SLIDE 1

Faster formulas for elliptic curves

Hüseyin Hışıl, hisil.huseyin@gmail.com, www.huseyinhisil.net, ECC2010, Redmond

Hüseyin Hışıl, October 19, 2010, 1 / 36

SLIDE 2

Faster formulas for elliptic curves (A roadmap for formula-hunters)

SLIDE 3

Faster formulas for elliptic curves (A roadmap for lazy formula-hunters)

SLIDE 4

Outline

1 Overview
2 Automated tools
3 Inversion-free point addition
4 Conclusion

SLIDE 5

The classics

1 [CC86] Chudnovsky and Chudnovsky. Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Advances in Applied Mathematics, 1986.
2 [Mon87] Montgomery. Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation, 1987.
3 [CMO98] Cohen, Miyaji, and Ono. Efficient elliptic curve exponentiation using mixed coordinates. ASIACRYPT'98.

SLIDE 6

Remarkable strikes against the cubic

1 [LS01] Liardet and Smart. Preventing SPA/DPA in ECC systems using the Jacobi form. CHES 2001.
2 [BL07b] Bernstein and Lange. Faster addition and doubling on elliptic curves. ASIACRYPT 2007.

Note: There are other papers not listed here.

SLIDE 7

This investigation

Concrete results for:
1 Short Weierstrass form, $y^2 = x^3 + ax + b$,
2 Extended Jacobi quartic form, $y^2 = dx^4 + 2ax^2 + 1$,
3 Twisted Hessian form, $ax^3 + y^3 + 1 = dxy$,
4 Twisted Edwards form, $ax^2 + y^2 = 1 + dx^2y^2$,
5 Twisted Jacobi intersection form, $bs^2 + c^2 = 1$, $as^2 + d^2 = 1$.

In fact, many other forms are checked for a better efficiency along the way. Extended Jacobi quartic curves will be used in all examples in the remainder of the talk.

SLIDE 8

Extended Jacobi quartics overview

K denotes a field of odd characteristic.

Definition

An extended Jacobi quartic curve defined over K is the curve
$$E_{Q,d,a} := \{(x, y) \in \mathbb{A}^2(K) \mid y^2 = dx^4 + 2ax^2 + 1\}.$$
$E_Q$ is non-singular if and only if $d(a^2 - d) \neq 0$. The projective closure of $E_Q$ is given by the equation
$$E_{Q,d,a} : Y^2 Z^2 = dX^4 + 2aX^2 Z^2 + Z^4.$$
A point $(X : Y : Z)$ with $Z \neq 0$ on $E_Q$ corresponds to the affine point $(X/Z, Y/Z)$ on $E_Q$. The point $(0 : 1 : 0)$ on $E_Q$ is singular. The resolution of singularities produces two points which are labeled $\Omega_1$ and $\Omega_2$. These points are defined over $K(\sqrt{d})$.

SLIDE 9

Extended Jacobi quartics overview

Let $L = K(\sqrt{d})$. With a slight abuse of notation, $E_Q(L)$, the set of L-rational points on $E_Q$, is denoted by
$$E_Q(L) = \{(x, y) \in L^2 \mid y^2 = dx^4 + 2ax^2 + 1\} \cup \{\Omega_1, \Omega_2\}.$$
$E_{Q,d,a}$ is birationally equivalent over K to the Weierstrass curve $E_W : v^2 = u^3 - 4au^2 + (4a^2 - 4d)u$ with the maps
$$\psi : E_Q \to E_W,\quad (x, y) \mapsto \left( \frac{2y + 2}{x^2} + 2a,\ \frac{4y + 4}{x^3} + \frac{4a}{x} \right),$$
$$\phi : E_W \to E_Q,\quad (u, v) \mapsto \left( \frac{2u}{v},\ \frac{2(u - 2a)u^2}{v^2} - 1 \right).$$

SLIDES 10–15

Extended Jacobi quartics overview

$$\psi : E_Q \to E_W,\quad (x, y) \mapsto \left( \frac{2y + 2}{x^2} + 2a,\ \frac{4y + 4}{x^3} + \frac{4a}{x} \right),$$
$$\phi : E_W \to E_Q,\quad (u, v) \mapsto \left( \frac{2u}{v},\ \frac{2(u - 2a)u^2}{v^2} - 1 \right).$$

It is trivial to check that $\phi \circ \psi = \mathrm{id}_{E_Q}$ and $\psi \circ \phi = \mathrm{id}_{E_W}$. The map $\psi$ is regular at all points on $E_Q$ except $(0, 1)$, which corresponds to $\infty$ on $E_W$. At first glance, it may seem that $\psi$ is not regular at $(0, -1)$. However, it is possible to alter $\psi$ to successfully map all points on $E_Q$ except $(0, 1)$. For instance, the point $(0, -1)$ can be sent to $(0, 0)$ on $E_W$ with an alternative map given by
$$\psi' : E_Q \to E_W,\quad (x, y) \mapsto \left( \frac{2dx^2 + 2a(1 + y)}{y - 1},\ \frac{4a(dx^2 + 2a) - 4d(1 - y)}{(1 - y)^2}\, x \right).$$

The map $\phi$ is regular at all points on $E_W$ except in two cases. Before investigating these cases observe that the point $(0, 0)$ on $E_W : v^2 = u^3 - 4au^2 + (4a^2 - 4d)u$ can be sent to $(0, -1)$ on $E_Q$ with an alternative map given by
$$\phi' : E_W \to E_Q,\quad (u, v) \mapsto \left( \frac{2v}{(u - 2a)^2 - 4d},\ \frac{u^2 - 4(a^2 - d)}{(u - 2a)^2 - 4d} \right).$$
The map $\phi$ is not regular at two points of the form $(u, v)$ with $u \neq 0$ and $v = 0$. These exceptional points correspond to the two points at infinity on the desingularization of $E_Q$.

Note: $\phi$ is a morphism if d is a non-square in K.

SLIDE 16

Extended Jacobi quartics overview

Every Weierstrass curve $v^2 = u^3 + a_2 u^2 + a_4 u$ is birationally equivalent over K to
$$y^2 = \frac{a_2^2 - 4a_4}{16}\, x^4 - \frac{a_2}{2}\, x^2 + 1.$$
The shape $v^2 = u^3 + a_2 u^2 + a_4 u$ covers all elliptic curves having at least one point of order two. Therefore every elliptic curve of even order can be written in extended Jacobi quartic form. This extended model covers approximately $1.33\,\#K$ of the $2\,\#K$ isomorphism classes (assuming K is finite).

SLIDE 18

Outline

1 Overview
2 Automated tools
3 Inversion-free point addition
4 Conclusion

SLIDE 19

Automated Tools

Develop tools to:
1 Automate group law derivation algorithmically.
2 Automate minimal/low degree point doubling/addition formulas derivation.
3 Verify the correctness of derived formulas.
4 Find alternative formulas.

SLIDE 20

Automated Tools

Theorem (Automated Addition)

Let W/K and M/K be affine curves. Assume that W and M are birationally equivalent over K. Let $\phi : W \to M$ and $\psi : M \to W$ be maps such that $\phi \circ \psi$ and $\psi \circ \phi$ are equal to the identity maps $\mathrm{id}_M$ and $\mathrm{id}_W$, respectively. Assume that $\tilde{W}$ and $\tilde{M}$, each with a distinguished K-rational point, are elliptic curves. Let $+_W : W \times W \to W$ be a map which is regular at all but finitely many pairs of points on W, describing some part of the unique addition law on $\tilde{W}$. The corresponding part of the unique addition law on $\tilde{M}$ is then given by the composition $+_M := \phi \circ +_W \circ (\psi \times \psi)$, and $+_M$ is regular at all but finitely many pairs of points on M.

SLIDE 23

A case study on extended Jacobi quartics

The theorem provides us an automated tool to derive the addition law in a piece-wise fashion. Let $a_2 = -4a$, $a_4 = 4(a^2 - d)$. Recall:
$$M : y^2 = dx^4 + 2ax^2 + 1,\qquad W : v^2 = u^3 + a_2 u^2 + a_4 u.$$
$$\psi : \left( \frac{2y + 2}{x^2} + 2a,\ \frac{4y + 4}{x^3} + \frac{4a}{x} \right),\qquad \phi : \left( \frac{2u}{v},\ \frac{2(u - 2a)u^2}{v^2} - 1 \right).$$
$$+_W : \left( \left(\frac{v_2 - v_1}{u_2 - u_1}\right)^2 - a_2 - u_1 - u_2,\ \ \frac{v_2 - v_1}{u_2 - u_1}\left( u_1 - \left( \left(\frac{v_2 - v_1}{u_2 - u_1}\right)^2 - a_2 - u_1 - u_2 \right) \right) - v_1 \right).$$
$$+_M : \phi \circ +_W \circ (\psi \times \psi).$$

SLIDE 25

A case study on extended Jacobi quartics

The affine curve: $y^2 = dx^4 + 2ax^2 + 1$. The derived map $+_M : M \times M \to M$, $((x_1, y_1), (x_2, y_2)) \mapsto$
$$\begin{aligned}
\Big(\ & 2\big(((4y_1+4)/x_1^3 + 4a/x_1 - (4y_2+4)/x_2^3 - 4a/x_2)^2/((2y_1+2)/x_1^2 - (2y_2+2)/x_2^2)^2 - (2y_1+2)/x_1^2 - (2y_2+2)/x_2^2\big) \\
& \big/ \big(((4y_1+4)/x_1^3 + 4a/x_1 - (4y_2+4)/x_2^3 - 4a/x_2)\,(2(2y_1+2)/x_1^2 + 2a - ((4y_1+4)/x_1^3 + 4a/x_1 - (4y_2+4)/x_2^3 - 4a/x_2)^2 \\
& \quad /((2y_1+2)/x_1^2 - (2y_2+2)/x_2^2)^2 + (2y_2+2)/x_2^2)/((2y_1+2)/x_1^2 - (2y_2+2)/x_2^2) - (4y_1+4)/x_1^3 - 4a/x_1\big), \\
& 2\big(((4y_1+4)/x_1^3 + 4a/x_1 - (4y_2+4)/x_2^3 - 4a/x_2)^2/((2y_1+2)/x_1^2 - (2y_2+2)/x_2^2)^2 - (2y_1+2)/x_1^2 - (2y_2+2)/x_2^2 - 2a\big) \\
& \cdot \big(((4y_1+4)/x_1^3 + 4a/x_1 - (4y_2+4)/x_2^3 - 4a/x_2)^2/((2y_1+2)/x_1^2 - (2y_2+2)/x_2^2)^2 - (2y_1+2)/x_1^2 - (2y_2+2)/x_2^2\big)^2 \\
& \big/ \big(((4y_1+4)/x_1^3 + 4a/x_1 - (4y_2+4)/x_2^3 - 4a/x_2)\,(2(2y_1+2)/x_1^2 + 2a - ((4y_1+4)/x_1^3 + 4a/x_1 - (4y_2+4)/x_2^3 - 4a/x_2)^2 \\
& \quad /((2y_1+2)/x_1^2 - (2y_2+2)/x_2^2)^2 + (2y_2+2)/x_2^2)/((2y_1+2)/x_1^2 - (2y_2+2)/x_2^2) - (4y_1+4)/x_1^3 - 4a/x_1\big)^2 - 1 \ \Big).
\end{aligned}$$

This map is regular at all but finitely many pairs $(x_1, y_1), (x_2, y_2)$ on M.

SLIDE 26

Rational simplification

Problem: Well, we expected to see something "simple", something which can be computed very efficiently.

Solution: Monagan and Pearce's algorithm [MP06] finds a fraction with minimal total degree sum of the numerator and denominator. The algorithm: "... walk up through the degrees of the numerator and denominator and at each step attempt to solve $N\delta - D\eta \equiv 0 \bmod I$ ...". Here,
$$I = \langle\, y_1^2 = dx_1^4 + 2ax_1^2 + 1,\ \ y_2^2 = dx_2^4 + 2ax_2^2 + 1 \,\rangle,$$
N is the original numerator, D is the original denominator, $\eta$ is a lower-degree numerator candidate, $\delta$ is a lower-degree denominator candidate.

SLIDE 27

Rational simplification

Good news. An open-source implementation is available in Pearce's thesis. The minimal degree simplified addition map is given by
$$+_M : M \times M \to M,\quad ((x_1, y_1), (x_2, y_2)) \mapsto \left( \frac{x_1^2 - x_2^2}{x_1 y_2 - y_1 x_2},\ \frac{(x_1^2 + x_2^2)(y_1 y_2 - 2a x_1 x_2) - 2x_1 x_2 (1 + d x_1^2 x_2^2)}{(x_1 y_2 - y_1 x_2)^2} \right)$$
with credits to Chudnovsky & Chudnovsky [CC86].

An alternative minimal degree fraction:
$$\left( \frac{x_1^2 - x_2^2}{x_1 y_2 - y_1 x_2},\ \frac{(x_1 - x_2)^2}{(x_1 y_2 - y_1 x_2)^2}\,\big(y_1 y_2 - 2a x_1 x_2 + 1 + d x_1^2 x_2^2\big) - 1 \right).$$
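As an added check that is not on the slide, the two y-coordinate expressions agree because the numerator of $y_3 + 1$ in the Chudnovsky form factors, after substituting $y_i^2 = dx_i^4 + 2ax_i^2 + 1$ in the expansion of $(x_1 y_2 - y_1 x_2)^2$:
$$\begin{aligned}
(x_1 y_2 - y_1 x_2)^2 &= d x_1^2 x_2^4 + d x_1^4 x_2^2 + 4a x_1^2 x_2^2 + x_1^2 + x_2^2 - 2 x_1 x_2 y_1 y_2, \\
(x_1^2 + x_2^2)(y_1 y_2 - 2a x_1 x_2) - 2x_1 x_2(1 + d x_1^2 x_2^2) + (x_1 y_2 - y_1 x_2)^2
&= y_1 y_2 (x_1 - x_2)^2 - 2a x_1 x_2 (x_1 - x_2)^2 + (x_1 - x_2)^2 + d x_1^2 x_2^2 (x_1 - x_2)^2 \\
&= (x_1 - x_2)^2 \big( y_1 y_2 - 2a x_1 x_2 + 1 + d x_1^2 x_2^2 \big),
\end{aligned}$$
so dividing by $(x_1 y_2 - y_1 x_2)^2$ and subtracting 1 recovers the alternative fraction; the factor is $(x_1 - x_2)^2$, not $(x_1^2 - x_2^2)^2$, since at $(x_2, y_2) = (-x_1, y_1)$ the sum is the identity $(0, 1)$ while $x_1^2 - x_2^2 = 0$.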

SLIDE 30

More formulas

Problem: When regarded as addition formulas this map does not give a complete description of the group law.

Solution: Find alternative low-degree formulas.

How to: Consider the polynomials $N = x_1^2 - x_2^2$ and $D = x_1 y_2 - y_1 x_2$ in $K[x_1, x_2, y_1, y_2]$ where $K = \mathbb{Q}(a, d)$. Since $\gcd(N, D) = 1$, the fraction $N/D$ does not simplify in $K(x_1, x_2, y_1, y_2)$. Now assume that $N/D$ is a function on $M \times M$ where $a, d \in K$ with $d(a^2 - d) \neq 0$. Let $\mathcal{K}$ be the ideal generated by the polynomials $y_1^2 - dx_1^4 - 2ax_1^2 - 1$ and $y_2^2 - dx_2^4 - 2ax_2^2 - 1$. The reduced Gröbner basis of the colon ideal $J = (D + \mathcal{K}) : N$ with respect to any graded monomial order must contain a minimal total degree denominator. See [MP06] for core ideas.

SLIDE 31

More formulas

In addition, it often contains other low degree denominators because of the graded order, which dominates in reducing the total degree of the generators. Indeed the generators of the reduced Gröbner basis of J with respect to graded reverse lexicographical order with $x_1 > y_1 > x_2 > y_2$ are given by
$$1 - dx_1^2 x_2^2,\qquad y_1 - dx_1^3 x_2 y_2,\qquad 1 - dy_1^2 x_2^4 + dx_2^4 + 2ax_2^2,\qquad 2a + dx_1^2 - dy_1^2 x_2^2 + dx_2^2,\qquad \ldots$$
Each one of these gives rise to another fraction.

SLIDE 32

More formulas

For instance, select the denominator $1 - dx_1^2 x_2^2$. Now, using a multivariate exact division algorithm the new numerator is computed as $(1 - dx_1^2 x_2^2)\, f/g = x_1 y_2 + y_1 x_2$. It follows that an alternative (x-coordinate) addition formula is
$$\frac{x_1 y_2 + y_1 x_2}{1 - dx_1^2 x_2^2}$$
with credits to Euler. Compare with the initial formula $\dfrac{x_1^2 - x_2^2}{x_1 y_2 - y_1 x_2}$. For an exact division algorithm see [Pea05]. Even more fractions can be obtained by changing the lexicographical ordering.

SLIDE 33

More formulas

Some more alternatives for the y-coordinate:
$$\frac{y_1 y_2 + 2a x_1 x_2 \pm \sqrt{d}\, x_1^2 \pm \sqrt{d}\, x_2^2}{(1 \mp \sqrt{d}\, x_1 x_2)^2} \mp \sqrt{d}\, x_3^2,$$
$$\frac{(x_1 - x_2)\big(y_1 + y_2 + d x_1 x_2 (x_1^2 y_2 + y_1 x_2^2)\big)}{(x_1 y_2 - y_1 x_2)(1 - d x_1^2 x_2^2)} - 1,$$
$$\frac{2(x_1 y_1 - x_2 y_2) - (x_1 y_2 - y_1 x_2)(y_1 y_2 + 2a x_1 x_2)}{(x_1 y_2 - y_1 x_2)(1 - d x_1^2 x_2^2)},$$
$$\frac{(x_1^2 - x_2^2)^2 - (x_1 y_2 - y_1 x_2)(x_1^3 y_2 - y_1 x_2^3)}{x_1 x_2 (x_1 y_2 - y_1 x_2)^2}\quad\text{[CC86]},$$
$$\frac{(1 \pm \sqrt{d}\, x_1 x_2)\big(x_1 y_1 - x_2 y_2 \pm \sqrt{d}\, x_1^3 y_2 \mp \sqrt{d}\, y_1 x_2^3\big)}{(x_1 y_2 - y_1 x_2)(1 - d x_1^2 x_2^2)} \mp \sqrt{d}\, x_3^2,$$
$$\frac{(x_1 - x_2)(1 \pm \sqrt{d}\, x_1 x_2)}{(x_1 y_2 - y_1 x_2)(1 - d x_1^2 x_2^2)}\big(y_1 + y_2 \pm \sqrt{d}\, x_1^2 y_2 \pm \sqrt{d}\, y_1 x_2^2\big) \mp \sqrt{d}\, x_3^2 - 1.$$

SLIDE 34

Special cases

Consider the minimal degree simplified addition map given by
$$+_M : M \times M \to M,\quad ((x_1, y_1), (x_2, y_2)) \mapsto \left( \frac{x_1^2 - x_2^2}{x_1 y_2 - y_1 x_2},\ \frac{(x_1^2 + x_2^2)(y_1 y_2 - 2a x_1 x_2) - 2x_1 x_2 (1 + d x_1^2 x_2^2)}{(x_1 y_2 - y_1 x_2)^2} \right).$$

If $(x_1, y_1) + (x_2, y_2)$ is a point at infinity then $x_1 y_2 - y_1 x_2 = 0$. If $x_1 y_2 - y_1 x_2 = 0$ then $(x_1, y_1) + (x_2, y_2)$ may not be a point at infinity. Let's investigate...

SLIDE 36

Special cases

Lemma

Let $a, d \in K$ with $d(a^2 - d) \neq 0$. Fix $\delta \in K$ so that $\delta^2 = d$. Fix $x_1 \in K \setminus \{0\}$ and $y_1 \in K$ such that $y_1^2 = dx_1^4 + 2ax_1^2 + 1$. Let $x_2, y_2 \in K$ such that $y_2^2 = dx_2^4 + 2ax_2^2 + 1$. Then $x_1 y_2 - y_1 x_2 = 0$ if and only if $(x_2, y_2) \in S$ where
$$S = \left\{ (x_1, y_1),\ (-x_1, -y_1),\ \left( \frac{1}{\delta x_1}, \frac{y_1}{\delta x_1^2} \right),\ \left( \frac{-1}{\delta x_1}, \frac{-y_1}{\delta x_1^2} \right) \right\}.$$

SLIDE 37

Special cases

Consider the low-degree addition map given by
$$+_M : M \times M \to M,\quad ((x_1, y_1), (x_2, y_2)) \mapsto \left( \frac{x_1 y_2 + y_1 x_2}{1 - d x_1^2 x_2^2},\ \frac{(y_1 y_2 + 2a x_1 x_2)(1 + d x_1^2 x_2^2) + 2d x_1 x_2 (x_1^2 + x_2^2)}{(1 - d x_1^2 x_2^2)^2} \right)$$
with credits to Billet & Joye (2003).

If $(x_1, y_1) + (x_2, y_2)$ is a point at infinity then $1 - d x_1^2 x_2^2 = 0$. If $1 - d x_1^2 x_2^2 = 0$ then $(x_1, y_1) + (x_2, y_2)$ may not be a point at infinity. Let's investigate...

SLIDE 39

Special cases

Lemma

Let $a, d \in K$ with $d(a^2 - d) \neq 0$. Fix $\delta \in K$ so that $\delta^2 = d$. Fix $x_1 \in K \setminus \{0\}$ and $y_1 \in K$ such that $y_1^2 = dx_1^4 + 2ax_1^2 + 1$. Let $x_2, y_2 \in K$ such that $y_2^2 = dx_2^4 + 2ax_2^2 + 1$. Then $1 - d x_1^2 x_2^2 = 0$ if and only if $(x_2, y_2) \in S'$ where
$$S' = \left\{ \left( \frac{1}{\delta x_1}, \frac{-y_1}{\delta x_1^2} \right),\ \left( \frac{-1}{\delta x_1}, \frac{y_1}{\delta x_1^2} \right),\ \left( \frac{1}{\delta x_1}, \frac{y_1}{\delta x_1^2} \right),\ \left( \frac{-1}{\delta x_1}, \frac{-y_1}{\delta x_1^2} \right) \right\}.$$

Compare with the exceptions of the minimal degree addition formulas:
$$S = \left\{ (x_1, y_1),\ (-x_1, -y_1),\ \left( \frac{1}{\delta x_1}, \frac{y_1}{\delta x_1^2} \right),\ \left( \frac{-1}{\delta x_1}, \frac{-y_1}{\delta x_1^2} \right) \right\}.$$

The first two entries of S and the first two entries of S' do not end up in a point at infinity when added to $(x_1, y_1)$.

SLIDE 40

Input: $P_1, P_2, \Omega_1, \Omega_2 \in E_{Q,d,a}(K)$ and fixed $\delta \in K$ such that $\delta^2 = d$.
Output: $P_1 + P_2$.

if $P_1 \in \{\Omega_1, \Omega_2\}$ then $P_t \leftarrow P_1$, $P_1 \leftarrow P_2$, $P_2 \leftarrow P_t$.
if $P_2 = \Omega_1$ then
    if $P_1 = \Omega_1$ then return $(0, 1)$.
    else if $P_1 = \Omega_2$ then return $(0, -1)$.
    else if $P_1 = (0, 1)$ then return $\Omega_1$.
    else if $P_1 = (0, -1)$ then return $\Omega_2$.
    else return $(-1/(\delta x_1),\ y_1/(\delta x_1^2))$.
else if $P_2 = \Omega_2$ then
    if $P_1 = \Omega_1$ then return $(0, -1)$.
    else if $P_1 = \Omega_2$ then return $(0, 1)$.
    else if $P_1 = (0, -1)$ then return $\Omega_1$.
    else if $P_1 = (0, 1)$ then return $\Omega_2$.
    else return $(1/(\delta x_1),\ -y_1/(\delta x_1^2))$.
else if $x_1 y_2 - y_1 x_2 \neq 0$ then
    $x_3 \leftarrow (x_1^2 - x_2^2)/(x_1 y_2 - y_1 x_2)$.
    $y_3 \leftarrow ((x_1^2 + x_2^2)(y_1 y_2 - 2a x_1 x_2) - 2x_1 x_2 (1 + d x_1^2 x_2^2))/(x_1 y_2 - y_1 x_2)^2$.
    return $(x_3, y_3)$.
else if $1 - d x_1^2 x_2^2 \neq 0$ then
    $x_3 \leftarrow (x_1 y_2 + y_1 x_2)/(1 - d x_1^2 x_2^2)$.
    $y_3 \leftarrow ((y_1 y_2 + 2a x_1 x_2)(1 + d x_1^2 x_2^2) + 2d x_1 x_2 (x_1^2 + x_2^2))/(1 - d x_1^2 x_2^2)^2$.
    return $(x_3, y_3)$.
else if $P_2 = (1/(\delta x_1),\ y_1/(\delta x_1^2))$ then return $\Omega_1$.
else return $\Omega_2$.
end
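The dispatch above, as an added worked example in Python that is not code from the talk: the Chudnovsky minimal-degree formulas, the Billet-Joye formulas, the maps $\psi$/$\phi$ of slide 9 (with the $\psi'$/$\phi'$ special cases) and the chord-and-tangent law $+_W$ are implemented over a constructed field with $p = 2^{61} - 1$, $a = 7$ and $d = -1$; since $d$ is a non-square, the $\Omega_i$ and the $\delta$-dependent members of $S$ and $S'$ are not $\mathbb{F}_p$-rational, so every rational pair falls into the $x_1 y_2 - y_1 x_2 \neq 0$ or $1 - d x_1^2 x_2^2 \neq 0$ branch, and the three routes to $P_1 + P_2$ can be cross-checked against each other and against the lemma's exceptional set. All parameters and sample points are constructed here.

```python
from itertools import product

P = (1 << 61) - 1          # constructed prime, p = 3 mod 4
A, D = 7, P - 1            # constructed a; d = -1 is a non-square mod p because p = 3 mod 4
A2, A4 = (-4 * A) % P, 4 * (A * A - D) % P   # Weierstrass model v^2 = u^3 + a2 u^2 + a4 u
INF = None                 # point at infinity of the Weierstrass model

def inv(x):
    return pow(x % P, P - 2, P)

def is_nonsquare(n):
    return pow(n % P, (P - 1) // 2, P) == P - 1

def on_curve(pt):
    x, y = pt
    return (y * y - D * x**4 - 2 * A * x * x - 1) % P == 0

def lift(x):
    """Point (x, y) on the quartic with the smaller root y, or None if x does not lift."""
    rhs = (D * x**4 + 2 * A * x * x + 1) % P
    y = pow(rhs, (P + 1) // 4, P)            # square root for p = 3 mod 4
    return (x % P, min(y, P - y)) if y * y % P == rhs else None

def add_min(p1, p2):
    """Chudnovsky minimal-degree formulas; None when x1 y2 - y1 x2 = 0, i.e. P2 in S."""
    (x1, y1), (x2, y2) = p1, p2
    den = (x1 * y2 - y1 * x2) % P
    if den == 0:
        return None
    i = inv(den)
    x3 = (x1 * x1 - x2 * x2) * i
    y3 = ((x1 * x1 + x2 * x2) * (y1 * y2 - 2 * A * x1 * x2)
          - 2 * x1 * x2 * (1 + D * x1 * x1 * x2 * x2)) * i * i
    return (x3 % P, y3 % P)

def add_bj(p1, p2):
    """Billet-Joye / Euler formulas; 1 - d x1^2 x2^2 never vanishes here (d non-square)."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x1 * x2 * x2 % P
    i = inv(1 - t)
    x3 = (x1 * y2 + y1 * x2) * i
    y3 = ((y1 * y2 + 2 * A * x1 * x2) * (1 + t) + 2 * D * x1 * x2 * (x1 * x1 + x2 * x2)) * i * i
    return (x3 % P, y3 % P)

def psi(pt):
    """psi: EQ -> EW; (0,1) -> infinity, and (0,-1) -> (0,0) as psi' prescribes."""
    x, y = pt
    if x == 0:
        return INF if y == 1 else (0, 0)
    ix = inv(x)
    return (((2 * y + 2) * ix * ix + 2 * A) % P, ((4 * y + 4) * ix**3 + 4 * A * ix) % P)

def phi(w):
    """phi: EW -> EQ; infinity -> (0,1), and (0,0) -> (0,-1) as phi' prescribes."""
    if w is INF:
        return (0, 1)
    u, v = w
    if v == 0:                               # only u = 0 has v = 0 when d is a non-square
        return (0, P - 1)
    iv = inv(v)
    return (2 * u * iv % P, (2 * (u - 2 * A) * u * u * iv * iv - 1) % P)

def add_w(w1, w2):
    """Chord-and-tangent law +W on v^2 = u^3 + a2 u^2 + a4 u."""
    if w1 is INF or w2 is INF:
        return w2 if w1 is INF else w1
    (u1, v1), (u2, v2) = w1, w2
    if u1 == u2 and (v1 + v2) % P == 0:
        return INF                           # P + (-P)
    if u1 == u2:
        lam = (3 * u1 * u1 + 2 * A2 * u1 + A4) * inv(2 * v1) % P
    else:
        lam = (v2 - v1) * inv(u2 - u1) % P
    u3 = (lam * lam - A2 - u1 - u2) % P
    return (u3, (lam * (u1 - u3) - v1) % P)

def sample_points(limit):
    """Constructed sample: (0, +-1) plus all sign variants of the lifts of x = 1..limit."""
    pts = [(0, 1), (0, P - 1)]
    for x in range(1, limit + 1):
        pt = lift(x)
        if pt is not None:
            pts += [pt, (pt[0], P - pt[1]), (P - pt[0], pt[1]), (P - pt[0], P - pt[1])]
    return pts

def pair_consistent(p1, p2):
    """True if the Weierstrass detour, Billet-Joye and (where defined) Chudnovsky agree,
    and x1 y2 - y1 x2 vanishes exactly for P2 in {P1, (-x1, -y1)}, the F_p part of S."""
    via_w = phi(add_w(psi(p1), psi(p2)))
    bj, mn = add_bj(p1, p2), add_min(p1, p2)
    in_s = p2 in (p1, ((-p1[0]) % P, (-p1[1]) % P))
    return (mn is None) == in_s and bj == via_w and on_curve(bj) and (mn is None or mn == bj)

def all_consistent(pts):
    return all(pair_consistent(p1, p2) for p1, p2 in product(pts, repeat=2))
```

Over a field where d is a square, the same sample would contain pairs in S ∩ S′ for which both formula sets divide by zero, which is exactly where the algorithm's Ω branches take over.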

SLIDE 41

Outline

1 Overview
2 Automated tools
3 Inversion-free point addition
4 Conclusion

SLIDE 42

Projective Group Laws

1 Efficient group laws.
2 New low-degree inversion-free formulae.
3 New and faster algorithms.
4 New coordinate systems. New mixed coordinates.

SLIDES 43–44

Operation Counts

For the best speed, which space should we embed extended Jacobi quartic curves into? Operation counts ($a = -1/2$):

ADD
    $y^2 = dx^4 + 2ax^2 + 1$ in $\mathbb{A}^2$: I + 5M + 3S + 1D
    $Y^2 Z^4 = dX^4 T^2 + 2aX^2 T^2 Z^2 + T^2 Z^4$ in $\mathbb{P}^1 \times \mathbb{P}^1$: 21M + 4S + 1D
    $Y^2 Z^2 = dX^4 + 2aX^2 Z^2 + Z^4$ in $\mathbb{P}^2$, [His10]: 10M + 5S + 1D
    $Y^2 = dX^4 + 2aX^2 Z^2 + Z^4$ in $\mathbb{P}^2_w$, [BJ03]: 10M + 3S + 1D
    $Y^2 = dT^2 + 2aX^2 + Z^2$, $X^2 = TZ$ in $\mathbb{P}^3$, [HWCD09]: 7M + 3S + 1D

DBL
    $y^2 = dx^4 + 2ax^2 + 1$ in $\mathbb{A}^2$: I + 2M + 2S
    $Y^2 Z^4 = dX^4 T^2 + 2aX^2 T^2 Z^2 + T^2 Z^4$ in $\mathbb{P}^1 \times \mathbb{P}^1$: 10M + 2S
    $Y^2 Z^2 = dX^4 + 2aX^2 Z^2 + Z^4$ in $\mathbb{P}^2$, [HWCD09]: 2M + 5S
    $Y^2 = dX^4 + 2aX^2 Z^2 + Z^4$ in $\mathbb{P}^2_w$: 2M + 6S
    $Y^2 = dT^2 + 2aX^2 + Z^2$, $X^2 = TZ$ in $\mathbb{P}^3$, [HWCD09]: 8S

Easier to think of T as $T = X^2/Z$.

SLIDE 45

Operation Counts

Table: Operation counts for extended Jacobi quartic form with $a = -1/2$ in different coordinate systems.

System | DBL | ADD
Qw | | 10M+3S+2D+14a, unified, [BJ03]
Q | 3M+4S+4a | 10M+7S+2D+17a, unified
Q | 2M+5S+7a | 10M+5S+1D+10a, dedicated
Qe | 3M+5S+4a | 8M+3S+2D+17a, unified
Qe | 8S+13a | 7M+3S+1D+19a, dedicated
Qx | 3M+4S+4a | 7M+4S+3D+19a, unified
Qx | 2M+5S+7a | 6M+4S+2D+21a, dedicated

Qw: Weighted, Q: Projective, Qe: Extended, Qx: Mixed coordinates.

SLIDE 46

Operation Counts

Table: Operation counts for (twisted) Edwards form in different coordinate systems.

System | DBL | ADD
E, (a = 1), [BL07a] | 3M+4S | 10M+1S+1D, unified
Ei, (a = 1), [BL07b] | 3M+4S+1D | 9M+1S+1D, unified
E, [BBJLP08] | 3M+4S+1D | 10M+1S+2D, unified
Ei, [BBJLP08] | 3M+4S+2D | 9M+1S+2D, unified
Ee | 4M+4S+1D | 9M+2D, unified
Ee, (a = −1) | 4M+4S | 8M+1D, unified
Ex, (a = −1) | 3M+4S | 8M+1D, unified
Ex, (a = −1) | 3M+4S | 8M, dedicated

$(X_1 : Y_1 : T_1 : Z_1) + (X_2 : Y_2 : T_2 : 1)$ costs only 7M.

SLIDE 47

Operation Counts

Table: Operation counts for (twisted) Jacobi intersection form with $a = 1$ in different coordinate systems.

System | DBL | ADD
I | 3M+4S+6a, [BL07] | 13M+2S+1D+7a, unified, [LS01]
I | 2M+5S+1D+7a | 13M+1S+2D+15a, unified
I | | 12M+11a, dedicated
Im2 | | 11M+1S+2D+15a, unified
Im1 | 3M+4S+6a, * | 11M+9a, dedicated
Im1 | 2M+5S+1D+7a |

*: Adapted from [BL07, dbl-2007-bl].

I: Projective, Im1: Modified version 1, Im2: Modified version 2 coordinates.

SLIDE 48

Operation Counts

Table: Operation counts for (twisted) Hessian form with $a = 1$ in different coordinate systems.

System | DBL | ADD
H | 6M+3S+3a, [BKL09] | 12M+3a, unified, [BKL09]
H | 7M+1S+8a | 11M+17a, unified
H | 3M+6S+18a | 12M+3a, dedicated
H | | 11M+17a, dedicated
He | 9M+3S+3a | 9M+3S+3a, unified
He | | 9M+3S+3a, dedicated
He | 5M+6S+29a | 6M+6S+15a, unified
He | | 6M+6S+15a, dedicated

H: Projective, He: Extended coordinates.

SLIDE 49

Operation Counts

Table: Operation counts for short Weierstrass form with $a = -3$ in different coordinate systems.

System | DBL | ADD
P, [CC86] | 7M+3S+10a, [BL07] | 12M+5S+1D+10a, unified, [BJ02]
P | | 11M+6S+1D+15a, unified, [BL07]
P | | 11M+5S+1D+16a, unified
P | | 12M+2S+7a, dedicated, [CMO98]
J, [CC86] | 4M+4S+9a, [HMV03] | 8M+10S+1D+24a, unified
J | 3M+5S+12a, [BL07] | 12M+4S+7a, dedicated, [CMO98]
J | | 11M+5S+11a, dedicated, [BL07]
Jc, [CC86] | 4M+6S+4a, [CMO98] | 7M+9S+1D+24a, unified
Jc | | 11M+3S+7a, dedicated, [CMO98]
Jc | | 10M+4S+13a, dedicated, [BL07]

P: Projective, J: Jacobian, Jc: Chudnovsky Jacobian.

SLIDE 50

Operation Counts

Table: Cost estimate of SMUL per bit of scalar in M.

System | OLD | NEW
Twisted Hessian form, H with $a = 1$ | 10.58M | 10.17M
Short Weierstrass form, Jx with $a = -3$ | 9.92M |
Jacobi intersection form, I with $a = 1$ | 9.01M | 8.43M
Extended Jacobi quartic form, Qx with $a = -1/2$ | 10.00M | 8.07M
Twisted Edwards form, Ex with $a = -1$ | 8.31M | 7.87M

SLIDE 51

SMUL

Table: Cycle-counts (rounded to the nearest one thousand) for 256-bit scalar multiplication with variable base-point (for Core 2).

Curve & coordinate system | Approximate operation counts | Cycles
Short Weierstrass ($a = -3$), J | I+1598M+1156S+0D+2896a | 468,000
(Twisted) Hessian ($a = 1$), H | I+2093M+757S+0D+1177a | 447,000
(Twisted) Jacobi intersection ($b = 1$), Im1 | I+1295M+1011S+0D+2009a | 383,000
Extended Jacobi quartic ($a = -1/2$), Qx | I+1162M+1110S+102D+1796a | 376,000
Twisted Edwards ($a = -1$), Ex | I+1202M+969S+0D+2025a | 362,000

Note: Short Weierstrass ($a = -3$) was the fastest before 2006!

SLIDE 52

Thanks.

SLIDES 53–55

References

[BJ02] Eric Brier and Marc Joye, Weierstraß elliptic curves and side-channel attacks, PKC 2002, LNCS, vol. 2274, Springer, 2002, pp. 335–345.
[BJ03] Olivier Billet and Marc Joye, The Jacobi model of an elliptic curve and side-channel analysis, AAECC-15, LNCS, vol. 2643, Springer, 2003, pp. 34–42.
[BKL09] Daniel J. Bernstein, David Kohel, and Tanja Lange, Twisted Hessian curves, Explicit-Formulas Database, 2009, http://www.hyperelliptic.org/EFD/g1p/auto-twistedhe
[BL07] Daniel J. Bernstein and Tanja Lange, Explicit-formulas database, 2007, http://www.hyperelliptic.org/EFD.
[CC86] David V. Chudnovsky and Gregory V. Chudnovsky, Sequences of numbers generated by addition in formal groups and new primality and factorization tests, Advances in Applied Mathematics 7 (1986), no. 4, 385–434.
[CMO98] Henri Cohen, Atsuko Miyaji, and Takatoshi Ono, Efficient elliptic curve exponentiation using mixed coordinates, ASIACRYPT'98, LNCS, vol. 1514, Springer, 1998, pp. 51–65.
[His10] Huseyin Hisil, Elliptic curves, group law, and efficient computation, Ph.D. thesis, Queensland University of Technology, 2010.
[HMV03] Darrel Hankerson, Alfred J. Menezes, and Scott A. Vanstone, Guide to elliptic curve cryptography, Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2003.
[HWCD09] Huseyin Hisil, Kenneth Koon-Ho Wong, Gary Carter, and Ed Dawson, Jacobi quartic curves revisited, ACISP 2009, LNCS, vol. 5594, Springer, 2009, pp. 452–468.
[LS01] Pierre Yvan Liardet and Nigel P. Smart, Preventing SPA/DPA in ECC systems using the Jacobi form, CHES 2001, LNCS, vol. 2162, Springer, 2001, pp. 391–401.
[MP06] Michael Monagan and Roman Pearce, Rational simplification modulo a polynomial ideal, ISSAC'06, ACM, 2006, pp. 239–245.
[Pea05] Roman Pearce, Rational expression simplification with side relations, Master's thesis, Simon Fraser University, 2005.