Montgomery curve explained

In mathematics, the Montgomery curve is a form of elliptic curve introduced by Peter L. Montgomery in 1987,^[1] different from the usual Weierstrass form. It is used for certain computations, and in particular in different cryptography applications.

Definition

A Montgomery curve over a field is defined by the equation

M_A,B:By²=x³+Ax²+x

for certain and with .

Generally this curve is considered over a finite field K (for example, over a finite field of elements,) with characteristic different from 2 and with and, but they are also considered over the rationals with the same restrictions for and .

Montgomery arithmetic

It is possible to do some "operations" between the points of an elliptic curve: "adding" two points

P,Q

consists of finding a third one

such that

R=P+Q

; "doubling" a point consists of computing

[2]P=P+P

(For more information about operations see The group law) and below.

A point

P=(x,y)

on the elliptic curve in the Montgomery form

By²=x³+Ax²+x

can be represented in Montgomery coordinates

P=(X:Z)

, where

P=(X:Z)

are projective coordinates and

x=X/Z

for

Z\ne0

(x,y)

and

(x,-y)

because they are both given by the point

(X:Z)

. However, with this representation it is possible to obtain multiples of points, that is, given

P=(X:Z)

, to compute

[n]P=(X_n:Z_n)

Now, considering the two points

P_n=[n]P=(X_n:Z_n)

and

P_m=[m]P=(X_m:Z_m)

: their sum is given by the point

P_m+n=P_m+P_n=(X_m+n:Z_m+n)

whose coordinates are:

X_m+n=Z_m-n((X_m-Z_m)(X_n+Z_n)+(X_m+Z_m)(X_n-Z

	2

	n))

Z_m+n=X_m-n((X_m-Z_m)(X_n+Z_n)-(X_m+Z_m)(X_n-Z

	2

	n))

m=n

, then the operation becomes a "doubling"; the coordinates of

[2]P_n=P_n+P_n=P_2n=(X_2n:Z_2n)

are given by the following equations:

4X_nZ_n=(X_n+Z

	2

	n)

-(X_n-Z

	2

	n)

X_2n=(X_n+Z

	2(X

	n-Z

	2

	n)

Z_2n=(4X_nZ_n)((X_n-Z

	2+((A+2)/4)(4X

	nZ

_n))

The first operation considered above (addition) has a time-cost of 3M+2S, where M denotes the multiplication between two general elements of the field on which the elliptic curve is defined, while S denotes squaring of a general element of the field.

The second operation (doubling) has a time-cost of 2M + 2S + 1D, where D denotes the multiplication of a general element by a constant; notice that the constant is

(A+2)/4

, so

can be chosen in order to have a small D.

Algorithm and example

The following algorithm represents a doubling of a point

P_1=(X_1:Z₁₎

on an elliptic curve in the Montgomery form.

It is assumed that

Z₁₌₁

. The cost of this implementation is 1M + 2S + 1*A + 3add + 1*4. Here M denotes the multiplications required, S indicates the squarings, and a refers to the multiplication by A.

XX₁=

	2
X
	1

X₂=

	2
(XX
	1-1)

Z₂=4X_1(XX_1+aX₁₊₁₎

Example

Let

P_{1=(2,\sqrt{3})}

be a point on the curve

2y²=x³-x²+x

.In coordinates

(X_1:Z₁₎

, with

x_1=X_1/Z₁

P_1=(2:1)

Then:

XX₁=

	2
X
	1

X₂=

	2
(XX
	1-1)

Z₂=4X_1(XX_1+AX₁₊₁₎=24

The result is the point

P_2=(X_2:Z_2)=(9:24)

such that

P_2=2P₁

Addition

Given two points

P_1=(x_1,y₁₎

P_2=(x_2,y₂₎

on the Montgomery curve

M_A,B

in affine coordinates, the point

P_3=P_1+P₂

represents, geometrically the third point of intersection between

M_A,B

and the line passing through

P₁

and

P₂

. It is possible to find the coordinates

(x_3,y₃₎

P₃

, in the following way:

1) consider a generic line

~y=lx+m

in the affine plane and let it pass through

P₁

and

P₂

(impose the condition), in this way, one obtains

l=	y_2-y₁
	x_2-x₁

and

m=y

1-\left(	y_2-y₁
	x_2-x₁

\right)x₁

;

2) intersect the line with the curve

M_A,B

, substituting the

variable in the curve equation with

~y=lx+m

; the following equation of third degree is obtained:

x^3+(A-Bl^2)x^{2+(1-2Blm)x-Bm}^2=0.

As it has been observed before, this equation has three solutions that correspond to the

coordinates of

P₁

P₂

and

P₃

. In particular this equation can be re-written as:

(x-x_1)(x-x_2)(x-x₃₎₌₀

3) Comparing the coefficients of the two identical equations given above, in particular the coefficients of the terms of second degree, one gets:

-x_1-x_2-x

	2

	3=A-Bl

So,

x₃

can be written in terms of

x₁

y₁

x₂

y₂

, as:

x₃=B\left(

	y_2-y₁
	x_2-x₁

	2-A-x
\right)
	1-x

_2.

4) To find the

coordinate of the point

P₃

it is sufficient to substitute the value

x₃

in the line

~y=lx+m

. Notice that this will not give the point

P₃

directly. Indeed, with this method one find the coordinates of the point

such that

R+P_1+P_2=P_infty

, but if one needs the resulting point of the sum between

P₁

and

P₂

, then it is necessary to observe that:

R+P_1+P_2=P_infty

if and only if

-R=P_1+P₂

. So, given the point

, it is necessary to find

~-R

, but this can be done easily by changing the sign to the

coordinate of

. In other words, it will be necessary to change the sign of the

coordinate obtained by substituting the value

x₃

in the equation of the line.

Resuming, the coordinates of the point

P_3=(x_3,y₃₎

P_3=P_1+P₂

are:

x₃=

B(y

	2

	1)

2-y

	2

	1)

2-x

-A-x_1-x₂

y₃=

	(2x_1+x_2+A)(y_2-y₁₎	-
	x_2-x₁

B(y

	3

	1)

2-y

	3

	1)

2-x

-y₁

Doubling

Given a point

P₁

on the Montgomery curve

M_A,B

, the point

[2]P₁

represents geometrically the third point of intersection between the curve and the line tangent to

P₁

; so, to find the coordinates of the point

P_3=2P₁

it is sufficient to follow the same method given in the addition formula; however, in this case, the line y = lx + m has to be tangent to the curve at

P₁

, so, if

M_A,B:f(x,y)=0

with

f(x,y)=x^3+Ax^2+x-By^2,

then the value of l, which represents the slope of the line, is given by:

l=-\left.	\partialf	\right/
	\partialx

	\partialf
	\partialy

by the implicit function theorem.

	2
3x		+2Ax₁+1
	1

2By₁

and the coordinates of the point

P₃

P_3=2P₁

are:

\begin{align} x₃&=

	2-A-x
Bl
	1-x

₁=

	2
B(3x
	1+1)

	2
(2By
	1)

-A-x_1-x₁\\ y₃&=(2x_1+x

	3-y

	1

\\ &=

	(2x_1+x_1+A)(3{x₁
	^2+2Ax

_1+1)}{2By

1}-	B(3{x₁
	^2+2Ax

	3}-y

	1. \end{align}

Equivalence with twisted Edwards curves

Let

be a field with characteristic different from 2.

Let

M_A,B

be an elliptic curve in the Montgomery form:

M_A,B:Bv²=u³+Au²+u

with

A\inK\smallsetminus\{-2,2\}

B\inK\smallsetminus\{0\}

and let

E_a,d

be an elliptic curve in the twisted Edwards form:

E_a,d : ax²+y²=1+dx^2y^2,

with

a,d\inK\smallsetminus\{0\}, a ≠ d.

The following theorem shows the birational equivalence between Montgomery curves and twisted Edwards curve:^[2]

Theorem (i) Every twisted Edwards curve is birationally equivalent to a Montgomery curve over

.In particular, the twisted Edwards curve

E_a,d

is birationally equivalent to the Montgomery curve

M_A,B

where

	2(a+d)
	a-d

, and

	4
	a-d

The map:

\psi:E_a,d → M_A,B

(x,y)\mapsto(u,v)=\left(

	1+y	,
	1-y

	1+y
	(1-y)x

\right)

is a birational equivalence from

E_a,d

M_A,B

, with inverse:

\psi^-1

M_A,B → E_a,d

(u,v)\mapsto(x,y)=\left(

	u	,
	v

	u-1	\right), a=
	u+1

	A+2
	B

,d=

	A-2
	B

Notice that this equivalence between the two curves is not valid everywhere: indeed the map

\psi

is not defined at the points

v=0

u+1=0

of the

M_A,B

Equivalence with Weierstrass curves

Any elliptic curve can be written in Weierstrass form. In particular, the elliptic curve in the Montgomery form

M_A,B

By²=x³+Ax²+x,

can be transformed in the following way:divide each term of the equation for

M_A,B

B³

, and substitute the variables x and y, with

u=	x
	B

and

v=	y
	B

respectively, to get the equation

v²=u³+

	A
	B

u²+

	1
	B²

To obtain a short Weierstrass form from here, it is sufficient to replace u with the variable

t-	A
	3B

v²=\left(t-

	A
	3B

\right)³+

	A	\left(t-
	B

	A
	3B

\right)²+

	1	\left(t-
	B²

	A
	3B

\right);

finally, this gives the equation:

v²=t³+\left(

	3-A²
	3B²

\right)t+\left(

	2A^3-9A
	27B³

\right).

Hence the mapping is given as

\psi

M_A,B → E_a,b

(x,y)\mapsto(t,v)=\left(

	x
	B

	A
	3B

	y	\right), a=
	B

	3-A²
	3B²

,b=

	2A^3-9A
	27B³

In contrast, an elliptic curve over base field

in Weierstrass form

E_a,b

v²=t³+at+b

can be converted to Montgomery form if and only if

E_a,b

has order divisible by four and satisfies the following conditions:^[3]

z³+az+b=0

has at least one root

\alpha\inF

; and

3\alpha²+a

is a quadratic residue in

When these conditions are satisfied, then for

s=(\sqrt{3\alpha²+a})^-1

we have the mapping

\psi^-1

E_a,b → M_A,B

(t,v)\mapsto(x,y)= \left(s(t-\alpha),sv\right), A=3\alphas, B=s

References

. 1987 . Speeding the Pollard and Elliptic Curve Methods of Factorization . Mathematics of Computation . 48 . 177 . 243–264 . 2007888 . 10.2307/2007888 . free .
Book: Daniel J. Bernstein, Peter Birkner, Marc Joye, Tanja Lange and Christiane Peters . Progress in Cryptology – AFRICACRYPT 2008 . 5023 . 389–405 . 2008 . Springer-Verlag Berlin Heidelberg . 978-3-540-68159-5 . 10.1007/978-3-540-68164-9_26 . Lecture Notes in Computer Science . Twisted Edwards Curves . http://eprint.iacr.org/2008/013 .
Wouter Castryck . Steven Galbraith . Reza Rezaeian Farashahi . 2008 . Efficient Arithmetic on Elliptic Curves using a Mixed Edwards-Montgomery Representation .

External links

Genus-1 curves over large-characteristic fields

Notes and References

. 1987 . Speeding the Pollard and Elliptic Curve Methods of Factorization . Mathematics of Computation . 48 . 177 . 243–264 . 2007888 . 10.2307/2007888 . free .
Book: Daniel J. Bernstein, Peter Birkner, Marc Joye, Tanja Lange and Christiane Peters . Progress in Cryptology – AFRICACRYPT 2008 . 5023 . 389–405 . 2008 . Springer-Verlag Berlin Heidelberg . 978-3-540-68159-5 . 10.1007/978-3-540-68164-9_26 . Lecture Notes in Computer Science . Twisted Edwards Curves . http://eprint.iacr.org/2008/013 .
Katsuyuki Okeya, Hiroyuki Kurumatani, and Kouichi Sakurai. 2000. Elliptic Curves with the Montgomery-Form and Their Cryptographic Applications. Public Key Cryptography (PKC2000). 10.1007/978-3-540-46588-1_17. free.

Montgomery curve explained

Definition

Montgomery arithmetic

Algorithm and example

Example

Addition

Doubling

Equivalence with twisted Edwards curves

Equivalence with Weierstrass curves

See also

References

External links

Notes and References