Montgomery curve

Montgomery curve

In mathematics the Montgomery curve is a form of elliptic curve, different from the usual representation (Weierstrass form). It has been introduced by Peter L.Montgomery in,[1] and it has been used since 1987 for certain computations, and in particular in different cryptography applications.

Contents

Definition

A Montgomery curve of equation 3y2 = x3 + 7x2 + x

A Montgomery curve over a field K is defined by the equation:

MA,B: By2 = x3 + Ax2 + x

for certain A,B \in K and with B(A^2-4)\neq 0.

Generally this curve is considered over a finite field K (for example over a finite field of q elements, K=\mathbb{F}_q) with characteristic different from 2 and with A\in K\backslash\{-2,2\}, B \in K\backslash\{0\} ; but they are also considered over the rationals with the same restrictions for A and B.

Montgomery arithmetic

It is possible to do some "operations" between the points of an elliptic curve: "adding" two points P,Q consists on finding a third one R such that R = P + Q; "doubling" a point consists on computing [2]P = P + P (For more information about operations see The group law) and below.

A point P = (x,y) on the elliptic curve in the Montgomery form By2 = x3 + Ax2 + x can be represented in Montgomery coordinates P = (X:Z), where P = (X:Z) are projective coordinates and x = X / Z for Z\ne 0.

Notice that this kind of representation for a point loses information: indeed, in this case, there is no distinction between the affine points (x,y) and (x, − y) because they are both given by the point (X:Z). However, with this representation it is possible to obtain multiples of points, that is, given P = (X:Z), to compute [n]P = (Xn:Zn).

Now, considering the two points Pn = [n]P = (Xn:Zn) and Pm = [m]P(Xm:Zm): their sum is given by the point Pm + n = Pm + Pn = (Xm + n:Zm + n) whose coordinates are:

Xm + n = Zmn((XmZm)(Xn + Zn) + (Xm + Zm)(XnZn))2

Zm + n = Xmn((XmZm)(Xn + Zn) − (Xm + Zm)(XnZn))2

If m = n, then the operation becomes a "doubling"; the coordinates of [2]Pn = Pn + Pn = P2n = (X2n:Z2n) are given by the following equations:

4XnZn = (Xn + Zn)2 − (XnZn)2

X2n = (Xn + Zn)2(XnZn)2

Z2n = (4XnZn)((XnZn)2 + ((A + 2) / 4)(4XnZn))

The first operation considered above (addition) has a time-cost of 3M+2S, where M denotes the multiplication between two general elements of the field on which the elliptic curve is defined, while S denotes squaring of a general element of the field.

The second operation (doubling) has a time-cost of 2M+2S+1D, where D denotes the multiplication of a general element by a constant; notice that the constant is (A + 2) / 4, so A can be chosen in order to have a small D.

Algorithm and example

The following algorithm represents a doubling of a point P1 = (X1:Z1) on an elliptic curve in the Montgomery form.

It is assumed that Z1 = 1. The cost of this implementation is 1M + 2S + 1*A + 3add + 1*4. Here M denotes the multiplications required, S indicates the squarings, and a refers to the multiplication by A.

XX_1 = X_1^2 \,
X_3 = (XX_1-1)^2 \,
Z_3 = 4X_1(XX_1+aX_1+1) \,

Example

Let P_1=(2,\sqrt{3}) be a point on the curve 2y2 = x3x2 + x. In coordinates (X1:Z1), with x1 = X1 / Z1, P1 = (2:1).

Then:

XX_1 = X_1^2 = 4 \,
X_3 = (XX_1-1)^2 = 9 \,
Z_3 = 4X_1(XX_1+aX_1+1) = 24 \,

The result is the point P3 = (X3:Z3) = (9:24), such that P3 = 2P1.

Addition

Given two points P1 = (x1,y1), P2 = (x2,y2) on the Montgomery curve MA,B in affine coordinates, the point P3 = P1 + P2 represents, geometrically the third point of intersection between MA,B and the line passing through P1 and P2. It is possible to find the coordinates (x3,y3) of P3, in the following way:

1) consider a generic line y=lx+m in the affine plane and let it pass through P1 and P2 (impose the condition), in this way, one obtains l=\frac{y_2-y_1}{x_2-x_1} and m=y_1-(\frac{y_2-y_1}{x_2-x_1})x_1;

2) intersect the line with the curve MA,B, substituting the y variable in the curve equation with y=lx+m; the following equation of third degree is obtained:

x3 + (ABl2)x2 + (1 − 2Blm)xm2 = 0.

As it has been observed before, this equation has three solutions that correspond to the x coordinates of P1, P2 and P3. In particular this equation can be re-written as:

(xx1)(xx2)(xx3) = 0

3) Comparing the coefficients of the two identical equations given above, in particular the coefficients of the terms of second degree, one gets:

x1x2x3 = ABl2.

So, x3 can be written in terms of x1, y1, x2, y2, as:

x_3 = B(\frac{y_2-y_1}{x_2-x_1})^2-A-x_1-x_2.

4) To find the y coordinate of the point P3 it is sufficient to substitute the value x3 in the line y=lx+m. Notice that this will not give the point P3 directly. Indeed, with this method one find the coordinates of the point R such that R+P_1+P_2=P_\infty, but if one needs the resulting point of the sum between P1 and P2, then it is necessary to observe that: R+P_1+P_2=P_\infty if and only if R = P1 + P2. So, given the point R, it is necessary to find -R, but this can be done easily by changing the sign to the y coordinate of R. In other words, it will be necessary to change the sign of the y coordinate obtained by substituting the value x3 in the equation of the line.

Resuming, the coordinates of the point P3 = (x3,y3), P3 = P1 + P2 are:

x_3 = \frac{B(y_2-y_1)^2}{(x_2-x_1)^2}-A-x_1-x_2

y_3 = \frac{(2x_1+x_2+A)(y_2-y_1)}{x_2-x_1}-\frac{B(y_2-y_1)^3}{(x_2-x_1)^3}-y_1

Doubling

Given a point P1 on the Montgomery curve MA,B, the point [2]P1 represents geometrically the third point of intersection between the curve and the line tangent to P1; so, to find the coordinates of the point P3 = 2P1 it is sufficient to follow the same method given in the addition formula; however, in this case, the line y=lx+m has to be tangent to the curve at P1, so, if MA,B:f(x,y) = 0 with

f(x,y) = x3 + Ax2 + xBy2,

then the value of l, which represents the slope of the line, is given by:

l=-\frac{\frac{\partial f}{\partial x}}{\frac{\partial f}{\partial y }}

by the implicit function theorem.

So l = \frac{3x_1^2 + 2Ax_1 + 1}{2By_1} and the coordinates of the point P3, P3 = 2P1 are:

x_3 = Bl^2-A-x_1-x_1 = \frac{B(3x_1^2+2Ax_1+1)^2}{(2By_1)^2}-A-x_1-x_1

y_3 = (2x_1+x_1+A)l-Bl^3-y_1 = \frac{(2x_1+x_1+A)(3{x_1}^2+2Ax_1+1)}{(2By_1)}-\frac{B(3{x_1}^2+2Ax_1+1)^3}{(2By_1)^3}-y_1.

Equivalence with twisted Edwards curves

Let K be a field with characteristic different from 2.

Let MA,B be an elliptic curve in the Montgomery form:

MA,B: Bv2 = u3 + Au2 + u

with A\in K\backslash\{-2,2\}, B \in K\backslash\{0\}

and let Ea,d be an elliptic curve in the twisted Edwards form:

E_{a,d}\  :\ ax^2 + y^2 = 1 + dx^2y^2, \,

with a,d\in K\backslash\{0\}, a\neq d.

The following theorem proved in,[2] shows the birational equivalence between Montgomery curves and an twisted Edwards curves:

Theorem (i) Every twisted Edwards curve is birationally equivalent to a Montgomery curve over K. In particular, the twisted Edwards curve Ea,d is birationally equivalent to the Montgomery curve MA,B where A = \frac{2(a+d)}{a-d}, and B = \frac{4}{a-d}.

The map:

\psi\,:\,E_{a,d} \rightarrow M_{A,B}
(x,y) \mapsto (u,v) = \left(\frac{1+y}{1-y},\frac{1+y}{(1-y)x}\right)

is a birational equivalence from Ea,d to MA,B, with inverse:

ψ − 1: M_{A,B} \rightarrow E_{a,d}
(u,v) \mapsto (x,y) = \left(\frac{u}{v},\frac{u-1}{u+1}\right)

Notice that this equivalence between the two curves is not valid everywhere: indeed the map ψ is not defined at the points v = 0 or u + 1 = 0 of the MA,B.

Equivalence with Weierstrass curves

Any elliptic curve can be written in Weierstrass form.

So, the elliptic curve in the Montogmery form

MA,B: By2 = x3 + Ax2 + x,

can be transformed in the following way: divide each term of the equation for MA,B by B3, and substitute the variables x and y, with u=\frac{x}{B} and v=\frac{y}{B} respectively, to get the equation

v^2 = u^3 + \frac{A}{B}u^2 + \frac{1}{B^2}u.

To obtain a short Weierstrass form from here, it is sufficient to replace u with the variable t-\frac{A}{3B}:

v^2 = \left(t-\frac{A}{3B}\right)^3 + \frac{A}{B}\left(t-\frac{A}{3B}\right)^2 + \frac{1}{B^2}\left(t-\frac{A}{3B}\right);

finally, this gives the equation:

v^2 = t^3 + \left(\frac{3-A^2}{3B^2}\right)t + \left(\frac{2A^3-9A}{27B^3}\right).

See also

  • Table of costs of operations in elliptic curves, information about the running-time required in a specific case

Notes

  1. ^ Peter L. Montgomery, Speeding the Pollard and Elliptic Curve Methods of Factorization, January 1987
  2. ^ Daniel J. Bernstein, Peter Birkner, Marc Joye, Tanja Lange and Christiane Peters, Twisted Edwards Curves

References

External links


Wikimedia Foundation. 2010.

Игры ⚽ Нужно сделать НИР?

Look at other dictionaries:

  • Montgomery Riverwalk Stadium — Location 200 Coosa Street Montgomery, Alabama 36104, United States Coordinates …   Wikipedia

  • Montgomery County Mathematically Precocious Youth Program — The Montgomery County Mathematically Precocious Youth Program (MCMPYP) is an out of school mathematics enrichment program for freshman, sophomore, and rarely, eighth grade students in Montgomery County, Pennsylvania. Because of its long name,… …   Wikipedia

  • Elliptic curve cryptography — (ECC) is an approach to public key cryptography based on the algebraic structure of elliptic curves over finite fields. The use of elliptic curves in cryptography was suggested independently by Neal Koblitz[1] and Victor S. Miller[2] in 1985.… …   Wikipedia

  • John Warwick Montgomery — was born October 18, 1931 in Warsaw, New York. In 2007 he was named Distinguished Professor of Philosophy and Christian Thought at Patrick Henry College. [cite news last = Halbrook first = David title = Renowned Apologist John Warwick Montgomery… …   Wikipedia

  • Experience curve effects — Experience curve re directs here. For its use in video games see Experience point. The learning curve effect and the closely related experience curve effect express the relationship between experience and efficiency. As individuals and/or… …   Wikipedia

  • John Montgomery Ward — Infielder/Pitcher Born: March 3, 1860(1860 03 03) Bel …   Wikipedia

  • Peter Montgomery — 2009 Peter Lawrence Montgomery ist ein amerikanischer Mathematiker, der sich mit Kryptographie und Algorithmischer Zahlentheorie beschäftigt. 1967 war er Putnam Gewinner an der University of California, Berkeley, wo er 1969 seinen Bachelor… …   Deutsch Wikipedia

  • Peter Montgomery — Peter Lawrence Montgomery is an American mathematician who has published widely in the more mathematical end of the field of cryptography. He is currently a researcher in the cryptography group at Microsoft Research.Montgomery is particularly… …   Wikipedia

  • Schuylkill Expressway — Route information M …   Wikipedia

  • Riemann hypothesis — The real part (red) and imaginary part (blue) of the Riemann zeta function along the critical line Re(s) = 1/2. The first non trivial zeros can be seen at Im(s) = ±14.135, ±21.022 and ±25.011 …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”