## Huff’s Model for Elliptic Curves

Citations: | 6 - 2 self |

### BibTeX

@MISC{Joye_huff’smodel,

author = {Marc Joye and Mehdi Tibouchi and Damien Vergnaud},

title = {Huff’s Model for Elliptic Curves},

year = {}

}

### OpenURL

### Abstract

Abstract. This paper revisits a model for elliptic curves over Q introduced by Huff in 1948 to study a diophantine problem. Huff’s model readily extends over fields of odd characteristic. Every elliptic curve over such a field and containing a copy of Z/4Z × Z/2Z is birationally equivalent to a Huff curve over the original field. This paper extends and generalizes Huff’s model. It presents fast explicit formulæ for point addition and doubling on Huff curves. It also addresses the problem of the efficient evaluation of pairings over Huff curves. Remarkably, the so-obtained formulæ feature some useful properties, including completeness and independence of the curve parameters.

### Citations

697 |
Elliptic curve cryptosystems
- Koblitz
- 1987
(Show Context)
Citation Context ...recently, they have been used to devise efficient algorithms for factoring large integers [19, 22] or for primality proving [2, 13, 23]. They also revealed useful in the construction of cryptosystems =-=[18, 20]-=-. In this paper, we develop an elliptic curve model introduced by Huff in 1948 to study a diophantine problem. We present fast explicit formulæ for adding or doubling points on Huff curves. We also de... |

531 |
Use of elliptic curves in cryptography
- Miller
- 1986
(Show Context)
Citation Context ...recently, they have been used to devise efficient algorithms for factoring large integers [19, 22] or for primality proving [2, 13, 23]. They also revealed useful in the construction of cryptosystems =-=[18, 20]-=-. In this paper, we develop an elliptic curve model introduced by Huff in 1948 to study a diophantine problem. We present fast explicit formulæ for adding or doubling points on Huff curves. We also de... |

233 |
Factoring integers with elliptic curves
- Lenstra
- 1987
(Show Context)
Citation Context ... extensively studied in algebraic geometry and number theory since the middle of the nineteenth century. More recently, they have been used to devise efficient algorithms for factoring large integers =-=[19, 22]-=- or for primality proving [2, 13, 23]. They also revealed useful in the construction of cryptosystems [18, 20]. In this paper, we develop an elliptic curve model introduced by Huff in 1948 to study a ... |

162 | Elliptic curves and primality proving
- Atkin, Morain
(Show Context)
Citation Context ...geometry and number theory since the middle of the nineteenth century. More recently, they have been used to devise efficient algorithms for factoring large integers [19, 22] or for primality proving =-=[2, 13, 23]-=-. They also revealed useful in the construction of cryptosystems [18, 20]. In this paper, we develop an elliptic curve model introduced by Huff in 1948 to study a diophantine problem. We present fast ... |

56 | A normal form for elliptic curves
- Edwards
(Show Context)
Citation Context ...to Montgomery, Doche-Icart-Kohel or Edwards (see [6] for an encyclopedic overview of these models). For instance, since 2007, there has been a rapid development of the curves introduced by Edwards in =-=[12]-=- and their use in cryptology. Bernstein and Lange proposed a more general version of these curves in [7] and the inverted Edwards coordinates in [8]. Bernstein, Birkner, Joye, Lange, and Peters studie... |

47 | Efficient implementation of pairing-based cryptosystems
- Barreto, Lynn, et al.
(Show Context)
Citation Context ...dwards curves or Jacobi quartics, Huff curves are represented as plane cubics. This makes Miller’s algorithm, along with a number of improvements proposed for Weierstraß curves (e.g., as presented in =-=[3]-=-), directly applicable to the computation of pairings over Huff curves.4.2 Pairing formulæ for Huff curves Throughout the for-loop of Algorithm 1, the line function is always evaluated at the same po... |

45 | On the Selection of Pairing-Friendly Groups
- Barreto, Lynn, et al.
- 2004
(Show Context)
Citation Context ...the embedding degree k is even, the field Fqk can be represented as Fqk/2(α), where α is any quadratic non-residue in Fqk/2. As a result, Q can be chosen of the form Q = (yQ, zQα) with yQ, zQ ∈ Fqk/2 =-=[4]-=-. To do so, it suffices to pick a point on a quadratic twist of E over Fqk/2 and take its image under the isomorphism over Fqk. Now, for any two points R, P in E(Fq), let ℓR,P denote the rational func... |

36 | Twisted Edwards curves
- Bernstein, Birkner, et al.
- 2008
(Show Context)
Citation Context .... Bernstein and Lange proposed a more general version of these curves in [7] and the inverted Edwards coordinates in [8]. Bernstein, Birkner, Joye, Lange, and Peters studied twisted Edwards curves in =-=[5]-=-. Hisil, Wong, Carter and Dawson proposed extended twisted Edwards coordinates in [14]. Bernstein, Lange, and Farashahi covered the binary case in [9]. The first formulæ for computing pairings over Ed... |

22 | Primality testing using elliptic curves
- Goldwasser, Kilian
- 1999
(Show Context)
Citation Context ...geometry and number theory since the middle of the nineteenth century. More recently, they have been used to devise efficient algorithms for factoring large integers [19, 22] or for primality proving =-=[2, 13, 23]-=-. They also revealed useful in the construction of cryptosystems [18, 20]. In this paper, we develop an elliptic curve model introduced by Huff in 1948 to study a diophantine problem. We present fast ... |

20 |
Twisted edwards curves revisited
- Hı¸sıl, Wong, et al.
- 2008
(Show Context)
Citation Context ...inverted Edwards coordinates in [8]. Bernstein, Birkner, Joye, Lange, and Peters studied twisted Edwards curves in [5]. Hisil, Wong, Carter and Dawson proposed extended twisted Edwards coordinates in =-=[14]-=-. Bernstein, Lange, and Farashahi covered the binary case in [9]. The first formulæ for computing pairings over Edwards curves were published by Das and Sarkar [11]. They were subsequently improved by... |

14 |
Speeding up the Pollard and elliptic curve methods of factorization
- Montgomery
- 1987
(Show Context)
Citation Context ... extensively studied in algebraic geometry and number theory since the middle of the nineteenth century. More recently, they have been used to devise efficient algorithms for factoring large integers =-=[19, 22]-=- or for primality proving [2, 13, 23]. They also revealed useful in the construction of cryptosystems [18, 20]. In this paper, we develop an elliptic curve model introduced by Huff in 1948 to study a ... |

12 | Inverted Edwards coordinates
- Bernstein, Lange
- 2007
(Show Context)
Citation Context ...development of the curves introduced by Edwards in [12] and their use in cryptology. Bernstein and Lange proposed a more general version of these curves in [7] and the inverted Edwards coordinates in =-=[8]-=-. Bernstein, Birkner, Joye, Lange, and Peters studied twisted Edwards curves in [5]. Hisil, Wong, Carter and Dawson proposed extended twisted Edwards coordinates in [14]. Bernstein, Lange, and Farasha... |

12 | The arithmetic of elliptic curves, volume 106 - Silverman - 1986 |

10 | R.: Binary Edwards Curves
- Bernstein, Lange, et al.
(Show Context)
Citation Context ...nge, and Peters studied twisted Edwards curves in [5]. Hisil, Wong, Carter and Dawson proposed extended twisted Edwards coordinates in [14]. Bernstein, Lange, and Farashahi covered the binary case in =-=[9]-=-. The first formulæ for computing pairings over Edwards curves were published by Das and Sarkar [11]. They were subsequently improved by Ionica and Joux [16]. The best implementation to date is due to... |

9 | Elliptic curve cryptography: The serpentine course of a paradigm shift
- Koblitz, Koblitzb, et al.
- 2011
(Show Context)
Citation Context ...ze compared with systems based on either integer factorization or the discrete log problem in the multiplicative group of a finite field, while maintaining the same (heuristic) level of security (see =-=[17]-=- for a recent survey on elliptic curve cryptography). The use of elliptic curves in cryptography makes the key sizes smaller but the arithmetic of the underlying group is more tedious (for example, wi... |

8 |
Diophantine problems in geometry and elliptic ternary forms
- Huff
- 1948
(Show Context)
Citation Context ...due to Arène, Lange, Naehrig, and Ritzenhaler [1]. The present paper is aimed at providing a similar study for a forgotten model of elliptic curves hinted by Huff in 1948. A diophantine problem. Huff =-=[15]-=- considered rational distance sets S (i.e., subsets S of the plane R 2 such that for all s, t ∈ S, the distance between s and t is a rational number) of the following form: given distinct a, b ∈ Q, S ... |

8 | Primality proving using elliptic curves: An update
- Morain
- 1998
(Show Context)
Citation Context ...geometry and number theory since the middle of the nineteenth century. More recently, they have been used to devise efficient algorithms for factoring large integers [19, 22] or for primality proving =-=[2, 13, 23]-=-. They also revealed useful in the construction of cryptosystems [18, 20]. In this paper, we develop an elliptic curve model introduced by Huff in 1948 to study a diophantine problem. We present fast ... |

6 |
Another approach to pairing computation in Edwards coordinates
- Ionica, Joux
- 2011
(Show Context)
Citation Context ...e, and Farashahi covered the binary case in [9]. The first formulæ for computing pairings over Edwards curves were published by Das and Sarkar [11]. They were subsequently improved by Ionica and Joux =-=[16]-=-. The best implementation to date is due to Arène, Lange, Naehrig, and Ritzenhaler [1]. The present paper is aimed at providing a similar study for a forgotten model of elliptic curves hinted by Huff ... |

4 |
Faster computation of the Tate pairing. Cryptology ePrint Archive, Report 2009/155
- Arène, Lange, et al.
- 2009
(Show Context)
Citation Context ...gs over Edwards curves were published by Das and Sarkar [11]. They were subsequently improved by Ionica and Joux [16]. The best implementation to date is due to Arène, Lange, Naehrig, and Ritzenhaler =-=[1]-=-. The present paper is aimed at providing a similar study for a forgotten model of elliptic curves hinted by Huff in 1948. A diophantine problem. Huff [15] considered rational distance sets S (i.e., s... |

4 |
Explicit-formulas database
- Bernstein, Lange
- 2007
(Show Context)
Citation Context ...the mathematical literature: Weierstraß cubics, Jacobi intersections, Hessian curves, Jacobi quartics, or the more recent forms of elliptic curves due to Montgomery, Doche-Icart-Kohel or Edwards (see =-=[6]-=- for an encyclopedic overview of these models). For instance, since 2007, there has been a rapid development of the curves introduced by Edwards in [12] and their use in cryptology. Bernstein and Lang... |

4 |
Pairing computation on twisted Edwards form elliptic curves
- Das, Sarkar
- 2008
(Show Context)
Citation Context ...nded twisted Edwards coordinates in [14]. Bernstein, Lange, and Farashahi covered the binary case in [9]. The first formulæ for computing pairings over Edwards curves were published by Das and Sarkar =-=[11]-=-. They were subsequently improved by Ionica and Joux [16]. The best implementation to date is due to Arène, Lange, Naehrig, and Ritzenhaler [1]. The present paper is aimed at providing a similar study... |

2 |
Elliptic curves and rational distance sets
- Peeples
- 1954
(Show Context)
Citation Context ...2 and x 2 + b 2 = v 2 with u, v ∈ Q. The system of associated homogeneous equations x 2 + a 2 z 2 = u 2 and x 2 + b 2 z 2 = v 2 defines a curve of genus 1 in P 3 . Huff, and later his student Peeples =-=[24]-=-, provided examples where this curve has positive rank over Q, thus exhibiting examples of arbitrarily large rational distance sets of cardinality k > 4 such that exactly k − 4 points are on one line.... |

1 |
The Weil paring, and its efficient implementation
- Miller
(Show Context)
Citation Context ...Q) (qk −1)/n . This definition does not depend on the choice of fP with the appropriate divisor, nor on the class of Q mod [n]E(F q k). In practice, Tn can be computed using a technique due to Miller =-=[21]-=-, in terms of rational functions gR,P depending on P and on a variable point R. Function gR,P is the so-called line function with divisor R + P − O − (R ⊕ P ), which arises in addition formulæ when E ... |