DOCSLIB.ORG

Tutorial of Twisted Edwards Curves in Elliptic Curve Cryptography Emilie Menard Barnard

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Tutorial of Twisted Edwards Curves in Elliptic Curve Cryptography Emilie Menard Barnard UC SANTA BARBARA, CS 290G, FALL 2015 1 Tutorial of Twisted Edwards Curves in Elliptic Curve Cryptography Emilie Menard Barnard Abstract| This is a tutorial of Twisted Edwards curves. III. Twisted Edwards Curves I plan to introduce them in comparison to Edwards curves, and review standard group law operations. I will then relate These Edwards curves are a specific kind of Twisted Ed- Twisted Edwards curves and Montgomery curves. I will also wards curves. That is, Twisted Edwards curves are a gen- introduce a projective and other popular coordinate systems for Twisted Edwards curves. In addition, I will compare and eralization of Edwards curves. Specifically, every Twisted contrast Twisted Edwards curves with Edwards curves, and Edwards curve is a quadratic twist of a corresponding Ed- briefly discuss the EdDSA application of Twisted Edwards wards curve[13]. A twist is defined as follows: curves. Lastly, I will present the latest research regarding Twisted Edwards curves and their applications. Definition 1: An elliptic curve E over field k has an asso- ciated quadratic twist when there is another elliptic curve which is isomorphic to E over an algebraic closure of k. I. Introduction Specifically, let E be an elliptic curve over a field k such Edwards curves are a family of elliptic curves often used that the field characteristic is not equal to 2 and E is of for cryptographic schemes. They exist over finite fields and the following form: are not only practically used in security measures, but also often studied for their mathematical properties. 2 3 2 y = x + a2x + a4x + a6 Twisted Edwards curves are a generalization of the more popular Edwards curves. These generalized curves are used Then, if d 6= 0, the quadratic twist of E is the curve Ed in important security schemes as well, and thus are also defined below: worth studying. In this paper, I will introduce Twisted Edwards curves y2 = x3 + da x2 + d2a x + d3a and provide sufficient background information so that one 2 4 6 may apply them in their future studies. d Moreover, the curvesp E and E are isomorphic over the II. Edwards Curves field extension k( d) [14]. Before discussing Twisted Edwards curves, I will briefly In general, a Twisted Edwards curve over the field k review the more commonly-known Edwards curves and (where the characteristic of k is no equal to 2) takes the their group law operations. following form: The original form of an Edwards curve, proposed by 2 2 2 2 Harold Edwards in 2007, is as follows [7]: ax + y = 1 + dx y (2) x2 + y2 = c2 + c2x2y2 with non-zeros a 6= d. It can be shown that eq. (2) is a quadratic twist of the Bernstein and Lange then presented a simpler form given following Edwards curve: below [9]: x2 + y2 = 1 + dx2y2 (1) x¯2 +y ¯2 = 1 + (d=a)¯x2y¯2 where d is a quadratic non-residue, that is, the congruence p x2 ≡ d (mod p) where the mapp (¯x; y¯) ! (x; y) = (¯x a; y¯) is an isomor- phism over k( a) [2]. for an integer 0 < x < p has no solution [15]. Note further that a Twisted Edwards curve is just an The zero or neutral element is (0; 1), meaning (x; y) ⊕ Edwards curve with a = 1: (0; 1) = (x; y) for all x; y. The inverse of (x; y) is given by 2 2 2 2 (−x; y). The addition law for two points P = (x1; y1) and ax + y = 1 + dx y eq. (2) Q = (x ; y ) on an Edwards curve is as follows: 2 2 1 · x2 + y2 = 1 + dx2y2 (let a = 1) x y + x y y y − x x 2 2 2 2 P ⊕ Q = 1 2 2 1 ; 1 2 1 2 x + y = 1 + dx y eq. (1) 1 + dx1x2y1y2 1 − dx1x2y1y2 Note that the resulting point P ⊕ Q is also a point on the IV. Group Law Operations Edwards curve [9]. Just like with Edwards curves, the zero or neutral ele- Author is with the Department of Computer Science, University of ment on a Twisted Edwards curve is (0; 1), and the inverse California, Santa Barbara, CA 93106. E-mail: [email protected] of point (x; y) is (−x; y) [13]. UC SANTA BARBARA, CS 290G, FALL 2015 2 A. Addition B. Doubling Let P = (x1; y1) and Q = (x2; y2) be two points on a We can derive a doubling formula for Twisted Edwards curve. Then the addition law is given [2]P = (x1; y1) ⊕ (x1; y1) from the addition formula given below [2]: by eq (3): x1y2 + y1x2 y1y2 − ax1x2 x1y2 + y1x2 y1y2 − ax1x2 P ⊕ Q = ; P ⊕ Q = ; (3) 1 + dx1x2y1y2 1 − dx1x2y1y2 1 + dx1x2y1y2 1 − dx1x2y1y2 x y + y x y y − ax x 2[P ] = 1 1 1 1 ; 1 1 1 1 For example, consider the following Twisted Edwards 1 + dx1x1y1y1 1 − dx1x1y1y1 curve with a = 3 and d = 2: 2x y y2 − ax2 = 1 1 ; 1 1 1 + dx2y2 1 − dx2y2 3x2 + y2 = 1 + 2x2y2 (4) 1 1 1 1 p This is equivalent to the following: Note that the point (1; 2) is on the curve. We can verify 2x y y2 − ax2 this by plugging the x and y values into eq (4): 1 1 1 1 2[P ] = 2 2 ; 2 2 (5) ax1 + y1 2 − ax1 − y1 2 2 2 2 p 3x + y = 1 + 2x y For example, consider doubling the point (1; 2) on the p p 3(1)2 + ( 2)2 =? 1 + 2(1)2( 2)2 curve given in eq. (4): ? 2x y y2 − ax2 3 · 1 + 2 = 1 + 2 · 1 · 2 2[P ] = 1 1 ; 1 1 ax2 + y2 2 − ax2 − y2 5 = 5 X 1 1 1 1 = (x ; y ) p 3 3 Similarly, we can also very that the point (1; − 2) is on =) the same curve: 2x y x = 1 1 3 ax2 + y2 3x2 + y2 = 1 + 2x2y2 1 p1 p p 2 · 1 · 2 2 2 ? 2 2 3(1) + (− 2) = 1 + 2(1) (− 2) = p 2 3 · 12 + 2 ? p 3 · 1 + 2 = 1 + 2 · 1 · 2 2 2 = 5 = 5 X 5 y2 − ax2 p p y = 1 1 Thus, we can use eq. (3) to find (1; 2) ⊕ (1; − 2): 2 2 2 2 − ax1 − y1 p 2 2 p p x1y2 + y1x2 y1y2 − ax1x2 2 − 3 · 1 (1; 2) ⊕ (1; − 2) = ; = p 2 2 1 + dx1x2y1y2 1 − dx1x2y1y2 2 − 3 · 1 − 2 −1 = (x3; y3) = =) −3 p p 1 1 · (− 2) + 1 · ( 2) = x3 = p p 3 1 + 2 · 1 · 1 · 2 · (− 2) p p Thus, [2](1; 2) = 2 2 ; 1 . Let's confirm that [2]P is 0 5 3 = 1 + 2 · (−2) indeed on the Twisted Edwards curve: = 0 3x2 + y2 = 1 + 2x2y2 p p p 2 p 2 2 · (− 2) − 3 · 1 · 1 ! 2 ! 2 2 2 1 ? 2 2 1 y3 = p p 3 + = 1 + 2 1 − 2 · 1 · 1 · 2 · (− 2) 5 3 5 3 −2 − 3 = 4 · 2 1 ? 4 · 2 1 1 − 2 · (−2) 3 + = 1 + 2 25 9 25 9 = −1 24 1 225 16 + =? + p p 25 9 225 255 Therefore, (1; 2)⊕(1; − 2) = (0; −1). We can also check 216 25 ? 241 that this point is on our curve given by eq. (4): + = 225 225 225 241 241 3x2 + y2 = 1 + 2x2y2 = 225 255 X 2 2 ? 2 2 3(0) + (−1) = 1 + 2(0) (−1) Therefore [2]P is on the Twisted Edwards curve, as ex- 1 = 1 X pected. UC SANTA BARBARA, CS 290G, FALL 2015 3 V. Twisted Edwards Curves and Montgomery C. Projective Coordinate System Curves An affine point (x; y) can also be considered in the pro- Twisted Edwards curves and Montgomery curves are jective coordinate system. X; Y and Z represent the x and closely related. First, I will provide a brief introduction y coordinates using the following rules: to Montgomery curves. Fix a field k with characteristic of k not equal to 2. Fix x = X=Z specific A; B 2 k. Then the following: y = Y=Z By2 = x3 + Ax2 + x The corresponding projective Twisted Edwards curve is of the form below: is a Montgomery curve [11]. It can be shown that every Twisted Edwards curve over (aX2 + Y 2)Z = Z4 + dX2Y 2 a field k is birationally equivalent over k to a Montgomery curve [2]. A birational equivalence is defined as follows: where Z 6= 0 [3]. Definition 2: Two varieties are said to be birationally Using the projective coordinate system, inversion costs equivalent if there exits a birational map between them, or can be avoided [13]. an isomorphism of their function fields as extensions of the base field. VII. Twisted Edwards Curves versus Edwards In the case of Twisted Edwards curves and Montgomery Curves curves, their rational function fields are isomorphic. Simi- In some cases, there are advantages to using Twisted Ed- larly, every Montgomery curve over k is birationally equiv- wards curves over Edwards curves. Even when a curve can alent over k to a Twisted Edwards curve. Thus, the set be expressed in the form of an Edwards curve, expressing of Montgomery curves over k is equivalent to the set of it as a Twisted Edwards curve oven saves arithmetic time. Twisted Edwards curves over k [2]. If you are free to choose the curve in your application, you can use this knowledge to your advantage to save time [2]. VI. Alternate Coordinate Systems Twisted Edwards curves also cover more elliptic curves There are various alternate coordinate systems in which than Edwards curves over fields over prime p where one can work with coordinates on a given Twisted Edwards p ≡ 1 (mod 4).
Load more

Recommended publications
  • Elliptic Curve Arithmetic for Cryptography
    Elliptic Curve Arithmetic for Cryptography Srinivasa Rao Subramanya Rao August 2017 A Thesis submitted for the degree of Doctor of Philosophy of The Australian National University c Copyright by Srinivasa Rao Subramanya Rao 2017 All Rights Reserved Declaration I confirm that this thesis is a result of my own work, except as cited in the references. I also confirm that I have not previously submitted any part of this work for the purposes of an award of any degree or diploma from any University. Srinivasa Rao Subramanya Rao March 2017. Previously Published Content During the course of research contributing to this thesis, the following papers were published by the author of this thesis. This PhD thesis contains material from these papers: 1. Srinivasa Rao Subramanya Rao, A Note on Schoenmakers Algorithm for Multi Exponentiation, 12th International Conference on Security and Cryptography (Colmar, France), Proceedings of SECRYPT 2015, pages 384-391. 2. Srinivasa Rao Subramanya Rao, Interesting Results Arising from Karatsuba Multiplication - Montgomery family of formulae, in Proceedings of Sixth International Conference on Computer and Communication Technology 2015 (Allahabad, India), pages 317-322. 3. Srinivasa Rao Subramanya Rao, Three Dimensional Montgomery Ladder, Differential Point Tripling on Montgomery Curves and Point Quintupling on Weierstrass' and Edwards Curves, 8th International Conference on Cryptology in Africa, Proceedings of AFRICACRYPT 2016, (Fes, Morocco), LNCS 9646, Springer, pages 84-106. 4. Srinivasa Rao Subramanya Rao, Differential Addition in Edwards Coordinates Revisited and a Short Note on Doubling in Twisted Edwards Form, 13th International Conference on Security and Cryptography (Lisbon, Portugal), Proceedings of SECRYPT 2016, pages 336-343 and 5.
    [Show full text]
  • The Complete Cost of Cofactor H = 1
    The complete cost of cofactor h = 1 Peter Schwabe and Daan Sprenkels Radboud University, Digital Security Group, P.O. Box 9010, 6500 GL Nijmegen, The Netherlands [email protected], [email protected] Abstract. This paper presents optimized software for constant-time variable-base scalar multiplication on prime-order Weierstraß curves us- ing the complete addition and doubling formulas presented by Renes, Costello, and Batina in 2016. Our software targets three different mi- croarchitectures: Intel Sandy Bridge, Intel Haswell, and ARM Cortex- M4. We use a 255-bit elliptic curve over F2255−19 that was proposed by Barreto in 2017. The reason for choosing this curve in our software is that it allows most meaningful comparison of our results with optimized software for Curve25519. The goal of this comparison is to get an under- standing of the cost of using cofactor-one curves with complete formulas when compared to widely used Montgomery (or twisted Edwards) curves that inherently have a non-trivial cofactor. Keywords: Elliptic Curve Cryptography · SIMD · Curve25519 · scalar multiplication · prime-field arithmetic · cofactor security 1 Introduction Since its invention in 1985, independently by Koblitz [34] and Miller [38], elliptic- curve cryptography (ECC) has widely been accepted as the state of the art in asymmetric cryptography. This success story is mainly due to the fact that attacks have not substantially improved: with a choice of elliptic curve that was in the 80s already considered conservative, the best attack for solving the elliptic- curve discrete-logarithm problem is still the generic Pollard-rho algorithm (with minor speedups, for example by exploiting the efficiently computable negation map in elliptic-curve groups [14]).
    [Show full text]
  • Montgomery Curves and the Montgomery Ladder
    Montgomery curves and the Montgomery ladder Daniel J. Bernstein and Tanja Lange Technische Universiteit Eindhoven, The Netherlands University of Illinois at Chicago, USA Abstract. The Montgomery ladder is a remarkably simple method of computing scalar multiples of points on a broad class of elliptic curves. This article surveys a wide range of topics related to the Montgomery ladder, both from the historical perspective of Weierstrass curves and from the modern perspective of Edwards curves. New material includes a full proof of a complete constant-time ladder algorithm suitable for cryptographic applications. This article is planned to appear as Chapter 4 of the book Topics in Com- putational Number Theory inspired by Peter L. Montgomery, edited by Joppe W. Bos and Arjen K. Lenstra. Two cross-references are to de- scriptions of ECM in FFT extension for algebraic-group factorization algorithms, by Richard P. Brent, Alexander Kruppa, and Paul Zimmer- mann, which is planned to appear as Chapter 9 of the same book. Author list in alphabetical order; see https://www.ams.org/profession/ leaders/culture/CultureStatement04.pdf. This work was supported by the Commission of the European Communities through the Horizon 2020 program under project ICT-645421 (ECRYPT-CSA), by the U.S. National Sci- ence Foundation under grants 1018836 and 1314919, and by the Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005. “Any opinions, findings, and conclusions or recommendations expressed in this ma- terial are those of the author(s) and do not necessarily reflect the views of the National Science Foundation” (or other funding agencies).
    [Show full text]
  • 18.783 S17 Elliptic Curves Lecture 11: Index Calculus, Smooth Numbers, Factoring Integers
    18.783 Elliptic Curves Spring 2017 Lecture #11 03/15/2017 11 Index calculus, smooth numbers, and factoring integers Having explored generic algorithms for the discrete logarithm problem in some detail, we now consider a non-generic algorithm that uses index calculus. 1 This algorithm depends critically on the distribution of smooth numbers (integers with small prime factors), which naturally leads to a discussion of two algorithms for factoring integers that also depend on smooth numbers: the Pollard p − 1 method and the elliptic curve method (ECM). 11.1 Index calculus Index calculus is a method for computing discrete logarithms in the multiplicative group of a finite field. This might not seem directly relevant to the elliptic curve discrete logarithm problem, but aswe shall see whenwe discuss pairing-based cryptography, thesetwo problems are not unrelated. Moreover, the same approach can be applied to elliptic curves over non- prime finite fields, as well as abelian varieties of higher dimension [7, 8, 9].2 We will restrict our attention to the simplest case, a finite field of prime order p. Let us identify Fp ' Z=pZ with our usual choice of representatives for Z=pZ, integers in the interval [0;N], with N = p − 1. This innocent looking statement is precisely what will allow us to “cheat”, that is, to do something that a generic algorithm cannot. It lets us lift elements of Fp ' Z=pZ to the ring Z where we may consider their prime factorizations, something that makes no sense in a multiplicative group (every element is a unit) and is not available to a generic algorithm.
    [Show full text]
  • Twisted Edwards Curves
    Twisted Edwards Curves Daniel J. Bernstein1, Peter Birkner2, Marc Joye3, Tanja Lange2, and Christiane Peters2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at Chicago, Chicago, IL 60607–7045, USA [email protected] 2 Department of Mathematics and Computer Science Technische Universiteit Eindhoven, P.O. Box 513, 5600 MB Eindhoven, Netherlands [email protected], [email protected], [email protected] 3 Thomson R&D France Technology Group, Corporate Research, Security Laboratory 1 avenue de Belle Fontaine, 35576 Cesson-S´evign´eCedex, France [email protected] Abstract. This paper introduces “twisted Edwards curves,” a general- ization of the recently introduced Edwards curves; shows that twisted Edwards curves include more curves over finite fields, and in particular every elliptic curve in Montgomery form; shows how to cover even more curves via isogenies; presents fast explicit formulas for twisted Edwards curves in projective and inverted coordinates; and shows that twisted Edwards curves save time for many curves that were already expressible as Edwards curves. Keywords: Elliptic curves, Edwards curves, twisted Edwards curves, Montgomery curves, isogenies. 1 Introduction Edwards in [13], generalizing an example from Euler and Gauss, introduced an addition law for the curves x2 + y2 = c2(1 + x2y2) over a non-binary field k. Edwards showed that every elliptic curve over k can be expressed in the form x2 + y2 = c2(1 + x2y2) if k is algebraically closed. However, over a finite field, only a small fraction of elliptic curves can be expressed in this form. Bernstein and Lange in [4] presented fast explicit formulas for addition and doubling in coordinates (X : Y : Z) representing (x, y) = (X/Z, Y/Z) on an Edwards curve, and showed that these explicit formulas save time in elliptic- curve cryptography.
    [Show full text]
  • Isomorphism Classes of Edwards Curves Over Finite Fields
    Isomorphism classes of Edwards curves over finite fields Reza Rezaeian Farashahi Department of Computing Macquarie University Sydney, NSW 2109, Australia and Department of Mathematical Sciences Isfahan University of Technology P.O. Box 85145 Isfahan, Iran [email protected] Dustin Moody National Institute of Standards and Technology (NIST) 100 Bureau Drive, Gaithersburg, MD, 20899, USA [email protected] Hongfeng Wu College of Sciences North China University of Technology Beijing 100144, P.R. China [email protected] Abstract Edwards curves are an alternate model for elliptic curves, which have attracted notice in cryptography. We give exact formulas for the number of Fq-isomorphism classes of Edwards curves and twisted Ed­ wards curves. This answers a question recently asked by R. Farashahi and I. Shparlinski. 1 1 Introduction Elliptic curves have been an object of much study in mathematics. Recall that an elliptic curve is a smooth projective genus 1 curve, with a given rational point. The traditional model for an elliptic curve has been the Weierstrass equation 2 3 2 Y + a1XY + a3Y = X + a2X + a4X + a6; where the ai are elements in some field F. While other models for elliptic curves have long been known, in the past few years there has been renewed interest in these alternate models. This attention has primarily come from the cryptographic community. In 2007, Edwards proposed a new model for elliptic curves [10]. Let F be a field with characteristic p 6= 2. These original Edwards curves, defined over F, are given by the equation 2 2 2 2 2 EE;c : X + Y = c (1 + X Y ); (1) with c 2 F and c5 6= c.
    [Show full text]
  • Efficient Elliptic Curve Diffie-Hellman Computation at the 256-Bit Security
    Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level Kaushik Nath and Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B. T. Road Kolkata - 700108 India fkaushikn r,[email protected] Abstract In this paper we introduce new Montgomery and Edwards form elliptic curve targeted at the 506 510 256-bit security level. To this end, we work with three primes, namely p1 := 2 − 45, p2 = 2 − 75 521 and p3 := 2 − 1. While p3 has been considered earlier in the literature, p1 and p2 are new. We define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agree- ment protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over p1 leads to a 3%-4% slowdown and the new Montgomery curve over p2 leads to a 4:5%-5% slowdown; on the other hand, 29 and 30.5 extra bits of security respectively are gained. For designers aiming for the 256-bit security level, the new curves over p1 and p2 provide an acceptable trade-off between security and efficiency. Keywords: Elliptic curve cryptography, Elliptic curve Diffie-Hellman key agreement, Montgomery form, Edwards form, 256-bit security.
    [Show full text]
  • The Elliptic Curve Method and Other Integer Factorization Algorithms
    The Elliptic Curve Method and Other Integer Factorization Algorithms John Wright April 12, 2012 Contents 1 Introduction 2 2 Preliminaries 3 2.1 Greatest common divisors and modular arithmetic . 3 2.2 Basic definitions and theorems . 6 2.3 RSACryptosystem........................ 9 3 Factorization Algorithms 11 3.1 TheSieveofEratosthenes . 11 3.2 TrialDivision ........................... 12 3.3 Fermat’sLittleTheorem . 13 3.4 PseudoprimeTest......................... 14 3.5 StrongPseudoprimeTest . 16 3.6 AmethodofFermat ....................... 17 3.7 TheQuadraticSieve . 20 3.8 Pollard Rho Factorization Method . 22 4 Elliptic curves 24 4.1 Additiononanellipticcurve . 28 4.2 Reduction of elliptic curves defined modulo N ......... 31 4.3 Reduction of curves modulo p .................. 33 4.4 Lenstra’s Elliptic Curve Integer Factorization Method . 34 4.5 TheECMintheprojectiveplane . 36 5 Improving the Elliptic Curve Method 38 5.1 MontgomeryCurves . 38 5.2 Addition for elliptic curves in Montgomery form . 42 5.3 Montgomery multiplication . 47 5.4 Recentdevelopments . 49 5.5 Conclusion ............................ 50 1 Chapter 1 Introduction The Fundamental Theorem of Arithmetic, first proved by Gauss [2], states that every positive integer has a unique factorization into primes. That is, for every positive integer N, a1 a2 ak N = p1 p2 ...pk where the pi’s are distinct primes and each ai is a positive integer. This paper is motivated by a computational question: given an arbitrary integer N, how might we find a non-trivial factor of N? That is, a factor of N other than N and 1. ± ± While it is computationally easy to multiply numbers together, factor- ing a general integer is “generally believed to be hard” [4].
    [Show full text]
  • BINARY EDWARDS CURVES in ELLIPTIC CURVE CRYPTOGRAPHY by Graham Enos a Dissertation Submitted to the Faculty of the University Of
    BINARY EDWARDS CURVES IN ELLIPTIC CURVE CRYPTOGRAPHY by Graham Enos A dissertation submitted to the faculty of The University of North Carolina at Charlotte in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Applied Mathematics Charlotte 2013 Approved by: Dr. Yuliang Zheng Dr. Gabor Hetyei Dr. Thomas Lucas Dr. Evan Houston Dr. Shannon Schlueter ii ©2013 Graham Enos ALL RIGHTS RESERVED iii ABSTRACT GRAHAM ENOS. Binary edwards curves in elliptic curve cryptography. (Under the direction of DR. YULIANG ZHENG) Edwards curves are a new normal form for elliptic curves that exhibit some cryp- tographically desirable properties and advantages over the typical Weierstrass form. Because the group law on an Edwards curve (normal, twisted, or binary) is complete and unified, implementations can be safer from side channel or exceptional procedure attacks. The different types of Edwards provide a better platform for cryptographic primitives, since they have more security built into them from the mathematic foun- dation up. Of the three types of Edwards curves|original, twisted, and binary|there hasn't been as much work done on binary curves. We provide the necessary motivation and background, and then delve into the theory of binary Edwards curves. Next, we examine practical considerations that separate binary Edwards curves from other recently proposed normal forms. After that, we provide some of the theory for bi- nary curves that has been worked on for other types already: pairing computations. We next explore some applications of elliptic curve and pairing-based cryptography wherein the added security of binary Edwards curves may come in handy.
    [Show full text]
  • Two Kinds of Division Polynomials for Twisted Edwards Curves
    Two Kinds of Division Polynomials For Twisted Edwards Curves Richard Moloney and Gary McGuire∗ School of Mathematical Sciences University College Dublin Ireland Email: [email protected], [email protected] December 1, 2018 Abstract This paper presents two kinds of division polynomials for twisted Edwards curves. Their chief property is that they characterise the n-torsion points of a given twisted Edwards curve. We also present results concerning the coefficients of these polynomials, which may aid computation. 1 Introduction The famous last entry in the diary of Gauss concerns the curve with equation x2 + y2 + x2y2 = 1 (1) 2 3 and its rational points over Fp. This curve is related to the elliptic curve y = 4x − 4x. The idea of division polynomials on a curve with a group law on its points, is that we try to write down a formula for [n]P in terms of the coordinates of P , where [n]P denotes P added to itself n times under the group law. In this paper we shall give two distinct arXiv:0907.4347v1 [math.AG] 24 Jul 2009 solutions to this problem, in the general context of twisted Edwards curves, of which (1) is a special case. Edwards [5], generalising (1), introduced an addition law on the curves x2 + y2 = c2(1 + x2y2) for c ∈ k, where k is a field of characteristic not equal to 2. He showed that every elliptic curve over k is birationally equivalent (over some extension of k) to a curve of this form. ∗ Research supported by Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006, and Grant 07/RFP/MATF846, and the Irish Research Council for Science, Engineering and Technology 1 In [3], Bernstein and Lange generalised this addition law to the curves x2+y2 = 1+dx2y2 for d ∈ k \ {0, 1}.
    [Show full text]
  • Elliptic Curve Factorization Method (ECM), Introduced by Hendrik Lenstra [4], a Heuristically Subexponential Running
    18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring integers, we first present an older algorithm of Pollard that motivates the ECM approach. 12.1 Pollard p − 1 method In 1974, Pollard introduced a randomized (Monte Carlo) algorithm for factoring integers [6]. It makes use of a smoothness parameter B. Algorithm 12.1 (Pollard p − 1 factorization). Input: An integer N to be factored and a smoothness bound B. Output: A proper divisor of N or failure. 1. Pick a random integer a 2 [1;N − 1]. 2. If d = gcd(a; N) is not 1 then return d. 3. Set b = a and for each prime ` ≤ B: a. Set b = b`e mod N, where `e−1 < N ≤ `e. b. If d = gcd(b − 1;N) is not 1 then return d if d < N or failure if d = N. 4. Return failure Rather than using a fixed bound B, we could simply let the algorithm keep running through primes ` until it either succeeds or fails in step 3b. But in practice one typically uses a very small smoothness bound B and switches to a different algorithm if the p − 1 method fail. In any case, it is convenient to have B fixed for the purposes of analysis. Theorem 12.2. Let p and q be prime divisors of N, and let `p and `q be the largest prime divisors of p − 1 and q − 1, respectively.
    [Show full text]
  • Curves, Codes, and Cryptography Copyright C 2011 by Christiane Peters
    Curves, Codes, and Cryptography Copyright c 2011 by Christiane Peters. Printed by Printservice Technische Universiteit Eindhoven. Cover: Starfish found in Bouldin Creek, Austin, Texas. Fossils originate from the late Cretaceous, about 85 million years ago. Picture taken by Laura Hitt O’Connor at the Texas Natural Science Center, Austin, Texas. Design in cooperation with Verspaget & Bruinink. CIP-DATA LIBRARY TECHNISCHE UNIVERSITEIT EINDHOVEN Peters, Christiane Curves, Codes, and Cryptography / by Christiane Peters. – Eindhoven: Technische Universiteit Eindhoven, 2011. Proefschrift. – ISBN 978-90-386-2476-1 NUR 919 Subject heading: Cryptology 2000 Mathematics Subject Classification: 94A60, 11Y16, 11T71 Curves, Codes, and Cryptography PROEFSCHRIFT ter verkrijging van de graad van doctor aan de Technische Universiteit Eindhoven, op gezag van de rector magnificus, prof.dr.ir. C.J. van Duijn, voor een commissie aangewezen door het College voor Promoties in het openbaar te verdedigen op dinsdag 10 mei 2011 om 16.00 uur door Christiane Pascale Peters geboren te Paderborn, Duitsland Dit proefschrift is goedgekeurd door de promotoren: prof.dr. T. Lange en prof.dr. D.J. Bernstein Fur¨ meine Eltern Angelika und Jurgen¨ Peters Thanks I would like to thank many people for their support and company during my Ph.D. studies. First of all, I am most grateful to my supervisors Tanja Lange and Daniel J. Bernstein. I thank Tanja for giving me the opportunity to come to Eindhoven to do research and to get to know the (crypto) world. I thank Tanja and Dan for letting me participate in great projects such as working on Edwards curves in cryptographic and number-theoretic settings, and for helping me find my way into the world of code-based cryptography.
    [Show full text]