 OK, welcome to the session on the second, well it's the first paper invited to the Journal of Cryptology. So it's pretty good honour and this is about elliptic curve, fish and elliptic curve cryptography, which I like. And the author is a Savyachi Karati in Palashasaka, and Savyachi is from, there's a PhD in India, but he's now post-op in Calgary and I'm going to give him the microphone, so there you go, thanks. Good afternoon everyone and thank you Stephen for the introduction. This work as Stephen said is basically on efficient and scalar multiplication using umber line over large quantities. As you know this elliptic curve cryptography was introduced in 1985 and from then till now, lots of public key schemes are implemented and designed based on these algebraic curves. And the, because of the efficiency and security these curves provides. And the security of these protocols are based on the well-known hard problem elliptic curve crystalline problem. And suppose that we have a elliptic curve, there are two points P and Q and a scalar N and they are related in such a fashion, then the hard problem is that if you are given P and Q you have to find the N. On the other hand if you are given P and N and you have to compute that Q, then this operation is known as scalar multiplication. And this operation is the building block of all the elliptic curve based protocols. Now when we use the algebraic curves in cryptography normally we consult about ourselves what genus we should use, what type of form the underlying field we should use and whether endomorphism is possible or if possible whether should we use it or not. Now in our world we have basically focused on a spectacular setup we call it conservative setup, where the genus of the curve is 1, underlying field is the prime last field and we do not use endomorphism. Here I have listed some of the curves which are proposed in the last few years where first few curves are in the conservative setup. Among these curves this curve P256 was widely used over at least one to two decades to actually wanted big security. But after Snowden controversy in 2013 it was started looking for an alternative. And among all the other curves curve 259 has emerged as one of the most popular choice in the conservative setup. Here I list some of the uses of carto-fitrient line team. You can see that lighted is like open SSH, open SSH to activation light, face wound manager, whatsapp, all these applications are using carto-fitrient line team for gain security. In this world we explore the idea of kumal line which was basically proposed by Guardian Lubis in 2009. And in our work we proposed three kumal lines which may be first alternative for carto-fitrient line team. And these kumal lines are defined by Rheymal theta function in genus 1 and this is the definition of the Rheymal theta function. Where Xi1 and Xi2 are characteristic known as characteristic come from the arsenal fields. W is a complex number and tau is a complex number with positive imaginary part. Now if we fix the tau and choose the characteristics from 0 and half then from the definition of the Rheymal theta function we can have these four theta functions and these four theta functions are interrelated among themselves by these identities. Now I define the kumal line. First we fix a tau which has a positive imaginary part and P1 defines a positive line over the complex field. Then a kumal line associated with tau is defined by the map phi from C to P1. Where theta1 and theta2 constants the points on the kumal line and theta1 is the x coordinate and theta2 is the z coordinate. Another way to define the kumal line by these two constants s square and b square. And for the derivative purpose on the kumal line we need two more theta constants capital s square and b square. And these two theta constants can be computed from these two theta constants using the theta identity 1 as given here. Now also these theta identities defines the arithmetic on the kumal line and for arithmetic we need two particular operations doubling operation and addition operation. Now here P is a point and 2P is the double on this point. So, this is the arithmetic of how we compute the doubling. Here the doubling operation takes input of the square coordinate of P and outputs the square coordinate of 2P. On the other hand if you want to compute the addition on kumal line by the knowledge of P and Q are not sufficient data. We need the knowledge of P minus Q in order to compute the value of P plus Q. That is why this addition operation also known as differential addition operation. It takes input the square coordinate of P Q and P minus Q and outputs the square coordinate of P plus Q. Suppose the P and R are two points on the kumal line and N is a scalar and P and R are related in this fashion that is R is equal to N P. Then we compute the scalar multiplication using Montgomery style uniform ladder as given in this algorithm. Which takes input the square coordinate of P and outputs the square coordinate of R. Now here this shows one particular ladder step on the kumal line. The ladder step can also be seen in this way where this H stands for Hadamann transformation. This while this part computes the differential addition this part computes the W operation. Also you can visualize the diagram in this fashion where each ellipse or the block contests four independent same operation or same sequence of operation which can be computed in path. On the other hand this is one ladder step on card to fitline line which is basically a Montgomery card. Now notice that this ladder step does not have the symmetricity which the kumal ladder step on kumal line has. So this makes the kumal line a better and suitable choice for S and D implementation than the R to 50 and 90. As the kumal line does not form a good group itself. So we define the security of kumal line through the associated legendary curve. If we define the legendary curve this way then the associativity can be computed this fashion where mu is computed by the defining parameter s square and d square in this fashion. And psi here gives the mapping from kumal line to legendary curve which takes the input of the square coordinate of a point on kumal line and outputs are exported on the legendary curve. And this is the inverse mapping but the problem is that this mapping psi itself does not preserve the consistency of scalar multiplication on the kumal line and the legendary curve. So for that purpose we need this particular point of order 2 mu 0 on the legendary curve. And this is the consistency diagrams which shows how psi along with this d2 preserve the consistency of scalar multiplication over the kumal line and the legendary curve. And these diagrams also gives us the equivalence of the security among the kumal line and the legendary curves. Now you have noticed that all the theta identities and the arithmetic I have been presented till now is a complex field. But in cryptography we prefer to use finite fields but by nature's principles all these theta identities and mappings are equally advocated over large prime fields. Based on this theory we propose three concrete kumal lines k1, k2 and k3 over three different prime fields defined by this a square v square pair and notice that these values are small values. This slide contains the comparison of different features of the kumal lines and three most most important cards and the jenus one cards in conservative setup. And these kumal lines will provide security approximately 128 bit sorry 126 bit and the cofactors are small and also the base points are small. So for implementation reasons I would like to give you the overview due to lack of time I would not go through all the details. Where we have represented each prime field element using a linear polynomial where theta serves as the radix. During the lattice strip on the kumal line we have used a radius to intrinsic for parallelization and the elements are represented using these values of n and theta. On the other hand when we compute the applied coordinate from the positive coordinate we have used assembly language and the values have been used for n and theta are like this. Now you have noticed that the primes we have used for our implementation are jenus mass reply of the form 2 to the power m minus delta. And for this type of prime we can use this lazy reduction method for modular reduction. But the problem is that after each reduction there are exactly delta element which can have two distinct representation in the prime field. But that does not create any problem with the element. So we find the distinct implementation unique implementation of the prime fields at the end of the scalar multiplication. Now this is the overview of the multiplication how we computed the multiplication of two prime to prime field element. For the prime field 251 9 the each elements are represented by 9 in polynomial. So we can break down these polynomials in this fashion. So and we can write the multiplication in this way. Now notice that this is a multiplication of two integers. This is a multiplication of two 8-limb polynomial by a integer and this is a 8 cross 8 multiplication. This 8 cross 8 multiplication we have broken down into three 4 cross 4 multiplication by kairasuba. Then again we use kairasuba to break down these 4 cross 4 multiplication into three 2 cross 2 multiplication. And these 2 cross 2 multiplication has been computed using schoolbook method. In our multiplication method we did not use the kairasuba totally or the schoolbook method. So normally we call it this is a hybrid method. On the other hand on the prime field 251 9 and 266 3 the elements are represented using 10-limb polynomial. So we have broken down these multiplication into 3 5 cross 5 multiplication by kairasuba. Now if we represent 5-limb polynomial using this fashion then again the multiplication becomes like this. So this is a integer multiplication. This is a multiplication of a 4-limb polynomial by a integer and this is a 4 cross 4 multiplication. For our purpose we have broken down these 4 cross 4 multiplication into 3 2 cross 2 multiplication. And each of these multiplication are computed using schoolbook method. Now for the other features we have used S.I.M.D. parallelization for ladder scale. And the kumallal arithmetic is totally x coordinate based arithmetic. And we have used Montgomery ladder to implement the scalar multiplication. This x coordinate based implementation and Montgomery ladder based implementation led us to a constant nth implementation. The time I am going to show you in the few slides later. Those slides those time count 10s includes the timing of computers at x by j. That means that our output is in f coordinate. We have computed the inverse in using fixed addition chain by p-2. The codes are publicly available here. But our experiment we have used two different platforms. Hashtag architecture and Skylight architecture. The operating system was 64 bit 1 to 16.04 LTS. We have compiled our code using GCC version 5.4.0. For S.I.M.D. parallelization we have used Intel ABS-2 Intrig6. During our experiment the turbo boosts and hyper-threading were turned off. We warmed the castle using 25000 iteration. The recorded time is the median over 100000 iteration. Now we read the timings from the timestamp counter of the CPU to RAS and RDS registered by RDTS instructors. This is a comparative study of the variable based scalar multiplication over Hashtag architecture. Notice that these kumar lines are all faster than NIST curve 255 by 9 to 256. On the other hand the kumar lines K1 and K2 are faster than K1 to 252 by 19. But K3 is slightly slower than this one. On the other hand this 4-Q kumar surface and coverage curve. These three curves are not in the conservative setup as we defined. But I have included these results here due to the sake of complete list. In this slide I have included all the competitive results of the kumar lines and k2 to 252 by 19. Whether the fixed base scalar multiplication or variable base scalar multiplication on two different platforms. Notice that the kumar line k1 provides two less bits of equity than k2 to 252 by 19. But these are at most 25% faster than the k2 to 252 by 19. Now in this picture shows the comparisons on the Hashtag architecture for fixed base scalar multiplication. All the kumar lines are much faster than k2 to 252 by 19. But for the variable base as I said earlier K1 and K2 are faster than k2 to 252 by 19. But K3 is slightly slower. But for the scalar, but for the scalar architecture all the fixed base and variable base scalar multiplication. The kumar lines are much faster than the k2 to 252 by 19. From these results we can conclude we suggest that if someone is ready to sacrifice two bits of security. Then they can get around 25% of speed up using kumar line 1. On the other hand if they do not want to sacrifice any security. Then K3 can give us the speed up and also give us the six extra bits of security. Now I summarize my work in this slide. Our work is based on the previous proposition of kumar lines by Gaurian Rubich in 2009. We proposed kumar lines where the three concrete kumar lines where the associated legionary curve satisfies all the necessary security conditions. These kumar lines has small base point and also small parameters. The kumar ladder or the monogamy ladder or kumar line supports SIMD parallelization which led us to a constant implementation. On the other hand this implies that these scalar multiplication on the kumar line are side-challenged lateral resistance. The proposed kumar lines are faster than part 52 and 90 if we have the SIMD and these are practical and deployable. The full version of this work is available at BitPrint. Thank you for your all attention. So we have 15 minutes for questions so I want to hear lots of questions. There's one back there from the same. Just yeah just shout it out. Have you considered the tune cook partitioning for the multiplication part? Sorry? So the question is have you considered tune cook multiplication? Yeah we have implemented those using tune cook but those are much slower than these hybrid methods so at the end we discarded that method. Anyone else? So I've got a question since you're using squared coordinates. So is it really you want one your kumar representation or is it like corresponding to a pair of points? Sorry it's always a pair of points because the white one is a full typical of points because you're doing squared representation. Yeah but the thing is that if we use a square coordinate on kumar line or do not use but at the end it will give us the x-squared not the square x-squared in the linear. So that doesn't make any difference but on the other hand if we use the square coordinate setup for kumar line it gives us a lot more number of points. So we have a number of legendary card on which satisfies the necessary security condition. So it doesn't create any problem for the arithmetic too. So I think that square coordinate setup is good for the kumar line. And is it related to like these generalized Jacobian coordinates and they have like a z-squared in them or is it something related to this or is it something to be different? You can find here you see that here we have defined this thing as a theta 1 and theta 2 this is x and z not x square and z square. But when we are using a square and b square here and we can use also a and b here but you know you see that by this relation yeah this relation uses a to the f 4 b to the f 4. So if we use a where this terms has to be this way and if we use a square then a can be a quantity residue or cannot be. Then we have lots more legendary card which satisfies the necessary security condition. So we have lot more options to choose the kumar line but even though we can use this a square b square you can easily find the point theta 1 theta 2 x and z. And notice that in this activity if you remove this square part then you will get the x 3 and z 3. And now as we define a square and b square so we have we have speak to the square on the coordinate. We have the questions. Yeah we are planning to our next objective is at least 5 to help with security. But for the present moment when we are working we will consider 120 to help with security because there is the card 250 and 90 with which we can compare our work completely. But for the price to help with security we do not have such a complete cards and we did not want it to compare with the least card. So we are thinking to go that way in near future. That will be just final the theory will be same. So that will be finding new kumar lines which satisfy the new security constant and the implementers. Sorry. The link for the implementation was missing in the actual paper. Ok. Could you show again. This one. No you missed the URL. Oh sorry sir. Oh yeah I noticed at the end yeah that is we are sorry for because yeah I found it yesterday live so. Any other questions. Alright let's thank the speaker and now it's lunch break.