MIT) Computing the image of Galois 1 of 25 Elliptic curves Let E be an elliptic
More informationModular Multiplication in GF (p k ) using Lagrange Representation
Modular Multiplication in GF (p k ) using Lagrange Representation Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier
More informationOn elliptic curves in characteristic 2 with wild additive reduction
ACTA ARITHMETICA XCI.2 (1999) On elliptic curves in characteristic 2 with wild additive reduction by Andreas Schweizer (Montreal) Introduction. In [Ge1] Gekeler classified all elliptic curves over F 2
More informationQuadratic reciprocity (after Weil) 1. Standard set-up and Poisson summation
(September 17, 010) Quadratic reciprocity (after Weil) Paul Garrett garrett@math.umn.edu http://www.math.umn.edu/ garrett/ I show that over global fields (characteristic not ) the quadratic norm residue
More informationInstitutionen för matematik, KTH.
Institutionen för matematik, KTH. Contents 7 Affine Varieties 1 7.1 The polynomial ring....................... 1 7.2 Hypersurfaces........................... 1 7.3 Ideals...............................
More informationChapter 10 Elliptic Curves in Cryptography
Chapter 10 Elliptic Curves in Cryptography February 15, 2010 10 Elliptic Curves (ECs) can be used as an alternative to modular arithmetic in all applications based on the Discrete Logarithm (DL) problem.
More informationSemigroup Crossed products
Department of Mathematics Faculty of Science King Mongkut s University of Technology Thonburi Bangkok 10140, THAILAND saeid.zk09@gmail.com 5 July 2017 Introduction In the theory of C -dynamical systems
More informationALGORITHMS FOR ALGEBRAIC CURVES
ALGORITHMS FOR ALGEBRAIC CURVES SUMMARY OF LECTURE 3 In this text the symbol Θ stands for a positive constant. 1. COMPLEXITY THEORY AGAIN : DETERMINISTIC AND PROBABILISTIC CLASSES We refer the reader to
More informationA gentle introduction to isogeny-based cryptography
A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch
More information12. Hilbert Polynomials and Bézout s Theorem
12. Hilbert Polynomials and Bézout s Theorem 95 12. Hilbert Polynomials and Bézout s Theorem After our study of smooth cubic surfaces in the last chapter, let us now come back to the general theory of
More informationDifferential Addition in generalized Edwards Coordinates
Differential Addition in generalized Edwards Coordinates Benjamin Justus and Daniel Loebenberger Bonn-Aachen International Center for Information Technology Universität Bonn 53113 Bonn Germany Abstract.
More informationBelyi Lattès maps. Ayberk Zeytin. Department of Mathematics, Galatasaray University. İstanbul Turkey. January 12, 2016
Belyi Lattès maps Ayberk Zeytin Department of Mathematics, Galatasaray University Çırağan Cad. No. 36, 3357 Beşiktaş İstanbul Turkey January 1, 016 Abstract In this work, we determine all Lattès maps which
More informationA New Model of Binary Elliptic Curves with Fast Arithmetic
A New Model of Binary Elliptic Curves with Fast Arithmetic Hongfeng Wu 1 Chunming Tang 2 and Rongquan Feng 2 1 College of Science North China University of technology Beijing 100144 PR China whfmath@gmailcom
More informationA GLIMPSE OF ALGEBRAIC K-THEORY: Eric M. Friedlander
A GLIMPSE OF ALGEBRAIC K-THEORY: Eric M. Friedlander During the first three days of September, 1997, I had the privilege of giving a series of five lectures at the beginning of the School on Algebraic
More information9. Integral Ring Extensions
80 Andreas Gathmann 9. Integral ing Extensions In this chapter we want to discuss a concept in commutative algebra that has its original motivation in algebra, but turns out to have surprisingly many applications
More informationA remark on the arithmetic invariant theory of hyperelliptic curves
A remark on the arithmetic invariant theory of hyperelliptic curves Jack A. Thorne October 10, 2014 Abstract Let C be a hyperelliptic curve over a field k of characteristic 0, and let P C(k) be a marked
More informationQuadratic reciprocity (after Weil) 1. Standard set-up and Poisson summation
(December 19, 010 Quadratic reciprocity (after Weil Paul Garrett garrett@math.umn.edu http://www.math.umn.edu/ garrett/ I show that over global fields k (characteristic not the quadratic norm residue symbol
More informationOptimised versions of the Ate and Twisted Ate Pairings
Optimised versions of the Ate and Twisted Ate Pairings Seiichi Matsuda 1, Naoki Kanayama 1, Florian Hess 2, and Eiji Okamoto 1 1 University of Tsukuba, Japan 2 Technische Universität Berlin, Germany Abstract.
More informationMath 249B. Nilpotence of connected solvable groups
Math 249B. Nilpotence of connected solvable groups 1. Motivation and examples In abstract group theory, the descending central series {C i (G)} of a group G is defined recursively by C 0 (G) = G and C
More informationSome. Manin-Mumford. Problems
Some Manin-Mumford Problems S. S. Grant 1 Key to Stark s proof of his conjectures over imaginary quadratic fields was the construction of elliptic units. A basic approach to elliptic units is as follows.
More informationConstructing genus 2 curves over finite fields
Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, 2015 1 / 34 Curves and cryptography RSA: most widely used public key
More informationGALOIS THEORY: LECTURE 20
GALOIS THEORY: LECTURE 0 LEO GOLDMAKHER. REVIEW: THE FUNDAMENTAL LEMMA We begin today s lecture by recalling the Fundamental Lemma introduced at the end of Lecture 9. This will come up in several places
More informationA SHORT PROOF OF ROST NILPOTENCE VIA REFINED CORRESPONDENCES
A SHORT PROOF OF ROST NILPOTENCE VIA REFINED CORRESPONDENCES PATRICK BROSNAN Abstract. I generalize the standard notion of the composition g f of correspondences f : X Y and g : Y Z to the case that X
More informationQUALIFYING EXAMINATION Harvard University Department of Mathematics Tuesday 10 February 2004 (Day 1)
Tuesday 10 February 2004 (Day 1) 1a. Prove the following theorem of Banach and Saks: Theorem. Given in L 2 a sequence {f n } which weakly converges to 0, we can select a subsequence {f nk } such that the
More informationOn the Optimal Pre-Computation of Window τ NAF for Koblitz Curves
On the Optimal Pre-Computation of Window τ NAF for Koblitz Curves William R. Trost and Guangwu Xu Abstract Koblitz curves have been a nice subject of consideration for both theoretical and practical interests.
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationGraduate Preliminary Examination
Graduate Preliminary Examination Algebra II 18.2.2005: 3 hours Problem 1. Prove or give a counter-example to the following statement: If M/L and L/K are algebraic extensions of fields, then M/K is algebraic.
More informationIsogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem
Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem Chloe Martindale 26th January, 2018 These notes are from a talk given in the Séminaire Géométrie et algèbre effectives
More informationOutline of the Seminar Topics on elliptic curves Saarbrücken,
Outline of the Seminar Topics on elliptic curves Saarbrücken, 11.09.2017 Contents A Number theory and algebraic geometry 2 B Elliptic curves 2 1 Rational points on elliptic curves (Mordell s Theorem) 5
More informationCOURSE SUMMARY FOR MATH 504, FALL QUARTER : MODERN ALGEBRA
COURSE SUMMARY FOR MATH 504, FALL QUARTER 2017-8: MODERN ALGEBRA JAROD ALPER Week 1, Sept 27, 29: Introduction to Groups Lecture 1: Introduction to groups. Defined a group and discussed basic properties
More informationCOMPRESSION FOR TRACE ZERO SUBGROUPS OF ELLIPTIC CURVES
COMPRESSION FOR TRACE ZERO SUBGROUPS OF ELLIPTIC CURVES A. SILVERBERG Abstract. We give details of a compression/decompression algorithm for points in trace zero subgroups of elliptic curves over F q r,
More informationExplicit Kummer Varieties for Hyperelliptic Curves of Genus 3
Explicit Kummer Varieties for Hyperelliptic Curves of Genus 3 Michael Stoll Universität Bayreuth Théorie des nombres et applications CIRM, Luminy January 17, 2012 Application / Motivation We would like
More informationUsing semidirect product of (semi)groups in public key cryptography
Using semidirect product of (semi)groups in public key cryptography Delaram Kahrobaei City University of New York Graduate Center: PhD Program in Computer Science NYCCT: Mathematics Department University
More informationOperads. Spencer Liang. March 10, 2015
Operads Spencer Liang March 10, 2015 1 Introduction The notion of an operad was created in order to have a well-defined mathematical object which encodes the idea of an abstract family of composable n-ary
More informationCounting points on genus 2 curves over finite
Counting points on genus 2 curves over finite fields Chloe Martindale May 11, 2017 These notes are from a talk given in the Number Theory Seminar at the Fourier Institute, Grenoble, France, on 04/05/2017.
More informationElliptic Curve of the Ring F q [ɛ]
International Mathematical Forum, Vol. 6, 2011, no. 31, 1501-1505 Elliptic Curve of the Ring F q [ɛ] ɛ n =0 Chillali Abdelhakim FST of Fez, Fez, Morocco chil2015@yahoo.fr Abstract Groups where the discrete
More information