Tripling-oriented Doche–Icart–Kohel curve explained

The tripling-oriented Doche–Icart–Kohel curve is a form of an elliptic curve that has been used lately in cryptography; it is a particular type of Weierstrass curve. At certain conditions some operations, as adding, doubling or tripling points, are faster to compute using this form.The Tripling oriented Doche–Icart–Kohel curve, often called with the abbreviation 3DIK has been introduced by Christophe Doche, Thomas Icart, and David R. Kohel in [1]

Definition

Let

K

be a field of characteristic different form 2 and 3.

An elliptic curve in tripling oriented Doche–Icart–Kohel form is defined by the equation:

Ta:y2=x3+3a(x+1)2

with

a\inK

.

A general point P on

Ta

has affine coordinates

(x,y)

. The "point at infinity" represents the neutral element for the group law and it is written in projective coordinates as O = (0:1:0). The negation of a point P = (xy) with respect to this neutral element is -P = (x, -y).

The group law

Consider an elliptic curve in the Tripling-oriented Doche-Icart-Kohel form in affine coordinates:

Ta:y2=x3+3a(x+1)2,    a0,\tfrac{9}{4}.

As in other forms of elliptic curves, it is possible to define some "operations" between points, such as adding points, or doubling (See also The group law). In the following sections formulas to add, negate and doubling points are given. The addition and doubling formulas are often used for other operations: given a point P on an elliptic curve it is possible to compute [n]P, where n is an integer, using addition and doubling; computing multiples of points is important in elliptic curve cryptography and in Lenstra elliptic curve factorization.

Addition

Given

P1=(x1,y1)

and

P2=(x2,y2)

on

Ta

, the point

P3=(x3,y3)=P1+P2

has coordinates:

\begin{align} x3&=

1
(x-
2
x
1)
2

\left\{

3+(x
-x
2-3a)x
2+6ax
2)x

1+(y

2-2y
2y

1+(-x

2))
2

\right\}\\ y3&=

1
(x-
3
x
1)
2

\left\{(-y1+2y2)x

3+(-3ay
1-3y

2x2+3ay2)x

2y
1+6ax

2y1-6ay2x2)x1\right.\\ &            

3-3y
\left.+(y
2y
2)y
1+(y

2x

3+3ay
2x
3))
2

\right\} \end{align}

Doubling

Given a point

P1=(x1,y1)

on

Ta

, the point

P3=(x3,y3)=2P1

has coordinates:

\begin{align} x3&=

9+
2
4y
4
x
1
1
9
3
y
1

+\left(

9+
2a
y2
1
9
2a
y
1

\right

2+
)x
1

\left(

18
2a
y2
1

-2\right)

x
1+9
2a
y2-3a
1

\\ y3&=-

27-
6
8y
1
81
5
4y
1

+\left(-

81-
3a
2y2
1
81
3a
4y
1

\right

4+
)x
1

\left(-

27-
3a
y3
1
81+
3a
y2
1
9
2y1

\right

3+
)x
1

\left(-

81-
3a
y3
1
81
3
2y
1
2+27
2y1a
a
2
\right)x
1

\\ &             +\left(-

81+
3a
y3
1
9+
2
y
1a
9
y1a

\right)x1+\left(-

27+
3a
y3
1
9
2
y
1a

-y1\right) \end{align}

Negation

Given a point

P1=(x1,y1)

on

Ta

, its negation with respect to the neutral element

(0:1:0)

is

-P1=(x1,-y1)

.

There are also other formulas given in [2] for Tripling-oriented Doche–Icart–Kohel curves for fast tripling operation and mixed-addition.

New Jacobian coordinates

For computing on these curves points are usually represented in new Jacobian coordinates (Jn):

a point in the new Jacobian coordinates is of the form

P=(X:Y:Z:Z2)

; moreover:

P=(X:Y:Z:Z2)=(λ2X:λ3Y:λZ:λ2Z2),

for any

λ\inK

.

This means, for example, that the point

P=(X:Y:Z:Z2)

and the point

Q=(4X:8Y:2Z:4Z2)

(for

λ=2

) are actually the same.

P=(x,y)

on

Ta

is written in the new Jacobian coordinates as

P=(X:Y:Z:Z2)

, where

x=X/Z2

and

y=Y/Z3

; in this way, the equation for

Ta

becomes:

Ta:Y2=X3+3aZ2(X+Z2)2.

The term

Z2

of a point on the curve makes the mixed addition (that is the addition between two points in different systems of coordinates) more efficient.

The neutral element in new Jacobian coordinates is

(1:1:0:0)

.

Algorithms and examples

Addition

The following algorithm represents the sum of two points

P1

and

P2

on an elliptic curve in the Tripling-oriented Doche-Icart-Kohel form. The result is a point

P3=(X3,Y3,Z3,ZZ3)

.It is assumed that

Z2=1

and that

a3=3a

.The cost of this implementation is 7M + 4S + 1*a3 + 10add + 3*2 + 1*4, where M indicates the multiplications, S the squarings, a3 indicates the multiplication by the constant a3, add represents the number of additions required.

A=X2ZZ1

B=Y2ZZ1Z1

C=X1-A

D=2(Y1-B)

F=C2

F4=4F

Z3=

2-ZZ
(Z
1-F

E=

2
{Z
3}

G=CF4

H=AF4

X3=

2-G-2H-a
D
3E

Y3=D(H-X3)-2BG

ZZ3=E

Example

Let

P1=(1,\sqrt{13})

and

P2=(0,\sqrt{3})

affine points on the elliptic curve over

R

:

y2=x3+3(x+1)2

.

Then:

A=X2ZZ1=0

B=Y2ZZ1Z1=\sqrt{3}

C=X1-A=1

D=2(Y1-B)=2(\sqrt{13}-\sqrt{3})

F=C2=1

F4=4F=4

Z3=

2-ZZ
(Z
1-F

=2

E=

2
{Z
3}

=4

G=CF4=4

H=AF4=0

X3=

2-G-2H-a
D
3E

=48-8\sqrt{39}

Y3=D(H-X3)-2BG=296\sqrt{3}-144\sqrt{13}

ZZ3=E=4

Notice that in this case

Z1=Z2=1

.The resulting point is

P3=(X3,Y3,Z3,ZZ3)=(48-8\sqrt{39},296\sqrt{3}-144\sqrt{13},2,4)

, that in affine coordinates is

P3=(12-2\sqrt{39},37\sqrt{3}-18\sqrt{13})

.

Doubling

The following algorithm represents the doubling of a point

P1

on an elliptic curve in the Tripling-oriented Doche-Icart-Kohel form.It is assumed that

a3=3a

,

a2=2a

.The cost of this implementation is 2M + 7S + 1*a2 + 1*a3 + 12add + 2*2 + 1*3 + 1*8; here M represents the multiplications, S the squarings, a2 and a3 indicates the multiplications by the constants a2 and a3 respectively, and add indicates the additions.

A=

2
{X
1}

B=a2ZZ1(X1+ZZ1)

C=3(A+B)

D=

2
{Y
1}

E=D2

Z3=(Y1+Z

2-D-ZZ
1

ZZ3=

2
Z
3

F=

2-A-E)
2((X
1+D)

X3=

2-a
C
3ZZ

3-2F

Y3=C(F-X3)-8E

Example

Let

P1=(0,\sqrt{3})

be a point on

y2=x3+3(x+1)2

.

Then:

A=

2
{X
1}

=0

B=a2ZZ1(X1+ZZ1)=2

C=3(A+B)=6

D=

2
{Y
1}

=3

E=D2=9

Z3=(Y1+Z

2-D-ZZ
1

=2\sqrt{3}

ZZ3=

2
Z
3

=12

F=

2-A-E)
2((X
1+D)

=0

X3=

2-a
C
3ZZ

3-2F=0

Y3=C(F-X3)-8E=-72

Notice that here the point is in affine coordinates, so

Z1=1

.The resulting point is

P3=(0,-72,2\sqrt{3},12)

, that in affine coordinates is

P3=(0,-\sqrt{3})

.

Equivalence with Weierstrass form

Any elliptic curve is birationally equivalent to another written in the Weierstrass form.

The following twisted tripling-oriented Doche-Icart-Kohel curve:

Ta,λ:y2=x3+a(x)2

can be transformed into the Weierstrass form by the map:

(x,y)\mapsto(xa,y).

In this way

Ta,λ

becomes:

y2=x3-3{λ}2a(a-2)x+{λ}3a(2a2-6a+3)

.

Conversely, given an elliptic curve in the Weierstrass form:

Ec,d:y2=x3+cx2+d

,

it is possible to find the "corresponding" Tripling-oriented Doche–Icart–Kohel curve, using the following relation:

λ=

-3d(a-2)
a(2a2-6a+3)

where is a root of the polynomial

6912a(a-2)3-j(4a-9),

where

j=6912c3
4c3+27d2

is the j-invariant of the elliptic curve

Ec,d

.

Notice that in this case the map given is not only a birational equivalence, but an isomorphism between curves.

Internal link

For more informations about the running-time required in a specific case, see Table of costs of operations in elliptic curves

External links

References

Notes and References

  1. Christophe Doche, Thomas Icart, and David R. Kohel, Efficient Scalar Multiplication by Isogeny Decompositions
  2. Christophe Doche, Thomas Icart, and David R. Kohel, Efficient Scalar Multiplication by Isogeny Decompositions, page 198-199

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Tripling-oriented Doche–Icart–Kohel curve".

Except where otherwise indicated, Everything.Explained.Today is © Copyright 2009-2024, A B Cryer, All Rights Reserved. Cookie policy.