Forms of elliptic curves Wouter Castryck Forms of elliptic curves - - PowerPoint PPT Presentation

Well-known forms of elliptic curves Toric forms of elliptic curves

Forms of elliptic curves

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Elliptic curves

An elliptic curve over a field k is a nonsingular curve defined by an equation y2 + a1xy + a0y = x3 + b2x2 + b1x + b0 ai, bi ∈ k, along with a point O at infinity. nonsingular no ‘self-intersections’ the system    y2 + a1xy + a0y = x3 + b2x2 + b1x + b0 2y + a1x + a0 = a1y = 3x2 + 2b2x + b1. has no solutions (over any extension field).

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Typical graphs over k = R and a1 = a2 = 0

y2 = x3 − x y2 = x3 + x2 + x + 1 y2 = x3 + x2

singularity at (0, 0)

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Typical graphs over k = R and a1 or a2 = 0

y2 + xy = x3 + x

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Addition law

P Q P + Q P 2P P Q P + Q = O

E(k) ∪ {O} is a group with O as neutral element. In general, the reflection map is (x1, y1) → (x1, −y1 − a1x1 − a0).

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Diffie-Hellman key exchange

P ∈ E(Fq) a ∈ N aP bP b ∈ N (ab)P = a(bP) (ab)P = b(aP) Security is believed to depend on the hardness of the discrete log problem (DLP): given P and nP, find n.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Add and double

Alice can compute aP in O(log a) steps using classical ‘adding and doubling’. Let a = a1a2a3 · · · an be the binary expansion of a. Let Q := P. Read a from a2 to an. If ai = 1, then Q ← 2Q + P, otherwise Q ← 2Q. Tiny effort: check whether a + ord(P) has a smaller number of 1’s in its binary expansion (e.g. in a 161 bit setting, this reduces the expected number of EC

• perations from 240 to 237).

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Explicit formulas

Point addition: computing (x3, y3) = (x1, y1) + (x2, y2). Set λ = y2−y1

x2−x1 .

Compute x3 = λ2 + a1λ − b2 − x1 − x2 and y3 = λ(x1 − x3) − y1 − a1x3 − a0. Needs 4M + 1S +1I. Point doubling: computing (x3, y3) = 2(x1, y1). Set λ = 3x2

1 +2b2x1+b1−a1y1

2y1+a1x1+a0

. Compute x3 := λ2 + a1λ − b2 − 2x1 and y3 = λ(x1 − x3) − y1 − a1x3 − a0. Needs 7M + 2S +1I.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Weierstrass form

If char(k) = 2, 3 then we can assume that a0, a1, b2 = 0. Resolving the square if char(k) = 2: y2 + a1xy + a0y = x3 + b2x2 + b1x + b0

• y + 1

2(a1x + a0)

2 = x3 + b2x2 + b1x + b0 + 1

4(a1x + a0)2

y′2 = x3 + b′

2x2 + b′ 1x + b′ 0.

Resolving the cube if char(k) = 3: similar. Leads to classical Weierstrass form y2 = x3 + Ax + B (nonsingularity 4A3 + 27B2 = 0)

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Explicit formulas for y2 = x3 + Ax + B

Hardness of DLP does not change under transformation, but formulas for arithmetic do! Point addition: computing (x3, y3) = (x1, y1) + (x2, y2). Set λ = y2−y1

x2−x1 .

Compute x3 = λ2 − x1 − x2 and y3 = λ(x1 − x3) − y1. Needs 2M + 1S +1I. Point doubling: computing (x3, y3) = 2(x1, y1). Set λ = 3x2

1 +A

2y1 .

Compute x3 := λ2 − 2x1 and y3 = λ(x1 − x3) − y1. Needs 2M + 2S +1I.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Projective coordinates

Field inversion can be avoided using projective coordinates, which is a much more natural setting anyway. Make the equation of the curve homogeneous. y2z = x3 + Axz2 + Bz3 A point is a triplet (x1, y1, z1) satisfying this equation. Projective points are only determined up to scaling (λx1, λy1, λz1) for λ ∈ k \ {0}; and (0, 0, 0) is excluded. An affine point (x1, y1) becomes a projective point (x1, y1, 1). The point O becomes the projective point (0, 1, 0).

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Projective coordinates

z = 0 O

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Projective coordinates

The projective setting allows one to carry denominators to the third coordinate, in this way avoiding field inversions: f h, g h, 1

• = (f, g, h)

(first proposed by the Chudnovsky brothers, 1986). Point addition needs 12M + 2S. Point doubling needs 5M + 6S.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Isomorphisms

Our reduction towards y2 = x3 + Ax + B was a particular example of an isomorphism. Very general: a morphism between two projective curves C ⊂ Pn and C′ ⊂ Pm is a map (x0, x1, . . . , xn) → (F0(x0, x1, . . . , xn), F1(x0, x1, . . . , xn), . . . , Fm(x0, x1, . . . , xn)) where the Fi are homogeneous polynomials of the same degree. In fact, the Fi may change ‘locally’ . . . An isomorphism is a morphism that has an inverse.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Example

The parabola P : xz = y2 in P2 and the projective line P1 are isomorphic. P1 → P : (x0, z0) → (x2

0, x0z0, z2 0)

P → P1 : (x0, y0, z0) → (x0, y0) if x0 = 0 (y0, z0) if z0 = 0. If x0, z0 = 0 then (x0, y0) = (y0, z0) since x0z0 = y2

0.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Better definition of elliptic curve

An elliptic curve E over a field k is a projective curve, along with a base point O ∈ E(k), that is isomorphic to a nonsingular curve in P2 defined by an equation of the form y2z + a1xyz + a0yz2 = x3 + b2x2z + b1xz2 + b0z3. The isomorphism should map O to the point at infinity (0, 1, 0). Theorem A plane curve C ⊂ P2 along with a base point O ∈ C(k) is elliptic if and only if it is nonsingular and of degree 3.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

General group law on plane cubics

If O is an inflection point . . .

O P Q −(P + Q) P + Q

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

General group law on plane cubics

If O is a general point, addition is completely analogous but negation is not . . .

P = −P O −P

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Weighted projective coordinates

It is advantageous to look at the Weierstrass form in weighted projective space P(2, 3, 1). The equation now reads y2 = x3 + Axz4 + Bz6. A point on the curve is a triplet (x1, y1, z1) subject to weighted scaling (λ2x1, λ3y1, λz1) for λ ∈ k \ {0}; again (0, 0, 0) is excluded. The point O has weighted coordinates (1, 1, 0). P(2, 3, 1) can itself be given the structure of a surface in P6.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Weighted projective coordinates

Proposed by the Chudnovsky brothers for fast arithmetic, 1986. Point addition needs 11M + 5S. Point doubling needs 1M + 8S. When caching z2 and z3, one can do addition in 10M + 4S. Weighted projective form is often called Jacobian form.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Montgomery form

An elliptic curve is said to be in Montgomery form (1987) if it has equation y2 = x3 + Ax2 + x. Can be rewritten in Weierstrass form y2 = 3x + A 3 3 + 3 − A2 3 3x + A 3

• + 2A3 − 9A

27 . Is nonsingular if and only if B(A2 − 4) = 0.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Montgomery form

Point doubling can be done in 3M + 5S using weighted coordinates. Point doubling and addition (at once!) can be done in 6M + 4S. Not a fair comparison: this only computes x-coordinates. Typical formulas: P = (x1, y1, 1), nP = (xn, yn, zn), x2n = (x2

n − z2 n)2,

z2n = 4xnzn(x2

n + Axnzn + z2 n).

Main application: ECM method for factoring integers (Lenstra, 1987) Also useful for ECC, see Bernstein’s ‘Curve25519’.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Hessian form

A Hessian form is a cubic x3 + y3 + 1 = 3Dxy, with D3 − 1 = 0, and base point O = (1, −1, 0). O is an inflection point: −(x1, y1, z1) = (y1, x1, z1). Old form, reconsidered by Joye/Quisquater, Smart (2001). Point addition needs 12M. Point doubling needs 7M + 1S.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Edwards form x2z2 + y2z2 = A2(z4 + x2y2)

An Edwards form is a curve in P3 given by xy = zw x2 + y2 = A2(z2 + w2), where A5 − A = 0 and O = (0, A, 1, 0). Projecting onto P2 corresponds to substituting

• x

y z w xz yz z2 xy

• ,

from which we retrieve the plane Edwards equation x2z2 + y2z2 = A2(z4 + x2y2).

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Edwards form x2z2 + y2z2 = A2(z4 + x2y2)

The plane form is not an elliptic curve 2 singularities at infinity, which represent 4 points on the nonsingular model. O Space curve is isomorphic to plane cubic y2 = (2Ax − 1)((1 − A2)x + A)((1 + A2)x − A).

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Edwards form x2z2 + y2z2 = A2(z4 + x2y2)

Linear functions αx + βy + γ on cubic form read αy(1 − A2x2)(A + x)3 + β + γ(A + x) A + x

• n the Edwards form. . .

Yet miraculously, the addition law in the affine part reads (x1, y1) + (x2, y2) =

• x1y2 + y1x2

A(1 + x1x2y1y2), y1y2 − x1x2 A(1 − x1x2y1y2)

• (both for addition and doubling) and

−(x1, y1) = (−x1, y1).

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

Edwards form x2z2 + y2z2 = A2(z4 + x2y2)

Bernstein/Lange: consider slightly bigger family of curves x2z2 + y2z2 = A2(z4 + Bx2y2). Affine addition law reads (x1, y1)+(x2, y2) =

• x1y2 + y1x2

A(1 + Bx1x2y1y2), y1y2 − x1x2 A(1 − Bx1x2y1y2)

• If B is nonsquare in k, the affine points form a subgroup.

Point addition needs 11M + 1S. Point doubling needs 3M + 4S.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves First definitions Projective coordinates Weigthed projective coordinates Other forms

And more. . .

More forms . . . More tasks than just efficient adding and doubling: tripling, re-adding, unified addition (to avoid side-channel attacks), wider applicability (e.g. include small characteristics), . . . More people . . . (sorry for not mentioning) See also Bernstein and Lange’s EFD.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

Toric surfaces

A lattice polytope ∆ is a convex polytope in R2 with integer vertex coordinates. The genus of a lattice polytope is the number of lattice points in the interior of ∆. In this example, the genus is 14.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

Toric surfaces

To a lattice polytope, one can associate a surface in PN−1, where N is the total number of lattice points in ∆. We denote this surface with P∆. Associate to any lattice point (i, j) ∈ ∆ ∩ Z2 a variable x(i,j). Then the surface is defined by all homogeneous binomial relations of the form xi

(a,b)xj (c,d) = xk (e,f)xℓ (g,h)

for which i(a, b) + j(c, d) = k(e, f) + ℓ(g, h).

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

Toric surfaces

Example: let ∆ be the polytope There are four variables: x(0,0), x(1,0), x(0,1), x(1,1), subject to the single relation x(0,0)x(1,1) = x(1,0)x(0,1). Thus P∆ is the surface xy = zw in P3.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

Toric surfaces

Example: let ∆ be the polytope There are three variables: x(0,0), x(1,0), x(0,1), subject to no relations. Thus P∆ is the projective plane P2.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

Toric surfaces

Example: let ∆ be the polytope There are four variables: x(0,0), x(1,0), x(2,0), x(0,1), subject to the single relation x2

(1,0) = x(0,0)x(2,0).

Thus P∆ is the cone z2 = xy in P3, which is in fact the weigthed projective plane P(1, 2, 1).

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

Toric surfaces

Theorem If ∆ = k∆′ for some smaller lattice polytope ∆′, then P∆ ∼ = P∆′. Thus for all triangles ∆ = (0, 0)-(0, d)-(d, 0) we have P∆ ∼ = P2.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

The Newton polytope

The Newton polytope of a bivariate polynomial is the convex hull in R of its exponent vectors. Example: consider f = x3y2 + 2y5 − x + 4xy + 8y. We denote the Newton polytope with ∆(f).

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

The Newton polytope

Let f be a bivariate polynomial over a field k, and let ∆(f) be its Newton polytope. Let N = #(∆(f) ∩ Z2). Remember: P∆(f) defines a surface in PN−1 by all relations xi

(a,b)xj (c,d) = xk (e,f)xℓ (g,h)

for which i(a, b) + j(c, d) = k(e, f) + ℓ(g, h). f(x, y) itself defines an extra relation cuts out a curve in P∆(f) Theorem Generically (condition can be made explicit), this curve is the nonsingular model of f.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

The Newton polytope

Example: consider L : f(x, y) = αx + βy + γ = 0. The Newton polytope generically equals ∆: Remember that P∆ = P2 (no relations). f defines the relation αx(1,0) + βx(0,1) + γx(0,0). We find the projective closure (homogenization) of L in P2!

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

The Newton polytope

Example: consider E : f(x, y) = y2 − x3 − Ax − B = 0, whose Newton polytope equals ∆: P∆ ⊂ P6 is defined by 5 binomial relations. f defines the additional linear relation x(0,2) − x(3,0) − Ax(1,0) − Bx(0,0) = 0. This cuts out the weighted projective form of E in P6!

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

The Newton polytope

Example: consider f(x, y) = x2 + y2 − A2(1 + x2y2), whose Newton polytope equals 2∆, where ∆ is Remember P∆ ⊂ P3 was defined by x(0,0)x(1,1) = x(1,0)x(0,1). f defines the additional degree 2 relation x2

(1,0) + x2 (0,1) = A2(x2 (0,0) + x2 (1,1)).

We find the nonsingular Edwards model in P3!

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

Observation

Observation: all nonsingular forms of elliptic curves that have proven to be useful, canonically lie in a toric surface. Plane cubics (e.g. Hessian) lie in P2. Weighted Weierstrass curves lie in P(2, 3, 1). Edwards curves lie in P1 × P1. Quartic Jacobian forms lie in P(1, 2, 1).

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

The genus of a curve

The genus is the most robust invariant one can associate to a curve. Over C, it is the number of ‘holes’ in the associated surface

• ver R.

Can be given sense over arbitrary fields. The genus of an elliptic curve is 1, and conversely. . .

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

Modern definition of elliptic curve

An elliptic curve E over a field k is a smooth projective curve of genus 1, along with a base point P ∈ E(k). Theorem Any elliptic curve E/k is isomorphic to a plane nonsingular curve defined by an equation of the form y2 + a1xy + a0y = x3 + b2x2 + b1x + b0 The base point P is mapped to the unique point at infinity. Theorem A smooth projective curve has an algebraic group structure if and only if its genus equals 1.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

Back to the Newton polytope

Theorem If a bivariate polynomial f cuts out a nonsingular curve in P∆(f), then its genus equals the genus of ∆(f). Examples: a Weierstrass curve y2 = x3 + Ax + B, an Edwards curve x2 + y2 = A2(1 + x2y2) and a hyperelliptic curve y2 = x5 + x + 1.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

Lattice polytopes of genus one

Theorem Up to affine equivalence, for every genus g there is a finite number of lattice polytopes. The lattice polytopes of genus 1 (Poonen/Rodriguez-Villegas):

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

New forms?

Idea: investigating these polytopes should either result in new useful forms, either provide evidence for the optimality

• f the Edwards form.

Tried a few examples, e.g. f(x, y) = 1 + Axy + x2y + xy2 with O = (1, −1, 0) gives relatively simple formulas, but does not beat Hessian form.

Wouter Castryck Forms of elliptic curves

Well-known forms of elliptic curves Toric forms of elliptic curves Toric surfaces The Newton polytope Polytopes of genus one New forms?

New forms?

Might serve as inspiration to define binary Edwards forms. Problem: find a way to systematically investigate these polytopes.

Choice of O? Toric infinity provides natural choices. . . How many parameters? Which representants? Minimal degree. . . How to algorithmically count squarings and multiplications?

At least seems an interesting pool of forms to fish in.

Wouter Castryck Forms of elliptic curves