Discrete Methods in Mathematical Informatics
Lecture 5: Elliptic Curve Cryptography Implementation (I), 8th January 2012
Vorapong Suppakitpaisarn, vorapong@mist.i.u-tokyo.ac.jp, Eng. 6 Room 363
Download Slide: http://misojiro.t.u-tokyo.ac.jp/~vorapong/

Feb 24, 2016

Page 1: Vorapong Suppakitpaisarn vorapong@mist.i.u-tokyo.ac.jp , Eng. 6 Room 363

Discrete Methods in Mathematical Informatics
Lecture 5: Elliptic Curve Cryptography Implementation (I)
8th January 2012

Vorapong Suppakitpaisarn, vorapong@mist.i.u-tokyo.ac.jp, Eng. 6 Room 363

Download Slide: http://misojiro.t.u-tokyo.ac.jp/~vorapong/

Page 2:

Course Information

Schedule
10/9 – Elliptic Curve I (2 Exercises) (What is Elliptic Curve?)
10/16 – Elliptic Curve II (1 Exercise) (Elliptic Curve Cryptography[1])
10/23 – Elliptic Curve III (2 Exercises) (Elliptic Curve Cryptography[2])
10/30 – Cancelled
11/6 – Online Algorithm I (Prof. Han)
11/13 – Online Algorithm II (Prof. Han)
11/20 – Cancelled
11/27 – Elliptic Curve IV (1 Exercise) (ECC Implementation I)
12/4 – Cancelled
12/11 – Computational Game Theory I (Prof. Gurvich)
12/18 – Computational Game Theory II (Prof. Elbassioni)
1/8 – Elliptic Curve V (3 Exercises) (ECC Implementation II)
1/15 – Cancelled (Monday Schedule)
1/22~ – SAT Problem (Prof. Makino)

Grading
For my part, you need to submit 2 Reports.
- Report 1: Select 3 from 6 exercises in Elliptic Curve I – III. Submission Deadline: 14 November
- Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V. Submission Deadline: January 22nd
- Submit your report in this lecture room before the class begins.

Page 3:

Elliptic Curve Cryptography

Field Arithmetic ($a, b \in \mathbb{Z}$)
• Compute Field Multiplication: $ab \bmod p$
• Compute Field Squaring: $a^2 \bmod p$
• Compute Field Inversion: $a^{-1} \bmod p$

Elliptic Curve Arithmetic
Point Addition: $P = (x_1, y_1)$, $Q = (x_2, y_2)$, $P + Q = (x_3, y_3)$, where
$m = \dfrac{y_2 - y_1}{x_2 - x_1}$, $x_3 = m^2 - x_1 - x_2$, $y_3 = m(x_1 - x_3) - y_1$
A = -4, B = 4

Scalar Multiplication
Compute rP = 14P, r = 14 = (0 1 1 1 0)_2
O → P → 2P → 3P → 6P → 7P → 14P
2 Point Additions
3 Point Doubles

ECC Protocol
First party: Generate P ∈ E(F). Generate positive integer a. Receive Q = bP. Compute aQ = abP.
Second party: Receive P. Receive S = aP. Generate positive integer b. Compute bS = abP.
Messages exchanged: P, aP, bP

Last Time

This Time

Scalar Multiplication and Binary Representation

• Scalar Multiplication on Elliptic Curve Cryptography

S = P + P + … + P = rP

when r1 is positive integer, S,P is a member of the curve• Double-and-add method• Let r = 14 = (01110)2

Compute rP = 14P r = 14 = (0 1 1 1 0)2 Weight = 3

P 3P 7P 14P

6P2P 14P

3 – 1 = 2 Point Additions

4 – 1 = 3 Point Doubles

r times

O

For [0,2n

-1], n - 1 times.

Average # of Point Doubles?

For [0,2n

-1], n/2 - 1 times.

(Average Weight = n/2)

Average # of Point Additions?

Page 5:

Redundant Binary Representation

• Changing the digit set can make scalar multiplication faster.
• Represent each digit using {0, 1, -1} instead of {0,1}.
• The representation is redundant, so use Minimum Weight Conversion to find the Minimum Weight Expansion (the expansion that has the minimum joint weight).

Compute rP = 14P, r = 14 = (1 0 0 -1 0)_2, Weight = 2
O → P → 2P → 4P → 8P → 7P → 14P
2 – 1 = 1 Point Addition
5 – 1 = 4 Point Doubles
Average # of Point Doubles? For [0, $2^n - 1$], n + o(n) times.
Average # of Point Additions? For [0, $2^n - 1$], n/3 + o(n) times. (Average Weight = n/3 + o(n))

Binary representation (from the previous slide):
3 – 1 = 2 Point Additions
4 – 1 = 3 Point Doubles
Average # of Point Doubles? For [0, $2^n - 1$], n - 1 times?
Average # of Point Additions? For [0, $2^n - 1$], n/2 - 1 times? (Average Weight = n/2)

Page 6:

Non-Adjacent Form

Definition
S = ($s_{n-1}$ $s_{n-2}$ … $s_0$) is $D_S$-Expansion of positive integer r iff
$s_t \in D_S$ for $0 \le t \le n-1$, and $r = \sum_{t=0}^{n-1} s_t 2^t$

(0 1 1 1 0) is {0, ±1}-Expansion of 14
(1 0 0 -1 0) is {0, ±1}-Expansion of 14
(1 0 -1 1 0) is {0, ±1}-Expansion of 14

Definition
S = ($s_{n-1}$ $s_{n-2}$ … $s_0$) is Minimum Weight $D_S$-Expansion of positive integer r iff
for all $D_S$-Expansions $S'$ of r, $W(S') \ge W(S)$

Definition
S = ($s_{n-1}$ $s_{n-2}$ … $s_0$) is Non-Adjacent Form (NAF) of positive integer r iff
S is {0, ±1}-Expansion of r, and $s_i s_{i+1} = 0$ for $0 \le i \le n-2$.

Optimality
S is Minimum Weight {0, ±1}-Expansion of r if S is Non-Adjacent Form of r

Page 7:

Algorithm

Simple Fact
$1 + 2 + 4 + 8 + \dots + 2^{n-1} = 2^n - 1$
$(0\ 1\ 1\ 1)_2 = (1\ 0\ 0\ {-1})_2$
$(0\ 1\ 1\ \dots\ 1)_2 = (1\ 0\ \dots\ 0\ {-1})_2$, with n - 1 consecutive 1's on the left and n - 2 consecutive 0's on the right

Example
478 = (0 1 1 1 0 1 1 1 1 0)_2, with runs rewritten as 1 0 0 0 -1 and 1 0 0 0 -1

Algorithm
Input: {0,1}-Expansion of Integer r: $S = (0\ s_{n-1}\ s_{n-2} \dots s_0)$
Output: Non-Adjacent Form of Integer r: $R = (r_n\ r_{n-1}\ r_{n-2} \dots r_0)$

0.1 t do While nt .2

trs tt then If ,00

20,1

01

1

1

ttrr

ss

tt

tt

then and If

}0|min{11 1

c

tt

stcckss

and then and If

1tskctsc for 0

ktsk ,1

Average # of Point Additions? For [0, $2^n - 1$], n/3 + o(n) times. (Average Weight = n/3 + o(n))

Markov Chain

Page 8:

w-NAF

Definition
S = ($s_{n-1}$ $s_{n-2}$ … $s_0$) is $D_S$-Expansion of positive integer r iff
$s_t \in D_S$ for $0 \le t \le n-1$, and $r = \sum_{t=0}^{n-1} s_t 2^t$

Definition
S = ($s_{n-1}$ $s_{n-2}$ … $s_0$) is Minimum Weight $D_S$-Expansion of positive integer r iff
for all $D_S$-Expansions $S'$ of r, $W(S') \ge W(S)$

Definition
S = ($s_{n-1}$ $s_{n-2}$ … $s_0$) is Non-Adjacent Form (NAF) of positive integer r iff
S is {0, ±1}-Expansion of r, and $s_i s_{i+1} = 0$ for $0 \le i \le n-2$.

Optimality
S is Minimum Weight {0, ±1}-Expansion of r if S is Non-Adjacent Form of r

Definition
S = ($s_{n-1}$ $s_{n-2}$ … $s_0$) is w-NAF of positive integer r iff
S is {0, ±1, ±3, ±5, …, ±($2^w - 1$)}-Expansion of r, and
for any w + 1 consecutive digits $s_i, s_{i+1}, s_{i+2}, \dots, s_{i+w}$, there is at most one that is a non-zero number.

w-NAF of positive integer r is also NAF of r when w = 1

Optimality
S is Minimum Weight {0, ±1, …, ±($2^w - 1$)}-Expansion of r if S is w-NAF of r

Page 9:

Exercise 7

Algorithm
Input: Positive Integer r
Output: w-NAF of Integer r: $R = (r_{n+w-1}\ r_{n+w-2}\ r_{n+w-3} \dots r_0)$

1: $t \leftarrow 0$
2: While ($r > 0$) do
3:   if ($r \bmod 2$) = 1 then
4:     $r_t \leftarrow r \text{ mods } 2^{w+1}$
5:     $r \leftarrow r - r_t$
6:   else $r_t \leftarrow 0$
7:   $r \leftarrow r / 2$
8:   $t \leftarrow t + 1$

where
$r \text{ mods } 2^{w+1} = r \bmod 2^{w+1}$ if $r \bmod 2^{w+1} < 2^w$, and $(r \bmod 2^{w+1}) - 2^{w+1}$ otherwise

Exercise 7
1. Show that the algorithm outputs w-NAF of r.
2. Show that the average weight of w-NAF of r in [0, $2^n - 1$] is $\frac{1}{w+2} n + o(n)$.

Memory and Speed

Compute rP = 14P, r = 14 = (0 1 1 1 0)_2
O → P → 2P → 3P → 6P → 7P → 14P

- In NAF, we add the point with P and -P. If P = (x, y), -P = (x, -y). Can be computed online.
- In w-NAF, we add the point with ±P, ±3P, …, ±($2^w - 1$)P.
We cannot compute 3P, …, ($2^w - 1$)P easily from P.
Need to pre-compute and store 3P, …, ($2^w - 1$)P in memory.
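The digit recoding of the Exercise 7 algorithm (w = 1 gives the NAF of the earlier slides) and the left-to-right evaluation drawn in the 14P diagrams, as an added Python example that is not code from the lecture. The toy curve y^2 = x^3 + 2x + 3 over F_97, the point (3, 6) and all function names are assumptions made for this illustration; operation counts skip the work before the first non-zero digit, as the slides do.

```python
# Toy curve, constructed for this example: y^2 = x^3 + 2x + 3 over F_97.
P_MOD, A = 97, 2
O = None                       # point at infinity
G = (3, 6)                     # on the curve: 6^2 = 36 = 3^3 + 2*3 + 3

def add(P, Q):
    """Affine point addition: chord slope as on the recap slide, tangent for doubling."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O               # P + (-P)
    if P == Q:                 # tangent slope
        m = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:                      # m = (y2 - y1) / (x2 - x1)
        m = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    m %= P_MOD
    x3 = (m * m - x1 - x2) % P_MOD
    return (x3, (m * (x1 - x3) - y1) % P_MOD)

def neg(P):
    """-P = (x, -y); cheap enough to compute online."""
    return O if P is O else (P[0], -P[1] % P_MOD)

def binary(r):
    return [int(b) for b in bin(r)[2:]]

def wnaf(r, w):
    """Digits of r, most significant first, from {0, ±1, ±3, ..., ±(2^w - 1)}."""
    digits, mod = [], 1 << (w + 1)
    while r > 0:
        if r % 2 == 1:
            d = r % mod
            if d >= mod // 2:  # "mods": signed residue in (-2^w, 2^w)
                d -= mod
            r -= d
        else:
            d = 0
        digits.append(d)
        r //= 2
    return digits[::-1]

def scalar_mult(digits, P):
    """Left-to-right double-and-add over signed digits.
    Returns (rP, additions, doubles)."""
    table, two_p = {1: P}, add(P, P)
    for d in range(3, max(map(abs, digits), default=1) + 1, 2):
        table[d] = add(table[d - 2], two_p)      # pre-computed 3P, 5P, ...
    S, adds, dbls, started = O, 0, 0, False
    for d in digits:
        if started:
            S, dbls = add(S, S), dbls + 1
        if d:
            T = table[d] if d > 0 else neg(table[-d])
            adds += started
            S, started = add(S, T), True
    return S, adds, dbls
```

For r = 14 the binary digits cost 2 additions and 3 doubles, the NAF digits 1 addition and 4 doubles; larger w lowers the addition count further at the price of the stored table.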

Page 10:

Average Weight {0, ±1, ±3, … , ±(2h+1)}

| Digit Set | States | Reference | Average Weight |
|---|---|---|---|
| {0, ±1} | 9 states | [Egecioglu 94] | $\frac{1}{3} n \approx 0.3333n$ |
| {0, ±1, ±3} | 38 states | [Muir 04] | $\frac{1}{4} n = 0.25n$ |
| {0, ±1, ±3, ±5} | 70 states | [Moller 05] | $\frac{2}{9} n \approx 0.2222n$ |
| {0, ±1, ±3, ±5, ±7} | 119 states | [Moller 05] | $\frac{1}{5} n = 0.2n$ |
| {0, ±1, ±3, ±5, ±7, ±9} | 160 states | [Moller 05] | $\frac{4}{21} n \approx 0.1904n$ |
| {0, ±1, ±3, ±5, ±7, ±9, ±11} | 207 states | [Moller 05] | $\frac{2}{11} n \approx 0.1818n$ |

Theorem [Moller 05]
Average Number of Additions (Average Weight) of r in [0, $2^n - 1$] represented using digit set {0, ±1, ±3, … , ±(2h+1)} is
$\dfrac{2^w}{2^w (w+1) + 2(h+1)}\, n$
when n tends to infinity, where w is an integer such that $2^{w-1} - 1 \le h \le 2^w - 1$.

Theorem [Muir 04]
Average Number of Additions (Average Weight) of r in [0, $2^n - 1$] represented using digit set {0, ±1, ±3, … , ±($2^w - 1$)} is
$\dfrac{1}{w+2}\, n$
when n tends to infinity.

Page 11:

r-radix Representation

Base 2 (digit positions $2^4\ 2^3\ 2^2\ 2^1\ 2^0$)
14 = (1 0 0 -1 0)_2
O → P → 2P → 4P → 8P → 7P → 14P
1 Point Addition
4 Point Doubles

Base 3 (digit positions $3^4\ 3^3\ 3^2\ 3^1\ 3^0$)
14 = (0 1 -1 -1 -1)_3
O → P → 3P → 2P → 6P → 5P → 15P → 14P
3 Point Additions
3 Point Triples

Field with characteristic 3 (e.g. $F_{3^{97}}$) is used in fast Pairing implementation.
[Barreto, Kim, Lynn, Scott CRYPTO2002]
[Galbraith, Harrison, Soldera ANTS, 2002]
[Granger, Page, Stam 2004]

In the field, point triple is a very fast operation.
[Takagi, Reis, Yen, Wu, IEICE Trans., 2006]

Page 12:

Average Weight for 3-radix {0, ±1, ±2, … , ±h}

| Digit Set | Reference | Average Weight |
|---|---|---|
| {0, ±1} | | $\frac{2}{3} n \approx 0.6667n$ |
| {0, ±1, ±2} | [Joye, Yen 04] | $\frac{1}{2} n = 0.5n$ |
| {0, ±1, ±2, ±4} | [Takagi, Reis, Yen, Wu 06] | $\frac{2}{5} n = 0.4n$ |
| {0, ±1, ±2, ±4, ±5} | [New Result] | $\frac{3}{8} n = 0.375n$ |
| {0, ±1, ±2, ±4, ±5, ±7} | [New Result] | $\frac{8}{23} n \approx 0.3478n$ |
| {0, ±1, ±2, ±4, ±5, ±7, ±8} | [Joye, Yen 04] | $\frac{1}{3} n \approx 0.3333n$ |

Theorem [Takagi, Reis, Yen, Wu 06]
Average Number of Additions (Average Weight) of r in [0, $2^n - 1$] represented using digit set {0, ±1, ±3, … , ±($3^w - 1$)/2} – 3Z is
$\dfrac{2}{2w+1}\, n$
when n tends to infinity.

Theorem [Joye, Yen 04]
Average Number of Additions (Average Weight) of r in [0, $2^n - 1$] represented using digit set {0, ±1, ±2, … , ±($3^w - 1$)} – 3Z is
$\dfrac{1}{w+1}\, n$
when n tends to infinity.

Our Observation
Average Number of Additions (Average Weight) of r in [0, $2^n - 1$] represented using digit set {0, ±1, ±2, … , ±h} – 3Z is

when

when

when

nhw w

w

)13)(1(13

1

1

,32

13mod1 1

ww

hh1-3 and

nhw w

w

2)13)(1(13

1

1

,2

1313mod1

ww hh 1-3 and

nhw w

w

13)1(3

1

1

.2

132

13mod2

ww

hh1-3 and

We also found the relation for

4-radix and 6-radix!!!

Page 13:

Double-Base Number System [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]

Base 2 (digit positions $2^4\ 2^3\ 2^2\ 2^1\ 2^0$)
14 = (1 0 0 -1 0)_2
O → P → 2P → 4P → 8P → 7P → 14P
1 Point Addition
4 Point Doubles

Base 3 (digit positions $3^4\ 3^3\ 3^2\ 3^1\ 3^0$)
14 = (0 1 -1 -1 -1)_3
O → P → 3P → 2P → 6P → 5P → 15P → 14P
3 Point Additions
3 Point Triples

[Figure: 5 × 5 grid of the terms $2^i 3^j$ for i, j = 0, …, 4, shown empty and with the terms of the expansion marked 1]
$14 = 2^3 3^0 + 2^1 3^1$

Page 14:

Double-Base Number System (DBNS) [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]

Definition
$S = \langle s_{t,k} \rangle_{0 \le t \le n-1,\ 0 \le k \le l-1}$ is $D_S$-DBNS of positive integer r iff
$s_{t,k} \in D_S$, and $r = \sum_{t=0}^{n-1} \sum_{k=0}^{l-1} s_{t,k}\, 2^t 3^k$

Example
[Figure: 5 × 5 grid of the terms $2^i 3^j$ for i, j = 0, …, 4, with the terms of the expansion marked 1]
$14 = 2^3 3^0 + 2^1 3^1$
[Figure: the same grid with a second choice of terms marked 1]
$14 = 2^2 3^1 + 2^1 3^0$

Page 15:

Double-Base Number System (DBNS) [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]

Definition
Let $W(S) = |\{(t,k) \mid s_{t,k} \ne 0\}|$.
$S = \langle s_{t,k} \rangle_{0 \le t \le n-1,\ 0 \le k \le l-1}$ is Minimum Weight $D_S$-DBNS of positive integer r iff
for all $D_S$-DBNS $S'$ of r, $W(S') \ge W(S)$

Note
At present, there is no polynomial-time algorithm to compute Minimum Weight $D_S$-DBNS.

Theorem
For r in [0, $2^n - 1$], $W(r) \in O\!\left(\frac{n}{\lg n}\right)$.

Note
For Single-Base (Base 2,3,…), the weight is in $\Theta(n)$ for the average case.
For Double-Base, the weight is in $O\!\left(\frac{n}{\lg n}\right)$, even for the worst case.

Too General
Hard to introduce to Scalar Multiplication

Page 16:

Scalar Multiplication with DBNS [Meloni, Hasan, CHES2009]

Algorithm
Input: Point P, DBNS of Integer r: $S = \langle s_{t,k} \rangle_{0 \le t < n,\ 0 \le k < l}$
Output: S = rP

Pre-compute: $3^1 P, 3^2 P, \dots, 3^{l-1} P$
1: $S \leftarrow O$
2: for $t \leftarrow n - 1$ to 0
3:   for all k such that $s_{t,k} \ne 0$
4:     $S \leftarrow S + 3^k P$
5:   If $t \ne 0$ then $S \leftarrow 2S$

[Figure: 5 × 5 grid of the terms $2^i 3^j$ for i, j = 0, …, 4, with the terms of the expansion marked 1]
$127 = 2^2 3^3 + 2^1 3^2 + 2^0 3^0$

S = O
t = 2: $S \leftarrow S + 3^3 P = 27P$, $S \leftarrow 2S = 54P$
t = 1: $S \leftarrow S + 3^2 P = 63P$, $S \leftarrow 2S = 126P$
t = 0: $S \leftarrow S + 3^0 P = 127P$

Need memory to store l elliptic points

Page 17:

Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]

$k = 2^{i_0} 3^{j_0} + 2^{i_1} 3^{j_1} + \dots + 2^{i_m} 3^{j_m}$
when $i_0 \ge i_1 \ge \dots \ge i_m$ and $j_0 \ge j_1 \ge \dots \ge j_m$

Double-Base Number System With More Restriction

Page 18:

Double Base Number System (DBNS)

Double-Base Number System [Dimitrov, Cooklev, IEEE Trans. on Circuits and Systems, 1995]
[Figure: 5 × 5 grid of the terms $2^i 3^j$ for i, j = 0, …, 4, with the terms of the expansion marked 1]
$14 = 2^3 3^0 + 2^1 3^1$

Double Base Chains (DBC)
[Figure: the same grid with the terms of the chain marked 1]
$14 = 2^2 3^1 + 2^1 3^0$
[Figure: the same grid with the terms of the chain marked 1, shown twice]
$127 = 2^2 3^3 + 2^1 3^2 + 2^0 3^0$

Page 19:

Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]

$k = 2^{i_0} 3^{j_0} + 2^{i_1} 3^{j_1} + \dots + 2^{i_m} 3^{j_m}$
when $i_0 \ge i_1 \ge \dots \ge i_m$ and $j_0 \ge j_1 \ge \dots \ge j_m$
Double-Base Number System With More Restriction
Similar to Double-and-add Methods

$k = 127 = 2^2 3^3 + 2^1 3^2 + 2^0 3^0$

| Base | $2^2 3^3$ | $2^1 3^3$ | $2^1 3^2$ | $2^0 3^2$ | $2^0 3^1$ | $2^0 3^0$ |
|---|---|---|---|---|---|---|
| Digit | 1 | 0 | 1 | 0 | 0 | 1 |

O → P → 2P → 2P → 6P → 7P → 14P → 14P → 42P → 42P → 126P → 127P
2 Point Additions, 2 Point Doubles, 3 Point Triples

Problem
Given k
Given Cadd - Computation time of a Point Addition
Given Cdbl - Computation time of a Point Double
Given Ctpl - Computation time of a Point Triple
Find the Chain With Smallest Total Computation Time

Page 20:

Algorithms [Suppakitpaisarn, Edahiro, Imai, 2012] (Our Results)

k = 10, Ctpl = 1, Cdbl = 1, Cadd = 1
How to compute kP = 10P

Plan A ($\lfloor 10/2 \rfloor = 5$)
1. Compute 5P
2. Double the point to 10P = 2 · 5P
Cost = Optimized Computation Time of 5P + Point Double
= C(5P) + Cdbl = 3 + 1 = 4

Plan B ($\lfloor 10/3 \rfloor = 3$)
1. Compute 3P
2. Triple the point to 9P = 3 · 3P
3. Add the point with P (9P + P = 10P)
Cost = Optimized Computation Time of 3P + Point Triple + Point Addition
= C(3P) + Ctpl + Cadd = 1 + 1 + 1 = 3

Page 21:

Algorithm (Our Results)

Subproblems for k = 10, with their costs:
$\lfloor 10 / (2^0 3^0) \rfloor = 10$, cost 3
$\lfloor 10 / (2^1 3^0) \rfloor = 5$, cost 3
$\lfloor 10 / (2^0 3^1) \rfloor = 3$, cost 1
$\lfloor 10 / (2^2 3^0) \rfloor = 2$, cost 1
$\lfloor 10 / (2^1 3^1) \rfloor = 1$, cost 0
$\lfloor 10 / (2^0 3^2) \rfloor = 1$, cost 0

• C(k) =
min( C(k/2) + Pdbl , C(k/3) + Ptpl ) if k mod 6 == 0
min( C(k/2) + Pdbl + Padd , C(k/3) + Ptpl + Padd ) if k mod 6 == 1
min( C(k/2) + Pdbl , infinity ) if k mod 6 == 2
min( C(k/2) + Pdbl + Padd , C(k/3) + Ptpl ) if k mod 6 == 3
min( C(k/2) + Pdbl , C(k/3) + Ptpl + Padd ) if k mod 6 == 4
min( C(k/2) + Pdbl + Padd , infinity ) if k mod 6 == 5

Dynamic Programming
Time : $\lg^2 k$
Memory : $\lg^2 k$
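The recurrence for C(k), memoized and extended to return the chain itself, as an added Python example (not the authors' implementation). Function names are assumptions for the illustration, and k/2 and k/3 are taken as integer division, which is how the k = 10 walk-through reads.

```python
from functools import lru_cache

# Costs in field multiplications quoted for inverted Edwards coordinates.
INVERTED_EDWARDS = dict(c_add=9.8, c_dbl=6.2, c_tpl=12.2)

def optimal_chain(k, c_add=1, c_dbl=1, c_tpl=1):
    """Cheapest way to reach kP from P with doubles, triples and '+P'.
    Returns (cost, ops); ops are applied to P from left to right."""
    if k < 1:
        raise ValueError("k must be a positive integer")

    @lru_cache(maxsize=None)
    def best(n):
        if n == 1:
            return 0, ()
        # Halving branch: n = 2*(n // 2) + (n % 2).
        cost, ops = best(n // 2)
        options = [(cost + c_dbl + (n % 2) * c_add,
                    ops + ("dbl",) + ("add",) * (n % 2))]
        # Thirding branch: n = 3*(n // 3) + (n % 3); remainder 2 would need
        # '+2P', which the recurrence rules out ("infinity").
        if n % 3 != 2:
            cost, ops = best(n // 3)
            options.append((cost + c_tpl + (n % 3) * c_add,
                            ops + ("tpl",) + ("add",) * (n % 3)))
        return min(options, key=lambda o: o[0])

    return best(k)

def replay(ops):
    """Multiple of P reached by applying ops to P."""
    v = 1
    for op in ops:
        v = v * 2 if op == "dbl" else v * 3 if op == "tpl" else v + 1
    return v

def chain_terms(ops):
    """Exponent pairs (i, j), leading term first, with k = sum of 2^i 3^j."""
    terms, i, j = [], 0, 0
    for op in reversed(ops):
        if op == "add":
            terms.append((i, j))
        elif op == "dbl":
            i += 1
        else:
            j += 1
    terms.append((i, j))       # the starting point P itself
    return terms[::-1]
```

With unit costs, `optimal_chain(10)` reproduces Plan B and `optimal_chain(127)` costs 7, the same total as the 2 additions, 2 doubles and 3 triples of the 127P chain; passing `**INVERTED_EDWARDS` weights the three operations by the quoted field-multiplication counts.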

Page 22:

Prime Field ($F_p$) (Our Results)

• Experiments on Inverted Edward Coordinates [Bernstein, Lange, AAECC 2007]
• Cdbl = 6.2[m], Ctpl = 12.2[m], Cadd = 9.8[m]

| Algorithm | 192 bits | 256 bits | 320 bits | 384 bits | 512 bits |
|---|---|---|---|---|---|
| NAF [Egecioglu, Koc, Theo. Comp. Sci., 1994] | 1817.6 | 2423.5 | 3029.3 | 3635.2 | 4241.1 |
| Ternary/Binary [Dimitrov, Jullien, Miller, Information Processing Letters, 1998] | 1761.2 | 2353.6 | 2944.9 | 3537.2 | 4129.6 |
| DB-Chain [Dimitrov, Imbert, Mishra, Math. of Comp., April 2008] | 1725.5 | 2302.0 | 2879.1 | 3455.2 | 4032.4 |
| Tree-Based Approach [Doche, Habsieger, ACISP 2008, July 2008] | 1691.3 | 2255.8 | 2821.0 | 3386.0 | 3950.3 |
| Optimized DB-Chain [Our Result] | 1624.5 | 2168.2 | 2710.9 | 3254.1 | 3796.3 |
| Improvement over Tree-Based Approach | 3.95 % | 3.88 % | 3.90 % | 3.90 % | 3.90 % |

Page 23:

Double-Base Chain [Dimitrov, Imbert, Mishra, Math of Computation, 2008]

$k = 2^{i_0} 3^{j_0} + 2^{i_1} 3^{j_1} + \dots + 2^{i_m} 3^{j_m}$
when $i_0 \ge i_1 \ge \dots \ge i_m$ and $j_0 \ge j_1 \ge \dots \ge j_m$
Double-Base Number System With More Restriction
Similar to Double-and-add Methods

$k = 127 = 2^2 3^3 + 2^1 3^2 + 2^0 3^0$

| Base | $2^2 3^3$ | $2^1 3^3$ | $2^1 3^2$ | $2^0 3^2$ | $2^0 3^1$ | $2^0 3^0$ |
|---|---|---|---|---|---|---|
| Digit | 1 | 0 | 1 | 0 | 0 | 1 |

O → P → 2P → 2P → 6P → 7P → 14P → 14P → 42P → 42P → 126P → 127P
2 Point Additions, 2 Point Doubles, 3 Point Triples

Problem
Given k
Given Cadd - Computation time of a Point Addition
Given Cdbl - Computation time of a Point Double
Given Ctpl - Computation time of a Point Triple
Find the Chain With Smallest Total Computation Time

Given k
Given Cadd = 1, Cdbl = 0, Ctpl = 0
Find the Chain With Smallest Total Computation Time

Given k
Given Cadd = 1, Cdbl = 0, Ctpl = 0
Find the shortest chain (the chain with smallest number of terms)

Page 24:

On-Going…

DBNS [Dimitrov, Cooklev, 1995]
$m_k^* = \min\left\{ m \;\middle|\; k = \sum_{i=1}^{m} 2^{x_i} 3^{y_i} \right\}$
$\max_{0 \le k < 2^n} m_k^* \in O\!\left(\frac{n}{\lg n}\right)$
Input: k
Output: $m_k^*$
Tractable???
Approximation Algorithm???

Double-Base Chain
$m_k^* = \min\left\{ m \;\middle|\; k = \sum_{i=1}^{m} 2^{x_i} 3^{y_i},\ x_j \ge x_{j+1} \text{ and } y_j \ge y_{j+1} \right\}$
Input: k
Output: $m_k^*$
Solved by DP [Our Results]

nmkk n

*20

max[Our Results]

?2

12

0

*

nm

nk

k

n

?lg2

12

0

*

nn

m

nk

k

n

Page 25:

Exercise 8

Let $m_k^* = \min\left\{ m \;\middle|\; k = \sum_{i=1}^{m} 2^{x_i} 3^{y_i},\ x_j \ge x_{j+1}, \text{ and } y_j \ge y_{j+1} \right\}$

5) and when12 to algorithm our Apply :(Hint

thatShow (b)

thatShow (a)

0

FiFF

nOm

nm

ii

kk

kk

n

n

0

max

max

1

*20

*20

Page 26:

Efficiency of Multi-Scalar Multiplication

• Multi-Scalar Multiplication on Elliptic Curve Cryptography
S = P + P + … + P ($r_1$ times) + Q + Q + … + Q ($r_2$ times) = $r_1$P + $r_2$Q
where $r_1$, $r_2$ are positive integers and S, P, Q are members of the curve
• General Technique - Double-and-add method
• Let $r_1$ = 12 = (01100)_2, $r_2$ = 21 = (10101)_2

Compute $r_1$P = 12P, $r_1$ = 12 = (0 1 1 0 0)_2, Weight = 2
O → P → 2P → 3P → 6P → 12P

Compute $r_2$Q = 21Q, $r_2$ = 21 = (1 0 1 0 1)_2, Weight = 3
O → Q → 2Q → 4Q → 5Q → 10Q → 20Q → 21Q

4 Point Additions
7 Point Doubles

Horner’s Method

Page 27:

Shamir’s Trick + Binary Representation [ElGamal, IEEE Trans. on Info. Theory, 1986]

• Compute the two numbers together to reduce the redundant task.
• Pre-compute P + Q

$r_1$ = 12 = ( 0 1 1 0 0 )_2
$r_2$ = 21 = ( 1 0 1 0 1 )_2
Joint Weight = 4
O → Q → 2Q → P+2Q → 2P+4Q → 3P+5Q → 6P+10Q → 12P+20Q → 12P+21Q

3 Point Additions
4 Point Doubles
(separate double-and-add: 4 Point Additions, 7 Point Doubles)

Average # of Point Additions? For [0, $2^n - 1$], 0.75n - 1 times. (Average Weight = 0.75n)

Page 28:

Shamir’s Trick + Joint Sparse Form (JSF) [Solinas, Combinatorics and Optimization Research, 2001]

• Represent each digit using {0, ±1} instead of {0,1}.

$r_1$ = 12 = ( 1 0 -1 0 0 )_2
$r_2$ = 21 = ( 1 0 1 0 1 )_2
Joint Weight = 3
O → P+Q → 2P+2Q → 4P+4Q → 3P+5Q → 6P+10Q → 12P+20Q → 12P+21Q

2 Point Additions
4 Point Doubles

Average # of Point Additions? For [0, $2^n - 1$], 0.5n - 1 times. (Average Weight = 0.5n)
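Shamir's trick over plain binary digits and over the Joint Sparse Form, as an added Python example (not code from the lecture). The JSF recoding is the standard Solinas procedure; function names are assumptions, and a point aP + bQ is modelled by its coefficient pair (a, b) so that every intermediate value of the chains above can be read off directly.

```python
def binary_pair(k0, k1):
    """Plain binary digits of both scalars, padded to equal length, MSB first."""
    n = max(k0.bit_length(), k1.bit_length())
    return ([(k0 >> i) & 1 for i in reversed(range(n))],
            [(k1 >> i) & 1 for i in reversed(range(n))])

def jsf(k0, k1):
    """Joint Sparse Form of (k0, k1): two digit lists over {0, ±1}, MSB first."""
    k, d, out = [k0, k1], [0, 0], ([], [])
    while k[0] + d[0] > 0 or k[1] + d[1] > 0:
        l = [k[0] + d[0], k[1] + d[1]]
        u = [0, 0]
        for i in (0, 1):
            if l[i] % 2:
                u[i] = 2 - (l[i] % 4)          # signed residue mod 4: +1 or -1
                if l[i] % 8 in (3, 5) and l[1 - i] % 4 == 2:
                    u[i] = -u[i]               # flip to line up the zero columns
        for i in (0, 1):
            if 2 * d[i] == 1 + u[i]:
                d[i] = 1 - d[i]                # carry update
            k[i] >>= 1
            out[i].append(u[i])
    return out[0][::-1], out[1][::-1]

def joint_weight(d0, d1):
    """Number of digit columns that are not (0, 0)."""
    return sum(1 for a, b in zip(d0, d1) if a or b)

def shamir(d0, d1):
    """Simultaneous double-and-add over two digit strings.
    Returns (result, additions, doubles, trace); each non-zero column costs
    one addition of a pre-computed point such as P+Q or P-Q."""
    S, adds, dbls, started, trace = (0, 0), 0, 0, False, []
    for u0, u1 in zip(d0, d1):
        if started:
            S, dbls = (2 * S[0], 2 * S[1]), dbls + 1
        if u0 or u1:
            adds += started
            S, started = (S[0] + u0, S[1] + u1), True
        trace.append(S)
    return S, adds, dbls, trace
```

For (12, 21) the binary pair needs 3 additions and 4 doubles and the JSF pair 2 additions and 4 doubles; signed digits mean P - Q has to be pre-computed alongside P + Q.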

Page 29:

Average Joint Weight of {0, ±1, ±3}

| Reference | Average Joint Weight |
|---|---|
| Solinas, Comb. and Opt. Report, 2001 | Open Problem |
| Avanzi, Crypto. e-Print Archive, 2002 | 0.3750 |
| Kuang, Zhu, Zhang, ACNS 2004, 2004 | 0.3712 |
| Moller, ICISC 2004, 2004 | 0.3636 |
| Dahmen, Okeya, Takagi, IEICE Trans., 2007 | 0.3615 |
| Our Result | 0.3575 |

We prove that 0.3575 is the least number and solve the open problem

Page 30:

Other Results {0, ±1, ±3, … , ±(2h+1)}

| h | Single Integer | Integer Pair | Triple | Quadruple |
|---|---|---|---|---|
| 0 | $\frac{1}{3} \approx 0.3333$ [Egecioglu 94] | $\frac{1}{2} = 0.5$ [Solinas 01] | $\frac{23}{39} \approx 0.5897$ [Heuberger 07] | $\frac{115}{179} \approx 0.6424$ [Heuberger 07] |
| 1 | $\frac{1}{4} = 0.25$ [Muir 04] | $\frac{281}{786} \approx 0.3575$ [Improved Result] | 0.4090 [New Result] | |
| 2 | $\frac{2}{9} \approx 0.2222$ [Moller 05] | $\frac{1496396}{4826995} \approx 0.3100$ [New Result] | 0.3529 [New Result] | |
| 3 | $\frac{1}{5} = 0.2$ [Moller 05] | 0.2660 [New Result] | | |
| 4 | $\frac{4}{21} \approx 0.1904$ [Moller 05] | 0.2574 [New Result] | | |
| 5 | $\frac{2}{11} \approx 0.1818$, 207 states [Moller 05] | 0.2342 [New Result] | | |

Legend: Match existing works, Improve existing works, New Results

Page 31:

Exercise 9

Let P, Q be points on an elliptic curve, and assume that P + Q can be computed much faster if P – Q is known (even much faster than a point double).

Let T be the computation time for fast addition (when P – Q is known), and n = max(lg $r_1$, lg $r_2$).

1. Develop an algorithm for computing S = $r_1$P in 2nT with a constant number of points stored in memory.

2. Develop an algorithm for computing S = $r_1$P + $r_2$Q in 3nT with a constant number of points stored in memory.

Additional score will be given if you can find an algorithm faster than 3nT.

Page 32:

Course Information

Schedule
10/9 – Elliptic Curve I (2 Exercises) (What is Elliptic Curve?)
10/16 – Elliptic Curve II (1 Exercise) (Elliptic Curve Cryptography[1])
10/23 – Elliptic Curve III (2 Exercises) (Elliptic Curve Cryptography[2])
10/30 – Cancelled
11/6 – Online Algorithm I (Prof. Han)
11/13 – Online Algorithm II (Prof. Han)
11/20 – Cancelled (Friday Schedule)
11/27 – Elliptic Curve IV (1 Exercise) (ECC Implementation I)
12/4 – Cancelled
12/11 – Computational Game Theory I (Prof. Gurvich)
12/18 – Computational Game Theory II (Prof. Elbassioni)
1/8 – Elliptic Curve V (3 Exercises) (ECC Implementation II)
1/15 – Cancelled (Monday Schedule)
1/22~ – SAT Problem (Prof. Makino)

Grading
For my part, you need to submit 2 Reports.
- Report 1: Select 3 from 6 exercises in Elliptic Curve I – III. Submission Deadline: 14 November
- Report 2: Select 2 from 4 exercises in Elliptic Curve IV – V. Submission Deadline: January 22nd
- Submit your report in this lecture room before the class begins.

Page 33:

Thank you for your attention. Please feel free to ask questions or comment.