Elliptic curve arithmetic 2 1 ECC school, Nijmegen, 9-11 - - PowerPoint PPT Presentation

Elliptic curve arithmetic

Wouter Castryck

ECC school, Nijmegen, 9-11 November 2017

𝑄

1

𝑄

2

𝑄

1 + 𝑄 2

Tangent-chord arithmetic

• n cubic curves

Introduction

Consequence of Bézout’s theorem: on a cubic curve 𝐷 ∶ 𝑔 𝑦, 𝑧 = σ𝑗+𝑘=3 𝑏𝑗𝑘𝑦𝑗𝑧𝑘 = 0, new points can be constructed from known points using tangents and chords. This principle was already known to 17th century natives like Fermat and Newton. 𝑔 𝑦, 𝑧 = 0

Pierre de Fermat Isaac Newton

Introduction

This construction was known to respect the base field. This means: if 𝑔 𝑦, 𝑧 ∈ 𝑙[𝑦, 𝑧] with 𝑙 some field, and one starts from points having coordinates in 𝑙, then new points obtained through the tangent-chord method also have coordinates in 𝑙. Informal reason: Consider two points on the 𝑦-axis 𝑄

1 = 𝑏, 0 and 𝑄 2 = (𝑐, 0).

Then the “chord” is 𝑧 = 0. The intersection is computed by 𝑔 𝑦, 0 = 𝑦 − 𝑏 ⋅ 𝑦 − 𝑐 ⋅ linear factor

always has a root over 𝒍!

𝑄

1

𝑄

2

𝑔 𝑦, 𝑧 = 0

Introduction

Thus: tangents and chords give some sort of composition law on the set of 𝑙-rational points of a cubic curve. Later it was realized that by adding in a second step, this gives the curve an abelian group structure!

• nly after an incredible historical detour which took more than 200 years…

First formalized by Poincaré in 1901.

Henri Poincaré

choose a base point 𝑃 𝑄

1

𝑄

2

𝑄

1 + 𝑄 2

𝑄 2𝑄 commutativity: 𝑄

1 + 𝑄 2 = 𝑄 2 + 𝑄 1

associativity: 𝑄

1 + 𝑄 2 + 𝑄 3 = 𝑄 1 + (𝑄 2 + 𝑄 3)

neutral element: 𝑄 + 𝑃 = 𝑄 inverse element: ∃ −𝑄 ∶ 𝑄 + −𝑄 = 𝑃

Introduction

Conditions for this to work: 1) One should work projectively (as opposed to affinely): Homogenize 𝑔 𝑦, 𝑧 = σ𝑗+𝑘=3 𝑏𝑗𝑘𝑦𝑗𝑧𝑘 to 𝐺 𝑦, 𝑧, 𝑨 = σ𝑗+𝑘=3 𝑏𝑗𝑘𝑦𝑗𝑧𝑘𝑨3−𝑗−𝑘 and consider points 𝑦: 𝑧: 𝑨 ≠ (0: 0: 0), up to scaling. Two types of points: affine points points at infinity 𝑨 = 0 𝑨 ≠ 0: the point is of the form (𝑦: 𝑧: 1) But then 𝑦, 𝑧 is an affine point! 𝑨 = 0: points of the form (𝑦: 𝑧: 0) up to scaling. (Up to three such points.)

Introduction

Conditions for this to work: 2) The curve should be smooth, meaning that 𝑔 = 𝜖𝑔

𝜖𝑦 = 𝜖𝑔 𝜖𝑧 = 𝜖𝑔 𝜖𝑨 = 0

has no solutions.

  

This ensures that every point 𝑄 has a well-defined tangent line 𝑈 ∶ 𝜖𝑔

𝜖𝑦 𝑄 ⋅ 𝑦 + 𝜖𝑔 𝜖𝑧 𝑄 ⋅ 𝑧 + 𝜖𝑔 𝜖𝑨 𝑄 ⋅ 𝑨 = 0.

Introduction

Conditions for this to work: 3) 𝑃 should have coordinates in 𝑙, in order for the arithmetic to work over 𝑙. 𝑃 Definition: an elliptic curve over 𝑙 is a smooth projective cubic curve 𝐹/𝑙 equipped with a 𝑙-rational base point 𝑃. (Caution: there exist more general and less general definitions.) Under these assumptions we have as wanted: Tangent-chord arithmetic turns 𝐹 into an abelian group with neutral element 𝑃. The set of 𝑙-rational points 𝐹(𝑙) form a subgroup.

Exercises

1) Describe geometrically what it means to invert a point 𝑄, i.e. to find a point −𝑄 such that 𝑄 + −𝑄 = 𝑃. 𝑃 2) Why does this construction simplify considerably if 𝑃 is a flex (= point at which its tangent line meets the curve triply)? 3) If 𝑃 is a flex then 3𝑄 ≔ 𝑄 + 𝑄 + 𝑄 = 𝑃 if and only if 𝑄 is a flex. Explain why.

On the terminology “elliptic curves”

On the terminology

In the 18th century, unrelated to all this, Fagnano and Euler revisited the unsolved problem of determining the circumference of an ellipse.

Giulio Fagnano Leonhard Euler

?

They got stuck on difficult integrals, now called elliptic integrals.

On the terminology

In the 19th century Abel and Jacobi studied the inverse functions of elliptic integrals. 𝑢 = 𝑔(𝑡) ? When viewed as complex functions, they observed doubly periodic behaviour: there exist 𝜕1, 𝜕2 ∈ 𝐃 such that 𝑔 𝑨 + 𝜇1𝜕1 + 𝜇2𝜕2 = 𝑔 𝑨 for all 𝜇1, 𝜇2 ∈ 𝐚.

Niels H. Abel Carl G. Jacobi

Compare to: sin 𝑦 + 𝜇 ⋅ 2𝑙𝜌 = sin 𝑦 for all 𝜇 ∈ 𝐚, etc. Such generalized trigonometric functions became known as elliptic functions.

On the terminology

In other words: elliptic functions on 𝐃 are well-defined modulo 𝐚𝜕1 + 𝐚𝜕2. 𝜕1 𝜕2

Karl Weierstrass

Mid 19th century Weierstrass classified all elliptic functions for any given 𝜕1, 𝜕2, and used this to define a biholomorphism 𝐃/(𝐚𝜕1 + 𝐚𝜕2) → 𝐹: 𝑨 ↦ (℘ 𝑨 , ℘′ 𝑨 ) to a certain algebraic curve 𝐹… Note that 𝐃/(𝐚𝜕1 + 𝐚𝜕2) is an abelian group, almost by definition. The biholomorphism endows 𝐹 with the same group structure… … where it turns out to correspond to tangent-chord arithmetic! … which he called an elliptic curve!

Weierstrass curves and their arithmetic

The concrete type of elliptic curves found by Weierstrass now carry his name. They are the most famous shapes of elliptic curves. Assume char 𝑙 ≠ 2,3. 𝑧2 = 𝑦3 + 𝐵𝑦 + 𝐶 𝑧2𝑨 = 𝑦3 + 𝐵𝑦𝑨2 + 𝐶𝑨3 (typical plot for 𝑙 = 𝐒)

Weierstrass curves

𝑨 = 0 𝑃 = (0: 1: 0) Definition: a Weierstrass elliptic curve is defined by where 𝐵, 𝐶 ∈ 𝑙 satisfy 4𝐵3 + 27𝐶2 ≠ 0. The base point 𝑃 is the unique point at infinity. Can be shown: up to “isomorphism” every elliptic curve is Weierstrass.

Note: 1) the lines through 𝑃 = (0: 1: 0) are the vertical lines (except for the line at infinity 𝑨 = 0). 2) The equation 𝑧2 = 𝑦3 + 𝐵𝑦 + 𝐶 is symmetric in 𝑧.

Weierstrass curves

(𝑦, 𝑧) This gives a first feature: inverting a point on a Weierstrass curve is super easy! Indeed: if 𝑄 = (𝑦, 𝑧) is an affine point then −𝑄 = 𝑦, −𝑧 . 𝑃 𝑄 (𝑦, −𝑧)

What about point addition?

Weierstrass curves

Write 𝑄

1 + 𝑄 2 = 𝑦3, 𝑧3 .

Line through 𝑄

1 = (𝑦1, 𝑧1) and 𝑄 2 = (𝑦2, 𝑧2) is

𝑧 − 𝑧1 = 𝜇 𝑦 − 𝑦1 where 𝜇 = 𝑧2−𝑧1

𝑦2−𝑦1.

𝑄

1

𝑄

2

𝑄

1 + 𝑄 2

Substituting 𝑧 ← 𝑧1 + 𝜇 𝑦 − 𝑦1 in the curve equation 𝑦3 + 𝐵𝑦 + 𝐶 − 𝑧2 = 0: 𝑦3 + 𝐵𝑦 + 𝐶 − (𝜇2𝑦2 + ⋯ ) = 0. 𝑦3 + 𝐵𝑦 + 𝐶 − 𝑧1 + 𝜇 𝑦 − 𝑦1

2 = 0.

𝑦3 − 𝜇2𝑦2 + ⋯ = 0. So, sum of the roots is 𝜇2. But 𝑦1, 𝑦2 are roots! We find: ቊ𝑦3 = 𝜇2 − 𝑦1 − 𝑦2 𝑧3 = −𝑧1 − 𝜇(𝑦3 − 𝑦1)

Weierstrass curves

𝑄 2𝑄 where 𝜇 = 𝑧2−𝑧1

𝑦2−𝑦1.

We find: ቊ𝑦3 = 𝜇2 − 𝑦1 − 𝑦2 𝑧3 = −𝑧1 − 𝜇(𝑦3 − 𝑦1) But what if 𝑦1 = 𝑦2? Two cases: Either 𝑧1 = 𝑧2 ≠ 0, i.e. 𝑄

1 = 𝑄 2 = 𝑄.

In this case we need to replace 𝜇 by 𝜇 = 3𝑦1

2+2𝐵𝑦1

2𝑧1

. Or 𝑧1 = −𝑧2, in which case 𝑄

1 + 𝑄 2 = 𝑃.

𝑃 𝑄

1

𝑄

2

Conclusion: formulas for computing on a Weierstrass curve are not too bad, but case distinctive.

More efficient elliptic curve arithmetic?

The Weierstrass addition formulas are reasonably good for several purposes… … but can they be boosted? Huge amount of activity starting in the 1980’s. One reason: Koblitz and Miller’s suggestion to use elliptic curves in crypto! Initial reason: Lenstra’s elliptic curve method (ECM) for integer factorization.

agree on 𝐹/𝐆𝑟 and 𝑄 ∈ 𝐹(𝐆𝑟) chooses secret 𝒃 ∈ 𝐚 chooses secret 𝒄 ∈ 𝐚 computes 𝒃𝑄 computes 𝒄𝑄 receives receives computes 𝒃 𝒄𝑄 = 𝒃𝒄𝑄 computes 𝒄 𝒃𝑄 = 𝒃𝒄𝑄 (Example: Diffie-Hellman key exchange.)

Victor Miller Neal Koblitz

Generic methods for efficient scalar multiplication

Efficient scalar multiplication

The most important operation in both (discrete-log based) elliptic curve cryptography, the elliptic curve method for integer factorization, is scalar multiplication: given a point 𝑄 and a positive integer 𝑏, compute 𝑏𝑄 ≔ 𝑄 + 𝑄 + ⋯ + 𝑄 𝑏 times. Note: adding 𝑄 consecutively to itself 𝑏 − 1 times is not an option! in practice 𝑏 consists of hundreds of bits!

Efficient scalar multiplication: double-and-add

Much better idea: double-and-add, walking through the binary expansion of 𝑏. Toy example: replace the 15 additions in 16𝑄 = 𝑄 + 𝑄 + 𝑄 + 𝑄 + 𝑄 + 𝑄 + 𝑄 + 𝑄 + 𝑄 + 𝑄 + 𝑄 + 𝑄 + 𝑄 + 𝑄 + 𝑄 + 𝑄 by the 4 doublings in 16𝑄 = 2 2 2 2𝑄 . General method: 𝑏 = 101100010 … 0101 𝑸

double

𝟑𝑸

double and add

𝟑 𝟑𝑸 + 𝑸

double and add

𝟑 𝟑 𝟑𝑸 + 𝑸 + 𝑸

double

𝟑(𝟑 𝟑 𝟑𝑸 + 𝑸 + 𝑸)

double

𝟑(𝟑 𝟑 𝟑 𝟑𝑸 + 𝑸 + 𝑸 )

double

𝟑 𝟑 𝟑 𝟑 𝟑 𝟑𝑸 + 𝑸 + 𝑸

double and add

𝟑 𝟑 𝟑 𝟑 𝟑 𝟑 𝟑𝑸 + 𝑸 + 𝑸 + 𝑸

double

𝟑 𝟑 𝟑 𝟑 𝟑 𝟑 𝟑 𝟑𝑸 + 𝑸 + 𝑸 + 𝑸 Exercise: verify that this computes 𝑏𝑄 using 𝑃(log 𝑏) additions or doublings, as opposed to 𝑃(𝑏). (Horner’s rule, basically.)

Warning: finding the most optimal chain of additions and doublings to compute 𝑏𝑄 is a very difficult combinatorial problem. We don’t want to spend more time on it than on computing 𝑏𝑄 itself!

Efficient scalar multiplication: double-and-add

Asymptotically this is as good as we can expect… … but in practice, considerable speed-ups over naive double-and-add are possible! Example: double-and-add computes 15𝑄 as 𝑄, 2𝑄, 3𝑄, 6𝑄, 7𝑄, 14𝑄, 15𝑄. However it would have been more efficient to compute it as 𝑄, 2𝑄, 3𝑄, 6𝑄, 12𝑄, 15𝑄

𝟑𝑸

Efficient scalar multiplication: windowing

In double-and-add, processing a 0 (doubling) is less costly than processing a 1 (doubling and adding 𝑄). Is there a structural way of reducing the number of additions? Example with 𝑥 = 2: 𝑏 = 101100010 … 0101 𝟓 𝟑𝑸 + 𝟒𝑸

quadruple and add 𝟒𝑸

𝟓(𝟓 𝟑𝑸 + 𝟒𝑸)

quadruple

𝟓 𝟓 𝟓 𝟑𝑸 + 𝟒𝑸 + 𝑸

quadruple and add 𝑸

Requires precomputation of 𝑄, … , 2𝑥−1𝑄 which grows exponentially with 𝑥. Method can be spiced up by allowing the window to slide to the next window starting with a 1. One idea to achieve this: windowing, which is the same as double-and-add, but we now process blocks (= windows ) of 𝑥 bits in one time.

Efficient scalar multiplication: signed digits

Recall that on a Weierstrass elliptic curve, inverting a point is quasi cost-free: − 𝑦, 𝑧 = (𝑦, −𝑧). Idea: use negative digits in the expansion, at the benefit of having more 0’s. The non-adjacent form (NAF) of an integer 𝑏 is a base 2 expansion

• > with digits taken from {−1,0,1}
• > in which no two consecutive digits are non-zero.

Such an expansion always exists, is unique, and easy to find. 𝑸

double

𝟑𝑸

double

𝟑 𝟑𝑸

double and subtract

𝟑 𝟑 𝟑𝑸 − 𝑸

double

𝟑(𝟑 𝟑 𝟑𝑸 − 𝑸)

double and subtract

𝟑 𝟑 𝟑 𝟑 𝟑𝑸 − 𝑸 − 𝑸

double

𝟑 𝟑 𝟑 𝟑 𝟑 𝟑𝑸 − 𝑸 − 𝑸

double and add

𝟑 𝟑 𝟑 𝟑 𝟑 𝟑 𝟑𝑸 − 𝑸 − 𝑸 + 𝑸

double

𝟑 𝟑 𝟑 𝟑 𝟑 𝟑 𝟑 𝟑𝑸 − 𝑸 − 𝑸 + 𝑸 𝑏 = 1 0 0 -1 0 -1 0 1 0 … 0 1 0 0 1 This method also comes in a windowing version (𝑥-NAF).

Efficient scalar multiplication

Tons of variations to the foregoing ideas have been investigated and proposed. Some examples (far from exhaustive!): Work with respect to base 3 and use an expansion with digits ∈ {−1,0,1}. (Requires a tripling formula.) If 𝑄 has a known finite order 𝑜, check if 𝑏 ± 𝜇𝑜 has better properties for some small 𝜇 ∈ 𝐚. Multi-exponentiation: efficient methods for computing a 𝐚-linear combination σ𝑗 𝑏𝑗𝑄

𝑗.

Exercise: find a smarter way to compute 𝑏𝑄 + 𝑐𝑅 than first computing 𝑏𝑄, 𝑐𝑅 separately.

Caution with double-and-add and its variants

When working through the digits of the scalar 𝑏 = 110100110101100010 … 1110, an attacker might notice differences between processing a 0 and processing a 1. Parameters he can monitor are time, power consumption, noise, … If one is uncareful then this will give away 𝒃 for free! Huge threat, unless 𝑏 is public anyway (as in signature verification). Countermeasures: Adding unnecessary computations, using uniform addition formulas, … but the problem is somewhat inherent to double-and-add. Use a Montgomery ladder for scalar multiplication.

Elliptic-curve-specific speed-ups

Using projective coordinates

Remember the addition resp. doubling formula for Weierstrass curve arithmetic: ቊ𝑦3 = 𝜇2 − 𝑦1 − 𝑦2 𝑧3 = −𝑧1 − 𝜇(𝑦3 − 𝑦1) where 𝜇 = 𝑧2−𝑧1

𝑦2−𝑦1 resp. 𝜇 = 3𝑦1

2+2𝐵𝑦1

2𝑧1

. Each step in the addition/subtraction chain requires a computation of 𝜇, which involves a costly field inversion. Way around: use projective coordinates, computing 𝑄

3 = (𝑦3: 𝑧3: 𝑨3) from 𝑄 1 = 𝑦1: 𝑧1: 𝑨1 and 𝑄 2 = 𝑦2: 𝑧2: 𝑨2 .

Resulting formulas are inversion-free and even less case distinctive! At the end of the double-and-add iteration, we can do a single inversion of the 𝑨-coordinate to find a point of the form 𝑦, 𝑧 = (𝑦: 𝑧: 1), as wanted.

Using projective coordinates

Formulas for this are easy to establish: replace 𝑦1 ← 𝑦1

𝑨1 , 𝑧1 ← 𝑧1 𝑨1 , 𝑦2 ← 𝑦2 𝑨2 , 𝑧2 ← 𝑧2 𝑨2 and put on

common denominators. For example in the case of addition this gives: 𝑄

3 = ( 𝑦2𝑨1 − 𝑦1𝑨2

𝑧2𝑨1 − 𝑧1𝑨2 2𝑨1𝑨2 − 𝑦2𝑨1 + 𝑦1𝑨2 𝑦2𝑨1 − 𝑦1𝑨2 3: … : 𝑦2𝑨1 − 𝑦1𝑨2 3𝑨1𝑨2). Looks ugly, but is more efficient! Remember the addition resp. doubling formula for Weierstrass curve arithmetic: ቊ𝑦3 = 𝜇2 − 𝑦1 − 𝑦2 𝑧3 = −𝑧1 − 𝜇(𝑦3 − 𝑦1) where 𝜇 = 𝑧2−𝑧1

𝑦2−𝑦1 resp. 𝜇 = 3𝑦1

2+2𝐵𝑦1

2𝑧1

. Each step in the addition/subtraction chain requires a computation of 𝜇, which involves a costly field inversion. Literature contains various clever ways of evaluating these formulas efficiently. Useful other types of homogeneous coordinates (e.g. weighted).

Other formulas

The formulas for addition and doubling on a Weierstrass curve are not unique. Using the identities 𝑧1

2 = 𝑦1 3 + 𝐵𝑦1 + 𝐶

and 𝑧2

2 = 𝑦2 3 + 𝐵𝑦2 + 𝐶,

it is possible to rewrite them. One possibility: obtain a single formula that works for both addition and doubling! Interesting against side-channel attacks. Example: 𝑦3 = 𝑦1𝑦2 − 2𝐵 𝑦1𝑦2 − 4𝐶 𝑦1 + 𝑦2 + 𝐵2 𝑦1𝑦2 + 𝐵 𝑦1 + 𝑦2 + 2𝑧1𝑧2 + 2𝐶 𝑧3 = 𝑦1𝑦2 𝑦1 + 𝑦2 − 𝑦3 𝑦1 + 𝑦2 2 − 𝑦1𝑦2 + 𝐵 − 𝑧1𝑧2 − 𝐶 𝑧1 + 𝑧2 Remark: new exceptional point pairs will appear, but they are less likely to be hit by an addition/subtraction chain.

Other curve shapes

Weierstrass curves are not the only shapes of elliptic curves that have been studied! Among them

• ther cubics: Hessian curves, Montgomery curves, …

But it’s worth even leaving the realm of cubics! Annoying feature for this talk: arithmetic is no longer using tangents and chords. Most prominent example: if char 𝑙 ≠ 2 then we can consider the (twisted) Edwards curves 𝑏𝑦2 + 𝑧2 = 1 + 𝑒𝑦2𝑧2 where 𝑏, 𝑒 ∈ 𝑙 satisfy 𝑏𝑒 𝑏 − 𝑒 ≠ 0 and 𝑃 = (0,1). It admits the amazing addition formula 𝑦1, 𝑧1 + 𝑦2, 𝑧2 = 𝑦1𝑧2 + 𝑧1𝑦2 1 + 𝑒𝑦1𝑦2𝑧1𝑧2 , 𝑧1𝑧2 − 𝑏𝑦1𝑦2 1 − 𝑒𝑦1𝑦2𝑧1𝑧2 , which are very efficient and can be used for doubling as well (uniformity).

Other curve shapes

A priori annoying aspect of Edwards curves: there are two singular points at infinity, each of which secretly corresponds to two points on the complete non-singular model. But in fact this is a feature! If 𝑏 is a non-zero square and 𝑒 is a non-square, then these four points are not defined over 𝑙. Therefore they are never encountered during arithmetic over 𝑙, or in other words we have an entirely affine group structure.

𝑏𝑦2 + 𝑧2 = 1 + 𝑒𝑦2𝑧2

Moreover, the addition formula is complete in this case, i.e. it has no exceptional points.

𝒚-coordinate only arithmetic and the Montgomery ladder

As we have observed earlier: 𝑄 and 𝑅 have the same 𝑦-coordinate ⇔ 𝑄 = ±𝑅 Therefore the 𝑦-coordinate of 𝑏𝑄 only depends on the 𝑦-coordinate of 𝑄, so it should be possible to compute it without any involvement of 𝑧-coordinates. Problem: every double-and-add routine involves addition steps, and there the idea breaks down: 𝑦(𝑄) and 𝑦(𝑅) do not suffice to find 𝑦(𝑄 + 𝑅).

𝒚-coordinate only arithmetic and the Montgomery ladder

But it is true that 𝑦(𝑄 + 𝑅) is determined by 𝑦 𝑄 , 𝑦(𝑅) and 𝑦(𝑄 − 𝑅). Peter L. Montgomery Montgomery found a way to exploit this: recursively compute 𝑦 𝑏𝑄 , 𝑦( 𝑏 + 1 𝑄) from 𝑦

𝑏 2 𝑄 , 𝑦( 𝑏 2 + 1 𝑄)

using one doubling and one appropriate addition. Note that 𝑦(𝑄) is known. Very fast. Very uniform: good against side-channel attacks. Possible to recover the 𝑧-coordinate from the end result (Lopez-Dahab). Comes in projective version: coordinates 𝑦: 𝑨 ∈ 𝑄1(𝑙). Montgomery chose a more efficient curve form: 𝐶𝑧2 = 𝑦3 + 𝐵𝑦2 + 𝑦

Questions?