Montgomery curve: Difference between revisions

Template:Cleanup

The tripling-oriented Doche–Icart–Kohel curve is a form of an elliptic curve that has been used lately in cryptography; it is a particular type of Weierstrass curve. At certain conditions some operations, as adding, doubling or tripling points, are faster to compute using this form. The Tripling oriented Doche–Icart–Kohel curve, often called with the abbreviation 3DIK has been introduced by Christophe Doche, Thomas Icart, and David R. Kohel in ^[1]

Definition

Let ${\displaystyle K}$ be a field of characteristic different form 2 and 3.

An elliptic curve in tripling oriented Doche–Icart–Kohel form is defined by the equation:

${\displaystyle T_a:y^2=x^3+3a(x+1{)}^2}$

with ${\displaystyle a\in K}$.

A general point P on ${\displaystyle T_a}$ has affine coordinates ${\displaystyle (x,y)}$. The "point at infinity" represents the neutral element for the group law and it is written in projective coordinates as O = (0:1:0). The negation of a point P = (x, y) with respect to this neutral element is −P = (x, −y).

The group law

Consider an elliptic curve in the Tripling-oriented Doche-Icart-Kohel form in affine coordinates:

${\displaystyle T_a:y^2=x^3+3a(x+1{)}^2}$

with ${\displaystyle a\ne 0,\frac{9}{4}}$.

As in other forms of elliptic curves, it is possible to define some "operations" between points, such as adding points, or doubling (See also The group law). In the following sections formulas to add, negate and doubling points are given. The addition and doubling formulas are often used for other operations: given a point P on an elliptic curve it is possible to compute [n]P, where n is an integer, using addition and doubling; computing multiples of points is important in elliptic curve cryptography and in Lenstra elliptic curve factorization.

Addition

Given ${\displaystyle P_1=(x_1,y_1)}$ and ${\displaystyle P_2=(x_2,y_2)}$ on ${\displaystyle T_a}$, the point ${\displaystyle P_3=(x_3,y_3)=P_1+P_2}$ has coordinates:

${\displaystyle x_3=\frac{(-{x_1}^3+(x_2-3a){x_1}^2+({x_2}^2+6a{x}_2)x_1+({y_1}^2-2y_2{y}_1+(-{x_2}^3-3a{x_2}^2+{y_2}^2)))}{({x_1}^2-2x_2{x}_1+{x_2}^2)}}$

${\displaystyle y_3=\frac{((-y_1+2y_2){x_1}^3+(-3a{y}_1+(-3y_2{x}_2+3a{y}_2)){x_1}^2+((3{x_2}^2+6a{x}_2)y_1-6a{y}_2{x}_2)x_1+({y_1}^3-3y_2{y_1}^2+(-2{x_2}^3-3a{x_2}^2+3{y_2}^2)y_1+(y_2{x_2}^3+3a{y}_2{x_2}^2-{y_2}^3)))}{(-{x_1}^3+3x_2{x_1}^2-3{x_2}^2{x}_1+{x_2}^3)}}$

Doubling

Given a point ${\displaystyle P_1=(x_1,y_1)}$ on ${\displaystyle T_a}$, the point ${\displaystyle P_3=(x_3,y_3)=2P_1}$ has coordinates:

${\displaystyle x_3=\frac{9}{4{y_1}^2{x_1}^4}+\frac{9}{{y_1}^{2}a{x_1}^3}+(\frac{9}{{y_1}^2{a}^2}+\frac{9}{{y_1}^{2}a}){x_1}^2+(\frac{18}{{y_1}^2{a}^2}-2)x_1+\frac{9}{{y_1}^2{a}^2-3a}}$

${\displaystyle y_3=-\frac{27}{8{y_1}^3{x_1}^6}-\frac{81}{4{y_1}^{3}a{x_1}^5}+(-\frac{81}{2{y_1}^3{a}^2}-\frac{81}{4{y_1}^{3}a}){x_1}^4+(-\frac{27}{{y_1}^3{a}^3}-\frac{81}{{y_1}^3{a}^2}+\frac{9}{2y_1}){x_1}^3+(-\frac{81}{{y_1}^3{a}^3}-\frac{81}{2{y_1}^3}{a}^2+\frac{27}{2y_{1}a})x_{1}2+(-\frac{81}{{y_1}^3{a}^3}+\frac{9}{y_1{a}^2}+\frac{9}{y_{1}a})x_1+(-\frac{27}{{y_1}^3{a}^3}+\frac{9}{y_1{a}^2}-y_1)}$

Negation

Given a point ${\displaystyle P_1=(x_1,y_1)}$ on ${\displaystyle T_a}$, its negation with respect to the neutral element ${\displaystyle (0:1:0)}$ is ${\displaystyle -P_1=(x_1,-y_1)}$.

There are also other formulas given in ^[2] for Tripling-oriented Doche–Icart–Kohel curves for fast tripling operation and mixed-addition.

New Jacobian coordinates

For computing on these curves points are usually represented in new Jacobian coordinates (Jⁿ):

a point in the new Jacobian coordinates is of the form ${\displaystyle P=(X:Y:Z:Z^2)}$; moreover:

${\displaystyle P=(X:Y:Z:Z^2)=({\lambda }^{2}X:{\lambda }^{3}Y:\lambda Z:{\lambda }^2{Z}^2),}$

for any ${\displaystyle \lambda \in K}$.

This means, for example, that the point ${\displaystyle P=(X:Y:Z:Z^2)}$ and the point ${\displaystyle Q=(4X:8Y:2Z:4Z^2)}$ (for ${\displaystyle \lambda =2}$) are actually the same.

So, an affine point ${\displaystyle P=(x,y)}$ on ${\displaystyle T_a}$ is written in the new Jacobian coordinates as ${\displaystyle P=(X:Y:Z:Z^2)}$, where ${\displaystyle x=X/Z^2}$ and ${\displaystyle y=Y/Z^3}$; in this way, the equation for ${\displaystyle T_a}$ becomes:

${\displaystyle T_a:Y^2=X^3+3a{Z}^2(X+Z^2{)}^2.}$

The term ${\displaystyle Z^2}$ of a point on the curve makes the mixed addition (that is the addition between two points in different systems of coordinates) more efficient.

The neutral element in new Jacobian coordinates is ${\displaystyle (1:1:0:0)}$.

Algorithms and examples

Addition

The following algorithm represents the sum of two points ${\displaystyle P_1}$ and ${\displaystyle P_2}$ on an elliptic curve in the Tripling-oriented Doche-Icart-Kohel form. The result is a point ${\displaystyle P_3=(X_3,Y_3,Z_3,Z{Z}_3)}$. It is assumed that ${\displaystyle Z_2=1}$ and that ${\displaystyle a_3=3a}$. The cost of this implementation is 7M + 4S + 1*a3 + 10add + 3*2 + 1*4, where M indicates the multiplications, S the squarings, a3 indicates the multiplication by the constant a₃, add represents the number of additions required.

${\displaystyle A=X_{2}Z{Z}_1}$

${\displaystyle B=Y_{2}Z{Z}_1{Z}_1}$

${\displaystyle C=X_1-A}$

${\displaystyle D=2(Y_1-B)}$

${\displaystyle F=C^2}$

${\displaystyle F_4=4F}$

${\displaystyle Z_3=(Z_1+C{)}^2-Z{Z}_1-F}$

${\displaystyle E={Z_3}^2}$

${\displaystyle G=C{F}_4}$

${\displaystyle H=A{F}_4}$

${\displaystyle X_3=D^2-G-2H-a_{3}E}$

${\displaystyle Y_3=D(H-X_3)-2BG}$

${\displaystyle Z{Z}_3=E}$

Example

Let ${\displaystyle P_1=(1,\sqrt{13})}$ and ${\displaystyle P_2=(0,\sqrt{3})}$ affine points on the elliptic curve over ${\displaystyle \mathbb{ℝ}}$:

${\displaystyle y^2=x^3+3(x+1{)}^2}$.

Then:

${\displaystyle A=X_{2}Z{Z}_1=0}$

${\displaystyle B=Y_{2}Z{Z}_1{Z}_1=\sqrt{3}}$

${\displaystyle C=X_1-A=1}$

${\displaystyle D=2(Y_1-B)=2(\sqrt{13}-\sqrt{3})}$

${\displaystyle F=C^2=1}$

${\displaystyle F_4=4F=4}$

${\displaystyle Z_3=(Z_1+C{)}^2-Z{Z}_1-F=2}$

${\displaystyle E={Z_3}^2=4}$

${\displaystyle G=C{F}_4=4}$

${\displaystyle H=A{F}_4=0}$

${\displaystyle X_3=D^2-G-2H-a_{3}E=48-8\sqrt{39}}$

${\displaystyle Y_3=D(H-X_3)-2BG=296\sqrt{3}-144\sqrt{13}}$

${\displaystyle Z{Z}_3=E=4}$

Notice that in this case ${\displaystyle Z_1=Z_2=1}$. The resulting point is ${\displaystyle P_3=(X_3,Y_3,Z_3,Z{Z}_3)=(48-8\sqrt{39},296\sqrt{3}-144\sqrt{13},2,4)}$, that in affine coordinates is ${\displaystyle P_3=(12-2\sqrt{39},37\sqrt{3}-18\sqrt{13})}$.

Doubling

The following algorithm represents the doubling of a point ${\displaystyle P_1}$ on an elliptic curve in the Tripling-oriented Doche-Icart-Kohel form. It is assumed that ${\displaystyle a_3=3a}$, ${\displaystyle a_2=2a}$. The cost of this implementation is 2M + 7S + 1*a2 + 1*a3 + 12add + 2*2 + 1*3 + 1*8; here M represents the multiplications, S the squarings, a2 and a3 indicates the multiplications by the constants a₂ and a₃ respectively, and add indicates the additions.

${\displaystyle A={X_1}^2}$

${\displaystyle B=a_{2}Z{Z}_1(X_1+Z{Z}_1)}$

${\displaystyle C=3(A+B)}$

${\displaystyle D={Y_1}^2}$

${\displaystyle E=D^2}$

${\displaystyle Z_3=(Y_1+Z_1{)}^2-D-Z{Z}_1}$

${\displaystyle Z{Z}_3=Z_3^2}$

${\displaystyle F=2((X_1+D{)}^2-A-E)}$

${\displaystyle X_3=C^2-a_{3}Z{Z}_3-2F}$

${\displaystyle Y_3=C(F-X_3)-8E}$

Example

Let ${\displaystyle P_1=(0,\sqrt{3})}$ be a point on ${\displaystyle y^2=x^3+3(x+1{)}^2}$.

Then:

${\displaystyle A={X_1}^2=0}$

${\displaystyle B=a_{2}Z{Z}_1(X_1+Z{Z}_1)=2}$

${\displaystyle C=3(A+B)=6}$

${\displaystyle D={Y_1}^2=3}$

${\displaystyle E=D^2=9}$

${\displaystyle Z_3=(Y_1+Z_1{)}^2-D-Z{Z}_1=2\sqrt{3}}$

${\displaystyle Z{Z}_3=Z_3^2=12}$

${\displaystyle F=2((X_1+D{)}^2-A-E)=0}$

${\displaystyle X_3=C^2-a_{3}Z{Z}_3-2F=0}$

${\displaystyle Y_3=C(F-X_3)-8E=-72}$

Notice that here the point is in affine coordinates, so ${\displaystyle Z_1=1}$. The resulting point is ${\displaystyle P_3=(0,-72,2\sqrt{3},12)}$, that in affine coordinates is ${\displaystyle P_3=(0,-\sqrt{3})}$.

Equivalence with Weierstrass form

Any elliptic curve is birationally equivalent to another written in the Weierstrass form.

The following twisted tripling-oriented Doche-Icart-Kohel curve:

${\displaystyle T_{a,\lambda }}$: ${\displaystyle y^2=x^3+3\lambda a(x+\lambda {)}^2}$

can be transformed into the Weierstrass form by the map:

${\displaystyle (x,y)\mapsto (x-\lambda a,y)}$.

In this way ${\displaystyle T_{a,\lambda }}$ becomes:

${\displaystyle y^2=x^3-3{\lambda }^{2}a(a-2)x+{\lambda }^{3}a(2a^2-6a+3)}$.

Conversely, given an elliptic curve in the Weierstrass form:

${\displaystyle E_{c,d}}$: ${\displaystyle y^2=x^3+c{x}^2+d}$,

it is possible to find the "corresponding" Tripling-oriented Doche–Icart–Kohel curve, using the following relation:

${\displaystyle \lambda =\frac{-3d(a-2)}{a(2a^2-6a+3)}}$

where ${\displaystyle a}$ is a root of the polynomial ${\displaystyle 6912a(a-2{)}^3-j(4a-9)}$.

Here ${\displaystyle j=\frac{6912c^3}{4c^3+27d^2}}$ is the j-invariant of the elliptic curve ${\displaystyle E_{c,d}}$.

Notice that in this case the map given is not only a birational equivalence, but an isomorphism between curves.

Internal link

For more informations about the running-time required in a specific case, see Table of costs of operations in elliptic curves

External links

• http://hyperelliptic.org/EFD/g1p/index.html

Notes

43 year old Petroleum Engineer Harry from Deep River, usually spends time with hobbies and interests like renting movies, property developers in singapore new condominium and vehicle racing. Constantly enjoys going to destinations like Camino Real de Tierra Adentro.

References

• 20 year-old Real Estate Agent Rusty from Saint-Paul, has hobbies and interests which includes monopoly, property developers in singapore and poker. Will soon undertake a contiki trip that may include going to the Lower Valley of the Omo.
  
  My blog: http://www.primaboinca.com/view_profile.php?userid=5889534
• 20 year-old Real Estate Agent Rusty from Saint-Paul, has hobbies and interests which includes monopoly, property developers in singapore and poker. Will soon undertake a contiki trip that may include going to the Lower Valley of the Omo.
  
  My blog: http://www.primaboinca.com/view_profile.php?userid=5889534
• 20 year-old Real Estate Agent Rusty from Saint-Paul, has hobbies and interests which includes monopoly, property developers in singapore and poker. Will soon undertake a contiki trip that may include going to the Lower Valley of the Omo.
  
  My blog: http://www.primaboinca.com/view_profile.php?userid=5889534
• http://hyperelliptic.org/EFD/g1p/auto-3dik-standard.html