Prime Numbers


thales.doa.fmph.uniba.sk, 10.12.2012

7.2 Elliptic arithmetic 327

Algorithm 7.2.3 (Elliptic addition: Modified projective coordinates). We assume an elliptic curve $E(F)$ over a field $F$ with characteristic $\neq 2, 3$ (but see the note preceding Algorithm 7.2.2), given by the affine equation $y^2 = x^3 + ax + b$. For modified projective points of the general form $P = \langle X, Y, Z \rangle$, with $\langle 0, 1, 0 \rangle$, $\langle 0, -1, 0 \rangle$ both denoting the point at infinity $P = O$, this algorithm provides functions for point negation, doubling, addition, and subtraction.

1. [Elliptic negate function]
   neg($P$) return $\langle X, -Y, Z \rangle$;
2. [Elliptic double function]
   double($P$) {
      if($Y == 0$ or $Z == 0$) return $\langle 0, 1, 0 \rangle$;
      $M = (3X^2 + aZ^4)$;
      $S = 4XY^2$;
      $X' = M^2 - 2S$;
      $Y' = M(S - X') - 8Y^4$;
      $Z' = 2YZ$;
      return $\langle X', Y', Z' \rangle$;
   }
3. [Elliptic add function]
   add($P_1, P_2$) {
      if($Z_1 == 0$) return $P_2$; // Point $P_1 = O$.
      if($Z_2 == 0$) return $P_1$; // Point $P_2 = O$.
      $U_1 = X_2 Z_1^2$;
      $U_2 = X_1 Z_2^2$;
      $S_1 = Y_2 Z_1^3$;
      $S_2 = Y_1 Z_2^3$;
      $W = U_1 - U_2$;
      $R = S_1 - S_2$;
      if($W == 0$) { // x-coordinates match.
         if($R == 0$) return double($P_1$);
         return $\langle 0, 1, 0 \rangle$;
      }
      $T = U_1 + U_2$;
      $M = S_1 + S_2$;
      $X_3 = R^2 - TW^2$;
      $Y_3 = \frac{1}{2}\left((TW^2 - 2X_3)R - MW^3\right)$;
      $Z_3 = Z_1 Z_2 W$;
      return $\langle X_3, Y_3, Z_3 \rangle$;
   }
4. [Elliptic subtract function]
   sub($P_1, P_2$) { return add($P_1$, neg($P_2$)); }

It should be stressed that in all of our elliptic addition algorithms, if arithmetic is in $\mathbf{Z}_n$, modular reductions are taken whenever intermediate numbers exceed the modulus. This option (3) algorithm (modified projective coordinates) obviously has more field multiplications than does option (1) (affine coordinates), but as we have said, the idea is to avoid inversions (see Exercise 7.9). It is to be understood that in implementing Algorithm 7.2.3 one should save some of the intermediate calculations for further use; not all of these are explicitly described in our algorithm display above. In particular,

328 Chapter 7 ELLIPTIC CURVE ARITHMETIC

for the elliptic add function, the value $W^2$ used for $X_3$ is recalled in the calculation of $W^3$ needed for $Y_3$, as is the value of $TW^2$. If such care is taken, the function double() consumes 10 field multiplications. (However, for small $a$ or the special case $a = -3$ in the field, this count of 10 can be reduced further; see Exercise 7.10.) The general addition function add(), on the other hand, requires 16 field multiplications, but there is an important modification of this estimate: when $Z_1 = 1$ only 11 multiplies are required. And this side condition is very common; in fact, it is forced to hold within certain classes of multiplication ladders. (In the case of ordinary projective coordinates discussed before Algorithm 7.2.3, assuming $Z_1 = 1$ reduces the 14 multiplies necessary for general addition also to 11.)

Having discussed options (1), (2), (3) for elliptic arithmetic, we are now at an appropriate juncture to discuss elliptic multiplication, the problem of evaluating $[n]P$ for integer $n$ acting on points $P \in E$. One can, of course, use Algorithm 2.1.5 for this purpose. However, since doubling is so much cheaper than adding two unequal points, and since subtracting has the same cost as adding, the method of choice is a modified binary ladder, the so-called addition–subtraction ladder. For most numbers $n$ the ratio of doublings to addition–subtraction operations is higher than for standard binary ladders as in Algorithm 2.1.5, and the overall number of calls to elliptic arithmetic is lower. Such a method is good whenever the group inverse (i.e., negation) is easy—for elliptic curves one just flips the sign of the $y$-coordinate. (Note that a yet different ladder approach to elliptic multiplication will be exhibited later, as Algorithm 7.2.7.)

Algorithm 7.2.4 (Elliptic multiplication: Addition–subtraction ladder). This algorithm assumes functions double(), add(), sub() from either Algorithm 7.2.2 or 7.2.3, and performs the elliptic multiplication $[n]P$ for nonnegative integer $n$ and point $P \in E$. We assume a $B$-bit binary representation of $m = 3n$ as a sequence of bits $(m_{B-1}, \ldots, m_0)$, and a corresponding $B$-bit representation $(n_j)$ for $n$ (which representation is zero-padded on the left to $B$ bits), with $B = 0$ for $n = 0$ understood.

1. [Initialize]
   if($n == 0$) return $O$; // Point at infinity.
   $Q = P$;
2. [Compare bits of $3n$, $n$]
   for($B - 2 \ge j \ge 1$) {
      $Q$ = double($Q$);
      if($(m_j, n_j) == (1, 0)$) $Q$ = add($Q, P$);
      if($(m_j, n_j) == (0, 1)$) $Q$ = sub($Q, P$);
   }
   return $Q$;

The proof that this algorithm works is encountered later as Exercise 9.30. There is a fascinating open research area concerning the best way to construct a ladder. See Exercise 9.77 in this regard.
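As an added example (editor's code, not the book's), the following Python puts Algorithm 7.2.3 and Algorithm 7.2.4 side by side over a toy prime field and checks the multiplication counts the text quotes. The field $\mathbf{F}_{97}$, the curve $y^2 = x^3 + 2x + 3$ and the base point $(3, 6)$ are constructed for this example; the book fixes none of them. A counter on the field multiply confirms 10 multiplications for double(), 16 for add() and 11 for add() when one operand has $Z = 1$, and the ladder's $[n]P$ is cross-checked against plain affine repeated addition for every $n < 60$.

```python
# Added example, not from the book: Algorithms 7.2.3 (Jacobian / "modified projective"
# arithmetic) and 7.2.4 (addition-subtraction ladder) over a toy prime field, with a
# multiplication counter to check the 10 / 16 / 11 figures quoted in the text.
P_MOD = 97         # assumption: toy field F_97 (any odd prime works)
A_COEF = 2         # assumption: curve y^2 = x^3 + 2x + 3 over F_97; (3, 6) lies on it
INF = (0, 1, 0)    # <0, 1, 0> denotes the point at infinity O
_mults = 0         # field multiplications/squarings performed so far (see mul)

def mul(a, b):     # the only counted operation; multiples by 2, 3, 4, 8 are additions
    global _mults
    _mults += 1
    return a * b % P_MOD

def half(x):       # x / 2 in F_p with no multiplication: p is odd, so x + p is even for odd x
    return (x + P_MOD if x & 1 else x) >> 1

def neg(pt):
    return (pt[0], (-pt[1]) % P_MOD, pt[2])

def double(pt):    # Algorithm 7.2.3 step 2: 10 multiplications once Y^2 and Z^2 are reused
    X, Y, Z = pt
    if Y == 0 or Z == 0:
        return INF
    Y2, Z2 = mul(Y, Y), mul(Z, Z)
    M = (3 * mul(X, X) + mul(A_COEF, mul(Z2, Z2))) % P_MOD
    S = 4 * mul(X, Y2) % P_MOD
    X3 = (mul(M, M) - 2 * S) % P_MOD
    Y3 = (mul(M, S - X3) - 8 * mul(Y2, Y2)) % P_MOD
    return (X3, Y3, 2 * mul(Y, Z) % P_MOD)

def add(p1, p2):   # Algorithm 7.2.3 step 3: 16 multiplications, 11 when an operand has Z = 1
    if p1[2] == 0 or p2[2] == 0:
        return p2 if p1[2] == 0 else p1
    if p2[2] == 1 and p1[2] != 1:   # addition commutes: put the Z = 1 operand first
        p1, p2 = p2, p1
    (X1, Y1, Z1), (X2, Y2, Z2) = p1, p2
    if Z1 == 1:                     # Z1^2 = Z1^3 = 1, so five multiplications vanish
        U1, S1, Z1Z2 = X2, Y2, Z2
    else:
        Z1sq = mul(Z1, Z1)
        U1, S1, Z1Z2 = mul(X2, Z1sq), mul(Y2, mul(Z1, Z1sq)), mul(Z1, Z2)
    Z2sq = mul(Z2, Z2)
    U2, S2 = mul(X1, Z2sq), mul(Y1, mul(Z2, Z2sq))
    W, R = (U1 - U2) % P_MOD, (S1 - S2) % P_MOD
    if W == 0:                      # same x-coordinate: a doubling, or P1 = -P2 giving O
        return double(p1) if R == 0 else INF
    T, M = (U1 + U2) % P_MOD, (S1 + S2) % P_MOD
    Wsq = mul(W, W)
    TWsq, Wcu = mul(T, Wsq), mul(W, Wsq)   # both saved and reused, as the text advises
    X3 = (mul(R, R) - TWsq) % P_MOD
    Y3 = half((mul(TWsq - 2 * X3, R) - mul(M, Wcu)) % P_MOD)
    return (X3, Y3, mul(Z1Z2, W))

def ladder(n, P):  # Algorithm 7.2.4: compare the bits of 3n and n from bit B-2 down to bit 1
    if n == 0:
        return INF
    m, Q = 3 * n, P
    for j in range(m.bit_length() - 2, 0, -1):
        Q = double(Q)
        mj, nj = (m >> j) & 1, (n >> j) & 1
        if (mj, nj) == (1, 0):
            Q = add(Q, P)
        elif (mj, nj) == (0, 1):
            Q = add(Q, neg(P))      # sub(Q, P) in the book's notation
    return Q

def to_affine(pt): # <X, Y, Z> -> (X/Z^2, Y/Z^3), None for O; the one inversion, done once
    X, Y, Z = pt
    if Z == 0:
        return None
    zi = pow(Z, -1, P_MOD)
    return (X * zi * zi % P_MOD, Y * zi * zi * zi % P_MOD)

def affine_add(p, q):   # textbook affine formulas, one inversion per call; reference only
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def count_mults(fn, *args):   # run fn and report how many field multiplications it made
    global _mults
    _mults = 0
    fn(*args)
    return _mults

def check_ladder(P, max_n=60):   # does the ladder agree with affine arithmetic for n < max_n?
    acc, ok = None, True          # acc = affine [n]P, built by repeated affine addition
    for n in range(max_n):
        ok = ok and to_affine(ladder(n, P)) == acc
        acc = affine_add(acc, to_affine(P))
    return ok
```

Calling `check_ladder((3, 6, 1))` returns True, and `count_mults(double, (3, 6, 1))`, `count_mults(add, (12, 48, 2), double((3, 6, 1)))` and `count_mults(add, double((3, 6, 1)), (3, 6, 1))` return 10, 16 and 11; the tuple `(12, 48, 2)` is the same point $(3, 6)$ rescaled to $Z = 2$ so that both operands of the general add have $Z \neq 1$. Note that the ladder's sequence of add and sub calls is a function of the bits of $n$, so its running time and branch pattern reveal $n$; that is harmless for the factoring and primality-proving uses this chapter has in mind, but a scalar that must stay secret calls for a ladder whose operation sequence does not depend on it (a Montgomery ladder, for instance).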

