DOCSLIB.ORG

Generation of Twisted Edwards Elliptic Curves for Circuit Use

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Generation of Twisted Edwards Elliptic Curves for Circuit Use Community Standard Proposal Generation of twisted Edwards elliptic curves for circuit use Barry WhiteHat1, Jordi Baylina2, and Marta Bell´es2,3 1Ethereum foundation, 2iden3, 3Universitat Pompeu Fabra May 16, 2019 Contents 1 Scope 2 2 Motivation 2 3 Background and Terminology 2 3.1 Montgomery form.................................................2 3.2 Twisted Edwards form...............................................3 4 Generation of twisted Edwards and Montgomery elliptic curves3 4.1 Choice of Montgomery equation..........................................4 4.2 Choice of generator and base points.......................................4 4.3 Transformation to twisted Edwards........................................4 4.4 Optimisation of parameters............................................5 5 Safety criteria 5 6 Implementations 6 7 Example: Baby Jubjub 6 7.1 Arithmetic In Baby Jubjub............................................6 7.1.1 Addition Of Points.............................................7 7.1.2 Multiplication Of A Point Of E By A Scalar..............................7 8 Intellectual Property 8 References 8 A Generation of curves 10 B Safety criteria 11 C Generation of Baby Jubjub 19 1 1 Scope algorithm for checking its security. The algorithms have already been implemented and tested: in ZCash, the new This proposal defines a deterministic algorithm for gener- curve derived from the order of BLS12-381, is called Jub- ating twisted Edwards elliptic curves defined over a given jub [10], and in Ethereum, the adopted curve is called prime field. It also provides an algorithm for checking the Baby Jubjub [19]. safety of the curve against best known security attacks. Although the generation of other types of curves, such Additionally, we present an example that puts theory as pairing-friendly and prime order curves, is out of scope into practice: we detail the generation of the twisted Ed- of this proposal, we hope the procedures of generating wards curve Baby Jubjub and explain how the arithmetic them get standardised and available to the community of the curve can be efficiently implemented inside a circuit. soon. 2 Motivation 3 Background and Terminology The study of pairing-friendly elliptic curves and the effi- In this section we present the main definitions needed cient implementation of cryptographic functions inside cir- to understand the document. We restrict the concepts cuits has reached a lot of popularity since the appearance and results to elliptic curves defined over a prime finite of zero-knowledge protocols such as zkSNARKs [15,7]. In field. For general results about elliptic curves see [17] and blockchain community these protocols have become a cru- [16] (this second book requires high mathematical back- cial ingredient, not only in privacy aspects but also as a ground). The following table contains the notation used solution to scalability problems. across the document. Inside a SNARK circuit one deals with elements of a certain finite field Fp where p is determined by the order of certain pairing-friendly elliptic curve used to generate the zero-knowledge proof. If one wants to implement func- tions involving elliptic curves inside a SNARK, such as the Pedersen hash function [10, Sec. 5.4.1.7] or EdDSA [11], a new curve defined over Fp is needed. Choosing this new curve in twisted Edwards [2] or Montgomery form [14] seems the optimal choice for cir- cuit use, as addition in the first case has a single complete formula and in the second, operating is very efficient. As we will see later, twisted Edwards and Montgomery curves are birationally equivalent, which allows as to easily com- bine both forms inside a circuit. It is important that the generation of this new curve is done in a transparent and deterministic way, so that it is clear no external considerations are taken for defining it. This is paramount as it significantly reduces the possi- bility of a backdoor being present, thus leading to better security. Moreover, it is crucial that the new curve is also safe against best known attacks [6]. In this proposal we cover both aspects. We provide 3.1 Montgomery form and algorithm that given a prime number p, determinis- tically generates a Montgomery and a birationally equiv- In this part we define and describe elliptic curves in Mont- alent twisted Edwards curve defined over Fp and also an gomery form. We follow [14] and [2]. 2 Definition 3.1 (Montgomery curve). Let p ≥ 3 be a Theorem 3.5. Let P1 = (x1; y1) and P2 = (x2; y2) be prime and Fp the finite field of order p. For A 2 Fp\{−2; 2g points a twisted Edwards elliptic curve E. The sum P1+P2 and B 2 Fpnf0g, an elliptic curve defined by is a third point P3 = (x3; y3) with M 2 3 2 E : By = x + Ax + x λ = dx1x2y1y2; x3 = (x1y2 + y1x2)=(1 + λ); is called a Montgomery (elliptic) curve. y3 = (y1y2 − x1x2)=(1 − λ): The following theorem presents the addition formulas in Montgomery curves. Note that the neutral element is the point O = (0; 1) and the inverse of a point (x; y) is (−x; y). Theorem 3.2. Let P1 = (x1; y1) 6= O and P2 = (x2; y2) 6= O be two points of the Baby-JubJub elliptic curve EM in Proof. [4, Sec. 3]. Montgomery form. If P1 6= P2, then the sum P1 + P2 is a third point As the following theorem states, Montgomery and P3 = (x3; y3) with coordinates twisted Edwards curves are birationally equivalent. The theorem also gives the birational map that allows the Λ = (y2 − y1)=(x2 − x1); transformation from one form to the other. 2 x3 = BΛ − A − x1 − x2; (1) Theorem 3.6. Every twisted Edwards curve E over Fp y3 = Λ(x1 − x3) − y1: is birationally equivalent over Fp to a Montgomery curve EM with parameters If P1 = P2, then 2 · P1 is a point P3 = (x3; y3) with coor- dinates a + d 4 A = 2 and B = : 2 a − d a − d Λ = (3x1 + 2Ax1 + 1)=(2By1); 2 M x3 = BΛ − A − 2x1; (2) The birational equivalence form E to E is the map y3 = Λ(x1 − x3) − y1: 1 + y 1 + y (x; y) ! (u; v) = ; 1 − y (1 − y)x Proof. See [12]. with inverse Theorem 3.3. The order of a Montgomery curve is a multiple of 4. u u − 1 (u; v) ! (x; y) = ; : (3) v u + 1 Proof. See [14, Sec. 10.3.2]. Conversely, every Montgomery curve over Fp is bira- 3.2 Twisted Edwards form tionally equivalent over Fp to a twisted Edwards curve with In this section we describe twisted Edwards curves follow- parameters ing the definition and results from [2]. A + 2 A − 2 a = and d = : Definition 3.4 (Twisted Edwards curve). Let p ≥ 3 be B B a prime and Fp the finite field of order p. For distinct Proof. See [2, Thm. 3.2]. a; b 2 Fpnf0g, an elliptic curve defined by E : ax2 + y2 = 1 + dx2y2 4 Generation of twisted Edwards is called a twisted Edwards (elliptic) curve. and Montgomery elliptic curves As next theorem shows, twisted Edwards curves have We present a method that, given a prime number p, we complete addition formulas. This makes these curves very get a twisted Edwards curve defined over Fp. The specific efficient inside circuits. outputs of the algorithm are: 3 • The prime order of the finite field the curve is defined a prime congruent to 3 mod 4, both the curve and twist over (which is the input p). cofactors can be 4, and this is minimal. • Parameters a and d of the equation that defines the Algorithm 1: Generation of EM curve. Input: p Output: A, B, n, h, l • Order of the curve and its decomposition into the 1 Fix B = 1. product of a cofactor and a large prime. 2 Start with A = 3. • Generator and base points. 3 Check that (A − 2) 6= 0 mod 4. Otherwise, increment A by 1 and check this condition again. 2 3 2 As the finite field is defined by the input p, no spec- 4 Check that the equation y = x + Ax + x ification of this parameter is required. In the same way, defines an elliptic curve over Fp. Otherwise, the order of the curve and its decomposition is determined increment A by 1 and go back to step 3. once the parameters of the equation describing the curve 5 Compute the group order n. are fixed. Hence, the only remaining specifications are pa- 6 If p = 1 mod 4 : Check that the cofactor is 8 rameters a and d and the choice of a generator and a base and the cofactor of the twist is 4. Otherwise, point. increment A by 1 and go back to step 3. We have divided the procedure in four steps. We 7 If p = 3 mod 4 : Check that the cofactor of the start by deterministically generating a Montgomery ellip- curve and its twist is 4. Otherwise, increment A M tic curve E over Fp and then setting the generator and by 1 and go back to step 3. base points. Afterwards, we convert the curve and the 8 Compute l. points to twisted Edwards using theorem 3.6. Last step 9 Return A, B, n, h and l. consists on rescaling all parameters so that less operations are required when doing arithmetic in the curve [8]. All 4.2 Choice of generator and base points algorithms are implemented in appendixA. To pick a generator G0 of the curve, we choose the small- 4.1 Choice of Montgomery equation est element of Fp that corresponds to an x-coordinate of a point in the curve of order n. Then as a base point, we We start by finding a Montgomery curve defined over Fp define G1 = 8 · G0, which has order l.
Load more

Recommended publications
  • Elliptic Curve Arithmetic for Cryptography
    Elliptic Curve Arithmetic for Cryptography Srinivasa Rao Subramanya Rao August 2017 A Thesis submitted for the degree of Doctor of Philosophy of The Australian National University c Copyright by Srinivasa Rao Subramanya Rao 2017 All Rights Reserved Declaration I confirm that this thesis is a result of my own work, except as cited in the references. I also confirm that I have not previously submitted any part of this work for the purposes of an award of any degree or diploma from any University. Srinivasa Rao Subramanya Rao March 2017. Previously Published Content During the course of research contributing to this thesis, the following papers were published by the author of this thesis. This PhD thesis contains material from these papers: 1. Srinivasa Rao Subramanya Rao, A Note on Schoenmakers Algorithm for Multi Exponentiation, 12th International Conference on Security and Cryptography (Colmar, France), Proceedings of SECRYPT 2015, pages 384-391. 2. Srinivasa Rao Subramanya Rao, Interesting Results Arising from Karatsuba Multiplication - Montgomery family of formulae, in Proceedings of Sixth International Conference on Computer and Communication Technology 2015 (Allahabad, India), pages 317-322. 3. Srinivasa Rao Subramanya Rao, Three Dimensional Montgomery Ladder, Differential Point Tripling on Montgomery Curves and Point Quintupling on Weierstrass' and Edwards Curves, 8th International Conference on Cryptology in Africa, Proceedings of AFRICACRYPT 2016, (Fes, Morocco), LNCS 9646, Springer, pages 84-106. 4. Srinivasa Rao Subramanya Rao, Differential Addition in Edwards Coordinates Revisited and a Short Note on Doubling in Twisted Edwards Form, 13th International Conference on Security and Cryptography (Lisbon, Portugal), Proceedings of SECRYPT 2016, pages 336-343 and 5.
    [Show full text]
  • The Complete Cost of Cofactor H = 1
    The complete cost of cofactor h = 1 Peter Schwabe and Daan Sprenkels Radboud University, Digital Security Group, P.O. Box 9010, 6500 GL Nijmegen, The Netherlands [email protected], [email protected] Abstract. This paper presents optimized software for constant-time variable-base scalar multiplication on prime-order Weierstraß curves us- ing the complete addition and doubling formulas presented by Renes, Costello, and Batina in 2016. Our software targets three different mi- croarchitectures: Intel Sandy Bridge, Intel Haswell, and ARM Cortex- M4. We use a 255-bit elliptic curve over F2255−19 that was proposed by Barreto in 2017. The reason for choosing this curve in our software is that it allows most meaningful comparison of our results with optimized software for Curve25519. The goal of this comparison is to get an under- standing of the cost of using cofactor-one curves with complete formulas when compared to widely used Montgomery (or twisted Edwards) curves that inherently have a non-trivial cofactor. Keywords: Elliptic Curve Cryptography · SIMD · Curve25519 · scalar multiplication · prime-field arithmetic · cofactor security 1 Introduction Since its invention in 1985, independently by Koblitz [34] and Miller [38], elliptic- curve cryptography (ECC) has widely been accepted as the state of the art in asymmetric cryptography. This success story is mainly due to the fact that attacks have not substantially improved: with a choice of elliptic curve that was in the 80s already considered conservative, the best attack for solving the elliptic- curve discrete-logarithm problem is still the generic Pollard-rho algorithm (with minor speedups, for example by exploiting the efficiently computable negation map in elliptic-curve groups [14]).
    [Show full text]
  • Montgomery Curves and the Montgomery Ladder
    Montgomery curves and the Montgomery ladder Daniel J. Bernstein and Tanja Lange Technische Universiteit Eindhoven, The Netherlands University of Illinois at Chicago, USA Abstract. The Montgomery ladder is a remarkably simple method of computing scalar multiples of points on a broad class of elliptic curves. This article surveys a wide range of topics related to the Montgomery ladder, both from the historical perspective of Weierstrass curves and from the modern perspective of Edwards curves. New material includes a full proof of a complete constant-time ladder algorithm suitable for cryptographic applications. This article is planned to appear as Chapter 4 of the book Topics in Com- putational Number Theory inspired by Peter L. Montgomery, edited by Joppe W. Bos and Arjen K. Lenstra. Two cross-references are to de- scriptions of ECM in FFT extension for algebraic-group factorization algorithms, by Richard P. Brent, Alexander Kruppa, and Paul Zimmer- mann, which is planned to appear as Chapter 9 of the same book. Author list in alphabetical order; see https://www.ams.org/profession/ leaders/culture/CultureStatement04.pdf. This work was supported by the Commission of the European Communities through the Horizon 2020 program under project ICT-645421 (ECRYPT-CSA), by the U.S. National Sci- ence Foundation under grants 1018836 and 1314919, and by the Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005. “Any opinions, findings, and conclusions or recommendations expressed in this ma- terial are those of the author(s) and do not necessarily reflect the views of the National Science Foundation” (or other funding agencies).
    [Show full text]
  • 18.783 S17 Elliptic Curves Lecture 11: Index Calculus, Smooth Numbers, Factoring Integers
    18.783 Elliptic Curves Spring 2017 Lecture #11 03/15/2017 11 Index calculus, smooth numbers, and factoring integers Having explored generic algorithms for the discrete logarithm problem in some detail, we now consider a non-generic algorithm that uses index calculus. 1 This algorithm depends critically on the distribution of smooth numbers (integers with small prime factors), which naturally leads to a discussion of two algorithms for factoring integers that also depend on smooth numbers: the Pollard p − 1 method and the elliptic curve method (ECM). 11.1 Index calculus Index calculus is a method for computing discrete logarithms in the multiplicative group of a finite field. This might not seem directly relevant to the elliptic curve discrete logarithm problem, but aswe shall see whenwe discuss pairing-based cryptography, thesetwo problems are not unrelated. Moreover, the same approach can be applied to elliptic curves over non- prime finite fields, as well as abelian varieties of higher dimension [7, 8, 9].2 We will restrict our attention to the simplest case, a finite field of prime order p. Let us identify Fp ' Z=pZ with our usual choice of representatives for Z=pZ, integers in the interval [0;N], with N = p − 1. This innocent looking statement is precisely what will allow us to “cheat”, that is, to do something that a generic algorithm cannot. It lets us lift elements of Fp ' Z=pZ to the ring Z where we may consider their prime factorizations, something that makes no sense in a multiplicative group (every element is a unit) and is not available to a generic algorithm.
    [Show full text]
  • Twisted Edwards Curves
    Twisted Edwards Curves Daniel J. Bernstein1, Peter Birkner2, Marc Joye3, Tanja Lange2, and Christiane Peters2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at Chicago, Chicago, IL 60607–7045, USA [email protected] 2 Department of Mathematics and Computer Science Technische Universiteit Eindhoven, P.O. Box 513, 5600 MB Eindhoven, Netherlands [email protected], [email protected], [email protected] 3 Thomson R&D France Technology Group, Corporate Research, Security Laboratory 1 avenue de Belle Fontaine, 35576 Cesson-S´evign´eCedex, France [email protected] Abstract. This paper introduces “twisted Edwards curves,” a general- ization of the recently introduced Edwards curves; shows that twisted Edwards curves include more curves over finite fields, and in particular every elliptic curve in Montgomery form; shows how to cover even more curves via isogenies; presents fast explicit formulas for twisted Edwards curves in projective and inverted coordinates; and shows that twisted Edwards curves save time for many curves that were already expressible as Edwards curves. Keywords: Elliptic curves, Edwards curves, twisted Edwards curves, Montgomery curves, isogenies. 1 Introduction Edwards in [13], generalizing an example from Euler and Gauss, introduced an addition law for the curves x2 + y2 = c2(1 + x2y2) over a non-binary field k. Edwards showed that every elliptic curve over k can be expressed in the form x2 + y2 = c2(1 + x2y2) if k is algebraically closed. However, over a finite field, only a small fraction of elliptic curves can be expressed in this form. Bernstein and Lange in [4] presented fast explicit formulas for addition and doubling in coordinates (X : Y : Z) representing (x, y) = (X/Z, Y/Z) on an Edwards curve, and showed that these explicit formulas save time in elliptic- curve cryptography.
    [Show full text]
  • Isomorphism Classes of Edwards Curves Over Finite Fields
    Isomorphism classes of Edwards curves over finite fields Reza Rezaeian Farashahi Department of Computing Macquarie University Sydney, NSW 2109, Australia and Department of Mathematical Sciences Isfahan University of Technology P.O. Box 85145 Isfahan, Iran [email protected] Dustin Moody National Institute of Standards and Technology (NIST) 100 Bureau Drive, Gaithersburg, MD, 20899, USA [email protected] Hongfeng Wu College of Sciences North China University of Technology Beijing 100144, P.R. China [email protected] Abstract Edwards curves are an alternate model for elliptic curves, which have attracted notice in cryptography. We give exact formulas for the number of Fq-isomorphism classes of Edwards curves and twisted Ed­ wards curves. This answers a question recently asked by R. Farashahi and I. Shparlinski. 1 1 Introduction Elliptic curves have been an object of much study in mathematics. Recall that an elliptic curve is a smooth projective genus 1 curve, with a given rational point. The traditional model for an elliptic curve has been the Weierstrass equation 2 3 2 Y + a1XY + a3Y = X + a2X + a4X + a6; where the ai are elements in some field F. While other models for elliptic curves have long been known, in the past few years there has been renewed interest in these alternate models. This attention has primarily come from the cryptographic community. In 2007, Edwards proposed a new model for elliptic curves [10]. Let F be a field with characteristic p 6= 2. These original Edwards curves, defined over F, are given by the equation 2 2 2 2 2 EE;c : X + Y = c (1 + X Y ); (1) with c 2 F and c5 6= c.
    [Show full text]
  • Efficient Elliptic Curve Diffie-Hellman Computation at the 256-Bit Security
    Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level Kaushik Nath and Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B. T. Road Kolkata - 700108 India fkaushikn r,[email protected] Abstract In this paper we introduce new Montgomery and Edwards form elliptic curve targeted at the 506 510 256-bit security level. To this end, we work with three primes, namely p1 := 2 − 45, p2 = 2 − 75 521 and p3 := 2 − 1. While p3 has been considered earlier in the literature, p1 and p2 are new. We define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agree- ment protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over p1 leads to a 3%-4% slowdown and the new Montgomery curve over p2 leads to a 4:5%-5% slowdown; on the other hand, 29 and 30.5 extra bits of security respectively are gained. For designers aiming for the 256-bit security level, the new curves over p1 and p2 provide an acceptable trade-off between security and efficiency. Keywords: Elliptic curve cryptography, Elliptic curve Diffie-Hellman key agreement, Montgomery form, Edwards form, 256-bit security.
    [Show full text]
  • The Elliptic Curve Method and Other Integer Factorization Algorithms
    The Elliptic Curve Method and Other Integer Factorization Algorithms John Wright April 12, 2012 Contents 1 Introduction 2 2 Preliminaries 3 2.1 Greatest common divisors and modular arithmetic . 3 2.2 Basic definitions and theorems . 6 2.3 RSACryptosystem........................ 9 3 Factorization Algorithms 11 3.1 TheSieveofEratosthenes . 11 3.2 TrialDivision ........................... 12 3.3 Fermat’sLittleTheorem . 13 3.4 PseudoprimeTest......................... 14 3.5 StrongPseudoprimeTest . 16 3.6 AmethodofFermat ....................... 17 3.7 TheQuadraticSieve . 20 3.8 Pollard Rho Factorization Method . 22 4 Elliptic curves 24 4.1 Additiononanellipticcurve . 28 4.2 Reduction of elliptic curves defined modulo N ......... 31 4.3 Reduction of curves modulo p .................. 33 4.4 Lenstra’s Elliptic Curve Integer Factorization Method . 34 4.5 TheECMintheprojectiveplane . 36 5 Improving the Elliptic Curve Method 38 5.1 MontgomeryCurves . 38 5.2 Addition for elliptic curves in Montgomery form . 42 5.3 Montgomery multiplication . 47 5.4 Recentdevelopments . 49 5.5 Conclusion ............................ 50 1 Chapter 1 Introduction The Fundamental Theorem of Arithmetic, first proved by Gauss [2], states that every positive integer has a unique factorization into primes. That is, for every positive integer N, a1 a2 ak N = p1 p2 ...pk where the pi’s are distinct primes and each ai is a positive integer. This paper is motivated by a computational question: given an arbitrary integer N, how might we find a non-trivial factor of N? That is, a factor of N other than N and 1. ± ± While it is computationally easy to multiply numbers together, factor- ing a general integer is “generally believed to be hard” [4].
    [Show full text]
  • BINARY EDWARDS CURVES in ELLIPTIC CURVE CRYPTOGRAPHY by Graham Enos a Dissertation Submitted to the Faculty of the University Of
    BINARY EDWARDS CURVES IN ELLIPTIC CURVE CRYPTOGRAPHY by Graham Enos A dissertation submitted to the faculty of The University of North Carolina at Charlotte in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Applied Mathematics Charlotte 2013 Approved by: Dr. Yuliang Zheng Dr. Gabor Hetyei Dr. Thomas Lucas Dr. Evan Houston Dr. Shannon Schlueter ii ©2013 Graham Enos ALL RIGHTS RESERVED iii ABSTRACT GRAHAM ENOS. Binary edwards curves in elliptic curve cryptography. (Under the direction of DR. YULIANG ZHENG) Edwards curves are a new normal form for elliptic curves that exhibit some cryp- tographically desirable properties and advantages over the typical Weierstrass form. Because the group law on an Edwards curve (normal, twisted, or binary) is complete and unified, implementations can be safer from side channel or exceptional procedure attacks. The different types of Edwards provide a better platform for cryptographic primitives, since they have more security built into them from the mathematic foun- dation up. Of the three types of Edwards curves|original, twisted, and binary|there hasn't been as much work done on binary curves. We provide the necessary motivation and background, and then delve into the theory of binary Edwards curves. Next, we examine practical considerations that separate binary Edwards curves from other recently proposed normal forms. After that, we provide some of the theory for bi- nary curves that has been worked on for other types already: pairing computations. We next explore some applications of elliptic curve and pairing-based cryptography wherein the added security of binary Edwards curves may come in handy.
    [Show full text]
  • Two Kinds of Division Polynomials for Twisted Edwards Curves
    Two Kinds of Division Polynomials For Twisted Edwards Curves Richard Moloney and Gary McGuire∗ School of Mathematical Sciences University College Dublin Ireland Email: [email protected], [email protected] December 1, 2018 Abstract This paper presents two kinds of division polynomials for twisted Edwards curves. Their chief property is that they characterise the n-torsion points of a given twisted Edwards curve. We also present results concerning the coefficients of these polynomials, which may aid computation. 1 Introduction The famous last entry in the diary of Gauss concerns the curve with equation x2 + y2 + x2y2 = 1 (1) 2 3 and its rational points over Fp. This curve is related to the elliptic curve y = 4x − 4x. The idea of division polynomials on a curve with a group law on its points, is that we try to write down a formula for [n]P in terms of the coordinates of P , where [n]P denotes P added to itself n times under the group law. In this paper we shall give two distinct arXiv:0907.4347v1 [math.AG] 24 Jul 2009 solutions to this problem, in the general context of twisted Edwards curves, of which (1) is a special case. Edwards [5], generalising (1), introduced an addition law on the curves x2 + y2 = c2(1 + x2y2) for c ∈ k, where k is a field of characteristic not equal to 2. He showed that every elliptic curve over k is birationally equivalent (over some extension of k) to a curve of this form. ∗ Research supported by Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006, and Grant 07/RFP/MATF846, and the Irish Research Council for Science, Engineering and Technology 1 In [3], Bernstein and Lange generalised this addition law to the curves x2+y2 = 1+dx2y2 for d ∈ k \ {0, 1}.
    [Show full text]
  • Elliptic Curve Factorization Method (ECM), Introduced by Hendrik Lenstra [4], a Heuristically Subexponential Running
    18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring integers, we first present an older algorithm of Pollard that motivates the ECM approach. 12.1 Pollard p − 1 method In 1974, Pollard introduced a randomized (Monte Carlo) algorithm for factoring integers [6]. It makes use of a smoothness parameter B. Algorithm 12.1 (Pollard p − 1 factorization). Input: An integer N to be factored and a smoothness bound B. Output: A proper divisor of N or failure. 1. Pick a random integer a 2 [1;N − 1]. 2. If d = gcd(a; N) is not 1 then return d. 3. Set b = a and for each prime ` ≤ B: a. Set b = b`e mod N, where `e−1 < N ≤ `e. b. If d = gcd(b − 1;N) is not 1 then return d if d < N or failure if d = N. 4. Return failure Rather than using a fixed bound B, we could simply let the algorithm keep running through primes ` until it either succeeds or fails in step 3b. But in practice one typically uses a very small smoothness bound B and switches to a different algorithm if the p − 1 method fail. In any case, it is convenient to have B fixed for the purposes of analysis. Theorem 12.2. Let p and q be prime divisors of N, and let `p and `q be the largest prime divisors of p − 1 and q − 1, respectively.
    [Show full text]
  • Curves, Codes, and Cryptography Copyright C 2011 by Christiane Peters
    Curves, Codes, and Cryptography Copyright c 2011 by Christiane Peters. Printed by Printservice Technische Universiteit Eindhoven. Cover: Starfish found in Bouldin Creek, Austin, Texas. Fossils originate from the late Cretaceous, about 85 million years ago. Picture taken by Laura Hitt O’Connor at the Texas Natural Science Center, Austin, Texas. Design in cooperation with Verspaget & Bruinink. CIP-DATA LIBRARY TECHNISCHE UNIVERSITEIT EINDHOVEN Peters, Christiane Curves, Codes, and Cryptography / by Christiane Peters. – Eindhoven: Technische Universiteit Eindhoven, 2011. Proefschrift. – ISBN 978-90-386-2476-1 NUR 919 Subject heading: Cryptology 2000 Mathematics Subject Classification: 94A60, 11Y16, 11T71 Curves, Codes, and Cryptography PROEFSCHRIFT ter verkrijging van de graad van doctor aan de Technische Universiteit Eindhoven, op gezag van de rector magnificus, prof.dr.ir. C.J. van Duijn, voor een commissie aangewezen door het College voor Promoties in het openbaar te verdedigen op dinsdag 10 mei 2011 om 16.00 uur door Christiane Pascale Peters geboren te Paderborn, Duitsland Dit proefschrift is goedgekeurd door de promotoren: prof.dr. T. Lange en prof.dr. D.J. Bernstein Fur¨ meine Eltern Angelika und Jurgen¨ Peters Thanks I would like to thank many people for their support and company during my Ph.D. studies. First of all, I am most grateful to my supervisors Tanja Lange and Daniel J. Bernstein. I thank Tanja for giving me the opportunity to come to Eindhoven to do research and to get to know the (crypto) world. I thank Tanja and Dan for letting me participate in great projects such as working on Edwards curves in cryptographic and number-theoretic settings, and for helping me find my way into the world of code-based cryptography.
    [Show full text]