The elliptic-curve zoo. D. J. Bernstein, University of Illinois at Chicago (slide transcript)
  1. The elliptic-curve zoo. D. J. Bernstein, University of Illinois at Chicago.

  2. EC point counting. 1983 (published 1985) Schoof: Algorithm to count points on elliptic curves over finite fields. Input: prime power q; a, b ∈ F_q such that 6(4a^3 + 27b^2) ≠ 0. Output: #{(x, y) ∈ F_q × F_q : y^2 = x^3 + ax + b} + 1; i.e., #E(F_q) where E is the elliptic curve y^2 = x^3 + ax + b. Time: (log q)^O(1).

  3. Elliptic curves everywhere 1984 (published 1987) Lenstra: ECM, the elliptic-curve method of factoring integers. 1984 (published 1985) Miller, and independently 1984 (published 1987) Koblitz: ECC, elliptic-curve cryptography. Bosma, Goldwasser–Kilian, Chudnovsky–Chudnovsky, Atkin: elliptic-curve primality proving. These applications are different but share many optimizations.

  4. Representing curve points. Crypto 1985, Miller, “Use of elliptic curves in cryptography”: Given n ∈ Z, P ∈ E(F_q), division-polynomial recurrence computes nP ∈ E(F_q) “in 26 log_2 n multiplications”; but can do better! “It appears to be best to represent the points on the curve in the following form: Each point is represented by the triple (x, y, z) which corresponds to the point (x/z^2, y/z^3).”

  5. 1986 Chudnovsky–Chudnovsky, “Sequences of numbers generated by addition in formal groups and new primality and factorization tests”: “The crucial problem becomes the choice of the model of an algebraic group variety, where computations mod p are the least time consuming.” Most important computations: ADD is P, Q ↦ P + Q. DBL is P ↦ 2P.

  6. “It is preferable to use models of elliptic curves lying in low-dimensional spaces, for otherwise the number of coordinates and operations is increasing. This limits us ... to 4 basic models of elliptic curves.” Short Weierstrass: y^2 = x^3 + ax + b. Jacobi intersection: s^2 + c^2 = 1, as^2 + d^2 = 1. Jacobi quartic: y^2 = x^4 + 2ax^2 + 1. Hessian: x^3 + y^3 + 1 = 3dxy.

  7. Some Newton polygons. [Figure: Newton polygons of the Short Weierstrass, Montgomery, Jacobi quartic, Hessian, Edwards and Binary Edwards models; the drawing itself did not survive in this transcript.]

  8. Optimizing Jacobian coordinates. For “traditional” (X/Z^2, Y/Z^3) on y^2 = x^3 + ax + b: 1986 Chudnovsky–Chudnovsky state explicit formulas using 10M for DBL; 16M for ADD. Consequence: ≈ (10 lg n + 16 lg n / lg lg n) M to compute n, P ↦ nP using the “sliding windows” method of scalar multiplication. Notation: lg = log_2; M is the cost of multiplying in F_q.

  9. Squaring is faster than M. Here are the DBL formulas: S = 4X_1·Y_1^2; M = 3X_1^2 + aZ_1^4; T = M^2 − 2S; X_3 = T; Y_3 = M·(S − T) − 8Y_1^4; Z_3 = 2Y_1·Z_1. Total cost 3M + 6S + 1D where S is the cost of squaring in F_q, D is the cost of multiplying by a. The squarings produce X_1^2, Y_1^2, Y_1^4, Z_1^2, Z_1^4, M^2.

  10. Most ECC standards choose curves that make formulas faster. Curve-choice advice from 1986 Chudnovsky–Chudnovsky: Can eliminate the 1D by choosing a curve with a = 1. But “it is even smarter” to choose a curve with a = −3. If a = −3 then M = 3(X_1^2 − Z_1^4) = 3(X_1 − Z_1^2)·(X_1 + Z_1^2). Replace 2S with 1M. Now DBL costs 4M + 4S.

  11. 2001 Bernstein: 3M + 5S for DBL. 11M + 5S for ADD. How? Easy S−M tradeoff: instead of computing 2Y_1·Z_1, compute (Y_1 + Z_1)^2 − Y_1^2 − Z_1^2. DBL formulas were already computing Y_1^2 and Z_1^2. Same idea for the ADD formulas, but have to scale X, Y, Z to eliminate divisions by 2.

  12. ADD for y^2 = x^3 + ax + b: U_1 = X_1Z_2^2, U_2 = X_2Z_1^2, S_1 = Y_1Z_2^3, S_2 = Y_2Z_1^3, many more computations. 1986 Chudnovsky–Chudnovsky: “We suggest to write addition formulas involving (X, Y, Z, Z^2, Z^3).” Disadvantages: Allocate space for Z^2, Z^3. Pay 1S + 1M in ADD and in DBL. Advantages: Save 2S + 2M at start of ADD. Save 1S at start of DBL.

  13. 1998 Cohen–Miyaji–Ono: Store point as (X : Y : Z). If point is input to ADD, also cache Z^2 and Z^3. No cost, aside from space. If point is input to another ADD, reuse Z^2, Z^3. Save 1S + 1M! Best Jacobian speeds today, including S−M tradeoffs: 3M + 5S for DBL if a = −3. 11M + 5S for ADD. 10M + 4S for reADD. 7M + 4S for mADD (i.e. Z_2 = 1).
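Worked example for slides 9 through 13, added here and not part of the slide deck: the Jacobian DBL of slide 9 with the a = −3 rewrite of M (slide 10) and the (Y_1 + Z_1)^2 − Y_1^2 − Z_1^2 tradeoff (slide 11), plus an ADD that starts from the U_1, U_2, S_1, S_2 of slide 12 and continues with the standard completion (H = U_2 − U_1, r = S_2 − S_1), which the slide only alludes to. The prime 101, the curve y^2 = x^3 − 3x + 6 and the base point (1, 2) are constructed toy values, not any standard curve, and every function name is mine. Plain affine chord-and-tangent arithmetic serves as the reference.

```python
# Added example (not from the slides): Jacobian DBL/ADD for y^2 = x^3 + ax + b
# with a = -3, checked against affine arithmetic over a constructed toy field.
from functools import reduce

P_MOD = 101            # toy prime field F_101 (constructed)
A = P_MOD - 3          # a = -3, the "even smarter" choice on slide 10
B = 6                  # b chosen so that (1, 2) lies on the curve (constructed)
BASE = (1, 2)          # constructed base point: 2^2 = 1^3 - 3*1 + 6 (mod 101)

def inv(v):
    return pow(v, P_MOD - 2, P_MOD)

def on_curve(pt):
    if pt is None:                      # None stands for the point at infinity
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0

def affine_add(pt1, pt2):
    """Reference chord-and-tangent addition, one field inversion per call."""
    if pt1 is None:
        return pt2
    if pt2 is None:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None                                   # P + (-P)
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD     # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD            # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def affine_mult(n, pt):
    return reduce(affine_add, [pt] * n, None)

# Jacobian coordinates: (X : Y : Z) is the affine point (X/Z^2, Y/Z^3).
def jac_dbl(X1, Y1, Z1):
    """Slide-9 DBL with M = 3(X1 - Z1^2)(X1 + Z1^2) (valid only for a = -3)
    and Z3 = (Y1 + Z1)^2 - Y1^2 - Z1^2 instead of 2*Y1*Z1: 3M + 5S."""
    YY = Y1 * Y1 % P_MOD                                  # S
    ZZ = Z1 * Z1 % P_MOD                                  # S
    S = 4 * X1 * YY % P_MOD                               # M
    M = 3 * (X1 - ZZ) * (X1 + ZZ) % P_MOD                 # M (replaces 2S + 1D)
    T = (M * M - 2 * S) % P_MOD                           # S
    Y3 = (M * (S - T) - 8 * YY * YY) % P_MOD              # M + S (Y1^4 = (Y1^2)^2)
    Z3 = ((Y1 + Z1) ** 2 - YY - ZZ) % P_MOD               # S, equals 2*Y1*Z1
    return (T, Y3, Z3)

def jac_add(X1, Y1, Z1, X2, Y2, Z2):
    """Slide-12 ADD: U1, U2, S1, S2 as on the slide, then the standard
    completion. The formula has no case for equal inputs, so that case is
    routed to jac_dbl; P + (-P) returns the point at infinity (Z = 0)."""
    if Z1 == 0:
        return (X2, Y2, Z2)
    if Z2 == 0:
        return (X1, Y1, Z1)
    Z1Z1, Z2Z2 = Z1 * Z1 % P_MOD, Z2 * Z2 % P_MOD         # the Z^2 a caller could cache
    U1, U2 = X1 * Z2Z2 % P_MOD, X2 * Z1Z1 % P_MOD
    S1, S2 = Y1 * Z2 * Z2Z2 % P_MOD, Y2 * Z1 * Z1Z1 % P_MOD  # Y * Z^3
    H, r = (U2 - U1) % P_MOD, (S2 - S1) % P_MOD
    if H == 0:
        return jac_dbl(X1, Y1, Z1) if r == 0 else (1, 1, 0)
    HH = H * H % P_MOD
    HHH = H * HH % P_MOD
    V = U1 * HH % P_MOD
    X3 = (r * r - HHH - 2 * V) % P_MOD
    Y3 = (r * (V - X3) - S1 * HHH) % P_MOD
    return (X3, Y3, Z1 * Z2 * H % P_MOD)

def to_affine(X, Y, Z):
    if Z == 0:
        return None
    zi = inv(Z)
    zi2 = zi * zi % P_MOD
    return (X * zi2 % P_MOD, Y * zi2 * zi % P_MOD)

def to_jacobian(pt, Z=1):
    """Embed an affine point with any nonzero Z, to exercise the general formulas."""
    x, y = pt
    return (x * Z * Z % P_MOD, y * Z * Z * Z % P_MOD, Z)

def scalar_mult(n, pt):
    """Left-to-right double-and-add in Jacobian coordinates; one inversion at the end."""
    R = (1, 1, 0)                        # point at infinity
    Pj = to_jacobian(pt)
    for bit in bin(n)[2:]:
        R = jac_dbl(*R)
        if bit == "1":
            R = jac_add(*R, *Pj)
    return to_affine(*R)
```

Running `scalar_mult(n, BASE)` against `affine_mult(n, BASE)` for a range of n is the check worth keeping around: it catches a sign slip in any of the S, M, T, H, r terms immediately, and feeding `jac_dbl` a point embedded with Z ≠ 1 confirms the formulas are not accidentally relying on Z = 1.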

  14. Compare to speeds for Edwards curves x^2 + y^2 = 1 + dx^2y^2 in projective coordinates (2007 Bernstein–Lange): 3M + 4S for DBL. 10M + 1S + 1D for ADD. 9M + 1S + 1D for mADD. Inverted Edwards coordinates (2007 Bernstein–Lange): 3M + 4S + 1D for DBL. 9M + 1S + 1D for ADD. 8M + 1S + 1D for mADD.

  15. [Picture of the curve y^2 = x^3 − 0.4x + 0.7.]

  16. (Thanks to Tanja Lange for the pictures.)

  17. [Picture of the curve x^2 + y^2 = 1 − 300x^2y^2.]

  18. Speed-oriented Jacobian standards. 2000 IEEE “Std 1363” uses Weierstrass curves in Jacobian coordinates to “provide the fastest arithmetic on elliptic curves.” Also specifies a method of choosing curves y^2 = x^3 − 3x + b. 2000 NIST “FIPS 186-2” standardizes five such curves. 2005 NSA “Suite B” recommends two of the NIST curves as the only public-key cryptosystems for U.S. government use.

  19. Projective for Weierstrass. 1986 Chudnovsky–Chudnovsky: Speed up ADD by switching from (X/Z^2, Y/Z^3) to (X/Z, Y/Z). 7M + 3S for DBL if a = −3. 12M + 2S for ADD. 12M + 2S for reADD. Option has been mostly ignored: DBL dominates in ECDH etc. But ADD dominates in some applications: e.g., batch signature verification.

  20. Montgomery curves. 1987 Montgomery: Use by^2 = x^3 + ax^2 + x. Choose small (a + 2)/4. 2(x_2, y_2) = (x_4, y_4) ⇒ x_4 = (x_2^2 − 1)^2 / (4x_2(x_2^2 + ax_2 + 1)). (x_3, y_3) − (x_2, y_2) = (x_1, y_1), (x_3, y_3) + (x_2, y_2) = (x_5, y_5) ⇒ x_5 = (x_2x_3 − 1)^2 / (x_1(x_2 − x_3)^2).

  21. Represent (x, y) as (X : Z) satisfying x = X/Z. B = (X_2 + Z_2)^2, C = (X_2 − Z_2)^2, D = B − C, X_4 = B·C, Z_4 = D·(C + D(a + 2)/4) ⇒ 2(X_2 : Z_2) = (X_4 : Z_4). (X_3 : Z_3) − (X_2 : Z_2) = (X_1 : Z_1), E = (X_3 − Z_3)·(X_2 + Z_2), F = (X_3 + Z_3)·(X_2 − Z_2), X_5 = Z_1·(E + F)^2, Z_5 = X_1·(E − F)^2 ⇒ (X_3 : Z_3) + (X_2 : Z_2) = (X_5 : Z_5).

  22. This representation does not allow ADD but it allows DADD, “differential addition”: Q, R, Q − R ↦ Q + R. e.g. 2P, P, P ↦ 3P. e.g. 3P, 2P, P ↦ 5P. e.g. 6P, 5P, P ↦ 11P. 2M + 2S + 1D for DBL. 4M + 2S for DADD. Save 1M if Z_1 = 1. Easily compute n(X_1 : Z_1) using ≈ lg n DBL, ≈ lg n DADD. Almost as fast as Edwards nP. Relatively slow for mP + nQ etc.
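Worked example for slides 20 through 22, added here and not part of the slide deck: the (X : Z) DBL and DADD of slide 21, typed out term for term, and the “≈ lg n DBL, ≈ lg n DADD” scalar multiplication of slide 22 implemented as a Montgomery ladder whose invariant R_1 − R_0 = P supplies the difference every DADD needs. The prime 101, the curve y^2 = x^3 + 6x^2 + x (so (a + 2)/4 = 2) and the point (3, 36) are constructed toy values, the function names are mine, and affine chord-and-tangent arithmetic on the same curve is the reference.

```python
# Added example (not from the slides): slide-21 XZ formulas driven by a
# Montgomery ladder, checked against affine arithmetic on a constructed curve.

P_MOD = 101              # toy prime field (constructed)
A, B = 6, 1              # b*y^2 = x^3 + a*x^2 + x with small (a + 2)/4 (constructed)
A24 = (A + 2) // 4       # the slide's "(a + 2)/4", here 2
BASE = (3, 36)           # constructed point: 36^2 = 3^3 + 6*3^2 + 3 (mod 101)

def inv(v):
    return pow(v, P_MOD - 2, P_MOD)

def xz_dbl(pt):
    """2(X2 : Z2) = (X4 : Z4) with the slide's B, C, D: 2M + 2S + 1D."""
    X2, Z2 = pt
    Bv = (X2 + Z2) ** 2 % P_MOD                    # S
    Cv = (X2 - Z2) ** 2 % P_MOD                    # S
    Dv = (Bv - Cv) % P_MOD
    return (Bv * Cv % P_MOD, Dv * (Cv + A24 * Dv) % P_MOD)   # M, D, M

def xz_dadd(pt3, pt2, diff):
    """(X3 : Z3) + (X2 : Z2) given (X1 : Z1) = their difference: 4M + 2S,
    one M fewer when Z1 = 1 as in the ladder below."""
    X3, Z3 = pt3
    X2, Z2 = pt2
    X1, Z1 = diff
    E = (X3 - Z3) * (X2 + Z2) % P_MOD              # M
    F = (X3 + Z3) * (X2 - Z2) % P_MOD              # M
    return (Z1 * (E + F) ** 2 % P_MOD, X1 * (E - F) ** 2 % P_MOD)   # S+M, S+M

def ladder_x(n, x1):
    """x(nP) from x(P) alone: one DBL and one DADD per bit of n.
    Invariant R1 - R0 = P, so (x1 : 1) is always the DADD difference."""
    R0, R1 = (1, 0), (x1, 1)                       # (1 : 0) is the point at infinity
    for bit in bin(n)[2:]:
        if bit == "1":
            R0, R1 = xz_dadd(R1, R0, (x1, 1)), xz_dbl(R1)
        else:
            R0, R1 = xz_dbl(R0), xz_dadd(R1, R0, (x1, 1))
    X, Z = R0
    return None if Z == 0 else X * inv(Z) % P_MOD

def affine_add(pt1, pt2):
    """Reference chord-and-tangent law on b*y^2 = x^3 + a*x^2 + x; None is infinity."""
    if pt1 is None:
        return pt2
    if pt2 is None:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv(2 * B * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (B * lam * lam - A - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def affine_x(n, pt):
    """x-coordinate of nP by n - 1 affine additions (the slow reference)."""
    R = None
    for _ in range(n):
        R = affine_add(R, pt)
    return None if R is None else R[0]
```

The ladder never touches a y-coordinate, which is exactly why this representation supports nP but not a general P + Q: the two summands' difference has to be known in advance. The two-branch structure (same DBL and DADD in both cases, only the operands swapped) is also what makes the ladder a natural fit for constant-time implementations.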

  23. Doubling-oriented curves. 2006 Doche–Icart–Kohel: Use y^2 = x^3 + ax^2 + 16ax. Choose small a. Use (X : Y : Z : Z^2) to represent (X/Z, Y/Z^2). 3M + 4S + 2D for DBL. How? Factor DBL as φ̂(φ) where φ is a 2-isogeny. 2007 Bernstein–Lange: 2M + 5S + 2D for DBL on the same curves.

  24. 12M + 5S + 1D for ADD. Slower ADD than other systems, typically outweighing the benefit of the very fast DBL. But isogenies are useful. Example, 2005 Gaudry: fast DBL+DADD on Jacobians of genus-2 hyperelliptic curves, using similar factorization. Tricky but potentially helpful: tripling-oriented curves (see 2006 Doche–Icart–Kohel), double-base chains, ...

  25. Hessian curves. Credited to Sylvester by 1986 Chudnovsky–Chudnovsky: (X : Y : Z) represent (X/Z, Y/Z) on x^3 + y^3 + 1 = 3dxy. 12M for ADD: X_3 = Y_1X_2·Y_1Z_2 − Z_1Y_2·X_1Y_2, Y_3 = X_1Z_2·X_1Y_2 − Y_1X_2·Z_1X_2, Z_3 = Z_1Y_2·Z_1X_2 − X_1Z_2·Y_1Z_2. 6M + 3S for DBL.
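Worked example for slide 25, added here and not part of the slide deck: the 12M Hessian ADD exactly as written on the slide (six shared products, then six more), exercised over a constructed toy field. The prime 11 (chosen so that (1 : −1 : 0) is the only F_11-rational point at infinity), d = 2 (so d^3 ≠ 1 and the curve is nonsingular), the enumeration of affine points and all function names are mine. The checks show the formula is a group law on distinct points and also the caveat a practitioner should know: fed the same point twice it returns (0 : 0 : 0), which is why the slide lists a separate 6M + 3S DBL.

```python
# Added example (not from the slides): the slide's Hessian ADD on
# x^3 + y^3 + 1 = 3*d*x*y over a constructed toy field.
from itertools import permutations

P_MOD = 11                 # 11 = 2 (mod 3): no nontrivial cube roots of 1 in F_11 (constructed)
D = 2                      # d^3 = 8 != 1 (mod 11), so the curve is nonsingular (constructed)
IDENTITY = (1, P_MOD - 1, 0)   # the neutral element (1 : -1 : 0) of the Hessian model

def on_curve(X, Y, Z):
    return (X**3 + Y**3 + Z**3 - 3 * D * X * Y * Z) % P_MOD == 0

def hess_add(P, Q):
    """Slide-25 ADD: 12 multiplications, no inversions."""
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    a, b, c = Y1 * X2, Y1 * Z2, Z1 * Y2          # six products shared by all three lines
    d, e, f = X1 * Y2, X1 * Z2, Z1 * X2
    X3 = a * b - c * d                           # Y1X2*Y1Z2 - Z1Y2*X1Y2
    Y3 = e * d - a * f                           # X1Z2*X1Y2 - Y1X2*Z1X2
    Z3 = c * f - e * b                           # Z1Y2*Z1X2 - X1Z2*Y1Z2
    return (X3 % P_MOD, Y3 % P_MOD, Z3 % P_MOD)

def normalize(P):
    """Scale so the first nonzero coordinate is 1; None for the degenerate (0 : 0 : 0)."""
    for coord in P:
        if coord:
            s = pow(coord, P_MOD - 2, P_MOD)
            return tuple(v * s % P_MOD for v in P)
    return None

def affine_points():
    """All F_11-rational affine points, found by brute force (fine for a toy prime)."""
    return [(x, y, 1) for x in range(P_MOD) for y in range(P_MOD) if on_curve(x, y, 1)]

def check_pairs(points):
    """Sums of distinct points land on the curve, ADD is commutative, and
    (1 : -1 : 0) acts as the identity."""
    for P, Q in permutations(points, 2):
        R = hess_add(P, Q)
        if normalize(R) is None or not on_curve(*R):
            return False
        if normalize(R) != normalize(hess_add(Q, P)):
            return False
    return all(normalize(hess_add(P, IDENTITY)) == normalize(P) for P in points)

def check_associativity(points):
    """(P + Q) + R == P + (Q + R), skipping the steps where the slide's ADD
    would have to double a point (P + Q == R or Q + R == P)."""
    for P, Q, R in permutations(points, 3):
        PQ, QR = hess_add(P, Q), hess_add(Q, R)
        if normalize(PQ) == normalize(R) or normalize(QR) == normalize(P):
            continue
        if normalize(hess_add(PQ, R)) != normalize(hess_add(P, QR)):
            return False
    return True

def doubling_is_degenerate(P):
    """The slide's ADD applied to (P, P) yields (0 : 0 : 0): no doubling from this formula."""
    return normalize(hess_add(P, P)) is None
```

`(1, 3, 1)` is a point of this toy curve that is not a flex (no zero coordinate), so it is the natural input for `doubling_is_degenerate`; any code that uses these formulas for scalar multiplication must dispatch to a dedicated DBL (or a rewritten, unified addition law) whenever the two operands may coincide.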
