Montgomery curve
In mathematics, the Montgomery curve is a form of elliptic curve introduced by Peter L. Montgomery in 1987,[1] different from the usual Weierstrass form. It is used for certain computations, and in particular in different cryptography applications.
Definition
A Montgomery curve over a field K is defined by the equation
- [math]\displaystyle{ M_{A,B}: By^2 = x^3 + Ax^2 + x }[/math]
for certain A, B ∈ K and with B(A2 − 4) ≠ 0.
Generally this curve is considered over a finite field K (for example, over a finite field of q elements, K = Fq) with characteristic different from 2 and with A ≠ ±2 and B ≠ 0, but they are also considered over the rationals with the same restrictions for A and B.
Montgomery arithmetic
It is possible to do some "operations" between the points of an elliptic curve: "adding" two points [math]\displaystyle{ P, Q }[/math] consists of finding a third one [math]\displaystyle{ R }[/math] such that [math]\displaystyle{ R=P+Q }[/math]; "doubling" a point consists of computing [math]\displaystyle{ [2]P=P+P }[/math] (For more information about operations see The group law) and below.
A point [math]\displaystyle{ P=(x,y) }[/math] on the elliptic curve in the Montgomery form [math]\displaystyle{ By^2 = x^3 + Ax^2 + x }[/math] can be represented in Montgomery coordinates [math]\displaystyle{ P=(X:Z) }[/math], where [math]\displaystyle{ P=(X:Z) }[/math] are projective coordinates and [math]\displaystyle{ x=X/Z }[/math] for [math]\displaystyle{ Z\ne 0 }[/math].
Notice that this kind of representation for a point loses information: indeed, in this case, there is no distinction between the affine points [math]\displaystyle{ (x,y) }[/math] and [math]\displaystyle{ (x,-y) }[/math] because they are both given by the point [math]\displaystyle{ (X:Z) }[/math]. However, with this representation it is possible to obtain multiples of points, that is, given [math]\displaystyle{ P=(X:Z) }[/math], to compute [math]\displaystyle{ [n]P=(X_n:Z_n) }[/math].
Now, considering the two points [math]\displaystyle{ P_n=[n]P=(X_n:Z_n) }[/math] and [math]\displaystyle{ P_m=[m]P=(X_m:Z_m) }[/math]: their sum is given by the point [math]\displaystyle{ P_{m+n}=P_m+P_n = (X_{m+n}:Z_{m+n}) }[/math] whose coordinates are:
- [math]\displaystyle{ X_{m+n} = Z_{m-n}((X_m-Z_m)(X_n+Z_n)+(X_m+Z_m)(X_n-Z_n))^2 }[/math]
- [math]\displaystyle{ Z_{m+n} = X_{m-n}((X_m-Z_m)(X_n+Z_n)-(X_m+Z_m)(X_n-Z_n))^2 }[/math]
If [math]\displaystyle{ m=n }[/math], then the operation becomes a "doubling"; the coordinates of [math]\displaystyle{ [2]P_n=P_n+P_n=P_{2n}=(X_{2n}:Z_{2n}) }[/math] are given by the following equations:
- [math]\displaystyle{ 4X_nZ_n = (X_n+Z_n)^2 - (X_n-Z_n)^2 }[/math]
- [math]\displaystyle{ X_{2n} = (X_n+Z_n)^2(X_n-Z_n)^2 }[/math]
- [math]\displaystyle{ Z_{2n} = (4X_nZ_n)((X_n-Z_n)^2+((A+2)/4)(4X_nZ_n)) }[/math]
The first operation considered above (addition) has a time-cost of 3M+2S, where M denotes the multiplication between two general elements of the field on which the elliptic curve is defined, while S denotes squaring of a general element of the field.
The second operation (doubling) has a time-cost of 2M + 2S + 1D, where D denotes the multiplication of a general element by a constant; notice that the constant is [math]\displaystyle{ (A+2)/4 }[/math], so [math]\displaystyle{ A }[/math] can be chosen in order to have a small D.
Algorithm and example
The following algorithm represents a doubling of a point [math]\displaystyle{ P_1=(X_1:Z_1) }[/math] on an elliptic curve in the Montgomery form.
It is assumed that [math]\displaystyle{ Z_1=1 }[/math]. The cost of this implementation is 1M + 2S + 1*A + 3add + 1*4. Here M denotes the multiplications required, S indicates the squarings, and a refers to the multiplication by A.
- [math]\displaystyle{ XX_1 = X_1^2 \, }[/math]
- [math]\displaystyle{ X_2 = (XX_1-1)^2 \, }[/math]
- [math]\displaystyle{ Z_2 = 4X_1(XX_1+aX_1+1) \, }[/math]
Example
Let [math]\displaystyle{ P_1=(2,\sqrt{3}) }[/math] be a point on the curve [math]\displaystyle{ 2y^2 = x^3 -x^2 + x }[/math]. In coordinates [math]\displaystyle{ (X_1:Z_1) }[/math], with [math]\displaystyle{ x_1=X_1/Z_1 }[/math], [math]\displaystyle{ P_1=(2:1) }[/math].
Then:
- [math]\displaystyle{ XX_1 = X_1^2 = 4 \, }[/math]
- [math]\displaystyle{ X_2 = (XX_1-1)^2 = 9 \, }[/math]
- [math]\displaystyle{ Z_2 = 4X_1(XX_1+AX_1+1) = 24 \, }[/math]
The result is the point [math]\displaystyle{ P_2=(X_2:Z_2)=(9:24) }[/math] such that [math]\displaystyle{ P_2=2P_1 }[/math].
Addition
Given two points [math]\displaystyle{ P_1=(x_1,y_1) }[/math], [math]\displaystyle{ P_2=(x_2,y_2) }[/math] on the Montgomery curve [math]\displaystyle{ M_{A,B} }[/math] in affine coordinates, the point [math]\displaystyle{ P_3=P_1+P_2 }[/math] represents, geometrically the third point of intersection between [math]\displaystyle{ M_{A,B} }[/math] and the line passing through [math]\displaystyle{ P_1 }[/math] and [math]\displaystyle{ P_2 }[/math]. It is possible to find the coordinates [math]\displaystyle{ (x_3,y_3) }[/math] of [math]\displaystyle{ P_3 }[/math], in the following way:
1) consider a generic line [math]\displaystyle{ ~y=lx+m }[/math] in the affine plane and let it pass through [math]\displaystyle{ P_1 }[/math] and [math]\displaystyle{ P_2 }[/math] (impose the condition), in this way, one obtains [math]\displaystyle{ l=\frac{y_2-y_1}{x_2-x_1} }[/math] and [math]\displaystyle{ m=y_1-\left(\frac{y_2-y_1}{x_2-x_1}\right)x_1 }[/math];
2) intersect the line with the curve [math]\displaystyle{ M_{A,B} }[/math], substituting the [math]\displaystyle{ ~y }[/math] variable in the curve equation with [math]\displaystyle{ ~y=lx+m }[/math]; the following equation of third degree is obtained:
- [math]\displaystyle{ x^3+(A-Bl^2)x^2+(1-2Blm)x-Bm^2=0. }[/math]
As it has been observed before, this equation has three solutions that correspond to the [math]\displaystyle{ ~x }[/math] coordinates of [math]\displaystyle{ P_1 }[/math], [math]\displaystyle{ P_2 }[/math] and [math]\displaystyle{ P_3 }[/math]. In particular this equation can be re-written as:
- [math]\displaystyle{ (x-x_1)(x-x_2)(x-x_3)=0 }[/math]
3) Comparing the coefficients of the two identical equations given above, in particular the coefficients of the terms of second degree, one gets:
- [math]\displaystyle{ -x_1-x_2-x_3=A-Bl^2 }[/math].
So, [math]\displaystyle{ x_3 }[/math] can be written in terms of [math]\displaystyle{ x_1 }[/math], [math]\displaystyle{ y_1 }[/math], [math]\displaystyle{ x_2 }[/math], [math]\displaystyle{ y_2 }[/math], as:
- [math]\displaystyle{ x_3 = B\left(\frac{y_2-y_1}{x_2-x_1}\right)^2-A-x_1-x_2. }[/math]
4) To find the [math]\displaystyle{ ~y }[/math] coordinate of the point [math]\displaystyle{ P_3 }[/math] it is sufficient to substitute the value [math]\displaystyle{ x_3 }[/math] in the line [math]\displaystyle{ ~y=lx+m }[/math]. Notice that this will not give the point [math]\displaystyle{ P_3 }[/math] directly. Indeed, with this method one find the coordinates of the point [math]\displaystyle{ ~R }[/math] such that [math]\displaystyle{ R+P_1+P_2=P_\infty }[/math], but if one needs the resulting point of the sum between [math]\displaystyle{ P_1 }[/math] and [math]\displaystyle{ P_2 }[/math], then it is necessary to observe that: [math]\displaystyle{ R+P_1+P_2=P_\infty }[/math] if and only if [math]\displaystyle{ -R=P_1+P_2 }[/math]. So, given the point [math]\displaystyle{ ~R }[/math], it is necessary to find [math]\displaystyle{ ~-R }[/math], but this can be done easily by changing the sign to the [math]\displaystyle{ ~y }[/math] coordinate of [math]\displaystyle{ ~R }[/math]. In other words, it will be necessary to change the sign of the [math]\displaystyle{ ~y }[/math] coordinate obtained by substituting the value [math]\displaystyle{ x_3 }[/math] in the equation of the line.
Resuming, the coordinates of the point [math]\displaystyle{ P_3=(x_3,y_3) }[/math], [math]\displaystyle{ P_3=P_1+P_2 }[/math] are:
- [math]\displaystyle{ x_3 = \frac{B(y_2-y_1)^2}{(x_2-x_1)^2}-A-x_1-x_2 }[/math]
- [math]\displaystyle{ y_3 = \frac{(2x_1+x_2+A)(y_2-y_1)}{x_2-x_1}-\frac{B(y_2-y_1)^3}{(x_2-x_1)^3}-y_1 }[/math]
Doubling
Given a point [math]\displaystyle{ P_1 }[/math] on the Montgomery curve [math]\displaystyle{ M_{A,B} }[/math], the point [math]\displaystyle{ [2]P_1 }[/math] represents geometrically the third point of intersection between the curve and the line tangent to [math]\displaystyle{ P_1 }[/math]; so, to find the coordinates of the point [math]\displaystyle{ P_3=2P_1 }[/math] it is sufficient to follow the same method given in the addition formula; however, in this case, the line y = lx + m has to be tangent to the curve at [math]\displaystyle{ P_1 }[/math], so, if [math]\displaystyle{ M_{A,B}: f(x,y)=0 }[/math] with
- [math]\displaystyle{ f(x,y)=x^3+Ax^2+x-By^2, }[/math]
then the value of l, which represents the slope of the line, is given by:
- [math]\displaystyle{ l=-\left.\frac{\partial f}{\partial x}\right/\frac{\partial f}{\partial y } }[/math]
by the implicit function theorem.
So [math]\displaystyle{ l = \frac{3x_1^2 + 2Ax_1 + 1}{2By_1} }[/math] and the coordinates of the point [math]\displaystyle{ P_3 }[/math], [math]\displaystyle{ P_3=2P_1 }[/math] are:
- [math]\displaystyle{ \begin{align} x_3 & = Bl^2-A-x_1-x_1 = \frac{B(3x_1^2+2Ax_1+1)^2}{(2By_1)^2}-A-x_1-x_1 \\ y_3 & = (2x_1+x_1+A)l-Bl^3-y_1 \\ & = \frac{(2x_1+x_1+A)(3{x_1}^2+2Ax_1+1)}{2By_1}-\frac{B(3{x_1}^2+2Ax_1+1)^3}{(2By_1)^3}-y_1. \end{align} }[/math]
Equivalence with twisted Edwards curves
Let [math]\displaystyle{ K }[/math] be a field with characteristic different from 2.
Let [math]\displaystyle{ M_{A,B} }[/math] be an elliptic curve in the Montgomery form:
- [math]\displaystyle{ M_{A,B} : Bv^2 = u^3 + Au^2 + u }[/math]
with [math]\displaystyle{ A\in K\smallsetminus\{-2,2\} }[/math], [math]\displaystyle{ B \in K\smallsetminus\{0\} }[/math]
and let [math]\displaystyle{ E_{a,d} }[/math] be an elliptic curve in the twisted Edwards form:
- [math]\displaystyle{ E_{a,d}\ :\ ax^2 + y^2 = 1 + dx^2y^2, \, }[/math]
with [math]\displaystyle{ a,d\in K\smallsetminus\{0\}, \quad a\neq d. }[/math]
The following theorem shows the birational equivalence between Montgomery curves and twisted Edwards curve:[2]
Theorem (i) Every twisted Edwards curve is birationally equivalent to a Montgomery curve over [math]\displaystyle{ K }[/math]. In particular, the twisted Edwards curve [math]\displaystyle{ E_{a,d} }[/math] is birationally equivalent to the Montgomery curve [math]\displaystyle{ M_{A,B} }[/math] where [math]\displaystyle{ A = \frac{2(a+d)}{a-d} }[/math], and [math]\displaystyle{ B = \frac{4}{a-d} }[/math].
The map:
- [math]\displaystyle{ \psi\,:\,E_{a,d} \rightarrow M_{A,B} }[/math]
- [math]\displaystyle{ (x,y) \mapsto (u,v) = \left(\frac{1+y}{1-y},\frac{1+y}{(1-y)x}\right) }[/math]
is a birational equivalence from [math]\displaystyle{ E_{a,d} }[/math] to [math]\displaystyle{ M_{A,B} }[/math], with inverse:
- [math]\displaystyle{ \psi^{-1} }[/math]: [math]\displaystyle{ M_{A,B} \rightarrow E_{a,d} }[/math]
- [math]\displaystyle{ (u,v) \mapsto (x,y) = \left(\frac{u}{v},\frac{u-1}{u+1}\right), a=\frac{A+2}{B}, d=\frac{A-2}{B} }[/math]
Notice that this equivalence between the two curves is not valid everywhere: indeed the map [math]\displaystyle{ \psi }[/math] is not defined at the points [math]\displaystyle{ v = 0 }[/math] or [math]\displaystyle{ u + 1 = 0 }[/math] of the [math]\displaystyle{ M_{A,B} }[/math].
Equivalence with Weierstrass curves
Any elliptic curve can be written in Weierstrass form. In particular, the elliptic curve in the Montgomery form
- [math]\displaystyle{ M_{A,B} }[/math]: [math]\displaystyle{ By^2 = x^3 + Ax^2 + x, }[/math]
can be transformed in the following way: divide each term of the equation for [math]\displaystyle{ M_{A,B} }[/math] by [math]\displaystyle{ B^3 }[/math], and substitute the variables x and y, with [math]\displaystyle{ u=\frac{x}{B} }[/math] and [math]\displaystyle{ v=\frac{y}{B} }[/math] respectively, to get the equation
- [math]\displaystyle{ v^2 = u^3 + \frac{A}{B}u^2 + \frac{1}{B^2}u. }[/math]
To obtain a short Weierstrass form from here, it is sufficient to replace u with the variable [math]\displaystyle{ t-\frac{A}{3B} }[/math]:
- [math]\displaystyle{ v^2 = \left(t-\frac{A}{3B}\right)^3 + \frac{A}{B}\left(t-\frac{A}{3B}\right)^2 + \frac{1}{B^2}\left(t-\frac{A}{3B}\right); }[/math]
finally, this gives the equation:
- [math]\displaystyle{ v^2 = t^3 + \left(\frac{3-A^2}{3B^2}\right)t + \left(\frac{2A^3-9A}{27B^3}\right). }[/math]
Hence the mapping is given as
- [math]\displaystyle{ \psi }[/math]: [math]\displaystyle{ M_{A,B} \rightarrow E_{a,b} }[/math]
- [math]\displaystyle{ (x,y) \mapsto (t,v) = \left(\frac{x}{B} + \frac{A}{3B}, \frac{y}{B}\right), a=\frac{3-A^2}{3B^2}, b=\frac{2A^3-9A}{27B^3} }[/math]
In contrast, an elliptic curve over base field [math]\displaystyle{ \mathbb{F} }[/math] in Weierstrass form
- [math]\displaystyle{ E_{a,b} }[/math]: [math]\displaystyle{ v^2 = t^3 + at + b }[/math]
can be converted to Montgomery form if and only if [math]\displaystyle{ E_{a,b} }[/math] has order divisible by four and satisfies the following conditions:[3]
- [math]\displaystyle{ z^3 + az + b = 0 }[/math] has at least one root [math]\displaystyle{ \alpha \in \mathbb{F} }[/math]; and
- [math]\displaystyle{ 3\alpha^2 + a }[/math] is a quadratic residue in [math]\displaystyle{ \mathbb{F} }[/math].
When these conditions are satisfied, then for [math]\displaystyle{ s = (\sqrt{3\alpha^2 + a})^{-1} }[/math] we have the mapping
- [math]\displaystyle{ \psi^{-1} }[/math]: [math]\displaystyle{ E_{a,b} \rightarrow M_{A,B} }[/math]
- [math]\displaystyle{ (t,v) \mapsto (x,y) = \left(s (t-\alpha), s v\right), A = 3 \alpha s, B = s }[/math].
See also
- Curve25519
- Table of costs of operations in elliptic curves – information about the running-time required in a specific case
Notes
- ↑ Peter L. Montgomery (1987). "Speeding the Pollard and Elliptic Curve Methods of Factorization". Mathematics of Computation 48 (177): 243–264. doi:10.2307/2007888.
- ↑ Daniel J. Bernstein, Peter Birkner, Marc Joye, Tanja Lange and Christiane Peters (2008). "Twisted Edwards Curves". Progress in Cryptology – AFRICACRYPT 2008. Lecture Notes in Computer Science. 5023. Springer-Verlag Berlin Heidelberg. pp. 389–405. doi:10.1007/978-3-540-68164-9_26. ISBN 978-3-540-68159-5. http://eprint.iacr.org/2008/013.
- ↑ Katsuyuki Okeya, Hiroyuki Kurumatani, and Kouichi Sakurai (2000). "Elliptic Curves with the Montgomery-Form and Their Cryptographic Applications". Public Key Cryptography (PKC2000). doi:10.1007/978-3-540-46588-1_17.
References
- Peter L. Montgomery (1987). "Speeding the Pollard and Elliptic Curve Methods of Factorization". Mathematics of Computation 48 (177): 243–264. doi:10.2307/2007888.
- Daniel J. Bernstein, Peter Birkner, Marc Joye, Tanja Lange and Christiane Peters (2008). "Twisted Edwards Curves". Progress in Cryptology – AFRICACRYPT 2008. Lecture Notes in Computer Science. 5023. Springer-Verlag Berlin Heidelberg. pp. 389–405. doi:10.1007/978-3-540-68164-9_26. ISBN 978-3-540-68159-5. http://eprint.iacr.org/2008/013.
- Wouter Castryck; Steven Galbraith; Reza Rezaeian Farashahi (2008). Efficient Arithmetic on Elliptic Curves using a Mixed Edwards-Montgomery Representation. https://eprint.iacr.org/2008/218.pdf.
External links
Original source: https://en.wikipedia.org/wiki/Montgomery curve.
Read more |