Algebraic Closed Geodesics on a Triaxial Ellipsoid

We propose a simple method of explicit description of families of closed geodesics on a triaxial ellipsoid $Q$ that are cut out by algebraic surfaces in ${\mathbb R}^3$. Such geodesics are either connected components of spatial elliptic curves or rational curves. Our approach is based on elements of the Weierstrass--Poncar\'e reduction theory for hyperelliptic tangential covers of elliptic curves and the addition law for elliptic functions. For the case of 3-fold and 4-fold coverings, explicit formulas for the cutting algebraic surfaces are provided and some properties of the corresponding geodesics are discussed.Comment: 15 figure

Addition law structure of elliptic curves

The study of alternative models for elliptic curves has found recent interest from cryptographic applications, once it was recognized that such models provide more efficiently computable algorithms for the group law than the standard Weierstrass model. Examples of such models arise via symmetries induced by a rational torsion structure. We analyze the module structure of the space of sections of the addition morphisms, determine explicit dimension formulas for the spaces of sections and their eigenspaces under the action of torsion groups, and apply this to specific models of elliptic curves with parametrized torsion subgroups

Arithmetic using compression on elliptic curves in Huff's form and its applications

In this paper for elliptic curves provided by Huff's equation $H_{a,b}: ax(y^2-1) = by(x^2-1)$ and general Huff's equation $G_{\overline{a},\overline{b}}\ :\ {\overline{x}}(\overline{a}{\overline{y}}^2-1)={\overline{y}}(\overline{b}{\overline{x}}^2-1)$ and degree 2 compression function $f(x,y) = xy$ on these curves, herein we provide formulas for doubling and differential addition after compression, which for Huff's curves are as efficient as Montgomery's formulas for Montgomery's curves $By^2 = x^3 + Ax^2 + x$. For these curves we also provided point recovery formulas after compression, which for a point $P$ on these curves allows to compute $[n]f(P)$ after compression using the Montgomery ladder algorithm, and then recover $[n]P$. Using formulas of Moody and Shumow for computing odd degree isogenies on general Huff's curves, we have also provide formulas for computing odd degree isogenies after compression for these curves.Moreover, it is shown herein how to apply obtained formulas using compression to the ECM algorithm. In the appendix, we present examples of Huff's curves convenient for the isogeny-based cryptography, where compression can be used

Arithmetic using compression on elliptic curves in Huff\u27s form and its applications

In this paper for elliptic curves provided by Huff\u27s equation $H_{a,b}: ax(y^2-1) = by(x^2-1)$ and general Huff\u27s equation $G_{\overline{a},\overline{b}}\ :\ {\overline{x}}(\overline{a}{\overline{y}}^2-1)={\overline{y}}(\overline{b}{\overline{x}}^2-1)$ and degree 2 compression function $f(x,y) = xy$ on these curves, herein we provide formulas for doubling and differential addition after compression, which for Huff\u27s curves are as efficient as Montgomery\u27s formulas for Montgomery\u27s curves $By^2 = x^3 + Ax^2 + x$. For these curves we also provided point recovery formulas after compression, which for a point $P$ on these curves allows to compute $[n]f(P)$ after compression using the Montgomery ladder algorithm, and then recover $[n]P$. Using formulas of Moody and Shumow for computing odd degree isogenies on general Huff\u27s curves, we have also provide formulas for computing odd degree isogenies after compression for these curves.Moreover, it is shown herein how to apply obtained formulas using compression to the ECM algorithm. In the appendix, we present examples of Huff\u27s curves convenient for the isogeny-based cryptography, where compression can be used

The projective translation equation and unramified 2-dimensional flows with rational vector fields

Let X=(x,y). Previously we have found all rational solutions of the 2-dimensional projective translation equation, or PrTE, (1-z)f(X)=f(f(Xz)(1-z)/z); here f(X)=(u(x,y),v(x,y)) is a pair of two (real or complex) functions. Solutions of this functional equation are called projective flows. A vector field of a rational flow is a pair of 2-homogenic rational functions. On the other hand, only special pairs of 2-homogenic rational functions give rise to rational flows. In this paper we are interested in all non-singular (satisfying the boundary condition) and unramified (without branching points, i.e. single-valued functions in C^2\{union of curves}) projective flows whose vector field is still rational. We prove that, up to conjugation with 1-homogenic birational plane transformation, these are of 6 types: 1) the identity flow; 2) one flow for each non-negative integer N - these flows are rational of level N; 3) the level 1 exponential flow, which is also conjugate to the level 1 tangent flow; 4) the level 3 flow expressable in terms of Dixonian (equianharmonic) elliptic functions; 5) the level 4 flow expressable in terms of lemniscatic elliptic functions; 6) the level 6 flow expressable in terms of Dixonian elliptic functions again. This reveals another aspect of the PrTE: in the latter four cases this equation is equivalent and provides a uniform framework to addition formulas for exponential, tangent, or special elliptic functions (also addition formulas for polynomials and the logarithm, though the latter appears only in branched flows). Moreover, the PrTE turns out to have a connection with Polya-Eggenberger urn models. Another purpose of this study is expository, and we provide the list of open problems and directions in the theory of PrTE; for example, we define the notion of quasi-rational projective flows which includes curves of arbitrary genus.Comment: 34 pages, 2 figure

Curves, codes, and cryptography

This thesis deals with two topics: elliptic-curve cryptography and code-based cryptography. In 2007 elliptic-curve cryptography received a boost from the introduction of a new way of representing elliptic curves. Edwards, generalizing an example from Euler and Gauss, presented an addition law for the curves x2 + y2 = c2(1 + x2y2) over non-binary fields. Edwards showed that every elliptic curve can be expressed in this form as long as the underlying field is algebraically closed. Bernstein and Lange found fast explicit formulas for addition and doubling in coordinates (X : Y : Z) representing (x, y) = (X/Z, Y/Z) on these curves, and showed that these explicit formulas save time in elliptic-curve cryptography. It is easy to see that all of these curves are isomorphic to curves x2 + y2 = 1 + dx2y2 which now are called "Edwards curves" and whose shape covers considerably more elliptic curves over a finite field than x2 + y2 = c2(1 + x2y2). In this thesis the Edwards addition law is generalized to cover all curves ax2 +y2 = 1+dx2y2 which now are called "twisted Edwards curves." The fast explicit formulas for addition and doubling presented here are almost as fast in the general case as they are for the special case a = 1. This generalization brings the speed of the Edwards addition law to every Montgomery curve. Tripling formulas for Edwards curves can be used for double-base scalar multiplication where a multiple of a point is computed using a series of additions, doublings, and triplings. The use of double-base chains for elliptic-curve scalar multiplication for elliptic curves in various shapes is investigated in this thesis. It turns out that not only are Edwards curves among the fastest curve shapes, but also that the speed of doublings on Edwards curves renders double bases obsolete for this curve shape. Elliptic curves in Edwards form and twisted Edwards form can be used to speed up the Elliptic-Curve Method for integer factorization (ECM). We show how to construct elliptic curves in Edwards form and twisted Edwards form with large torsion groups which are used by the EECM-MPFQ implementation of ECM. Code-based cryptography was invented by McEliece in 1978. The McEliece public-key cryptosystem uses as public key a hidden Goppa code over a finite field. Encryption in McEliece’s system is remarkably fast (a matrix-vector multiplication). This system is rarely used in implementations. The main complaint is that the public key is too large. The McEliece cryptosystem recently regained attention with the advent of post-quantum cryptography, a new field in cryptography which deals with public-key systems without (known) vulnerabilities to attacks by quantum computers. The McEliece cryptosystem is one of them. In this thesis we underline the strength of the McEliece cryptosystem by improving attacks against it and by coming up with smaller-key variants. McEliece proposed to use binary Goppa codes. For these codes the most effective attacks rely on information-set decoding. In this thesis we present an attack developed together with Daniel J. Bernstein and Tanja Lange which uses and improves Stern’s idea of collision decoding. This attack is faster by a factor of more than 150 than previous attacks, bringing it within reach of a moderate computer cluster. We were able to extract a plaintext from a ciphertext by decoding 50 errors in a [1024, 524] binary code. The attack should not be interpreted as destroying the McEliece cryptosystem. However, the attack demonstrates that the original parameters were chosen too small. Building on this work the collision-decoding algorithm is generalized in two directions. First, we generalize the improved collision-decoding algorithm for codes over arbitrary fields and give a precise analysis of the running time. We use the analysis to propose parameters for the McEliece cryptosystem with Goppa codes over fields such as F31. Second, collision decoding is generalized to ball-collision decoding in the case of binary linear codes. Ball-collision decoding is asymptotically faster than any previous attack against the McEliece cryptosystem. Another way to strengthen the system is to use codes with a larger error-correction capability. This thesis presents "wild Goppa codes" which contain the classical binary Goppa codes as a special case. We explain how to encrypt and decrypt messages in the McEliece cryptosystem when using wild Goppa codes. The size of the public key can be reduced by using wild Goppa codes over moderate fields which is explained by evaluating the security of the "Wild McEliece" cryptosystem against our generalized collision attack for codes over finite fields. Code-based cryptography not only deals with public-key cryptography: a code-based hash function "FSB"was submitted to NIST’s SHA-3 competition, a competition to establish a new standard for cryptographic hashing. Wagner’s generalized birthday attack is a generic attack which can be used to find collisions in the compression function of FSB. However, applying Wagner’s algorithm is a challenge in storage-restricted environments. The FSBday project showed how to successfully mount the generalized birthday attack on 8 nodes of the Coding and Cryptography Computer Cluster (CCCC) at Technische Universiteit Eindhoven to find collisions in the toy version FSB48 which is contained in the submission to NIST

Efficient and Complete Formulas for Binary Curves

Binary elliptic curves are elliptic curves defined over finite fields of characteristic 2. On software platforms that offer carryless multiplication opcodes (e.g. pclmul on x86), they have very good performance. However, they suffer from some drawbacks, in particular that non-supersingular binary curves have an even order, and that most known formulas for point operations have exceptional cases that are detrimental to safe implementation. In this paper, we show how to make a prime order group abstraction out of standard binary curves. We describe a new canonical compression scheme that yields a canonical and compact encoding. We also describe complete formulas for operations on the group. The formulas have no exceptional case, and are furthermore faster than previously known complete and incomplete formulas (general point addition in cost 8M+2S+2mb on all curves, 7M+2S+2mb on half of the curves). We also show how the same formulas can be applied to computations on the entire original curve, if full backward compatibility with standard curves is needed. Finally, we implemented our method over the standard NIST curves B-233 and K-233. Our strictly constant-time code achieves generic point multiplication by a scalar on curve K-233 in as little as 29600 clock cycles on an Intel x86 CPU (Coffee Lake core)

Efficient Montgomery-like formulas for general Huff\u27s and Huff\u27s elliptic curves and their applications to the isogeny-based cryptography

In this paper for elliptic curves provided by Huff\u27s equation $H_{a,b}: ax(y^2-1) = by(x^2-1)$ and general Huff\u27s equation $G_{\overline{a},\overline{b}}\ :\ {\overline{x}}(\overline{a}{\overline{y}}^2-1)={\overline{y}}(\overline{b}{\overline{x}}^2-1)$ and degree 2 compression function $f(x,y) = xy$ on these curves, herein we provide formulas for doubling and differential addition after compression, which for Huff\u27s curves are as efficient as Montgomery\u27s formulas for Montgomery\u27s curves $By^2 = x^3 + Ax^2 + x$. For these curves we also provided point recovery formulas after compression, which for a point $P$ on these curves allows to compute $[n]f(P)$ after compression using the Montgomery ladder algorithm, and then recover $[n]P$. Using formulas of Moody and Shumow for computing odd degree isogenies on general Huff\u27s curves, we have also provide formulas for computing odd degree isogenies after compression for these curves. Moreover, it is shown herein how to apply obtained formulas using compression to the ECM algorithm. In the appendix, we present examples of Huff\u27s curves convenient for the isogeny-based cryptography, where compression can be used

Isogenies of Elliptic Curves: A Computational Approach

Isogenies, the mappings of elliptic curves, have become a useful tool in cryptology. These mathematical objects have been proposed for use in computing pairings, constructing hash functions and random number generators, and analyzing the reducibility of the elliptic curve discrete logarithm problem. With such diverse uses, understanding these objects is important for anyone interested in the field of elliptic curve cryptography. This paper, targeted at an audience with a knowledge of the basic theory of elliptic curves, provides an introduction to the necessary theoretical background for understanding what isogenies are and their basic properties. This theoretical background is used to explain some of the basic computational tasks associated with isogenies. Herein, algorithms for computing isogenies are collected and presented with proofs of correctness and complexity analyses. As opposed to the complex analytic approach provided in most texts on the subject, the proofs in this paper are primarily algebraic in nature. This provides alternate explanations that some with a more concrete or computational bias may find more clear.Comment: Submitted as a Masters Thesis in the Mathematics department of the University of Washingto

Faster computation of the Tate pairing

This paper proposes new explicit formulas for the doubling and addition step in Miller's algorithm to compute the Tate pairing. For Edwards curves the formulas come from a new way of seeing the arithmetic. We state the first geometric interpretation of the group law on Edwards curves by presenting the functions which arise in the addition and doubling. Computing the coefficients of the functions and the sum or double of the points is faster than with all previously proposed formulas for pairings on Edwards curves. They are even competitive with all published formulas for pairing computation on Weierstrass curves. We also speed up pairing computation on Weierstrass curves in Jacobian coordinates. Finally, we present several examples of pairing-friendly Edwards curves.Comment: 15 pages, 2 figures. Final version accepted for publication in Journal of Number Theor