DOCSLIB.ORG

Twisted Edwards Curves

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Twisted Edwards Curves Twisted Edwards Curves Daniel J. Bernstein1, Peter Birkner2, Marc Joye3, Tanja Lange2, and Christiane Peters2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at Chicago, Chicago, IL 60607–7045, USA [email protected] 2 Department of Mathematics and Computer Science Technische Universiteit Eindhoven, P.O. Box 513, 5600 MB Eindhoven, Netherlands [email protected], [email protected], [email protected] 3 Thomson R&D France Technology Group, Corporate Research, Security Laboratory 1 avenue de Belle Fontaine, 35576 Cesson-S´evign´eCedex, France [email protected] Abstract. This paper introduces “twisted Edwards curves,” a general- ization of the recently introduced Edwards curves; shows that twisted Edwards curves include more curves over finite fields, and in particular every elliptic curve in Montgomery form; shows how to cover even more curves via isogenies; presents fast explicit formulas for twisted Edwards curves in projective and inverted coordinates; and shows that twisted Edwards curves save time for many curves that were already expressible as Edwards curves. Keywords: Elliptic curves, Edwards curves, twisted Edwards curves, Montgomery curves, isogenies. 1 Introduction Edwards in [13], generalizing an example from Euler and Gauss, introduced an addition law for the curves x2 + y2 = c2(1 + x2y2) over a non-binary field k. Edwards showed that every elliptic curve over k can be expressed in the form x2 + y2 = c2(1 + x2y2) if k is algebraically closed. However, over a finite field, only a small fraction of elliptic curves can be expressed in this form. Bernstein and Lange in [4] presented fast explicit formulas for addition and doubling in coordinates (X : Y : Z) representing (x, y) = (X/Z, Y/Z) on an Edwards curve, and showed that these explicit formulas save time in elliptic- curve cryptography. Bernstein and Lange also generalized the addition law to the curves x2 + y2 = c2(1 + dx2y2). This shape covers considerably more elliptic * Permanent ID of this document: c798703ae3ecfdc375112f19dd0787e4. Date of this document: 2008.03.13. This work has been supported in part by the European Com- mission through the IST Programme under Contract IST–2002–507932 ECRYPT, and in part by the National Science Foundation under grant ITR–0716498. Part of this work was carried out during a visit to INRIA Lorraine (LORIA). 2 D. J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters curves over a finite field than x2 +y2 = c2(1+x2y2). All curves in the generalized form are isomorphic to curves x2 + y2 = 1 + dx2y2. In this paper, we further generalize the Edwards addition law to cover all curves ax2 + y2 = 1 + dx2y2. Our explicit formulas for addition and doubling are almost as fast in the general case as they are for the special case a = 1. We show that our generalization brings the speed of the Edwards addition law to every Montgomery curve; we also show that, over prime fields Fp where p ≡ 1 (mod 4), many Montgomery curves are not covered by the special case a = 1. We further explain how to use isogenies to cover the odd part of every curve whose group order is a multiple of 4; over prime fields Fp where p ≡ 3 (mod 4), the special case a = 1 covers all Montgomery curves but does not cover all curves whose group order is a multiple of 4. Our generalization is also of interest for many curves that were already expressible in Edwards form; we explain how the twisting can save time in arithmetic. See [2] for a successful application of twisted Edwards curves to the elliptic-curve method of factorization. Section 2 reviews Edwards curves, introduces twisted Edwards curves, and shows that each twisted Edwards curve is (as the name would suggest) a twist of an Edwards curve. Section 3 shows that every Montgomery curve can be expressed as a twisted Edwards curve, and vice versa. Section 4 reports the percentages of elliptic curves (over various prime fields) that can be expressed as Edwards curves, twisted Edwards curves, “4 times odd” twisted Edwards curves, etc. Section 5 uses isogenies to cover even more curves: specifically, it shows that every curve with group order a multiple of 4 and with no point of order 4 is 2-isogenous to a twisted Edwards curve. Section 6 generalizes the Edwards addition law, the explicit formulas from [4], and the “inverted” formulas from [5] to handle twisted Edwards curves. Section 7 analyzes the benefits of the generalization for cryptographic applications. 2 Edwards Curves and Twisted Edwards Curves In this section we briefly review Edwards curves and the Edwards addition law at the level of generality of [4]. We then introduce twisted Edwards curves and discuss their relationship to Edwards curves. Review of Edwards Curves. Throughout the paper we consider elliptic curves over a non-binary field k, i.e., a field k whose characteristic char(k) is not 2. An Edwards curve over k is a curve E : x2+y2 = 1+dx2y2 where d ∈ k\{0, 1}. The sum of two points (x1, y1), (x2, y2) on this Edwards curve E is x1y2 + y1x2 y1y2 − x1x2 (x1, y1) + (x2, y2) = , . 1 + dx1x2y1y2 1 − dx1x2y1y2 The point (0, 1) is the neutral element of the addition law. The point (0, −1) has order 2. The points (1, 0) and (−1, 0) have order 4. The inverse of a point (x1, y1) on E is (−x1, y1). The addition law is strongly unified: i.e., it can also be used to double a point. The addition law also works for the neutral element Twisted Edwards Curves 3 and for inverses. If d is a nonsquare in k then, as proven in [4, Theorem 3.3], this addition law is complete: it works for all pairs of inputs. Twisted Edwards Curves. The existence of points of order 4 restricts the number of elliptic curves in Edwards form over k. We embed the set of Edwards curves in a larger set of elliptic curves of a similar shape by introducing twisted Edwards curves. Definition 2.1 (Twisted Edwards curve). Fix a field k with char(k) 6= 2. Fix distinct nonzero elements a, d ∈ k. The twisted Edwards curve with coeffi- cients a and d is the curve 2 2 2 2 E E,a,d : ax + y = 1 + dx y . An Edwards curve is a twisted Edwards curve with a = 1. In Section 3 we will show that every twisted Edwards curve is birationally equivalent to an elliptic curve in Montgomery form, and vice versa. The elliptic curve has j-invariant 16(a2 + 14ad + d2)3/ad(a − d)4. Twisted Edwards Curves as Twists of Edwards Curves. The twisted 2 2 2 2 Edwards curve E E,a,d : ax + y = 1 + dx y is a quadratic twist of the Edwards 2 2 2 2 √ curve E E,1,d/a :x ¯ +y ¯ = 1 + (d/a)¯x y¯ . The map√ (¯x, y¯) 7→ (x, y) = (¯x/ a, y¯) is an isomorphism from E E,1,d/a to E E,a,d over k( a). If a is a square in k then E E,a,d is isomorphic to E E,1,d/a over k. ¯ More generally, E E,a,d is a quadratic twist of E E,a,¯ d¯ for anya, ¯ d satisfying d/¯ a¯ = d/a. Conversely, every quadratic twist of a twisted Edwards curve is isomorphic to a twisted Edwards curve; i.e., the set of twisted Edwards curves is invariant under quadratic twists. 2 2 2 2 Furthermore, the twisted Edwards curve E E,a,d : ax + y = 1 + dx y is a quadratic twist of (actually is birationally equivalent to) the twisted Edwards 2 2 2 2 curve E E,d,a : dx¯ +y ¯ = 1 + ax¯ y¯ . The map (¯x, y¯) 7→ (x, y) = (¯x, 1/y¯) is a birational equivalence from E E,d,a to E E,a,d. More generally, E E,a,d is a quadratic ¯ ¯ twist of E E,a,¯ d¯ for anya, ¯ d satisfying d/a¯ = a/d. This generalizes the known fact, used in [4, proof of Theorem 2.1], that E E,1,d is a quadratic twist of E E,1,1/d. 3 Montgomery Curves and Twisted Edwards Curves Let k be a field with char(k) 6= 2. In this section we show that the set of Montgomery curves over k is equivalent to the set of twisted Edwards curves over k. We also analyze the extent to which this is true without twists. Standard algorithms for transforming a Weierstrass curve into a Montgomery curve if possible (see, e.g., [11, Section 13.2.3.c]) can be combined with our explicit transformation from a Montgomery curve to a twisted Edwards curve. Definition 3.1 (Montgomery curve). Fix a field k with char(k) 6= 2. Fix A ∈ k \ {−2, 2} and B ∈ k \{0}. The Montgomery curve with coefficients A and B is the curve 2 3 2 EM,A,B : Bv = u + Au + u. 4 D. J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters Theorem 3.2. Fix a field k with char(k) 6= 2. (i) Every twisted Edwards curve over k is birationally equivalent over k to a Montgomery curve. Specifically, fix distinct nonzero elements a, d ∈ k. The twisted Edwards curve E E,a,d is birationally equivalent to the Montgomery curve EM,A,B, where A = 2(a + d)/(a − d) and B = 4/(a − d). The map (x, y) 7→ (u, v) = ((1 + y)/(1 − y), (1 + y)/(1 − y)x) is a birational equivalence from E E,a,d to EM,A,B, with inverse (u, v) 7→ (x, y) = (u/v, (u − 1)/(u + 1)).
Load more

Recommended publications
  • Elliptic Curve Arithmetic for Cryptography
    Elliptic Curve Arithmetic for Cryptography Srinivasa Rao Subramanya Rao August 2017 A Thesis submitted for the degree of Doctor of Philosophy of The Australian National University c Copyright by Srinivasa Rao Subramanya Rao 2017 All Rights Reserved Declaration I confirm that this thesis is a result of my own work, except as cited in the references. I also confirm that I have not previously submitted any part of this work for the purposes of an award of any degree or diploma from any University. Srinivasa Rao Subramanya Rao March 2017. Previously Published Content During the course of research contributing to this thesis, the following papers were published by the author of this thesis. This PhD thesis contains material from these papers: 1. Srinivasa Rao Subramanya Rao, A Note on Schoenmakers Algorithm for Multi Exponentiation, 12th International Conference on Security and Cryptography (Colmar, France), Proceedings of SECRYPT 2015, pages 384-391. 2. Srinivasa Rao Subramanya Rao, Interesting Results Arising from Karatsuba Multiplication - Montgomery family of formulae, in Proceedings of Sixth International Conference on Computer and Communication Technology 2015 (Allahabad, India), pages 317-322. 3. Srinivasa Rao Subramanya Rao, Three Dimensional Montgomery Ladder, Differential Point Tripling on Montgomery Curves and Point Quintupling on Weierstrass' and Edwards Curves, 8th International Conference on Cryptology in Africa, Proceedings of AFRICACRYPT 2016, (Fes, Morocco), LNCS 9646, Springer, pages 84-106. 4. Srinivasa Rao Subramanya Rao, Differential Addition in Edwards Coordinates Revisited and a Short Note on Doubling in Twisted Edwards Form, 13th International Conference on Security and Cryptography (Lisbon, Portugal), Proceedings of SECRYPT 2016, pages 336-343 and 5.
    [Show full text]
  • The Complete Cost of Cofactor H = 1
    The complete cost of cofactor h = 1 Peter Schwabe and Daan Sprenkels Radboud University, Digital Security Group, P.O. Box 9010, 6500 GL Nijmegen, The Netherlands [email protected], [email protected] Abstract. This paper presents optimized software for constant-time variable-base scalar multiplication on prime-order Weierstraß curves us- ing the complete addition and doubling formulas presented by Renes, Costello, and Batina in 2016. Our software targets three different mi- croarchitectures: Intel Sandy Bridge, Intel Haswell, and ARM Cortex- M4. We use a 255-bit elliptic curve over F2255−19 that was proposed by Barreto in 2017. The reason for choosing this curve in our software is that it allows most meaningful comparison of our results with optimized software for Curve25519. The goal of this comparison is to get an under- standing of the cost of using cofactor-one curves with complete formulas when compared to widely used Montgomery (or twisted Edwards) curves that inherently have a non-trivial cofactor. Keywords: Elliptic Curve Cryptography · SIMD · Curve25519 · scalar multiplication · prime-field arithmetic · cofactor security 1 Introduction Since its invention in 1985, independently by Koblitz [34] and Miller [38], elliptic- curve cryptography (ECC) has widely been accepted as the state of the art in asymmetric cryptography. This success story is mainly due to the fact that attacks have not substantially improved: with a choice of elliptic curve that was in the 80s already considered conservative, the best attack for solving the elliptic- curve discrete-logarithm problem is still the generic Pollard-rho algorithm (with minor speedups, for example by exploiting the efficiently computable negation map in elliptic-curve groups [14]).
    [Show full text]
  • Montgomery Curves and the Montgomery Ladder
    Montgomery curves and the Montgomery ladder Daniel J. Bernstein and Tanja Lange Technische Universiteit Eindhoven, The Netherlands University of Illinois at Chicago, USA Abstract. The Montgomery ladder is a remarkably simple method of computing scalar multiples of points on a broad class of elliptic curves. This article surveys a wide range of topics related to the Montgomery ladder, both from the historical perspective of Weierstrass curves and from the modern perspective of Edwards curves. New material includes a full proof of a complete constant-time ladder algorithm suitable for cryptographic applications. This article is planned to appear as Chapter 4 of the book Topics in Com- putational Number Theory inspired by Peter L. Montgomery, edited by Joppe W. Bos and Arjen K. Lenstra. Two cross-references are to de- scriptions of ECM in FFT extension for algebraic-group factorization algorithms, by Richard P. Brent, Alexander Kruppa, and Paul Zimmer- mann, which is planned to appear as Chapter 9 of the same book. Author list in alphabetical order; see https://www.ams.org/profession/ leaders/culture/CultureStatement04.pdf. This work was supported by the Commission of the European Communities through the Horizon 2020 program under project ICT-645421 (ECRYPT-CSA), by the U.S. National Sci- ence Foundation under grants 1018836 and 1314919, and by the Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005. “Any opinions, findings, and conclusions or recommendations expressed in this ma- terial are those of the author(s) and do not necessarily reflect the views of the National Science Foundation” (or other funding agencies).
    [Show full text]
  • 18.783 S17 Elliptic Curves Lecture 11: Index Calculus, Smooth Numbers, Factoring Integers
    18.783 Elliptic Curves Spring 2017 Lecture #11 03/15/2017 11 Index calculus, smooth numbers, and factoring integers Having explored generic algorithms for the discrete logarithm problem in some detail, we now consider a non-generic algorithm that uses index calculus. 1 This algorithm depends critically on the distribution of smooth numbers (integers with small prime factors), which naturally leads to a discussion of two algorithms for factoring integers that also depend on smooth numbers: the Pollard p − 1 method and the elliptic curve method (ECM). 11.1 Index calculus Index calculus is a method for computing discrete logarithms in the multiplicative group of a finite field. This might not seem directly relevant to the elliptic curve discrete logarithm problem, but aswe shall see whenwe discuss pairing-based cryptography, thesetwo problems are not unrelated. Moreover, the same approach can be applied to elliptic curves over non- prime finite fields, as well as abelian varieties of higher dimension [7, 8, 9].2 We will restrict our attention to the simplest case, a finite field of prime order p. Let us identify Fp ' Z=pZ with our usual choice of representatives for Z=pZ, integers in the interval [0;N], with N = p − 1. This innocent looking statement is precisely what will allow us to “cheat”, that is, to do something that a generic algorithm cannot. It lets us lift elements of Fp ' Z=pZ to the ring Z where we may consider their prime factorizations, something that makes no sense in a multiplicative group (every element is a unit) and is not available to a generic algorithm.
    [Show full text]
  • Isomorphism Classes of Edwards Curves Over Finite Fields
    Isomorphism classes of Edwards curves over finite fields Reza Rezaeian Farashahi Department of Computing Macquarie University Sydney, NSW 2109, Australia and Department of Mathematical Sciences Isfahan University of Technology P.O. Box 85145 Isfahan, Iran [email protected] Dustin Moody National Institute of Standards and Technology (NIST) 100 Bureau Drive, Gaithersburg, MD, 20899, USA [email protected] Hongfeng Wu College of Sciences North China University of Technology Beijing 100144, P.R. China [email protected] Abstract Edwards curves are an alternate model for elliptic curves, which have attracted notice in cryptography. We give exact formulas for the number of Fq-isomorphism classes of Edwards curves and twisted Ed­ wards curves. This answers a question recently asked by R. Farashahi and I. Shparlinski. 1 1 Introduction Elliptic curves have been an object of much study in mathematics. Recall that an elliptic curve is a smooth projective genus 1 curve, with a given rational point. The traditional model for an elliptic curve has been the Weierstrass equation 2 3 2 Y + a1XY + a3Y = X + a2X + a4X + a6; where the ai are elements in some field F. While other models for elliptic curves have long been known, in the past few years there has been renewed interest in these alternate models. This attention has primarily come from the cryptographic community. In 2007, Edwards proposed a new model for elliptic curves [10]. Let F be a field with characteristic p 6= 2. These original Edwards curves, defined over F, are given by the equation 2 2 2 2 2 EE;c : X + Y = c (1 + X Y ); (1) with c 2 F and c5 6= c.
    [Show full text]
  • Efficient Elliptic Curve Diffie-Hellman Computation at the 256-Bit Security
    Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level Kaushik Nath and Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B. T. Road Kolkata - 700108 India fkaushikn r,[email protected] Abstract In this paper we introduce new Montgomery and Edwards form elliptic curve targeted at the 506 510 256-bit security level. To this end, we work with three primes, namely p1 := 2 − 45, p2 = 2 − 75 521 and p3 := 2 − 1. While p3 has been considered earlier in the literature, p1 and p2 are new. We define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agree- ment protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over p1 leads to a 3%-4% slowdown and the new Montgomery curve over p2 leads to a 4:5%-5% slowdown; on the other hand, 29 and 30.5 extra bits of security respectively are gained. For designers aiming for the 256-bit security level, the new curves over p1 and p2 provide an acceptable trade-off between security and efficiency. Keywords: Elliptic curve cryptography, Elliptic curve Diffie-Hellman key agreement, Montgomery form, Edwards form, 256-bit security.
    [Show full text]
  • The Elliptic Curve Method and Other Integer Factorization Algorithms
    The Elliptic Curve Method and Other Integer Factorization Algorithms John Wright April 12, 2012 Contents 1 Introduction 2 2 Preliminaries 3 2.1 Greatest common divisors and modular arithmetic . 3 2.2 Basic definitions and theorems . 6 2.3 RSACryptosystem........................ 9 3 Factorization Algorithms 11 3.1 TheSieveofEratosthenes . 11 3.2 TrialDivision ........................... 12 3.3 Fermat’sLittleTheorem . 13 3.4 PseudoprimeTest......................... 14 3.5 StrongPseudoprimeTest . 16 3.6 AmethodofFermat ....................... 17 3.7 TheQuadraticSieve . 20 3.8 Pollard Rho Factorization Method . 22 4 Elliptic curves 24 4.1 Additiononanellipticcurve . 28 4.2 Reduction of elliptic curves defined modulo N ......... 31 4.3 Reduction of curves modulo p .................. 33 4.4 Lenstra’s Elliptic Curve Integer Factorization Method . 34 4.5 TheECMintheprojectiveplane . 36 5 Improving the Elliptic Curve Method 38 5.1 MontgomeryCurves . 38 5.2 Addition for elliptic curves in Montgomery form . 42 5.3 Montgomery multiplication . 47 5.4 Recentdevelopments . 49 5.5 Conclusion ............................ 50 1 Chapter 1 Introduction The Fundamental Theorem of Arithmetic, first proved by Gauss [2], states that every positive integer has a unique factorization into primes. That is, for every positive integer N, a1 a2 ak N = p1 p2 ...pk where the pi’s are distinct primes and each ai is a positive integer. This paper is motivated by a computational question: given an arbitrary integer N, how might we find a non-trivial factor of N? That is, a factor of N other than N and 1. ± ± While it is computationally easy to multiply numbers together, factor- ing a general integer is “generally believed to be hard” [4].
    [Show full text]
  • BINARY EDWARDS CURVES in ELLIPTIC CURVE CRYPTOGRAPHY by Graham Enos a Dissertation Submitted to the Faculty of the University Of
    BINARY EDWARDS CURVES IN ELLIPTIC CURVE CRYPTOGRAPHY by Graham Enos A dissertation submitted to the faculty of The University of North Carolina at Charlotte in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Applied Mathematics Charlotte 2013 Approved by: Dr. Yuliang Zheng Dr. Gabor Hetyei Dr. Thomas Lucas Dr. Evan Houston Dr. Shannon Schlueter ii ©2013 Graham Enos ALL RIGHTS RESERVED iii ABSTRACT GRAHAM ENOS. Binary edwards curves in elliptic curve cryptography. (Under the direction of DR. YULIANG ZHENG) Edwards curves are a new normal form for elliptic curves that exhibit some cryp- tographically desirable properties and advantages over the typical Weierstrass form. Because the group law on an Edwards curve (normal, twisted, or binary) is complete and unified, implementations can be safer from side channel or exceptional procedure attacks. The different types of Edwards provide a better platform for cryptographic primitives, since they have more security built into them from the mathematic foun- dation up. Of the three types of Edwards curves|original, twisted, and binary|there hasn't been as much work done on binary curves. We provide the necessary motivation and background, and then delve into the theory of binary Edwards curves. Next, we examine practical considerations that separate binary Edwards curves from other recently proposed normal forms. After that, we provide some of the theory for bi- nary curves that has been worked on for other types already: pairing computations. We next explore some applications of elliptic curve and pairing-based cryptography wherein the added security of binary Edwards curves may come in handy.
    [Show full text]
  • Two Kinds of Division Polynomials for Twisted Edwards Curves
    Two Kinds of Division Polynomials For Twisted Edwards Curves Richard Moloney and Gary McGuire∗ School of Mathematical Sciences University College Dublin Ireland Email: [email protected], [email protected] December 1, 2018 Abstract This paper presents two kinds of division polynomials for twisted Edwards curves. Their chief property is that they characterise the n-torsion points of a given twisted Edwards curve. We also present results concerning the coefficients of these polynomials, which may aid computation. 1 Introduction The famous last entry in the diary of Gauss concerns the curve with equation x2 + y2 + x2y2 = 1 (1) 2 3 and its rational points over Fp. This curve is related to the elliptic curve y = 4x − 4x. The idea of division polynomials on a curve with a group law on its points, is that we try to write down a formula for [n]P in terms of the coordinates of P , where [n]P denotes P added to itself n times under the group law. In this paper we shall give two distinct arXiv:0907.4347v1 [math.AG] 24 Jul 2009 solutions to this problem, in the general context of twisted Edwards curves, of which (1) is a special case. Edwards [5], generalising (1), introduced an addition law on the curves x2 + y2 = c2(1 + x2y2) for c ∈ k, where k is a field of characteristic not equal to 2. He showed that every elliptic curve over k is birationally equivalent (over some extension of k) to a curve of this form. ∗ Research supported by Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006, and Grant 07/RFP/MATF846, and the Irish Research Council for Science, Engineering and Technology 1 In [3], Bernstein and Lange generalised this addition law to the curves x2+y2 = 1+dx2y2 for d ∈ k \ {0, 1}.
    [Show full text]
  • Elliptic Curve Factorization Method (ECM), Introduced by Hendrik Lenstra [4], a Heuristically Subexponential Running
    18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring integers, we first present an older algorithm of Pollard that motivates the ECM approach. 12.1 Pollard p − 1 method In 1974, Pollard introduced a randomized (Monte Carlo) algorithm for factoring integers [6]. It makes use of a smoothness parameter B. Algorithm 12.1 (Pollard p − 1 factorization). Input: An integer N to be factored and a smoothness bound B. Output: A proper divisor of N or failure. 1. Pick a random integer a 2 [1;N − 1]. 2. If d = gcd(a; N) is not 1 then return d. 3. Set b = a and for each prime ` ≤ B: a. Set b = b`e mod N, where `e−1 < N ≤ `e. b. If d = gcd(b − 1;N) is not 1 then return d if d < N or failure if d = N. 4. Return failure Rather than using a fixed bound B, we could simply let the algorithm keep running through primes ` until it either succeeds or fails in step 3b. But in practice one typically uses a very small smoothness bound B and switches to a different algorithm if the p − 1 method fail. In any case, it is convenient to have B fixed for the purposes of analysis. Theorem 12.2. Let p and q be prime divisors of N, and let `p and `q be the largest prime divisors of p − 1 and q − 1, respectively.
    [Show full text]
  • Curves, Codes, and Cryptography Copyright C 2011 by Christiane Peters
    Curves, Codes, and Cryptography Copyright c 2011 by Christiane Peters. Printed by Printservice Technische Universiteit Eindhoven. Cover: Starfish found in Bouldin Creek, Austin, Texas. Fossils originate from the late Cretaceous, about 85 million years ago. Picture taken by Laura Hitt O’Connor at the Texas Natural Science Center, Austin, Texas. Design in cooperation with Verspaget & Bruinink. CIP-DATA LIBRARY TECHNISCHE UNIVERSITEIT EINDHOVEN Peters, Christiane Curves, Codes, and Cryptography / by Christiane Peters. – Eindhoven: Technische Universiteit Eindhoven, 2011. Proefschrift. – ISBN 978-90-386-2476-1 NUR 919 Subject heading: Cryptology 2000 Mathematics Subject Classification: 94A60, 11Y16, 11T71 Curves, Codes, and Cryptography PROEFSCHRIFT ter verkrijging van de graad van doctor aan de Technische Universiteit Eindhoven, op gezag van de rector magnificus, prof.dr.ir. C.J. van Duijn, voor een commissie aangewezen door het College voor Promoties in het openbaar te verdedigen op dinsdag 10 mei 2011 om 16.00 uur door Christiane Pascale Peters geboren te Paderborn, Duitsland Dit proefschrift is goedgekeurd door de promotoren: prof.dr. T. Lange en prof.dr. D.J. Bernstein Fur¨ meine Eltern Angelika und Jurgen¨ Peters Thanks I would like to thank many people for their support and company during my Ph.D. studies. First of all, I am most grateful to my supervisors Tanja Lange and Daniel J. Bernstein. I thank Tanja for giving me the opportunity to come to Eindhoven to do research and to get to know the (crypto) world. I thank Tanja and Dan for letting me participate in great projects such as working on Edwards curves in cryptographic and number-theoretic settings, and for helping me find my way into the world of code-based cryptography.
    [Show full text]
  • Curve25519 for the Cortex-M4 and Beyond
    Curve25519 for the Cortex-M4 and beyond Hayato Fujii and Diego F. Aranha Institute of Computing – University of Campinas [email protected], [email protected] Abstract. We present techniques for the implementation of a key ex- change protocol and digital signature scheme based on the Curve25519 elliptic curve and its Edwards form, respectively, in resource-constrained ARM devices. A possible application of this work consists of TLS deploy- ments in the ARM Cortex-M family of processors and beyond. These devices are located towards the lower to mid-end spectrum of ARM cores, and are typically used on embedded devices. Our implementa- tions improve the state-of-the-art substantially by making use of novel implementation techniques and features specific to the target platforms. Keywords: ECC, Curve25519, X25519, Ed25519, ARM processors, Cortex- M. 1 Introduction The growing number of devices connected to the Internet collecting and storing sensitive information raises concerns about the security of their communications and of the devices themselves. Many of them are equipped with microcontrollers constrained in terms of computing or storage capabilities, and lack tamper re- sistance mechanisms or any form of physical protection. Their attack surface is widely open, ranging from physical exposure to attackers and ease of access through remote availability. While designing and developing efficient and secure implementations of cryptography is not a new problem and has been an active area of research since at least the birth of public-key cryptography, the appli- cation scenarios for these new devices imposes new challenges to cryptographic engineering. A possible way to deploy security in new devices is to reuse well-known and well-analyzed building blocks, such as the Transport Layer Security (TLS) proto- col.
    [Show full text]