Prime Numbers


thales.doa.fmph.uniba.sk, 10.12.2012

7.2 Elliptic arithmetic 325

with ECM, in which case inversion (mod n) for the composite n can be avoided altogether. As for explicit elliptic-curve arithmetic, we shall start for completeness with option (1), though the operations for this option are easy to infer directly from Definition 7.1.2. An important note: The operations are given here and in subsequent algorithms for underlying field $F$, although further work with "pseudocurves" as in factorization of composite $n$ involves using the ring $\mathbb{Z}_n$ with operations mod $n$ instead of mod $p$, while extension to fields $F_{p^k}$ involves straightforward polynomial or equivalent arithmetic, and so on.

Algorithm 7.2.2 (Elliptic addition: Affine coordinates). We assume an elliptic curve $E(F)$ (see note preceding this algorithm), given by the affine equation $Y^2 = X^3 + aX + b$, where $a, b \in F$ and the characteristic of the field $F$ is not equal to 2 or 3. We represent points $P$ as triples $(x, y, z)$, where for an affine point, $z = 1$ and $(x, y)$ lies on the affine curve, and for $O$, the point at infinity, $z = 0$ (the triples $(0, 1, 0)$, $(0, -1, 0)$ both standing for the same point). This algorithm provides functions for point negation, doubling, addition, and subtraction.

1. [Elliptic negate function]
   neg(P) return (x, −y, z);
2. [Elliptic double function]
   double(P) return add(P, P);
3. [Elliptic add function]
   add(P1, P2) {
     if(z1 == 0) return P2;                  // Point P1 = O.
     if(z2 == 0) return P1;                  // Point P2 = O.
     if(x1 == x2) {
       if(y1 + y2 == 0) return (0, 1, 0);    // i.e., return O.
       m = (3x1^2 + a)(2y1)^(−1);            // Inversion in the field F.
     } else {
       m = (y2 − y1)(x2 − x1)^(−1);          // Inversion in the field F.
     }
     x3 = m^2 − x1 − x2;
     return (x3, m(x1 − x3) − y1, 1);
   }
4. [Elliptic subtract function]
   sub(P1, P2) return add(P1, neg(P2));

In the case of option (2) using ordinary projective coordinates, consider the curve $Y^2 Z = X^3 + aXZ^2 + bZ^3$ and points $P_i = [X_i, Y_i, Z_i]$ for $i = 1, 2$. Rule (5) of Definition 7.1.2, for $P_1 + P_2$ when $P_1 \neq \pm P_2$ and neither $P_1, P_2$ is $O$, becomes $P_3 = P_1 + P_2 = [X_3, Y_3, Z_3]$, where

$$X_3 = \alpha(\gamma^2 \zeta - \alpha^2 \beta),$$
$$Y_3 = \tfrac{1}{2}\left(\gamma(3\alpha^2 \beta - \gamma^2 \zeta) - \alpha^3 \delta\right),$$
$$Z_3 = \alpha^3 \zeta,$$

and

$$\alpha = X_2 Z_1 - X_1 Z_2,\quad \beta = X_2 Z_1 + X_1 Z_2,\quad \gamma = Y_2 Z_1 - Y_1 Z_2,\quad \delta = Y_2 Z_1 + Y_1 Z_2,\quad \zeta = Z_1 Z_2.$$

By holding on to the intermediate calculations of $\alpha^2, \alpha^3, \alpha^2\beta, \gamma^2\zeta$, the coordinates of $P_1 + P_2$ may be computed in 14 field multiplications and 8 field additions (multiplication by $1/2$ can generally be accomplished by a shift or an add and a shift). In the case of doubling a point by rule (5), if $[2]P \neq O$, the projective equations for $[2]P = [2][X, Y, Z] = [X', Y', Z']$ are

$$X' = \nu(\mu^2 - 2\lambda\nu),$$
$$Y' = \mu(3\lambda\nu - \mu^2) - 2Y^2\nu^2,$$
$$Z' = \nu^3,$$

where

$$\lambda = 2XY,\quad \mu = 3X^2 + aZ^2,\quad \nu = 2YZ.$$

So doubling can be accomplished in 13 field multiplications and 4 field additions. In both adding and doubling, no field inversions of variables are necessary.

When using projective coordinates and starting from a given affine point $(u, v)$, one easily creates projective coordinates by tacking on a 1 at the end, namely, creating the projective point $[u, v, 1]$. If one wishes to recover an affine point from $[X, Y, Z]$ at the end of a long calculation, and if this is not the point at infinity, one computes $Z^{-1}$ in the field, and has the affine point $(XZ^{-1}, YZ^{-1})$.

We shall see that option (3) also avoids field inversions. In comparison with option (2), the addition for option (3) is more expensive, but the doubling for option (3) is cheaper. Since in a typical elliptic multiplication $[n]P$ we would expect about twice as many doublings as additions, one can see that option (3) could well be preferable to option (2). Recalling the notation, we understand $\langle X, Y, Z \rangle$ to be the affine point $(X/Z^2, Y/Z^3)$ on $y^2 = x^3 + ax + b$ if $Z \neq 0$, and we understand $\langle 0, 1, 0 \rangle$ to be the point at infinity. Again, if we start with an affine point $(u, v)$ on the curve and wish to convert to modified projective coordinates, we just tack on a 1 at the end, creating the point $\langle u, v, 1 \rangle$. And if one has a modified projective point $\langle X, Y, Z \rangle$ that is not the point at infinity, and one wishes to find the affine point corresponding to it, one computes $Z^{-1}, Z^{-2}, Z^{-3}$ and the affine point $(XZ^{-2}, YZ^{-3})$. The following algorithm performs the algebra for modified projective coordinates, option (3).
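As an added example (not the book's own code), the following Python implements Algorithm 7.2.2 over a small constructed prime field and, beside it, the option (2) projective addition and doubling formulas above, with the final conversion back to affine so the two routes can be compared on the same points. The curve $y^2 = x^3 + x + 1$ over $F_{23}$ and the test points are constructed; the projective $Y_3$ is coded with a coefficient 2 on the $\gamma^2\zeta$ term, because with the formula exactly as printed above the sum $(0,1) + (1,7)$ comes out with the wrong $y$-coordinate, so treat that 2 as this example's correction rather than the text's.

```python
# Added example, not from the book: Algorithm 7.2.2 (affine, option 1) beside
# the option (2) projective add/double formulas, over the constructed curve
# y^2 = x^3 + x + 1 on F_23 (a = 1, b = 1); all values here are illustrative.
p, a, b = 23, 1, 1

def inv(v):             # field inversion: the step projective arithmetic avoids
    return pow(v, -1, p)

def neg(P):             # step 1: neg(P)
    x, y, z = P
    return (x, (-y) % p, z)

def add(P1, P2):        # step 3: affine add; z = 0 encodes O
    x1, y1, z1 = P1
    x2, y2, z2 = P2
    if z1 == 0: return P2                          # P1 = O
    if z2 == 0: return P1                          # P2 = O
    if x1 == x2:
        if (y1 + y2) % p == 0: return (0, 1, 0)    # P1 = -P2, return O
        m = (3 * x1 * x1 + a) * inv(2 * y1) % p    # tangent slope (doubling)
    else:
        m = (y2 - y1) * inv(x2 - x1) % p           # chord slope
    x3 = (m * m - x1 - x2) % p
    return (x3, (m * (x1 - x3) - y1) % p, 1)

def proj_add(P1, P2):   # option (2): [X, Y, Z]; assumes P1 != +-P2, neither is O
    X1, Y1, Z1 = P1
    X2, Y2, Z2 = P2
    al, be = (X2 * Z1 - X1 * Z2) % p, (X2 * Z1 + X1 * Z2) % p
    ga, de = (Y2 * Z1 - Y1 * Z2) % p, (Y2 * Z1 + Y1 * Z2) % p
    ze = Z1 * Z2 % p
    a2, a3, g2z = al * al % p, al ** 3 % p, ga * ga * ze % p   # reused intermediates
    X3 = al * (g2z - a2 * be) % p
    # coefficient 2 on gamma^2 zeta: this example's correction, needed to agree with add()
    Y3 = (ga * (3 * a2 * be - 2 * g2z) - a3 * de) * inv(2) % p
    return (X3, Y3, a3 * ze % p)

def proj_double(P):     # option (2) doubling; assumes [2]P != O
    X, Y, Z = P
    lam, mu, nu = 2 * X * Y % p, (3 * X * X + a * Z * Z) % p, 2 * Y * Z % p
    Xp = nu * (mu * mu - 2 * lam * nu) % p
    Yp = (mu * (3 * lam * nu - mu * mu) - 2 * Y * Y * nu * nu) % p
    return (Xp, Yp, nu ** 3 % p)

def to_affine(P):       # one inversion at the very end: (X Z^-1, Y Z^-1)
    X, Y, Z = P
    zi = inv(Z)
    return (X * zi % p, Y * zi % p, 1)
```

Both projective routines never call inv() on a coordinate; only to_affine() does, once, which is the point the section makes about options (2) and (3).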

