cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J....
Transcript of cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J....
![Page 1: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/1.jpg)
Fast arithmetic on elliptic curves
D. J. Bernstein
University of Illinois at Chicago
EC point counting
1983 (published 1985) Schoof:
Algorithm to count points on
elliptic curves over finite fields.
Input: prime power q; a; b 2 Fqsuch that 6(4a3 + 27b2) 6= 0.
Output: #f(x; y) 2 Fq � Fq :
y2 = x3 + ax+ bg+ 1;
i.e., #E(Fq) where E is the
elliptic curve y2 = x3 + ax+ b.Time: (log q)O(1).
How? See this afternoon’s talk.
![Page 2: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/2.jpg)
Fast arithmetic on elliptic curves
D. J. Bernstein
University of Illinois at Chicago
EC point counting
1983 (published 1985) Schoof:
Algorithm to count points on
elliptic curves over finite fields.
Input: prime power q; a; b 2 Fqsuch that 6(4a3 + 27b2) 6= 0.
Output: #f(x; y) 2 Fq � Fq :
y2 = x3 + ax+ bg+ 1;
i.e., #E(Fq) where E is the
elliptic curve y2 = x3 + ax+ b.Time: (log q)O(1).
How? See this afternoon’s talk.
Elliptic curves everywhere
1984 (published 1987) Lenstra:
ECM, the elliptic-curve method
of factoring integers.
1984 (published 1985) Miller,
and independently
1984 (published 1987) Koblitz:
ECC, elliptic-curve cryptography.
Bosma, Goldwasser–Kilian,
Chudnovsky–Chudnovsky, Atkin:
elliptic-curve primality proving.
These applications are different
but share many optimizations.
![Page 3: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/3.jpg)
Fast arithmetic on elliptic curves
D. J. Bernstein
University of Illinois at Chicago
EC point counting
1983 (published 1985) Schoof:
Algorithm to count points on
elliptic curves over finite fields.
Input: prime power q; a; b 2 Fqsuch that 6(4a3 + 27b2) 6= 0.
Output: #f(x; y) 2 Fq � Fq :
y2 = x3 + ax+ bg+ 1;
i.e., #E(Fq) where E is the
elliptic curve y2 = x3 + ax+ b.Time: (log q)O(1).
How? See this afternoon’s talk.
Elliptic curves everywhere
1984 (published 1987) Lenstra:
ECM, the elliptic-curve method
of factoring integers.
1984 (published 1985) Miller,
and independently
1984 (published 1987) Koblitz:
ECC, elliptic-curve cryptography.
Bosma, Goldwasser–Kilian,
Chudnovsky–Chudnovsky, Atkin:
elliptic-curve primality proving.
These applications are different
but share many optimizations.
![Page 4: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/4.jpg)
Fast arithmetic on elliptic curves
D. J. Bernstein
University of Illinois at Chicago
EC point counting
1983 (published 1985) Schoof:
Algorithm to count points on
elliptic curves over finite fields.
Input: prime power q; a; b 2 Fqsuch that 6(4a3 + 27b2) 6= 0.
Output: #f(x; y) 2 Fq � Fq :
y2 = x3 + ax+ bg+ 1;
i.e., #E(Fq) where E is the
elliptic curve y2 = x3 + ax+ b.Time: (log q)O(1).
How? See this afternoon’s talk.
Elliptic curves everywhere
1984 (published 1987) Lenstra:
ECM, the elliptic-curve method
of factoring integers.
1984 (published 1985) Miller,
and independently
1984 (published 1987) Koblitz:
ECC, elliptic-curve cryptography.
Bosma, Goldwasser–Kilian,
Chudnovsky–Chudnovsky, Atkin:
elliptic-curve primality proving.
These applications are different
but share many optimizations.
![Page 5: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/5.jpg)
EC point counting
1983 (published 1985) Schoof:
Algorithm to count points on
elliptic curves over finite fields.
Input: prime power q; a; b 2 Fqsuch that 6(4a3 + 27b2) 6= 0.
Output: #f(x; y) 2 Fq � Fq :
y2 = x3 + ax+ bg+ 1;
i.e., #E(Fq) where E is the
elliptic curve y2 = x3 + ax+ b.Time: (log q)O(1).
How? See this afternoon’s talk.
Elliptic curves everywhere
1984 (published 1987) Lenstra:
ECM, the elliptic-curve method
of factoring integers.
1984 (published 1985) Miller,
and independently
1984 (published 1987) Koblitz:
ECC, elliptic-curve cryptography.
Bosma, Goldwasser–Kilian,
Chudnovsky–Chudnovsky, Atkin:
elliptic-curve primality proving.
These applications are different
but share many optimizations.
![Page 6: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/6.jpg)
EC point counting
1983 (published 1985) Schoof:
Algorithm to count points on
elliptic curves over finite fields.
Input: prime power q; a; b 2 Fqsuch that 6(4a3 + 27b2) 6= 0.
Output: #f(x; y) 2 Fq � Fq :
y2 = x3 + ax+ bg+ 1;
i.e., #E(Fq) where E is the
elliptic curve y2 = x3 + ax+ b.Time: (log q)O(1).
How? See this afternoon’s talk.
Elliptic curves everywhere
1984 (published 1987) Lenstra:
ECM, the elliptic-curve method
of factoring integers.
1984 (published 1985) Miller,
and independently
1984 (published 1987) Koblitz:
ECC, elliptic-curve cryptography.
Bosma, Goldwasser–Kilian,
Chudnovsky–Chudnovsky, Atkin:
elliptic-curve primality proving.
These applications are different
but share many optimizations.
Representing curve points
Crypto 1985, Miller, “Use of
elliptic curves in cryptography”:
Given n 2 Z, P 2 E(Fq),division-polynomial recurrence
computes nP 2 E(Fq)“in 26 log2 n multiplications”;
but can do better!
“It appears to be best to
represent the points on the curve
in the following form:
Each point is represented by the
triple (x; y; z) which corresponds
to the point (x=z2; y=z3).”
![Page 7: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/7.jpg)
EC point counting
1983 (published 1985) Schoof:
Algorithm to count points on
elliptic curves over finite fields.
Input: prime power q; a; b 2 Fqsuch that 6(4a3 + 27b2) 6= 0.
Output: #f(x; y) 2 Fq � Fq :
y2 = x3 + ax+ bg+ 1;
i.e., #E(Fq) where E is the
elliptic curve y2 = x3 + ax+ b.Time: (log q)O(1).
How? See this afternoon’s talk.
Elliptic curves everywhere
1984 (published 1987) Lenstra:
ECM, the elliptic-curve method
of factoring integers.
1984 (published 1985) Miller,
and independently
1984 (published 1987) Koblitz:
ECC, elliptic-curve cryptography.
Bosma, Goldwasser–Kilian,
Chudnovsky–Chudnovsky, Atkin:
elliptic-curve primality proving.
These applications are different
but share many optimizations.
Representing curve points
Crypto 1985, Miller, “Use of
elliptic curves in cryptography”:
Given n 2 Z, P 2 E(Fq),division-polynomial recurrence
computes nP 2 E(Fq)“in 26 log2 n multiplications”;
but can do better!
“It appears to be best to
represent the points on the curve
in the following form:
Each point is represented by the
triple (x; y; z) which corresponds
to the point (x=z2; y=z3).”
![Page 8: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/8.jpg)
EC point counting
1983 (published 1985) Schoof:
Algorithm to count points on
elliptic curves over finite fields.
Input: prime power q; a; b 2 Fqsuch that 6(4a3 + 27b2) 6= 0.
Output: #f(x; y) 2 Fq � Fq :
y2 = x3 + ax+ bg+ 1;
i.e., #E(Fq) where E is the
elliptic curve y2 = x3 + ax+ b.Time: (log q)O(1).
How? See this afternoon’s talk.
Elliptic curves everywhere
1984 (published 1987) Lenstra:
ECM, the elliptic-curve method
of factoring integers.
1984 (published 1985) Miller,
and independently
1984 (published 1987) Koblitz:
ECC, elliptic-curve cryptography.
Bosma, Goldwasser–Kilian,
Chudnovsky–Chudnovsky, Atkin:
elliptic-curve primality proving.
These applications are different
but share many optimizations.
Representing curve points
Crypto 1985, Miller, “Use of
elliptic curves in cryptography”:
Given n 2 Z, P 2 E(Fq),division-polynomial recurrence
computes nP 2 E(Fq)“in 26 log2 n multiplications”;
but can do better!
“It appears to be best to
represent the points on the curve
in the following form:
Each point is represented by the
triple (x; y; z) which corresponds
to the point (x=z2; y=z3).”
![Page 9: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/9.jpg)
Elliptic curves everywhere
1984 (published 1987) Lenstra:
ECM, the elliptic-curve method
of factoring integers.
1984 (published 1985) Miller,
and independently
1984 (published 1987) Koblitz:
ECC, elliptic-curve cryptography.
Bosma, Goldwasser–Kilian,
Chudnovsky–Chudnovsky, Atkin:
elliptic-curve primality proving.
These applications are different
but share many optimizations.
Representing curve points
Crypto 1985, Miller, “Use of
elliptic curves in cryptography”:
Given n 2 Z, P 2 E(Fq),division-polynomial recurrence
computes nP 2 E(Fq)“in 26 log2 n multiplications”;
but can do better!
“It appears to be best to
represent the points on the curve
in the following form:
Each point is represented by the
triple (x; y; z) which corresponds
to the point (x=z2; y=z3).”
![Page 10: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/10.jpg)
Elliptic curves everywhere
1984 (published 1987) Lenstra:
ECM, the elliptic-curve method
of factoring integers.
1984 (published 1985) Miller,
and independently
1984 (published 1987) Koblitz:
ECC, elliptic-curve cryptography.
Bosma, Goldwasser–Kilian,
Chudnovsky–Chudnovsky, Atkin:
elliptic-curve primality proving.
These applications are different
but share many optimizations.
Representing curve points
Crypto 1985, Miller, “Use of
elliptic curves in cryptography”:
Given n 2 Z, P 2 E(Fq),division-polynomial recurrence
computes nP 2 E(Fq)“in 26 log2 n multiplications”;
but can do better!
“It appears to be best to
represent the points on the curve
in the following form:
Each point is represented by the
triple (x; y; z) which corresponds
to the point (x=z2; y=z3).”
Note that each point
has many representations
in this traditional form:
e.g., (7=2; 5=3) can be
represented as (7=2 : 5=3 : 1)
or (126 : 360 : 6) or : : :Can use this flexibility
to avoid, or delay, divisions.
Most ECC software does this.
Good idea if I=M is big, where
M is cost of multiplying in Fq,I is cost of inverting in Fq.Typical software: I=M > 10.
![Page 11: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/11.jpg)
Elliptic curves everywhere
1984 (published 1987) Lenstra:
ECM, the elliptic-curve method
of factoring integers.
1984 (published 1985) Miller,
and independently
1984 (published 1987) Koblitz:
ECC, elliptic-curve cryptography.
Bosma, Goldwasser–Kilian,
Chudnovsky–Chudnovsky, Atkin:
elliptic-curve primality proving.
These applications are different
but share many optimizations.
Representing curve points
Crypto 1985, Miller, “Use of
elliptic curves in cryptography”:
Given n 2 Z, P 2 E(Fq),division-polynomial recurrence
computes nP 2 E(Fq)“in 26 log2 n multiplications”;
but can do better!
“It appears to be best to
represent the points on the curve
in the following form:
Each point is represented by the
triple (x; y; z) which corresponds
to the point (x=z2; y=z3).”
Note that each point
has many representations
in this traditional form:
e.g., (7=2; 5=3) can be
represented as (7=2 : 5=3 : 1)
or (126 : 360 : 6) or : : :Can use this flexibility
to avoid, or delay, divisions.
Most ECC software does this.
Good idea if I=M is big, where
M is cost of multiplying in Fq,I is cost of inverting in Fq.Typical software: I=M > 10.
![Page 12: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/12.jpg)
Elliptic curves everywhere
1984 (published 1987) Lenstra:
ECM, the elliptic-curve method
of factoring integers.
1984 (published 1985) Miller,
and independently
1984 (published 1987) Koblitz:
ECC, elliptic-curve cryptography.
Bosma, Goldwasser–Kilian,
Chudnovsky–Chudnovsky, Atkin:
elliptic-curve primality proving.
These applications are different
but share many optimizations.
Representing curve points
Crypto 1985, Miller, “Use of
elliptic curves in cryptography”:
Given n 2 Z, P 2 E(Fq),division-polynomial recurrence
computes nP 2 E(Fq)“in 26 log2 n multiplications”;
but can do better!
“It appears to be best to
represent the points on the curve
in the following form:
Each point is represented by the
triple (x; y; z) which corresponds
to the point (x=z2; y=z3).”
Note that each point
has many representations
in this traditional form:
e.g., (7=2; 5=3) can be
represented as (7=2 : 5=3 : 1)
or (126 : 360 : 6) or : : :Can use this flexibility
to avoid, or delay, divisions.
Most ECC software does this.
Good idea if I=M is big, where
M is cost of multiplying in Fq,I is cost of inverting in Fq.Typical software: I=M > 10.
![Page 13: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/13.jpg)
Representing curve points
Crypto 1985, Miller, “Use of
elliptic curves in cryptography”:
Given n 2 Z, P 2 E(Fq),division-polynomial recurrence
computes nP 2 E(Fq)“in 26 log2 n multiplications”;
but can do better!
“It appears to be best to
represent the points on the curve
in the following form:
Each point is represented by the
triple (x; y; z) which corresponds
to the point (x=z2; y=z3).”
Note that each point
has many representations
in this traditional form:
e.g., (7=2; 5=3) can be
represented as (7=2 : 5=3 : 1)
or (126 : 360 : 6) or : : :Can use this flexibility
to avoid, or delay, divisions.
Most ECC software does this.
Good idea if I=M is big, where
M is cost of multiplying in Fq,I is cost of inverting in Fq.Typical software: I=M > 10.
![Page 14: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/14.jpg)
Representing curve points
Crypto 1985, Miller, “Use of
elliptic curves in cryptography”:
Given n 2 Z, P 2 E(Fq),division-polynomial recurrence
computes nP 2 E(Fq)“in 26 log2 n multiplications”;
but can do better!
“It appears to be best to
represent the points on the curve
in the following form:
Each point is represented by the
triple (x; y; z) which corresponds
to the point (x=z2; y=z3).”
Note that each point
has many representations
in this traditional form:
e.g., (7=2; 5=3) can be
represented as (7=2 : 5=3 : 1)
or (126 : 360 : 6) or : : :Can use this flexibility
to avoid, or delay, divisions.
Most ECC software does this.
Good idea if I=M is big, where
M is cost of multiplying in Fq,I is cost of inverting in Fq.Typical software: I=M > 10.
1986 Chudnovsky–Chudnovsky,
“Sequences of numbers
generated by addition
in formal groups
and new primality
and factorization tests”:
“The crucial problem becomes
the choice of the model
of an algebraic group variety,
where computations mod pare the least time consuming.”
Most important computations:
ADD is P;Q 7! P +Q.
DBL is P 7! 2P .
![Page 15: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/15.jpg)
Representing curve points
Crypto 1985, Miller, “Use of
elliptic curves in cryptography”:
Given n 2 Z, P 2 E(Fq),division-polynomial recurrence
computes nP 2 E(Fq)“in 26 log2 n multiplications”;
but can do better!
“It appears to be best to
represent the points on the curve
in the following form:
Each point is represented by the
triple (x; y; z) which corresponds
to the point (x=z2; y=z3).”
Note that each point
has many representations
in this traditional form:
e.g., (7=2; 5=3) can be
represented as (7=2 : 5=3 : 1)
or (126 : 360 : 6) or : : :Can use this flexibility
to avoid, or delay, divisions.
Most ECC software does this.
Good idea if I=M is big, where
M is cost of multiplying in Fq,I is cost of inverting in Fq.Typical software: I=M > 10.
1986 Chudnovsky–Chudnovsky,
“Sequences of numbers
generated by addition
in formal groups
and new primality
and factorization tests”:
“The crucial problem becomes
the choice of the model
of an algebraic group variety,
where computations mod pare the least time consuming.”
Most important computations:
ADD is P;Q 7! P +Q.
DBL is P 7! 2P .
![Page 16: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/16.jpg)
Representing curve points
Crypto 1985, Miller, “Use of
elliptic curves in cryptography”:
Given n 2 Z, P 2 E(Fq),division-polynomial recurrence
computes nP 2 E(Fq)“in 26 log2 n multiplications”;
but can do better!
“It appears to be best to
represent the points on the curve
in the following form:
Each point is represented by the
triple (x; y; z) which corresponds
to the point (x=z2; y=z3).”
Note that each point
has many representations
in this traditional form:
e.g., (7=2; 5=3) can be
represented as (7=2 : 5=3 : 1)
or (126 : 360 : 6) or : : :Can use this flexibility
to avoid, or delay, divisions.
Most ECC software does this.
Good idea if I=M is big, where
M is cost of multiplying in Fq,I is cost of inverting in Fq.Typical software: I=M > 10.
1986 Chudnovsky–Chudnovsky,
“Sequences of numbers
generated by addition
in formal groups
and new primality
and factorization tests”:
“The crucial problem becomes
the choice of the model
of an algebraic group variety,
where computations mod pare the least time consuming.”
Most important computations:
ADD is P;Q 7! P +Q.
DBL is P 7! 2P .
![Page 17: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/17.jpg)
Note that each point
has many representations
in this traditional form:
e.g., (7=2; 5=3) can be
represented as (7=2 : 5=3 : 1)
or (126 : 360 : 6) or : : :Can use this flexibility
to avoid, or delay, divisions.
Most ECC software does this.
Good idea if I=M is big, where
M is cost of multiplying in Fq,I is cost of inverting in Fq.Typical software: I=M > 10.
1986 Chudnovsky–Chudnovsky,
“Sequences of numbers
generated by addition
in formal groups
and new primality
and factorization tests”:
“The crucial problem becomes
the choice of the model
of an algebraic group variety,
where computations mod pare the least time consuming.”
Most important computations:
ADD is P;Q 7! P +Q.
DBL is P 7! 2P .
![Page 18: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/18.jpg)
Note that each point
has many representations
in this traditional form:
e.g., (7=2; 5=3) can be
represented as (7=2 : 5=3 : 1)
or (126 : 360 : 6) or : : :Can use this flexibility
to avoid, or delay, divisions.
Most ECC software does this.
Good idea if I=M is big, where
M is cost of multiplying in Fq,I is cost of inverting in Fq.Typical software: I=M > 10.
1986 Chudnovsky–Chudnovsky,
“Sequences of numbers
generated by addition
in formal groups
and new primality
and factorization tests”:
“The crucial problem becomes
the choice of the model
of an algebraic group variety,
where computations mod pare the least time consuming.”
Most important computations:
ADD is P;Q 7! P +Q.
DBL is P 7! 2P .
“It is preferable to use
models of elliptic curves
lying in low-dimensional spaces,
for otherwise the number of
coordinates and operations is
increasing. This limits us : : : to
4 basic models of elliptic curves.”
Short Weierstrass:
y2 = x3 + ax+ b.Jacobi intersection:
s2 + 2 = 1, as2 + d2 = 1.
Jacobi quartic: y2 = x4+2ax2+1.
Hessian: x3 + y3 + 1 = 3dxy.
![Page 19: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/19.jpg)
Note that each point
has many representations
in this traditional form:
e.g., (7=2; 5=3) can be
represented as (7=2 : 5=3 : 1)
or (126 : 360 : 6) or : : :Can use this flexibility
to avoid, or delay, divisions.
Most ECC software does this.
Good idea if I=M is big, where
M is cost of multiplying in Fq,I is cost of inverting in Fq.Typical software: I=M > 10.
1986 Chudnovsky–Chudnovsky,
“Sequences of numbers
generated by addition
in formal groups
and new primality
and factorization tests”:
“The crucial problem becomes
the choice of the model
of an algebraic group variety,
where computations mod pare the least time consuming.”
Most important computations:
ADD is P;Q 7! P +Q.
DBL is P 7! 2P .
“It is preferable to use
models of elliptic curves
lying in low-dimensional spaces,
for otherwise the number of
coordinates and operations is
increasing. This limits us : : : to
4 basic models of elliptic curves.”
Short Weierstrass:
y2 = x3 + ax+ b.Jacobi intersection:
s2 + 2 = 1, as2 + d2 = 1.
Jacobi quartic: y2 = x4+2ax2+1.
Hessian: x3 + y3 + 1 = 3dxy.
![Page 20: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/20.jpg)
Note that each point
has many representations
in this traditional form:
e.g., (7=2; 5=3) can be
represented as (7=2 : 5=3 : 1)
or (126 : 360 : 6) or : : :Can use this flexibility
to avoid, or delay, divisions.
Most ECC software does this.
Good idea if I=M is big, where
M is cost of multiplying in Fq,I is cost of inverting in Fq.Typical software: I=M > 10.
1986 Chudnovsky–Chudnovsky,
“Sequences of numbers
generated by addition
in formal groups
and new primality
and factorization tests”:
“The crucial problem becomes
the choice of the model
of an algebraic group variety,
where computations mod pare the least time consuming.”
Most important computations:
ADD is P;Q 7! P +Q.
DBL is P 7! 2P .
“It is preferable to use
models of elliptic curves
lying in low-dimensional spaces,
for otherwise the number of
coordinates and operations is
increasing. This limits us : : : to
4 basic models of elliptic curves.”
Short Weierstrass:
y2 = x3 + ax+ b.Jacobi intersection:
s2 + 2 = 1, as2 + d2 = 1.
Jacobi quartic: y2 = x4+2ax2+1.
Hessian: x3 + y3 + 1 = 3dxy.
![Page 21: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/21.jpg)
1986 Chudnovsky–Chudnovsky,
“Sequences of numbers
generated by addition
in formal groups
and new primality
and factorization tests”:
“The crucial problem becomes
the choice of the model
of an algebraic group variety,
where computations mod pare the least time consuming.”
Most important computations:
ADD is P;Q 7! P +Q.
DBL is P 7! 2P .
“It is preferable to use
models of elliptic curves
lying in low-dimensional spaces,
for otherwise the number of
coordinates and operations is
increasing. This limits us : : : to
4 basic models of elliptic curves.”
Short Weierstrass:
y2 = x3 + ax+ b.Jacobi intersection:
s2 + 2 = 1, as2 + d2 = 1.
Jacobi quartic: y2 = x4+2ax2+1.
Hessian: x3 + y3 + 1 = 3dxy.
![Page 22: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/22.jpg)
1986 Chudnovsky–Chudnovsky,
“Sequences of numbers
generated by addition
in formal groups
and new primality
and factorization tests”:
“The crucial problem becomes
the choice of the model
of an algebraic group variety,
where computations mod pare the least time consuming.”
Most important computations:
ADD is P;Q 7! P +Q.
DBL is P 7! 2P .
“It is preferable to use
models of elliptic curves
lying in low-dimensional spaces,
for otherwise the number of
coordinates and operations is
increasing. This limits us : : : to
4 basic models of elliptic curves.”
Short Weierstrass:
y2 = x3 + ax+ b.Jacobi intersection:
s2 + 2 = 1, as2 + d2 = 1.
Jacobi quartic: y2 = x4+2ax2+1.
Hessian: x3 + y3 + 1 = 3dxy.
Some Newton polygons
���������������
��
�� JJJJJJ
J
Short Weierstrass
���������������
��
��//// JJJ
JJJJ
Montgomery
���������������
��
�� OOOOOOOO
Jacobi quartic
����
����
����
����
����
�
�
�� ??
????
??
Hessian
���������������
���
�Edwards
���������������
���
�����???
Binary Edwards
![Page 23: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/23.jpg)
1986 Chudnovsky–Chudnovsky,
“Sequences of numbers
generated by addition
in formal groups
and new primality
and factorization tests”:
“The crucial problem becomes
the choice of the model
of an algebraic group variety,
where computations mod pare the least time consuming.”
Most important computations:
ADD is P;Q 7! P +Q.
DBL is P 7! 2P .
“It is preferable to use
models of elliptic curves
lying in low-dimensional spaces,
for otherwise the number of
coordinates and operations is
increasing. This limits us : : : to
4 basic models of elliptic curves.”
Short Weierstrass:
y2 = x3 + ax+ b.Jacobi intersection:
s2 + 2 = 1, as2 + d2 = 1.
Jacobi quartic: y2 = x4+2ax2+1.
Hessian: x3 + y3 + 1 = 3dxy.
Some Newton polygons
���������������
��
�� JJJJJJ
J
Short Weierstrass
���������������
��
��//// JJJ
JJJJ
Montgomery
���������������
��
�� OOOOOOOO
Jacobi quartic
����
����
����
����
����
�
�
�� ??
????
??
Hessian
���������������
���
�Edwards
���������������
���
�����???
Binary Edwards
![Page 24: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/24.jpg)
1986 Chudnovsky–Chudnovsky,
“Sequences of numbers
generated by addition
in formal groups
and new primality
and factorization tests”:
“The crucial problem becomes
the choice of the model
of an algebraic group variety,
where computations mod pare the least time consuming.”
Most important computations:
ADD is P;Q 7! P +Q.
DBL is P 7! 2P .
“It is preferable to use
models of elliptic curves
lying in low-dimensional spaces,
for otherwise the number of
coordinates and operations is
increasing. This limits us : : : to
4 basic models of elliptic curves.”
Short Weierstrass:
y2 = x3 + ax+ b.Jacobi intersection:
s2 + 2 = 1, as2 + d2 = 1.
Jacobi quartic: y2 = x4+2ax2+1.
Hessian: x3 + y3 + 1 = 3dxy.
Some Newton polygons
���������������
��
�� JJJJJJ
J
Short Weierstrass
���������������
��
��//// JJJ
JJJJ
Montgomery
���������������
��
�� OOOOOOOO
Jacobi quartic
����
����
����
����
����
�
�
�� ??
????
??
Hessian
���������������
���
�Edwards
���������������
���
�����???
Binary Edwards
![Page 25: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/25.jpg)
“It is preferable to use
models of elliptic curves
lying in low-dimensional spaces,
for otherwise the number of
coordinates and operations is
increasing. This limits us : : : to
4 basic models of elliptic curves.”
Short Weierstrass:
y2 = x3 + ax+ b.Jacobi intersection:
s2 + 2 = 1, as2 + d2 = 1.
Jacobi quartic: y2 = x4+2ax2+1.
Hessian: x3 + y3 + 1 = 3dxy.
Some Newton polygons
���������������
��
�� JJJJJJ
J
Short Weierstrass
���������������
��
��//// JJJ
JJJJ
Montgomery
���������������
��
�� OOOOOOOO
Jacobi quartic
����
����
����
����
����
�
�
�� ??
????
??
Hessian
���������������
���
�Edwards
���������������
���
�����???
Binary Edwards
![Page 26: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/26.jpg)
“It is preferable to use
models of elliptic curves
lying in low-dimensional spaces,
for otherwise the number of
coordinates and operations is
increasing. This limits us : : : to
4 basic models of elliptic curves.”
Short Weierstrass:
y2 = x3 + ax+ b.Jacobi intersection:
s2 + 2 = 1, as2 + d2 = 1.
Jacobi quartic: y2 = x4+2ax2+1.
Hessian: x3 + y3 + 1 = 3dxy.
Some Newton polygons
���������������
��
�� JJJJJJ
J
Short Weierstrass
���������������
��
��//// JJJ
JJJJ
Montgomery
���������������
��
�� OOOOOOOO
Jacobi quartic
����
����
����
����
����
�
�
�� ??
????
??
Hessian
���������������
���
�Edwards
���������������
���
�����???
Binary Edwards
Optimizing Jacobian coordinates
For “traditional” (X=Z2; Y=Z3)
on y2 = x3 + ax+ b:1986 Chudnovsky–Chudnovsky
state explicit formulas using
10M for DBL; 16M for ADD.
Consequence:
��
10 lgn+ 16lgn
lg lgn
�M
to compute n; P 7! nPusing sliding-windows method
of scalar multiplication.
Notation: lg = log2.
![Page 27: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/27.jpg)
“It is preferable to use
models of elliptic curves
lying in low-dimensional spaces,
for otherwise the number of
coordinates and operations is
increasing. This limits us : : : to
4 basic models of elliptic curves.”
Short Weierstrass:
y2 = x3 + ax+ b.Jacobi intersection:
s2 + 2 = 1, as2 + d2 = 1.
Jacobi quartic: y2 = x4+2ax2+1.
Hessian: x3 + y3 + 1 = 3dxy.
Some Newton polygons
���������������
��
�� JJJJJJ
J
Short Weierstrass
���������������
��
��//// JJJ
JJJJ
Montgomery
���������������
��
�� OOOOOOOO
Jacobi quartic
����
����
����
����
����
�
�
�� ??
????
??
Hessian
���������������
���
�Edwards
���������������
���
�����???
Binary Edwards
Optimizing Jacobian coordinates
For “traditional” (X=Z2; Y=Z3)
on y2 = x3 + ax+ b:1986 Chudnovsky–Chudnovsky
state explicit formulas using
10M for DBL; 16M for ADD.
Consequence:
��
10 lgn+ 16lgn
lg lgn
�M
to compute n; P 7! nPusing sliding-windows method
of scalar multiplication.
Notation: lg = log2.
![Page 28: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/28.jpg)
“It is preferable to use
models of elliptic curves
lying in low-dimensional spaces,
for otherwise the number of
coordinates and operations is
increasing. This limits us : : : to
4 basic models of elliptic curves.”
Short Weierstrass:
y2 = x3 + ax+ b.Jacobi intersection:
s2 + 2 = 1, as2 + d2 = 1.
Jacobi quartic: y2 = x4+2ax2+1.
Hessian: x3 + y3 + 1 = 3dxy.
Some Newton polygons
���������������
��
�� JJJJJJ
J
Short Weierstrass
���������������
��
��//// JJJ
JJJJ
Montgomery
���������������
��
�� OOOOOOOO
Jacobi quartic
����
����
����
����
����
�
�
�� ??
????
??
Hessian
���������������
���
�Edwards
���������������
���
�����???
Binary Edwards
Optimizing Jacobian coordinates
For “traditional” (X=Z2; Y=Z3)
on y2 = x3 + ax+ b:1986 Chudnovsky–Chudnovsky
state explicit formulas using
10M for DBL; 16M for ADD.
Consequence:
��
10 lgn+ 16lgn
lg lgn
�M
to compute n; P 7! nPusing sliding-windows method
of scalar multiplication.
Notation: lg = log2.
![Page 29: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/29.jpg)
Some Newton polygons
���������������
��
�� JJJJJJ
J
Short Weierstrass
���������������
��
��//// JJJ
JJJJ
Montgomery
���������������
��
�� OOOOOOOO
Jacobi quartic
����
����
����
����
����
�
�
�� ??
????
??
Hessian
���������������
���
�Edwards
���������������
���
�����???
Binary Edwards
Optimizing Jacobian coordinates
For “traditional” (X=Z2; Y=Z3)
on y2 = x3 + ax+ b:1986 Chudnovsky–Chudnovsky
state explicit formulas using
10M for DBL; 16M for ADD.
Consequence:
��
10 lgn+ 16lgn
lg lgn
�M
to compute n; P 7! nPusing sliding-windows method
of scalar multiplication.
Notation: lg = log2.
![Page 30: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/30.jpg)
Some Newton polygons
���������������
��
�� JJJJJJ
J
Short Weierstrass
���������������
��
��//// JJJ
JJJJ
Montgomery
���������������
��
�� OOOOOOOO
Jacobi quartic
����
����
����
����
����
�
�
�� ??
????
??
Hessian
���������������
���
�Edwards
���������������
���
�����???
Binary Edwards
Optimizing Jacobian coordinates
For “traditional” (X=Z2; Y=Z3)
on y2 = x3 + ax+ b:1986 Chudnovsky–Chudnovsky
state explicit formulas using
10M for DBL; 16M for ADD.
Consequence:
��
10 lgn+ 16lgn
lg lgn
�M
to compute n; P 7! nPusing sliding-windows method
of scalar multiplication.
Notation: lg = log2.
Squaring is faster than M.
Here are the DBL formulas:
S = 4X1 � Y 21 ;
M = 3X21 + aZ4
1 ;
T = M2 � 2S;
X3 = T ;
Y3 = M � (S � T )� 8Y 41 ;
Z3 = 2Y1 � Z1.
Total cost 3M + 6S + 1D where
S is the cost of squaring in Fq,D is the cost of multiplying by a.The squarings produce
X21 ; Y 2
1 ; Y 41 ; Z2
1 ; Z41 ;M2.
![Page 31: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/31.jpg)
Some Newton polygons
���������������
��
�� JJJJJJ
J
Short Weierstrass
���������������
��
��//// JJJ
JJJJ
Montgomery
���������������
��
�� OOOOOOOO
Jacobi quartic
����
����
����
����
����
�
�
�� ??
????
??
Hessian
���������������
���
�Edwards
���������������
���
�����???
Binary Edwards
Optimizing Jacobian coordinates
For “traditional” (X=Z2; Y=Z3)
on y2 = x3 + ax+ b:1986 Chudnovsky–Chudnovsky
state explicit formulas using
10M for DBL; 16M for ADD.
Consequence:
��
10 lgn+ 16lgn
lg lgn
�M
to compute n; P 7! nPusing sliding-windows method
of scalar multiplication.
Notation: lg = log2.
Squaring is faster than M.
Here are the DBL formulas:
S = 4X1 � Y 21 ;
M = 3X21 + aZ4
1 ;
T = M2 � 2S;
X3 = T ;
Y3 = M � (S � T )� 8Y 41 ;
Z3 = 2Y1 � Z1.
Total cost 3M + 6S + 1D where
S is the cost of squaring in Fq,D is the cost of multiplying by a.The squarings produce
X21 ; Y 2
1 ; Y 41 ; Z2
1 ; Z41 ;M2.
![Page 32: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/32.jpg)
Some Newton polygons
���������������
��
�� JJJJJJ
J
Short Weierstrass
���������������
��
��//// JJJ
JJJJ
Montgomery
���������������
��
�� OOOOOOOO
Jacobi quartic
����
����
����
����
����
�
�
�� ??
????
??
Hessian
���������������
���
�Edwards
���������������
���
�����???
Binary Edwards
Optimizing Jacobian coordinates
For “traditional” (X=Z2; Y=Z3)
on y2 = x3 + ax+ b:1986 Chudnovsky–Chudnovsky
state explicit formulas using
10M for DBL; 16M for ADD.
Consequence:
��
10 lgn+ 16lgn
lg lgn
�M
to compute n; P 7! nPusing sliding-windows method
of scalar multiplication.
Notation: lg = log2.
Squaring is faster than M.
Here are the DBL formulas:
S = 4X1 � Y 21 ;
M = 3X21 + aZ4
1 ;
T = M2 � 2S;
X3 = T ;
Y3 = M � (S � T )� 8Y 41 ;
Z3 = 2Y1 � Z1.
Total cost 3M + 6S + 1D where
S is the cost of squaring in Fq,D is the cost of multiplying by a.The squarings produce
X21 ; Y 2
1 ; Y 41 ; Z2
1 ; Z41 ;M2.
![Page 33: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/33.jpg)
Optimizing Jacobian coordinates
For “traditional” (X=Z2; Y=Z3)
on y2 = x3 + ax+ b:1986 Chudnovsky–Chudnovsky
state explicit formulas using
10M for DBL; 16M for ADD.
Consequence:
��
10 lgn+ 16lgn
lg lgn
�M
to compute n; P 7! nPusing sliding-windows method
of scalar multiplication.
Notation: lg = log2.
Squaring is faster than M.
Here are the DBL formulas:
S = 4X1 � Y 21 ;
M = 3X21 + aZ4
1 ;
T = M2 � 2S;
X3 = T ;
Y3 = M � (S � T )� 8Y 41 ;
Z3 = 2Y1 � Z1.
Total cost 3M + 6S + 1D where
S is the cost of squaring in Fq,D is the cost of multiplying by a.The squarings produce
X21 ; Y 2
1 ; Y 41 ; Z2
1 ; Z41 ;M2.
![Page 34: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/34.jpg)
Optimizing Jacobian coordinates
For “traditional” (X=Z2; Y=Z3)
on y2 = x3 + ax+ b:1986 Chudnovsky–Chudnovsky
state explicit formulas using
10M for DBL; 16M for ADD.
Consequence:
��
10 lgn+ 16lgn
lg lgn
�M
to compute n; P 7! nPusing sliding-windows method
of scalar multiplication.
Notation: lg = log2.
Squaring is faster than M.
Here are the DBL formulas:
S = 4X1 � Y 21 ;
M = 3X21 + aZ4
1 ;
T = M2 � 2S;
X3 = T ;
Y3 = M � (S � T )� 8Y 41 ;
Z3 = 2Y1 � Z1.
Total cost 3M + 6S + 1D where
S is the cost of squaring in Fq,D is the cost of multiplying by a.The squarings produce
X21 ; Y 2
1 ; Y 41 ; Z2
1 ; Z41 ;M2.
Most ECC standards choose
curves that make formulas faster.
Curve-choice advice from
1986 Chudnovsky–Chudnovsky:
Can eliminate the 1D
by choosing curve with a = 1.
But “it is even smarter”
to choose curve with a = �3.
If a = �3 then M = 3(X21 � Z4
1 )
= 3(X1 � Z21 ) � (X1 + Z2
1 ).
Replace 2S with 1M.
Now DBL costs 4M + 4S.
![Page 35: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/35.jpg)
Optimizing Jacobian coordinates
For “traditional” (X=Z2; Y=Z3)
on y2 = x3 + ax+ b:1986 Chudnovsky–Chudnovsky
state explicit formulas using
10M for DBL; 16M for ADD.
Consequence:
��
10 lgn+ 16lgn
lg lgn
�M
to compute n; P 7! nPusing sliding-windows method
of scalar multiplication.
Notation: lg = log2.
Squaring is faster than M.
Here are the DBL formulas:
S = 4X1 � Y 21 ;
M = 3X21 + aZ4
1 ;
T = M2 � 2S;
X3 = T ;
Y3 = M � (S � T )� 8Y 41 ;
Z3 = 2Y1 � Z1.
Total cost 3M + 6S + 1D where
S is the cost of squaring in Fq,D is the cost of multiplying by a.The squarings produce
X21 ; Y 2
1 ; Y 41 ; Z2
1 ; Z41 ;M2.
Most ECC standards choose
curves that make formulas faster.
Curve-choice advice from
1986 Chudnovsky–Chudnovsky:
Can eliminate the 1D
by choosing curve with a = 1.
But “it is even smarter”
to choose curve with a = �3.
If a = �3 then M = 3(X21 � Z4
1 )
= 3(X1 � Z21 ) � (X1 + Z2
1 ).
Replace 2S with 1M.
Now DBL costs 4M + 4S.
![Page 36: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/36.jpg)
Optimizing Jacobian coordinates
For “traditional” (X=Z2; Y=Z3)
on y2 = x3 + ax+ b:1986 Chudnovsky–Chudnovsky
state explicit formulas using
10M for DBL; 16M for ADD.
Consequence:
��
10 lgn+ 16lgn
lg lgn
�M
to compute n; P 7! nPusing sliding-windows method
of scalar multiplication.
Notation: lg = log2.
Squaring is faster than M.
Here are the DBL formulas:
S = 4X1 � Y 21 ;
M = 3X21 + aZ4
1 ;
T = M2 � 2S;
X3 = T ;
Y3 = M � (S � T )� 8Y 41 ;
Z3 = 2Y1 � Z1.
Total cost 3M + 6S + 1D where
S is the cost of squaring in Fq,D is the cost of multiplying by a.The squarings produce
X21 ; Y 2
1 ; Y 41 ; Z2
1 ; Z41 ;M2.
Most ECC standards choose
curves that make formulas faster.
Curve-choice advice from
1986 Chudnovsky–Chudnovsky:
Can eliminate the 1D
by choosing curve with a = 1.
But “it is even smarter”
to choose curve with a = �3.
If a = �3 then M = 3(X21 � Z4
1 )
= 3(X1 � Z21 ) � (X1 + Z2
1 ).
Replace 2S with 1M.
Now DBL costs 4M + 4S.
![Page 37: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/37.jpg)
Squaring is faster than M.
Here are the DBL formulas:
S = 4X1 � Y 21 ;
M = 3X21 + aZ4
1 ;
T = M2 � 2S;
X3 = T ;
Y3 = M � (S � T )� 8Y 41 ;
Z3 = 2Y1 � Z1.
Total cost 3M + 6S + 1D where
S is the cost of squaring in Fq,D is the cost of multiplying by a.The squarings produce
X21 ; Y 2
1 ; Y 41 ; Z2
1 ; Z41 ;M2.
Most ECC standards choose
curves that make formulas faster.
Curve-choice advice from
1986 Chudnovsky–Chudnovsky:
Can eliminate the 1D
by choosing curve with a = 1.
But “it is even smarter”
to choose curve with a = �3.
If a = �3 then M = 3(X21 � Z4
1 )
= 3(X1 � Z21 ) � (X1 + Z2
1 ).
Replace 2S with 1M.
Now DBL costs 4M + 4S.
![Page 38: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/38.jpg)
Squaring is faster than M.
Here are the DBL formulas:
S = 4X1 � Y 21 ;
M = 3X21 + aZ4
1 ;
T = M2 � 2S;
X3 = T ;
Y3 = M � (S � T )� 8Y 41 ;
Z3 = 2Y1 � Z1.
Total cost 3M + 6S + 1D where
S is the cost of squaring in Fq,D is the cost of multiplying by a.The squarings produce
X21 ; Y 2
1 ; Y 41 ; Z2
1 ; Z41 ;M2.
Most ECC standards choose
curves that make formulas faster.
Curve-choice advice from
1986 Chudnovsky–Chudnovsky:
Can eliminate the 1D
by choosing curve with a = 1.
But “it is even smarter”
to choose curve with a = �3.
If a = �3 then M = 3(X21 � Z4
1 )
= 3(X1 � Z21 ) � (X1 + Z2
1 ).
Replace 2S with 1M.
Now DBL costs 4M + 4S.
2001 Bernstein:
3M + 5S for DBL.
11M + 5S for ADD.
How? Easy S�M tradeoff:
instead of computing 2Y1 � Z1,
compute (Y1 + Z1)2 � Y 2
1 � Z21 .
DBL formulas were already
computing Y 21 and Z2
1 .
Same idea for the ADD formulas,
but have to scale X; Y; Zto eliminate divisions by 2.
![Page 39: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/39.jpg)
Squaring is faster than M.
Here are the DBL formulas:
S = 4X1 � Y 21 ;
M = 3X21 + aZ4
1 ;
T = M2 � 2S;
X3 = T ;
Y3 = M � (S � T )� 8Y 41 ;
Z3 = 2Y1 � Z1.
Total cost 3M + 6S + 1D where
S is the cost of squaring in Fq,D is the cost of multiplying by a.The squarings produce
X21 ; Y 2
1 ; Y 41 ; Z2
1 ; Z41 ;M2.
Most ECC standards choose
curves that make formulas faster.
Curve-choice advice from
1986 Chudnovsky–Chudnovsky:
Can eliminate the 1D
by choosing curve with a = 1.
But “it is even smarter”
to choose curve with a = �3.
If a = �3 then M = 3(X21 � Z4
1 )
= 3(X1 � Z21 ) � (X1 + Z2
1 ).
Replace 2S with 1M.
Now DBL costs 4M + 4S.
2001 Bernstein:
3M + 5S for DBL.
11M + 5S for ADD.
How? Easy S�M tradeoff:
instead of computing 2Y1 � Z1,
compute (Y1 + Z1)2 � Y 2
1 � Z21 .
DBL formulas were already
computing Y 21 and Z2
1 .
Same idea for the ADD formulas,
but have to scale X; Y; Zto eliminate divisions by 2.
![Page 40: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/40.jpg)
Squaring is faster than M.
Here are the DBL formulas:
S = 4X1 � Y 21 ;
M = 3X21 + aZ4
1 ;
T = M2 � 2S;
X3 = T ;
Y3 = M � (S � T )� 8Y 41 ;
Z3 = 2Y1 � Z1.
Total cost 3M + 6S + 1D where
S is the cost of squaring in Fq,D is the cost of multiplying by a.The squarings produce
X21 ; Y 2
1 ; Y 41 ; Z2
1 ; Z41 ;M2.
Most ECC standards choose
curves that make formulas faster.
Curve-choice advice from
1986 Chudnovsky–Chudnovsky:
Can eliminate the 1D
by choosing curve with a = 1.
But “it is even smarter”
to choose curve with a = �3.
If a = �3 then M = 3(X21 � Z4
1 )
= 3(X1 � Z21 ) � (X1 + Z2
1 ).
Replace 2S with 1M.
Now DBL costs 4M + 4S.
2001 Bernstein:
3M + 5S for DBL.
11M + 5S for ADD.
How? Easy S�M tradeoff:
instead of computing 2Y1 � Z1,
compute (Y1 + Z1)2 � Y 2
1 � Z21 .
DBL formulas were already
computing Y 21 and Z2
1 .
Same idea for the ADD formulas,
but have to scale X; Y; Zto eliminate divisions by 2.
![Page 41: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/41.jpg)
Most ECC standards choose
curves that make formulas faster.
Curve-choice advice from
1986 Chudnovsky–Chudnovsky:
Can eliminate the 1D
by choosing curve with a = 1.
But “it is even smarter”
to choose curve with a = �3.
If a = �3 then M = 3(X21 � Z4
1 )
= 3(X1 � Z21 ) � (X1 + Z2
1 ).
Replace 2S with 1M.
Now DBL costs 4M + 4S.
2001 Bernstein:
3M + 5S for DBL.
11M + 5S for ADD.
How? Easy S�M tradeoff:
instead of computing 2Y1 � Z1,
compute (Y1 + Z1)2 � Y 2
1 � Z21 .
DBL formulas were already
computing Y 21 and Z2
1 .
Same idea for the ADD formulas,
but have to scale X; Y; Zto eliminate divisions by 2.
![Page 42: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/42.jpg)
Most ECC standards choose
curves that make formulas faster.
Curve-choice advice from
1986 Chudnovsky–Chudnovsky:
Can eliminate the 1D
by choosing curve with a = 1.
But “it is even smarter”
to choose curve with a = �3.
If a = �3 then M = 3(X21 � Z4
1 )
= 3(X1 � Z21 ) � (X1 + Z2
1 ).
Replace 2S with 1M.
Now DBL costs 4M + 4S.
2001 Bernstein:
3M + 5S for DBL.
11M + 5S for ADD.
How? Easy S�M tradeoff:
instead of computing 2Y1 � Z1,
compute (Y1 + Z1)2 � Y 2
1 � Z21 .
DBL formulas were already
computing Y 21 and Z2
1 .
Same idea for the ADD formulas,
but have to scale X; Y; Zto eliminate divisions by 2.
ADD for y2 = x3 + ax+ b:U1 = X1Z2
2 , U2 = X2Z21 ,
S1 = Y1Z32 , S2 = Y2Z3
1 ,
many more computations.
1986 Chudnovsky–Chudnovsky:
“We suggest to write
addition formulas involving
(X; Y; Z; Z2; Z3).”
Disadvantages:
Allocate space for Z2; Z3.
Pay 1S+1M in ADD and in DBL.
Advantages:
Save 2S + 2M at start of ADD.
Save 1S at start of DBL.
![Page 43: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/43.jpg)
Most ECC standards choose
curves that make formulas faster.
Curve-choice advice from
1986 Chudnovsky–Chudnovsky:
Can eliminate the 1D
by choosing curve with a = 1.
But “it is even smarter”
to choose curve with a = �3.
If a = �3 then M = 3(X21 � Z4
1 )
= 3(X1 � Z21 ) � (X1 + Z2
1 ).
Replace 2S with 1M.
Now DBL costs 4M + 4S.
2001 Bernstein:
3M + 5S for DBL.
11M + 5S for ADD.
How? Easy S�M tradeoff:
instead of computing 2Y1 � Z1,
compute (Y1 + Z1)2 � Y 2
1 � Z21 .
DBL formulas were already
computing Y 21 and Z2
1 .
Same idea for the ADD formulas,
but have to scale X; Y; Zto eliminate divisions by 2.
ADD for y2 = x3 + ax+ b:U1 = X1Z2
2 , U2 = X2Z21 ,
S1 = Y1Z32 , S2 = Y2Z3
1 ,
many more computations.
1986 Chudnovsky–Chudnovsky:
“We suggest to write
addition formulas involving
(X; Y; Z; Z2; Z3).”
Disadvantages:
Allocate space for Z2; Z3.
Pay 1S+1M in ADD and in DBL.
Advantages:
Save 2S + 2M at start of ADD.
Save 1S at start of DBL.
![Page 44: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/44.jpg)
Most ECC standards choose
curves that make formulas faster.
Curve-choice advice from
1986 Chudnovsky–Chudnovsky:
Can eliminate the 1D
by choosing curve with a = 1.
But “it is even smarter”
to choose curve with a = �3.
If a = �3 then M = 3(X21 � Z4
1 )
= 3(X1 � Z21 ) � (X1 + Z2
1 ).
Replace 2S with 1M.
Now DBL costs 4M + 4S.
2001 Bernstein:
3M + 5S for DBL.
11M + 5S for ADD.
How? Easy S�M tradeoff:
instead of computing 2Y1 � Z1,
compute (Y1 + Z1)2 � Y 2
1 � Z21 .
DBL formulas were already
computing Y 21 and Z2
1 .
Same idea for the ADD formulas,
but have to scale X; Y; Zto eliminate divisions by 2.
ADD for y2 = x3 + ax+ b:U1 = X1Z2
2 , U2 = X2Z21 ,
S1 = Y1Z32 , S2 = Y2Z3
1 ,
many more computations.
1986 Chudnovsky–Chudnovsky:
“We suggest to write
addition formulas involving
(X; Y; Z; Z2; Z3).”
Disadvantages:
Allocate space for Z2; Z3.
Pay 1S+1M in ADD and in DBL.
Advantages:
Save 2S + 2M at start of ADD.
Save 1S at start of DBL.
![Page 45: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/45.jpg)
2001 Bernstein:
3M + 5S for DBL.
11M + 5S for ADD.
How? Easy S�M tradeoff:
instead of computing 2Y1 � Z1,
compute (Y1 + Z1)2 � Y 2
1 � Z21 .
DBL formulas were already
computing Y 21 and Z2
1 .
Same idea for the ADD formulas,
but have to scale X; Y; Zto eliminate divisions by 2.
ADD for y2 = x3 + ax+ b:U1 = X1Z2
2 , U2 = X2Z21 ,
S1 = Y1Z32 , S2 = Y2Z3
1 ,
many more computations.
1986 Chudnovsky–Chudnovsky:
“We suggest to write
addition formulas involving
(X; Y; Z; Z2; Z3).”
Disadvantages:
Allocate space for Z2; Z3.
Pay 1S+1M in ADD and in DBL.
Advantages:
Save 2S + 2M at start of ADD.
Save 1S at start of DBL.
![Page 46: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/46.jpg)
2001 Bernstein:
3M + 5S for DBL.
11M + 5S for ADD.
How? Easy S�M tradeoff:
instead of computing 2Y1 � Z1,
compute (Y1 + Z1)2 � Y 2
1 � Z21 .
DBL formulas were already
computing Y 21 and Z2
1 .
Same idea for the ADD formulas,
but have to scale X; Y; Zto eliminate divisions by 2.
ADD for y2 = x3 + ax+ b:U1 = X1Z2
2 , U2 = X2Z21 ,
S1 = Y1Z32 , S2 = Y2Z3
1 ,
many more computations.
1986 Chudnovsky–Chudnovsky:
“We suggest to write
addition formulas involving
(X; Y; Z; Z2; Z3).”
Disadvantages:
Allocate space for Z2; Z3.
Pay 1S+1M in ADD and in DBL.
Advantages:
Save 2S + 2M at start of ADD.
Save 1S at start of DBL.
1998 Cohen–Miyaji–Ono:
Store point as (X : Y : Z).
If point is input to ADD,
also cache Z2 and Z3.
No cost, aside from space.
If point is input to another ADD,
reuse Z2; Z3. Save 1S + 1M!
Best Jacobian speeds today,
including S�M tradeoffs:
3M + 5S for DBL if a = �3.
11M + 5S for ADD.
10M + 4S for reADD.
7M + 4S for mADD (i.e. Z2 = 1).
![Page 47: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/47.jpg)
2001 Bernstein:
3M + 5S for DBL.
11M + 5S for ADD.
How? Easy S�M tradeoff:
instead of computing 2Y1 � Z1,
compute (Y1 + Z1)2 � Y 2
1 � Z21 .
DBL formulas were already
computing Y 21 and Z2
1 .
Same idea for the ADD formulas,
but have to scale X; Y; Zto eliminate divisions by 2.
ADD for y2 = x3 + ax+ b:U1 = X1Z2
2 , U2 = X2Z21 ,
S1 = Y1Z32 , S2 = Y2Z3
1 ,
many more computations.
1986 Chudnovsky–Chudnovsky:
“We suggest to write
addition formulas involving
(X; Y; Z; Z2; Z3).”
Disadvantages:
Allocate space for Z2; Z3.
Pay 1S+1M in ADD and in DBL.
Advantages:
Save 2S + 2M at start of ADD.
Save 1S at start of DBL.
1998 Cohen–Miyaji–Ono:
Store point as (X : Y : Z).
If point is input to ADD,
also cache Z2 and Z3.
No cost, aside from space.
If point is input to another ADD,
reuse Z2; Z3. Save 1S + 1M!
Best Jacobian speeds today,
including S�M tradeoffs:
3M + 5S for DBL if a = �3.
11M + 5S for ADD.
10M + 4S for reADD.
7M + 4S for mADD (i.e. Z2 = 1).
![Page 48: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/48.jpg)
2001 Bernstein:
3M + 5S for DBL.
11M + 5S for ADD.
How? Easy S�M tradeoff:
instead of computing 2Y1 � Z1,
compute (Y1 + Z1)2 � Y 2
1 � Z21 .
DBL formulas were already
computing Y 21 and Z2
1 .
Same idea for the ADD formulas,
but have to scale X; Y; Zto eliminate divisions by 2.
ADD for y2 = x3 + ax+ b:U1 = X1Z2
2 , U2 = X2Z21 ,
S1 = Y1Z32 , S2 = Y2Z3
1 ,
many more computations.
1986 Chudnovsky–Chudnovsky:
“We suggest to write
addition formulas involving
(X; Y; Z; Z2; Z3).”
Disadvantages:
Allocate space for Z2; Z3.
Pay 1S+1M in ADD and in DBL.
Advantages:
Save 2S + 2M at start of ADD.
Save 1S at start of DBL.
1998 Cohen–Miyaji–Ono:
Store point as (X : Y : Z).
If point is input to ADD,
also cache Z2 and Z3.
No cost, aside from space.
If point is input to another ADD,
reuse Z2; Z3. Save 1S + 1M!
Best Jacobian speeds today,
including S�M tradeoffs:
3M + 5S for DBL if a = �3.
11M + 5S for ADD.
10M + 4S for reADD.
7M + 4S for mADD (i.e. Z2 = 1).
![Page 49: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/49.jpg)
ADD for y2 = x3 + ax+ b:U1 = X1Z2
2 , U2 = X2Z21 ,
S1 = Y1Z32 , S2 = Y2Z3
1 ,
many more computations.
1986 Chudnovsky–Chudnovsky:
“We suggest to write
addition formulas involving
(X; Y; Z; Z2; Z3).”
Disadvantages:
Allocate space for Z2; Z3.
Pay 1S+1M in ADD and in DBL.
Advantages:
Save 2S + 2M at start of ADD.
Save 1S at start of DBL.
1998 Cohen–Miyaji–Ono:
Store point as (X : Y : Z).
If point is input to ADD,
also cache Z2 and Z3.
No cost, aside from space.
If point is input to another ADD,
reuse Z2; Z3. Save 1S + 1M!
Best Jacobian speeds today,
including S�M tradeoffs:
3M + 5S for DBL if a = �3.
11M + 5S for ADD.
10M + 4S for reADD.
7M + 4S for mADD (i.e. Z2 = 1).
![Page 50: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/50.jpg)
ADD for y2 = x3 + ax+ b:U1 = X1Z2
2 , U2 = X2Z21 ,
S1 = Y1Z32 , S2 = Y2Z3
1 ,
many more computations.
1986 Chudnovsky–Chudnovsky:
“We suggest to write
addition formulas involving
(X; Y; Z; Z2; Z3).”
Disadvantages:
Allocate space for Z2; Z3.
Pay 1S+1M in ADD and in DBL.
Advantages:
Save 2S + 2M at start of ADD.
Save 1S at start of DBL.
1998 Cohen–Miyaji–Ono:
Store point as (X : Y : Z).
If point is input to ADD,
also cache Z2 and Z3.
No cost, aside from space.
If point is input to another ADD,
reuse Z2; Z3. Save 1S + 1M!
Best Jacobian speeds today,
including S�M tradeoffs:
3M + 5S for DBL if a = �3.
11M + 5S for ADD.
10M + 4S for reADD.
7M + 4S for mADD (i.e. Z2 = 1).
Compare to speeds for Edwards
curves x2 + y2 = 1 + dx2y2
in projective coordinates
(2007 Bernstein–Lange):
3M + 4S for DBL.
10M + 1S + 1D for ADD.
9M + 1S + 1D for mADD.
Inverted Edwards coordinates
(2007 Bernstein–Lange):
3M + 4S + 1D for DBL.
9M + 1S + 1D for ADD.
8M + 1S + 1D for mADD.
Latest Edwards speed news:
2008.12 Hisil–Wong–Carter–Dawson.
![Page 51: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/51.jpg)
ADD for y2 = x3 + ax+ b:U1 = X1Z2
2 , U2 = X2Z21 ,
S1 = Y1Z32 , S2 = Y2Z3
1 ,
many more computations.
1986 Chudnovsky–Chudnovsky:
“We suggest to write
addition formulas involving
(X; Y; Z; Z2; Z3).”
Disadvantages:
Allocate space for Z2; Z3.
Pay 1S+1M in ADD and in DBL.
Advantages:
Save 2S + 2M at start of ADD.
Save 1S at start of DBL.
1998 Cohen–Miyaji–Ono:
Store point as (X : Y : Z).
If point is input to ADD,
also cache Z2 and Z3.
No cost, aside from space.
If point is input to another ADD,
reuse Z2; Z3. Save 1S + 1M!
Best Jacobian speeds today,
including S�M tradeoffs:
3M + 5S for DBL if a = �3.
11M + 5S for ADD.
10M + 4S for reADD.
7M + 4S for mADD (i.e. Z2 = 1).
Compare to speeds for Edwards
curves x2 + y2 = 1 + dx2y2
in projective coordinates
(2007 Bernstein–Lange):
3M + 4S for DBL.
10M + 1S + 1D for ADD.
9M + 1S + 1D for mADD.
Inverted Edwards coordinates
(2007 Bernstein–Lange):
3M + 4S + 1D for DBL.
9M + 1S + 1D for ADD.
8M + 1S + 1D for mADD.
Latest Edwards speed news:
2008.12 Hisil–Wong–Carter–Dawson.
![Page 52: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/52.jpg)
ADD for y2 = x3 + ax+ b:U1 = X1Z2
2 , U2 = X2Z21 ,
S1 = Y1Z32 , S2 = Y2Z3
1 ,
many more computations.
1986 Chudnovsky–Chudnovsky:
“We suggest to write
addition formulas involving
(X; Y; Z; Z2; Z3).”
Disadvantages:
Allocate space for Z2; Z3.
Pay 1S+1M in ADD and in DBL.
Advantages:
Save 2S + 2M at start of ADD.
Save 1S at start of DBL.
1998 Cohen–Miyaji–Ono:
Store point as (X : Y : Z).
If point is input to ADD,
also cache Z2 and Z3.
No cost, aside from space.
If point is input to another ADD,
reuse Z2; Z3. Save 1S + 1M!
Best Jacobian speeds today,
including S�M tradeoffs:
3M + 5S for DBL if a = �3.
11M + 5S for ADD.
10M + 4S for reADD.
7M + 4S for mADD (i.e. Z2 = 1).
Compare to speeds for Edwards
curves x2 + y2 = 1 + dx2y2
in projective coordinates
(2007 Bernstein–Lange):
3M + 4S for DBL.
10M + 1S + 1D for ADD.
9M + 1S + 1D for mADD.
Inverted Edwards coordinates
(2007 Bernstein–Lange):
3M + 4S + 1D for DBL.
9M + 1S + 1D for ADD.
8M + 1S + 1D for mADD.
Latest Edwards speed news:
2008.12 Hisil–Wong–Carter–Dawson.
![Page 53: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/53.jpg)
1998 Cohen–Miyaji–Ono:
Store point as (X : Y : Z).
If point is input to ADD,
also cache Z2 and Z3.
No cost, aside from space.
If point is input to another ADD,
reuse Z2; Z3. Save 1S + 1M!
Best Jacobian speeds today,
including S�M tradeoffs:
3M + 5S for DBL if a = �3.
11M + 5S for ADD.
10M + 4S for reADD.
7M + 4S for mADD (i.e. Z2 = 1).
Compare to speeds for Edwards
curves x2 + y2 = 1 + dx2y2
in projective coordinates
(2007 Bernstein–Lange):
3M + 4S for DBL.
10M + 1S + 1D for ADD.
9M + 1S + 1D for mADD.
Inverted Edwards coordinates
(2007 Bernstein–Lange):
3M + 4S + 1D for DBL.
9M + 1S + 1D for ADD.
8M + 1S + 1D for mADD.
Latest Edwards speed news:
2008.12 Hisil–Wong–Carter–Dawson.
![Page 54: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/54.jpg)
1998 Cohen–Miyaji–Ono:
Store point as (X : Y : Z).
If point is input to ADD,
also cache Z2 and Z3.
No cost, aside from space.
If point is input to another ADD,
reuse Z2; Z3. Save 1S + 1M!
Best Jacobian speeds today,
including S�M tradeoffs:
3M + 5S for DBL if a = �3.
11M + 5S for ADD.
10M + 4S for reADD.
7M + 4S for mADD (i.e. Z2 = 1).
Compare to speeds for Edwards
curves x2 + y2 = 1 + dx2y2
in projective coordinates
(2007 Bernstein–Lange):
3M + 4S for DBL.
10M + 1S + 1D for ADD.
9M + 1S + 1D for mADD.
Inverted Edwards coordinates
(2007 Bernstein–Lange):
3M + 4S + 1D for DBL.
9M + 1S + 1D for ADD.
8M + 1S + 1D for mADD.
Latest Edwards speed news:
2008.12 Hisil–Wong–Carter–Dawson.
y2 = x3 � 0:4x+ 0:7
![Page 55: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/55.jpg)
1998 Cohen–Miyaji–Ono:
Store point as (X : Y : Z).
If point is input to ADD,
also cache Z2 and Z3.
No cost, aside from space.
If point is input to another ADD,
reuse Z2; Z3. Save 1S + 1M!
Best Jacobian speeds today,
including S�M tradeoffs:
3M + 5S for DBL if a = �3.
11M + 5S for ADD.
10M + 4S for reADD.
7M + 4S for mADD (i.e. Z2 = 1).
Compare to speeds for Edwards
curves x2 + y2 = 1 + dx2y2
in projective coordinates
(2007 Bernstein–Lange):
3M + 4S for DBL.
10M + 1S + 1D for ADD.
9M + 1S + 1D for mADD.
Inverted Edwards coordinates
(2007 Bernstein–Lange):
3M + 4S + 1D for DBL.
9M + 1S + 1D for ADD.
8M + 1S + 1D for mADD.
Latest Edwards speed news:
2008.12 Hisil–Wong–Carter–Dawson.
y2 = x3 � 0:4x+ 0:7
![Page 56: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/56.jpg)
1998 Cohen–Miyaji–Ono:
Store point as (X : Y : Z).
If point is input to ADD,
also cache Z2 and Z3.
No cost, aside from space.
If point is input to another ADD,
reuse Z2; Z3. Save 1S + 1M!
Best Jacobian speeds today,
including S�M tradeoffs:
3M + 5S for DBL if a = �3.
11M + 5S for ADD.
10M + 4S for reADD.
7M + 4S for mADD (i.e. Z2 = 1).
Compare to speeds for Edwards
curves x2 + y2 = 1 + dx2y2
in projective coordinates
(2007 Bernstein–Lange):
3M + 4S for DBL.
10M + 1S + 1D for ADD.
9M + 1S + 1D for mADD.
Inverted Edwards coordinates
(2007 Bernstein–Lange):
3M + 4S + 1D for DBL.
9M + 1S + 1D for ADD.
8M + 1S + 1D for mADD.
Latest Edwards speed news:
2008.12 Hisil–Wong–Carter–Dawson.
y2 = x3 � 0:4x+ 0:7
![Page 57: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/57.jpg)
Compare to speeds for Edwards
curves x2 + y2 = 1 + dx2y2
in projective coordinates
(2007 Bernstein–Lange):
3M + 4S for DBL.
10M + 1S + 1D for ADD.
9M + 1S + 1D for mADD.
Inverted Edwards coordinates
(2007 Bernstein–Lange):
3M + 4S + 1D for DBL.
9M + 1S + 1D for ADD.
8M + 1S + 1D for mADD.
Latest Edwards speed news:
2008.12 Hisil–Wong–Carter–Dawson.
y2 = x3 � 0:4x+ 0:7
![Page 58: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/58.jpg)
Compare to speeds for Edwards
curves x2 + y2 = 1 + dx2y2
in projective coordinates
(2007 Bernstein–Lange):
3M + 4S for DBL.
10M + 1S + 1D for ADD.
9M + 1S + 1D for mADD.
Inverted Edwards coordinates
(2007 Bernstein–Lange):
3M + 4S + 1D for DBL.
9M + 1S + 1D for ADD.
8M + 1S + 1D for mADD.
Latest Edwards speed news:
2008.12 Hisil–Wong–Carter–Dawson.
y2 = x3 � 0:4x+ 0:7
(Thanks to Tanja Lange
for the pictures.)
![Page 59: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/59.jpg)
Compare to speeds for Edwards
curves x2 + y2 = 1 + dx2y2
in projective coordinates
(2007 Bernstein–Lange):
3M + 4S for DBL.
10M + 1S + 1D for ADD.
9M + 1S + 1D for mADD.
Inverted Edwards coordinates
(2007 Bernstein–Lange):
3M + 4S + 1D for DBL.
9M + 1S + 1D for ADD.
8M + 1S + 1D for mADD.
Latest Edwards speed news:
2008.12 Hisil–Wong–Carter–Dawson.
y2 = x3 � 0:4x+ 0:7
(Thanks to Tanja Lange
for the pictures.)
![Page 60: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/60.jpg)
Compare to speeds for Edwards
curves x2 + y2 = 1 + dx2y2
in projective coordinates
(2007 Bernstein–Lange):
3M + 4S for DBL.
10M + 1S + 1D for ADD.
9M + 1S + 1D for mADD.
Inverted Edwards coordinates
(2007 Bernstein–Lange):
3M + 4S + 1D for DBL.
9M + 1S + 1D for ADD.
8M + 1S + 1D for mADD.
Latest Edwards speed news:
2008.12 Hisil–Wong–Carter–Dawson.
y2 = x3 � 0:4x+ 0:7
(Thanks to Tanja Lange
for the pictures.)
![Page 61: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/61.jpg)
y2 = x3 � 0:4x+ 0:7
(Thanks to Tanja Lange
for the pictures.)
![Page 62: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/62.jpg)
y2 = x3 � 0:4x+ 0:7
(Thanks to Tanja Lange
for the pictures.)
x2 + y2 = 1� 300x2y2
![Page 63: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/63.jpg)
y2 = x3 � 0:4x+ 0:7
(Thanks to Tanja Lange
for the pictures.)
x2 + y2 = 1� 300x2y2
![Page 64: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/64.jpg)
y2 = x3 � 0:4x+ 0:7
(Thanks to Tanja Lange
for the pictures.)
x2 + y2 = 1� 300x2y2
![Page 65: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/65.jpg)
(Thanks to Tanja Lange
for the pictures.)
x2 + y2 = 1� 300x2y2
![Page 66: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/66.jpg)
(Thanks to Tanja Lange
for the pictures.)
x2 + y2 = 1� 300x2y2
![Page 67: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/67.jpg)
(Thanks to Tanja Lange
for the pictures.)
x2 + y2 = 1� 300x2y2
![Page 68: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/68.jpg)
(Thanks to Tanja Lange
for the pictures.)
x2 + y2 = 1� 300x2y2
![Page 69: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/69.jpg)
x2 + y2 = 1� 300x2y2
![Page 70: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/70.jpg)
x2 + y2 = 1� 300x2y2
![Page 71: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/71.jpg)
x2 + y2 = 1� 300x2y2
![Page 72: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/72.jpg)
x2 + y2 = 1� 300x2y2
![Page 73: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/73.jpg)
![Page 74: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/74.jpg)
![Page 75: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/75.jpg)
![Page 76: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/76.jpg)
![Page 77: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/77.jpg)
![Page 78: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/78.jpg)
![Page 79: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/79.jpg)
![Page 80: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/80.jpg)
![Page 81: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/81.jpg)
![Page 82: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/82.jpg)
![Page 83: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/83.jpg)
![Page 84: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/84.jpg)
![Page 85: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/85.jpg)
![Page 86: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/86.jpg)
![Page 87: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/87.jpg)
![Page 88: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/88.jpg)
![Page 89: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/89.jpg)
![Page 90: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/90.jpg)
Speed-oriented Jacobian standards
2000 IEEE “Std 1363”
uses Weierstrass curves
in Jacobian coordinates
to “provide the fastest
arithmetic on elliptic curves.”
Also specifies a method of
choosing curves y2 = x3 � 3x+ b.2000 NIST “FIPS 186–2”
standardizes five such curves.
2005 NSA “Suite B” recommends
two of the NIST curves as
the only public-key cryptosystems
for U.S. government use.
![Page 91: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/91.jpg)
Speed-oriented Jacobian standards
2000 IEEE “Std 1363”
uses Weierstrass curves
in Jacobian coordinates
to “provide the fastest
arithmetic on elliptic curves.”
Also specifies a method of
choosing curves y2 = x3 � 3x+ b.2000 NIST “FIPS 186–2”
standardizes five such curves.
2005 NSA “Suite B” recommends
two of the NIST curves as
the only public-key cryptosystems
for U.S. government use.
![Page 92: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/92.jpg)
Speed-oriented Jacobian standards
2000 IEEE “Std 1363”
uses Weierstrass curves
in Jacobian coordinates
to “provide the fastest
arithmetic on elliptic curves.”
Also specifies a method of
choosing curves y2 = x3 � 3x+ b.2000 NIST “FIPS 186–2”
standardizes five such curves.
2005 NSA “Suite B” recommends
two of the NIST curves as
the only public-key cryptosystems
for U.S. government use.
![Page 93: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/93.jpg)
Speed-oriented Jacobian standards
2000 IEEE “Std 1363”
uses Weierstrass curves
in Jacobian coordinates
to “provide the fastest
arithmetic on elliptic curves.”
Also specifies a method of
choosing curves y2 = x3 � 3x+ b.2000 NIST “FIPS 186–2”
standardizes five such curves.
2005 NSA “Suite B” recommends
two of the NIST curves as
the only public-key cryptosystems
for U.S. government use.
![Page 94: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/94.jpg)
Speed-oriented Jacobian standards
2000 IEEE “Std 1363”
uses Weierstrass curves
in Jacobian coordinates
to “provide the fastest
arithmetic on elliptic curves.”
Also specifies a method of
choosing curves y2 = x3 � 3x+ b.2000 NIST “FIPS 186–2”
standardizes five such curves.
2005 NSA “Suite B” recommends
two of the NIST curves as
the only public-key cryptosystems
for U.S. government use.
Projective for Weierstrass
1986 Chudnovsky–Chudnovsky:
Speed up ADD by switching from
(X=Z2; Y=Z3) to (X=Z; Y=Z).
7M + 3S for DBL if a = �3.
12M + 2S for ADD.
12M + 2S for reADD.
Option has been mostly ignored:
DBL dominates in ECDH etc.
But ADD dominates in
some applications: e.g.,
batch signature verification.
![Page 95: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/95.jpg)
Speed-oriented Jacobian standards
2000 IEEE “Std 1363”
uses Weierstrass curves
in Jacobian coordinates
to “provide the fastest
arithmetic on elliptic curves.”
Also specifies a method of
choosing curves y2 = x3 � 3x+ b.2000 NIST “FIPS 186–2”
standardizes five such curves.
2005 NSA “Suite B” recommends
two of the NIST curves as
the only public-key cryptosystems
for U.S. government use.
Projective for Weierstrass
1986 Chudnovsky–Chudnovsky:
Speed up ADD by switching from
(X=Z2; Y=Z3) to (X=Z; Y=Z).
7M + 3S for DBL if a = �3.
12M + 2S for ADD.
12M + 2S for reADD.
Option has been mostly ignored:
DBL dominates in ECDH etc.
But ADD dominates in
some applications: e.g.,
batch signature verification.
![Page 96: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/96.jpg)
Speed-oriented Jacobian standards
2000 IEEE “Std 1363”
uses Weierstrass curves
in Jacobian coordinates
to “provide the fastest
arithmetic on elliptic curves.”
Also specifies a method of
choosing curves y2 = x3 � 3x+ b.2000 NIST “FIPS 186–2”
standardizes five such curves.
2005 NSA “Suite B” recommends
two of the NIST curves as
the only public-key cryptosystems
for U.S. government use.
Projective for Weierstrass
1986 Chudnovsky–Chudnovsky:
Speed up ADD by switching from
(X=Z2; Y=Z3) to (X=Z; Y=Z).
7M + 3S for DBL if a = �3.
12M + 2S for ADD.
12M + 2S for reADD.
Option has been mostly ignored:
DBL dominates in ECDH etc.
But ADD dominates in
some applications: e.g.,
batch signature verification.
![Page 97: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/97.jpg)
Speed-oriented Jacobian standards
2000 IEEE “Std 1363”
uses Weierstrass curves
in Jacobian coordinates
to “provide the fastest
arithmetic on elliptic curves.”
Also specifies a method of
choosing curves y2 = x3 � 3x+ b.2000 NIST “FIPS 186–2”
standardizes five such curves.
2005 NSA “Suite B” recommends
two of the NIST curves as
the only public-key cryptosystems
for U.S. government use.
Projective for Weierstrass
1986 Chudnovsky–Chudnovsky:
Speed up ADD by switching from
(X=Z2; Y=Z3) to (X=Z; Y=Z).
7M + 3S for DBL if a = �3.
12M + 2S for ADD.
12M + 2S for reADD.
Option has been mostly ignored:
DBL dominates in ECDH etc.
But ADD dominates in
some applications: e.g.,
batch signature verification.
![Page 98: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/98.jpg)
Speed-oriented Jacobian standards
2000 IEEE “Std 1363”
uses Weierstrass curves
in Jacobian coordinates
to “provide the fastest
arithmetic on elliptic curves.”
Also specifies a method of
choosing curves y2 = x3 � 3x+ b.2000 NIST “FIPS 186–2”
standardizes five such curves.
2005 NSA “Suite B” recommends
two of the NIST curves as
the only public-key cryptosystems
for U.S. government use.
Projective for Weierstrass
1986 Chudnovsky–Chudnovsky:
Speed up ADD by switching from
(X=Z2; Y=Z3) to (X=Z; Y=Z).
7M + 3S for DBL if a = �3.
12M + 2S for ADD.
12M + 2S for reADD.
Option has been mostly ignored:
DBL dominates in ECDH etc.
But ADD dominates in
some applications: e.g.,
batch signature verification.
Montgomery curves
1987 Montgomery:
Use by2 = x3 + ax2 + x.
Choose small (a+ 2)=4.
2(x2; y2) = (x4; y4)
) x4 =(x2
2 � 1)2
4x2(x22 + ax2 + 1)
.
(x3; y3)� (x2; y2) = (x1; y1),
(x3; y3) + (x2; y2) = (x5; y5)
) x5 =(x2x3 � 1)2
x1(x2 � x3)2.
![Page 99: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/99.jpg)
Speed-oriented Jacobian standards
2000 IEEE “Std 1363”
uses Weierstrass curves
in Jacobian coordinates
to “provide the fastest
arithmetic on elliptic curves.”
Also specifies a method of
choosing curves y2 = x3 � 3x+ b.2000 NIST “FIPS 186–2”
standardizes five such curves.
2005 NSA “Suite B” recommends
two of the NIST curves as
the only public-key cryptosystems
for U.S. government use.
Projective for Weierstrass
1986 Chudnovsky–Chudnovsky:
Speed up ADD by switching from
(X=Z2; Y=Z3) to (X=Z; Y=Z).
7M + 3S for DBL if a = �3.
12M + 2S for ADD.
12M + 2S for reADD.
Option has been mostly ignored:
DBL dominates in ECDH etc.
But ADD dominates in
some applications: e.g.,
batch signature verification.
Montgomery curves
1987 Montgomery:
Use by2 = x3 + ax2 + x.
Choose small (a+ 2)=4.
2(x2; y2) = (x4; y4)
) x4 =(x2
2 � 1)2
4x2(x22 + ax2 + 1)
.
(x3; y3)� (x2; y2) = (x1; y1),
(x3; y3) + (x2; y2) = (x5; y5)
) x5 =(x2x3 � 1)2
x1(x2 � x3)2.
![Page 100: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/100.jpg)
Speed-oriented Jacobian standards
2000 IEEE “Std 1363”
uses Weierstrass curves
in Jacobian coordinates
to “provide the fastest
arithmetic on elliptic curves.”
Also specifies a method of
choosing curves y2 = x3 � 3x+ b.2000 NIST “FIPS 186–2”
standardizes five such curves.
2005 NSA “Suite B” recommends
two of the NIST curves as
the only public-key cryptosystems
for U.S. government use.
Projective for Weierstrass
1986 Chudnovsky–Chudnovsky:
Speed up ADD by switching from
(X=Z2; Y=Z3) to (X=Z; Y=Z).
7M + 3S for DBL if a = �3.
12M + 2S for ADD.
12M + 2S for reADD.
Option has been mostly ignored:
DBL dominates in ECDH etc.
But ADD dominates in
some applications: e.g.,
batch signature verification.
Montgomery curves
1987 Montgomery:
Use by2 = x3 + ax2 + x.
Choose small (a+ 2)=4.
2(x2; y2) = (x4; y4)
) x4 =(x2
2 � 1)2
4x2(x22 + ax2 + 1)
.
(x3; y3)� (x2; y2) = (x1; y1),
(x3; y3) + (x2; y2) = (x5; y5)
) x5 =(x2x3 � 1)2
x1(x2 � x3)2.
![Page 101: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/101.jpg)
Projective for Weierstrass
1986 Chudnovsky–Chudnovsky:
Speed up ADD by switching from
(X=Z2; Y=Z3) to (X=Z; Y=Z).
7M + 3S for DBL if a = �3.
12M + 2S for ADD.
12M + 2S for reADD.
Option has been mostly ignored:
DBL dominates in ECDH etc.
But ADD dominates in
some applications: e.g.,
batch signature verification.
Montgomery curves
1987 Montgomery:
Use by2 = x3 + ax2 + x.
Choose small (a+ 2)=4.
2(x2; y2) = (x4; y4)
) x4 =(x2
2 � 1)2
4x2(x22 + ax2 + 1)
.
(x3; y3)� (x2; y2) = (x1; y1),
(x3; y3) + (x2; y2) = (x5; y5)
) x5 =(x2x3 � 1)2
x1(x2 � x3)2.
![Page 102: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/102.jpg)
Projective for Weierstrass
1986 Chudnovsky–Chudnovsky:
Speed up ADD by switching from
(X=Z2; Y=Z3) to (X=Z; Y=Z).
7M + 3S for DBL if a = �3.
12M + 2S for ADD.
12M + 2S for reADD.
Option has been mostly ignored:
DBL dominates in ECDH etc.
But ADD dominates in
some applications: e.g.,
batch signature verification.
Montgomery curves
1987 Montgomery:
Use by2 = x3 + ax2 + x.
Choose small (a+ 2)=4.
2(x2; y2) = (x4; y4)
) x4 =(x2
2 � 1)2
4x2(x22 + ax2 + 1)
.
(x3; y3)� (x2; y2) = (x1; y1),
(x3; y3) + (x2; y2) = (x5; y5)
) x5 =(x2x3 � 1)2
x1(x2 � x3)2.
Represent (x; y)as (X:Z) satisfying x = X=Z.
B = (X2 + Z2)2,
C = (X2 � Z2)2,
D = B � C, X4 = B � C,
Z4 = D � (C +D(a+ 2)=4) )2(X2:Z2) = (X4:Z4).
(X3:Z3)� (X2:Z2) = (X1:Z1),
E = (X3 � Z3) � (X2 + Z2),
F = (X3 + Z3) � (X2 � Z2),
X5 = Z1 � (E + F )2,
Z5 = X1 � (E � F )2 )(X3:Z3) + (X2:Z2) = (X5:Z5).
![Page 103: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/103.jpg)
Projective for Weierstrass
1986 Chudnovsky–Chudnovsky:
Speed up ADD by switching from
(X=Z2; Y=Z3) to (X=Z; Y=Z).
7M + 3S for DBL if a = �3.
12M + 2S for ADD.
12M + 2S for reADD.
Option has been mostly ignored:
DBL dominates in ECDH etc.
But ADD dominates in
some applications: e.g.,
batch signature verification.
Montgomery curves
1987 Montgomery:
Use by2 = x3 + ax2 + x.
Choose small (a+ 2)=4.
2(x2; y2) = (x4; y4)
) x4 =(x2
2 � 1)2
4x2(x22 + ax2 + 1)
.
(x3; y3)� (x2; y2) = (x1; y1),
(x3; y3) + (x2; y2) = (x5; y5)
) x5 =(x2x3 � 1)2
x1(x2 � x3)2.
Represent (x; y)as (X:Z) satisfying x = X=Z.
B = (X2 + Z2)2,
C = (X2 � Z2)2,
D = B � C, X4 = B � C,
Z4 = D � (C +D(a+ 2)=4) )2(X2:Z2) = (X4:Z4).
(X3:Z3)� (X2:Z2) = (X1:Z1),
E = (X3 � Z3) � (X2 + Z2),
F = (X3 + Z3) � (X2 � Z2),
X5 = Z1 � (E + F )2,
Z5 = X1 � (E � F )2 )(X3:Z3) + (X2:Z2) = (X5:Z5).
![Page 104: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/104.jpg)
Projective for Weierstrass
1986 Chudnovsky–Chudnovsky:
Speed up ADD by switching from
(X=Z2; Y=Z3) to (X=Z; Y=Z).
7M + 3S for DBL if a = �3.
12M + 2S for ADD.
12M + 2S for reADD.
Option has been mostly ignored:
DBL dominates in ECDH etc.
But ADD dominates in
some applications: e.g.,
batch signature verification.
Montgomery curves
1987 Montgomery:
Use by2 = x3 + ax2 + x.
Choose small (a+ 2)=4.
2(x2; y2) = (x4; y4)
) x4 =(x2
2 � 1)2
4x2(x22 + ax2 + 1)
.
(x3; y3)� (x2; y2) = (x1; y1),
(x3; y3) + (x2; y2) = (x5; y5)
) x5 =(x2x3 � 1)2
x1(x2 � x3)2.
Represent (x; y)as (X:Z) satisfying x = X=Z.
B = (X2 + Z2)2,
C = (X2 � Z2)2,
D = B � C, X4 = B � C,
Z4 = D � (C +D(a+ 2)=4) )2(X2:Z2) = (X4:Z4).
(X3:Z3)� (X2:Z2) = (X1:Z1),
E = (X3 � Z3) � (X2 + Z2),
F = (X3 + Z3) � (X2 � Z2),
X5 = Z1 � (E + F )2,
Z5 = X1 � (E � F )2 )(X3:Z3) + (X2:Z2) = (X5:Z5).
![Page 105: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/105.jpg)
Montgomery curves
1987 Montgomery:
Use by2 = x3 + ax2 + x.
Choose small (a+ 2)=4.
2(x2; y2) = (x4; y4)
) x4 =(x2
2 � 1)2
4x2(x22 + ax2 + 1)
.
(x3; y3)� (x2; y2) = (x1; y1),
(x3; y3) + (x2; y2) = (x5; y5)
) x5 =(x2x3 � 1)2
x1(x2 � x3)2.
Represent (x; y)as (X:Z) satisfying x = X=Z.
B = (X2 + Z2)2,
C = (X2 � Z2)2,
D = B � C, X4 = B � C,
Z4 = D � (C +D(a+ 2)=4) )2(X2:Z2) = (X4:Z4).
(X3:Z3)� (X2:Z2) = (X1:Z1),
E = (X3 � Z3) � (X2 + Z2),
F = (X3 + Z3) � (X2 � Z2),
X5 = Z1 � (E + F )2,
Z5 = X1 � (E � F )2 )(X3:Z3) + (X2:Z2) = (X5:Z5).
![Page 106: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/106.jpg)
Montgomery curves
1987 Montgomery:
Use by2 = x3 + ax2 + x.
Choose small (a+ 2)=4.
2(x2; y2) = (x4; y4)
) x4 =(x2
2 � 1)2
4x2(x22 + ax2 + 1)
.
(x3; y3)� (x2; y2) = (x1; y1),
(x3; y3) + (x2; y2) = (x5; y5)
) x5 =(x2x3 � 1)2
x1(x2 � x3)2.
Represent (x; y)as (X:Z) satisfying x = X=Z.
B = (X2 + Z2)2,
C = (X2 � Z2)2,
D = B � C, X4 = B � C,
Z4 = D � (C +D(a+ 2)=4) )2(X2:Z2) = (X4:Z4).
(X3:Z3)� (X2:Z2) = (X1:Z1),
E = (X3 � Z3) � (X2 + Z2),
F = (X3 + Z3) � (X2 � Z2),
X5 = Z1 � (E + F )2,
Z5 = X1 � (E � F )2 )(X3:Z3) + (X2:Z2) = (X5:Z5).
This representation
does not allow ADD but it allows
DADD, “differential addition”:
Q;R;Q� R 7! Q+ R.
e.g. 2P; P; P 7! 3P .
e.g. 3P; 2P; P 7! 5P .
e.g. 6P; 5P; P 7! 11P .
2M + 2S + 1D for DBL.
4M + 2S for DADD.
Save 1M if Z1 = 1.
Easily compute n(X1 : Z1) using
� lgn DBL, � lgn DADD.
Almost as fast as Edwards nP .
Relatively slow for mP + nQ etc.
![Page 107: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/107.jpg)
Montgomery curves
1987 Montgomery:
Use by2 = x3 + ax2 + x.
Choose small (a+ 2)=4.
2(x2; y2) = (x4; y4)
) x4 =(x2
2 � 1)2
4x2(x22 + ax2 + 1)
.
(x3; y3)� (x2; y2) = (x1; y1),
(x3; y3) + (x2; y2) = (x5; y5)
) x5 =(x2x3 � 1)2
x1(x2 � x3)2.
Represent (x; y)as (X:Z) satisfying x = X=Z.
B = (X2 + Z2)2,
C = (X2 � Z2)2,
D = B � C, X4 = B � C,
Z4 = D � (C +D(a+ 2)=4) )2(X2:Z2) = (X4:Z4).
(X3:Z3)� (X2:Z2) = (X1:Z1),
E = (X3 � Z3) � (X2 + Z2),
F = (X3 + Z3) � (X2 � Z2),
X5 = Z1 � (E + F )2,
Z5 = X1 � (E � F )2 )(X3:Z3) + (X2:Z2) = (X5:Z5).
This representation
does not allow ADD but it allows
DADD, “differential addition”:
Q;R;Q� R 7! Q+ R.
e.g. 2P; P; P 7! 3P .
e.g. 3P; 2P; P 7! 5P .
e.g. 6P; 5P; P 7! 11P .
2M + 2S + 1D for DBL.
4M + 2S for DADD.
Save 1M if Z1 = 1.
Easily compute n(X1 : Z1) using
� lgn DBL, � lgn DADD.
Almost as fast as Edwards nP .
Relatively slow for mP + nQ etc.
![Page 108: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/108.jpg)
Montgomery curves
1987 Montgomery:
Use by2 = x3 + ax2 + x.
Choose small (a+ 2)=4.
2(x2; y2) = (x4; y4)
) x4 =(x2
2 � 1)2
4x2(x22 + ax2 + 1)
.
(x3; y3)� (x2; y2) = (x1; y1),
(x3; y3) + (x2; y2) = (x5; y5)
) x5 =(x2x3 � 1)2
x1(x2 � x3)2.
Represent (x; y)as (X:Z) satisfying x = X=Z.
B = (X2 + Z2)2,
C = (X2 � Z2)2,
D = B � C, X4 = B � C,
Z4 = D � (C +D(a+ 2)=4) )2(X2:Z2) = (X4:Z4).
(X3:Z3)� (X2:Z2) = (X1:Z1),
E = (X3 � Z3) � (X2 + Z2),
F = (X3 + Z3) � (X2 � Z2),
X5 = Z1 � (E + F )2,
Z5 = X1 � (E � F )2 )(X3:Z3) + (X2:Z2) = (X5:Z5).
This representation
does not allow ADD but it allows
DADD, “differential addition”:
Q;R;Q� R 7! Q+ R.
e.g. 2P; P; P 7! 3P .
e.g. 3P; 2P; P 7! 5P .
e.g. 6P; 5P; P 7! 11P .
2M + 2S + 1D for DBL.
4M + 2S for DADD.
Save 1M if Z1 = 1.
Easily compute n(X1 : Z1) using
� lgn DBL, � lgn DADD.
Almost as fast as Edwards nP .
Relatively slow for mP + nQ etc.
![Page 109: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/109.jpg)
Represent (x; y)as (X:Z) satisfying x = X=Z.
B = (X2 + Z2)2,
C = (X2 � Z2)2,
D = B � C, X4 = B � C,
Z4 = D � (C +D(a+ 2)=4) )2(X2:Z2) = (X4:Z4).
(X3:Z3)� (X2:Z2) = (X1:Z1),
E = (X3 � Z3) � (X2 + Z2),
F = (X3 + Z3) � (X2 � Z2),
X5 = Z1 � (E + F )2,
Z5 = X1 � (E � F )2 )(X3:Z3) + (X2:Z2) = (X5:Z5).
This representation
does not allow ADD but it allows
DADD, “differential addition”:
Q;R;Q� R 7! Q+ R.
e.g. 2P; P; P 7! 3P .
e.g. 3P; 2P; P 7! 5P .
e.g. 6P; 5P; P 7! 11P .
2M + 2S + 1D for DBL.
4M + 2S for DADD.
Save 1M if Z1 = 1.
Easily compute n(X1 : Z1) using
� lgn DBL, � lgn DADD.
Almost as fast as Edwards nP .
Relatively slow for mP + nQ etc.
![Page 110: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/110.jpg)
Represent (x; y)as (X:Z) satisfying x = X=Z.
B = (X2 + Z2)2,
C = (X2 � Z2)2,
D = B � C, X4 = B � C,
Z4 = D � (C +D(a+ 2)=4) )2(X2:Z2) = (X4:Z4).
(X3:Z3)� (X2:Z2) = (X1:Z1),
E = (X3 � Z3) � (X2 + Z2),
F = (X3 + Z3) � (X2 � Z2),
X5 = Z1 � (E + F )2,
Z5 = X1 � (E � F )2 )(X3:Z3) + (X2:Z2) = (X5:Z5).
This representation
does not allow ADD but it allows
DADD, “differential addition”:
Q;R;Q� R 7! Q+ R.
e.g. 2P; P; P 7! 3P .
e.g. 3P; 2P; P 7! 5P .
e.g. 6P; 5P; P 7! 11P .
2M + 2S + 1D for DBL.
4M + 2S for DADD.
Save 1M if Z1 = 1.
Easily compute n(X1 : Z1) using
� lgn DBL, � lgn DADD.
Almost as fast as Edwards nP .
Relatively slow for mP + nQ etc.
Doubling-oriented curves
2006 Doche–Icart–Kohel:
Use y2 = x3 + ax2 + 16ax.
Choose small a.Use (X : Y : Z : Z2)
to represent (X=Z; Y=Z2).
3M + 4S + 2D for DBL.
How? Factor DBL as '̂(')
where ' is a 2-isogeny.
2007 Bernstein–Lange:
2M + 5S + 2D for DBL
on the same curves.
![Page 111: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/111.jpg)
Represent (x; y)as (X:Z) satisfying x = X=Z.
B = (X2 + Z2)2,
C = (X2 � Z2)2,
D = B � C, X4 = B � C,
Z4 = D � (C +D(a+ 2)=4) )2(X2:Z2) = (X4:Z4).
(X3:Z3)� (X2:Z2) = (X1:Z1),
E = (X3 � Z3) � (X2 + Z2),
F = (X3 + Z3) � (X2 � Z2),
X5 = Z1 � (E + F )2,
Z5 = X1 � (E � F )2 )(X3:Z3) + (X2:Z2) = (X5:Z5).
This representation
does not allow ADD but it allows
DADD, “differential addition”:
Q;R;Q� R 7! Q+ R.
e.g. 2P; P; P 7! 3P .
e.g. 3P; 2P; P 7! 5P .
e.g. 6P; 5P; P 7! 11P .
2M + 2S + 1D for DBL.
4M + 2S for DADD.
Save 1M if Z1 = 1.
Easily compute n(X1 : Z1) using
� lgn DBL, � lgn DADD.
Almost as fast as Edwards nP .
Relatively slow for mP + nQ etc.
Doubling-oriented curves
2006 Doche–Icart–Kohel:
Use y2 = x3 + ax2 + 16ax.
Choose small a.Use (X : Y : Z : Z2)
to represent (X=Z; Y=Z2).
3M + 4S + 2D for DBL.
How? Factor DBL as '̂(')
where ' is a 2-isogeny.
2007 Bernstein–Lange:
2M + 5S + 2D for DBL
on the same curves.
![Page 112: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/112.jpg)
Represent (x; y)as (X:Z) satisfying x = X=Z.
B = (X2 + Z2)2,
C = (X2 � Z2)2,
D = B � C, X4 = B � C,
Z4 = D � (C +D(a+ 2)=4) )2(X2:Z2) = (X4:Z4).
(X3:Z3)� (X2:Z2) = (X1:Z1),
E = (X3 � Z3) � (X2 + Z2),
F = (X3 + Z3) � (X2 � Z2),
X5 = Z1 � (E + F )2,
Z5 = X1 � (E � F )2 )(X3:Z3) + (X2:Z2) = (X5:Z5).
This representation
does not allow ADD but it allows
DADD, “differential addition”:
Q;R;Q� R 7! Q+ R.
e.g. 2P; P; P 7! 3P .
e.g. 3P; 2P; P 7! 5P .
e.g. 6P; 5P; P 7! 11P .
2M + 2S + 1D for DBL.
4M + 2S for DADD.
Save 1M if Z1 = 1.
Easily compute n(X1 : Z1) using
� lgn DBL, � lgn DADD.
Almost as fast as Edwards nP .
Relatively slow for mP + nQ etc.
Doubling-oriented curves
2006 Doche–Icart–Kohel:
Use y2 = x3 + ax2 + 16ax.
Choose small a.Use (X : Y : Z : Z2)
to represent (X=Z; Y=Z2).
3M + 4S + 2D for DBL.
How? Factor DBL as '̂(')
where ' is a 2-isogeny.
2007 Bernstein–Lange:
2M + 5S + 2D for DBL
on the same curves.
![Page 113: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/113.jpg)
This representation
does not allow ADD but it allows
DADD, “differential addition”:
Q;R;Q� R 7! Q+ R.
e.g. 2P; P; P 7! 3P .
e.g. 3P; 2P; P 7! 5P .
e.g. 6P; 5P; P 7! 11P .
2M + 2S + 1D for DBL.
4M + 2S for DADD.
Save 1M if Z1 = 1.
Easily compute n(X1 : Z1) using
� lgn DBL, � lgn DADD.
Almost as fast as Edwards nP .
Relatively slow for mP + nQ etc.
Doubling-oriented curves
2006 Doche–Icart–Kohel:
Use y2 = x3 + ax2 + 16ax.
Choose small a.Use (X : Y : Z : Z2)
to represent (X=Z; Y=Z2).
3M + 4S + 2D for DBL.
How? Factor DBL as '̂(')
where ' is a 2-isogeny.
2007 Bernstein–Lange:
2M + 5S + 2D for DBL
on the same curves.
![Page 114: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/114.jpg)
This representation
does not allow ADD but it allows
DADD, “differential addition”:
Q;R;Q� R 7! Q+ R.
e.g. 2P; P; P 7! 3P .
e.g. 3P; 2P; P 7! 5P .
e.g. 6P; 5P; P 7! 11P .
2M + 2S + 1D for DBL.
4M + 2S for DADD.
Save 1M if Z1 = 1.
Easily compute n(X1 : Z1) using
� lgn DBL, � lgn DADD.
Almost as fast as Edwards nP .
Relatively slow for mP + nQ etc.
Doubling-oriented curves
2006 Doche–Icart–Kohel:
Use y2 = x3 + ax2 + 16ax.
Choose small a.Use (X : Y : Z : Z2)
to represent (X=Z; Y=Z2).
3M + 4S + 2D for DBL.
How? Factor DBL as '̂(')
where ' is a 2-isogeny.
2007 Bernstein–Lange:
2M + 5S + 2D for DBL
on the same curves.
12M + 5S + 1D for ADD.
Slower ADD than other systems,
typically outweighing benefit
of the very fast DBL.
But isogenies are useful.
Example, 2005 Gaudry:
fast DBL+DADD on Jacobians of
genus-2 hyperelliptic curves,
using similar factorization.
Tricky but potentially helpful:
tripling-oriented curves
(see 2006 Doche–Icart–Kohel),
double-base chains, : : :
![Page 115: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/115.jpg)
This representation
does not allow ADD but it allows
DADD, “differential addition”:
Q;R;Q� R 7! Q+ R.
e.g. 2P; P; P 7! 3P .
e.g. 3P; 2P; P 7! 5P .
e.g. 6P; 5P; P 7! 11P .
2M + 2S + 1D for DBL.
4M + 2S for DADD.
Save 1M if Z1 = 1.
Easily compute n(X1 : Z1) using
� lgn DBL, � lgn DADD.
Almost as fast as Edwards nP .
Relatively slow for mP + nQ etc.
Doubling-oriented curves
2006 Doche–Icart–Kohel:
Use y2 = x3 + ax2 + 16ax.
Choose small a.Use (X : Y : Z : Z2)
to represent (X=Z; Y=Z2).
3M + 4S + 2D for DBL.
How? Factor DBL as '̂(')
where ' is a 2-isogeny.
2007 Bernstein–Lange:
2M + 5S + 2D for DBL
on the same curves.
12M + 5S + 1D for ADD.
Slower ADD than other systems,
typically outweighing benefit
of the very fast DBL.
But isogenies are useful.
Example, 2005 Gaudry:
fast DBL+DADD on Jacobians of
genus-2 hyperelliptic curves,
using similar factorization.
Tricky but potentially helpful:
tripling-oriented curves
(see 2006 Doche–Icart–Kohel),
double-base chains, : : :
![Page 116: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/116.jpg)
This representation
does not allow ADD but it allows
DADD, “differential addition”:
Q;R;Q� R 7! Q+ R.
e.g. 2P; P; P 7! 3P .
e.g. 3P; 2P; P 7! 5P .
e.g. 6P; 5P; P 7! 11P .
2M + 2S + 1D for DBL.
4M + 2S for DADD.
Save 1M if Z1 = 1.
Easily compute n(X1 : Z1) using
� lgn DBL, � lgn DADD.
Almost as fast as Edwards nP .
Relatively slow for mP + nQ etc.
Doubling-oriented curves
2006 Doche–Icart–Kohel:
Use y2 = x3 + ax2 + 16ax.
Choose small a.Use (X : Y : Z : Z2)
to represent (X=Z; Y=Z2).
3M + 4S + 2D for DBL.
How? Factor DBL as '̂(')
where ' is a 2-isogeny.
2007 Bernstein–Lange:
2M + 5S + 2D for DBL
on the same curves.
12M + 5S + 1D for ADD.
Slower ADD than other systems,
typically outweighing benefit
of the very fast DBL.
But isogenies are useful.
Example, 2005 Gaudry:
fast DBL+DADD on Jacobians of
genus-2 hyperelliptic curves,
using similar factorization.
Tricky but potentially helpful:
tripling-oriented curves
(see 2006 Doche–Icart–Kohel),
double-base chains, : : :
![Page 117: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/117.jpg)
Doubling-oriented curves
2006 Doche–Icart–Kohel:
Use y2 = x3 + ax2 + 16ax.
Choose small a.Use (X : Y : Z : Z2)
to represent (X=Z; Y=Z2).
3M + 4S + 2D for DBL.
How? Factor DBL as '̂(')
where ' is a 2-isogeny.
2007 Bernstein–Lange:
2M + 5S + 2D for DBL
on the same curves.
12M + 5S + 1D for ADD.
Slower ADD than other systems,
typically outweighing benefit
of the very fast DBL.
But isogenies are useful.
Example, 2005 Gaudry:
fast DBL+DADD on Jacobians of
genus-2 hyperelliptic curves,
using similar factorization.
Tricky but potentially helpful:
tripling-oriented curves
(see 2006 Doche–Icart–Kohel),
double-base chains, : : :
![Page 118: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/118.jpg)
Doubling-oriented curves
2006 Doche–Icart–Kohel:
Use y2 = x3 + ax2 + 16ax.
Choose small a.Use (X : Y : Z : Z2)
to represent (X=Z; Y=Z2).
3M + 4S + 2D for DBL.
How? Factor DBL as '̂(')
where ' is a 2-isogeny.
2007 Bernstein–Lange:
2M + 5S + 2D for DBL
on the same curves.
12M + 5S + 1D for ADD.
Slower ADD than other systems,
typically outweighing benefit
of the very fast DBL.
But isogenies are useful.
Example, 2005 Gaudry:
fast DBL+DADD on Jacobians of
genus-2 hyperelliptic curves,
using similar factorization.
Tricky but potentially helpful:
tripling-oriented curves
(see 2006 Doche–Icart–Kohel),
double-base chains, : : :
Hessian curves
Credited to Sylvester
by 1986 Chudnovsky–Chudnovsky:
(X : Y : Z) represent (X=Z; Y=Z)
on x3 + y3 + 1 = 3dxy.12M for ADD:
X3 = Y1X2 � Y1Z2 � Z1Y2 �X1Y2,
Y3 = X1Z2 �X1Y2 � Y1X2 � Z1X2,
Z3 = Z1Y2 � Z1X2 �X1Z2 � Y1Z2.
6M + 3S for DBL.
![Page 119: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/119.jpg)
Doubling-oriented curves
2006 Doche–Icart–Kohel:
Use y2 = x3 + ax2 + 16ax.
Choose small a.Use (X : Y : Z : Z2)
to represent (X=Z; Y=Z2).
3M + 4S + 2D for DBL.
How? Factor DBL as '̂(')
where ' is a 2-isogeny.
2007 Bernstein–Lange:
2M + 5S + 2D for DBL
on the same curves.
12M + 5S + 1D for ADD.
Slower ADD than other systems,
typically outweighing benefit
of the very fast DBL.
But isogenies are useful.
Example, 2005 Gaudry:
fast DBL+DADD on Jacobians of
genus-2 hyperelliptic curves,
using similar factorization.
Tricky but potentially helpful:
tripling-oriented curves
(see 2006 Doche–Icart–Kohel),
double-base chains, : : :
Hessian curves
Credited to Sylvester
by 1986 Chudnovsky–Chudnovsky:
(X : Y : Z) represent (X=Z; Y=Z)
on x3 + y3 + 1 = 3dxy.12M for ADD:
X3 = Y1X2 � Y1Z2 � Z1Y2 �X1Y2,
Y3 = X1Z2 �X1Y2 � Y1X2 � Z1X2,
Z3 = Z1Y2 � Z1X2 �X1Z2 � Y1Z2.
6M + 3S for DBL.
![Page 120: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/120.jpg)
Doubling-oriented curves
2006 Doche–Icart–Kohel:
Use y2 = x3 + ax2 + 16ax.
Choose small a.Use (X : Y : Z : Z2)
to represent (X=Z; Y=Z2).
3M + 4S + 2D for DBL.
How? Factor DBL as '̂(')
where ' is a 2-isogeny.
2007 Bernstein–Lange:
2M + 5S + 2D for DBL
on the same curves.
12M + 5S + 1D for ADD.
Slower ADD than other systems,
typically outweighing benefit
of the very fast DBL.
But isogenies are useful.
Example, 2005 Gaudry:
fast DBL+DADD on Jacobians of
genus-2 hyperelliptic curves,
using similar factorization.
Tricky but potentially helpful:
tripling-oriented curves
(see 2006 Doche–Icart–Kohel),
double-base chains, : : :
Hessian curves
Credited to Sylvester
by 1986 Chudnovsky–Chudnovsky:
(X : Y : Z) represent (X=Z; Y=Z)
on x3 + y3 + 1 = 3dxy.12M for ADD:
X3 = Y1X2 � Y1Z2 � Z1Y2 �X1Y2,
Y3 = X1Z2 �X1Y2 � Y1X2 � Z1X2,
Z3 = Z1Y2 � Z1X2 �X1Z2 � Y1Z2.
6M + 3S for DBL.
![Page 121: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/121.jpg)
12M + 5S + 1D for ADD.
Slower ADD than other systems,
typically outweighing benefit
of the very fast DBL.
But isogenies are useful.
Example, 2005 Gaudry:
fast DBL+DADD on Jacobians of
genus-2 hyperelliptic curves,
using similar factorization.
Tricky but potentially helpful:
tripling-oriented curves
(see 2006 Doche–Icart–Kohel),
double-base chains, : : :
Hessian curves
Credited to Sylvester
by 1986 Chudnovsky–Chudnovsky:
(X : Y : Z) represent (X=Z; Y=Z)
on x3 + y3 + 1 = 3dxy.12M for ADD:
X3 = Y1X2 � Y1Z2 � Z1Y2 �X1Y2,
Y3 = X1Z2 �X1Y2 � Y1X2 � Z1X2,
Z3 = Z1Y2 � Z1X2 �X1Z2 � Y1Z2.
6M + 3S for DBL.
![Page 122: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/122.jpg)
12M + 5S + 1D for ADD.
Slower ADD than other systems,
typically outweighing benefit
of the very fast DBL.
But isogenies are useful.
Example, 2005 Gaudry:
fast DBL+DADD on Jacobians of
genus-2 hyperelliptic curves,
using similar factorization.
Tricky but potentially helpful:
tripling-oriented curves
(see 2006 Doche–Icart–Kohel),
double-base chains, : : :
Hessian curves
Credited to Sylvester
by 1986 Chudnovsky–Chudnovsky:
(X : Y : Z) represent (X=Z; Y=Z)
on x3 + y3 + 1 = 3dxy.12M for ADD:
X3 = Y1X2 � Y1Z2 � Z1Y2 �X1Y2,
Y3 = X1Z2 �X1Y2 � Y1X2 � Z1X2,
Z3 = Z1Y2 � Z1X2 �X1Z2 � Y1Z2.
6M + 3S for DBL.
2001 Joye–Quisquater:
2(X1 : Y1 : Z1) =
(Z1 : X1 : Y1) + (Y1 : Z1 : X1)
so can use ADD to double.
“Unified addition formulas,”
helpful against side channels.
But not strongly unified:
need to permute inputs.
2008.02 Hisil–Wong–Carter–Dawson:
(X : Y : Z : X2 : Y 2 : Z2
: 2XY : 2XZ : 2Y Z).
6M + 6S for ADD.
3M + 6S for DBL.
![Page 123: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/123.jpg)
12M + 5S + 1D for ADD.
Slower ADD than other systems,
typically outweighing benefit
of the very fast DBL.
But isogenies are useful.
Example, 2005 Gaudry:
fast DBL+DADD on Jacobians of
genus-2 hyperelliptic curves,
using similar factorization.
Tricky but potentially helpful:
tripling-oriented curves
(see 2006 Doche–Icart–Kohel),
double-base chains, : : :
Hessian curves
Credited to Sylvester
by 1986 Chudnovsky–Chudnovsky:
(X : Y : Z) represent (X=Z; Y=Z)
on x3 + y3 + 1 = 3dxy.12M for ADD:
X3 = Y1X2 � Y1Z2 � Z1Y2 �X1Y2,
Y3 = X1Z2 �X1Y2 � Y1X2 � Z1X2,
Z3 = Z1Y2 � Z1X2 �X1Z2 � Y1Z2.
6M + 3S for DBL.
2001 Joye–Quisquater:
2(X1 : Y1 : Z1) =
(Z1 : X1 : Y1) + (Y1 : Z1 : X1)
so can use ADD to double.
“Unified addition formulas,”
helpful against side channels.
But not strongly unified:
need to permute inputs.
2008.02 Hisil–Wong–Carter–Dawson:
(X : Y : Z : X2 : Y 2 : Z2
: 2XY : 2XZ : 2Y Z).
6M + 6S for ADD.
3M + 6S for DBL.
![Page 124: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/124.jpg)
12M + 5S + 1D for ADD.
Slower ADD than other systems,
typically outweighing benefit
of the very fast DBL.
But isogenies are useful.
Example, 2005 Gaudry:
fast DBL+DADD on Jacobians of
genus-2 hyperelliptic curves,
using similar factorization.
Tricky but potentially helpful:
tripling-oriented curves
(see 2006 Doche–Icart–Kohel),
double-base chains, : : :
Hessian curves
Credited to Sylvester
by 1986 Chudnovsky–Chudnovsky:
(X : Y : Z) represent (X=Z; Y=Z)
on x3 + y3 + 1 = 3dxy.12M for ADD:
X3 = Y1X2 � Y1Z2 � Z1Y2 �X1Y2,
Y3 = X1Z2 �X1Y2 � Y1X2 � Z1X2,
Z3 = Z1Y2 � Z1X2 �X1Z2 � Y1Z2.
6M + 3S for DBL.
2001 Joye–Quisquater:
2(X1 : Y1 : Z1) =
(Z1 : X1 : Y1) + (Y1 : Z1 : X1)
so can use ADD to double.
“Unified addition formulas,”
helpful against side channels.
But not strongly unified:
need to permute inputs.
2008.02 Hisil–Wong–Carter–Dawson:
(X : Y : Z : X2 : Y 2 : Z2
: 2XY : 2XZ : 2Y Z).
6M + 6S for ADD.
3M + 6S for DBL.
![Page 125: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/125.jpg)
Hessian curves
Credited to Sylvester
by 1986 Chudnovsky–Chudnovsky:
(X : Y : Z) represent (X=Z; Y=Z)
on x3 + y3 + 1 = 3dxy.12M for ADD:
X3 = Y1X2 � Y1Z2 � Z1Y2 �X1Y2,
Y3 = X1Z2 �X1Y2 � Y1X2 � Z1X2,
Z3 = Z1Y2 � Z1X2 �X1Z2 � Y1Z2.
6M + 3S for DBL.
2001 Joye–Quisquater:
2(X1 : Y1 : Z1) =
(Z1 : X1 : Y1) + (Y1 : Z1 : X1)
so can use ADD to double.
“Unified addition formulas,”
helpful against side channels.
But not strongly unified:
need to permute inputs.
2008.02 Hisil–Wong–Carter–Dawson:
(X : Y : Z : X2 : Y 2 : Z2
: 2XY : 2XZ : 2Y Z).
6M + 6S for ADD.
3M + 6S for DBL.
![Page 126: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/126.jpg)
Hessian curves
Credited to Sylvester
by 1986 Chudnovsky–Chudnovsky:
(X : Y : Z) represent (X=Z; Y=Z)
on x3 + y3 + 1 = 3dxy.12M for ADD:
X3 = Y1X2 � Y1Z2 � Z1Y2 �X1Y2,
Y3 = X1Z2 �X1Y2 � Y1X2 � Z1X2,
Z3 = Z1Y2 � Z1X2 �X1Z2 � Y1Z2.
6M + 3S for DBL.
2001 Joye–Quisquater:
2(X1 : Y1 : Z1) =
(Z1 : X1 : Y1) + (Y1 : Z1 : X1)
so can use ADD to double.
“Unified addition formulas,”
helpful against side channels.
But not strongly unified:
need to permute inputs.
2008.02 Hisil–Wong–Carter–Dawson:
(X : Y : Z : X2 : Y 2 : Z2
: 2XY : 2XZ : 2Y Z).
6M + 6S for ADD.
3M + 6S for DBL.
x3 � y3 + 1 = 0:3xy
![Page 127: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/127.jpg)
Hessian curves
Credited to Sylvester
by 1986 Chudnovsky–Chudnovsky:
(X : Y : Z) represent (X=Z; Y=Z)
on x3 + y3 + 1 = 3dxy.12M for ADD:
X3 = Y1X2 � Y1Z2 � Z1Y2 �X1Y2,
Y3 = X1Z2 �X1Y2 � Y1X2 � Z1X2,
Z3 = Z1Y2 � Z1X2 �X1Z2 � Y1Z2.
6M + 3S for DBL.
2001 Joye–Quisquater:
2(X1 : Y1 : Z1) =
(Z1 : X1 : Y1) + (Y1 : Z1 : X1)
so can use ADD to double.
“Unified addition formulas,”
helpful against side channels.
But not strongly unified:
need to permute inputs.
2008.02 Hisil–Wong–Carter–Dawson:
(X : Y : Z : X2 : Y 2 : Z2
: 2XY : 2XZ : 2Y Z).
6M + 6S for ADD.
3M + 6S for DBL.
x3 � y3 + 1 = 0:3xy
![Page 128: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/128.jpg)
Hessian curves
Credited to Sylvester
by 1986 Chudnovsky–Chudnovsky:
(X : Y : Z) represent (X=Z; Y=Z)
on x3 + y3 + 1 = 3dxy.12M for ADD:
X3 = Y1X2 � Y1Z2 � Z1Y2 �X1Y2,
Y3 = X1Z2 �X1Y2 � Y1X2 � Z1X2,
Z3 = Z1Y2 � Z1X2 �X1Z2 � Y1Z2.
6M + 3S for DBL.
2001 Joye–Quisquater:
2(X1 : Y1 : Z1) =
(Z1 : X1 : Y1) + (Y1 : Z1 : X1)
so can use ADD to double.
“Unified addition formulas,”
helpful against side channels.
But not strongly unified:
need to permute inputs.
2008.02 Hisil–Wong–Carter–Dawson:
(X : Y : Z : X2 : Y 2 : Z2
: 2XY : 2XZ : 2Y Z).
6M + 6S for ADD.
3M + 6S for DBL.
x3 � y3 + 1 = 0:3xy
![Page 129: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/129.jpg)
2001 Joye–Quisquater:
2(X1 : Y1 : Z1) =
(Z1 : X1 : Y1) + (Y1 : Z1 : X1)
so can use ADD to double.
“Unified addition formulas,”
helpful against side channels.
But not strongly unified:
need to permute inputs.
2008.02 Hisil–Wong–Carter–Dawson:
(X : Y : Z : X2 : Y 2 : Z2
: 2XY : 2XZ : 2Y Z).
6M + 6S for ADD.
3M + 6S for DBL.
x3 � y3 + 1 = 0:3xy
![Page 130: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/130.jpg)
2001 Joye–Quisquater:
2(X1 : Y1 : Z1) =
(Z1 : X1 : Y1) + (Y1 : Z1 : X1)
so can use ADD to double.
“Unified addition formulas,”
helpful against side channels.
But not strongly unified:
need to permute inputs.
2008.02 Hisil–Wong–Carter–Dawson:
(X : Y : Z : X2 : Y 2 : Z2
: 2XY : 2XZ : 2Y Z).
6M + 6S for ADD.
3M + 6S for DBL.
x3 � y3 + 1 = 0:3xy
![Page 131: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/131.jpg)
2001 Joye–Quisquater:
2(X1 : Y1 : Z1) =
(Z1 : X1 : Y1) + (Y1 : Z1 : X1)
so can use ADD to double.
“Unified addition formulas,”
helpful against side channels.
But not strongly unified:
need to permute inputs.
2008.02 Hisil–Wong–Carter–Dawson:
(X : Y : Z : X2 : Y 2 : Z2
: 2XY : 2XZ : 2Y Z).
6M + 6S for ADD.
3M + 6S for DBL.
x3 � y3 + 1 = 0:3xy
![Page 132: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/132.jpg)
2001 Joye–Quisquater:
2(X1 : Y1 : Z1) =
(Z1 : X1 : Y1) + (Y1 : Z1 : X1)
so can use ADD to double.
“Unified addition formulas,”
helpful against side channels.
But not strongly unified:
need to permute inputs.
2008.02 Hisil–Wong–Carter–Dawson:
(X : Y : Z : X2 : Y 2 : Z2
: 2XY : 2XZ : 2Y Z).
6M + 6S for ADD.
3M + 6S for DBL.
x3 � y3 + 1 = 0:3xy
![Page 133: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/133.jpg)
x3 � y3 + 1 = 0:3xy
![Page 134: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/134.jpg)
x3 � y3 + 1 = 0:3xy
Jacobi intersections
1986 Chudnovsky–Chudnovsky:
(S : C : D : Z) represent
(S=Z; C=Z;D=Z) on
s2 + 2 = 1, as2 + d2 = 1.
14M + 2S + 1D for ADD.
“Tremendous advantage”
of being strongly unified.
5M + 3S for DBL.
“Perhaps (?) : : : the most
efficient duplication formulas
which do not depend on the
coefficients of an elliptic curve.”
![Page 135: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/135.jpg)
x3 � y3 + 1 = 0:3xy
Jacobi intersections
1986 Chudnovsky–Chudnovsky:
(S : C : D : Z) represent
(S=Z; C=Z;D=Z) on
s2 + 2 = 1, as2 + d2 = 1.
14M + 2S + 1D for ADD.
“Tremendous advantage”
of being strongly unified.
5M + 3S for DBL.
“Perhaps (?) : : : the most
efficient duplication formulas
which do not depend on the
coefficients of an elliptic curve.”
![Page 136: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/136.jpg)
x3 � y3 + 1 = 0:3xy
Jacobi intersections
1986 Chudnovsky–Chudnovsky:
(S : C : D : Z) represent
(S=Z; C=Z;D=Z) on
s2 + 2 = 1, as2 + d2 = 1.
14M + 2S + 1D for ADD.
“Tremendous advantage”
of being strongly unified.
5M + 3S for DBL.
“Perhaps (?) : : : the most
efficient duplication formulas
which do not depend on the
coefficients of an elliptic curve.”
![Page 137: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/137.jpg)
Jacobi intersections
1986 Chudnovsky–Chudnovsky:
(S : C : D : Z) represent
(S=Z; C=Z;D=Z) on
s2 + 2 = 1, as2 + d2 = 1.
14M + 2S + 1D for ADD.
“Tremendous advantage”
of being strongly unified.
5M + 3S for DBL.
“Perhaps (?) : : : the most
efficient duplication formulas
which do not depend on the
coefficients of an elliptic curve.”
![Page 138: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/138.jpg)
Jacobi intersections
1986 Chudnovsky–Chudnovsky:
(S : C : D : Z) represent
(S=Z; C=Z;D=Z) on
s2 + 2 = 1, as2 + d2 = 1.
14M + 2S + 1D for ADD.
“Tremendous advantage”
of being strongly unified.
5M + 3S for DBL.
“Perhaps (?) : : : the most
efficient duplication formulas
which do not depend on the
coefficients of an elliptic curve.”
2001 Liardet–Smart:
13M + 2S + 1D for ADD.
4M + 3S for DBL.
2007 Bernstein–Lange:
3M + 4S for DBL.
2008.02 Hisil–Wong–Carter–Dawson:
13M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Also (S : C : D : Z : SC : DZ):
11M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
![Page 139: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/139.jpg)
Jacobi intersections
1986 Chudnovsky–Chudnovsky:
(S : C : D : Z) represent
(S=Z; C=Z;D=Z) on
s2 + 2 = 1, as2 + d2 = 1.
14M + 2S + 1D for ADD.
“Tremendous advantage”
of being strongly unified.
5M + 3S for DBL.
“Perhaps (?) : : : the most
efficient duplication formulas
which do not depend on the
coefficients of an elliptic curve.”
2001 Liardet–Smart:
13M + 2S + 1D for ADD.
4M + 3S for DBL.
2007 Bernstein–Lange:
3M + 4S for DBL.
2008.02 Hisil–Wong–Carter–Dawson:
13M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Also (S : C : D : Z : SC : DZ):
11M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
![Page 140: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/140.jpg)
Jacobi intersections
1986 Chudnovsky–Chudnovsky:
(S : C : D : Z) represent
(S=Z; C=Z;D=Z) on
s2 + 2 = 1, as2 + d2 = 1.
14M + 2S + 1D for ADD.
“Tremendous advantage”
of being strongly unified.
5M + 3S for DBL.
“Perhaps (?) : : : the most
efficient duplication formulas
which do not depend on the
coefficients of an elliptic curve.”
2001 Liardet–Smart:
13M + 2S + 1D for ADD.
4M + 3S for DBL.
2007 Bernstein–Lange:
3M + 4S for DBL.
2008.02 Hisil–Wong–Carter–Dawson:
13M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Also (S : C : D : Z : SC : DZ):
11M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
![Page 141: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/141.jpg)
Jacobi intersections
1986 Chudnovsky–Chudnovsky:
(S : C : D : Z) represent
(S=Z; C=Z;D=Z) on
s2 + 2 = 1, as2 + d2 = 1.
14M + 2S + 1D for ADD.
“Tremendous advantage”
of being strongly unified.
5M + 3S for DBL.
“Perhaps (?) : : : the most
efficient duplication formulas
which do not depend on the
coefficients of an elliptic curve.”
2001 Liardet–Smart:
13M + 2S + 1D for ADD.
4M + 3S for DBL.
2007 Bernstein–Lange:
3M + 4S for DBL.
2008.02 Hisil–Wong–Carter–Dawson:
13M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Also (S : C : D : Z : SC : DZ):
11M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
![Page 142: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/142.jpg)
Jacobi intersections
1986 Chudnovsky–Chudnovsky:
(S : C : D : Z) represent
(S=Z; C=Z;D=Z) on
s2 + 2 = 1, as2 + d2 = 1.
14M + 2S + 1D for ADD.
“Tremendous advantage”
of being strongly unified.
5M + 3S for DBL.
“Perhaps (?) : : : the most
efficient duplication formulas
which do not depend on the
coefficients of an elliptic curve.”
2001 Liardet–Smart:
13M + 2S + 1D for ADD.
4M + 3S for DBL.
2007 Bernstein–Lange:
3M + 4S for DBL.
2008.02 Hisil–Wong–Carter–Dawson:
13M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Also (S : C : D : Z : SC : DZ):
11M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Jacobi quartics
(X:Y :Z) represent (X=Z; Y=Z2)
on y2 = x4 + 2ax2 + 1.
1986 Chudnovsky–Chudnovsky:
3M + 6S + 2D for DBL.
Slow ADD.
2002 Billet–Joye:
New choice of neutral element.
10M + 3S + 1D for ADD,
strongly unified.
2007 Bernstein–Lange:
1M + 9S + 1D for DBL.
![Page 143: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/143.jpg)
Jacobi intersections
1986 Chudnovsky–Chudnovsky:
(S : C : D : Z) represent
(S=Z; C=Z;D=Z) on
s2 + 2 = 1, as2 + d2 = 1.
14M + 2S + 1D for ADD.
“Tremendous advantage”
of being strongly unified.
5M + 3S for DBL.
“Perhaps (?) : : : the most
efficient duplication formulas
which do not depend on the
coefficients of an elliptic curve.”
2001 Liardet–Smart:
13M + 2S + 1D for ADD.
4M + 3S for DBL.
2007 Bernstein–Lange:
3M + 4S for DBL.
2008.02 Hisil–Wong–Carter–Dawson:
13M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Also (S : C : D : Z : SC : DZ):
11M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Jacobi quartics
(X:Y :Z) represent (X=Z; Y=Z2)
on y2 = x4 + 2ax2 + 1.
1986 Chudnovsky–Chudnovsky:
3M + 6S + 2D for DBL.
Slow ADD.
2002 Billet–Joye:
New choice of neutral element.
10M + 3S + 1D for ADD,
strongly unified.
2007 Bernstein–Lange:
1M + 9S + 1D for DBL.
![Page 144: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/144.jpg)
Jacobi intersections
1986 Chudnovsky–Chudnovsky:
(S : C : D : Z) represent
(S=Z; C=Z;D=Z) on
s2 + 2 = 1, as2 + d2 = 1.
14M + 2S + 1D for ADD.
“Tremendous advantage”
of being strongly unified.
5M + 3S for DBL.
“Perhaps (?) : : : the most
efficient duplication formulas
which do not depend on the
coefficients of an elliptic curve.”
2001 Liardet–Smart:
13M + 2S + 1D for ADD.
4M + 3S for DBL.
2007 Bernstein–Lange:
3M + 4S for DBL.
2008.02 Hisil–Wong–Carter–Dawson:
13M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Also (S : C : D : Z : SC : DZ):
11M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Jacobi quartics
(X:Y :Z) represent (X=Z; Y=Z2)
on y2 = x4 + 2ax2 + 1.
1986 Chudnovsky–Chudnovsky:
3M + 6S + 2D for DBL.
Slow ADD.
2002 Billet–Joye:
New choice of neutral element.
10M + 3S + 1D for ADD,
strongly unified.
2007 Bernstein–Lange:
1M + 9S + 1D for DBL.
![Page 145: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/145.jpg)
2001 Liardet–Smart:
13M + 2S + 1D for ADD.
4M + 3S for DBL.
2007 Bernstein–Lange:
3M + 4S for DBL.
2008.02 Hisil–Wong–Carter–Dawson:
13M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Also (S : C : D : Z : SC : DZ):
11M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Jacobi quartics
(X:Y :Z) represent (X=Z; Y=Z2)
on y2 = x4 + 2ax2 + 1.
1986 Chudnovsky–Chudnovsky:
3M + 6S + 2D for DBL.
Slow ADD.
2002 Billet–Joye:
New choice of neutral element.
10M + 3S + 1D for ADD,
strongly unified.
2007 Bernstein–Lange:
1M + 9S + 1D for DBL.
![Page 146: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/146.jpg)
2001 Liardet–Smart:
13M + 2S + 1D for ADD.
4M + 3S for DBL.
2007 Bernstein–Lange:
3M + 4S for DBL.
2008.02 Hisil–Wong–Carter–Dawson:
13M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Also (S : C : D : Z : SC : DZ):
11M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Jacobi quartics
(X:Y :Z) represent (X=Z; Y=Z2)
on y2 = x4 + 2ax2 + 1.
1986 Chudnovsky–Chudnovsky:
3M + 6S + 2D for DBL.
Slow ADD.
2002 Billet–Joye:
New choice of neutral element.
10M + 3S + 1D for ADD,
strongly unified.
2007 Bernstein–Lange:
1M + 9S + 1D for DBL.
2007 Hisil–Carter–Dawson:
2M + 6S + 2D for DBL.
2007 Feng–Wu:
2M + 6S + 1D for DBL.
1M + 7S + 3D for DBL
on curves chosen with a2+ 2 = 1.
More speedups: 2007 Duquesne,
2007 Hisil–Carter–Dawson,
2008.02 Hisil–Wong–Carter–Dawson:
use (X : Y : Z : X2 : Z2)
or (X : Y : Z : X2 : Z2 : 2XZ).
Can combine with Feng–Wu.
Competitive with Edwards!
![Page 147: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/147.jpg)
2001 Liardet–Smart:
13M + 2S + 1D for ADD.
4M + 3S for DBL.
2007 Bernstein–Lange:
3M + 4S for DBL.
2008.02 Hisil–Wong–Carter–Dawson:
13M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Also (S : C : D : Z : SC : DZ):
11M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Jacobi quartics
(X:Y :Z) represent (X=Z; Y=Z2)
on y2 = x4 + 2ax2 + 1.
1986 Chudnovsky–Chudnovsky:
3M + 6S + 2D for DBL.
Slow ADD.
2002 Billet–Joye:
New choice of neutral element.
10M + 3S + 1D for ADD,
strongly unified.
2007 Bernstein–Lange:
1M + 9S + 1D for DBL.
2007 Hisil–Carter–Dawson:
2M + 6S + 2D for DBL.
2007 Feng–Wu:
2M + 6S + 1D for DBL.
1M + 7S + 3D for DBL
on curves chosen with a2+ 2 = 1.
More speedups: 2007 Duquesne,
2007 Hisil–Carter–Dawson,
2008.02 Hisil–Wong–Carter–Dawson:
use (X : Y : Z : X2 : Z2)
or (X : Y : Z : X2 : Z2 : 2XZ).
Can combine with Feng–Wu.
Competitive with Edwards!
![Page 148: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/148.jpg)
2001 Liardet–Smart:
13M + 2S + 1D for ADD.
4M + 3S for DBL.
2007 Bernstein–Lange:
3M + 4S for DBL.
2008.02 Hisil–Wong–Carter–Dawson:
13M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Also (S : C : D : Z : SC : DZ):
11M + 1S + 2D for ADD.
2M + 5S + 1D for DBL.
Jacobi quartics
(X:Y :Z) represent (X=Z; Y=Z2)
on y2 = x4 + 2ax2 + 1.
1986 Chudnovsky–Chudnovsky:
3M + 6S + 2D for DBL.
Slow ADD.
2002 Billet–Joye:
New choice of neutral element.
10M + 3S + 1D for ADD,
strongly unified.
2007 Bernstein–Lange:
1M + 9S + 1D for DBL.
2007 Hisil–Carter–Dawson:
2M + 6S + 2D for DBL.
2007 Feng–Wu:
2M + 6S + 1D for DBL.
1M + 7S + 3D for DBL
on curves chosen with a2+ 2 = 1.
More speedups: 2007 Duquesne,
2007 Hisil–Carter–Dawson,
2008.02 Hisil–Wong–Carter–Dawson:
use (X : Y : Z : X2 : Z2)
or (X : Y : Z : X2 : Z2 : 2XZ).
Can combine with Feng–Wu.
Competitive with Edwards!
![Page 149: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/149.jpg)
Jacobi quartics
(X:Y :Z) represent (X=Z; Y=Z2)
on y2 = x4 + 2ax2 + 1.
1986 Chudnovsky–Chudnovsky:
3M + 6S + 2D for DBL.
Slow ADD.
2002 Billet–Joye:
New choice of neutral element.
10M + 3S + 1D for ADD,
strongly unified.
2007 Bernstein–Lange:
1M + 9S + 1D for DBL.
2007 Hisil–Carter–Dawson:
2M + 6S + 2D for DBL.
2007 Feng–Wu:
2M + 6S + 1D for DBL.
1M + 7S + 3D for DBL
on curves chosen with a2+ 2 = 1.
More speedups: 2007 Duquesne,
2007 Hisil–Carter–Dawson,
2008.02 Hisil–Wong–Carter–Dawson:
use (X : Y : Z : X2 : Z2)
or (X : Y : Z : X2 : Z2 : 2XZ).
Can combine with Feng–Wu.
Competitive with Edwards!
![Page 150: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/150.jpg)
Jacobi quartics
(X:Y :Z) represent (X=Z; Y=Z2)
on y2 = x4 + 2ax2 + 1.
1986 Chudnovsky–Chudnovsky:
3M + 6S + 2D for DBL.
Slow ADD.
2002 Billet–Joye:
New choice of neutral element.
10M + 3S + 1D for ADD,
strongly unified.
2007 Bernstein–Lange:
1M + 9S + 1D for DBL.
2007 Hisil–Carter–Dawson:
2M + 6S + 2D for DBL.
2007 Feng–Wu:
2M + 6S + 1D for DBL.
1M + 7S + 3D for DBL
on curves chosen with a2+ 2 = 1.
More speedups: 2007 Duquesne,
2007 Hisil–Carter–Dawson,
2008.02 Hisil–Wong–Carter–Dawson:
use (X : Y : Z : X2 : Z2)
or (X : Y : Z : X2 : Z2 : 2XZ).
Can combine with Feng–Wu.
Competitive with Edwards!
x2 = y4 � 1:9y2 + 1
![Page 151: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/151.jpg)
Jacobi quartics
(X:Y :Z) represent (X=Z; Y=Z2)
on y2 = x4 + 2ax2 + 1.
1986 Chudnovsky–Chudnovsky:
3M + 6S + 2D for DBL.
Slow ADD.
2002 Billet–Joye:
New choice of neutral element.
10M + 3S + 1D for ADD,
strongly unified.
2007 Bernstein–Lange:
1M + 9S + 1D for DBL.
2007 Hisil–Carter–Dawson:
2M + 6S + 2D for DBL.
2007 Feng–Wu:
2M + 6S + 1D for DBL.
1M + 7S + 3D for DBL
on curves chosen with a2+ 2 = 1.
More speedups: 2007 Duquesne,
2007 Hisil–Carter–Dawson,
2008.02 Hisil–Wong–Carter–Dawson:
use (X : Y : Z : X2 : Z2)
or (X : Y : Z : X2 : Z2 : 2XZ).
Can combine with Feng–Wu.
Competitive with Edwards!
x2 = y4 � 1:9y2 + 1
![Page 152: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/152.jpg)
Jacobi quartics
(X:Y :Z) represent (X=Z; Y=Z2)
on y2 = x4 + 2ax2 + 1.
1986 Chudnovsky–Chudnovsky:
3M + 6S + 2D for DBL.
Slow ADD.
2002 Billet–Joye:
New choice of neutral element.
10M + 3S + 1D for ADD,
strongly unified.
2007 Bernstein–Lange:
1M + 9S + 1D for DBL.
2007 Hisil–Carter–Dawson:
2M + 6S + 2D for DBL.
2007 Feng–Wu:
2M + 6S + 1D for DBL.
1M + 7S + 3D for DBL
on curves chosen with a2+ 2 = 1.
More speedups: 2007 Duquesne,
2007 Hisil–Carter–Dawson,
2008.02 Hisil–Wong–Carter–Dawson:
use (X : Y : Z : X2 : Z2)
or (X : Y : Z : X2 : Z2 : 2XZ).
Can combine with Feng–Wu.
Competitive with Edwards!
x2 = y4 � 1:9y2 + 1
![Page 153: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/153.jpg)
2007 Hisil–Carter–Dawson:
2M + 6S + 2D for DBL.
2007 Feng–Wu:
2M + 6S + 1D for DBL.
1M + 7S + 3D for DBL
on curves chosen with a2+ 2 = 1.
More speedups: 2007 Duquesne,
2007 Hisil–Carter–Dawson,
2008.02 Hisil–Wong–Carter–Dawson:
use (X : Y : Z : X2 : Z2)
or (X : Y : Z : X2 : Z2 : 2XZ).
Can combine with Feng–Wu.
Competitive with Edwards!
x2 = y4 � 1:9y2 + 1
![Page 154: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/154.jpg)
2007 Hisil–Carter–Dawson:
2M + 6S + 2D for DBL.
2007 Feng–Wu:
2M + 6S + 1D for DBL.
1M + 7S + 3D for DBL
on curves chosen with a2+ 2 = 1.
More speedups: 2007 Duquesne,
2007 Hisil–Carter–Dawson,
2008.02 Hisil–Wong–Carter–Dawson:
use (X : Y : Z : X2 : Z2)
or (X : Y : Z : X2 : Z2 : 2XZ).
Can combine with Feng–Wu.
Competitive with Edwards!
x2 = y4 � 1:9y2 + 1
![Page 155: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/155.jpg)
2007 Hisil–Carter–Dawson:
2M + 6S + 2D for DBL.
2007 Feng–Wu:
2M + 6S + 1D for DBL.
1M + 7S + 3D for DBL
on curves chosen with a2+ 2 = 1.
More speedups: 2007 Duquesne,
2007 Hisil–Carter–Dawson,
2008.02 Hisil–Wong–Carter–Dawson:
use (X : Y : Z : X2 : Z2)
or (X : Y : Z : X2 : Z2 : 2XZ).
Can combine with Feng–Wu.
Competitive with Edwards!
x2 = y4 � 1:9y2 + 1
![Page 156: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/156.jpg)
2007 Hisil–Carter–Dawson:
2M + 6S + 2D for DBL.
2007 Feng–Wu:
2M + 6S + 1D for DBL.
1M + 7S + 3D for DBL
on curves chosen with a2+ 2 = 1.
More speedups: 2007 Duquesne,
2007 Hisil–Carter–Dawson,
2008.02 Hisil–Wong–Carter–Dawson:
use (X : Y : Z : X2 : Z2)
or (X : Y : Z : X2 : Z2 : 2XZ).
Can combine with Feng–Wu.
Competitive with Edwards!
x2 = y4 � 1:9y2 + 1
![Page 157: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/157.jpg)
x2 = y4 � 1:9y2 + 1
![Page 158: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/158.jpg)
x2 = y4 � 1:9y2 + 1
![Page 159: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/159.jpg)
x2 = y4 � 1:9y2 + 1
![Page 160: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/160.jpg)
x2 = y4 � 1:9y2 + 1
![Page 161: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/161.jpg)
![Page 162: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/162.jpg)
![Page 163: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/163.jpg)
![Page 164: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/164.jpg)
![Page 165: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/165.jpg)
![Page 166: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/166.jpg)
![Page 167: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/167.jpg)
![Page 168: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/168.jpg)
![Page 169: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/169.jpg)
![Page 170: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/170.jpg)
![Page 171: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/171.jpg)
![Page 172: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/172.jpg)
![Page 173: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/173.jpg)
![Page 174: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/174.jpg)
![Page 175: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/175.jpg)
![Page 176: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/176.jpg)
![Page 177: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/177.jpg)
![Page 178: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/178.jpg)
For more information
Explicit-Formulas Database,
joint work with Tanja Lange:
hyperelliptic.org/EFD
EFD has 316 computer-verified
formulas and operation counts
for ADD, DBL, etc.
in 22 representations
on 8 shapes of elliptic curves.
Not yet handled by computer:
generality of curve shapes
(e.g., Hessian order 2 3Z);
complete addition algorithms
(e.g., checking for 1).
![Page 179: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/179.jpg)
For more information
Explicit-Formulas Database,
joint work with Tanja Lange:
hyperelliptic.org/EFD
EFD has 316 computer-verified
formulas and operation counts
for ADD, DBL, etc.
in 22 representations
on 8 shapes of elliptic curves.
Not yet handled by computer:
generality of curve shapes
(e.g., Hessian order 2 3Z);
complete addition algorithms
(e.g., checking for 1).
![Page 180: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/180.jpg)
For more information
Explicit-Formulas Database,
joint work with Tanja Lange:
hyperelliptic.org/EFD
EFD has 316 computer-verified
formulas and operation counts
for ADD, DBL, etc.
in 22 representations
on 8 shapes of elliptic curves.
Not yet handled by computer:
generality of curve shapes
(e.g., Hessian order 2 3Z);
complete addition algorithms
(e.g., checking for 1).
![Page 181: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/181.jpg)
For more information
Explicit-Formulas Database,
joint work with Tanja Lange:
hyperelliptic.org/EFD
EFD has 316 computer-verified
formulas and operation counts
for ADD, DBL, etc.
in 22 representations
on 8 shapes of elliptic curves.
Not yet handled by computer:
generality of curve shapes
(e.g., Hessian order 2 3Z);
complete addition algorithms
(e.g., checking for 1).
![Page 182: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/182.jpg)
For more information
Explicit-Formulas Database,
joint work with Tanja Lange:
hyperelliptic.org/EFD
EFD has 316 computer-verified
formulas and operation counts
for ADD, DBL, etc.
in 22 representations
on 8 shapes of elliptic curves.
Not yet handled by computer:
generality of curve shapes
(e.g., Hessian order 2 3Z);
complete addition algorithms
(e.g., checking for 1).
Can do similar survey
for elliptic curves over
fields of characteristic 2.
Latest EFD updates now include
characteristic-2 formulas!
Currently 102 computer-verified
formulas and operation counts
for ADD, DBL, etc.
in 16 representations
on 2 shapes (binary Edwards
and short Weierstrass) of
ordinary binary elliptic curves.
![Page 183: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/183.jpg)
For more information
Explicit-Formulas Database,
joint work with Tanja Lange:
hyperelliptic.org/EFD
EFD has 316 computer-verified
formulas and operation counts
for ADD, DBL, etc.
in 22 representations
on 8 shapes of elliptic curves.
Not yet handled by computer:
generality of curve shapes
(e.g., Hessian order 2 3Z);
complete addition algorithms
(e.g., checking for 1).
Can do similar survey
for elliptic curves over
fields of characteristic 2.
Latest EFD updates now include
characteristic-2 formulas!
Currently 102 computer-verified
formulas and operation counts
for ADD, DBL, etc.
in 16 representations
on 2 shapes (binary Edwards
and short Weierstrass) of
ordinary binary elliptic curves.
![Page 184: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/184.jpg)
For more information
Explicit-Formulas Database,
joint work with Tanja Lange:
hyperelliptic.org/EFD
EFD has 316 computer-verified
formulas and operation counts
for ADD, DBL, etc.
in 22 representations
on 8 shapes of elliptic curves.
Not yet handled by computer:
generality of curve shapes
(e.g., Hessian order 2 3Z);
complete addition algorithms
(e.g., checking for 1).
Can do similar survey
for elliptic curves over
fields of characteristic 2.
Latest EFD updates now include
characteristic-2 formulas!
Currently 102 computer-verified
formulas and operation counts
for ADD, DBL, etc.
in 16 representations
on 2 shapes (binary Edwards
and short Weierstrass) of
ordinary binary elliptic curves.
![Page 185: cr.yp.tocr.yp.to/talks/2008.09.17/slides-twopage.pdf · Fast arithmetic on elliptic curves D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985)](https://reader035.fdocuments.in/reader035/viewer/2022081406/5f11c75e94548d45fc65215c/html5/thumbnails/185.jpg)
For more information
Explicit-Formulas Database,
joint work with Tanja Lange:
hyperelliptic.org/EFD
EFD has 316 computer-verified
formulas and operation counts
for ADD, DBL, etc.
in 22 representations
on 8 shapes of elliptic curves.
Not yet handled by computer:
generality of curve shapes
(e.g., Hessian order 2 3Z);
complete addition algorithms
(e.g., checking for 1).
Can do similar survey
for elliptic curves over
fields of characteristic 2.
Latest EFD updates now include
characteristic-2 formulas!
Currently 102 computer-verified
formulas and operation counts
for ADD, DBL, etc.
in 16 representations
on 2 shapes (binary Edwards
and short Weierstrass) of
ordinary binary elliptic curves.