Forms of elliptic curves
Wouter Castryck
Outline: Well-known forms of elliptic curves; Toric forms of elliptic curves
Well-known forms of elliptic curves: First definitions; Projective coordinates; Weighted projective coordinates; Other forms
Elliptic curves
An elliptic curve over a field k is a nonsingular curve defined by an equation
$y^2 + a_1xy + a_0y = x^3 + b_2x^2 + b_1x + b_0$, with $a_i, b_i \in k$,
along with a point O at infinity.
Nonsingular: no 'self-intersections', i.e. the system
$y^2 + a_1xy + a_0y = x^3 + b_2x^2 + b_1x + b_0$
$2y + a_1x + a_0 = 0$
$a_1y = 3x^2 + 2b_2x + b_1$
has no solutions (over any extension field).
Typical graphs over $k = \mathbb{R}$ and $a_1 = a_2 = 0$
[Figure: graphs of $y^2 = x^3 - x$, $y^2 = x^3 + x^2 + x + 1$ and $y^2 = x^3 + x^2$ (singularity at (0, 0))]
Typical graphs over $k = \mathbb{R}$ and $a_1$ or $a_2 \neq 0$
[Figure: graph of $y^2 + xy = x^3 + x$]
Addition law
[Figure: three panels illustrating P + Q, 2P, and P + Q = O]
E(k) ∪ {O} is a group with O as neutral element.
In general, the reflection map is $(x_1, y_1) \mapsto (x_1, -y_1 - a_1x_1 - a_0)$.
Diffie-Hellman key exchange
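Public point: $P \in E(\mathbb{F}_q)$.
One side picks $a \in \mathbb{N}$ and sends $aP$; the other side picks $b \in \mathbb{N}$ and sends $bP$.
Both sides arrive at the same point: $(ab)P = a(bP)$ and $(ab)P = b(aP)$.
Security is believed to depend on the hardness of the discrete log problem (DLP): given P and nP, find n.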
Add and double
Alice can compute aP in O(log a) steps using classical 'adding and doubling'.
Let $a = a_1a_2a_3 \cdots a_n$ be the binary expansion of a.
Let Q := P.
Read a from $a_2$ to $a_n$.
If $a_i = 1$, then Q ← 2Q + P, otherwise Q ← 2Q.
Tiny effort: check whether a + ord(P) has a smaller number of 1's in its binary expansion (e.g. in a 161-bit setting, this reduces the expected number of EC operations from 240 to 237).
Explicit formulas
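Point addition: computing $(x_3, y_3) = (x_1, y_1) + (x_2, y_2)$.
Set $\lambda = \frac{y_2 - y_1}{x_2 - x_1}$.
Compute $x_3 = \lambda^2 + a_1\lambda - b_2 - x_1 - x_2$ and $y_3 = \lambda(x_1 - x_3) - y_1 - a_1x_3 - a_0$.
Needs 4M + 1S + 1I (M, S, I: field multiplications, squarings, inversions).
Point doubling: computing $(x_3, y_3) = 2(x_1, y_1)$.
Set $\lambda = \frac{3x_1^2 + 2b_2x_1 + b_1 - a_1y_1}{2y_1 + a_1x_1 + a_0}$.
Compute $x_3 := \lambda^2 + a_1\lambda - b_2 - 2x_1$ and $y_3 = \lambda(x_1 - x_3) - y_1 - a_1x_3 - a_0$.
Needs 7M + 2S + 1I.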
Weierstrass form
If char(k) ≠ 2, 3 then we can assume that $a_0, a_1, b_2 = 0$.
Completing the square if char(k) ≠ 2:
$y^2 + a_1xy + a_0y = x^3 + b_2x^2 + b_1x + b_0$
$\left(y + \tfrac{1}{2}(a_1x + a_0)\right)^2 = x^3 + b_2x^2 + b_1x + b_0 + \tfrac{1}{4}(a_1x + a_0)^2$
$y'^2 = x^3 + b_2'x^2 + b_1'x + b_0'$.
Completing the cube if char(k) ≠ 3: similar.
Leads to classical Weierstrass form
$y^2 = x^3 + Ax + B$
(nonsingular if and only if $4A^3 + 27B^2 \neq 0$)
Explicit formulas for $y^2 = x^3 + Ax + B$
Hardness of DLP does not change under transformation, but formulas for arithmetic do!
Point addition: computing $(x_3, y_3) = (x_1, y_1) + (x_2, y_2)$.
Set $\lambda = \frac{y_2 - y_1}{x_2 - x_1}$.
Compute $x_3 = \lambda^2 - x_1 - x_2$ and $y_3 = \lambda(x_1 - x_3) - y_1$.
Needs 2M + 1S + 1I.
Point doubling: computing $(x_3, y_3) = 2(x_1, y_1)$.
Set $\lambda = \frac{3x_1^2 + A}{2y_1}$.
Compute $x_3 := \lambda^2 - 2x_1$ and $y_3 = \lambda(x_1 - x_3) - y_1$.
Needs 2M + 2S + 1I.
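The Weierstrass addition and doubling formulas above, the add-and-double loop and the Diffie-Hellman exchange from the earlier slides, combined in an added Python example (not part of the original slides). The toy curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$, the base point G = (0, 10) and all function names are assumptions chosen for illustration; real parameters are hundreds of bits long.

```python
# Added example: affine arithmetic on y^2 = x^3 + A*x + B over F_p.
# Toy parameters are constructed for illustration, not taken from the slides.
P_MOD, A, B = 97, 2, 3
O = None                      # the point at infinity
G = (0, 10)                   # constructed base point: 10^2 = 100 = 3 (mod 97)

def on_curve(P):
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(P, Q):
    """P + Q using the lambda formulas for y^2 = x^3 + A*x + B."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O              # Q = -P (also covers doubling a point with y = 0)
    if P == Q:                # tangent slope (doubling)
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:                     # chord slope (addition)
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mult(a, P):
    """Left-to-right add-and-double; returns (aP, number of group operations)."""
    if a == 0 or P is O:
        return O, 0
    Q, ops = P, 0
    for bit in bin(a)[3:]:    # bits a_2 .. a_n; a_1 = 1 is consumed by Q := P
        Q, ops = add(Q, Q), ops + 1
        if bit == "1":
            Q, ops = add(Q, P), ops + 1
    return Q, ops

def point_order(P):
    """Brute-force order of P; only feasible on a toy curve."""
    n, Q = 1, P
    while Q is not O:
        Q, n = add(Q, P), n + 1
    return n

def cheaper_scalar(a, n):
    """The 'tiny effort' trick: use a or a + ord(P), whichever has fewer 1 bits."""
    return min(a, a + n, key=lambda k: bin(k).count("1"))

def diffie_hellman(a, b, P=G):
    """Both sides of the exchange: returns (a(bP), b(aP))."""
    aP, bP = scalar_mult(a, P)[0], scalar_mult(b, P)[0]
    return scalar_mult(a, bP)[0], scalar_mult(b, aP)[0]

if __name__ == "__main__":
    print("ord(G) =", point_order(G), " shared =", diffie_hellman(23, 41))
```

Note the case split inside `add`: the affine Weierstrass law needs separate handling for doubling, inverses and O, which is what unified addition laws avoid.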
Projective coordinates
Field inversion can be avoided using projective coordinates, which is a much more natural setting anyway.
Make the equation of the curve homogeneous.
$y^2z = x^3 + Axz^2 + Bz^3$
A point is a triplet $(x_1, y_1, z_1)$ satisfying this equation.
Projective points are only determined up to scaling $(\lambda x_1, \lambda y_1, \lambda z_1)$ for $\lambda \in k \setminus \{0\}$; and (0, 0, 0) is excluded.
An affine point $(x_1, y_1)$ becomes a projective point $(x_1, y_1, 1)$.
The point O becomes the projective point (0, 1, 0).
Projective coordinates
[Figure: the curve in projective coordinates, with the line z = 0 and the point O marked]
Projective coordinates
The projective setting allows one to carry denominators to the third coordinate, in this way avoiding field inversions:
$\left(\frac{f}{h}, \frac{g}{h}, 1\right) = (f, g, h)$
(first proposed by the Chudnovsky brothers, 1986).
Point addition needs 12M + 2S.
Point doubling needs 5M + 6S.
Isomorphisms
Our reduction towards $y^2 = x^3 + Ax + B$ was a particular example of an isomorphism.
Very general: a morphism between two projective curves $C \subset \mathbb{P}^n$ and $C' \subset \mathbb{P}^m$ is a map
$(x_0, x_1, \ldots, x_n) \mapsto (F_0(x_0, x_1, \ldots, x_n), F_1(x_0, x_1, \ldots, x_n), \ldots, F_m(x_0, x_1, \ldots, x_n))$
where the $F_i$ are homogeneous polynomials of the same degree.
In fact, the $F_i$ may change 'locally' ...
An isomorphism is a morphism that has an inverse.
Example
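The parabola $P : xz = y^2$ in $\mathbb{P}^2$ and the projective line $\mathbb{P}^1$ are isomorphic.
$\mathbb{P}^1 \to P : (x_0, z_0) \mapsto (x_0^2, x_0z_0, z_0^2)$
$P \to \mathbb{P}^1 : (x_0, y_0, z_0) \mapsto \begin{cases} (x_0, y_0) & \text{if } x_0 \neq 0 \\ (y_0, z_0) & \text{if } z_0 \neq 0. \end{cases}$
If $x_0, z_0 \neq 0$ then $(x_0, y_0) = (y_0, z_0)$ since $x_0z_0 = y_0^2$.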
Better definition of elliptic curve
An elliptic curve E over a field k is a projective curve, along with a base point $O \in E(k)$, that is isomorphic to a nonsingular curve in $\mathbb{P}^2$ defined by an equation of the form
$y^2z + a_1xyz + a_0yz^2 = x^3 + b_2x^2z + b_1xz^2 + b_0z^3$.
The isomorphism should map O to the point at infinity (0, 1, 0).
Theorem
A plane curve $C \subset \mathbb{P}^2$ along with a base point $O \in C(k)$ is elliptic if and only if it is nonsingular and of degree 3.
General group law on plane cubics
If O is an inflection point . . .
[Figure: plane cubic with points O, P, Q, −(P + Q) and P + Q]
General group law on plane cubics
If O is a general point, addition is completely analogous but negation is not ...
[Figure: plane cubic with points O, P and −P, and a point marked ≠ −P]
Weighted projective coordinates
It is advantageous to look at the Weierstrass form in weighted projective space $\mathbb{P}(2, 3, 1)$.
The equation now reads
$y^2 = x^3 + Axz^4 + Bz^6$.
A point on the curve is a triplet $(x_1, y_1, z_1)$ subject to weighted scaling $(\lambda^2x_1, \lambda^3y_1, \lambda z_1)$ for $\lambda \in k \setminus \{0\}$; again (0, 0, 0) is excluded.
The point O has weighted coordinates (1, 1, 0).
$\mathbb{P}(2, 3, 1)$ can itself be given the structure of a surface in $\mathbb{P}^6$.
Weighted projective coordinates
Proposed by the Chudnovsky brothers for fast arithmetic, 1986.
Point addition needs 11M + 5S.
Point doubling needs 1M + 8S.
When caching $z^2$ and $z^3$, one can do addition in 10M + 4S.
Weighted projective form is often called Jacobian form.
Montgomery form
An elliptic curve is said to be in Montgomery form (1987) if it has equation
$y^2 = x^3 + Ax^2 + x$.
Can be rewritten in Weierstrass form
$y^2 = \left(\frac{3x + A}{3}\right)^3 + \frac{3 - A^2}{3}\left(\frac{3x + A}{3}\right) + \frac{2A^3 - 9A}{27}$.
Is nonsingular if and only if $B(A^2 - 4) \neq 0$.
Montgomery form
Point doubling can be done in 3M + 5S using weighted coordinates.
Point doubling and addition (at once!) can be done in 6M + 4S.
Not a fair comparison: this only computes x-coordinates.
Typical formulas: $P = (x_1, y_1, 1)$, $nP = (x_n, y_n, z_n)$,
$x_{2n} = (x_n^2 - z_n^2)^2$,
$z_{2n} = 4x_nz_n(x_n^2 + Ax_nz_n + z_n^2)$.
Main application: ECM method for factoring integers (Lenstra, 1987)
Also useful for ECC, see Bernstein's 'Curve25519'.
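An added Python example (not part of the original slides) of the x-only doubling formulas above, extended to a full Montgomery ladder with the standard differential-addition formula, which the slides do not give. The parameters p = 101 and A = 6 and all function names are assumptions; the ladder returns 0 for the point at infinity, the convention Curve25519 uses.

```python
# Added example: x-only arithmetic on y^2 = x^3 + A*x^2 + x over F_p.
# Toy parameters (constructed): p = 101, A = 6, so A^2 - 4 = 32 != 0.
P_MOD, A = 101, 6

def xdbl(X, Z):
    """Doubling formulas from the slide: (x_n : z_n) -> (x_2n : z_2n)."""
    X2 = (X * X - Z * Z) ** 2 % P_MOD
    Z2 = 4 * X * Z * (X * X + A * X * Z + Z * Z) % P_MOD
    return X2, Z2

def xadd(Xm, Zm, Xn, Zn, x1):
    """Differential addition: x(mP + nP) from x(mP), x(nP) and x(mP - nP) = x1.
    Standard Montgomery formula (assumption: not taken from the slides)."""
    u = (Xm - Zm) * (Xn + Zn)
    v = (Xm + Zm) * (Xn - Zn)
    return (u + v) ** 2 % P_MOD, x1 * (u - v) ** 2 % P_MOD

def ladder(k, x1):
    """x-coordinate of kP from x1 = x(P), k >= 1; a single inversion at the end.
    Returns 0 when the result is the point at infinity (Z = 0)."""
    R0, R1 = (1, 0), (x1 % P_MOD, 1)      # (O, P); invariant: R1 - R0 = P
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = xadd(*R0, *R1, x1), xdbl(*R1)
        else:
            R0, R1 = xdbl(*R0), xadd(*R0, *R1, x1)
    X, Z = R0
    return X * pow(Z, P_MOD - 2, P_MOD) % P_MOD

def affine_double_x(x, y):
    """Reference value: x(2P) from the general affine doubling formula
    with a1 = a0 = 0, b2 = A, b1 = 1. Needs y and one inversion per call."""
    lam = (3 * x * x + 2 * A * x + 1) * pow(2 * y, -1, P_MOD)
    return (lam * lam - A - 2 * x) % P_MOD

def curve_points():
    """All affine points with y != 0 (brute force; toy field only)."""
    return [(x, y) for x in range(P_MOD) for y in range(1, P_MOD)
            if (y * y - (x ** 3 + A * x * x + x)) % P_MOD == 0]

def x_only_dh(a, b, x1):
    """Diffie-Hellman on x-coordinates: each side applies its own scalar
    to the x-coordinate received from the other side."""
    return ladder(a, ladder(b, x1)), ladder(b, ladder(a, x1))

if __name__ == "__main__":
    x, y = curve_points()[0]
    print("x(2P):", ladder(2, x), "affine check:", affine_double_x(x, y))
    print("shared x:", x_only_dh(23, 41, x))
```

Every ladder step performs one `xadd` and one `xdbl` regardless of the scalar bit, which is the "doubling and addition at once" cost quoted on the slide.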
Hessian form
A Hessian form is a cubic $x^3 + y^3 + 1 = 3Dxy$, with $D^3 - 1 \neq 0$, and base point O = (1, −1, 0).
O is an inflection point: $-(x_1, y_1, z_1) = (y_1, x_1, z_1)$.
Old form, reconsidered by Joye/Quisquater, Smart (2001).
Point addition needs 12M.
Point doubling needs 7M + 1S.
Edwards form $x^2z^2 + y^2z^2 = A^2(z^4 + x^2y^2)$
An Edwards form is a curve in $\mathbb{P}^3$ given by
$\begin{cases} xy = zw \\ x^2 + y^2 = A^2(z^2 + w^2), \end{cases}$
where $A^5 - A \neq 0$ and O = (0, A, 1, 0).
Projecting onto $\mathbb{P}^2$ corresponds to substituting
$\begin{pmatrix} x & y & z & w \\ xz & yz & z^2 & xy \end{pmatrix}$,
from which we retrieve the plane Edwards equation
$x^2z^2 + y^2z^2 = A^2(z^4 + x^2y^2)$.
Edwards form $x^2z^2 + y^2z^2 = A^2(z^4 + x^2y^2)$
The plane form is not an elliptic curve: 2 singularities at infinity, which represent 4 points on the nonsingular model.
[Figure: plane Edwards curve with the point O marked]
Space curve is isomorphic to plane cubic
$y^2 = (2Ax - 1)((1 - A^2)x + A)((1 + A^2)x - A)$.
Edwards form $x^2z^2 + y^2z^2 = A^2(z^4 + x^2y^2)$
Linear functions αx + βy + γ on cubic form read
αy(1− A2x2)(A + x)3 + β + γ(A + x)
A + x
on the Edwards form. . .
Yet miraculously, the addition law in the affine part reads
$(x_1, y_1) + (x_2, y_2) = \left(\frac{x_1y_2 + y_1x_2}{A(1 + x_1x_2y_1y_2)}, \frac{y_1y_2 - x_1x_2}{A(1 - x_1x_2y_1y_2)}\right)$
(both for addition and doubling) and
$-(x_1, y_1) = (-x_1, y_1)$.
Edwards form $x^2z^2 + y^2z^2 = A^2(z^4 + x^2y^2)$
Bernstein/Lange: consider slightly bigger family of curves
$x^2z^2 + y^2z^2 = A^2(z^4 + Bx^2y^2)$.
Affine addition law reads
$(x_1, y_1) + (x_2, y_2) = \left(\frac{x_1y_2 + y_1x_2}{A(1 + Bx_1x_2y_1y_2)}, \frac{y_1y_2 - x_1x_2}{A(1 - Bx_1x_2y_1y_2)}\right)$
If B is nonsquare in k, the affine points form a subgroup.
Point addition needs 11M + 1S.
Point doubling needs 3M + 4S.
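The Bernstein/Lange addition law above as an added Python example (not part of the original slides): one formula serves for addition, doubling, inverses and the neutral element, which is the unified-addition property relevant to side channels, and it never fails when B is a non-square. The field $\mathbb{F}_{101}$, A = 3, the values B = 2 (non-square) and B = 4 (square), and all function names are assumptions chosen for illustration.

```python
# Added example: unified Edwards addition on x^2 + y^2 = A^2 (1 + B x^2 y^2).
# Toy field and parameters are constructed for illustration.
P_MOD, A = 101, 3
NEUTRAL = (0, A)                       # affine form of O = (0, A, 1, 0)

def is_square(v):
    """Euler's criterion in F_p (v nonzero mod p)."""
    return pow(v, (P_MOD - 1) // 2, P_MOD) == 1

def on_curve(P, B):
    x, y = P
    return (x * x + y * y - A * A * (1 + B * x * x * y * y)) % P_MOD == 0

def add(P, Q, B):
    """Single formula for all inputs: no special case for P == Q, Q == -P or
    the neutral element. Raises ValueError if a denominator is 0 mod p."""
    (x1, y1), (x2, y2) = P, Q
    t = B * x1 * x2 * y1 * y2 % P_MOD
    x3 = (x1 * y2 + y1 * x2) * pow(A * (1 + t) % P_MOD, -1, P_MOD)
    y3 = (y1 * y2 - x1 * x2) * pow(A * (1 - t) % P_MOD, -1, P_MOD)
    return (x3 % P_MOD, y3 % P_MOD)

def neg(P):
    return (-P[0] % P_MOD, P[1])

def affine_points(B):
    """All affine points of the curve with parameter B (brute force)."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD)
            if on_curve((x, y), B)]

def exceptional_pairs(B):
    """Count ordered pairs (P, Q) of affine points where the formula fails."""
    pts, failures = affine_points(B), 0
    for P in pts:
        for Q in pts:
            try:
                add(P, Q, B)
            except ValueError:
                failures += 1
    return failures

if __name__ == "__main__":
    for B in (2, 4):
        print(f"B={B} square={is_square(B)} points={len(affine_points(B))} "
              f"exceptional pairs={exceptional_pairs(B)}")
```

Python's big-integer arithmetic is not constant-time, so this shows the algebraic uniformity of the law only, not a hardened implementation.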
And more. . .
More forms . . .
More tasks than just efficient adding and doubling: tripling, re-adding, unified addition (to avoid side-channel attacks), wider applicability (e.g. include small characteristics), ...
More people . . . (sorry for not mentioning)
See also Bernstein and Lange’s EFD.
Toric forms of elliptic curves: Toric surfaces; The Newton polytope; Polytopes of genus one; New forms?
Toric surfaces
A lattice polytope ∆ is a convex polytope in $\mathbb{R}^2$ with integer vertex coordinates.
The genus of a lattice polytope is the number of lattice points in the interior of ∆.
In this example, the genus is 14.
Toric surfaces
To a lattice polytope, one can associate a surface in $\mathbb{P}^{N-1}$, where N is the total number of lattice points in ∆.
We denote this surface with $\mathbb{P}_\Delta$.
Associate to any lattice point $(i, j) \in \Delta \cap \mathbb{Z}^2$ a variable $x_{(i,j)}$.
Then the surface is defined by all homogeneous binomial relations of the form
$x_{(a,b)}^i x_{(c,d)}^j = x_{(e,f)}^k x_{(g,h)}^\ell$
for which $i(a, b) + j(c, d) = k(e, f) + \ell(g, h)$.
Toric surfaces
Example: let ∆ be the polytope
There are four variables: $x_{(0,0)}, x_{(1,0)}, x_{(0,1)}, x_{(1,1)}$, subject to the single relation
$x_{(0,0)}x_{(1,1)} = x_{(1,0)}x_{(0,1)}$.
Thus $\mathbb{P}_\Delta$ is the surface xy = zw in $\mathbb{P}^3$.
Toric surfaces
Example: let ∆ be the polytope
There are three variables: $x_{(0,0)}, x_{(1,0)}, x_{(0,1)}$, subject to no relations.
Thus $\mathbb{P}_\Delta$ is the projective plane $\mathbb{P}^2$.
Toric surfaces
Example: let ∆ be the polytope
There are four variables: $x_{(0,0)}, x_{(1,0)}, x_{(2,0)}, x_{(0,1)}$, subject to the single relation
$x_{(1,0)}^2 = x_{(0,0)}x_{(2,0)}$.
Thus $\mathbb{P}_\Delta$ is the cone $z^2 = xy$ in $\mathbb{P}^3$, which is in fact the weighted projective plane $\mathbb{P}(1, 2, 1)$.
Toric surfaces
Theorem
If ∆ = k∆′ for some smaller lattice polytope ∆′, then $\mathbb{P}_\Delta \cong \mathbb{P}_{\Delta'}$.
Thus for all triangles ∆ = (0, 0)-(0, d)-(d, 0) we have $\mathbb{P}_\Delta \cong \mathbb{P}^2$.
The Newton polytope
The Newton polytope of a bivariate polynomial is the convex hull in $\mathbb{R}^2$ of its exponent vectors.
Example: consider $f = x^3y^2 + 2y^5 - x + 4xy + 8y$.
We denote the Newton polytope with ∆(f ).
The Newton polytope
Let f be a bivariate polynomial over a field k, and let ∆(f) be its Newton polytope. Let $N = \#(\Delta(f) \cap \mathbb{Z}^2)$.
Remember: $\mathbb{P}_{\Delta(f)}$ defines a surface in $\mathbb{P}^{N-1}$ by all relations
$x_{(a,b)}^i x_{(c,d)}^j = x_{(e,f)}^k x_{(g,h)}^\ell$
for which $i(a, b) + j(c, d) = k(e, f) + \ell(g, h)$.
f(x, y) itself defines an extra relation, which cuts out a curve in $\mathbb{P}_{\Delta(f)}$.
Theorem
Generically (condition can be made explicit), this curve is the nonsingular model of f.
The Newton polytope
Example: consider L : f(x, y) = αx + βy + γ = 0. The Newton polytope generically equals ∆:
Remember that $\mathbb{P}_\Delta = \mathbb{P}^2$ (no relations).
f defines the relation
$\alpha x_{(1,0)} + \beta x_{(0,1)} + \gamma x_{(0,0)}$.
We find the projective closure (homogenization) of L in $\mathbb{P}^2$!
The Newton polytope
Example: consider $E : f(x, y) = y^2 - x^3 - Ax - B = 0$, whose Newton polytope equals ∆:
$\mathbb{P}_\Delta \subset \mathbb{P}^6$ is defined by 5 binomial relations.
f defines the additional linear relation
$x_{(0,2)} - x_{(3,0)} - Ax_{(1,0)} - Bx_{(0,0)} = 0$.
This cuts out the weighted projective form of E in $\mathbb{P}^6$!
The Newton polytope
Example: consider $f(x, y) = x^2 + y^2 - A^2(1 + x^2y^2)$, whose Newton polytope equals 2∆, where ∆ is
Remember $\mathbb{P}_\Delta \subset \mathbb{P}^3$ was defined by
$x_{(0,0)}x_{(1,1)} = x_{(1,0)}x_{(0,1)}$.
f defines the additional degree 2 relation
$x_{(1,0)}^2 + x_{(0,1)}^2 = A^2(x_{(0,0)}^2 + x_{(1,1)}^2)$.
We find the nonsingular Edwards model in $\mathbb{P}^3$!
Observation
Observation: all nonsingular forms of elliptic curves that have proven to be useful, canonically lie in a toric surface.
Plane cubics (e.g. Hessian) lie in $\mathbb{P}^2$.
Weighted Weierstrass curves lie in $\mathbb{P}(2, 3, 1)$.
Edwards curves lie in $\mathbb{P}^1 \times \mathbb{P}^1$.
Quartic Jacobian forms lie in $\mathbb{P}(1, 2, 1)$.
The genus of a curve
The genus is the most robust invariant one can associate to a curve.
Over $\mathbb{C}$, it is the number of 'holes' in the associated surface over $\mathbb{R}$.
Can be given sense over arbitrary fields.
The genus of an elliptic curve is 1, and conversely...
Modern definition of elliptic curve
An elliptic curve E over a field k is a smooth projective curve of genus 1, along with a base point $P \in E(k)$.
Theorem
Any elliptic curve E/k is isomorphic to a plane nonsingular curve defined by an equation of the form
$y^2 + a_1xy + a_0y = x^3 + b_2x^2 + b_1x + b_0$
The base point P is mapped to the unique point at infinity.
Theorem
A smooth projective curve has an algebraic group structure if and only if its genus equals 1.
Back to the Newton polytope
Theorem
If a bivariate polynomial f cuts out a nonsingular curve in $\mathbb{P}_{\Delta(f)}$, then its genus equals the genus of ∆(f).
Examples: a Weierstrass curve $y^2 = x^3 + Ax + B$, an Edwards curve $x^2 + y^2 = A^2(1 + x^2y^2)$ and a hyperelliptic curve $y^2 = x^5 + x + 1$.
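The genus claims above can be checked by counting lattice points. This added Python example (not part of the original slides) builds the Newton polytope from a polynomial's exponent vectors and counts its interior points with Pick's theorem; the function names are assumptions, and the polytope is assumed to be two-dimensional.

```python
from math import gcd

def convex_hull(points):
    """Andrew's monotone chain; hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])
    def half(seq):
        h = []
        for p in seq:
            while len(h) >= 2 and cross(h[-2], h[-1], p) <= 0:
                h.pop()               # drop points that are not strict vertices
            h.append(p)
        return h[:-1]
    return half(pts) + half(reversed(pts))

def lattice_counts(exponents):
    """(interior, boundary) lattice point counts of the Newton polytope.
    Uses Pick's theorem: area = interior + boundary / 2 - 1."""
    hull = convex_hull(exponents)
    edges = list(zip(hull, hull[1:] + hull[:1]))
    twice_area = abs(sum(x1 * y2 - x2 * y1 for (x1, y1), (x2, y2) in edges))
    boundary = sum(gcd(abs(x2 - x1), abs(y2 - y1))
                   for (x1, y1), (x2, y2) in edges)
    interior = (twice_area - boundary + 2) // 2
    return interior, boundary

def genus(exponents):
    """Genus of the polytope = number of interior lattice points."""
    return lattice_counts(exponents)[0]

def ambient_dimension(exponents):
    """N - 1, where N is the total number of lattice points in the polytope."""
    interior, boundary = lattice_counts(exponents)
    return interior + boundary - 1

# Exponent vectors (i, j) of the monomials x^i y^j, coefficients ignored.
WEIERSTRASS = [(0, 2), (3, 0), (1, 0), (0, 0)]            # y^2 - x^3 - Ax - B
EDWARDS = [(2, 0), (0, 2), (0, 0), (2, 2)]                # x^2 + y^2 - A^2(1 + x^2y^2)
HYPERELLIPTIC = [(0, 2), (5, 0), (1, 0), (0, 0)]          # y^2 - x^5 - x - 1
SLIDE_EXAMPLE = [(3, 2), (0, 5), (1, 0), (1, 1), (0, 1)]  # x^3y^2 + 2y^5 - x + 4xy + 8y

if __name__ == "__main__":
    for name, exps in [("Weierstrass", WEIERSTRASS), ("Edwards", EDWARDS),
                       ("hyperelliptic", HYPERELLIPTIC), ("slide example", SLIDE_EXAMPLE)]:
        print(name, "genus", genus(exps), "in P^%d" % ambient_dimension(exps))
```

For the Weierstrass polytope the ambient dimension comes out as 6, matching the $\mathbb{P}^6$ of the weighted projective form.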
Lattice polytopes of genus one
Theorem
Up to affine equivalence, for every genus g there is a finite number of lattice polytopes.
The lattice polytopes of genus 1 (Poonen/Rodriguez-Villegas):
New forms?
Idea: investigating these polytopes should either result in new useful forms, or provide evidence for the optimality of the Edwards form.
Tried a few examples, e.g. $f(x, y) = 1 + Axy + x^2y + xy^2$ with O = (1, −1, 0) gives relatively simple formulas, but does not beat Hessian form.
New forms?
Might serve as inspiration to define binary Edwards forms.
Problem: find a way to systematically investigate these polytopes.
Choice of O? Toric infinity provides natural choices...
How many parameters?
Which representatives? Minimal degree...
How to algorithmically count squarings and multiplications?
At least seems an interesting pool of forms to fish in.