
Forms of elliptic curves, by Wouter Castryck (slide presentation)



  1. Forms of elliptic curves. Wouter Castryck. Sections: Well-known forms of elliptic curves; Toric forms of elliptic curves.

  2. Elliptic curves (section "Well-known forms of elliptic curves"; subsections: First definitions, Projective coordinates, Weighted projective coordinates, Other forms). An elliptic curve over a field $k$ is a nonsingular curve defined by an equation
     $$y^2 + a_1xy + a_0y = x^3 + b_2x^2 + b_1x + b_0, \qquad a_i, b_i \in k,$$
     along with a point $O$ at infinity. Nonsingular $\Leftrightarrow$ no 'self-intersections' $\Leftrightarrow$ the system
     $$\begin{cases} y^2 + a_1xy + a_0y = x^3 + b_2x^2 + b_1x + b_0 \\ 2y + a_1x + a_0 = 0 \\ a_1y = 3x^2 + 2b_2x + b_1 \end{cases}$$
     has no solutions (over any extension field).

  3. Typical graphs over $k = \mathbb{R}$ and $a_1 = a_2 = 0$. [Figure: graphs of $y^2 = x^3 - x$; $y^2 = x^3 + x^2 + x + 1$; and $y^2 = x^3 + x^2$, which has a singularity at $(0, 0)$.]

  4. Typical graphs over $k = \mathbb{R}$ and $a_1$ or $a_2 \neq 0$. [Figure: graph of $y^2 + xy = x^3 + x$.]

  5. Addition law. [Figure labels: $P$, $Q$, $P + Q$; $P$, $2P$; $P$, $Q$, $P + Q = O$.] $E(k) \cup \{O\}$ is a group with $O$ as neutral element. In general, the reflection map is
     $$(x_1, y_1) \mapsto (x_1, -y_1 - a_1x_1 - a_0).$$

  6. Diffie-Hellman key exchange. A point $P \in E(\mathbb{F}_q)$ is fixed. One party chooses $a \in \mathbb{N}$ and sends $aP$; the other chooses $b \in \mathbb{N}$ and sends $bP$. They compute $(ab)P = a(bP)$ and $(ab)P = b(aP)$ respectively. Security is believed to depend on the hardness of the discrete log problem (DLP): given $P$ and $nP$, find $n$.

  7. Add and double. Alice can compute $aP$ in $O(\log a)$ steps using classical 'adding and doubling'. Let $a = a_1a_2a_3 \cdots a_n$ be the binary expansion of $a$. Let $Q := P$. Read $a$ from $a_2$ to $a_n$. If $a_i = 1$, then $Q \leftarrow 2Q + P$, otherwise $Q \leftarrow 2Q$. Tiny effort: check whether $a + \operatorname{ord}(P)$ has a smaller number of 1's in its binary expansion (e.g. in a 161 bit setting, this reduces the expected number of EC operations from 240 to 237).

  8. Explicit formulas. Point addition: computing $(x_3, y_3) = (x_1, y_1) + (x_2, y_2)$. Set
     $$\lambda = \frac{y_2 - y_1}{x_2 - x_1}.$$
     Compute $x_3 = \lambda^2 + a_1\lambda - b_2 - x_1 - x_2$ and $y_3 = \lambda(x_1 - x_3) - y_1 - a_1x_3 - a_0$. Needs 4M + 1S + 1I. Point doubling: computing $(x_3, y_3) = 2(x_1, y_1)$. Set
     $$\lambda = \frac{3x_1^2 + 2b_2x_1 + b_1 - a_1y_1}{2y_1 + a_1x_1 + a_0}.$$
     Compute $x_3 := \lambda^2 + a_1\lambda - b_2 - 2x_1$ and $y_3 = \lambda(x_1 - x_3) - y_1 - a_1x_3 - a_0$. Needs 7M + 2S + 1I.

  9. Weierstrass form. If $\operatorname{char}(k) \neq 2, 3$ then we can assume that $a_0, a_1, b_2 = 0$. Resolving the square if $\operatorname{char}(k) \neq 2$:
     $$y^2 + a_1xy + a_0y = x^3 + b_2x^2 + b_1x + b_0$$
     $$\left(y + \tfrac{1}{2}(a_1x + a_0)\right)^2 = x^3 + b_2x^2 + b_1x + b_0 + \tfrac{1}{4}(a_1x + a_0)^2$$
     $$y'^2 = x^3 + b_2'x^2 + b_1'x + b_0'.$$
     Resolving the cube if $\operatorname{char}(k) \neq 3$: similar. Leads to classical Weierstrass form $y^2 = x^3 + Ax + B$ (nonsingularity $\Leftrightarrow 4A^3 + 27B^2 \neq 0$).

  10. Explicit formulas for $y^2 = x^3 + Ax + B$. Hardness of DLP does not change under transformation, but formulas for arithmetic do! Point addition: computing $(x_3, y_3) = (x_1, y_1) + (x_2, y_2)$. Set
     $$\lambda = \frac{y_2 - y_1}{x_2 - x_1}.$$
     Compute $x_3 = \lambda^2 - x_1 - x_2$ and $y_3 = \lambda(x_1 - x_3) - y_1$. Needs 2M + 1S + 1I. Point doubling: computing $(x_3, y_3) = 2(x_1, y_1)$. Set
     $$\lambda = \frac{3x_1^2 + A}{2y_1}.$$
     Compute $x_3 := \lambda^2 - 2x_1$ and $y_3 = \lambda(x_1 - x_3) - y_1$. Needs 2M + 2S + 1I.

  11. Projective coordinates. Field inversion can be avoided using projective coordinates, which is a much more natural setting anyway. Make the equation of the curve homogeneous:
     $$y^2z = x^3 + Axz^2 + Bz^3.$$
     A point is a triplet $(x_1, y_1, z_1)$ satisfying this equation. Projective points are only determined up to scaling $(\lambda x_1, \lambda y_1, \lambda z_1)$ for $\lambda \in k \setminus \{0\}$; and $(0, 0, 0)$ is excluded. An affine point $(x_1, y_1)$ becomes a projective point $(x_1, y_1, 1)$. The point $O$ becomes the projective point $(0, 1, 0)$.

  12. Projective coordinates. [Figure labels: $O$, $z = 0$.]

  13. Projective coordinates. The projective setting allows one to carry denominators to the third coordinate, in this way avoiding field inversions:
     $$\left(\frac{f}{h}, \frac{g}{h}, 1\right) = (f, g, h)$$
     (first proposed by the Chudnovsky brothers, 1986). Point addition needs 12M + 2S. Point doubling needs 5M + 6S.

  14. Isomorphisms. Our reduction towards $y^2 = x^3 + Ax + B$ was a particular example of an isomorphism. Very general: a morphism between two projective curves $C \subset \mathbb{P}^n$ and $C' \subset \mathbb{P}^m$ is a map
     $$(x_0, x_1, \dots, x_n) \mapsto (F_0(x_0, x_1, \dots, x_n), F_1(x_0, x_1, \dots, x_n), \dots, F_m(x_0, x_1, \dots, x_n))$$
     where the $F_i$ are homogeneous polynomials of the same degree. In fact, the $F_i$ may change 'locally' ... An isomorphism is a morphism that has an inverse.

  15. Example. The parabola $P : xz = y^2$ in $\mathbb{P}^2$ and the projective line $\mathbb{P}^1$ are isomorphic.
     $$\mathbb{P}^1 \to P : (x_0, z_0) \mapsto (x_0^2, x_0z_0, z_0^2)$$
     $$P \to \mathbb{P}^1 : (x_0, y_0, z_0) \mapsto \begin{cases} (x_0, y_0) & \text{if } x_0 \neq 0 \\ (y_0, z_0) & \text{if } z_0 \neq 0. \end{cases}$$
     If $x_0, z_0 \neq 0$ then $(x_0, y_0) = (y_0, z_0)$ since $x_0z_0 = y_0^2$.

  16. Better definition of elliptic curve. An elliptic curve $E$ over a field $k$ is a projective curve, along with a base point $O \in E(k)$, that is isomorphic to a nonsingular curve in $\mathbb{P}^2$ defined by an equation of the form
     $$y^2z + a_1xyz + a_0yz^2 = x^3 + b_2x^2z + b_1xz^2 + b_0z^3.$$
     The isomorphism should map $O$ to the point at infinity $(0, 1, 0)$. Theorem: A plane curve $C \subset \mathbb{P}^2$ along with a base point $O \in C(k)$ is elliptic if and only if it is nonsingular and of degree 3.

  17. General group law on plane cubics. If $O$ is an inflection point ... [Figure labels: $P$, $Q$, $O$, $P + Q$, $-(P + Q)$.]

  18. General group law on plane cubics. If $O$ is a general point, addition is completely analogous but negation is not ... [Figure labels: $O$, $P$, $\neq -P$, $-P$.]

  19. Weighted projective coordinates. It is advantageous to look at the Weierstrass form in weighted projective space $\mathbb{P}(2, 3, 1)$. The equation now reads
     $$y^2 = x^3 + Axz^4 + Bz^6.$$
     A point on the curve is a triplet $(x_1, y_1, z_1)$ subject to weighted scaling $(\lambda^2x_1, \lambda^3y_1, \lambda z_1)$ for $\lambda \in k \setminus \{0\}$; again $(0, 0, 0)$ is excluded. The point $O$ has weighted coordinates $(1, 1, 0)$. $\mathbb{P}(2, 3, 1)$ can itself be given the structure of a surface in $\mathbb{P}^6$.
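The affine formulas of slides 8 and 10, the add-and-double loop of slide 7 and the key exchange of slide 6 fit together as follows. This is an added example, not code from the presentation; the two small curves, the sample points and all function names are constructed for illustration, and `None` stands for the point O.

```python
from collections import namedtuple
# Curve y^2 + a1*x*y + a0*y = x^3 + b2*x^2 + b1*x + b0 over F_p (slides' notation).
Curve = namedtuple("Curve", "p a1 a0 b2 b1 b0")
# Constructed sample data: a toy short-Weierstrass curve and a general-form curve.
TOY, TOY_P, TOY_ORD = Curve(17, 0, 0, 0, 2, 2), (5, 1), 19
GEN, GEN_P = Curve(101, 1, 2, 3, 4, 80), (5, 7)

def on_curve(c, P):
    if P is None:                      # None stands for the point O
        return True
    x, y = P
    return (y*y + c.a1*x*y + c.a0*y - x**3 - c.b2*x*x - c.b1*x - c.b0) % c.p == 0

def neg(c, P):
    # Reflection map (x1, y1) -> (x1, -y1 - a1*x1 - a0)
    return None if P is None else (P[0], (-P[1] - c.a1*P[0] - c.a0) % c.p)

def add(c, P, Q):
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if Q == neg(c, P):                 # P + (-P) = O; also covers 2P = O
        return None
    if x1 == x2:                       # same point: tangent slope (doubling)
        num = 3*x1*x1 + 2*c.b2*x1 + c.b1 - c.a1*y1
        den = 2*y1 + c.a1*x1 + c.a0
    else:                              # distinct points: chord slope
        num, den = y2 - y1, x2 - x1
    lam = num * pow(den % c.p, -1, c.p) % c.p
    x3 = (lam*lam + c.a1*lam - c.b2 - x1 - x2) % c.p
    y3 = (lam*(x1 - x3) - y1 - c.a1*x3 - c.a0) % c.p
    return (x3, y3)

def mul(c, a, P):
    # Add and double: Q := P, then for bits a_2..a_n: Q <- 2Q, plus P if the bit is 1
    if a == 0 or P is None: return None
    Q = P
    for bit in bin(a)[3:]:
        Q = add(c, Q, Q)
        if bit == "1":
            Q = add(c, Q, P)
    return Q

def fewer_ones(a, order):
    # a*P == (a + ord(P))*P, so use whichever scalar has fewer 1 bits
    return min(a, a + order, key=lambda s: bin(s).count("1"))

def dh_shared(c, P, a, b):
    return mul(c, a, mul(c, b, P)), mul(c, b, mul(c, a, P))
```

The loop in `mul` branches on each bit of the scalar, so its running time and operation sequence depend on `a`; it illustrates the slide's algorithm and is not suitable for secret scalars as written.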
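Slides 11 and 13 say that projective coordinates carry the denominators in the third coordinate so that no field inversion is needed during the computation. The following added example (not code from the presentation) shows this for $y^2z = x^3 + Axz^2 + Bz^3$ over a prime field: the formulas are the affine ones of slide 10 with denominators cleared, in an operation order chosen here rather than taken from the slides, and the curve parameters and function names are assumptions.

```python
# Points are triples (X, Y, Z) with entries reduced mod p, defined up to scaling.
O = (0, 1, 0)                          # the point at infinity

def p_double(P, A, p):
    X, Y, Z = P
    if Z == 0:
        return O
    w = (A*Z*Z + 3*X*X) % p            # numerator of lambda, times Z^2
    s = Y*Z % p                        # half the denominator of lambda, times Z^2
    R = Y*s % p
    B = X*R % p
    h = (w*w - 8*B) % p
    return (2*h*s % p, (w*(4*B - h) - 8*R*R) % p, 8*s*s*s % p)

def p_add(P, Q, A, p):
    (X1, Y1, Z1), (X2, Y2, Z2) = P, Q
    if Z1 == 0: return Q
    if Z2 == 0: return P
    u = (Y2*Z1 - Y1*Z2) % p            # lambda = u / v
    v = (X2*Z1 - X1*Z2) % p
    if v == 0:                         # same x: either P == Q or Q == -P
        return p_double(P, A, p) if u == 0 else O
    zz = Z1*Z2 % p
    vv = v*v % p
    vvv = v*vv % p
    R = vv*X1*Z2 % p
    t = (u*u*zz - vvv - 2*R) % p
    return (v*t % p, (u*(R - t) - vvv*Y1*Z2) % p, vvv*zz % p)

def p_mul(n, P, A, p):
    Q = O
    for bit in bin(n)[2:]:             # add and double, starting from O
        Q = p_double(Q, A, p)
        if bit == "1":
            Q = p_add(Q, P, A, p)
    return Q

def to_affine(P, p):
    X, Y, Z = P
    if Z == 0:
        return None                    # O has no affine representative
    zi = pow(Z, -1, p)                 # the only field inversion, done once at the end
    return (X*zi % p, Y*zi % p)
```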
