Differential addition on Binary Elliptic Curvescage.ugent.be/waifi/talks/Farashahi.pdf · 2017. 1....

Differential addition on Binary Elliptic Curves

Reza Rezaeian Farashahi

Dept. of Mathematical Sciences,Isfahan University of Technology, Isfahan, Iran

joint work with S. Gholamhossein Hosseini

WAIFI 2016, Ghent , Belgium .

July 13 , 2016

Reza Rezaeian Farashahi ( Dept. of Mathematical Sciences, Isfahan University of Technology, Isfahan, Iran joint work with S. Gholamhossein Hosseini WAIFI 2016, Ghent , Belgium . )Differential addition on Binary Elliptic Curves July 13 , 2016 1 / 38

Introduction to elliptic curves

Elliptic Curves

Definition (Elliptic curve)A nonsingular absolutely irreducible projective curve defined over afield F of genus 1 with at least one F-rational point is called an ellipticcurve over F.

An elliptic curve E over F can be given by the so-calledWeierstrass equation

E : y2 + a1xy + a3y = x3 + a2x2 + a4x+ a6,

where the coefficients a1, a2, a3, a4, a6 ∈ F.We note that E has to be nonsingular.

Elliptic Curves

Definition (Elliptic curve)A nonsingular absolutely irreducible projective curve defined over afield F of genus 1 with at least one F-rational point is called an ellipticcurve over F.

An elliptic curve E over F can be given by the so-calledWeierstrass equation

E : y2 + a1xy + a3y = x3 + a2x2 + a4x+ a6,

where the coefficients a1, a2, a3, a4, a6 ∈ F.We note that E has to be nonsingular.

Elliptic Curves

The set of F-rational points on E is defined by the set of points

E(F) = {(x, y) ∈ F×F : y2+a1xy+a3y = x3+a2x2+a4x+a6}∪{O},

where O is the point at infinity.The set of F-rational points on E by means of the chord-tangentprocess turns E(F) into an abelian group with O as the neutralelement.

Elliptic Curves

Examples (I)

E/F31 : y2 = x3 + 19

The point P = (8, 29) is agenerator of the groupE(F31).

Examples (I)

E/F31 : y2 = x3 + 19

The point P = (8, 29) is agenerator of the groupE(F31).

Examples (II)

E/F25 : y2 + y = x3 + 1

Here, g is a primitive elementof F25 .

The point P = (g2, g7) is agenerator of the group E(F25).

Examples (II)

E/F25 : y2 + y = x3 + 1

Here, g is a primitive elementof F25 .

The point P = (g2, g7) is agenerator of the group E(F25).

Some applications of Elliptic Curves

Elliptic curves everywhere1984 (published 1987) Lenstra: ECM, the elliptic-curve method offactoring integers.

1984 (published 1985) Miller, and independently 1984 (published1987) Koblitz: ECC, elliptic-curve cryptography.

Bosma, Goldwasser-Kilian, Chudnovsky-Chudnovsky, Atkin:elliptic-curve primality proving.

These applications are different but share many optimizations.

Elliptic curves over finite fields are used for cryptosystems basedon the Discrete Logarithm problem.The use of elliptic curves in public-key cryptography can offerimproved efficiency and bandwidth.

Some applications of Elliptic Curves

Elliptic curves everywhere1984 (published 1987) Lenstra: ECM, the elliptic-curve method offactoring integers.

1984 (published 1985) Miller, and independently 1984 (published1987) Koblitz: ECC, elliptic-curve cryptography.

Bosma, Goldwasser-Kilian, Chudnovsky-Chudnovsky, Atkin:elliptic-curve primality proving.

These applications are different but share many optimizations.

Elliptic curves over finite fields are used for cryptosystems basedon the Discrete Logarithm problem.The use of elliptic curves in public-key cryptography can offerimproved efficiency and bandwidth.

One application of ECC

Diffie-Hellman Key ExchangeA and B would like to establish a common secret key.Let G be an additive cyclic group of order p, with generator P .

A Ba ∈R Zp, aP −→ aP

bP ←− bP , b ∈R Zp

a(bP ) = b(aP )A and B come up with the common secret abP .Decisional Diffie-Hellman assumption, (DDH) for G :Given aP , bP , then abP is indistinguishablefrom a random element of G.

A suitable group for Diffie-Hellman Key Exchange is the set ofFq-rational points of an elliptic curve over a finite field Fq.

An Example

Letq = 2255 − 19

= 57896044618658097711785492504343953926634992332820282019728792003956564819949

The elliptic curve Curve25519 (released by D.J. Bernstein in 2005) isgiven over Fq by the Montgomery equation

y2 = x3 + 486662x2 + x.

The order of the curve is 8p, where

p = 7237005577332262213973186563042994240857116359379907606001950938285454250989.

The point

P = (9, 14781619447589544791020593568409986887264606134616475288964881837755586237401).

has prime order p.Reza Rezaeian Farashahi ( Dept. of Mathematical Sciences, Isfahan University of Technology, Isfahan, Iran joint work with S. Gholamhossein Hosseini WAIFI 2016, Ghent , Belgium . )Differential addition on Binary Elliptic Curves July 13 , 2016 9 / 38

An Example

Letq = 2255 − 19

= 57896044618658097711785492504343953926634992332820282019728792003956564819949

y2 = x3 + 486662x2 + x.

p = 7237005577332262213973186563042994240857116359379907606001950938285454250989.

The point

P = (9, 14781619447589544791020593568409986887264606134616475288964881837755586237401).

An Example

Letq = 2255 − 19

= 57896044618658097711785492504343953926634992332820282019728792003956564819949

y2 = x3 + 486662x2 + x.

p = 7237005577332262213973186563042994240857116359379907606001950938285454250989.

The point

P = (9, 14781619447589544791020593568409986887264606134616475288964881837755586237401).

An Example

Letq = 2255 − 19

= 57896044618658097711785492504343953926634992332820282019728792003956564819949

y2 = x3 + 486662x2 + x.

p = 7237005577332262213973186563042994240857116359379907606001950938285454250989.

The point

P = (9, 14781619447589544791020593568409986887264606134616475288964881837755586237401).

An Example: DH Key Exchange with Curve25519

Diffie-Hellman Key Exchange (I)A and B would like to establish a common secret key.Let G =< P > be the additive cyclic subgroup of order p, withgenerator P .

A Ba =∈R Zp, aP −→ aP

a = 7002795360926005236158031219650239309203026301432757465078200000239489250289.

aP = (42893789189856250035404803941079571724271486408133017798848824700022159322712,22439803914438105279521055321022560390080973083595789427331495506599274095920).

An Example: DH Key Exchange with Curve25519

Diffie-Hellman Key Exchange (I)A and B would like to establish a common secret key.Let G =< P > be the additive cyclic subgroup of order p, withgenerator P .

A Ba =∈R Zp, aP −→ aP

a = 7002795360926005236158031219650239309203026301432757465078200000239489250289.

aP = (42893789189856250035404803941079571724271486408133017798848824700022159322712,22439803914438105279521055321022560390080973083595789427331495506599274095920).

An Example: DH Key Exchange (II)

A BbP ←− bP , b ∈R Zp

b = 6720321799762067449695674342847346924086085522917293355219065092423688810512.

bP = (57315574341413190983122910289922764985262828293529260037469962229334790984915,22103347272562472751120509101396143585689578289734754848957235099182798437740).

a(bP ) = b(aP )

abP = (18299485880284209830446057154751784763139609939657307830264903724385459872053,6810933623096629446700852568990867709514351401706814818415196871624790984662).

An Example: DH Key Exchange (II)

A BbP ←− bP , b ∈R Zp

b = 6720321799762067449695674342847346924086085522917293355219065092423688810512.

bP = (57315574341413190983122910289922764985262828293529260037469962229334790984915,22103347272562472751120509101396143585689578289734754848957235099182798437740).

a(bP ) = b(aP )

abP = (18299485880284209830446057154751784763139609939657307830264903724385459872053,6810933623096629446700852568990867709514351401706814818415196871624790984662).

Arithmetic on ECC

Finite fileds arithmetic (odd and even characteristic)

Elliptic curve arithmeticThe shape of the curveThe coordinate systems

The addition formulas:What is the cost?Is it unified?Is it complete?

The doubling formulasThe differential addition and doubling formulasThe tripling formulas

Scalar multiplication

Forms of elliptic curves

Some forms of elliptic curves

There are many ways to represent an elliptic curve such as:Long Weierstrass: y2 + a1xy + a3y = x3 + a2x

2 + a4x+ a6.Short Weierstrass: y2 = x3 + ax+ b.Legendre: y2 = x(x− 1)(x− λ).Montgomery: by2 = x3 + ax2 + x.Jacobi intersection: x2 + y2 = 1, ax2 + z2 = 1.Jacobi quartic: y2 = x4 + 2ax2 + 1.Hessian: x3 + y3 + 1 = 3dxy.Generalized Hessian: x3 + y3 + c = dxy.Doche-Icart-Kohel: y2 = x3 + ax2 + 16ax.Doche-Icart-Kohel: y2 = x3 + 3a(x+ 1)2.Edwards: x2 + y2 = c2(1 + x2y2).Twisted Edwards: ax2 + y2 = 1 + dx2y2.

Newton Polygons, in odd characteristic

• Short Weierstrass: y2 = x3 + ax+ b x

• Montgomery: by2 = x3 + ax2 + x x

• Jacobi quartic: y2 = x4 + 2ax2 + 1 x

• Hessian: x3 + y3 + 1 = 3dxy x

• Edwards: x2 + y2 = 1 + dx2y2x

Edwards curves

The addition law on Ed : x2 + y2 = 1 + dx2y2 is given by

(x1, y1), (x2, y2) 7→(

x1y2 + y1x2

1 + dx1x2y1y2,y1y2 − x1x2

1− dx1x2y1y2

An Example

Letq = 2255 − 19

= 57896044618658097711785492504343953926634992332820282019728792003956564819949

y2 = x3 + 486662x2 + x.

The Twisted Edwards model of curve25519 is given by

486664x2 + y2 = 1 + 486660x2y2.

The curve is birationally equivalent to the curve Ed25519 given by

−x2 + y2 = 1− 121665121666

An Example

Letq = 2255 − 19

= 57896044618658097711785492504343953926634992332820282019728792003956564819949

y2 = x3 + 486662x2 + x.

486664x2 + y2 = 1 + 486660x2y2.

−x2 + y2 = 1− 121665121666

An Example

Letq = 2255 − 19

= 57896044618658097711785492504343953926634992332820282019728792003956564819949

y2 = x3 + 486662x2 + x.

486664x2 + y2 = 1 + 486660x2y2.

−x2 + y2 = 1− 121665121666

An Example

Letq = 2255 − 19

= 57896044618658097711785492504343953926634992332820282019728792003956564819949

y2 = x3 + 486662x2 + x.

486664x2 + y2 = 1 + 486660x2y2.

−x2 + y2 = 1− 121665121666

Binary Elliptic curves

Some forms of binary elliptic curves

There are several ways to represent a binary elliptic curve such as:

Long Weierstrass: y2 + a1xy + a3y = x3 + a2x2 + a4x+ a6.

Short Weierstrass: y2 + xy = x3 + ax2 + b,

Hessian: x3 + y3 + 1 = dxy.

Generalized Hessian: x3 + y3 + c = dxy.

Binary Huff: ax(y2 + y + 1) = y(x2 +X + 1).

Binary Edwards: c(x+ y) + d(x2 + y2) = xy + xy(x+ y) + x2y2.

Binary Edwards Curves

Definition (Binary Edwards curve)

Let F be a field with char(F) = 2. Let d1, d2 be elements of F withd1 6= 0 and d2 6= d2

1 + d1. The binary Edwards curve with coefficients d1

and d2 is the affine curve

EB,d1,d2 : d1(x+ y) + d2(x2 + y2) = xy + xy(x+ y) + x2y2.

Binary Edwards Curves

Definition (Binary Edwards curve)

Let F be a field with char(F) = 2. Let d1, d2 be elements of F withd1 6= 0 and d2 6= d2

1 + d1. The binary Edwards curve with coefficients d1

and d2 is the affine curve

EB,d1,d2 : d1(x+ y) + d2(x2 + y2) = xy + xy(x+ y) + x2y2.

Birational map to Weierstrass form

Let d = d21 + d1 + d2.

The map (x, y) 7→ (u, v) defined by

u =d1d(x+ y)

xy + d1(x+ y),

v = d1d(x

xy + d1(x+ y)+ d1 + 1)

is a birational equivalence from EB,d1,d2 to the elliptic curve

v2 + uv = u3 + (d21 + d2)u2 + d4

with j-invariant 1/(d41d

2).An inverse map is given as follows:

x =d1(u+ d)

u+ v + (d21 + d1)d

y =d1(u+ d)

v + (d21 + d1)d

Birational map to Weierstrass form

Let d = d21 + d1 + d2.

The map (x, y) 7→ (u, v) defined by

u =d1d(x+ y)

xy + d1(x+ y),

v = d1d(x

xy + d1(x+ y)+ d1 + 1)

is a birational equivalence from EB,d1,d2 to the elliptic curve

v2 + uv = u3 + (d21 + d2)u2 + d4

with j-invariant 1/(d41d

2).An inverse map is given as follows:

x =d1(u+ d)

u+ v + (d21 + d1)d

y =d1(u+ d)

v + (d21 + d1)d

Properties of Binary Edwards Curves

(x3, y3) = (x1, y1) + (x2, y2) with

x3 =d1(x1 + x2) + d2(x1 + y1)(x2 + y2) + (x1 + x2

1)(x2(y1 + y2 + 1) + y1y2)d1 + (x1 + x2

1)(x2 + y2),

y3 =d1(y1 + y2) + d2(x1 + y1)(x2 + y2) + (y1 + y2

1)(y2(x1 + x2 + 1) + x1x2)d1 + (y1 + y2

1)(x2 + y2).

(x3, y3) = 2(x1, y1) with

x3 = 1 +d1(1 + x1 + y1)

d1 + x1y1 + x21(1 + x1 + y1)

y3 = 1 +d1(1 + x1 + y1)

d1 + x1y1 + y21(1 + x1 + y1)

(0, 0) is the neutral element; (1, 1) has order 2.−(x1, y1) = (y1, x1).(x1, y1) + (1, 1) = (x1 + 1, y1 + 1).

Properties of Binary Edwards Curves

(x3, y3) = (x1, y1) + (x2, y2) with

x3 =d1(x1 + x2) + d2(x1 + y1)(x2 + y2) + (x1 + x2

1)(x2(y1 + y2 + 1) + y1y2)d1 + (x1 + x2

1)(x2 + y2),

y3 =d1(y1 + y2) + d2(x1 + y1)(x2 + y2) + (y1 + y2

1)(y2(x1 + x2 + 1) + x1x2)d1 + (y1 + y2

1)(x2 + y2).

(x3, y3) = 2(x1, y1) with

x3 = 1 +d1(1 + x1 + y1)

d1 + x1y1 + x21(1 + x1 + y1)

y3 = 1 +d1(1 + x1 + y1)

d1 + x1y1 + y21(1 + x1 + y1)

(0, 0) is the neutral element; (1, 1) has order 2.−(x1, y1) = (y1, x1).(x1, y1) + (1, 1) = (x1 + 1, y1 + 1).

Complete binary Edwards curve

Addition law for curves with Tr(d2) = 1 is complete,Trace is map Tr : F2n → F2; α 7→

∑n−1i=0 α

No exceptional points, completely uniform group operation.In particular, addition formulas can be used to double.Unified group operation!The first complete binary elliptic curves!Even better, every ordinary elliptic curve over F2n is birationallyequivalent to a complete binary Edwards curves EB,d1,d2 , for n ≥ 3.

Differential addition

Let E be an elliptic curve over Fq.The differential addition on E means to compute P +Q given P,Q, andQ− P .

Suppose w is a rational function defined over E;i.e. given by fraction of polynomials in the coordinate ring of E over Fq.Let w(P ) = w(−P ) for any point on E(Fq).

The w-coordinate differential addition and doubling means to computew(P +Q) and w(2P ) from w(P ), w(Q) and w(P −Q), where P,Q arepoints on E(Fq).

The Montgomery ladder with some w-coordinate dADD performsscalar multiplication efficiently.

Montgomery ladder

Algorithm 1 Projective w-coordinate dADDInput : E/Fq, w : E(Fq)→ P(Fq), . The elliptic curve E over Fq

(Wi : Zi) = w(Pi), i = 0, 1, 2. . w(P0) = w(P1 − P2)Output : (Wi : Zi) = w(Pi), i = 3, 4. . w(P3) = w(P1 + P2), w(P4) = w(2P1)

1: function dADD((W0 : Z0), (W1 : Z1), (W2 : Z2))2: W3 = fa(W0, Z0, W1, Z1, W2, Z2) . Differential addition computation3: Z3 = ga(W0, Z0, W1, Z1, W2, Z2)4: W4 = fd(W1, Z1) . Doubling computation5: Z4 = gd(W1, Z1)6: return ((W4 : Z4), (W3 : Z3)) . The differential addition and doubling7: end function

Algorithm 2 The Montgomery scalar multiplicationInput : E/Fq, w : E(Fq)→ P(Fq), . The elliptic curve E over Fq

Projective w-coordinate dADD funtion,P ∈ E(Fq), k = (km−1, · · · , k1, k0) . k is a positive integer, km−1 = 1(W0 : Z0) := w(P ), (W1 : Z1) := w(P ), (W2 : Z2) := w(2P ).

Output : w(kP )

1: for i := m− 2 down to 0 do2: if ki = 0 then3: ((W1 : Z1), (W2 : Z2)) := dADD((W0 : Z0), (W1 : Z1), (W2 : Z2))4: else5: ((W2 : Z2), (W1 : Z1)) := dADD((W0 : Z0), (W2 : Z2), (W1 : Z1))6: end if7: end for8: return (W1 : Z1), (W2 : Z2) . The differential addition and doubling

Complete differential addition

The w-coordinate differential addition and doubling is complete if theAlgorithm 1 works for any inputs without any exception.

The w-coordinate dADD is almost complete if the Algorithm 1 works forall inputs except where w(P0) = w(O).

The Montgomery ladder is (almost) complete if its correspondingw-coordinate dADD is (almost) complete.

The (almost) complete Montgomery ladder is suitable for cryptographicapplication.

Montgomery ladder with LD coordinates

Algorithm 3 Lopez and Dahab projective x-coordinate dADDInput : E/Fq : y2 + xy = x3 + ax2 + b . The elliptic curve E over F2m

(Xi : Zi) = x(Pi), i = 0, 1, 2. . x(P0) = x(P1 − P2)Output : (Xi : Zi) = x(Pi), i = 3, 4. . x(P3) = x(P1 + P2), x(P4) = x(2P1)

1: function dADD((X0 : Z0), (X1 : Z1), (X2 : Z2))2: X3 = X0 (X1Z2 + X2Z1)2 + Z0 (X1Z1X2Z2)3: Z3 = Z0 (X1Z2 + X2Z1)2

4: X4 = (X41 + bZ4

1 )5: Z4 = X2

6: return ((X4 : Z4), (X3 : Z3)) . The differential addition and doubling7: end function

Algorithm 4 The modified Montgomery scalar multiplicationInput : E/Fq : y2 + xy = x3 + ax2 + b . The elliptic curve E over Fq

P = (x : y : z) ∈ E(Fq) . P 6= O = (0 : 1 : 0)k = (km−1, · · · , k1, k0) . 0 ≤ k ∈ Z(X0 : Z0) := (x : z), (X1 : Z1) := (1 : 0), (X2 : Z2) := (x : z).

Output : w(kP )

1: for i := m− 1 down to 0 do2: if ki = 0 then3: ((X1 : Z1), (X2 : Z2)) := dADD((X0 : Z0), (X1 : Z1), (X2 : Z2))4: else5: ((X2 : Z2), (X1 : Z1)) := dADD((X0 : Z0), (X2 : Z2), (X1 : Z1))6: end if7: end for8: return (X1 : Z1), (X2 : Z2) . The differential addition and doubling

Differential addition for Binary Edwards

Let EB,d1,d2 be the binary Edwards curve

EB,d1,d2 : d1(x+ y) + d2(x+ y)2 = xy(x+ 1)(y + 1).

Represent P = (x, y) by w(P ) = x+ y.Have w(P ) = w(−P ) = w(P + (1, 1)) = w(−P + (1, 1)).Let (x0, y0) = (x1, y1)− (x2, y2), (x3, y3) = (x1, y1) + (x2, y3),(x4, y4) = 2(x2, y2).

w4 =w2

1 + w41

d1 + w21 + (d2/d1)w4

w3 + w0 =d2w1w2(1 + w1)(1 + w2)

d21 + w1w2(d1(1 + w1 + w2) + d2(w1w2)

Some operations can be shared between differential addition anddoubling.

EB,d1,d2 : d1(x+ y) + d2(x+ y)2 = xy(x+ 1)(y + 1).

w4 =w2

1 + w41

d1 + w21 + (d2/d1)w4

w3 + w0 =d2w1w2(1 + w1)(1 + w2)

d21 + w1w2(d1(1 + w1 + w2) + d2(w1w2)

EB,d1,d2 : d1(x+ y) + d2(x+ y)2 = xy(x+ 1)(y + 1).

w4 =w2

1 + w41

d1 + w21 + (d2/d1)w4

w3 + w0 =d2w1w2(1 + w1)(1 + w2)

d21 + w1w2(d1(1 + w1 + w2) + d2(w1w2)

EB,d1,d2 : d1(x+ y) + d2(x+ y)2 = xy(x+ 1)(y + 1).

w4 =w2

1 + w41

d1 + w21 + (d2/d1)w4

w3 + w0 =d2w1w2(1 + w1)(1 + w2)

d21 + w1w2(d1(1 + w1 + w2) + d2(w1w2)

EB,d1,d2 : d1(x+ y) + d2(x+ y)2 = xy(x+ 1)(y + 1).

w4 =w2

1 + w41

d1 + w21 + (d2/d1)w4

w3 + w0 =d2w1w2(1 + w1)(1 + w2)

d21 + w1w2(d1(1 + w1 + w2) + d2(w1w2)

EB,d1,d2 : d1(x+ y) + d2(x+ y)2 = xy(x+ 1)(y + 1).

w4 =w2

1 + w41

d1 + w21 + (d2/d1)w4

w3 + w0 =d2w1w2(1 + w1)(1 + w2)

d21 + w1w2(d1(1 + w1 + w2) + d2(w1w2)

Cost of differential addition for BE

Mixed differential addition: w1 given as affine, w2 = W2/Z2,w3 = W3/Z3 in projective.

general case d2 = d1

mixed diff addition 6M+1S+2D 5M+1S+1Dmixed diff addition+doubling 6M+4S+4D 5M+4S+2Dprojective diff addition 8M+1S+2D 7M+1S+1Dprojective diff addition+doubling 8M+4S+4D 7M+4S+2DNote that the diff addition formulas are complete.Lopez and Dahab use 6M+5S for mixed dADD&DBL.Stam uses 6M+1S for projective dADD; 4M+1S for mixed dADDaddition; and 1M+3S+1D for DBL.Gaudry uses 5M+5S+1D for mixed dADD&DBL.

Cost of differential addition for BE

Mixed differential addition: w1 given as affine, w2 = W2/Z2,w3 = W3/Z3 in projective.

general case d2 = d1

mixed diff addition 6M+1S+2D 5M+1S+1Dmixed diff addition+doubling 6M+4S+4D 5M+4S+2Dprojective diff addition 8M+1S+2D 7M+1S+1Dprojective diff addition+doubling 8M+4S+4D 7M+4S+2DNote that the diff addition formulas are complete.Lopez and Dahab use 6M+5S for mixed dADD&DBL.Stam uses 6M+1S for projective dADD; 4M+1S for mixed dADDaddition; and 1M+3S+1D for DBL.Gaudry uses 5M+5S+1D for mixed dADD&DBL.

Differential addition & doubling for binary elliptic curvesCurve shape Representation Projective MixedShort Weierstraß XZ(x=X/Z)[Lo-Da] 7M+5S+1D 5M+5S+1Dy2+ xy=x3+a2x

2+a6 XZ(x=X/Z)[Ga-Lu] 6M+5S+1D 5M+5S+1DXZ(x=X/Z)[St] 7M+4S+1D 5M+4S+1DXZ(x=X/Z)[St] 6M+5S+2D 5M+5S+2D

Hessianx3 + y3 + 1 = dxy WZ(1+dxy=W/Z) 7M+4S+2D 5M+4S+2DGeneralized Hessianx3 + y3 + c = dxy WZ(c+dxy=W/Z) 7M+4S+3D 5M+4S+3D

WZ with small d 7M+4S+1D 5M+4S+1DBinary Edwards [Be-La-RF]d1(x+y)+d2(x2+y2) WZ(x+y = W/Z) 8M+4S+4D 6M+4S+4D=xy+xy(x+y)+x2y2 WZ with d1 = d2 7M+4S+2D 5M+4S+2DRevisited [Kim-Lee-Negre]Binary Edwards WZ(x+y = W/Z) 7M+4S+3D 5M+4S+3D(2014) WZ with d1 = d2 7M+4S+1D 5M+4S+1D

New differential addition for Binary Edwards (I)

EB,d1,d2 : d1(x+ y) + d2(x+ y)2 = xy(x+ 1)(y + 1).

Represent P = (x, y) by w(P ) =(x+ y)

d1(x+ y + 1).

w4 =w2

21 + d1 + d2)w4

1 + 1.

w3 + w0 =w1w2

21 + d1 + d2)w2

1w22 + 1

w3w0 =w2

1 + w22

21 + d1 + d2)w2

1w22 + 1

(w1 + w2)2.

EB,d1,d2 : d1(x+ y) + d2(x+ y)2 = xy(x+ 1)(y + 1).

d1(x+ y + 1).

w4 =w2

21 + d1 + d2)w4

1 + 1.

w3 + w0 =w1w2

21 + d1 + d2)w2

1w22 + 1

w3w0 =w2

1 + w22

21 + d1 + d2)w2

1w22 + 1

(w1 + w2)2.

EB,d1,d2 : d1(x+ y) + d2(x+ y)2 = xy(x+ 1)(y + 1).

d1(x+ y + 1).

w4 =w2

21 + d1 + d2)w4

1 + 1.

w3 + w0 =w1w2

21 + d1 + d2)w2

1w22 + 1

w3w0 =w2

1 + w22

21 + d1 + d2)w2

1w22 + 1

(w1 + w2)2.

EB,d1,d2 : d1(x+ y) + d2(x+ y)2 = xy(x+ 1)(y + 1).

d1(x+ y + 1).

w4 =w2

21 + d1 + d2)w4

1 + 1.

w3 + w0 =w1w2

21 + d1 + d2)w2

1w22 + 1

w3w0 =w2

1 + w22

21 + d1 + d2)w2

1w22 + 1

(w1 + w2)2.

EB,d1,d2 : d1(x+ y) + d2(x+ y)2 = xy(x+ 1)(y + 1).

d1(x+ y + 1).

w4 =w2

21 + d1 + d2)w4

1 + 1.

w3 + w0 =w1w2

21 + d1 + d2)w2

1w22 + 1

w3w0 =w2

1 + w22

21 + d1 + d2)w2

1w22 + 1

(w1 + w2)2.

New differential addition for Binary Edwards (II)

For i=0,1,2,3,4, let wi = Wi/Zi be in projective coordinates.

(d41 + d3

1 + d21d2) W 4

1 + Z41

Z3=W0((d4

1 + d31 + d2

1d2) W 21W

22 + Z2

1Z22 ) + Z0(W1W2Z1Z2)

Z0((d41 + d3

1 + d21d2) W 2

1W22 + Z2

1Z22 ))

The cost in Projective is 7M + 4S + 2D.If Z0 = 1, the cost in mixed projective is 5M + 4S + 2D.For the complete binary Edwards curve EB,d1,d2 with Tr(d2) = 1,if Tr(d1) = 0 then the projective w-coordinates dADD is complete.

(d41 + d3

1 + d21d2) W 4

1 + Z41

Z3=W0((d4

1 + d31 + d2

1d2) W 21W

22 + Z2

1Z22 ) + Z0(W1W2Z1Z2)

Z0((d41 + d3

1 + d21d2) W 2

1W22 + Z2

1Z22 ))

(d41 + d3

1 + d21d2) W 4

1 + Z41

Z3=W0((d4

1 + d31 + d2

1d2) W 21W

22 + Z2

1Z22 ) + Z0(W1W2Z1Z2)

Z0((d41 + d3

1 + d21d2) W 2

1W22 + Z2

1Z22 ))

(d41 + d3

1 + d21d2) W 4

1 + Z41

Z3=W0((d4

1 + d31 + d2

1d2) W 21W

22 + Z2

1Z22 ) + Z0(W1W2Z1Z2)

Z0((d41 + d3

1 + d21d2) W 2

1W22 + Z2

1Z22 ))

(d41 + d3

1 + d21d2) W 4

1 + Z41

Z3=W0((d4

1 + d31 + d2

1d2) W 21W

22 + Z2

1Z22 ) + Z0(W1W2Z1Z2)

Z0((d41 + d3

1 + d21d2) W 2

1W22 + Z2

1Z22 ))

New differential addition for Binary Edwards (III)

W3=Z0(W1Z2 +W2Z1)2 +W0(W1Z2W2Z1)

W0(W1Z2 +W2Z1)2.

The cost in Projective is 7M + 4S + 2D.If W0 = 1, the cost in mixed projective is 5M + 4S + 1D.The projective w-coordinates dADD is almost complete

W3=Z0(W1Z2 +W2Z1)2 +W0(W1Z2W2Z1)

W0(W1Z2 +W2Z1)2.

W3=Z0(W1Z2 +W2Z1)2 +W0(W1Z2W2Z1)

W0(W1Z2 +W2Z1)2.

New differential addition for Binary Hessian

Let Hc,d be the general binary Hessian curve by

Hc,d : x3 + y3 + c+ dxy = 0,

where c, d are elements of F2m such that c 6= 0 and d3 6= 27c.

Represent P = (x, y) by w(P ) =(x3 + y3)

w4 =w4

1 + (c4 + c3d3)/(d12)w2

w3 + w0 =w1w2

w21 + w2

The cost of the mixed projective is 5M + 4S + 1D.

Hc,d : x3 + y3 + c+ dxy = 0,

w4 =w4

1 + (c4 + c3d3)/(d12)w2

w3 + w0 =w1w2

w21 + w2

Hc,d : x3 + y3 + c+ dxy = 0,

w4 =w4

1 + (c4 + c3d3)/(d12)w2

w3 + w0 =w1w2

w21 + w2

Hc,d : x3 + y3 + c+ dxy = 0,

w4 =w4

1 + (c4 + c3d3)/(d12)w2

w3 + w0 =w1w2

w21 + w2

Hc,d : x3 + y3 + c+ dxy = 0,

w4 =w4

1 + (c4 + c3d3)/(d12)w2

w3 + w0 =w1w2

w21 + w2

New differential addition for Binary Huff

Let HFa be the binary Huff curve by

ax(y2 + y + 1) = y(x2 + x+ 1)

Represent P = (x, y) by w(P ) = (a2+1)a xy.

w4 =w2

(a/(a2 + 1))4w41 + 1

(w1 + w2)2.

ax(y2 + y + 1) = y(x2 + x+ 1)

w4 =w2

(a/(a2 + 1))4w41 + 1

(w1 + w2)2.

ax(y2 + y + 1) = y(x2 + x+ 1)

w4 =w2

(a/(a2 + 1))4w41 + 1

(w1 + w2)2.

ax(y2 + y + 1) = y(x2 + x+ 1)

w4 =w2

(a/(a2 + 1))4w41 + 1

(w1 + w2)2.

ax(y2 + y + 1) = y(x2 + x+ 1)

w4 =w2

(a/(a2 + 1))4w41 + 1

(w1 + w2)2.

Comparison with Previous Works

Projective MixedModel differential differential Completeness

Short Weierstraß[LD] 7M + 4S + 1D 5M + 4S + 1D almostBinary Edwards(general) [BLF] 8M + 4S + 4D 6M + 4S + 4D yes(d1 = d2) [BLF] 7M + 4S + 2D 5M + 4S + 2D yes(d1 = d2) [KLN] 7M + 4S + 2D 5M + 4S + 1D almost(general) this work 7M + 4S + 2D 5M + 4S + 2D yes(general) this work 7M + 4S + 1D 5M + 4S + 1D almostBinary Hessian [FJ] 7M + 4S + 2D 5M + 4S + 2D almostThis work 7M + 4S + 1D 5M + 4S + 1D almostBinary Huff [DJ] 6M + 4S + 2D 5M + 5S + 1D almostThis work 7M + 4S + 1D 5M + 4S + 1D almost

Differential addition on Binary Elliptic Curvescage.ugent.be/waifi/talks/Farashahi.pdf · 2017. 1....

Documents

Transcript of Differential addition on Binary Elliptic Curvescage.ugent.be/waifi/talks/Farashahi.pdf · 2017. 1....

new bounds for solutions of second order elliptic partial differential

THE APPLICATIONS OF CG AND PCG ON ELLIPTIC PARTIAL DIFFERENTIAL …asmarya.edu.ly/journal/wp-content/uploads/2016/04/17THE... · 2019. 3. 31. · ELLIPTIC PARTIAL DIFFERENTIAL EQUATIONS

ELLIPTIC PARTIAL DIFFERENTIAL EQUATIONS - Courses · ELLIPTIC PARTIAL DIFFERENTIAL EQUATIONS 3 1.B. Standing assumptions on the operator L, or its matrix A. We will only consider

On some non-linear elliptic differential-functional …archive.ymsc.tsinghua.edu.cn › pacm_download › 117 › 6012...ON SOME NON-LINEAR ELLIPTIC DIFFERENTIAL-FUNCTIONAL EQUATIONS

Fast Software Implementation of Binary Elliptic Curve ...Fast Software Implementation of Binary Elliptic Curve Cryptography Manuel Bluhm1 and Shay Gueron2;3 1 Ruhr University Bochum,

THE ESSENTIAL SPECTRUM OF ELLIPTIC DIFFERENTIAL OPERATORS ... · PDF fileTHE ESSENTIAL SPECTRUM OF ELLIPTIC DIFFERENTIAL OPERATORS IN Lp ... spectrum of elliptic differential operators

Hilbert Space Methods in Elliptic Partial Differential Equations Edward Milton Landesman

Numerical methods for elliptic partial differential equations Arnold

Chapter 10.03 Elliptic Partial Differential Equationsmathforcollege.com/.../10pde/mws_gen_pde_txt_elliptic.pdf · 2019-12-17 · Equation (1) is considered to be elliptic if B. 2

Sturmian Theory of Second-Order Elliptic Differential Equations and Inequalities … · 2017. 2. 17. · Sturmian theory of elliptic partial differential equations and inequalities

OPTIMAL CONTROL OF ELLIPTIC PARTIAL DIFFERENTIAL · 2016. 6. 30. · OPTIMAL CONTROL OF ELLIPTIC PARTIAL DIFFERENTIAL EQUATIONS S. VOLKWEIN Abstract. This lecture is an introduction

u On Nonlinear Elliptic Partial Differential Equations and ...

Fast direct solvers for elliptic partial differential equations

Non-Dominated Sorting Binary Differential Evolution for ...

9/16/2015 1 Elliptic Partial Differential Equations - Introduction Transforming.

Binary quadratic forms, elliptic curves and Schoof's algorithm

Numerical Studies in Partial-Differential Equations of Elliptic Type

Hybrid binary-ternary number system for elliptic curve cryptosystems

Elliptic Partial Differential Equations - MATH FOR COLLEGEmathforcollege.com/nm/mws/gen/10pde/mws_gen_pde_ppt_elliptic.pdf · Defining Elliptic PDE’s The general form for a second

THE ESSENTIAL SPECTRUM OF ELLIPTIC DIFFERENTIAL OPERATORS ... · PDF fileTHE ESSENTIAL SPECTRUM OF ELLIPTIC DIFFERENTIAL OPERATORS IN Lp(Rn) BY ERIK BALSLEV(') Introduction. The main