Elliptic Curve

A non-singular elliptic curve over real numbers is described by the following equation:

y²=x³+ax+b (2.13)

Where a, b are real numbers such that

0 27

4a³ + b² ≠ (2.14)

The elliptic curve is singular, if equation (2.14) fails[3]. The following diagram shows an example of an elliptic curve where a=b=1. Note that the diagram is symmetric with respect to x-axis.

Figure 2.1: the elliptic curve y²=x³+x+1

For finite field GF(p), the elliptic curve satisfies the congruence, where a, b∈GF(p):

y²≡x³+ax²+b(mod p) (2.15)

For finite field GF(2ⁿ), the elliptic curve is in a slightly different form as shown below, where a, b∈GF(2ⁿ):

y²+xy=x³+ax²+b (2.16)

An abelian group can be defined on the set E of solutions (x, y) to the elliptic curve equation plus a point O at infinity. Now consider the addition law of elliptic curve:

Given two points P and Q on elliptic curve E, consider the result of P+Q. First, we define L to be the line through P and Q. The L intersects E at point R’, then we reflect R’ in

the x-axis to get R. We define R to be the result of P+Q, that is, P+Q=R. An example is given below:

Figure 2.2: Point addition, P+Q=R

Now consider the situation when P=Q, namely, consider the result of 2P. Since P=Q, line L now become a tangent line passing through P. Similarly, the line L intersects E at point R’, then we reflect the x-axis to obtain the result R. The following diagram shows this condition:

P+O=O+P=P (2.17)

We consider the case when Q is the reflection of P in the x-axis. So if we draw a line L through P and Q, then line L will be an vertical through P and intersect E at infinity O and we can get P+Q=O. Since O is the identity element, we can consider that Q as the negative of P, that is Q=-P. We can conclude that the negative point of a given point is the reflection of the point in the x-axis.

Figure 2.4: Negative Point, P+(-P)=O

Given a point P∈E over finite field, then E is a finite abelian group. We can find an

integer r such that rP=

P P

P+ +...+ =O. The integer r is called the order of point P.

Next, I will derive the addition and doubling formula for points on elliptic curve according to the addition law mentioned above. Moreover, a different kind of representation called the projective coordinates representation will be introduced.

Affine Coordinates Representation

Affine coordinate representation is respect to projective coordinates representation.

2 3

y1), the negative of P is simply the corresponding point of the reflected P in the x-axis which is (x₁, -y₁).

-(x₁, y₁)=(x₁, -y₁) (2.18)

We next derive the formula for point addition P+Q=R. Let P, Q∈E, where P=(x1, y1), Q=(x2, y2), R=(x3, y3) and L is the line passing through P and Q represented as

ν λ +

= x

y (2.19)

, where the slope of L is:

1 2

x x

y y

−

= −

λ ^(2.20)

, and

2 2 1

1 x y x

y λ λ

ν = − = − (2.21)

L will intersects E at point R’. Substitute equation (2.19) into the equation for E to find the solution of the coordinates, we can get

b ax x

x+ )² = ³ + +

(λ ν (2.22)

, we can derive from above

0 )

( ²

2 2

3 −λ x + a− λν x+b−ν =

x (2.23)

We have to solve equation (2.23) for the x-coordinates. Since x and x are two roots of

For the case when doubling a point, we have to find the slope of the tangent line L to point P=(x₁, y₁). Let 2P=(x₃, y₃), using the implicit differentiation of the equation of E

a dx x

ydy =3 ² +

2 (2.27)

So the slope of the tangent line L with equation (2.22) to point P is

The line will intersects with E at R’=(x₃, -y₃) and substitute the line equation into E.

Regarding equation (2.23), the cubic equation has two roots at x1, and one root at x3. So x3

1 2

3 2x

x =λ − ^(2.30)

With the same procedure, we can find y3 by equation (2.26).

Finally, the formula for point addition and point doubling can be summarized as bellow.

Suppose P=(x₁, y₁), Q=(x₂, y₂), P+Q=(x₃, y₃), elliptic curve with equation (2.13) or (2.15), then the formula of point addition:

1 the formulas for point addition and point addition over finite field GF(2ⁿ) in a similar method.

As in the previous context, we will derive the negation of a point first. Given a point P=(x1,

x+x₁=0 (2.33)

, which implies that x₂+x₁=0 and the x-coordinate of –P is x₁. Substitute equation (2.33) into equation (2.16) in order to find the solution of the y-coordinate of –P. We will get:

y²+x1y=x13

+ax12

+b (2.34)

This square equation has two solutions and one of them is y1. The sum of the two solutions will equal to the coefficient of the term y. As the result,

y₁+y₂=x₁

, or

y₂=x₁ +y₁ (2.35)

So for P=(x₁, y₁), the negation of P over finite field GF(2ⁿ)

-(x₁, y₁)=(x₁, x₁+y₁) (2.36)

Again, let P, Q∈E, where P=(x1, y1), Q=(x2, y2), P+Q=R=(x3, y3) and L is the line passing through P and Q. L has the equation (2.19), where

1 2

x x

y y

= +

λ ^(2.25)

and

2 2 1

1 x y x

y λ λ

ν = + = + (2.26)

Substitute the equation of L (2.19) into the elliptic curve equation (2.16)

Derived from above,

Let’s move on to the formulas of doubling a point over GF(2ⁿ), using the implicit differentiation of the elliptic curve equation (2.16):

Applying the property of GF(2ⁿ), the equation is reduced to:

dy 2

+ (2.33)

differently over finite field GF(2ⁿ). Let P=(x1, y1), 2P=(x3, y3) and line L is the tangent line to P described by equation (2.19). The slope of the tangent line L would be:

1 1

1 x

x + y

λ= ^(2.34)

while

1 x

y λ

ν = + (2.35)

Following the same procedure, x1 is the two roots of equation (2.29), x3 is the other. So,

a x

x₁+ ₃ =λ²+λ+ 2

which 2x₁=0 over finite field GF(2ⁿ)

x₃ =λ² +λ+ ^(2.36)

Finally, y3 is the same as shown in equation (2.31)

The formulas for point addition and point doubling over finite field GF(2ⁿ) are given bellow:

Let P=(x₁, y₁), Q=(x₂, y₂), P+Q=(x₃, y₃), elliptic curve with equation (2.16), then the point addition formula:

1 2

x x

y y

= + λ

a x x

x₃ =λ² +λ+ ₁+ ₂+ + + +

=λ

(2.37)

And the formula of point doubling, where P=(x1, y1), 2P=(x3, y3)

1 1

1 x

x + y λ =

a x₃ =λ² +λ+

1 3 1 3

3 (x x ) x y

y =λ + + +

(2.38)

Projective Coordinates Representation

Finite field GF(2ⁿ) inversion is relatively expensive. If inversion could be avoided while performing point addition or point doubling, then the performance of the elliptic curve cryptosystems would be improved. This is done by using projective coordinates.

Points with projective coordinates have three coordinates, for example, a projective point P=(X, Y, Z). An affine point (x, y) corresponds to the projective coordinate point (x, y, 1), while a projective point (X, Y, Z) could be converted into an affine point (X/Z, Y/Z²).

Replacing x= X/Z, y= Y/Z²into equation (2.4), the resulting projective elliptic curve equation would be:

4 2 2 3

2 XYZ X Z aX Z bZ

Y + = + + (2.39)

The formulas for adding and doubling points on elliptic will be presented here. Let P=(X1, Y₁, Z₁) , Q=(X₂, Y₂, Z₂), and P+Q=R(X₃, Y₃, Z₃) are points with projective coordinates, then the formula for adding points is [4]:

When Z2=1, the formula becomes

Comparing with affine coordinates, projective coordinates doubling and adding requires more multiplications but no inversion. The performance analysis with affine coordinates doubling and adding is given below:

Table 2.3: The number of required operations for point doubling

Operations Affine coordinates Projective coordinates

Multiplication 2 4

Squaring 1 5

Inversion 1 0

Table 2.4: The number of required operations for point addition

Operations Affine coordinates Projective coordinates

Multiplication 2 13

Squaring 1 6

Inversion 1 0

Table 2.5: The number of required operations for point addition when Q= (X₂, Y₂, 1)

Operations Affine coordinates Projective coordinates

Multiplication 2 8

Squaring 1 5

Inversion 1 0

The performance comparison between the two coordinates is determined by the computational complexity of the finite field inversion in affine coordinates. For example, given the table 2.3 condition and neglecting the squaring operation, the affine coordinates will outperform projective coordinates if the computational complexity of the inversion is less than

C ^HAPTER 3

Scalar Multiplication Algorithms

Scalar multiplication, given a point P on elliptic curve and a scalar k find kP, is the mainly the Elliptic Curve Cryptosystems all about. In order to compute scalar multiplication efficiently, many algorithms are proposal. The basic one is the double-and-add algorithm and halve-and-add algorithm gives an efficiently way to compute scalar multiplication by acquiring point halving. These two algorithms will be introduced in this chapter. Besides, we can apply add-and-subtract algorithm to these two algorithms to achieve a better performance.

在文檔中橢圓曲線密碼系統之設計與實現 (頁 20-33)

C HAPTER 3

Scalar Multiplication Algorithms

C ^HAPTER 3