vorapong suppakitpaisarn [email protected] , eng. 6 room 363
DESCRIPTION
Discrete Methods in Mathematical Informatics Lecture 5 : Elliptic Curve Cryptography Implementation(I) 8 th January 2012. Vorapong Suppakitpaisarn [email protected] , Eng. 6 Room 363 Download Slide: http://misojiro.t.u-tokyo.ac.jp/~vorapong/. Course Information . Grading. - PowerPoint PPT PresentationTRANSCRIPT
Discrete Methods in Mathematical InformaticsLecture 5: Elliptic Curve Cryptography
Implementation(I)8th January 2012
Vorapong [email protected], Eng. 6 Room 363
Download Slide: http://misojiro.t.u-tokyo.ac.jp/~vorapong/
Course Information 10/9 – Elliptic Curve I (2 Exercises)
(What is Elliptic Curve?)
10/16 – Elliptic Curve II (1 Exercises)
(Elliptic Curve Cryptography[1])
10/23 – Elliptic Curve III (2 Exercises)
(Elliptic Curve Cryptography[2])
10/30 – Cancelled
11/6 – Online Algorithm I (Prof. Han)
11/13 – Online Algorithm II (Prof. Han)
11/20 – Cancelled
11/27 – Elliptic Curve IV (1 Exercises)
(ECC Implementation I)
12/4 – Cancelled
12/11 – Computational Game Theory I
(Prof. Gurvich)
12/18 – Computational Game Theory II
(Prof. Elbassioni)
1/8 – Elliptic Curve V (3 Exercises)
(ECC Implementation II)
1/15 – Cancelled (Monday Schedule)
1/22~ – SAT Problem (Prof. Makino)
Schedule
For my part, you need to submit 2 Reports.
- Report 1: Select 3 from 6 exercises in Elliptic Curve I – III
Submission Deadline: 14 November
- Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V
Submission Deadline: January 22nd
- Submit your report in this lecture room before the class
begins.
Grading
Elliptic Curve Cryptography
Field Arithmetic
Inversion Field Compute
Squaring Field Compute
tionMultiplica Field Compute
1
2 mod
mod
-
p
apa
pab a,b Z
Elliptic Curve Arithmetic
1133
212
3
12
12
33
2211
)(
),(),(),,(
yxxmyxxmx
xxyym
yxQPyxQyxP
where
Point Addition
A = -4, B = 4
Scalar Multiplication
Compute rP = 14P
r = 14 = (0 1 1 1 0)2
P 3P 7P 14P
6P2P 14PO
2 Point Additions
3 Point Doubles
ECC Protocol
Generate P 2 E(F)
Generate positive integers a
Receive Q = bP
Compute aQ = abP
Receive P
Receive S = aP
Generate positive integer b
Compute bS = abP
P
aP
bP
Last Time
This Time
Scalar Multiplication and Binary Representation
• Scalar Multiplication on Elliptic Curve Cryptography
S = P + P + … + P = rP
when r1 is positive integer, S,P is a member of the curve• Double-and-add method• Let r = 14 = (01110)2
Compute rP = 14P r = 14 = (0 1 1 1 0)2 Weight = 3
P 3P 7P 14P
6P2P 14P
3 – 1 = 2 Point Additions
4 – 1 = 3 Point Doubles
r times
O
For [0,2n
-1], n - 1 times.
Average # of Point Doubles?
For [0,2n
-1], n/2 - 1 times.
(Average Weight = n/2)
Average # of Point Additions?
Redundant Binary Representation• Change Digit Set can help Scalar Multiplication faster• Represent each digit using {0, 1, -1} instead of {0,1}. • Redundant, then use Minimum Weight Conversion to find
Minimum Weight Expansion (the expansion that have the minimum joint weight)
Weight = 2
P 2P 4P 7P
4P2P 8PO
Compute rP = 14P r = 14 = (1 0 0 -1 0)2
14P
14P
2 – 1 = 1 Point Additions
5 – 1 = 4 Point Doubles
3 – 1 = 2 Point Additions
4 – 1 = 3 Point Doubles
For [0,2n
-1], n + o(n) times.
Average # of Point Doubles?
For [0,2n
-1], n/3 + o(n) times.
(Average Weight = n/3 + o(n))
Average # of Point Additions?
For [0,2n
-1],
n - 1 times?
Average # of Point Doubles?
For [0,2n
-1],
n/2 - 1 times?
(Average Weight = n/2)
Average # of Point Additions?
Non-Adjacent Form
S = (sn-1 sn-2 … s0) is Non-Adjacent Form (NAF) of positive integer r iff
Definition
2.-0 for niss ii 01
S is Minimum Weight {0, ±1}-Expansion of r if S is Non-Adjacent Form of r
Optimality
S = (sn-1 sn-2 … s0) is DS-Expansion of positive integer r iff
Definition
1,- 0 for ntDs St ,0
1
2n
t
ttsr
S = (sn-1 sn-2 … s0) is Minimum Weight DS-Expansion of positive integer r iff
Definition
)()'( ,' ,of Expansion- all for SWSWS rDS
14 of Expansion-1}{0, is 0) 1 1 1 (0 14 of Expansion-1}{0, is 0) 1- 0 0 (1 14 of Expansion-1}{0, is 0) 1 1- 0 (1
and , of Expansion-1} {0, is rS
AlgorithmSimple Fact
122...8421 1 nn
22 1)- 0 0 (11) 1 1 (0
22 1)- 0 ... 0 (11) ... 1 1 (0 n - 1 consecutive 1’s n - 2 consecutive 0’s
Ex
Example
20) 1 1 1 1 0 1 1 1 (0 478 1 0 0 0 -11 0 0 0 -1
Algorithm
)...(
)...0(
021
021
rrrrRr
sssSr
nnn
nn
Integer of Form Adjacent-Non :
Integer of Expansion-{0,1} :
Output
Input
0.1 t do While nt .2
trs tt then If ,00
20,1
01
1
1
ttrr
ss
tt
tt
then and If
}0|min{11 1
c
tt
stcckss
and then and If
1tskctsc for 0
ktsk ,1 For [0,2
n-1], n/3 + o(n) times.
(Average Weight = n/3 + o(n))
Average # of Point Additions?
Markov Chain
w-NAF
S = (sn-1 sn-2 … s0) is Non-Adjacent Form (NAF) of positive integer r iff
Definition
2.-0 for niss ii 01
S is Minimum Weight {0, ±1}-Expansion of r if S is Non-Adjacent Form of r
Optimality
S = (sn-1 sn-2 … s0) is DS-Expansion of positive integer r iff
Definition
1,- 0 for ntDs St ,0
1
2n
t
ttsr
S = (sn-1 sn-2 … s0) is Minimum Weight DS-Expansion of positive integer r iff
Definition
)()'( ,' ,of Expansion- all for SWSWS rDS
and , of Expansion-1} {0, is rS
S = (sn-1 sn-2 … s0) is w-NAF of positive integer r iff
and , of Expansion-1)}-(2 , ... 5, 3, 1, {0, is rS w
number. zero-non is that one most at is there econsecutiv 1 any for ,...,ssssw wii i i 21,,
Definition
w-NAF of positive integer r is also NAF of r when w = 1
S is Minimum Weight {0, ±1, … , (2w
-1)}-Expansion of r if S is w-NAF of r
Optimality
Exercise 7Algorithm
)...( 0321 rrrrRrw
r
wnwnwn Integer of NAF- :
Integer Positive :
OutputInput
1 :8
:7
0 else :6 - :5
2 mods :4
then 1 2) mod ( if :3do 0) ( While:2
0 : 1
tt
rr
rrrr
rrr
rt
t
t
wt
2
1
otherwise22 mod 22 mod if2 mod
2 mods 11
111
)( ww
wwww
rrr
r
Exercise 7
. of NAF-outputs algorithm the thatShow 1.
rw
).(]1 nonw
rw n
2
1 is [0,2 of NAF-
of weightaverage the thatShow 2.
Memory and Speed
P 3P 7P 14P
6P2P 14PO
Compute rP = 14P
r = 14 = (0 1 1 1 0)2
online computed be Can (x,-y)P- y),(x,P If- and withpoint the add weNAF, In
.PP
memory. in store and compute-pre to Need
fromeasily compute cannot We
withpoint the add weNAF,- In
PPPPP
PPPw
w
w
w
)12(,...,3
.)12(,...,3
.)12(,...,3,
Average Weight {0, ±1, ±3, … , ±(2h+1)}
Digit Set Average Weight
{0, ±1}9 states
[Egecioglu 94]
{0, ±1, ±3}38 states[Muir 04]
{0, ±1, ±3, ±5} 70 states
[Moller 05]
{0, ±1,±3, ±5,±7} 119 states
[Moller 05]
{0, ±1,±3, ±5,±7,±9} 160 states
[Moller 05]
{0, ±1,±3, ±5,±7,±9,
±11}207 states[Moller 05]
nn 2222.092
nn 2.051
nn 1904.0214
nn 1818.0112
nn 3333.031
nn 25.041
Average Number of Additions
(Average Weight)
of r in [0,2n
-1] representing using
digit set {0, ±1, ±3, … , ±(2h+1)}
is
when
Theorem [Moller 05]
n tends to infinite
1212 1 ww hw that such integer an is
nhw w
w
)1(2)1(2
Average Number of Additions
(Average Weight)
of r in [0,2n
-1] representing using
digit set {0, ±1, ±3, … , ±(2w
-1)}
is
Theorem [Muir 04]
nw 2
1
n tends to infinite
r-radix Representation
0 0 -1 0)2(114 =
O
P
2P 4P 8P 14P
2P 4P 7P 14P
24
23
22
21
20
Base 2
1 -1 -1 -1)2(014 =
O3P 6P 15P
P 2P 5P 14P
34
33
32
31
30
Base 3
1 Point Additions
4 Point Doubles
3 Point Additions
3 Point Triples
Field with characteristic 3 (eg. F397) is used
in fast Pairing implementation.
[Barreto, Kim, Lynn, Scott CRYPTO2002]
[Galbraith, Harrison, Soldera ANTS, 2002]
[Granger, Page, Stam 2004]
In the field, point triple is very fast operation.
[Takagi, Reis, Yen, Wu, IEICE Trans., 2006]
Average Weight for 3-radix {0, ±1, ±2, … , ±h}
Digit Set Average Weight
{0, ±1}
{0, ±1, ±2}[Joye, Yen 04]
{0, ±1, ±2, ±4} [Takagi, Jeis, Yen, Wu 06]
{0, ±1,±2, ±4,±5} [New Result]
{0, ±1,±2, ±4,±5±7}
[New Result]
{0, ±1,±2, ±4,±5,±7,
±8} [Joye, Yen 04]
nn 4.052
nn 375.083
nn 3478.0238
nn 3333.031
nn 6667.032
nn 5.021
Average Number of Additions
(Average Weight)
of r in [0,2n
-1] representing using digit
set {0, ±1, ±3, … , ±(3w
-1)/2} – 3Z
is
Theorem [Takagi, Jeis, Yen, Wu 06]
n tends to infinite
nw 12
2
Average Number of Additions
(Average Weight)
of r in [0,2n
-1] representing using
digit set {0, ±1, ±2, … , ±(3w
-1)} – 3Z
is
Theorem [Joye, Yen 04]
nw 1
1
n tends to infinite
Our Observation
Average Number of Additions
(Average Weight)
of r in [0,2n
-1] representing using
digit set {0, ±1, ±2, … , ±h} – 3Z
is
when
when
when
nhw w
w
)13)(1(13
1
1
,32
13mod1 1
ww
hh1-3 and
nhw w
w
2)13)(1(13
1
1
,2
1313mod1
ww hh 1-3 and
nhw w
w
13)1(3
1
1
.2
132
13mod2
ww
hh1-3 and
We also found the relation for
4-radix and 6-radix!!!
Double-Base Number System [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]
0 0 -1 0)2(114 =
O
P
2P 4P 8P 14P
2P 4P 7P 14P
24
23
22
21
20
Base 2
1 -1 -1 -1)3(014 =
O3P 6P 15P
P 2P 5P 14P
34
33
32
31
30
Base 3
1 Point Additions
4 Point Doubles
3 Point Additions
3 Point Triples
2434 2433 2432 2431 2430
2334 2333 2332 2331 2330
2234 2233 2232 2231 2230
2134 2133 2132 2131 2130
2034 2033 2032 2031 2030
2434 2433 2432 2431 2430
2334 2333 2332 2331 2330
2234 2233 2232 2231 2230
2134 2133 2132 2131 2130
2034 2033 2032 2031 20301
1
14 = 23
30
+ 21
31
Double-Base Number System (DBNS) [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]
is DS-DBNS of positive integer r iff
Definition
,Skt Ds , ,0
1 1
0, 32
n
t
l
k
ktktsr
10,10,
lkntktsS
2434 2433 2432 2431 2430
2334 2333 2332 2331 2330
2234 2233 2232 2231 2230
2134 2133 2132 2131 2130
2034 2033 2032 2031 20301
1
14 = 23
30
+ 21
31
2434 2433 2432 2431 2430
2334 2333 2332 2331 2330
2234 2233 2232 2231 2230
2134 2133 2132 2131 2130
2034 2033 2032 2031 2030
11
14 = 22
31
+ 21
30
Example
Double-Base Number System (DBNS) [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]
is Minimum Weight DS-DBNS of positive integer r iff
Definition
)()'( ,' ,of Expansion- all for SWSWS rDS 10,10,
lkntktsS
||}0|),{(||)( , ktsktSW Let
In this state, there exists no polynomial-time algorithm to compute
Minimum Weight DS-DBNS.
Note
Theorem
.
nnOrWr n
lg)( 1],[0,2 For
For Single-Base (Base 2,3,…), the weight is in for the average case.
For Double-Base, the weight is in , even for the worst case.
Note
)(n
n
nO lg
Hard to introduce to Scalar
Multiplication
Too General
Scalar Multiplication with DBNS [Meloni, Hasan, CHES2009]
rPS
sS
rP
lkntkt
:
Integer of DBNS , Point :
Output
Input
0,0,
Algorithm
PPP l 1-21 333 : ,...,,compute-Pre
SStPSS
sknt
OS
k
t,k
2 then 0 If :53 :4
that such all for :3 to 1- for :2
1:
10
2434 2433 2432 2431 2430
2334 2333 2332 2331 2330
2234 2233 2232 2231 2230
2134 2133 2132 2131 2130
2034 2033 2032 2031 2030
11
127 = 22
33
+ 21
32
+ 21
30
1
PSPPS
S
54227
0
S 3S : 32t
PSPPS
126263
S 3S : 21t
PPS 127 03S :0t
Need memory to store l elliptic
points
Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]
mm1100 jijiji 323232 k ...
when m10 i...ii and m10 j...jj
Double-Base Number System
With More Restriction
Double Base Number System (DBNS)
Double-Base Number System [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]
2434 2433 2432 2431 2430
2334 2333 2332 2331 2330
2234 2233 2232 2231 2230
2134 2133 2132 2131 2130
2034 2033 2032 2031 20301
1
14 = 23
30
+ 21
31
Double Base Chains (DBC)
2434 2433 2432 2431 2430
2334 2333 2332 2331 2330
2234 2233 2232 2231 2230
2134 2133 2132 2131 2130
2034 2033 2032 2031 2030
11
14 = 223
1 + 2
13
0
2434 2433 2432 2431 2430
2334 2333 2332 2331 2330
2234 2233 2232 2231 2230
2134 2133 2132 2131 2130
2034 2033 2032 2031 2030
11
127 = 223
3 + 2
13
2+ 2
13
01
2434 2433 2432 2431 2430
2334 2333 2332 2331 2330
2234 2233 2232 2231 2230
2134 2133 2132 2131 2130
2034 2033 2032 2031 2030
1
1
127 = 223
3 + 2
13
2+ 2
13
01
Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]
k = 127 = 22
33
+ 213
2 + 2
03
0
Digit 1 0 1 0 0 1
Base 22
33
21
33
21
32
20
32
20
31
30
30
O
P
2P
2P
6P
7P
14P
14P
42P
42P
126P
127P
mm1100 jijiji 323232 k ...
when m10 i...ii and m10 j...jj
2 Point Additions, 2 Point Doubles, 3 Point Triples
Given k
Given Cadd - Computation time of a Point Addition
Given Cdbl - Computation time of a Point Double
Given Ctpl - Computation time of a Point Triple
Find the Chain With Smallest Total Computation Time
Problem
Double-Base Number System
With More Restriction
Similar to Double-and-
add Methods
Algorithms [Suppakitpaisarn, Edahiro, Imai, 2012]
k = 10, Ctpl = 1, Cdbl = 1, Cadd = 1
How to compute kP = 10P
1. Compute 5P
2. Double the point to 10P = 2 . 5P
Plan A
1. Compute 3P
2. Triple the point to 9P = 3 . 3P
3. Add the point with P (9P + P = 10P)
Plan B
Optimize Computation Time of 5P
+ Point Double
= C(5P) + Cdbl = 3 + 1 = 4
CostOptimize Computation Time of 3P
+ Point Triple + Point Addition
= C(3P) + Ctpl + Cadd = 1 + 1 + 1 = 3
Cost
2105
3103
Our R
esults
Algorithm
0032
1010
0132
105
1032
103
0232
102
1132
101
2032
101
• C(k) =min( , ) if k mod 6 == 0
min( , ) if k mod 6 == 1 min( , ) if k mod 6 == 2 min( , ) if k mod 6 == 3
min( , ) if k mod 6 == 4 min( , ) if k mod 6 == 5
C(k/2) + Pdbl
C(k/2) + Pdbl
C(k/2) + Pdbl
C(k/2) + Pdbl + Padd
C(k/2) + Pdbl + Padd
C(k/2) + Pdbl + Padd
C(k/3) + Ptpl
C(k/3) + Ptpl
C(k/3) + Ptpl + Padd
C(k/3) + Ptpl + Padd
infinity
infinity
Dynamic Programming
Time : lg2
k
Memory : lg2
k
1 0 0
3 1
3
Our R
esults
Prime Field (Fp )• Experiments on Inverted Edward Coordinates
[Bernstein, Lange, AAECC 2007]
• Cdbl = 6.2[m], Ctpl = 12.2[m], Cadd = 9.8[m]
Algorithm 192 bits 256 bits 320 bits 384 bits 512 bitsNAF[Egecioglu, Koc, Theo. Comp. Sci., 1994]
1817.6 2423.5 3029.3 3635.2 4241.1
Ternary/Binary[Dimitrov, Jullien, Miller, Information Processing Letters, 1998]
1761.2 2353.6 2944.9 3537.2 4129.6
DB-Chain[Dimitrov, Imbert, Mishra, Math. of Comp., April 2008]
1725.5 2302.0 2879.1 3455.2 4032.4
Tree-Based Approach[Doche, Habsieger, ACISP 2008, July 2008]
1691.3 2255.8 2821.0 3386.0 3950.3
Optimized DB-Chain[Our Result]
1624.5 2168.2 2710.9 3254.1 3796.3
3.95 % 3.88 % 3.90 % 3.90 % 3.90 %
Our R
esults
Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]
k = 127 = 22
33
+ 213
2 + 2
03
0
Digit 1 0 1 0 0 1
Base 22
33
21
33
21
32
20
32
20
31
30
30
O
P
2P
2P
6P
7P
14P
14P
42P
42P
126P
127P
mm1100 jijiji 323232 k ...
when m10 i...ii and m10 j...jj
2 Point Additions, 2 Point Doubles, 3 Point Triples
Given k
Given Cadd - Computation time of a Point Addition
Given Cdbl - Computation time of a Point Double
Given Ctpl - Computation time of a Point Triple
Find the Chain With Smallest Total Computation Time
Double-Base Number System
With More Restriction
Similar to Double-and-
add Methods
Given k
Given Cadd = 1, Cdbl = 0, Ctpl = 0Find the Chain With Smallest Total Computation Time
Given k
Given Cadd = 1, Cdbl = 0, Ctpl = 0
Find the shortest chain (the chain with smallest number of terms)
Problem
On-Going…DBNS
nnOmkk n
lgmax *
20
Double-Base Chain
Input: k
Output: mk*
Solved by DP [Our Results]
Input: k
Output: mk*
Tractable???
Approximation Algorithm???
kmmm
i
yxk
ii
1
* 32|min
[Dimitrov,
Cooklev, 1995]
and
11
1* 32|
min
jjjj
m
i
yx
k
yyxx
kmm
ii
nmkk n
*20
max[Our Results]
?2
12
0
*
nm
nk
k
n
?lg2
12
0
*
nn
m
nk
k
n
Exercise 8Exercise 8
and , , Let
11
1
* 32|min jjjj
m
i
yxk yyxxkmm ii
5) and when12 to algorithm our Apply :(Hint
thatShow (b)
thatShow (a)
0
FiFF
nOm
nm
ii
kk
kk
n
n
0
max
max
1
*20
*20
Efficiency of Multi-Scalar Multiplication• Multi-Scalar Multiplication on Elliptic Curve Cryptography
S = P + P + … + P + Q + Q + … + Q = r1P + r2Q
when r1, r2 is positive integer, S,P,Q is a member of the curve• General Technique - Double-and-add method• Let r1 = 12 = (01100)2, r2 = 21 = (10101)2
Compute r1P = 12P r1 = 12 = (0 1 1 0 0)2
Compute r2Q = 21Q r2 = 21 = (1 0 1 0 1)2
Weight = 2
Weight = 3
P 3P 6P 12P
6P2P 12P
Q 2Q 5Q 10Q
4Q2Q 10Q 20Q
21Q
4 Point Additions
7 Point Doubles
r1 times r2 times
O
O
Horner’s Method
Shamir’s Trick + Binary Representation [ElGamal, IEEE Trans. on Info. Theory, 1986]• Compute two number together to reduce the
redundant task.• Pre-compute P + Q
r1 = 12 = ( 0 1 1 0 0 )2
r2 = 21 = ( 1 0 1 0 1 )2Q P+2Q 3P+5Q
2P+4Q2Q 6P+10Q 12P+20Q
12P+21Q6P+10Q
Joint Weight = 4
3 Point Additions
4 Point Doubles
O
4 Point Additions
7 Point Doubles
For [0,2n
-1], 0.75n - 1 times.
(Average Weight = 0.75n)
Average # of Point Additions?
Shamir’s Trick + Joint Sparse Form (JSF) [Solinas, Combinatorics and Optimization Research, 2001]
Joint Weight = 3
P+Q 2P+2Q 3P+5Q
4P+4Q2P+2Q 6P+10Q 12P+20Q
12P+21Q6P+10Q
2 Point Additions
4 Point Doubles
• Represent each digit using {0, ±1} instead of {0,1}.
r1 = 12 = ( 1 0 -1 0 0 )2
r2 = 21 = ( 1 0 1 0 1 )2
For [0,2n
-1], 0.5n - 1 times.
(Average Weight = 0.5n)
Average # of Point Additions?
Average Joint Weight of {0, ±1, ±3}
Solinas, Comb. and Opt. Report, 2001
Avanzi, Crypto. e-Print Achieve, 2002
Kuang, Zhu, Zhang, ACNS 2004, 2004
Moller, ICISC 2004, 2004
Dahmen, Okeya, Takagi, IEICE Trans., 2007
Open
Problem
0.3750
0.3712
0.3636
0.3615
Our Result 0.3575
We prove that 0.3575 is the least number
and solve the open problem
Other Results {0, ±1, ±3, … , ±(2h+1)}
h Single Integer
Integer Pair Triple Quadruple
0[Egecioglu 94] [Solinas 01] [Heuberger 07] [Heuberger 07]
1[Muir 04]
[Improved Result][New Result]
2[Moller 05]
[New Result] [New Result]
3[Moller 05] [New Result]
4[Moller 05] [New Result]
5207 states[Moller 05] [New Result]
5.021 5897.0
3923
6424.0179115
3575.0786281
2222.092 3100.0
48269951496396
2.051
1904.0214
1818.0112
2660.0
2574.0
Match existing works3333.0
31
25.041 Improve existing works
New Results
2342.0
4090.0
3529.0
Exercise 9
Let P, Q be points in elliptic curve, and assume that P + Q can be computed much faster if P – Q is known.
(even much faster than point double)
Let T be a computation time for fast addition
(that P – Q is known), and n = max(lg r1, lg r2).
1. Develop an algorithm for computing S = r1P in 2nT with constant number of points stored in memory.
2. Develop an algorithm for computing S = r1P + r2Q in 3nT with constant number of points stored in memory.
Additional score will be given if you can find algorithm faster than 3nT.
Exercise 9
Course Information 10/9 – Elliptic Curve I (2 Exercises)
(What is Elliptic Curve?)
10/16 – Elliptic Curve II (1 Exercises)
(Elliptic Curve Cryptography[1])
10/23 – Elliptic Curve III (2 Exercises)
(Elliptic Curve Cryptography[2])
10/30 – Cancelled
11/6 – Online Algorithm I (Prof. Han)
11/13 – Online Algorithm II (Prof. Han)
11/20 – Cancelled (Friday Schedule)
11/27 – Elliptic Curve IV (1 Exercises)
(ECC Implementation I)
12/4 – Cancelled
12/11 – Computational Game Theory I
(Prof. Gurvich)
12/18 – Computational Game Theory II
(Prof. Elbassioni)
1/8 – Elliptic Curve V (3 Exercises)
(ECC Implementation II)
1/15 – Cancelled (Monday Schedule)
1/22~ – SAT Problem (Prof. Makino)
Schedule
For my part, you need to submit 2 Reports.
- Report 1: Select 3 from 6 exercises in Elliptic Curve I – III
Submission Deadline: 14 November
- Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V
Submission Deadline: January 22nd
- Submit your report in this lecture room before the class
begins.
Grading
Thank you for your attentionPlease feel free to ask questions or comment.