Misplaced Pages

Doubling-oriented Doche–Icart–Kohel curve

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.
Type of elliptic curve
A Doubling-oriented Doche-Icart-Kohel curve of equation y 2 = x 3 x 2 16 x {\displaystyle y^{2}=x^{3}-x^{2}-16x}

In mathematics, the doubling-oriented Doche–Icart–Kohel curve is a form in which an elliptic curve can be written. It is a special case of the Weierstrass form and it is also important in elliptic-curve cryptography because the doubling speeds up considerably (computing as composition of 2-isogeny and its dual). It was introduced by Christophe Doche, Thomas Icart, and David R. Kohel in Efficient Scalar Multiplication by Isogeny Decompositions.

Definition

Let K {\displaystyle K} be a field and let a K {\displaystyle a\in K} . Then, the doubling-oriented Doche–Icart–Kohel curve with parameter a in affine coordinates is represented by:

y 2 = x 3 + a x 2 + 16 a x . {\displaystyle y^{2}=x^{3}+ax^{2}+16ax.}

Equivalently, in projective coordinates:

Z Y 2 = X 3 + a Z X 2 + 16 a X Z 2 , {\displaystyle ZY^{2}=X^{3}+aZX^{2}+16aXZ^{2},}

with x = X Z {\displaystyle x={\frac {X}{Z}}} and y = Y Z {\displaystyle y={\frac {Y}{Z}}} .

Since this curve is a special case of the Weierstrass form, transformations to the most common form of elliptic curve (Weierstrass form) are not needed.

Group law

It is interesting to analyze the group law in elliptic curve cryptography, defining the addition and doubling formulas, because these formulas are necessary to compute multiples of points P (see Exponentiation by squaring). In general, the group law is defined in the following way: if three points lie in the same line, then they sum up to zero. So, by this property, the group laws are different for every curve shape.

In this case, since these curves are special cases of Weierstrass curves, the addition is just the standard addition on Weierstrass curves. On the other hand, to double a point, the standard doubling formula can be used, but it would not be so fast. In this case, the neutral element is θ = (0 : 1 : 0) (in projective coordinates), for which θ = −θ. Then, if P = (x, y) is a non-trivial element (Pθ), then the inverse of this point (by addition) is −P = (x, −y).

Addition

In this case, affine coordinates will be used to define the addition formula:

( x 1 , y 1 ) + ( x 2 , y 2 ) = ( x 3 , y 3 ) , {\displaystyle (x_{1},y_{1})+(x_{2},y_{2})=(x_{3},y_{3}),}

where

x 3 = x 1 3 + ( x 2 a ) x 1 2 + ( x 2 2 + 2 a x 2 ) x 1 + y 1 2 2 y 2 y 1 x 2 3 a x 2 2 + y 2 2 x 1 2 2 x 2 x 1 + x 2 2 {\displaystyle x_{3}={\frac {-x_{1}^{3}+(x_{2}-a)x_{1}^{2}+(x_{2}^{2}+2ax_{2})x_{1}+y_{1}^{2}-2y_{2}y_{1}-x_{2}^{3}-ax_{2}^{2}+y_{2}^{2}}{x_{1}^{2}-2x_{2}x_{1}+x_{2}^{2}}}}

and y 3 = ( y 1 + 2 y 2 ) x 1 3 + ( a y 1 + ( 3 y 2 x 2 + a y 2 ) ) x 1 2 + ( ( 3 x 2 2 + 2 a x 2 ) y 1 2 a y 2 x 2 ) x 1 + ( y 1 3 3 y 2 y 1 2 + ( 2 x 2 3 a x 2 2 + 3 y 2 2 ) y 1 + ( y 2 x 2 3 + a y 2 x 2 2 y 2 3 ) ) x 1 3 + 3 x 2 x 1 2 3 x 2 2 x 1 + x 2 3 . {\displaystyle y_{3}={\frac {(-y_{1}+2y_{2})x_{1}^{3}+(-ay_{1}+(-3y_{2}x_{2}+ay_{2}))x_{1}^{2}+((3x_{2}^{2}+2ax_{2})y_{1}-2ay_{2}x_{2})x_{1}+(y_{1}^{3}-3y_{2}y_{1}^{2}+(-2x_{2}^{3}-ax_{2}^{2}+3y_{2}^{2})y_{1}+(y_{2}x_{2}^{3}+ay_{2}x_{2}^{2}-y_{2}^{3}))}{-x_{1}^{3}+3x_{2}x_{1}^{2}-3x_{2}^{2}x_{1}+x_{2}^{3}}}.}

Doubling

2 ( x 1 , y 1 ) = ( x 3 , y 3 ) {\displaystyle 2(x_{1},y_{1})=(x_{3},y_{3})} , where

x 3 = 1 / ( 4 y 1 2 x 1 4 8 a / y 1 2 x 1 2 + 64 a 2 / y 1 2 {\displaystyle x_{3}=1/(4y_{1}^{2}x_{1}^{4}-8a/y_{1}^{2}x_{1}^{2}+64a^{2}/y_{1}^{2}}

y 3 = 1 8 y 1 3 x 1 6 + a 2 + 40 a 4 y 1 3 x 1 4 + a y 1 2 + 16 a 3 640 a 2 4 y 1 3 x 1 2 + 4 a 2 y 1 2 512 a 3 y 1 3 {\displaystyle y_{3}={\frac {1}{8y_{1}^{3}}}x_{1}^{6}+{\frac {-a^{2}+40a}{4y_{1}^{3}}}x_{1}^{4}+{\frac {ay_{1}^{2}+16a^{3}-640a^{2}}{4y_{1}^{3}}}x_{1}^{2}+{\frac {-4a^{2}y_{1}^{2}-512a^{3}}{y_{1}^{3}}}}

Algorithms and examples

Addition

The fastest addition is the following one (comparing with the results given in: http://hyperelliptic.org/EFD/g1p/index.html), and the cost that it takes is 4 multiplications, 4 squaring and 10 addition.

A = Y2-Y1

AA = A

B = X2-X1

CC = B

F = X1CC

Z3 = 2CC

D = X2Z3

ZZ3 = Z3

X3 = 2(AA-F)-aZ3-D

Y3 = ((A+B)-AA-CC)(D-X3)-Y2ZZ3

Example

Let K = Q {\displaystyle K=\mathbb {Q} } . Let P=(X1,Y1)=(2,1), Q=(X2,Y2)=(1,-1) and a=1, then

A=2

AA=4

B=1

CC=1

F=2

Z3=4

D=4

ZZ3=16

X3=-4

Y3=336

Thus, P+Q=(-4:336:4)

Doubling

The following algorithm is the fastest one (see the following link to compare: http://hyperelliptic.org/EFD/g1p/index.html), and the cost that it takes is 1 multiplication, 5 squaring and 7 additions.

A = X1

B = A-a16

C = a2A

YY = Y1

YY2 = 2YY

Z3 = 2YY2

X3 = B

V = (Y1+B)2-YY-X3

Y3 = V(X3+64C+a(YY2-C))

ZZ3 = Z3

Example

Let K = Q {\displaystyle K=\mathbb {Q} } and a=1. Let P=(-1,2), then Q=P=(x3,y3) is given by:

A=1

B=-15

C=2

YY=4

YY2=8

Z3=16

X3=225

V=27

Y3=9693

ZZ3=256

Thus, Q=(225:9693:16).

Extended coordinates

The addition and doubling computations should be as fast as possible, so it is more convenient to use the following representation of the coordinates:

x , y {\displaystyle x,y} are represented by X , Y , Z , Z Z {\displaystyle X,Y,Z,ZZ} satisfying the following equations:

x = X Z {\displaystyle x={\frac {X}{Z}}}

y = Y Z Z {\displaystyle y={\frac {Y}{ZZ}}}

Z Z = Z 2 {\displaystyle ZZ=Z^{2}}

Then, the Doubling-oriented Doche–Icart–Kohel curve is given by the following equation:

Y 2 = Z X 3 + a Z 2 X 2 + 16 a Z 3 X {\displaystyle Y^{2}=ZX^{3}+aZ^{2}X^{2}+16aZ^{3}X} .

In this case, P = ( X : Y : Z : Z Z ) {\displaystyle P=(X:Y:Z:ZZ)} is a general point with inverse P = ( X : Y : Z : Z Z ) {\displaystyle -P=(X:-Y:Z:ZZ)} . Furthermore, the points over the curve satisfy: ( X : Y : Z : Z 2 ) = ( λ X : λ 2 Y : λ Z : λ 2 Z 2 ) {\displaystyle (X:Y:Z:Z^{2})=(\lambda X:\lambda ^{2}Y:\lambda Z:\lambda ^{2}Z^{2})} for all λ {\displaystyle \lambda } nonzero.

Faster doubling formulas for these curves and mixed-addition formulas were introduced by Doche, Icart and Kohel; but nowadays, these formulas are improved by Daniel J. Bernstein and Tanja Lange (see below the link of EFD).

Internal Link

For more information about the running-time required in a specific case, see Table of costs of operations in elliptic curves

Notes

  1. Christophe Doche, Thomas Icart, and David R. Kohel, Efficient Scalar Multiplication by Isogeny Decompositions

References

  • Christophe Doche, Thomas Icart and David R. Kohel (2006). "Efficient Scalar Multiplication by Isogeny Decompositions". Public Key Cryptography - PKC 2006. Lecture Notes in Computer Science. Vol. 3958. Springer Berlin / Heidelberg. pp. 191–206. doi:10.1007/11745853_13. ISBN 978-3-540-33851-2.

External links

Categories:
Doubling-oriented Doche–Icart–Kohel curve Add topic