60 research outputs found
Combined small subgroups and side-channel attack on elliptic curves with cofactor divisible by
Nowadays, alternative models of elliptic curves such as Montgomery, Edwards, twisted Edwards, Hessian, twisted Hessian, Huff's curves and many others are very popular, and many people use them in cryptosystems based on elliptic curve cryptography. Most of these models allow fast and complete arithmetic, which is especially convenient in fast implementations that are resistant to side-channel attacks. Montgomery, Edwards and twisted Edwards curves always have a group of rational points whose order is divisible by 4. Huff's curves always have a group of rational points whose order is divisible by 8. Moreover, to get fast and efficient implementations one sometimes chooses an elliptic curve with an even bigger cofactor, for example 16. Of course, the bigger the cofactor is, the smaller the security of a cryptosystem which uses such an elliptic curve. In this article we examine what influence the form of the cofactor of an elliptic curve has on security, and we show that in some situations elliptic curves with cofactor divisible by are vulnerable to combined small subgroup and side-channel attacks.
How to compute an isogeny on the extended Jacobi quartic curves?
Computing isogenies between elliptic curves is a significant part of post-quantum cryptography with many practical applications (for example, in the SIDH, SIKE, B-SIDH, or CSIDH algorithms). Compared to other post-quantum algorithms, the main advantages of these protocols are smaller keys, an idea similar to that of ECDH, and a large base of expertise about elliptic curves. The main disadvantage of isogeny-based cryptosystems is their computational efficiency: they are slower than other post-quantum algorithms (e.g., lattice-based ones). That is why so much effort has been put into improving the hitherto known methods of computing isogenies between elliptic curves. In this paper, we present new formulas for computing isogenies between elliptic curves in the extended Jacobi quartic form with two methods: by transforming such curves into the short Weierstrass model, computing an isogeny in this form and then transforming back into the initial model, or by computing an isogeny directly between two extended Jacobi quartics.
Completion of the causal completability problem
We give a few results concerning the notions of causal completability and causal closedness of classical probability spaces (Hofer-Szabó et al. [1999]; Gyenis and Rédei [2004]). We prove that (i) any classical probability space has a causally closed extension; (ii) any finite classical probability space with positive rational probabilities on the atoms of the event algebra can be extended to a causally up-to-three-closed finite space; and (iii) any classical probability space can be extended to a space in which all correlations between events that are logically independent modulo measure zero events have a countably infinite common-cause system. Collectively, these results show that it is surprisingly easy to find Reichenbach-style 'explanations' for correlations, underlining doubts as to whether this approach can yield a philosophically relevant account of causality.
A New Notion of Causal Closedness
In recent years part of the literature on probabilistic causality concerned notions stemming from Reichenbach’s idea of explaining correlations between not directly causally related events by referring to their common causes. A few related notions have been introduced, e.g. that of a “common cause system” (Hofer-Szabó and Rédei in Int J Theor Phys 43(7/8):1819–1826, 2004) and “causal (N-)closedness” of probability spaces (Gyenis and Rédei in Found Phys 34(9):1284–1303, 2004; Hofer-Szabó and Rédei in Found Phys 36(5):745–756, 2006). In this paper we introduce a new and natural notion similar to causal closedness and prove a number of theorems which can be seen as extensions of earlier results from the literature. Most notably we prove that a finite probability space is causally closed in our sense iff its measure is uniform. We also present a generalisation of this result to a class of non-classical probability spaces
Dutch books and nonclassical probability spaces
We investigate how Dutch Book considerations can be conducted in the context of two classes of nonclassical probability spaces used in philosophy of physics. In particular we show that a recent proposal by B. Feintzeig to find so called "generalized probability spaces" which would not be susceptible to a Dutch Book and would not possess a classical extension is doomed to fail. Noting that the particular notion of a nonclassical probability space used by Feintzeig is not the most common employed in philosophy of physics, and that his usage of the "classical" Dutch Book concept is not appropriate in "nonclassical" contexts, we then argue that if we switch to the more frequently used formalism and use the correct notion of a Dutch Book, then all probability spaces are not susceptible to a Dutch Book. We also settle a hypothesis regarding the existence of classical extensions of a class of generalized probability spaces
Practical solving of discrete logarithm problem over prime fields using quantum annealing
This paper investigates how to reduce the discrete logarithm problem over prime fields to the QUBO problem using as few logical qubits as possible. We show different methods of reducing the discrete logarithm problem over prime fields to the QUBO problem. In the best case, if is the bit length of the characteristic of the prime field , approximately logical qubits are required for such a reduction. We present practical attacks on the discrete logarithm problem over the -bit prime field , over the -bit prime field and over the -bit prime field . We solved these problems using the D-Wave Advantage QPU. It is worth noting that, to our knowledge, until now no one has carried out a practical attack on the discrete logarithm problem over a prime field using quantum methods.
Faster point scalar multiplication on NIST elliptic curves over GF(p) using (twisted) Edwards curves over GF(p³)
In this paper we present a new method for fast scalar multiplication on elliptic curves over GF(p) in FPGA using Edwards and twisted Edwards curves over GF(p³). The presented solution works for curves with prime group order (for example, for all NIST curves over GF(p)). It is possible because 2-isogenous twisted Edwards curves over GF(p³) are used for point scalar multiplication instead of short Weierstrass curves over GF(p). This problem was considered by Verneuil in [1], but in software solutions it is useless, because multiplication in GF(p³) is much harder than multiplication in GF(p). Fortunately, in hardware solutions it is possible to implement fast multiplication in GF(p³) in FPGA using parallel computations. A single multiplication in GF(p³) is still a little slower than in GF(p), but operations on twisted Edwards curves require fewer multiplications than operations on short Weierstrass curves. As a result, scalar multiplication on a twisted Edwards curve may in some situations be up to 26% faster than scalar multiplication on a short Weierstrass curve. Moreover, in Edwards and twisted Edwards curve arithmetic it is possible to use a unified formula (the same formula for point addition and point doubling), which protects against some kinds of side-channel attacks. We also present a full coprocessor for fast scalar multiplication in FPGA using the described techniques.
Faster arithmetic on elliptic curves using Fp2. Application to GLV-GLS and NIST elliptic curves over Fp isomorphic to twisted Hessian curves over fields extension
In this article we present how fast F_{p²} multiplication can be used to speed up arithmetic on elliptic curves. We use parallel computations for multiplication in F_{p²}, which is then not much slower than multiplication in F_{p}. We show two applications of this method.
In the first, we show that using twisted Edwards curves over F_{p²} with a fast computable endomorphism (the GLV-GLS method) may nowadays be one of the fastest (or even the fastest) solutions in hardware applications.
In the second, we show how point scalar multiplication on the NIST P-224 and NIST P-256 curves can be sped up. We use the field extension F_{p²} to find twisted Hessian curves over F_{p²} isomorphic to these curves. Our solution is faster than classic solutions by up to 28.5% for NIST P-256 and up to 27.2% for NIST P-224 if we consider solutions resistant to side-channel attacks. We can also use different formulas for point doubling and point addition, in which case our solution is faster by up to 21.4% for NIST P-256 and up to 19.9% for NIST P-224 compared to classic solutions.
- …