Presentation is loading. Please wait.

Presentation is loading. Please wait.

An x-Coordinate Point Compression Method for Elliptic Curves over Fp

Published byΆγνη Λαγός Modified over 5 years ago

Similar presentations

Presentation on theme: "An x-Coordinate Point Compression Method for Elliptic Curves over Fp"— Presentation transcript:

1 An x-Coordinate Point Compression Method for Elliptic Curves over Fp
2019/7/17 An x-Coordinate Point Compression Method for Elliptic Curves over Fp Author: Alina Dudeanu, George-Razvan Oancea, Sorin Iftene Publisher: IEEE, 12th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, 2010 Presenter: 柯懷貿 Date: 2019/04/17 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C. 1 CSIE CIAL Lab

2 Background Usually, a point P on an elliptic curve over a finite field Fq, is represented by its affine coordinates (Xp , Yp ), thus requiring at most dlog2 bits for its representation. The main idea of point compression is to solve EC equation from when X or Y is known. The classical y-coordinate point compression needs , and the extra bit is used to identify correct value as have two roots. National Cheng Kung University CSIE Computer & Internet Architecture Lab

3 Quadratic Residue If there exists X such that , we , we call d is p’s quadratic residue. For determining if an integer is a quadratic residue, we use following formulas: 1. Fermat‘s little theorem : → 2. Euler‘s Criterion : Since a = X^2, a^((p-1)/2) ≡ X^(p-1) ≡ 1 (mod p is odd), vice versa. We can solve modular quadratic equation by finding square root of a. National Cheng Kung University CSIE Computer & Internet Architecture Lab

4 Tonelli–Shanks Algorithm
Find s, t such that p-1 = t*(2^s), and a random number d, which is not a quadratic residue. (d^((p-1)/2) = -1) Let b = a^((t+1)/2), r = a^t, c = d^t, and we know r^(2^s) = (a^t)^(2^s) = a^((2^s)*t) = a^(p-1) = 1, c^(2^s) = (d^t)^(2^s) = d^((2^s)*t) = d^(p-1) = 1 Let b^2 = a^(t+1) = (a^t)*a = r*a, b is square root of a if r = 1. In the case r is not 1, let (b^2)*(c^(2^(s-i-1))^2) = r*a* (c^(2^(s-i-1))^2) = (b*c^(2^(s-i-1)))^2. We can get b*c^(2^(s-i-1)) is square root of a if r* (c^(2^(s-i-1))^2) is 1. National Cheng Kung University CSIE Computer & Internet Architecture Lab

5 y-Coordinate Compression
The complexity of y-Coordinate Compression is O(1). -y -y ≡ p - y (mod p) The algorithms for computing square roots have worst-case complexity thus, the algorithm y-Coordinate Decompression has the same complexity. National Cheng Kung University CSIE Computer & Internet Architecture Lab

6 Cube Roots If p ≡ 2 (mod 3), because
If p ≡ 1 (mod 3) and a = 1, then a (trivial) cube root of a is 1. Moreover, we can determine a non-trivial cube root of 1 as If p ≡ 1 (mod 3) and a is not 1, then a is a cubic residue if and only if We will consider three subcases: 1. If p ≡ 7 (mod 9), 2. If p ≡ 4 (mod 9), 3. If p ≡ 1 (mod 9) then use the cubic variant of Tonelli-Shanks algorithm. National Cheng Kung University CSIE Computer & Internet Architecture Lab

7 Cubic Tonelli-Shanks Algo.rithm
The other two cube roots can be obtained as follows. Let U be a non-trivial cube root of 1. If is a cube root of a then U* and (U^2)* are also cube roots of a. using Pohlig-Hellman DLA to find k such that National Cheng Kung University CSIE Computer & Internet Architecture Lab

8 Modular Cubic Equation
The most popular polynomial factorization algorithms are Berlekamp with and Cantor-Zassenhaus , where n is the degree of the polynomial. Let us consider the equation with discriminant D = , and when D is not 0, the number of solutions Np is : When D = 0, Np = 3 and solutions are : National Cheng Kung University CSIE Computer & Internet Architecture Lab

9 Modular Cubic Equation with Single Solution
In this case, D is a quadratic non-residue modulo p in Assume , , if and the only solution is : There is an efficient algorithm for evaluating Lucas sequences based on the following properties which costs : National Cheng Kung University CSIE Computer & Internet Architecture Lab

10 Modular Cubic Equation with Three Solution
In this case, D is a quadratic residue modulo p in Assume , , if and there are three solutions for p ≡ 1 (mod 3) when existing Y such that Also, we can get a cubic residue 4(b − y), with three cube roots (z0, z1, z2) indicating three solutions of a cubic equation: The part of p ≡ 2 (mod 3) is rather complicated and thus we omit it. National Cheng Kung University CSIE Computer & Internet Architecture Lab

11 Modular Cubic Equation Algorithm
The most time-consuming part is computing square roots and cube roots. Thus, the worst-case complexity of the algorithm is National Cheng Kung University CSIE Computer & Internet Architecture Lab

12 x-Coordinate Point Compression
The size of the compressed point is at most for The main idea is to sort the solutions of the cubic and identify the component Xp by its index. National Cheng Kung University CSIE Computer & Internet Architecture Lab

13 x-Coordinate Point Compression
In our compression algorithm, because Xp ∈ {(00),(01),(10)}, we may use (11) to signal whether a cubic equation is a quadratic non-residue - thus, computing the discriminant is not required in the decompression phase. The worst-case complexities of x-Coordinate Compression and x-Coordinate Decompression algorithm are the same, namely We have to remark that in case of the equations with p ≡ 1 (mod 3) : The following are available: National Cheng Kung University CSIE Computer & Internet Architecture Lab

14 Experiments The implementation is written in Visual Studio 2008 on a Intel Core 2 Duo, running on a 2.53 GHz Dell laptop, under Windows 7 operating system. We have compared our algorithms with the algorithms implemented in NTL lib in case of solving cubic equations or finding a cube root. The average times have been measured in milliseconds. For the case of cubic equations with a single solution, we have implemented a binary algorithm for computing the Lucas number and we have compared our Cubic Equation algorithm with FindRoot from NTL lib. National Cheng Kung University CSIE Computer & Internet Architecture Lab

15 Experiments In case p ≡ 1 (mod 3) and the discriminant is a quadratic residue (the cubic equation has three solutions), we have compared our Cubic Equation algorithm with FindRoots from NTL. The results are presented in Table II. Finally, we have compared our Cubic Tonelli-Shanks algorithm (denoted as CTS) with FindRoot from NTL for the case of computing a cube root. The results are presented in Table III. National Cheng Kung University CSIE Computer & Internet Architecture Lab

Download ppt "An x-Coordinate Point Compression Method for Elliptic Curves over Fp"

Similar presentations

Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.

Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.
Optimizing Regular Expression Matching with SR-NFA on Multi-Core Systems Authors : Yang, Y.E., Prasanna, V.K. Yang, Y.E. Prasanna, V.K. Publisher : Parallel.

Optimizing Regular Expression Matching with SR-NFA on Multi-Core Systems Authors : Yang, Y.E., Prasanna, V.K. Yang, Y.E. Prasanna, V.K. Publisher : Parallel.
An Efficient Regular Expressions Compression Algorithm From A New Perspective Authors : Tingwen Liu,Yifu Yang,Yanbing Liu,Yong Sun,Li Guo Tingwen LiuYifu.

An Efficient Regular Expressions Compression Algorithm From A New Perspective Authors : Tingwen Liu,Yifu Yang,Yanbing Liu,Yong Sun,Li Guo Tingwen LiuYifu.
Computability and Complexity

Computability and Complexity
Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou

Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Efficient generation of cryptographically strong elliptic curves Shahar Papini Michael Krel Instructor : Barukh Ziv 1.

Efficient generation of cryptographically strong elliptic curves Shahar Papini Michael Krel Instructor : Barukh Ziv 1.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Introduction Polynomials

Introduction Polynomials
Chapter 4 – Finite Fields Introduction  will now introduce finite fields  of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public.

Chapter 4 – Finite Fields Introduction  will now introduce finite fields  of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public.
Dan Boneh Intro. Number Theory Modular e’th roots Online Cryptography Course Dan Boneh.

Dan Boneh Intro. Number Theory Modular e’th roots Online Cryptography Course Dan Boneh.
Topic 18: RSA Implementation and Security

Topic 18: RSA Implementation and Security
Peter Lam Discrete Math CS.  Sometimes Referred to Clock Arithmetic  Remainder is Used as Part of Value ◦ i.e Clocks  24 Hours in a Day However, Time.

Peter Lam Discrete Math CS.  Sometimes Referred to Clock Arithmetic  Remainder is Used as Part of Value ◦ i.e Clocks  24 Hours in a Day However, Time.
Let’s do some Further Maths

Let’s do some Further Maths

High-Performance Packet Classification on GPU Author: Shijie Zhou, Shreyas G. Singapura and Viktor K. Prasanna Publisher: HPEC 2014 Presenter: Gang Chi.

High-Performance Packet Classification on GPU Author: Shijie Zhou, Shreyas G. Singapura and Viktor K. Prasanna Publisher: HPEC 2014 Presenter: Gang Chi.
Selecting Class Polynomials for the Generation of Elliptic Curves Elisavet Konstantinou joint work with Aristides Kontogeorgis Department of Information.

Selecting Class Polynomials for the Generation of Elliptic Curves Elisavet Konstantinou joint work with Aristides Kontogeorgis Department of Information.
Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:

Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:
Scalable Many-field Packet Classification on Multi-core Processors Authors : Yun R. Qu, Shijie Zhou, Viktor K. Prasanna Publisher : International Symposium.

Scalable Many-field Packet Classification on Multi-core Processors Authors : Yun R. Qu, Shijie Zhou, Viktor K. Prasanna Publisher : International Symposium.

Similar presentations

Ads by Google