Prime Numbers


thales.doa.fmph.uniba.sk, 10.12.2012

7.2 Elliptic arithmetic 329

Before we discuss option (4) for elliptic arithmetic, we bring in an extraordinarily useful idea, one that has repercussions far beyond option (4).

Definition 7.2.5. If $E(F)$ is an elliptic curve over a field $F$, governed by the equation $y^2 = x^3 + Cx^2 + Ax + B$, and $g$ is a nonzero element of $F$, then the quadratic twist of $E$ by $g$ is the elliptic curve over $F$ governed by the equation $gy^2 = x^3 + Cx^2 + Ax + B$. By a change of variables $X = gx$, $Y = g^2 y$, the Weierstrass form for this twist curve is

$$Y^2 = X^3 + gCX^2 + g^2 AX + g^3 B.$$

We shall find that in some contexts it will be useful to leave the curve in the form $gy^2 = x^3 + Cx^2 + Ax + B$, and in other contexts, we shall wish to use the equivalent Weierstrass form.

An immediate observation is that if $g, h$ are nonzero elements of the field $F$, then the quadratic twist of an elliptic curve by $g$ gives a group isomorphic to the quadratic twist of the curve by $gh^2$. (Indeed, just let a new variable $Y$ be $hy$. To see that the groups are isomorphic, a simple check of the formulae involved suffices.) Thus, if $\mathbb{F}_q$ is a finite field, there is really only one quadratic twist of an elliptic curve $E(\mathbb{F}_q)$ that is different from the curve itself. This follows, since if $g$ is not a square in $\mathbb{F}_q$, then as $h$ runs over the nonzero elements of $\mathbb{F}_q$, $gh^2$ runs over all of the nonsquares. This unique nontrivial quadratic twist of $E(\mathbb{F}_q)$ is sometimes denoted by $E'(\mathbb{F}_q)$, especially when we are not particularly interested in which nonsquare is involved in the twist.

Now for option (4), homogeneous coordinates with "Y" dropped. We shall discuss this for a twist curve $gy^2 = x^3 + Cx^2 + Ax + B$; see Definition 7.2.5. We first develop the idea using affine coordinates. Suppose $P_1, P_2$ are affine points on an elliptic curve $E(F)$ with $P_1 \neq \pm P_2$. One can write down via Definition 7.1.2 (generalized for the presence of "g") expressions for $x_+, x_-$, namely, the $x$-coordinates of $P_1 + P_2$ and $P_1 - P_2$, respectively. If these expressions are multiplied, one sees that the $y$-coordinates of $P_1, P_2$ appear only to even powers, and so may be replaced by $x$-expressions, using the defining curve $gy^2 = x^3 + Cx^2 + Ax + B$. Somewhat miraculously the resulting expression is subject to much cancellation, including the disappearance of the parameter $g$. The equations are stated in the following result from [Montgomery 1987, 1992a], though we generalize them here to a quadratic twist of any curve that is given by equation (7.5).

Theorem 7.2.6 (Generalized Montgomery identities). Given an elliptic curve $E$ determined by the cubic $gy^2 = x^3 + Cx^2 + Ax + B$, and two points $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$, neither being $O$, denote by $x_\pm$ respectively the $x$-coordinates of $P_1 \pm P_2$. Then if $x_1 \neq x_2$, we have

$$x_+ x_- = \frac{(x_1 x_2 - A)^2 - 4B(x_1 + x_2 + C)}{(x_1 - x_2)^2},$$

330 Chapter 7 ELLIPTIC CURVE ARITHMETIC

whereas if $x_1 = x_2$ and $2P_1 \neq O$, we have

$$x_+ = \frac{(x_1^2 - A)^2 - 4B(2x_1 + C)}{4(x_1^3 + Cx_1^2 + Ax_1 + B)}.$$

Note that $g$ is irrelevant in the theorem, in the sense that the algebra for combining $x$-coordinates is independent of $g$; in fact, one would only use $g$ if a particular starting $y$-coordinate were involved, but of course the main thrust of Montgomery parameterization is to ignore $y$-coordinates. We remind ourselves that the case $C = 0$ reduces to the ordinary Weierstrass form given by (7.4). However, as Montgomery noted, the case $B = 0$ is especially pleasant: For example, we have the simple relation

$$x_+ x_- = \frac{(x_1 x_2 - A)^2}{(x_1 - x_2)^2}.$$

We shall see in what follows how this sort of relation leads to computationally efficient elliptic algebra.

The idea is to use an addition chain to arrive at $[n]P$, where whenever we are to add two unequal points $P_1, P_2$, we happen to know already what $P_1 - P_2$ is. This magic is accomplished via the Lucas chain already discussed in Section 3.6.3. In the current notation, we will have at intermediate steps a pair $[k]P, [k+1]P$, and from this we shall form either the pair $[2k]P, [2k+1]P$ or the pair $[2k+1]P, [2k+2]P$, depending on the bits of $n$. In either case, we perform one doubling and one addition. And for the addition, we already know the difference of the two points added, namely $P$ itself.

To avoid inversions, we adopt the homogeneous coordinates of option (2), but we drop the "Y" coordinate. Since the coordinates are homogeneous, when we have the pair $[X : Z]$, it is only the ratio $X/Z$ that is determined (when $Z \neq 0$). The point at infinity is recognized as the pair $[0 : 0]$. Suppose we have points $P_1, P_2$ in homogeneous coordinates on an elliptic curve given by equation (7.5), and $P_1, P_2$ are not $O$, $P_1 \neq P_2$. If

$$P_1 = [X_1, Y_1, Z_1], \quad P_2 = [X_2, Y_2, Z_2], \quad P_1 + P_2 = [X_+, Y_+, Z_+], \quad P_1 - P_2 = [X_-, Y_-, Z_-],$$

then on the basis of Theorem 7.2.6 it is straightforward to establish, in the case that $X_- \neq 0$, that we may take

$$X_+ = Z_- \left( (X_1 X_2 - AZ_1 Z_2)^2 - 4B(X_1 Z_2 + X_2 Z_1 + CZ_1 Z_2) Z_1 Z_2 \right), \qquad (7.6)$$

$$Z_+ = X_- (X_1 Z_2 - X_2 Z_1)^2.$$

These equations define the pair $X_+, Z_+$ as a function of the six quantities $X_1, Z_1, X_2, Z_2, X_-, Z_-$, with $Y_1, Y_2$ being completely irrelevant. We denote this function by

$$[X_+ : Z_+] = \mathrm{addh}([X_1 : Z_1], [X_2 : Z_2], [X_- : Z_-]),$$
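As an added example (not code from the book), the following Python implements addh from equation (7.6) together with the doubling identity of Theorem 7.2.6 in homogeneous form, runs the Lucas-chain ladder described above, and checks the y-free result against ordinary affine arithmetic. The prime p = 1009, the curve coefficients C, A, B and the base point (2, 5) are constructed for illustration, with g = 1 so the affine cross-check stays simple.

```python
# Added example, not from the book: x-only arithmetic on g*y^2 = x^3 + C*x^2 + A*x + B
# over F_p using addh of (7.6), Theorem 7.2.6 doubling and the Lucas chain ([k]P, [k+1]P).
p = 1009                   # constructed small prime; g = 1 so the affine cross-check is easy
C, A, B = 1, 2, 9          # constructed curve: (2, 5) lies on y^2 = x^3 + x^2 + 2x + 9 mod p

def addh(P1, P2, D):       # [X+ : Z+] from [X1 : Z1], [X2 : Z2], difference D = [X- : Z-]
    (X1, Z1), (X2, Z2), (Xd, Zd) = P1, P2, D
    t = (X1 * X2 - A * Z1 * Z2) ** 2 - 4 * B * (X1 * Z2 + X2 * Z1 + C * Z1 * Z2) * Z1 * Z2
    return (Zd * t % p, Xd * (X1 * Z2 - X2 * Z1) ** 2 % p)          # equation (7.6)

def dblh(P):               # [2]P from [X : Z]: the x1 = x2 case of Theorem 7.2.6, x1 = X/Z
    X, Z = P
    num = (X * X - A * Z * Z) ** 2 - 4 * B * Z ** 3 * (2 * X + C * Z)
    den = 4 * Z * (X ** 3 + C * X * X * Z + A * X * Z * Z + B * Z ** 3)
    return (num % p, den % p)                  # Z = 0 means the point O

def ladder_x(x, n):
    """x-coordinate of [n]P (n >= 1) computed from x(P) alone; None stands for O."""
    P = (x % p, 1)
    R0, R1 = P, dblh(P)                        # the pair ([1]P, [2]P)
    for bit in bin(n)[3:]:                     # remaining bits of n, high to low
        if bit == '0':
            R0, R1 = dblh(R0), addh(R0, R1, P) # ([2k]P, [2k+1]P); difference is P
        else:
            R0, R1 = addh(R0, R1, P), dblh(R1) # ([2k+1]P, [2k+2]P); difference is P
    return None if R0[1] == 0 else R0[0] * pow(R0[1], -1, p) % p

def affine_add(P, Q):
    """Ordinary group law on y^2 = x^3 + C*x^2 + A*x + B (g = 1); None is O."""
    if P is None or Q is None: return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                            # P = -Q, including y = 0 doubling
    if P == Q:
        lam = (3 * x1 * x1 + 2 * C * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - C - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def affine_mul(P, n):                          # plain double-and-add, needs y
    R = None
    for bit in bin(n)[2:]:
        R = affine_add(R, R)
        if bit == '1': R = affine_add(R, P)
    return R

def check(n):                                  # does the y-free ladder agree with affine [n](2, 5)?
    Q = affine_mul((2, 5), n)
    return ladder_x(2, n) == (None if Q is None else Q[0])
```

Because the ladder keeps the difference of every pair it adds equal to P, the addh inputs never coincide before [n]P itself is reached, so the comparison holds for every n up to the order of the base point.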

