Table of contents :
Content: Preface
1. Introduction
2. Finite field arithmetic
3. Arithmetic on an elliptic curve
4. Efficient implementation of elliptic curves
5. The elliptic curve discrete logarithm problem
6. Determining the group order
7. Schoof's algorithm and extensions
8. Generating curves using complex multiplication
9. Other applications of elliptic curves
10. Hyperelliptic curves
Appendix A. Curve examples
Bibliography
Author index
Subject index.

##### Citation preview

Elliptic Curves in Cryptography I.F. Blake, G. Seroussi and N.P. Smart

To Elizabeth, Lauren and Michael, Lidia, Ariel and Dahlia, Maggie, Ellie and Oliver.

Contents Preface

Xl

Abbreviations and Standard Notation Chapter I.

Xlll

1

Introduction

1.1.

Cryptography Based on Groups

2

1.2.

W hat Types of Group are Used

6

1.3.

W hat it Means in Practice

8

Finite Field Arithmetic

11

II.1.

Fields of Odd Characteristic

11

II.2.

Fields of Characteristic Two

19

Chapter II.

Chapter III.

Arithmetic on an Elliptic Curve

29

III.1.

General Elliptic Curves

30

III.2.

The Group Law

31

III.3.

Elliptic Curves over Finite Fields

34

III.4.

The Division Polynomials

39

III.5.

The Weil Pairing

42

III.6.

Isogenies, Endomorphisms and Torsion

44

III.7.

Various Functions and q- Expansions

46

III.8.

Modular Polynomials and Variants

50

Chapter IV.

Efficient Implementation of Elliptic Curves

57

IV.1.

Point Addition

57

IV.2.

Point Multiplication

62

IV.3.

Frobenius Expansions

73

IV.4.

Point Compression

76

Chapter V.

The Elliptic Curve Discrete Logarithm Problem

79

V.1.

The Simplification of Pohlig and Hellman

80

V.2.

The MOY Attack

82

V.3.

The Anomalous Attack

88

V.4.

Baby Step/ Giant Step

91

V.5.

Methods based on Random Walks

93

V.6.

Index Calculus Methods

97

V.7.

Summary

98 vii

viii

CONTENTS

Chapter VI.

Determining the Group Order

101

Main Approaches

101

VI.2.

Checking the Group Order

103

VI.3.

The Method of Shanks and Mestre

104

VI.4.

Subfield Curves

104

VI.5.

Searching for Good Curves

106

VI.1.

Chapter VII.

Schoof's Algorithm and Extensions

109

VII.1.

Schoof's Algorithm

109

VII.2.

Beyond Schoof

114 118

VII.3.

More on the Modular Polynomials

VII.4.

Finding Factors of Division Polynomials

VII.5.

Finding Factors of Division Polynomials

VII.6.

Determining the Trace Modulo a Prime Power

VII.7.

The Elkies Procedure

139

VII.8.

The Atkin Procedure

140

VII.9.

Combining the Information from Elkies and Atkin Primes

through Isogenies: Odd Characteristic through Isogenies: Characteristic Two

122 133 138

142

VII.10.

Examples

144

VII.11.

Further Discussion

147

Chapter VIII.

Generating Curves using Complex Multiplication

149

VIII.1.

The Theory of Complex Multiplication

149

VIII.2.

Generating Curves over Large Prime Fields using CM

151

VIII.3.

Weber Polynomials

155

VIII.4.

Further Discussion

157

Chapter IX.

Other Applications of Elliptic Curves

159

IX.1.

Factoring Using Elliptic Curves

159

IX.2.

The Pocklington-Lehmer Primality Test

162

IX.3.

The ECPP Algorithm

164

IX.4.

Equivalence between DLP and DHP

166

Chapter X.

Hyperelliptic Cryptosystems

171

X.1.

Arithmetic of Hyperelliptic Curves

171

X.2.

Generating Suitable Curves

173

X.3.

The Hyperelliptic Discrete Logarithm Problem

176

Appendix A.

Curve Examples

181

A.1.

Odd Characteristic

181

A.2.

Characteristic Two

186

Bibliography

191

Author Index

199

CONTENTS

Subject Index

ix

201

x

CONTENTS

Preface Much attention has recently been focused on the use of elliptic curves in public key cryptography, first proposed in the work of Koblitz

[62]

and Miller

[103].

The motivation for this is the fact that there is no known sub-exponential algorithm to solve the discrete logarithm problem on a general elliptic curve. In addition, as will be discussed in Chapter I, the standard protocols in cryp­ tography which make use of the discrete logarithm problem in finite fields, such as Diffie-Hellman key exchange, ElGamal encryption and digital signa­ ture, Massey-Omura encryption and the Digital Signature Algorithm ( DSA) , all have analogues in the elliptic curve case. Cryptosystems based on elliptic curves are an exciting technology because for the same level of security as systems such as RSA

[134],

using the current

knowledge of algorithms in the two cases, they offer the benefits of smaller key sizes and hence of smaller memory and processor requirements. This makes them ideal for use in smart cards and other environments where resources such as storage, time, or power are at a premium. Some researchers have expressed concern that the basic problem on which elliptic curve systems are based has not been looked at in as much detail as, say, the factoring problem, on which systems such as RSA are based. However, all such systems based on the perceived difficulty of a mathematical problem live in fear of a dramatic breakthrough to some extent, and this issue is not addressed further in this work. This book discusses various issues surrounding the use of elliptic curves in cryptography, including: •

The basic arithmetic operations, not only on the curves but also over finite fields.

Ways of efficiently implementing the basic operation of adding a point to itself a large number of times ( point multiplication) .

Known attacks on systems based on elliptic curves.

A large section devoted to computing the number of rational points on

A discussion on the generalization of elliptic curve systems to hyperel­

elliptic curves over finite fields. liptic systems. The book is written for a wide audience ranging from the mathematician who knows about elliptic curves ( or has been acquainted with them) and who wants a quick survey of the main results pertaining to cryptography, to an xi

xii

PREFACE

implementer who requires some knowledge of elliptic curve mathematics for use in a practical cryptosystem. Clearly, aiming for such diverse audiences is hard, and not all parts of the book will be of the same level of interest to all readers. However, most of the important points such as implementation issues, security issues and point counting issues can be acquired with only a moderate understanding of the underlying mathematics. We try and give a flavour of the mathematics involved for those who are interested.

We decided however not to include most proofs since that

not only would dramatically increase the size of the book but also would not serve its main purpose. It is hoped that the numerous references cited and the extensive bibliography provided will direct the interested reader to appropriate sources for all the missing details. In fact, much of the necessary mathematical background can be found in the books by Silverman,

[147]

and

[148]. Some of the topics covered in the book by Menezes

[97]

are expanded

upon. In particular the improvements made to the algorithm of Schoof

[141]

for determining the number of rational points on an elliptic curve are ex­ plained, and the method of finding curves using the theory of complex mul­ tiplication is discussed. This latter method has other applications when one uses elliptic curves to construct proofs of primality. We also give the first treatment in book form of such methods as point compression (including x-coordinate compression), the attack on anomalous curves and the general­ ization of the MOY attack to curves such as those with the trace of Frobenius equal to two. Two chapters are devoted to implementation issues. One cov­ ers finite fields while the second covers the various techniques available for point multiplication. In addition, the chapter on Schoof's algorithm and its improvements provides algorithmic summaries intended to facilitate the im­ plementation of these point counting techniques. We would like to thank D. Boneh, S. Galbraith, A.J. Menezes, K. Pater­ son, M. Rubinstein, E. Scheafer, R. Schoof and S. Zaba who have looked over various portions of the manuscript and given us their comments. All of the remaining mistakes and problems are our own and we apologize in advance for any you may find. The authors would also like to thank Dan Boneh, Jo­ hannes Buchmann, Markus Maurer and Volker Muller for many discussions on elliptic curves, their assistance with the implementation of point count­ ing algorithms and the prompt answering of many queries. Thanks are due also to John Cremona for his g\'JEX algorithm template which we modified to produce the algorithms in this book. Finally thanks are due to Hewlett-Packard Company and our colleagues and managers there for their support, assistance and encouragement during the writing of this book.

Abbreviations and Standard Notation

Abbreviations

The following abbreviations of standard phrases are used throughout the book: Advanced Encryption Standard AES baby step/ giant step method BSGS Complex multiplication CM Chinese Remainder Theorem CRT Data Encryptionproblem Standard DES DHP Diffie-Hellman DLP Discrete logarithm problem Digital Signature Algorithm DSA ECDLP Elliptic curve curve discrete logarithm problem ECM Elliptic factoring method ECPP Elliptic curve primality proving method GCD Greatest commonmultiple divisor Least common LCM MOY Menezes-Okamoto-Vanstone attack NAF Non-adjacent form NFS Number field sievebasis ONB Optimal normal Residue number system encryption scheme RNS RSA Rivest-Shamir-Adleman SDSEA Signed digit Schoof-Elkies-Atkin algorithm

xiii

xiv

ABBREVIATIONS AND STANDARD NOTATION

Standard notation

standard throughout out The furtherfollowing definition. Othernotation notationis used is defined locally thenearbook, its firstoftenuse.with­ K* ' K+ ' K forandaalgebraic field K, theclosure, multiplicative group, additive group, respectively Galois group of group K overofFG Gal(K/F) Aut(G) Automorphism characteristic off Kand g char(K) GCD, LCM of gcd(f, g), lcm(f, g) degree ofana polynomial f deg(!) order of element g in a group ord(g) integers, rationals,thanrealsk; similarly and complex numbers Z, Q, integers greater for � ' integers modulo n Z/nZ p-adic integers andelements numbers, respectively IFTrZqP , 1pQ(x)P finite field with n trace of x E IFq over IFP , p q cyclic group generated by g (g)#S cardinality of (equation) the set S elliptic curve EE(K) group of K-rational points on E to the point P multiplication-by-m map applied [E[mm]P] group of m-torsionringpoints on the elliptic curve E Endormorphism of E End(E) point at infinity (onfunction an elliptic curve) Weierstrass ' p ay' Frobenius map Euler totient function ¢ GL2(R) general linear group over the ring R: 2 2 matrices over R with determinant a unit in R PGL2(K) projective general linearidentified group over the field K, with scalar multiples S L2 ( Z ) special linear grouponeof 2 2 matrices over Z with determinant Legendre symbol (�) Re(z), Im(z) real and imaginary parts of z E respectively Poincare g(n) half-plane Im (z)lg(n)0 clf(n) for some function such that O(f (n)) I I constant c 0 and all sufficiently large n function g(n) such that lim -+oo(g(n)/ f(n)) 0 o(f(n)) n logarithm to base b of x; natural log if b omitted logb x z>k

JR, C

1l

>

C,

=

ABBREVIATIONS AND STANDARD NOTATION

xv

Oftenare wetoowilllongneed toonpresent binary, hexadecimal or decimalconvention numbers which to fit one line. We shall use the standard oflinebreaking number into multiple lines, with a backslash atFortheexample end of a indicatingthethat the number is continued in the next line. 20 p

2 3 + 67

1725436586697640946858688965569256363 1 1 27772430425

9663879063 1055949891 .

\

xvi

ABBREVIATIONS AND STANDARD NOTATION

CHAPTER I Introduction

We introduce the three main characters in public key cryptography. As in many booksofoncommunication the subject, itwhilst is assumed that Alice and Bobwhowishwishes to perform some form Eve is an eavesdropper to spy on (oristamper with) thethatcommunications between Aliceactually and Bob.human. Of course there no assumption Alice and Bob (or Eve) are They mayModern (and probably will) beascomputers onthesomecommercial network such as the Internet. cryptography, applied in world, is concerned with a number of problems. The most important of these are: A message sent from Alice to Bob cannot be read 1. byConfidentiality: anyone else. 2. Authenticity: Bob knows that only Alice could have sent the message heIntegrity: has just received. Bobtransit. knows that the message from Alice has not been tam­ pered with in 4. Non-repudiation: It is impossible for Alice to turn around later and say she did not send the message. To Alice see whywishes all four properties areover important considerfromtheBob.following sce­ nario. to buy some item the Internet She sends her instruction to Bobthatwhich contains her credit card numbersinceandshepayment details. She requires this communication be confidential, wants otherneeds peopletotoknow knowthatneither her creditis authentic card detailsin nor what shefrom is buying. Bob the message that it came Alice and not ssome impostor. Both Alice and Bobtheneedamount to becannot certainbethataltered the message' integrity is preserved, for example byrepudiation some thirdproperty, party whilst it isthatin Alice transit.should Finally Bob requires theshenon­ meaning not be able to say did not Insendotherthewords, instruction. we require transactions to take place between two mutu­ ally distrusting parties oversucha aspublic network. This is different from conven­ tional private networks, those used in banking, where there are key hierarchies and tamper proof hardware which canpublic storekeysymmetric keys.in the It is common in the literature to introduce techniques area of confidentiality protection. Public keybeingtechniques are,magnitude however,slower usu­ ally infeasible to use directly in this context, orders of than symmetric techniques. Their use in confidentiality is often limited to 3.

1

2

I. INTRODUCTION

the transmission of symmetric cipher keys. On the other hand digital signa­ tures, which give the user the authentication, integrity and non-repudiation properties required in electronic commerce, seem to require the use of public key cryptography. A tocomputer which is thousands processing ofpayments for a bankevery or a business may need verify or create digital signatures second. This has led toWhilst the demand forschemes publicarekeybased digitalonsignature schemes which problem are very efficient. many the discrete logarithm inuse.a finite abelianis group, thereof ispoints someondebate as to curve what over type aoffinite groupsfield.to One choice the group an elliptic This choice is becoming increasingly popular, precisely the because ofknowledge efficiency considerations. In this book, we attempt to summarize latest available on both theoretical and practical issues related to elliptic curve cryptosystems. 1.1. Cryptography Based on Groups Insurveyed. this section, some of the standard protocols of public key cryptography are A more detailed discussion of alltheofbooks these protocols andvanotherOorschot related areas of cryptography can be found in by Menezes, and Vanstone [99] curves and Schneier [139], although neither ofdiscussed these booksherecovers the use of elliptic in cryptography. The protocols only theTheusegroup of a finite abelianingroup G, ofisorder #G, which is assumed to berequire cyclic. of interest this work the additive group of points on anassume ellipticthecurve. However, it is convenient for the remainder of this chapter to group is multiplicative, with generator g, and that the order, #G, isof aGprime. Ifgroup, this is with not theno case, wesecurity. can alwaysThetakeadditive a primevs. order subgroup as our loss of multiplicative issue ofwhencourse, just one offocuses notation.on theWe elliptic will revert togroups. additive notation laterTheon,is, group the discussion curve G should be presented in such a way as to make multiplication and exponentiation easy, whilst computing discretealsologarithms is tohard. The reason for this will become clearer below. It should be possible generate random elements from the group with an almost uniform distribution. By the discrete logarithm problem (DLP) we mean the problem of deter­ mining the least positive integer, if it exists, which satisfies the equation h = gx forof alltwo,of given, elementsschemes h and gisinthatthe ifgroup G.is aNotefastthat atocommon feature the following there way solve the DLP inG isG,ofthenprimetheyorder are allsuchinsecure for thelogarithm group G.always Sinceexists. we have assumed that a discrete 1.1.1. Diffie-Hellman key exchange. Alice and Bob wish to agree on a secret random element in the group, which could be of use as a key for a x,

1. 1 . CRYPTOGRAPHY BASED ON GROUPS

3

higherwish speedtosymmetric algorithm likeovertheanData Encryption Standard (DES). They make this agreement insecure channel, without having exchanged any information previously. Thegroup onlyGpublic items, whichg EcanG beof shared amongst a group of users, are the and an element large known order. 1. Alice xA E { 1, . . . , #G 1}. She sends to Bob thegenerates elementa random integer g XA. 2. Bob generates a random integer E {1, . . . , #G 1}. He sends to Alice the element Alice can then compute 4. Likewise, Bob can compute The only information that Eve knows is G, g, g xA and g xs. If Eve can recover A x x g s from this data then Eve is said to have solved a Diffie-Hellman problem (DHP). It is easy to see that if Eve can find discrete logarithms in G then she can solve theandDHP. It is believed for most[94],groups incomplexity-theoretic use in cryptographysense that the DHP the DLP are equivalent in a (there is a polynomial time reduction of one problem to the other, and vice versa). 1.1.2. ElGamal encryption [ 3 9]. Alice wishes to send a message to Bob. Her message, m, is assumed to be encoded as an element in the group. Bob has a public key consisting of g and h = gx, where x is the private key. 1. Alice generates a random integer k E {1, . . . , #G 1} and computes a = g k, b = h km. 2. Alice sends the cipher text (a, b) to Bob. Bob can recover the message from the equation -

XB

-

3.

-

3.

ba-x = h kmg-kx = g xk-xkm = m.

1.1.3.(Z/(#G)Z). ElGamal digital signature [ 3 9]. Here, Bob wants to sign a message He can use the same public and private key pair, h and x, as he used for the encryption scheme. We will need a bij ection f from G to Z/(#G)Z. 1. Bob generates a random integer k E {1, . . . , #G 1 }, and computes a = g k. 2. Bob computes a solution, b E Z/(#G)Z, to the congruence m xf(a) +bk (mod #G).

mE

-

I. INTRODUCTION

4

3. Alice Bob sends thethesignature, (a, b), and the message, m, to Alice. verifies signature by checking that the following equation holds: 1 . 1 .4. Digital Signature Algorithm. A version of ElGamal signatures, called the Digital Signature Algorithm (DSA), is the basis of the Digital Sig­ nature Standard [FIPS186] . An elliptic curve version of DSA (ECDSA) is described in the IEEE P1363 standard draft [P1363] . The signature proce­ dure is almost identical toasthewellElGamal scheme above. It isdifferent describedsignature here for the sake of completeness, as to introduce a slightly verification procedure with some computational advantages. Bob wants to sign a message m E Z/(#G)Z. He uses the same public privatemapping, key pairf,hfrom and Gastobefore, and both he and Alice use a common biandj ective Z/(#G)Z. 1. Bob generates a random integer k E {1, . . . , #G - 1 }, and computes a = g k. 2. He computes the solution, b, to the congruence m -xf(a) +kb (mod #G). 3.4. Alice He sendscomputes the signature, (a, b), and the message, m, to Alice. = mb-1 (mod #G) , = f (a ) b-1 (mod #G). 5. She then computes and verifies that 4.

x

u

v

W

guhv = gmb-1gvx = gmb-1+xf(a)b-1 g(m+xf(a))b-1 = lbb-1 = l

a.

Although theglance, signature verification procedure implemented by theAliceElGa­ ap­ pears, at first more complicated than the one described for mal scheme, it verification is in fact computationally simpler.forUpon closer scrutiny, one notes that the procedure described DSA requires two group exponentiations, while the are,one ofdescribed for the ElGamalequivalent. scheme requires three.In itsThestandardized two procedures course, mathematically versions, the DSA requires also a secure hashing func­ tion. This is a many-to-one function that maps the original message to a shorter digest, in a way that is infeasible to invert in practice. The mes­ sage digest is the quantity actually operated on, in lieu of m. See, e. g ., [99] or [P1363] for the details.

1. 1 . CRYPTOGRAPHY BASED ON GROUPS

5

Here Aliceor public wishes key. to sendThea message tois encoded Bob. They do not need to have a private message as anme-to-you' element method. E G. This protocol is sometimes described as the ' y ou-to-me, It requires Alice and Bob to carry out a conversation rather than just a single transmission of encrypted text. 1. Alice computes a random integer, X A , coprime to #G, and sends Bob the element 2. Bob computes a random integer, xB, coprime to #G, and sends back to Alice the element 1 . 1 . 5 . Massey-Omura encryption. m

3. Alice can compute x::;:1 (mod #G) and so sends back to Bob the element 4. Finally Bob computes xB1 (mod #G) and can decrypt the message as This algorithm, also referred to as the ' d ouble lock' algorithm, is seldom used in practice but is of historical interest. 1 . 1 . 6 . Nyberg-Rueppel digital signature [113] . Nyberg and Rueppel present a give seriesa variant of digitalof onesignature schemes which allow messageofrecovery. Below we of these schemes, based on a system Piveteau [122] . However, here it is given as a standard signature scheme without any message recovery. For details on how to add message recovery, to this and to otherOurschemes, wefor refer the reader to [1 13] scheme . reason including the following is that the message to be signed, different is a member ofElGamal the groupandGDSA and schemes not Z/(#G)Z. This makes it slightly from the above. Oncea again we assume f is a bij ection from G to Z/(#G)Z. Alice wishes toa public sign message, E G. She has a private key x E Z, coprime to #G, and key 1. She computes a random integer, k, coprime to #G, and computes r 2. Alice then computes a solution, s, to the congruence 1 f(r)x+ sk (mod #G). 3.4. Bob She sends the message, and the digital signature, (r, s), to Bob. tion can verify that the message came from Alice by verifying the equa­ m,

m x y = g .

g

-k

=

m.

m,

6

I. INTRODUCTION

7. Problem reductions. It is not proven that breaking any of the above schemes is equivalent to solving the DLP, but this is believed to be the case. That no proof forof this fact has been found isthatsimilar to otherthe situations in cryptography: example there is no proof breaking RSA system ([1Boneh 33] [134]) isVenkatesan equivalent[1to9]factoring the modulus, although theberecent work ofThere and gives evidence that they may not equivalent. arethea fewsystem publiciskeyat cryptographic schemes forsome whichhard one canmathematical prove that breaking least as hard as solving problem,are such as factoringhere.a number or taking discrete logarithms. However, these not discussed Webreaking do notethethatDiffie-Hellman for some classeskey ofexchange finite abelian groups one can prove that protocol is polynomial time equivalent toauxiliary solvinggroups a DLP.which Whatareis interesting about thistaken worktoisbethatelliptic this result uses themselves usually curves. The interestedinreader should consult [9for4],a[9bi5],j ective [18] and Sectionf, IX.from4. The requirement the signature schemes function, G to Z/(#G)Z may seem aFor littleother restrictive. For the groups,thatIF; , ftheis bibijj ective ective function to use is obvious. groups the condition can be weakened. What is really required is a function f : G -----+ Z/MZ forwhichsomeis almost numberinjective. M, of theIn other orderwords of magnitude of the size of the group G, its degreeareaspresented a map should be ' s(x,mall'.y), For elliptic curve systems the group elements as pairs, over some finitefields,field.IF Such a pair represents a point on an elliptic curve. Over large prime ,P field elements are naturally represented as integers modulopoints p, and one usually just uses the x-coordinate of the curve as the map from (group elements) to integers modulo p (the latter prime turns out toandbewillcloseclearly to #G,sufficeandforis thus used for For M above). Thisfields is a ofdegree two map applications. large finite characteristic two, oneinteger performsis needed. a similarAmethod, but a wayused of converting theisx-coordinate into an simple method, in practice, to take the representation of x relative to a given basis of IF2n over IF2 , and interpret the sameusing coefficients as internal the binaryrepresentation digits of an integer. Asconventions, long as Aliceorandat least Bob are the same and order Bob knows how toshould convertbe from his internal representation into Alice's, their implementations interoperable. 1.1.

1.2. What Types of Group are Used

All of thevarious above protocols worktoforusea general abelian group,However, G, so onesincecould consider other groups in such protocols. the protocolsbearesimple to betoimplemented inwayhardware or software,thisthecondition, group operation should realize. One of interpreting but not the only way, is to insist that the group operation be given by simple algebraic

1.2.

WHAT TYPES OF GROUP ARE USED

7

formulae. Inrestricts other words G must be a thecommutative finitegroups algebraicwhichgroup.are This then quite considerably types of such available. A commutative finite algebraic group is essentially equivalent to the prod­ uct offields a finiteandnumber of copiesofofabelian the additive andFormultiplicative groups of finite a finite number varieties. all practical purposes, the latter cantobea general taken topurpose be Jacobians of curves. It willandbeHellman, seen in Chapter V that, owing algorithm of Pohlig the group G should have a largesingle subgroup ofofprime order.andThusmultiplicative we can restrict ourselvesof tofinite onlyfields considering copies additive subgroups orinJacobians. The DLP some additive groups is clearly easy, e. g . the additive group ofgroup a finite field.ellipticFortunately, thissurprisingly, is not the case, asthefarabove as is known, forwere the of an curve. Not all of protocols originally described insuchterms of thethe finite (multiplicative) abelian groupindeed, IF; . However, if one uses groups choice of needs to be very large because there[8are8]). known sub-exponential methods foronsolving the behind DLP in theIF; (see [ 1 ] and These methods are usually based the ideas wellThis knownsituation numberledfieldMillersieve[103]factoring method[62](seeto[7propose 7]). the technique, and Koblitz common in number theory, of replacing a group such as IF; with the group, E(IFq), of rational points on an elliptic curve, E, defined over IFq (these con­ ceptselliptic will becurve precisely definedmethod later).andThisthe technique willprimality be seen again in the factoring elliptic curve proving method. Elliptic curves areItJacobians ofthat dimension one and DLP so areintheelliptic sim­ plest case of a Jacobian. turns out the (additive) curve groupsinis,theat multiplicative present, ordersgroup of magnitude harder than the correspond­ ing problem of a finite field of a similar size, a fact thatIfisonemorewantsprecisely quantified in groups the nextthensection. to avoid algebraic only one other type of group is knownof which is fields. secure and almost practical. These are bythe Buchmann class groupsandof orders number These were originally proposed Williams [23]situation for classdiffer groupsslightly of imaginary quadratic orders. Thebutprotocols used in this from those described earlier, the es­ sential features thebe same. In imaginary quadratic orders the elements ofThesethe forms class can groupremain can represented by reduced binary quadratic forms. bedatemultiplied using the(seestandard composition and reduction algorithms which back to Gauss [ 2 9] and [ 5 0]). We shall see in a later chapter curve that theis closely arithmetic on anto elliptic curve and inof thebinaryJacobian of a hyperelliptic related this composition quadratic forms.Such schemes based on class groups are particularly interesting, as break­ ing some of the proposed cryptosystems is provably as hard as factoring the q

I. INTRODUCTION

8

discriminant ofcomplexity the order.ofHowever, theoperations. protocols areFor atotherpresent veryon class slow owing to the the group work groupTherebasedaresystems, see [10],based [20], on[22]elliptic and [5curves 2]. which are provably as cryptosystems hardelliptic as known mathematical problems. For example there are systems based onthe curves over Z/nZ, where n is the product of two primes, for which ability to break the system is asHowever, hard asJoye factoring the modulus[57]n (see the work of Meyer and Muller [101]). and Quisquater pointed out that the system of Meyer and Muller is reducible toMeyer-Muller the system ofsystem Rabin and Williams (see [129] and [ 1 63]). Hence, since the is probably slower than the Rabin-Williams system, we shall not discuss the former system further. Theresense are other systems based on elliptic curvesscheme over Z/nZ, which are inKoyama some elliptic curve analogues of the RSA (see for example et al.to[6offer 8]). noHowever, theseoverare RSA not provably asofhard as factoring and they appear advantage in terms security but do give a decrease further in performance when The compared withis referred RSA. These schemes are[5not8], discussed in this book. reader instead to [17], [70], [90], [121] and [159]. 1.3. What it Means in Practice Inof athissuitably sectionchosen we discuss thecurvepractical implications ofimplement using the agroup E(IFq) elliptic over a finite field to DLF-based cryptosystem, as opposed to the more 'conventional' choice of the multiplica­ tive group IF; of a finite field. Notice that, in the comparison, IFq and IFP need not be the same field. The key observation is that, for a well-chosen curve (in a senseDLPtoonbeEmade clear later in the book), the best known method for solving the (IFq) is of complexity exponential in the size n = f1og2 l of the field elements, while algorithms that are sub-exponential in N = f1og2 pl are available for the DLP in IF;. More specifically, the best known general algorithms for the elliptic curve DLP are of complexity proportional to 2 CEc (n) = 2 n/ (seeDefine ChaptertheV).function Lp(v, c) = exp (c(logp) v (loglogp) (l- v ) ) , where ' l og' without base specification denotes real natural logarithms. When v = 1, the function LP is exponential in logp, while for v = 0 it is polynomial inexponential, log p. Whenand0 is referred v 1, the behaviour is strictly between polynomial and to as sub-exponential. Discrete logarithms in IFP can be found in time proportional to Lp(l/3, c0 ), where c0 = (64/9)113 1. 92, using a general number field sieve method ([9 9, q

3,

p > 3.

p > 3

'

3

0,

IIl.3. ELLIPTIC CURVES OVER FINITE FIELDS

37

3 +aX +b, so that the curve equation is Y2 = g(X). The Write g(X) = X rational points of order two on the curve are of the form (�, 0) , where � is a zero ofAllg(X)otherin values K. Theofpolynomial g(X) canis ahave zero, one, or three such zeros. X for which g(X) quadratic residue in K yield two points on the2), where curve. s Therefore, counting alsoovertheK, point we haveAdistinct #E(K) s (mod = 1 i f g i s irreducible 0 otherwise. twist ofv2aa,curve given short quadratic Weierstrassnon-residue form Ea,b isv given by Ea' ,b' 3 b forin some where a' = E K. By the b' = v characterization ofK,isomorphism classes above, tothethetwistoriginal is unique upover to iso­K morphisms over and it is itself isomorphic curve, it is soof over IFq2 ,points where ofv becomes a quadratic of(inthefact,groups rational the two curves satisfyresidue). the relationThe orders #Ea,b (K) + #Ea' ,b'(K) = 2q + 2. 3g(X/v), so that we have Ea' ,b' : Y2 = gv (X). ToForverify this, write g (X) = v v Ecurves. K, if gIfv g(x)(x)= is0 athennon-zero g(x/v)quadratic = 0, contributing a single point= gto(x)/v each3 ofis athexnon-residue; residue, then g(x/v) v a' ,b' gets two points, Ea,b gets none. Similarly, if gvv(x) is a E non-residue, then E gets two points, E gets none. Hence, each element of , , b b ' a' a K contributes twoat infinity counts tocounted the sumtwice, #Eaa,b total giving, together (K)+#E a'+,b' (K), with the point of 2q 2 points. This propertywhereof theit istwist is useful when searching for 'ofgood'the curves inof cryptography, required to determine the order group rational points. This is a computationally intensive problem, whichorder we deal with extensively in Chapters VI, VII and VIII. Once the group has been determined a curve, determination Thus, we get the fororders of twoits groups ' for theforpricetheoftwistone'.is straightforward. 111.3.2. Curves in fields of characteristic two. We now specialize to n2 , n � 1. In this case, the expression for the j-invariant the case where q = 2 reduces tois j(E) = ai /to�the In curve characteristic two, the condition j(E) = 0, thisi.e. = 0, equivalent being supersingular. As mentioned, avery 1 special type of curve is avoided in cryptography (see details on the MOY attackUnderin Chapter V). We assume, therefore, that j(E) =J. 0. theseoverassumptions, elliptic curves IFq is given abyrepresentative [147]: for each isomorphism class of (III.8) where in IFqfrom of trace TrIFq12. (rThis a2 E {O,II/}thatwithTr/ 1a isfixedtheelement )= 6 E IF;fromandChapter 1.function We arecall linear trace IF to q 2 trace of Frobenius, and qno confusion 2 is not directly related to the shouldThearise since they are used in quite different contexts. formulae for the group law in Lemma III. 2 then simplify to -Pi = (x 1 , Y1 +x 1 ). 0,

38

III. ARITHMETIC ON AN ELLIPTIC CURVE

When x 1 # x2 we set

A = Y2 ++ Y1 X2 X1

and when x 1 = x2 # 0 we set

,=

/\

'

µ=

x i + Y1 X1

'

Y1X2 + Y2X1 X2 + X 1

µ=

X 21 .

If P3 = (x3 , y3 ) = P1 + P2 # 0, then x3 and y3 are given by the formulae x3 y3

= =

A 2 + A + a2 + x 1 + x 2 , (A + l )x3 +µ (x 1 + x 3 )A + X 3 + Y i·

func­ Theof thefollowing lemma class. restrictsRecall the possible values of #aEaE2 ,a6IFq(IFhasq) asa aunique tion isomorphism that each element square root, -JO, = aq/2 , in the field. 111. 4 . Consider an elliptic curve defined by Equation (III. 8) over IFq , n q = 2 . Then, mod 4)4) ifif TrTrqq112 (a(a2 )) == 0,1 . { 20 ((mod #Ea 2 ,a6 (IF q ) = 2 2 Setting X = 0 yields (0, .Ja6) , the unique point of order two on the curve. To count points with X # 0, we divide Equation (111. 8) by X 2 , and write U = Y/X, obtaining the equivalent equation LEMMA

-

PROOF.

u

2 + u = x + a2 + a5 . x2

Itequation is well hasknown ( see, e. g ., [ 8 6]) that, for a given X E IF;, this quadratic two distinct solutions U and U+ 1 in IFq if and only if Trq 1 2 (X + 2 a2 + a6 /X ) = 0 or, equivalently, Trq1 2 (a2 ) = Trq 1 2 (X 2 + a6 /X 2 ). If X satisfies this equality, so does .Ja5/ X. These two values are different whenever X # ..ya6. Hence, the values of X in IF; - { ..ya5} contribute a number of points divisible by four to #Ea 2 ,a6 (IFq)· When Trq 1 2 (a2 ) = 0, X = ..ya6 contributes two points. Counting also the points (0, .Ja6) and 0 yields the result of themorelemma. a6 , the two curves Eo,a6 and Ey,a6 are twists of each otherForanda given their value ordersofsatisfy the relation D

#Eo,a6 (IFq) + #Ey ,a6 (IFq) = 2 q + 2.

This is verified by inspecting the proof of Lemma 111. 4 : each value of X E IF; contributes two points to exactly one of the curves, for a total of 2q - 2 points.

IIl.4. THE DIVISION POLYNOMIALS

39

Incounted addition, thein points (0, .Ja5) and 0 are common to both curves and are twice the sum, bringing the total up to 2q + 2. Similarly to over the case of odd characteristic, the curves Eo,a6 and Ey,a6 are non-isomorphic IFq, but are isomorphic over IFq2 , as Trq2 2 ( ) = 0 for all / E IFq. 111.4. The Division Polynomials The division polynomials are of fundamental importance in Schoof' s finite algo­ rithm for computing the number of points on an elliptic curve over a field, the subject ofof Chapter VII.properties. In this section we define theseofpolynomials and discuss some their basic References for much the follow­ ing general are [147]caseandfollow [72]. [The specific formulae for the division polynomials in the 8 1] and [ 8 5]. From111.2, inspection of that the algebraic expressions forsumthePgroup lawtwogiven in Section it is clear the coordinates of the + P of points 1 2 onrepeated the curve are rational functions of the coordinates of P1 and P2 . By map application of the formulae, it follows that the multiplication-by-m (x, y) H [m] (x, y) be expressed in terms wecanhave the following result.of rational functions in x and y. More specifically, 111.5. Let E be an elliptic curve defined over a field K, and let m be a positive integer. There exist polynomials 1/Jm , Om , Wm E K[x, y] such that, for P = (x, y) E E(K) such that [m]P =f. 0, we have (111. 9 ) [mJ P = ( 1/JmOm((xx,, yy)) 2 1/JmWm((xx,,y)y)3 ) . The polynomial 1/Jm (x, y) is called the m th division polynomial of the curve E. As will be shown below, the sequences Om and Wm can be expressed in termsWeofnowthe present sequenceexplicit 1/Jm · (recursive) formulae for the polynomials 1/Jm , ()m and WmK ·given Consider the general Weierstrass equation E of the elliptic curve over in Equation (111.3) , and the constants derived from the curve given in Equations (III.4). The mth division polynomial 1/Jm (x, y), mparameters � 0, is defined by the following recursion, in which we suppress the vari­ ables: 1/Jo = 0, 1/J1 = 1 , 1/J2 = 2y + aix + a3 , 4 = 3x + b2x3 + 3b4x22 + 3b5x + bs, 1/ J 3 1/J4 = (2x6 + b2 x 5 + 5b4x 4 + l 0b5x3 + 1 0bsx + (b2 bs - b4 b6 )x + b4 bs - bn 1/J2 , 1/J2m+ i = 1/Jm+21/J!i - 1/Jm- 11/J!i+l , m � 2, 1

LEMMA

'

r

40

III. ARITHMETIC ON AN ELLIPTIC CURVE

and

( 1/Jm+21/J�- l - 1/Jm-21/J�+l ) 1/Jm 1/J2

, m 2. Itiscandivisible be shown, by Therefore, induction, that, mthe�numerator in the expression forby i. by 1, is a polynomial divisible m m 1/J 1/J2 1/J2 'lj;2 . Since the division polynomials will always be evaluated at points on the curve, the computation of 1/Jm can be carried out modulo the equation of the curve. In particular, wewillcanbeassume thatassumed the degreein the of 1/Jsequel m in y never exceeds one. This reduction implicitly when dealing with the polynomials 1/Jm · With the 1/Jm computed according to the above recursion, the polynomials Om are given by ()m = x'lj;� - 1/Jm- 11/Jm+ i , m � 1, and, when char(K) -=/=- 2, the polynomials Wm are defined by 21/JmWm = 1/J2m - (a 1 0m + a3 1/J� ) 1/J� , m � 1. With the, Lemma given recursion for thedirectly polynomials 1/Jm , and the formulae for Om and 111. 5 follows from the formulae for the group law, Wm and somerequire symbolic manipulation dexterity. InThisthe case case will of characteristic two,for the a slightly different treatment. be addressed, Wm non-supersingular curves, in Section 111. 4 . 2 . Expressions for the supersingular caseWhen can beKfound in [ 6 4]. is the finite field IFq , E(K) is a torsion group, that is, every point P on the curve E has finite order. For a non-negative integer m, the set of m-torsion points of E, denoted by E[m], is defined by E[m] = { P E E(K) I [m]P = O }. Itin isK-rational readily verified thatin E[E[mm],] iswea subgroup of E(K). When wemare] =interested points will use the notation E(K)[ E(K) E[m]. Thus, E(K)[m] as= E[themsubgroup ]. Clearly,relation. E(K)[m] E[m] E(K), where inclusion is interpreted By definition, E E[m-torsion m] for allpoints m. The mthas division polynomial 1/Jm characterizes the other on E, stated in the following theorem. 111. 6 . Let P be a point in E(K) \ { O}, and let m � 1. Then, P E E[m] if and only if 1/Jm (P) = 0. It turns out that the characterization of m-torsion points can be achieved with univariate polynomials derived from the bivariate 1/Jm · Define m odd, fm = { 1/Jm /, , m even. m 1/J 1/J2 Bypolynomial observing'lj; ,that y enters into the recursion for the 1/Jm only through the 2 and that 1/Ji mod E does not depend on y, it is readily verified 1/J2m =

0

T HEOREM

>

n

IIl.4. THE DIVISION POLYNOMIALS

41

that fm is a polynomial that depends only on x. The degree offm is at most (arem2 exact - 1)/2 if m is odd, and at most (m2 - 4)/ 2 if m is even (the degrees not divide odd, or m/2f for· m even). Theorem 111.if 6char(K) can nowdoesbe recast in termsm forof them polynomials m 111.7. Let P (x, y) be a point in E(K)-{0}, such that [2] P =f. 0, and let m � 2. Then, P E E[m] if and only if fm (x) 0. Corollary excludesout2-torsion points. These pointsmsatisfy 1fJ2 (P) 0, the Let partF(x) that 111.was4x73divided of when is even. to obtain f m 1/J m +b2x 2 +2b4 x+b6 . The polynomials fm satisfy the following recursion, where variables are again omitted, and 1/J2 , 'lj;3 and 'lj;4 are as defined before: m odd, m � 3, m even, m � 2, m 2. Our interest this book will involve the twoto cases char(K) and char(K) 2. Theinabove discussion is specialized these two cases, in3turn. 111. 4 .1. Characteristic 3. For this case the curve equation can be assumed in the form C OROLLARY

=

=

=

=

>

>

=

p >

Y2 = X 3 + aX + b, a, b E IFP , 1/Jm a, a6 = b, b2 = b4 = 2a, b6 = 4b,

and so, in the above formulae for the0, polynomials andandfm'b we have a1 2 . The a2 a3 0, a4 -a 8 recursion for 1/Jm then simplifies to 0, 1/Jo =

=

=

1/J1 1/J2 1/J3 1/J4 1/J2m+ i 1/J2m

=

=

1, 2y, 3x4 + 6ax2 + 12bx - a2 , 4y(x6 + 5ax4 + 20bx3 - 5a2x 2 - 4abx - 8b2 - a3 ), 1/Jm+21/J!i - 1/Jm- 11/J!i+l , m (1/Jm+2 1/J�- l - 1/Jm-21/J�+1 ) 1/Jm /2y, m > m P = (x, y) E E(K) \ E [m] ,

� 2,

integer � 2, and a point takesFortheanform [ml p =

(x

_

2.

Lemma 111. 5

)

1/Jm- 11/Jm+ i ' 1/Jm+2 1/J�- l - 1/Jm- 21/J�+l ' n/,2 4Yn/,3 'f/m 'f/m

where 1/Jm 1/Jm (x, y). This formula is easily cast in terms of the univariate polynomials fm ' by noting that for the particular form of the curve equation =

42

III. ARITHMETIC ON AN ELLIPTIC CURVE

under we have 1/Jm = 2y fm when m is even, 1/Jm = fm when m4(xis3 +odd.consideration, The recursions for the fm are as in the general case, with F(x) = ax + b) (which is equal to 4y 2 modulo the curve equation). 111.4.2. Characteristic two. We consider only non-supersingular curves, defined by equations of the form Y2 + XY = X 3 + a2 X 2 + a5 .

Thus, we have a 1 = 1, a3 = a4 = 0, and consequently b2 = 1, b4 = b6 = 0, b8 = a6 . The recursion for the polynomials 1/Jm simplifies to 0, 1/Jo 1, 1/J1 1/J2 1/J3 1/J4 1/J2m+l 1/J2m

x, x 4 + x 3 + a5 , x 6 + a6 x 2 ' 2, 1/Jm+21/J!i + 1/Jm- 11/J!i+l , (1/Jm+21/J�- l + 1/Jm-21/J�+l ) 'l/Jm /X ,

m� m > 3. We observe that, with this recursion, all the 1/Jm are polynomials in x only. We shall emphasize this fact[m]bythendefining, formulae for the mapping take2 thein this formcase, fm (x) = 1/Jm (x, y). The [mJ P = (x + fm-1ifm2 m+i , x + y + (x + X + y)fm- ifx!mm3fm+i + fm-2 f:/n+l ) , fordefined m �in 2theandgeneral pointscaseP =satisfy, (x, y) E E(K) \ E[m]. The polynomials fm in this case, xfm = fm when m is even, fm = fm otherwise. In fact, in our description of point counting algorithms in ChapterbyVII,defining we shallf =usef mostly them inpolynomials fm , a notation which is extended for all the odd characteristic case. m m Formally, theofpolynomials 1/Jm are called the division polynomials. How­ ever, in the cases interest here, the similar role of the univariate polynomials fm will justify our referring to these also as division polynomials. 111.5. The Weil Pairing Let E denote anIt elliptic curve overthatathere field areK, with ] its group ofcasem­ 2 suchE[mpoints torsion points. can be shown m in the gcd(m,p) =group 1, where is the characteristic of the field. structureresult:of the m-torsion of anpelliptic curve is determined by theThefollowing m E Z>O 111. · 8 . Let E be an elliptic curve over K and let char(K) = p and If p = 0 or p does not divide m then E[m] ,...., (Z/mZ) (Z/mZ). LEMMA

x

III.5. THE WEIL PAIRING

43

0 the m-torsion ellipticby curve overAnother a finite important field, whichfactwillabout be required in a laterstructure chapter,ofisangiven 111. 9 ([8]). Let E denote an elliptic curve over IFq , and suppose that mnotisequal a prime which divides #E(IFq ) but which does not divide q - 1 and is to the characteristic of IFq . Then E(IFqk) contains the m2 points of order m if and only if m divides qk - 1. now let m0. ETheZ>-2Weildenote an integer, coprime to the characteristic of K ifWechar(K) pairing [ 1 47] is a function E[m] E[m] -----+ µm, where µm is the group of mth roots of unity in K, which occurs throughout the theory of elliptic curves. We can define the Weil pairing as follows. Let S, T E E[m] and choose a function g on E whose divisor satisfies div(g) REE[Lm] (T' + R) - (R) , with T' E E (K) such that [m] T' T. Then E[m] E[m] -----+ • If p > then

LEMMA

>

X

=

=

x

em: {

(S, T)

f----+

g (X + S) g (X)

forX +anyS . point ) for which g is both defined and non-zero at X and It canXthenE Ebe(Kshown that the following holds. 111. 1 0. The Weil pairing is a bilinear, alternating, non-degenerate pairing which is Galois equivariant. In other words, LEMMA

em(S1 + S2 , T) em (S, Ti + T2 ) em (S, T) em (S, T) em (Su, Tu)

em (S1 , T)em(S2 , T) , em (S, Ti )em (S, T2 ) , em (T, S) - 1 , for all S if and only em (S, Tt for all CJ

1 if T 0, E Gal(K/K). There We is another definition of the Weil pairing which makes it easier to compute. let P and Q denote two elements of E[m] and let A, B denote divisors of degree zero such that A and B have disjoint support and A rv (P) - (0), B rv (Q) - (0). InT =J.practice we choose points T, U E E such that P + T =J. U, P + T =J. Q + U, U and T =J. Q + U. We then see that A (P + T) - (T) and B (Q + U) - (U) satisfy our requirements. =

=

=

44

III. ARITHMETIC ON AN ELLIPTIC CURVE

then let fATheandWeilfB denote whose bydivisors are mA and mBWerespectively. pairingtwocan functions then be defined em(P, Q) = fA (B) j fB (A), which, owing to our choice of A and B, becomes (Q + U) fB (T) em (p Q) = ffA (U) A JB (P + T) " Soof Miller all thatwhich remains is to compute fA and fB . This can be done by a method is explained in [97] and [are98].non-zero One hasattothebe careful thatpoints, the functions one produces are defined and relevant but by careful choice of T and U this can be accomplished with no problem. 111.6. Isogenies, Endomorphisms and Torsion Let E and E be elliptic curves defined over a field K, with respective func­ 1 2 tion fields K(E1 )atandeveryK(Epoint from E1 to Emorphism, is a rational map 2 2 ). Aofmorphism which is regular E . A non-constant ¢, which 1the identity element on E2 is called an maps the identity element on E to 1 zsogeny, ¢ : E1 -----+ E2 . The map which sends every point on E to on E is also called an isogeny. 1 2 Itroleis thein thezerotheory isogeny,of and is thecurves. only constant isogeny.weIsogenies playthea crucial elliptic In this section summarize main resultsSuppose that will betherequired later. that isogeny ¢ is non-constant, i. e . ¢(E ) =J. { O}. Then, ¢ 1 induces an injection of function fields which fixes K, -----+ K(E1 ) ¢* . { K(Ef 2 ) f---+ f ¢. We say that the isogeny is separable, inseparable or purely inseparable if the corresponding extension of function fields, K(Ewe1 ) /define ¢* K(Eits2 ) degree is separable, inseparable or purely inseparable. If ¢ is constant to be zero, otherwise we define its degree by deg¢ = [K (E1 ) : ¢* K(E2)]. Everyis non-constant isogeny ¢ is surjectiveandovertheK,kernel that isof¢(Ea non-constant 1 ) = E2 . An isogeny always a group homomorphism, isogenyn¢ ofis always a finiteisogeny subgroup¢ isofequal E1 (K),to usually denoted by E[¢map ]. Theof degree a separable its degree as a finite curvesTheandsimplest is henceexample equal toof thea separable size of Eisogeny [¢] . is the multiplication-by-m map, [mdefined ], fromovera curve to itself.the Ifsimplest K is a finite fieldofIFqa andpurelyE isinseparable an elliptic curve K, then example isogeny is the Frobenius endomorphism If E is an elliptic curve over IFq '

0

.

0

rp.

IIl.6. ISOGENIES, ENDOMORPHISMS AND TORSION

45

with then they the isogenies [1], [Nwhen + 1] and are identical as maps onclosure E(NIFqof)points However, are all different considered over the algebraic IFq . Some basic facts about isogenies are 111.11 (Theorem 11. 66 of [60]). Let E denote an elliptic curve de­ fined over a field K and let S denote a finite subgroup of E which is Galois stable over K. Then there exist an elliptic curve E', also defined over K, and a unique separable isogeny cf> : E -----+ E' with kernel equal to S. When K IFq , the subgroup S in Theorem 111.11 is Galois stable if and only if itEis/Sclosed the Frobenius map. Also,thattheis, notation is oftenunder used thefor theoperation curve E'ofdescribed in the theorem, cf> : E -----+ EIS. This notation isobvious obviousfactfromthata the group-theoretic pointE/Sofcorresponds view, but ittoalso conveys the less quotient group the groupTo ofevery pointsnon-constant of an ellipticisogeny, curve.¢, there is a unique dual isogeny cf> : E2 -----+ E1 suchA that (/> cf> is equal to multiplication by n, where n deg(cf>) , on E1 and is multiplication by n on E2 . The existence of the dual isogeny implies cf>thatcf>being We then haveisogenous is an equivalence relation on the set of all elliptic curves. 111. 1 2 (Lemma 15. 1 of [ 2 5]). Two isogenous abelian varieties (and hence two isogenous elliptic curves) over a finite field have the same number rp

·

T HEOREM

=

o

o

=

LEMMA

of rational points.

111. 1 3 (Lemma 8. 4 of [25]).

cf> : E

E'

Suppose -----+ is a separable isogeny defined over K, whose kernel has exponent d, with d coprime to the characteristic of K. Assume that the elements of the kernel of and all the dth roots of unity are defined over K. Then all the elements in are also defined over K and there is a natural non-degenerate pairing x -----+ µd (K) . e

] When the isogeny in the previous lemma is equal to the multiplication-by­ mis sometimes map the pairing is totheasWeil pairing mentioned earlier. The above pairing referred the ¢-Weil pairing. Thea ring. set ofThis all isogenies from a curve to itself, together with the zero map, form is the ring of endomorphisms of E, denoted by End(E). Clearly End(E)fromcontains aofsubring isomorphic as multiplication bythem 2 . There toareZ,three isstructure an isogeny E to E degree m possibilities for of the ring End(E) (see [147, Section 111. 9]). 1. End(E) Z; this does not occur for elliptic curves over a finite field. =

III. ARITHMETIC ON AN ELLIPTIC CURVE

46

End(E)curvesis anareorder in ordinary. an imaginary quadratic field. Over finite fields such called 3. End(E) is the maximal order in a quarternion algebra. Over finite fields such curves are called supersingular but over fields of characteristic zero this case does not occur. Recallonlythatif a curve, E, is supersingular over a field, IFq , of characteristic if and =� 25 orand3 theandtrace j (E) of= Frobenius 0. satisfies t = 0. Inthealltracecharacteristics we have that E is supersingular if and only if divides the curve hastoanpossess endomorphism ring which is strictly largerNowthanletof Frobenius. Z,l bethena prime theIfcurve is said complex multiplication (CM). fromfixedthevalue characteristic of K and consider n],different the l-power torsion, E[ l for some of n. The group E[l n ] can nz)-module clearly be considered as a (Z/l of rank two. The absolute Galois n group, G = Gal(K / K), acts on E[ l ] as a linear map. So we obtain a Galois representation: : G -----+ Aut(E[l n ]) GL2 (Z/l n z). We torsion at once by taking the Tate module (see can[147])also consider all l-power T1(E) = lim E[ln]. This isuseda rank two Z1-module, where Z1 iswiththethel-adicinverse integers. The inverse limit to produce T is ' c ompatible' limit used to de­ 1 will factor through fine absolute group Galoisofgroup G, in the sense that arepresentation: finitethe quotient G. Hence, we obtain a continuous l-adic Galois : G -----+ Aut(T1(E)) GL2 (Z1). If K = Q then sitting inside G are special elements, for each prime called thegenerate Frobeniusthe elements. These aredecomposition defined up to conjugation andinertia their images quotient of their group by the group, DP/IP =(J Gal( IFp/IFcurve p )· Weis non-singular then look atover the IFimage under p1 ofp1((}p) a Frobe­ nius element, , if the . The element is a P P matrixtracewhose characteristic defined and independent of l. The of p((}p) we denotepolynomial by tp and isisthewelltrace of Frobenius at the prime If K = IF then G is generated by the Frobenius element (}q · The element q pindependent polynomial is well defined and 1 ((}p) is alsoofa l.matrix Its tracewhoseis thecharacteristic trace of Frobenius, t, mentioned earlier. III. 7. Various Functions and q-Expansions Itdifferential is a standard fact [ 1 47], used in complex analysis, the theory of partial equations and number theory, that an elliptic curve over defines 2.

p

p p

p

Pl,n

c

+-

Pl,n

Pl

c

p,

p.

C

111.7.

VARIOUS FUNCTIONS AND q-EXPANSIONS

47

a lattice inwhere C (andw , whenceE Caaretorus). The oflattice will be denoted A the periods the associated, doubly byperiodic

Zw 1 +Zw2 ,

1 2

Weierstrass SJ-function

SJ(z) = :2 + L ( (z � w) 2 - �2 ) ThisThefunction the differential Equation (111.1). periods,satisfies w 1 and w2 , can be suitably chosen so that the quantity T = W-W21 lies in the upper half of the complex plane, 1l = {z E C : Im(z) O}. The map by from C (modulo A) to points on the corresponding elliptic curve is given C/A -----+ E z + A f------+ { 0,( (SJ'(z) - ai xA - a3 )/2 ) , zz Eti. A.A, where SJ(z) -ofbthe 2 /1 2 . The codomain of this map corresponds to the long Weierstrass= form curve. The special case z + A H (SJ(z), SJ1/2) , z tj. A, corresponds to the short form Y 3 = X 3 + aX + b. The coefficients of the short form are obtained with the 1formulae 1 g3 = 140 z= 92 = 60 z= W W and a = -gof2 fthe.if4_,curve b = -g3 . The inverse correspondence, leading from the coefficients to the periods w 1 and w2 , can also be computed (see, for instance, [29]).number T E characterizes elliptic curves up to isomor­ The complex phism, i.Ae.=ifZwT =+ wZwi fwand 2 = wUw�, then the elliptic curves derived from the lattices 1 2 A' = Zw� + Zw� are isomorphic. An elliptic curve over C associatedof theto Tcurve in thisas awayfunction is denoted the j-invariant on 1l byandE7.writeWe can also consider w EA\ O

>

XA ,

XA

w EA\{O }

4,

w EA\{O }

6,

F

which is well defined due to the invariance of j(E7) under curve isomorphisms. What function j (T) so[147].exciting is that it is one of the simplest examplesmakesof athis modular function 111. 1 4. For any matrix A = ( � � ) E SL2 (Z) LEMMA

III. ARITHMETIC ON AN ELLIPTIC CURVE

48

we have

j (�;:�) = j(T). Also, j ( T) is periodic of period one, and has the Fourier series j(T) = -q1 + 744 + nL>l Cnqn , where q = e 27riT , and the Cn are positive integers. Here, SL2 (Z) is the special linear group of 2 2 matrices over the inte­ gers, of determinant 1. Any complex number T* is equivalent to a T, under SL2 (Z) transformations, which lies in the standard fundamental region for such transformations, = {T E C : Im(T) 0, -1/2 :::; Re(T) 1/2, I T I � 1}. by Lemma 111.14, when considering En we can assume that T is inTherefore, Weinnow present various functions and series which are defined via expan­ sions the variable q = e27riT and are related to the j-invariant above. We shall them use these in various in the book, it is convenient to have definedfunctions in a single place. places For example, we canso define �(T) = q nII=l (1 - qn) 24 ' where, again, q = e27riT . It can be shown that this series may be written as 24 2 2 1 n n n 3n+l 3n ) �(T) = q ( l + nZ::>l (- l ) (q ( - ) / + q ( ) / ) , (111.10) Also, expected, theof thepowercurveseriesdefined satisfies �(T)in =the�(E7), whereThethefunction latter is�(T)the isasdiscriminant earlier chapter. also related to j(T) using the formulae �(27) (T) = (256h (T) + 1) 3 h ( T) = �(T) h (T ) The coefficients Tn of �(T) in Equation (111. 1 0) define a function, n H Tn , called the Ramanujan This is a very interesting number-theoretic function which has theT-function. following properties: 111.15. The following all hold for the function Tn : x

F

>

l

(

)

The Dedekind TJ-function satisfies the following identities: TJ (T + 1) = e27ri/24 TJ (T), TJ (-1/T) = v'=lTTJ (T) where therealbranch inWethewillcomplex square root function isEisenstein taken to series, be on thefor positive axis. also require the following k = 0, 1, 2, ... : k E2k (T) = 1 - ; L 0"2k- 1 (n)qn , 2k n>l O"i (n)

where Bi represents the ith Bernoulli number and ample we have n '"°' nq , 1 - 24 L...J n=l 1 - qn '""' 1n-3qqnn ' 1 + 240 L...J n=l 5n 1 - 504 z= 1n-qqn . n=l These are related to � (T) by Jacobi's formula oo

00

00

2 3 � (T) = E4 (T) - E5 (T) 1728

and to the function j (T) by

=

L:dl n di .

For ex­

III. ARITHMETIC ON AN ELLIPTIC CURVE

50

111.8. Modular Polynomials and Variants

Modular polynomials play a significant role in the improvements by Atkin andwellElkies toother Schoof'mores point counting algorithm considered in Chapter VII, asare as in recent variants. The properties of these polynomials reviewed here ( without proof) drawing from the references [148] , [142] andThe[85]correspondence . between lattices Zw1 + Zw2 , w1 , w2 E C, and elliptic curves over C was noted in the previous section, as was the invariance of j ( T) under transformations of the form T1 = (aT + b) / ( T + d) , where C

More generally, for a matrix a=

define

( � � ) E SL2 (Z) .

( � � ) E GL2 (1R) , det a 0, . aT + b J O O: ( T ) = J ( ). CT + d ( )

>

.

This is the j-invariant of the elliptic curve C/(Z + ZT') with T1 (aT + b) j (cT + d) . For a positive integer n, define D� = { ( � � ) : a, b, c, d E Z, ad - be = n, gcd ( a, b, c, d) = 1 } , and S� = { ( � � ) E D� : d 0, 0 b d } It can be shown that 1 # S� = n II (1 + -) whereNotice the product is overn =primes dividingwen. have #S£ = £ + 1. This case that when £, a prime, will be of special interest in the study of isogenies, andintheir application in the context of the point counting algorithms described Chapter VII. The following lemma establishes a connection between the matrices S� , and the j­ invariants of images of isogenies of degree n from a given curve. It is adapted from a problem in [148] . 111. 1 6. Let E1 and E2 be two elliptic curves over C, with j -invariants j (E ) = j (T) and j (E ), respectively, and let n be a positive integer. Then, :::;

>

pi n

p

LEMMA

1

2

a E S� ,

p >

TABLE

IV. 1.2. Fields of characteristic two. Affine coordinates.

Chapter III the formulae for point addition on a curve

Recall from

with a2 , a6 E IFq , = 2 n , a5 -=/=- 0. Let Pi = (x i , Yi ) and P2 = (x 2 , Y2 ) be points in E(IF ) given in affine coordinates, where some convention is used q topointrepresent (inthethiscurve). case, (0,Assume 0) can Pbe, Pused# for that purpose since such a is never on and Pi # -P2 . The sum i 2 P = (x , y ) = Pi + P is computed as follows. q

0

3

3 3

2

0,

IV. 1 . POINT ADDITION

If P1 =/. P2 , A X3 Y3

If P1 = P2 , A X3 Y3

61

Y1 + Y2 X 1 + X2 A 2 + A + x 1 + x 2 + a2 , (x 1 + x 3 )A + X 3 + Yi · '

Y1 + x , 1 X1 A 2 + A + a2 ,

(x 1 + x 3 )A + X 3 + Yi ·

Inplications, either case, the computation requires one field inversion, two field multi­ andofonea squaring squaring,operation, or 11 + 2M + l S . In the case of characteristic two, the cost denoted by S , is much lower than that ofin afact,general multiplication. Therefore, squarings are counted separately, and we will later on neglect their cost completely. Projective coordinates. As in the case of characteristic 3, we will use weighted projective coordinates, where a projective point (X, Y, Z) , Z =f. 0, maps to the affine point (X/Z2 , Y/Z3 ) . This corresponds to using a weighted projective curve equation of the form Y2 + XYZ = X 3 + a2 X 2 Z2 + a6 Z6 . Conversion from projective to affine coordinates costs, in this case, 11 + 3M + l S . The computation sequences for point addition in this representa­ tion are[P 1363] presented in Figures IV. 3 and IV.4. They are adapted, as before, from . The total cost for general point addition is 15M + 5S . This is reduced toclasses 14M + 4 S when a2 = 0, which accounts for one of the two isomorphism of non-supersingular elliptic curves over IF2n . The mixed-addition case where Z1 = 1 costs, in the case of characteristic two, llM + 4S (lOM + 3 S whenAsain2 =the0).odd characteristic case, the condition P = ±P is equivalent to 1 2 A 3 = 0, then P1 = P2 is equivalent to A 6 = 0. The detection of the conditions P1 = ±P2 is similar to the odd characteristic case. The point doubling routine is shown in Figure IV.4, where the field element d6 is defined as d6 = � = 2 ar • The point doubling computation costs 5M + 5 S . Notice that, since squaring is much faster than general multiplication in characteristic two, point doublingaddition. in projective coordinateswith is close to threecase,times asboth fast operations as general point This is contrasted the affine where are The of about the same arithmetic complexity.and doubling in characteristic two different costs for point addition are summarized in Table IV. 2 . p >

62

IV. EFFICIENT IMPLEMENTATION OF ELLIPTIC CURVES

IV . 3 . Point addition in projective coordinates, char­ acteristic 2. FIGURE

X1 Zi X2 Zi A i + A2 Y1 Z� Y2 Zf A4 + A5 Z1 A 3 A5X2 + A 7 Y2 A 7 Z2 A 6 + Z3 a2 Zi + A5A 9 + A� A 9 X3 + A s A¥

lM + l S lM + l S 2M 2M lM 2M lM 3M + 2S 2M + 1S 15M + 5S

acteristicIV2. .4. Point doubling in projective coordinates, char­ FIGURE

Z3 X3 A Y3

X1 Zi (X1 + d5Zf ) 4 Z3 + Xi + Y1 Z1 xtz3 + AX3

lM + l S 1M + 2S lM + l S 2M + 1S 5M + 5 S

IV . 2 . Cost of point addition, characteristic 2 . Operation Coordinates affine mixed projective General addition (a2 =J. 0) 11 + 2M + l S llM + 4S 15M + 5S + l S lOM + 3S 14M + 4S General addition (a2 = 0) 1111 ++ 2M Doubling 2M + l S n/a 5M + 5S TABLE

IV.2. Point Multiplication

Point multiplication in elliptic curvesAsissuch, a special case offrom the general problem of exponentiation in abelian groups. it benefits all the techniques available forfor integers. the generalTheproblem, and the asrelated shortest addition chain problem latter is defined follows. Let k be a positive integer (the input). Starting from the integer 1 , and computing at each step

IV. 2 . POINT MULTIPLICATION

63

sum k?of two previous results, what is the least number of steps required tothereach Efficient algorithms for group exponentiation have received much atten­ tion by researchers in recent years, owing to their central role in public key cryptography (see Chapter I).andThehistorical interestaccount in the ofproblem, however,andis the an­ cient. An excellent technical exponentiation additionto 200chainBC.problem is givenbybyGordon Knuth[4[68]1,describes Ch. 4], whovarious tracesfastthemethods, problem back The survey including some specialized to elliptic curve groups. Various techniques and algorithms for exponentiation in the context of cryptography are described, in fairly compact butmethods detailed ofalgorithmic form,canin [be99].used to compute point Although general exponentiation multiplication, certain idiosyncrasies of faster the elliptic curve version of the prob­ lem can be taken into account to obtain algorithms. First, elliptic curve subtraction has canvirtually the sametocost as addition, so the search space for fast algorithms be expanded include addition-subtraction chains and signed representations, which are discussed in Sections IV. 2 . 4-IV. 2 . 5 . Second, inand tuning-up algorithms, the relative complexities of general point addition pointdepends doublingonhave to be considered. Asused,we and saw onin Section IV.1,com­ this relation the coordinate system the relative plexitiescurves, of fieldspecific inversionshortcuts and multiplication. Third, forsignificantly certain families of elliptic are available that can reduce the computational cost of pointis discussed multiplication. An example of such a family andFor the theassociated shortcuts in Section IV. 3 . sake ofofconcreteness, whenwillanalysing computational complexity incharacteristic the remainder the section, we focus on the case of finite fields of two. Also, for simplicity, we will neglect the cost of squarings infieldsthesewithfields.onlyTheminormainadjustments. ideas and the analysis, however, carry to other finite IV.2.1. The binary method. The simplest (and oldest) efficient method for point multiplication relies on the binary expansion of k. IV Point Multiplication: Binary Method. INPUT : A po int P, an £-bit integer k = �j:6 kj2j , kj E {O, 1}. OUTPUT : Q = [k ]P. 1 . Q+-- 0. 2 . For j = £- l to 0 by - l do : Q+-[ 2 ]Q, 3. If kj = 1 then Q +--Q + P. 4. 5 . Return Q. ALG ORITHM

.1:

64

IV. EFFICIENT IMPLEMENTATION OF ELLIPTIC CURVES

The binary involving method requires £-1counted), point doublings andis the -1length pointandadditions (operations 0 are not where £ the weight (number=of£/2,ones)thatoftypically the binary£ expansion of k. Assuming that theon the average n, and neglecting 0(1) terms, number of fieldrepresentation. operations is 1.5nl + 3nM in affine representation, oraverage lOnM in projective We assume that P is given initially in affine (we alsorepresentation, assume a2 = so0) .Step 4 above involves a mixed addition costing lOM IV.2.2. The m-ary method. This method uses the m-ary expansion of k, where m = 2 r for some integer r � 1. The binary method is a special case corresponding to r = 1. IV.2: Point Multiplication: m-ary Method. INPUT : A po int P, an integer k = �j:6 kj mi , kj E {O, 1, . . . , m - 1}. OUTPUT : Q = [k] P . Precomputation. 1 . P1 +-- P . 2 . For i = 2 to m - 1 do Pi +-- Pi-l + P . (We have Pi = [i ] P . ) 3 . Q +-- 0 . Main loop. 4 . For j = d-1 t o 0 by -1 do : 5. Q +-- [m]Q . (This requires r doublings . ) Q +-- Q + 6. 7 . Return Q. Itrulecan[6be1]: readily verified that the algorithm computes [k] P, following Homer's [m]( . . . [m] ( [m] ( [k£-1 ]P) + [k£-2 ]P) + ) + [k0]P = [k]P. Thefirstnumber of doublings in the main loopstartsof thewithm-ary method is (d-1d )r= (the iteration is not counted, as it Q = 0). Since f£/ rl , where £ is the length of the binary representation of k, the number of doublings in the m-ary method may be up to r-1 less than the £-1 required byin doublings, the binarythemethod. For typical parameters, this isbeing a rather modest gainof main gains over the binary method in the number general point additions. The savings: doublingsbyinsplitting the maintheloop, however, ofcan[m]Qbe exploited to obtain additional computation into twoThis stages,leadswetocananskipimprovement the even multiples of P method, in the precomputation phase. on the m-ary shown below. For thismethod. modification, we assume r 1, otherwise we revert to the original binary W

W

ALG ORITHM

pkj .

· ··

>

W

IV. 2 . POINT MULTIPLICATION

65

IV.3: Point Multiplication: Modified m-ary Method. INPUT : A po int P, an integer k = �1:6 kjmi , kj E {O, 1, . . . , m - 1} . OUTPUT : = [k] P . ALG ORITHM

Q

Precomputation.

1. 2. 3.

P1 +-- P , P2 +-- [2] P .

For i = l t o (m-2) /2 do P2i + i +-- P2i - 1 + P2 .

Q +-- 0 .

Main loop. 4 . For j = d-1 t o 0 by -1 If kj =J. 0 then do : 5.

do :

Let Sj , hj be such that kj 6. 7 Q f- [2T - Sj ] Q ' 8. Q +-- Q + phj . Else Sj +-- r . 9. 10. Q = [2 Sj ] Q . 11. Return Q .

= 2sj hj ,

hj odd .

Itblingis readily verified that the modified m-ary method requires one point dou­ 1 r and 2doublings -1 pointandadditions in the precomputation phase, and at most n-1 point d-1 point additions in the main loop (to simplify the analysis, we takeare aexpected pessimisticto beview,zeroandandignore thenofactadditions). that aboutIgnor­ one mth of the digits require ing integer constraints for the purpose of estimating complexity, and setting d = n/r, the total number of curve operations is estimated at n N(n, r) = n + - + 2 r -l - 2. (IV. 2) r The value of inr minimizing satisfies r = log2 n - (2 - o(l )) log2 log2 n. Substituting Equation (IV.N(n,2) r)yields n N(n, r) = n + (1 + o (l ) ) 1 -, og2 n which is asymptotically optimal for a generic addition chain method, due tocoordinates, a lower bound by Erdos [41] . This optimization is appropriate in affine where additions and doublings have ifsimilar costs. A slightly different optimization is required we use projective coordi­ nates. One possibility is to precompute the points P2 and P2i+l , 1 ::=; i ::=; ( m - 2) /2, in affine coordinates, and then run the main loop in projective coordinates, usingtotalmixed addition for multiplication the operation forQ +--theQ modified + Phj in Algo­ rithm IV. 3 . The cost of the point m-ary method is then estimated at n 2r - 1 (2M + I ) + 10(- - l )M + 5(n - l )M, r

66

IV. EFFICIENT IMPLEMENTATION OF ELLIPTIC CURVES

which can can be optimized with respect towhere r given the ratio I : M . A similar expression be derived for the case projective coordinates are used throughout. IV.2.3. Window methods. The m-ary scheme can be regarded as a special case of(windows) a window ofmethod, where bits of the multiplier k are processed in blocks length r. In the m-ary methods of the previous section, the windows m-ary are contiguous andAlgorithm in fixed bitIV. 3positions. Ainefficiency, closer scrutiny of the modified method in reveals an due to the fact that trailingat zeros are dropped fromiskjstill(to constrained obtain hj), butby thenewfixed bits are not appended the higher end, which digit boundary. Thus, higher values ofThis hi areinefficiency less likely,isandremedied the arrayin ofm-ary precomputed points P . is underutilized. h processes windows up to length r disregarding the following method, which fixed digit boundaries, and skips runs of zeros between them. These runs are point doublings, as we have seen, need to be computed intakenanycare case.ofAsby before, we assumewhich r 1. IV.4: Point Multiplication: Sliding Window Method. INPUT : A po int P, an integer k = l:j:6 kj2j , kj E {O, 1}. OUTPUT : Q = [k ]P. J

>

ALG ORITHM

Precomputation.

P1 +-- P , P2 +--2[r2-l_ ]P. l do P i i +-- P i 1 + P . 2+ 2- 2 j+-£ -1, Q+-0. Main loop. 4 . While j � 0 do : If kj = 0 then Q+-- [ 2]Q, j +-- j - 1 . 5. Else do : 6. Let t be the least integer such that 7. j(kjkj - t +1 1. .::=;. kth' r and kt = 1 , hj +-8. j-t+l- ]Q + 9. Q +-[ 2 10. j +-- t - 1 . 11. Return Q. 1. 2. 3.

For i = l to

phj '

Using sliding windows has an effect equivalent to using fixed windows one bit larger, butfor without increasing the 'precomputation cost. An intuitive explanation this effect is that the w hite space' of zeros between two consecutive sliding windows hasby anindependent expected length of aone,fairwhen weTherefore, assume that the bits of k are obtained tosses of coin. the total number of windows processed (and consequently, the number of

IV. 2 . POINT MULTIPLICATION

67

general additions in the This mainfactloop)is formally behaves like £/(rin+[71),1].as opposed to £/Ther forpoint the m-ary method. proven computational cost of the sliding window method is estimated at n (n + -- + 2 r -l - 2)(2M + I) r+l for affine coordinates, and 2r- 1 (2M + I) + (5n + 10 � r + l - 15)M for projective/mixed coordinates. IV.2.4. the Signed Digit representations. As mentioned, subtraction has virtually same cost as addition in the elliptic curve group. For the canoni­ calin characteristic curve equationstwo,of and interest, the group negative of a point (x, y) is (x, x+y) ( x , -y) in odd characteristic. This leads naturally tomaypointreducemultiplication methods based on addition-subtraction chains, which the number of curve operations. Consider integer representations of the form k = L:j=0 Sj2i , where Sj E 0, 1}. Weincludes call thisthea binary (binary)representation, signed digit (SD) representation. Clearly, {this-1,system integers k,£ 10 ::=; k ::=; £+1 -1, are included, along with their negatives. soButallthere + possible 2combinations, are 3 so represented the representation is orclearly redundant. For-1.example, the integer 3 can be as (011) (101) , where I = As it turns 2 for a sparsity 2 constraint that results out, this redundancy can be traded off insentation more efficient point multiplication algorithms. We say that an SD repre­ is sparse if it has no adjacent non-zero digits, i.e. SjSj+i = 0 for all j � 0. A sparse SD representation is also called a non-adjacent form (NAF). proofs of the[131];following literature, start­ ing Several with Reitwiesner see alsoresult [28],can[8 7,beCh.found10] inandthe[109]. IV.1. Every integer k has a unique NAF. The NAF has the lowest weight among all SD representations of k, and it is at most one digit longer LEMMA

than the shortest SD representation of k.

The following algorithm computes the NAF of a non-negative integer given inandbinary representation. Thein [131], description here follows [910]9]; other precursors variants can be found [ 9 3], [ 6 ], [ 8 7, Ch. and [ 5 6] (where the algorithm accepts general SD inputs). IV.5: Conversion to NAF. ALGORITHM

68

1. 2. 3. 4. 5.

IV. EFFICIENT IMPLEMENTATION OF ELLIPTIC CURVES

0. 0 £ Sj j

Co fFor j = to do : Cj +l +-- l (kj + kj +l + f- k + Cj - 2Cj +l . Return ( s£ S£- l · · · s o ) .

cj)/2J

(assume ki =

0 for i � £) ,

NAFsOlivos usuallyshowhaveinfewer non-zero digits than binary representations. Morain and [109] that the expected weight of an NAF of length £ is £/3. The resultwhich is alsohaveproved in [6] , where it(mis-extended to m-ary SD representations, an expected weight 1)£/(m + 1). The adaptationa subtraction of the binaryis method for inpointlieumultiplication towhenever NAFs is straightforward: performed of an addition a negative digit Sjcostis processed. Assuming an average NAF weight of n/3, the computation is �n(2M + I) for affine coordinates, and 2;nM for projective coordinates. Clearly, fixed window and sliding window methods can be implemented forr isNAFs. The maximum possible absolute value of a NAF window of size WT = � (2 T+l - 1) for r odd, and WT = � (2 T+l - 2) for r even, given bythe theprecomputation binary combinations (1010 . to. . 101) and (1010 . . . 010)points respectively. In step, we need compute and store of the form [i]P, for i = 2 and all odd values of i, 3 ::=; i ::=; WT (it is easily verified that WT has the same parity as r). Thus, the number of point operations in the precomputation step is � (2 T - ( - lY). To estimate the expected number ofconsider point additions in the main loop of an NAF sliding window scheme, we thethe binary sequence obtained byresults takingof the[109]absolute values of the digits in NAF. It follows from the and [6] that such a sequence can be modelled by a Markov chain with transition probabilities P(O I O) = P(l l O) = � ' P(O l l) = 1, P(l l l) = 0 where P(alb) denotes the prob­ ability a symbolinteger a immediately following a symbol b (we assume, asementary before,of observing that the original k is drawn with uniform probability). El­ analysis [42] of this transition matrix yields the expected length of a run of zeros between windows, which is given by a function 4 (-1y (IV. 3) v(r) = 3 - . T - 2 . 32 Therefore, the expected number of point operations in an NAF sliding window scheme is estimated at n+ 1 2 T - (-lY + ( IV. 4) n+ r + v (r ) 3 - 2. Ain similar scheme, which uses a non-sparse SD representation, is analysed [69] . The scheme produces SD representations of lower expected weights, but requires more precomputation, yielding what appears to be a slightly inferior trade off.

IV. 2 . POINT MULTIPLICATION

69

IV.2.5. Atradesigned m-ary sliding window method. A slightly better as­ ymptotic off can be obtained by using a signed m-ary scheme that is a extension of the sliding window method ofinSection IV. 2 . 3 . Although wenatural have found no reference to this specific scheme the literature, a sugges­ tion to combine m-ary and signed methods appears in the closing remarks of [109]. Indigitthissetmethod, we use a non-redundant signed m-ary representation, i. e . , our is B = {-2r - 1 +1, . . . , -1, 0, 1, . . . , 2r- l } with windows of size up to r. We decompose dthe positive multiplier k as -1 k = L bi 2ei , bi E B \ {O}, ei E Z2:o, (IV. 5) i=O where (IV. 6) Such a decomposition is obtained by the following algorithm, which operates on the binary representation of k. IV.6: Signed m-ary Window Decomposition ALGORITHM

.

INPUT : An integer k = l:j£ =O kj21, kj E {0, 1} , kl = 0 . OUTPUT : A sequence of pairs {(bi , e i)} f==-t . 1. d +-- 0 , j +-- 0 . 2 . While j ::=; do : If kj = 0 then j +-- j + 1 . 3. Else do : 4. t +-- {R j + r - 1} , hd +-- (ktkt- 1 · · · kj h · 5. If hd > 2r - l then do : 6. 7· bd +-- hd - 2r , increment the number (k£ k£- l · · · kt+ i h by 8. Else bd +-- hd . 9. 10. ed +-- j , d +-- d + 1 , j +-- t + 1 . 11. Return the sequence (b0 , e 0 ), (b 1 , e l ), . . . , (bd- 1 , ed- 1 ) .

£

min ,

1.

Noticeandthatas ittheprogresses, algorithmitscans themodify bits (ofinkStep from8)right ( least significant ) to left, may portions of the sequence { kj} that have not been processed yet. The correctness of the algorithm is verified inductively by assertingd the condition -1 £ k = z= bi 2ei + z= kj,2j' (IV. 7) j' =j i=O each time the loop condition in Step 2 is checked. Since the loop terminates with j £, the second term of the sum in Equation (IV. 7) vanishes, giving >

IV. EFFICIENT IMPLEMENTATION OF ELLIPTIC CURVES

70

the desiredbeing decomposition ofthek.condition The proofinisStepstraightforward, the7 subtracts only key2Hr ob­ servation that when 6 holds, Step from theholdsumin thisin Equation (IV.also 7) andthat,Stepby 8construction, adds it back,allsince t = j+r-1 must case. Notice bi produced are odd, and bdthe- l point must multiplication be positive whenalgorithm k 0. Once the sequence { (bi , e i ) } f�t is obtained, is a straightforward modification of the sliding window method. We assume r 1, and d � 1 (i.e . , k 0) . IV.7: Point Multiplication: Signed m-ary Windows. >

>

>

ALGORITHM

INPUT : A po int , P , and OUTPUT : Q = [k] P .

{(bi , ei )} f�t

such that k =

l:f�t bi 2ei .

Precomputation.

1. 2. 3.

P1 +-- P , P2 +-- [2] P . i = to 2r- 2 - l do P2i+i +-- P2i - l Q +-- Pbd - 1 ·

1

For

+ P2 .

Main loop.

4. 5. 6. 7. 8. 9.

-1 do : If bi 0 then Q +-- Q + Pbi , Else Q +-- Q - P_b

For i = d-2 to 0 by

Q +-- [2 ei+ 1 -ei ]Q . >

Q +-- [2 eo]Q . Return Q .

Using anIV.analysis similar to thattheof expected the unsigned slidingof general windowpoint schemeaddi­of Section 2 . 3 , we can estimate number tions in the main and loopuniform of Algorithm IV. 7 at of(n+l)/(r+l)-1. The assumption ofhere,independence distribution the bits kj is more questionable sinceathecertain modification of dependency. the sequence inHowever, Step 8 oftheAlgorithm IV.is6mini­ does introduce degree of deviation mal,much and the assumption, with respect to actual values usedsequence in practice, is not worse than the original assumption of the input kj being uniformly distributed. phase On theis other hand, the number of point operations inmethod. the precomputation 2r - 2 , i. e . , about a half that of the unsigned Thus, the expected total number of point operations is estimated at n+ l + 2r-2 - 2. n+ -( IV. 8 ) r+l Comparing this expression with the corresponding one for the NAF sliding window method in Equation (IV.4), we observe that the expression in Equa­ tion ( IV. 8 ) offers a trade off with more operations in the main loop (since v(r) 1), but fewer operations in the precomputation phase. To bring the >

IV. 2 . POINT MULTIPLICATION

71

trade offs to a common comparison basis, we define r ' so that 2r -2 = � 2r' , i.e. r' = r - (2 - log2 3). Then, Equation (IV.8)' can be rewritten as 1 + -2r - 2. n + r' + n3 +- log (IV. 9) 3 3 2 We conclude that theNAFsignedmethod m-arywhenever window method is asymptotically better than the windowed v (r ) 3 - log2 3 1. 4 15. This holds for all r 3, by the expression for v (r) in Equation (IV.3), which has v (r ) ---+ 4/3 as r ---+ oo. The margin of difference, however, is rather slim, and fortakenpractical values ofthentwoandschemes r, once integer constraints and 0(1) terms are into account, are very close in complexity. IV.2.6. Example. The following example illustrates the different consider­ ationsAssume and trade the choice[k]P,of awhere point multiplication algorithm. we needoffstoin compute k = 741155629426723268099912038573. binaryby expansion of k, which is one hundred bits long and has weight 53, The is given >