Prime Numbers

the point at infinity, define a commutative operation + with inverse operation

−as follows:

(1)−O = O;

(2)−P1 = (x1, −y1);

(3)O + P1 = P1;

(4)if P2 = −P1, then P1 + P2 = O;

(5)if P2 =−P1, then P1 + P2 = (x3, y3), with

x3 = m2 − C − x1 − x2,

The addition/subtraction operations thus defined have an interesting geometrical interpretation in the case that the underlying field F is the real number field. Namely, 3 points on the curve are collinear if and only if they sum to 0. This interpretation is generalized to allow for a double intersection at a point of tangency (unless it is an inflection point, in which case it is a triple intersection). Finally, the geometrical interpretation takes the view that vertical lines intersect the curve at the point at infinity. When the field is finite, say F = Fp, the geometrical interpretation is not evident, as we realize Fp as the integers modulo p; in particular, the division operations for the slope m are inverses (mod p).

It is a beautiful outcome of the theory that the curve operations in Definition 7.1.2 define a group; furthermore, this group has special properties, depending on the underlying field. We collect such results in the following theorem:

Theorem 7.1.3 (Cassels). An elliptic curve E(F ) together with the operations of Definition 7.1.2 is an abelian group. In the finite-field case the group E(Fpk ) is either cyclic or isomorphic to a product of two cyclic groups:

E Zd1 × Zd2 ,

=

with d1|d2 and d1|pk − 1.

That E is an abelian group is not hard to show, except that establishing associativity is somewhat tedious (see Exercise 7.7). The structure result for

the field F is finite, E(F ) is always a finite group, and the group order,

#E(F ), which is the number of points (x, y) on the a ne curve plus 1 for

the point at infinity, is a number that gives rise to fascinating and profound issues. Indeed, the question of order will arise in such domains as primality proving, factorization, and cryptography.

We define elliptic multiplication by integers in a natural manner: For point P E and positive integer n, we denote the n-th multiple of the point by

[n]P = P + P + · · · + P,

where exactly n copies of P appear on the right. We define [0]P as the group identity O, the point at infinity. Further, we define [−n]P to be −[n]P . From elementary group theory we know that when F is finite,

[#E(F )]P = O,

a fact of paramount importance in practical applications of elliptic curves. This issue of curve order is addressed in more detail in Section 7.5. As regards any group, we may consider the order of an element. In an elliptic-curve group, the order of a point P is the least positive integer n with [n]P = 0, while if no such integer n exists, we say that P has infinite order. If E(F ) is finite, then every point in E(F ) has finite order dividing #E(F ).

The fundamental relevance of elliptic curves for factorization will be the fact that, if one has a composite n to be factored, one can try to work on an elliptic curve over Zn, even though Zn is not a field and treating it as such might be considered “illegal.” When an illegal curve operation is encountered, it is exploited to find a factor of n. This idea of what we might call “pseudocurves” is the starting point of H. Lenstra’s elliptic curve method (ECM) for factorization, whose details are discussed in Section 7.4. Before we get to this wonderful algorithm we first discuss “legal” elliptic curve arithmetic over a field.

7.2Elliptic arithmetic

Armed with some elliptic curve fundamentals, we now proceed to develop practical algorithms for elliptic arithmetic. For simplicity we shall adopt a finite field Fp for prime p > 3, although generally speaking the algorithm structures remain the same for other fields. We begin with a simple method for finding explicit points (x, y) on a given curve, the idea being that we require the relevant cubic form in x to be a square modulo p:

Algorithm 7.2.1 (Finding a point on a given elliptic curve). For a prime p > 3 we assume an elliptic curve E(Fp) determined by cubic y2 = x3 + ax + b. This algorithm returns a point (x, y) on E.

Either square root of the residue may be returned, since (x, y) E(Fp) implies (x, −y) E(Fp). Though the algorithm is probabilistic, the method can be expected to require just a few iterations of the do-loop. There is another important issue here: For certain problems where the y-coordinate is not needed, one can always check that some point (x, ?) exists—i.e., that x is a valid x-coordinate—simply by checking whether the Jacobi symbol pt is not −1.

These means of finding a point on a given curve are useful in primality proving and cryptography. But there is an interesting modified question: How can one find both a random curve and a point on said curve? This question is important in factorization. We defer this algorithm to Section 7.4, where “pseudocurves” with arithmetic modulo composite n are indicated.

But given a point P , or some collection of points, on a curve E, how do we add them pairwise, and most importantly, how do we calculate elliptic multiples [n]P ? For these operations, there are several ways to proceed:

Option (1): A ne coordinates. Use the fundamental group operations of Definition 7.1.2 in a straightforward manner, this approach generally involving an inversion for a curve operation.

Option (2): Projective coordinates. Use the group operations, but for projective coordinates [X, Y, Z] to avoid inversions. When Z = 0, X,[ Y, Z] corresponds to the a ne point (X/Z, Y /Z) on the curve. The point [0, 1, 0] is O, the point at infinity.

the point 0, 1, 0 corresponding to O, the point at infinity. This system also avoids inversions, and has a lower operation count than projective coordinates.

Option (4): X, Z coordinates, sometimes called Montgomery coordinates. Use coordinates [X : Z], which are the same as the projective coordinates [X, Y, Z], but with “Y ” dropped. One can recover the x coordinate of the a ne point when Z = 0 asx = X/Z. There are generally two possibilities for y, and this is left ambiguous. This option tends to work well in elliptic multiplication and when y-coordinates are not needed at any stage, as sometimes happens in certain factorization and cryptography work, or when the elliptic algebra must be carried out in higher domains where coordinates themselves can be polynomials.

Which of these algorithmic approaches is best depends on various side issues. For example, assuming an underlying field Fp, if one has a fast inverse (mod p), one might elect option (1) above. On the other hand, if one has already implemented option (1) and wishes to reduce the expensive time for a (slow) inverse, one might move to (2) or (3) with, as we shall see, minor changes in the algorithm flow. If one wishes to build an implementation from scratch, option (4) may be indicated, especially in factorization of very large numbers

and

α = X2Z1 − X1Z2, β = X2Z1 + X1Z2,

γ = Y2Z1 − Y1Z2, δ = Y2Z1 + Y1Z2, ζ = Z1Z2.

By holding on to the intermediate calculations of α2, α3, α2β, γ2ζ, the coordinates of P1 + P2 may be computed in 14 field multiplications and 8 field additions (multiplication by 1/2 can generally be accomplished by a shift or an add and a shift). In the case of doubling a point by rule (5), if [2]P =O, the projective equations for

[2]P = [2][X, Y, Z] = [X , Y , Z ]

are

X = ν(µ2 − 2λν),

Y = µ 3λν − µ2 − 2Y12ν2,

Z = ν3,

where

λ = 2XY, µ = 3X2 + aZ2, ν = 2Y Z.

So doubling can be accomplished in 13 field multiplications and 4 field additions. In both adding and doubling, no field inversions of variables are necessary.

When using projective coordinates and starting from a given a ne point (u, v), one easily creates projective coordinates by tacking on a 1 at the end, namely, creating the projective point [u, v, 1]. If one wishes to recover an a ne point from [X, Y, Z] at the end of a long calculation, and if this is not

the point at infinity, one computes Z−1 in the field, and has the a ne point (XZ−1, Y Z−1).

We shall see that option (3) also avoids field inversions. In comparison with option (2), the addition for option (3) is more expensive, but the doubling for option (3) is cheaper. Since in a typical elliptic multiplication [n]P we would expect about twice as many doublings as additions, one can see that option (3) could well be preferable to option (2). Recalling the notation, we understandX, Y, Z to be the a ne point (X/Z2, Y /Z3) on y2 = x3 + ax + b if Z = 0, and we understand 0, 1, 0 to be the point at infinity. Again, if we start with an a ne point (u, v) on the curve and wish to convert to modified projective coordinates, we just tack on a 1 at the end, creating the point u, v, 1 . And if one has a modified projective point X, Y, Z that is not the point at infinity, and one wishes to find the a ne point corresponding to it, one computes Z−1, Z−2, Z−3 and the a ne point (XZ−2, Y Z−3). The following algorithm performs the algebra for modified projective coordinates, option (3).

y2 = x3 +ax+b. For modified projective points of the general form P = X, Y, Z , with 0, 1, 0 , 0, −1, 0 both denoting the point at infinity P = O, this algorithm provides functions for point negation, doubling, addition, and subtraction.

1. [Elliptic negate function] neg(P ) return X, −Y, Z ;

2. [Elliptic double function] double(P ) {

if(Y == 0 or Z == 0) return 0, 1, 0 ;

M = (3X2 + aZ4); S = 4XY 2;

X = M 2 − 2S; Y = M (S − X2) − 8Y 4; Z = 2Y Z; return X , Y , Z ;

}

T = U1 + U2; M = S1 + S2; X3 = R2 − T W 2;

Y3 = 12 ((T W 2 − 2X3)R − M W 3); Z3 = Z1Z2W ;

return X3, Y3, Z3 ;

}

4. [Elliptic subtract function] sub(P1, P2) {

return add(P1, neg(P2));

}

It should be stressed that in all of our elliptic addition algorithms, if arithmetic is in Zn, modular reductions are taken whenever intermediate numbers exceed the modulus. This option (3) algorithm (modified projective coordinates) obviously has more field multiplications than does option (1) (a ne coordinates), but as we have said, the idea is to avoid inversions (see Exercise 7.9). It is to be understood that in implementing Algorithm 7.2.3 one should save some of the intermediate calculations for further use; not all of these are explicitly described in our algorithm display above. In particular,

for the elliptic add function, the value W 2 used for X3 is recalled in the calculation of W 3 needed for Y3, as is the value of T W 2. If such care is taken, the function double() consumes 10 field multiplications. (However, for small a or the special case a = −3 in the field, this count of 10 can be reduced further; see Exercise 7.10.) The general addition function add(), on the other hand, requires 16 field multiplications, but there is an important modification of this estimate: When Z1 = 1 only 11 multiplies are required. And this side condition is very common; in fact, it is forced to hold within certain classes of multiplication ladders. (In the case of ordinary projective coordinates discussed before Algorithm 7.2.3 assuming Z1 = 1 reduces the 14 multiplies necessary for general addition also to 11.)

Having discussed options (1), (2), (3) for elliptic arithmetic, we are now at an appropriate juncture to discuss elliptic multiplication, the problem of evaluating [n]P for integer n acting on points P E. One can, of course, use Algorithm 2.1.5 for this purpose. However, since doubling is so much cheaper than adding two unequal points, and since subtracting has the same cost as adding, the method of choice is a modified binary ladder, the so-called addition–subtraction ladder. For most numbers n the ratio of doublings to addition–subtraction operations is higher than for standard binary ladders as in Algorithm 2.1.5, and the overall number of calls to elliptic arithmetic is lower. Such a method is good whenever the group inverse (i.e., negation) is easy—for elliptic curves one just flips the sign of the y-coordinate. (Note that a yet di erent ladder approach to elliptic multiplication will be exhibited later, as Algorithm 7.2.7.)

Algorithm 7.2.4 (Elliptic multiplication: Addition–subtraction ladder).

This algorithm assumes functions double(), add(), sub() from either Algorithm 7.2.2 or 7.2.3, and performs the elliptic multiplication [n]P for nonnegative integer n and point P E. We assume a B-bit binary representation of m = 3n as a sequence of bits (mB−1, . . . , m0), and a corresponding B-bit representation (nj ) for n (which representation is zero-padded on the left to B bits), with B = 0 for n = 0 understood.

Q = P ;

2.[Compare bits of 3n, n] for(B − 2 ≥ j ≥ 1) {

Q = double(Q);

if((mj , nj ) == (1, 0)) Q = add(Q, P ); if((mj , nj ) == (0, 1)) Q = sub(Q, P );

}

return Q;

The proof that this algorithm works is encountered later as Exercise 9.30. There is a fascinating open research area concerning the best way to construct a ladder. See Exercise 9.77 in this regard.

Before we discuss option (4) for elliptic arithmetic, we bring in an extraordinarily useful idea, one that has repercussions far beyond option (4).

Definition 7.2.5. If E(F ) is an elliptic curve over a field F , governed by the equation y2 = x3 + Cx2 + Ax + B, and g is a nonzero element of F , then the quadratic twist of E by g is the elliptic curve over F governed by the equation gy2 = x3 +Cx2 +Ax+B. By a change of variables X = gx, Y = g2y, the Weierstrass form for this twist curve is Y 2 = X3 + gCX2 + g2AX + g3B.

We shall find that in some contexts it will be useful to leave the curve in the form gy2 = x3 + Cx2 + Ax + B, and in other contexts, we shall wish to use the equivalent Weierstrass form.

An immediate observation is that if g, h are nonzero elements of the field F , then the quadratic twist of an elliptic curve by g gives a group isomorphic to the quadratic twist of the curve by gh2. (Indeed, just let a new variable Y be hy. To see that the groups are isomorphic, a simple check of the formulae involved su ces.) Thus, if Fq is a finite field, there is really only one quadratic twist of an elliptic curve E(Fq ) that is di erent from the curve itself. This follows, since if g is not a square in Fq , then as h runs over the nonzero elements of Fq , gh2 runs over all of the nonsquares. This unique nontrivial quadratic twist of E(Fq ) is sometimes denoted by E (Fq ), especially when we are not particularly interested in which nonsquare is involved in the twist.

Now for option (4), homogeneous coordinates with “Y ” dropped. We shall discuss this for a twist curve gy2 = x3 +Cx2 +Ax+B; see Definition 7.2.5. We first develop the idea using a ne coordinates. Suppose P1, P2 are a ne points on an elliptic curve E(F ) with P1 =±P2. One can write down via Definition 7.1.2 (generalized for the presence of “g”) expressions for x+, x−, namely, the x-coordinates of P1 + P2 and P1 − P2, respectively. If these expressions are multiplied, one sees that the y-coordinates of P1, P2 appear only to even powers, and so may be replaced by x-expressions, using the defining curve gy2 = x3 + Cx2 + Ax + B. Somewhat miraculously the resulting expression is subject to much cancellation, including the disappearance of the parameter g. The equations are stated in the following result from [Montgomery 1987, 1992a], though we generalize them here to a quadratic twist of any curve that is given by equation (7.5).

Theorem 7.2.6 (Generalized Montgomery identities). Given an elliptic curve E determined by the cubic

gy2 = x3 + Cx2 + Ax + B,

and two points P1 = (x1, y1), P2 = (x2, y2), neither being O, denote by x± respectively the x-coordinates of P1 ± P2. Then if x1 =x2, we have

whereas if x1 = x2 and 2P1 =O, we have

(x2 − A)2 − 4B(2x1 + C)

x+ = 1 3 2 .

4(x1 + Cx1 + Ax1 + B)

Note that g is irrelevant in the theorem, in the sense that the algebra for combining x-coordinates is independent of g; in fact, one would only use g if a particular starting y-coordinate were involved, but of course the main thrust of Montgomery parameterization is to ignore y-coordinates. We remind ourselves that the case C = 0 reduces to the ordinary Weierstrass form given by (7.4). However, as Montgomery noted, the case B = 0 is especially pleasant: For example, we have the simple relation

(x1x2 − A)2 x+x− = (x1 − x2)2 .

We shall see in what follows how this sort of relation leads to computationally e cient elliptic algebra.

The idea is to use an addition chain to arrive at [n]P , where whenever we are to add two unequal points P1, P2, we happen to know already what P1 − P2 is. This magic is accomplished via the Lucas chain already discussed in Section 3.6.3. In the current notation, we will have at intermediate steps a pair [k]P, [k + 1]P , and from this we shall form either the pair [2k]P, [2k + 1]P or the pair [2k + 1]P, [2k + 2]P , depending on the bits of n. In either case, we perform one doubling and one addition. And for the addition, we already know the di erence of the two points added, namely P itself.

To avoid inversions, we adopt the homogeneous coordinates of option (2), but we drop the “Y ” coordinate. Since the coordinates are homogeneous, when we have the pair [X : Z], it is only the ratio X/Z that is determined (when Z = 0). The point at infinity is recognized as the pair [0 : 0]. Suppose we have points P1, P2 in homogeneous coordinates on an elliptic curve given by equation (7.5), and P1, P2 are not O, P1 =P2. If

P1 = [X1, Y1, Z1], P2 = [X2, Y2, Z2],

P1 + P2 = [X+, Y+, Z+], P1 − P2 = [X−, Y−, Z−],

then on the basis of Theorem 7.2.6 it is straightforward to establish, in the case that X− = 0, that we may take

X+ = Z− (X1X2 − AZ1Z2)2 − 4B(X1Z2 + X2Z1 + CZ1Z2)Z1Z2 ,

(7.6)

Z+ = X−(X1Z2 − X2Z1)2.

These equations define the pair X+, Z+ as a function of the six quantities X1, Z1, X2, Z2, X−, Z−, with Y1, Y2 being completely irrelevant. We denote this function by

[X+ : Z+] = addh([X1 : Z1], [X2 : Z2], [X− : Z−]),

the “h” in the function name emphasizing the homogeneous nature of each [X : Z] pair. The definition of addh can easily be extended to any case where X−Z− = 0. That is, it is possible to allow one of X[ 1 : Z1], [X2 : Z2] to be [0 : 0]. In particular, if [X1 : Z1] = [0 : 0] and [X2 : Z2] is not [0 : 0], then we may define addh([0 : 0], [X2 : Z2], [X2 : Z2]) as [X2 : Z2] (and so not use the above equations). We may proceed similarly if [X2 : Z2] = [0 : 0] and [X1 : Z1] is not [0 : 0]. In the case of P1 = P2, we have a doubling function

[X+ : Z+] = doubleh([X1 : Z1]),

where

X+ = X12 − AZ12 2 − 4B(2X1 + CZ1)Z13,

(7.7)

Z+ = 4Z1 X13 + CX12Z1 + AX1Z12 + BZ13 .

The function doubleh works in all cases, even [X1 : Z1] = [0 : 0]. Let us see, for example, how we might compute [X : Z] for [13]P , with P a point on an elliptic curve. Say [k]P = [Xk : Yk]. We have

[13]P = ([2]([2]P ) + ([2]P + P )) + ([2]([2]P + P )),

which is computed as follows:

[X2 : Z2] = doubleh([X1 : Z1]),

[X3 : Z3] = addh([X2 : Z2], [X1 : Z1], [X1 : Z1]),

[X4 : Z4] = doubleh([X2 : Z2]), [X6 : Z6] = doubleh([X3 : Z3]),

[X7 : Z7] = addh([X4 : Z4], [X3 : Z3], [X1 : Z1]), [X13 : Z13] = addh([X7 : Z7], [X6 : Z6], [X1 : Z1]).

(For this to be accurate, we must assume that X1 = 0.) In general, we may use the following algorithm, which essentially contains within it Algorithm 3.6.7 for computing a Lucas chain.

Algorithm 7.2.7 (Elliptic multiplication: Montgomery method). This algorithm assumes functions addh() and doubleh() as described above and attempts to perform the elliptic multiplication of nonnegative integer n by point P = [X : any : Z], in E(F ), with XZ = 0, returning the [X : Z] coordinates of [n]P . We assume a B-bit binary representation of n > 0 as a sequence of bits

(nB−1, . . . , n0).