
    The tangent FFT

    The split-radix FFT computes a size-n complex DFT, when n is a large power of 2, using just arithmetic operations on real numbers. This operation count was first announced in 1968, stood unchallenged for more than thirty years, and was widely believed to be best possible. Recently James Van Buskirk posted software demonstrating that the split-radix FFT is not optimal. Van Buskirk’s software computes a size-n complex DFT using only arithmetic operations on real numbers. There are now three papers attempting to explain the improvement from 4 to 34/9: Johnson and Frigo, IEEE Transactions on Signal Processing, 2007; Lundy and Van Buskirk, Computing, 2007; and this paper. This paper presents the "tangent FFT," a straightforward in-place cache-friendly DFT algorithm having exactly the same operation counts as Van Buskirk’s algorithm. This paper expresses the tangent FFT as a sequence of standard polynomial operations, and pinpoints how the tangent FFT saves time compared to the split-radix FFT. This description is helpful not only for understanding and analyzing Van Buskirk’s improvement but also for minimizing the memory-access costs of the FFT

    Faster binary-field multiplication and faster binary-field MACs

    This paper shows how to securely authenticate messages using just 29 bit operations per authenticated bit, plus a constant overhead per message. The authenticator is a standard type of "universal" hash function providing information-theoretic security; what is new is computing this type of hash function at very high speed. At a lower level, this paper shows how to multiply two elements of a field of size $2^{128}$ using just $9062 \approx 71 \cdot 128$ bit operations, and how to multiply two elements of a field of size $2^{256}$ using just $22164 \approx 87 \cdot 256$ bit operations. This performance relies on a new representation of field elements and new FFT-based multiplication techniques. This paper's constant-time software uses just 1.89 Core 2 cycles per byte to authenticate very long messages. On a Sandy Bridge it takes 1.43 cycles per byte, without using Intel's PCLMULQDQ polynomial-multiplication hardware. This is much faster than the speed records for constant-time implementations of GHASH without PCLMULQDQ (over 10 cycles/byte), even faster than Intel's best Sandy Bridge implementation of GHASH with PCLMULQDQ (1.79 cycles/byte), and almost as fast as state-of-the-art 128-bit prime-field MACs using Intel's integer-multiplication hardware (around 1 cycle/byte). Keywords: Performance, FFTs, Polynomial multiplication, Universal hashing, Message authenticatio

    Efficient arithmetic on elliptic curves in characteristic 2

    We present normal forms for elliptic curves over a field of characteristic 2 analogous to Edwards normal form, and determine bases of addition laws, which provide strikingly simple expressions for the group law. We deduce efficient algorithms for point addition and scalar multiplication on these forms. The resulting algorithms apply to any elliptic curve over a field of characteristic 2 with a 4-torsion point, via an isomorphism with one of the normal forms. We deduce algorithms for duplication in time $2M + 5S + 2m_c$ and for addition of points in time $7M + 2S$, where $M$ is the cost of multiplication, $S$ the cost of squaring, and $m_c$ the cost of multiplication by a constant. By a study of the Kummer curves $\mathcal{K} = E/\{\pm1\}$, we develop an algorithm for scalar multiplication with point recovery which computes the multiple of a point $P$ with $4M + 4S + 2m_c + m_t$ per bit, where $m_t$ is multiplication by a constant that depends on $P$

    Using LDGM Codes and Sparse Syndromes to Achieve Digital Signatures

    In this paper, we address the problem of achieving efficient code-based digital signatures with small public keys. The solution we propose exploits sparse syndromes and randomly designed low-density generator matrix codes. Based on our evaluations, the proposed scheme is able to outperform existing solutions, making it possible to achieve considerable security levels with very small public keys. Comment: 16 pages. The final publication is available at springerlink.co

    Elliptic Curve Scalar Multiplication Combining Yao’s Algorithm and Double Bases

    In this paper we propose to take one step back in the use of double base number systems for elliptic curve point scalar multiplication. Using a modified version of Yao’s algorithm, we go back from the popular double base chain representation to a more general double base system. Instead of representing an integer $k$ as $\sum_{i=1}^{n} 2^{b_i} 3^{t_i}$ where $(b_i)$ and $(t_i)$ are two decreasing sequences, we only set a maximum value for both of them. Then, we analyze the efficiency of our new method using different bases and optimal parameters. In particular, we propose for the first time a binary/Zeckendorf representation for integers, providing interesting results. Finally, we provide a comprehensive comparison to state-of-the-art methods, including a large variety of curve shapes and the latest point addition formulae speed-ups

    What fraction of stars formed in infrared galaxies at high redshift?

    Star formation happens in two types of environment: ultraviolet-bright starbursts (like 30 Doradus and HII galaxies at low redshift and Lyman-break galaxies at high redshift) and infrared-bright dust-enshrouded regions (which may be moderately star-forming like Orion in the Galaxy or extreme like the core of Arp 220). In this work I will estimate how many of the stars in the local Universe formed in each type of environment, using observations of star-forming galaxies at all redshifts at different wavelengths and of the evolution of the field galaxy population. Comment: 7 pages, 0 figs, to appear in proceedings of "Starbursts - From 30 Doradus to Lyman break galaxies", edited by Richard de Grijs and Rosa M. Gonzalez Delgado, published by Kluwe

    A faster pseudo-primality test

    We propose a pseudo-primality test using cyclic extensions of $\mathbb{Z}/n\mathbb{Z}$. For every positive integer $k \leq \log n$, this test achieves the security of $k$ Miller-Rabin tests at the cost of $k^{1/2+o(1)}$ Miller-Rabin tests. Comment: Published in Rendiconti del Circolo Matematico di Palermo Journal, Springe

    Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products

    Let $E$ be an elliptic curve, $\mathcal{K}_1$ its Kummer curve $E/\{\pm1\}$, $E^2$ its square product, and $\mathcal{K}_2$ the split Kummer surface $E^2/\{\pm1\}$. The addition law on $E^2$ gives a large endomorphism ring, which induces endomorphisms of $\mathcal{K}_2$. With a view to the practical applications to scalar multiplication on $\mathcal{K}_1$, we study the explicit arithmetic of $\mathcal{K}_2$

    Algebraic Attack against Variants of McEliece with Goppa Polynomial of a Special Form

    In this paper, we present a new algebraic attack against some special cases of Wild McEliece Incognito, a generalization of the original McEliece cryptosystem. This attack does not threaten the original McEliece cryptosystem. We prove that recovering the secret key for such schemes is equivalent to solving a system of polynomial equations whose solutions have the structure of a usual vector space. Consequently, to recover a basis of this vector space, we can greatly reduce the number of variables in the corresponding algebraic system. From these solutions, we can then deduce the basis of a GRS code. Finally, the last step of the cryptanalysis of those schemes corresponds to attacking a McEliece scheme instantiated with particular GRS codes (with a polynomial relation between the support and the multipliers), which can be done in polynomial time thanks to a variant of the Sidelnikov-Shestakov attack. For Wild McEliece & Incognito, we also show that solving the corresponding algebraic system is notably easier in the case of a non-prime base field $\mathbb{F}_q$. To support our theoretical results, we have been able to practically break several parameters defined over a non-prime base field, $q \in \{9, 16, 25, 27, 32\}$, $t < 7$, extension degrees $m \in \{2, 3\}$, security level up to $2^{129}$ against information set decoding, in a few minutes or hours