DOCSLIB.ORG

Edwards Curves

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Edwards Curves Edwards Curves Christiane Peters Technische Universiteit Eindhoven S´eminaire de Cryptographie Rennes June 20, 2008 1. Elliptic curves in Edwards form 2. Addition law 3. Fast explicit formulas 4. Twisted Edwards Curves –p.2 Addition on a clock 2 2 Unit circle x + y = 1. y Let xi = sin(αi), yi = cos(αi). O neutral = (0, 1) • x3 = sin(α1 + α2) P1 = (x1,y1) α1 ÑÑ• = sin(α1) cos(α2) + cos(α1) sin(α2) ÑÑ Ñ iii• P2 = (x2,y2) iÑPÑiii y3 = cos(α1 + α2) PPP / x PPP = cos(α1)cos(α2) − sin(α1) sin(α2) • P3 = (x3,y3) Addition of angles defines commutative group law (x1,y1) + (x2,y2) = (x3,y3), where x3 = x1y2 + y1x2 and y3 = y1y2 − x1x2. Fast but not elliptic; low security. –p.3 Elliptic curve in Edwards form over a non-binary field k y O neutral = (0, 1) • 2 2 2 2 x + y =1+ dx y , P1 = (x1,y1) • P = (x ,y ) where d ∈ k \ {0, 1}. [f fffff• 2 2 2 [[[[[[• / x P3 = (x3,y3) We add two points (x1,y1), (x2,y2) on E according to the Edwards addition law x1y2 + x2y1 y1y2 − x1x2 (x1,y1), (x2,y2) 7→ , . 1+ dx1x2y1y2 1 − dx1x2y1y2 –p.4 Elliptic? Short answer: Projective coordinates (X2 + Y 2)Z2 = Z4 + dX2Y 2 imply at first glance two singular points at infinity: (1 : 0 : 0), (0 : 1 : 0). Blow up yields two points of order 2 and two points of order 4. Easy way to see is approach from curves in Montgomery form. –p.5 1. Elliptic curves in Edwards form 2. Addition law 3. Fast explicit formulas 4. Twisted Edwards Curves –p.6 Addition on Edwards curves x1y2 + y1x2 y1y2 − x1x2 (x1,y1) + (x2,y2)= , 1+ dx1x2y1y2 1 − dx1x2y1y2 The point (0, 1) is the neutral element of the addition law and the negative of P = (x1,y1) is −P = (−x1,y1). If d is a non-square in k the addition law is complete. The addition law is strongly unified, i.e., it can be also used for doublings. –p.7 Complete? – (1) x1y2 + y1x2 y1y2 − x1x2 (x1,y1) + (x2,y2)= , 1+ dx1x2y1y2 1 − dx1x2y1y2 Can the denominators be 0? Claim: They are never 0 if d is not a square in k. Proof : Let (x1,y1) and (x2,y2) be on the curve, i.e., 2 2 2 2 xi + yi =1+ dxi yi . Write ε = dx1x2y1y2 and suppose ε ∈ {−1, 1}. Then x1,x2,y1,y2 6= 0 and 2 2 2 2 2 2 2 2 dx1y1(x2 + y2) = dx1y1(1 + dx2y2) 2 2 2 2 2 2 2 = dx1y1 + d x1y1x2y2 2 2 2 = dx1y1 + ε 2 2 = 1+ dx1y1 //(ε = ±1) 2 2 = x1 + y1 –p.8 Complete? – (2) Show: ε = dx1x2y1y2 = ±1 implies d is a square. x1y2 + y1x2 y1y2 − x1x2 (x1,y1) + (x2,y2)= , 1+ dx1x2y1y2 1 − dx1x2y1y2 2 2 2 2 2 2 We have dx1y1(x2 + y2)= x1 + y1. Proof (continued): It follows that 2 2 2 (x1 + εy1) = x1 + y1 + 2εx1y1 2 2 2 2 = dx1y1(x2 + y2) + 2x1y1dx1x2y1y2 2 2 2 2 2 2 2 = dx1y1(x2 + 2x2y2 + y2)= dx1y1(x2 + y2) 2 x2 + y2 6= 0 ⇒ d = ((x1 + εy1)/x1y1(x2 + y2)) ⇒ d = 2 x2 − y2 6= 0 ⇒ d = ((x1 − εy1)/x1y1(x2 − y2)) ⇒ d = If x2 + y2 = 0 and x2 − y2 = 0, then x2 = y2 = 0, contradiction. –p.9 1. Elliptic curves in Edwards form 2. Addition law 3. Fast explicit formulas 4. Twisted Edwards Curves –p.10 Inversion-free addition Consider the homogenized Edwards equation E : (X2 + Y 2)Z2 = Z4 + dX2Y 2 A point (X1 : Y1 : Z1) with Z1 6= 0 on E corresponds to the affine point (X1/Z1,Y1/Z1). 2 A = Z1 · Z2; B = A ; C = X1 · X2; D = Y1 · Y2; E = (X1 + Y1) · (X2 + Y2) − C − D; F = d · C · D; XP +Q = A · E · (B − F ); YP +Q = A · (D − C) · (B + F ); ZP +Q = (B − F ) · (B + F ). Costs 10M+1S+1D (mixed ADD needs 9M+1S+1D). –p.11 Explicit fast doubling and tripling formulas (Non-unified) Doubling of a point (x1,y1) on x2 + y2 =1+ dx2y2: 2 2 2x1y1 y1 − x1 [2](x1,y1) = 2 2 , 2 2 1+ dx1y1 1 − dx1y1 2 2 2x1y1 y1 − x1 = 2 2 , 2 2 . x1 + y1 2 − (x1 + y1) Inversion-free version needs 3M + 4S. Tripling: [3](x1,y1)= 2 2 2 2 2 2 2 2 ((x1 + y1) − (2y1) ) ((x1 + y1) − (2x1) ) 2 2 2 2 2 x1, 2 2 2 2 2 y1 . 4(x1 − 1)x1 − (x1 − y1) −4(y1 − 1)y1 + (x1 − y1) Inversion-free explicit formulas cost 9M + 4S. –p.12 Inverted Edwards A point (X1 : Y1 : Z1) with X1Y1Z1 6= 0 on (X2 + Y 2)Z2 = X2Y 2 + dZ4 corresponds to (Z1/X1, Z1/Y1) on the Edwards curve x2 + y2 =1+ dx2y2. Costs: 9M + 1S for ADD, 8M + 1S for mixed ADD, 3M + 4S for DBL and 9M + 4S for TRI. –p.13 1. Elliptic curves in Edwards form 2. Addition law 3. Fast explicit formulas 4. Twisted Edwards Curves –p.14 What about Montgomery form? So far fastest ECC methods use curves in Montgomery form Bv2 = u3 + Au2 + u. Differential addition formulas for computing nP use 5M + 4S + 1A for each bit of n. Setting 1S = 0.8 M: Edwards faster than Montgomery curves when using scalars with more than 160 bits. nP + n′P ′ is hard to compute for n 6= n′ and P 6= P ′. Big advantage for Edwards. –p.15 Counting elliptic curves over Fp if p ≡ 1 (mod 4) ≈ 2p elliptic curves. ≈ 5p/6 curves with order ∈ 4Z. ≈ 5p/6 Montgomery curves. ≈ 2p/3 Edwards curves. ≈ p/2 complete Edwards curves. ≈ p/24 original Edwards curves. (more detailed description and more experiments in Bernstein, Birkner, Joye, Lange, P.: Twisted Edwards Curves in AFRICACRYPT ’08) –p.16 Counting elliptic curves over Fp if p ≡ 3 (mod 4) ≈ 2p elliptic curves. ≈ 5p/6 curves with order ∈ 4Z. ≈ 3p/4 Montgomery curves. ≈ 3p/4 Edwards curves. ≈ p/2 complete Edwards curves. ≈ p/4 original Edwards curves. Can we achieve Edwards-like speeds for more curves? –p.17 Twisted curves Points of order 4 restrict the number of elliptic curves in Edwards form over k. Define twisted Edwards curves ax2 + y2 =1+ dx2y2, with a, d 6= 0 and a 6= d. Every Edwards curve is a twisted Edwards curve (a = 1). –p.18 Why“twisted”? E′ :x ¯2 +y ¯2 =1+(d/a)¯x2y¯2 over k with a = α2 for some α ∈ k is isomorphic to E : ax2 + y2 =1+ dx2y2 by x =x/α ¯ and y =y ¯. In general: E′ and E are quadratic twists of each other, i.e., isomorphic over a quadratic extension of k. We have E′ :a ¯x¯2 +y ¯2 =1+ d¯x¯2y¯2 and E : ax2 + y2 =1+ dx2y2 are quadratic twists if ad¯=ad ¯ . –p.19 Convert Edwards curves into twisted form Get rid of huge denominators mod large primes p: E.g. Given x2 + y2 =1+ dx2y2 with d = n/m. Assume m “small”. Then m−1 mod p is almost as big as p! 2 3 2 Bernstein’s Curve25519: v = u + 486662u + u over Fp where p = 2255 − 19. Bernstein/Lange: Curve25519 is birationally equivalent to x2 + y2 = 1 + (121665/121666)x2 y2. But 121665/121666 ≡ 20800338683988658368647408995589388737092878452977063003340006470870624536394 mod p. Write curve as 121666 x2 + y2 = 1 + 121665 x2y2. –p.20 Addition on twisted Edwards curves x1y2 + y1x2 y1y2 − ax1x2 (x1,y1) + (x2,y2)= , . 1+ dx1x2y1y2 1 − dx1x2y1y2 Costs for inversion-free formulas: 10M + 1S + 1A + 1D for ADD, 3M + 4S + 1A for DBL. Speed in inverted coordinates: 9M + 1S + 1A + 1D for ADD, 3M + 4S + 1A + 1D for DBL. –p.21 Birational equivalence The Montgomery curve Bv2 = u3 + Au2 + u is birationally 2 2 2 2 equivalent to an Edwards curve Ea,d : ax + y =1+ dx y where a = (A + 2)/B and d = (A − 2)/B. (u, v) 7→ (x,y) = (u/v, (u − 1)/(u + 1)). inverse map (x,y) 7→ ((1 + y)/(1 − y), (1 + y)/((1 − y)x)). (B = 4/(a − d) and A = 2(a + d)/(a − d).) –p.22 Exceptional points Birational maps (u, v) 7→ (x,y) = (u/v, (u − 1)/(u + 1)). Exceptional points satisfy v(u + 1) = 0. (0, 0) ∈ EM corresponds to (0, −1). If EM (k) contains two more points of order 2, they are mapped to two points of order 2 at infinity of the desingularization of E. If d = δ2 in k: The point with u = −1 corresponds to points (−1, ±δ) which have order 4. They correspond to two points of order 4 at infinity of the desingularization of E. –p.23 Twisted Edwards speed for curves having group order ∈ 4Z Not every curve with group order ∈ 4Z can be written as a Montgomery curve. That’s the case iff p ≡ 3 mod 4 and the curve has 2-torsion Z/2 × Z/2. Write curve as v2 = u3 − (a + d)u2 + (ad)u. This curve is 2-isogenous to ax2 + y2 =1+ dx2y2: (u, v) 7→ (2v/(ad − u2), (v2 − (a − d)u2)/(v2 + (a − d)u2). –p.24 Make use of fast arithmetic on twisted Edwards curves Given n,m ∈ Z and two points P , Q on the Montgomery curve EM and a 2-isogeny ψ to a twisted Edwards curve Ea,d. P,Q7→[2n]P +[2m]Q EM × EM / EM O ψ×ψ ψˆ Ea,d × Ea,d / Ea,d P,˜ Q˜7→[n]P˜+[m]Q˜ –p.25 Benefits of twisted Edwards curves Fast addition formulas for a greater range of elliptic curves.
Load more

Recommended publications
  • Elliptic Curve Arithmetic for Cryptography
    Elliptic Curve Arithmetic for Cryptography Srinivasa Rao Subramanya Rao August 2017 A Thesis submitted for the degree of Doctor of Philosophy of The Australian National University c Copyright by Srinivasa Rao Subramanya Rao 2017 All Rights Reserved Declaration I confirm that this thesis is a result of my own work, except as cited in the references. I also confirm that I have not previously submitted any part of this work for the purposes of an award of any degree or diploma from any University. Srinivasa Rao Subramanya Rao March 2017. Previously Published Content During the course of research contributing to this thesis, the following papers were published by the author of this thesis. This PhD thesis contains material from these papers: 1. Srinivasa Rao Subramanya Rao, A Note on Schoenmakers Algorithm for Multi Exponentiation, 12th International Conference on Security and Cryptography (Colmar, France), Proceedings of SECRYPT 2015, pages 384-391. 2. Srinivasa Rao Subramanya Rao, Interesting Results Arising from Karatsuba Multiplication - Montgomery family of formulae, in Proceedings of Sixth International Conference on Computer and Communication Technology 2015 (Allahabad, India), pages 317-322. 3. Srinivasa Rao Subramanya Rao, Three Dimensional Montgomery Ladder, Differential Point Tripling on Montgomery Curves and Point Quintupling on Weierstrass' and Edwards Curves, 8th International Conference on Cryptology in Africa, Proceedings of AFRICACRYPT 2016, (Fes, Morocco), LNCS 9646, Springer, pages 84-106. 4. Srinivasa Rao Subramanya Rao, Differential Addition in Edwards Coordinates Revisited and a Short Note on Doubling in Twisted Edwards Form, 13th International Conference on Security and Cryptography (Lisbon, Portugal), Proceedings of SECRYPT 2016, pages 336-343 and 5.
    [Show full text]
  • The Complete Cost of Cofactor H = 1
    The complete cost of cofactor h = 1 Peter Schwabe and Daan Sprenkels Radboud University, Digital Security Group, P.O. Box 9010, 6500 GL Nijmegen, The Netherlands [email protected], [email protected] Abstract. This paper presents optimized software for constant-time variable-base scalar multiplication on prime-order Weierstraß curves us- ing the complete addition and doubling formulas presented by Renes, Costello, and Batina in 2016. Our software targets three different mi- croarchitectures: Intel Sandy Bridge, Intel Haswell, and ARM Cortex- M4. We use a 255-bit elliptic curve over F2255−19 that was proposed by Barreto in 2017. The reason for choosing this curve in our software is that it allows most meaningful comparison of our results with optimized software for Curve25519. The goal of this comparison is to get an under- standing of the cost of using cofactor-one curves with complete formulas when compared to widely used Montgomery (or twisted Edwards) curves that inherently have a non-trivial cofactor. Keywords: Elliptic Curve Cryptography · SIMD · Curve25519 · scalar multiplication · prime-field arithmetic · cofactor security 1 Introduction Since its invention in 1985, independently by Koblitz [34] and Miller [38], elliptic- curve cryptography (ECC) has widely been accepted as the state of the art in asymmetric cryptography. This success story is mainly due to the fact that attacks have not substantially improved: with a choice of elliptic curve that was in the 80s already considered conservative, the best attack for solving the elliptic- curve discrete-logarithm problem is still the generic Pollard-rho algorithm (with minor speedups, for example by exploiting the efficiently computable negation map in elliptic-curve groups [14]).
    [Show full text]
  • Montgomery Curves and the Montgomery Ladder
    Montgomery curves and the Montgomery ladder Daniel J. Bernstein and Tanja Lange Technische Universiteit Eindhoven, The Netherlands University of Illinois at Chicago, USA Abstract. The Montgomery ladder is a remarkably simple method of computing scalar multiples of points on a broad class of elliptic curves. This article surveys a wide range of topics related to the Montgomery ladder, both from the historical perspective of Weierstrass curves and from the modern perspective of Edwards curves. New material includes a full proof of a complete constant-time ladder algorithm suitable for cryptographic applications. This article is planned to appear as Chapter 4 of the book Topics in Com- putational Number Theory inspired by Peter L. Montgomery, edited by Joppe W. Bos and Arjen K. Lenstra. Two cross-references are to de- scriptions of ECM in FFT extension for algebraic-group factorization algorithms, by Richard P. Brent, Alexander Kruppa, and Paul Zimmer- mann, which is planned to appear as Chapter 9 of the same book. Author list in alphabetical order; see https://www.ams.org/profession/ leaders/culture/CultureStatement04.pdf. This work was supported by the Commission of the European Communities through the Horizon 2020 program under project ICT-645421 (ECRYPT-CSA), by the U.S. National Sci- ence Foundation under grants 1018836 and 1314919, and by the Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005. “Any opinions, findings, and conclusions or recommendations expressed in this ma- terial are those of the author(s) and do not necessarily reflect the views of the National Science Foundation” (or other funding agencies).
    [Show full text]
  • 18.783 S17 Elliptic Curves Lecture 11: Index Calculus, Smooth Numbers, Factoring Integers
    18.783 Elliptic Curves Spring 2017 Lecture #11 03/15/2017 11 Index calculus, smooth numbers, and factoring integers Having explored generic algorithms for the discrete logarithm problem in some detail, we now consider a non-generic algorithm that uses index calculus. 1 This algorithm depends critically on the distribution of smooth numbers (integers with small prime factors), which naturally leads to a discussion of two algorithms for factoring integers that also depend on smooth numbers: the Pollard p − 1 method and the elliptic curve method (ECM). 11.1 Index calculus Index calculus is a method for computing discrete logarithms in the multiplicative group of a finite field. This might not seem directly relevant to the elliptic curve discrete logarithm problem, but aswe shall see whenwe discuss pairing-based cryptography, thesetwo problems are not unrelated. Moreover, the same approach can be applied to elliptic curves over non- prime finite fields, as well as abelian varieties of higher dimension [7, 8, 9].2 We will restrict our attention to the simplest case, a finite field of prime order p. Let us identify Fp ' Z=pZ with our usual choice of representatives for Z=pZ, integers in the interval [0;N], with N = p − 1. This innocent looking statement is precisely what will allow us to “cheat”, that is, to do something that a generic algorithm cannot. It lets us lift elements of Fp ' Z=pZ to the ring Z where we may consider their prime factorizations, something that makes no sense in a multiplicative group (every element is a unit) and is not available to a generic algorithm.
    [Show full text]
  • Twisted Edwards Curves
    Twisted Edwards Curves Daniel J. Bernstein1, Peter Birkner2, Marc Joye3, Tanja Lange2, and Christiane Peters2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at Chicago, Chicago, IL 60607–7045, USA [email protected] 2 Department of Mathematics and Computer Science Technische Universiteit Eindhoven, P.O. Box 513, 5600 MB Eindhoven, Netherlands [email protected], [email protected], [email protected] 3 Thomson R&D France Technology Group, Corporate Research, Security Laboratory 1 avenue de Belle Fontaine, 35576 Cesson-S´evign´eCedex, France [email protected] Abstract. This paper introduces “twisted Edwards curves,” a general- ization of the recently introduced Edwards curves; shows that twisted Edwards curves include more curves over finite fields, and in particular every elliptic curve in Montgomery form; shows how to cover even more curves via isogenies; presents fast explicit formulas for twisted Edwards curves in projective and inverted coordinates; and shows that twisted Edwards curves save time for many curves that were already expressible as Edwards curves. Keywords: Elliptic curves, Edwards curves, twisted Edwards curves, Montgomery curves, isogenies. 1 Introduction Edwards in [13], generalizing an example from Euler and Gauss, introduced an addition law for the curves x2 + y2 = c2(1 + x2y2) over a non-binary field k. Edwards showed that every elliptic curve over k can be expressed in the form x2 + y2 = c2(1 + x2y2) if k is algebraically closed. However, over a finite field, only a small fraction of elliptic curves can be expressed in this form. Bernstein and Lange in [4] presented fast explicit formulas for addition and doubling in coordinates (X : Y : Z) representing (x, y) = (X/Z, Y/Z) on an Edwards curve, and showed that these explicit formulas save time in elliptic- curve cryptography.
    [Show full text]
  • Isomorphism Classes of Edwards Curves Over Finite Fields
    Isomorphism classes of Edwards curves over finite fields Reza Rezaeian Farashahi Department of Computing Macquarie University Sydney, NSW 2109, Australia and Department of Mathematical Sciences Isfahan University of Technology P.O. Box 85145 Isfahan, Iran [email protected] Dustin Moody National Institute of Standards and Technology (NIST) 100 Bureau Drive, Gaithersburg, MD, 20899, USA [email protected] Hongfeng Wu College of Sciences North China University of Technology Beijing 100144, P.R. China [email protected] Abstract Edwards curves are an alternate model for elliptic curves, which have attracted notice in cryptography. We give exact formulas for the number of Fq-isomorphism classes of Edwards curves and twisted Ed­ wards curves. This answers a question recently asked by R. Farashahi and I. Shparlinski. 1 1 Introduction Elliptic curves have been an object of much study in mathematics. Recall that an elliptic curve is a smooth projective genus 1 curve, with a given rational point. The traditional model for an elliptic curve has been the Weierstrass equation 2 3 2 Y + a1XY + a3Y = X + a2X + a4X + a6; where the ai are elements in some field F. While other models for elliptic curves have long been known, in the past few years there has been renewed interest in these alternate models. This attention has primarily come from the cryptographic community. In 2007, Edwards proposed a new model for elliptic curves [10]. Let F be a field with characteristic p 6= 2. These original Edwards curves, defined over F, are given by the equation 2 2 2 2 2 EE;c : X + Y = c (1 + X Y ); (1) with c 2 F and c5 6= c.
    [Show full text]
  • The Elliptic Curve Method and Other Integer Factorization Algorithms
    The Elliptic Curve Method and Other Integer Factorization Algorithms John Wright April 12, 2012 Contents 1 Introduction 2 2 Preliminaries 3 2.1 Greatest common divisors and modular arithmetic . 3 2.2 Basic definitions and theorems . 6 2.3 RSACryptosystem........................ 9 3 Factorization Algorithms 11 3.1 TheSieveofEratosthenes . 11 3.2 TrialDivision ........................... 12 3.3 Fermat’sLittleTheorem . 13 3.4 PseudoprimeTest......................... 14 3.5 StrongPseudoprimeTest . 16 3.6 AmethodofFermat ....................... 17 3.7 TheQuadraticSieve . 20 3.8 Pollard Rho Factorization Method . 22 4 Elliptic curves 24 4.1 Additiononanellipticcurve . 28 4.2 Reduction of elliptic curves defined modulo N ......... 31 4.3 Reduction of curves modulo p .................. 33 4.4 Lenstra’s Elliptic Curve Integer Factorization Method . 34 4.5 TheECMintheprojectiveplane . 36 5 Improving the Elliptic Curve Method 38 5.1 MontgomeryCurves . 38 5.2 Addition for elliptic curves in Montgomery form . 42 5.3 Montgomery multiplication . 47 5.4 Recentdevelopments . 49 5.5 Conclusion ............................ 50 1 Chapter 1 Introduction The Fundamental Theorem of Arithmetic, first proved by Gauss [2], states that every positive integer has a unique factorization into primes. That is, for every positive integer N, a1 a2 ak N = p1 p2 ...pk where the pi’s are distinct primes and each ai is a positive integer. This paper is motivated by a computational question: given an arbitrary integer N, how might we find a non-trivial factor of N? That is, a factor of N other than N and 1. ± ± While it is computationally easy to multiply numbers together, factor- ing a general integer is “generally believed to be hard” [4].
    [Show full text]
  • Elliptic Curve Factorization Method (ECM), Introduced by Hendrik Lenstra [4], a Heuristically Subexponential Running
    18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring integers, we first present an older algorithm of Pollard that motivates the ECM approach. 12.1 Pollard p − 1 method In 1974, Pollard introduced a randomized (Monte Carlo) algorithm for factoring integers [6]. It makes use of a smoothness parameter B. Algorithm 12.1 (Pollard p − 1 factorization). Input: An integer N to be factored and a smoothness bound B. Output: A proper divisor of N or failure. 1. Pick a random integer a 2 [1;N − 1]. 2. If d = gcd(a; N) is not 1 then return d. 3. Set b = a and for each prime ` ≤ B: a. Set b = b`e mod N, where `e−1 < N ≤ `e. b. If d = gcd(b − 1;N) is not 1 then return d if d < N or failure if d = N. 4. Return failure Rather than using a fixed bound B, we could simply let the algorithm keep running through primes ` until it either succeeds or fails in step 3b. But in practice one typically uses a very small smoothness bound B and switches to a different algorithm if the p − 1 method fail. In any case, it is convenient to have B fixed for the purposes of analysis. Theorem 12.2. Let p and q be prime divisors of N, and let `p and `q be the largest prime divisors of p − 1 and q − 1, respectively.
    [Show full text]
  • Montgomery Curves and Their Arithmetic the Case of Large Characteristic fields
    Montgomery curves and their arithmetic The case of large characteristic fields Craig Costello · Benjamin Smith A survey in tribute to Peter L. Montgomery Abstract Three decades ago, Montgomery introduced a new elliptic curve model for use in Lenstra's ECM factorization algorithm. Since then, his curves and the algorithms associated with them have become foundational in the implementation of elliptic curve cryptosystems. This article surveys the theory and cryptographic applications of Montgomery curves over non-binary finite fields, including Montgomery's x-only arithmetic and Ladder algorithm, x- only Diffie–Hellman, y-coordinate recovery, and 2-dimensional and Euclidean differential addition chains such as Montgomery's PRAC algorithm. Keywords Montgomery curve · Montgomery ladder · elliptic curve cryptog- raphy · scalar multiplication 1 Introduction Peter L. Montgomery's landmark 1987 paper Speeding the Pollard and elliptic curve methods of factorization [38] introduced what became known as Mont- gomery curves and the Montgomery ladder as a way of accelerating Lenstra's ECM factorization method [33]. However, they have gone on to have a far broader impact: while remaining a crucial component of modern factoring software, they have also become central to elliptic curve cryptography. Consider the following situation: let q be a prime power and let E be an elliptic curve over Fq, with group law ⊕, identity point O, and negation map . We have scalar multiplication endomorphisms on E defined by [k]: P 7−! P ⊕ · · · ⊕ P | {z } k times Craig Costello Microsoft Research, USA E-mail: [email protected] Benjamin Smith INRIA and Laboratoire d'Informatique de l'Ecole´ polytechnique (LIX), France E-mail: [email protected] 2 Craig Costello, Benjamin Smith for every k in Z (with [−k]P := [k]( P )).
    [Show full text]
  • Curve25519 for the Cortex-M4 and Beyond
    Curve25519 for the Cortex-M4 and beyond Hayato Fujii and Diego F. Aranha Institute of Computing – University of Campinas [email protected], [email protected] Abstract. We present techniques for the implementation of a key ex- change protocol and digital signature scheme based on the Curve25519 elliptic curve and its Edwards form, respectively, in resource-constrained ARM devices. A possible application of this work consists of TLS deploy- ments in the ARM Cortex-M family of processors and beyond. These devices are located towards the lower to mid-end spectrum of ARM cores, and are typically used on embedded devices. Our implementa- tions improve the state-of-the-art substantially by making use of novel implementation techniques and features specific to the target platforms. Keywords: ECC, Curve25519, X25519, Ed25519, ARM processors, Cortex- M. 1 Introduction The growing number of devices connected to the Internet collecting and storing sensitive information raises concerns about the security of their communications and of the devices themselves. Many of them are equipped with microcontrollers constrained in terms of computing or storage capabilities, and lack tamper re- sistance mechanisms or any form of physical protection. Their attack surface is widely open, ranging from physical exposure to attackers and ease of access through remote availability. While designing and developing efficient and secure implementations of cryptography is not a new problem and has been an active area of research since at least the birth of public-key cryptography, the appli- cation scenarios for these new devices imposes new challenges to cryptographic engineering. A possible way to deploy security in new devices is to reuse well-known and well-analyzed building blocks, such as the Transport Layer Security (TLS) proto- col.
    [Show full text]
  • CRYPTREC Review of Eddsa CRYPTREC EX-3003-2020
    CRYPTREC EX-3003-2020 CRYPTREC Review of EdDSA Steven D. Galbraith Mathematics Department, University of Auckland, Auckland, New Zealand. [email protected] 1 Executive summary The EdDSA signature scheme is a digital signature based on the Elliptic Curve Discrete Logarithm Problem (ECDLP). It was proposed by Bernstein, Duif, Lange, Schwabe and Yang in 2012 [18]. It builds on a long line of discrete logarithm based signature schemes, including Elgamal, Schnorr, DSA, and ECDSA. The security of signature schemes of this type is well-understood, and elliptic curve cryptography is a mature field. My conclusions and opinions: 1. EdDSA is a good design for a signature scheme (except perhaps for the key clamping, see Section 6.1, which seems to cause more difficulties than it provides benefits). 2. EdDSA is more closely related to Schnorr signatures than ECDSA, and so enjoys many of the rigorous security guarantees that are known for Schnorr signatures, including recent work on tight security proofs. 3. Deterministic signatures solve some of the security problems of discrete log signatures, but constant time imple- mentation is still critical in many settings. 4. EdDSA is superior to ECDSA when doing batch verification of a large number of signatures. 5. Curve 25519 provides a high level of security for the next 10-20 years, and 448-bit keys (such as in Ed448) are over-conservative and not recommended. 6. It is unlikely that quantum computers capable of solving 256-bit ECDLP instances can be built within the next 10 years. 7. I am confident that EdDSA using Curve25519 is a good signature scheme for use up to 2030.
    [Show full text]
  • Parallel Approaches for Efficient Scalar Multiplication Over Elliptic
    Parallel Approaches for Efficient Scalar Multiplication over Elliptic Curve Christophe Negre, Jean-Marc Robert To cite this version: Christophe Negre, Jean-Marc Robert. Parallel Approaches for Efficient Scalar Multiplication over Elliptic Curve. SECRYPT, Jul 2015, Colmar, France. pp.202-209, 10.5220/0005512502020209. hal- 01206530 HAL Id: hal-01206530 https://hal.archives-ouvertes.fr/hal-01206530 Submitted on 29 Sep 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Parallel Approaches for Efficient Scalar Multiplication over Elliptic Curve Christophe Negre1 and Jean-Marc Robert1 1 Equipe DALI (Universit´ede Perpignan) and LIRMM (Univ. de Montpellier, CNRS), Perpignan, France fchristophe.negre, [email protected] Keywords: Elliptic curve, parallel implementation, scalar multiplication, prime field, binary field. Abstract: This paper deals with parallel implementation of scalar multiplication over an elliptic curve. We present parallel approaches which split the scalar into two parts for E(Fp) or three parts for E(F2m ) and perform in parallel the scalar multiplication with each part of the scalar. We present timing results of these approaches implemented over an Intel Core i7 for NIST binary curves B233, B409 and for the twisted Edwards curve Curve25519 (Bernstein, 2006).
    [Show full text]