INVERTED BINARY EDWARDS COORDINATES

(MAIRE MODEL OF AN ELLIPTIC CURVE)

by

STEVEN M. MAIRE

Submitted in partial fulfillment of the requirements

for the degree of Master of Science

Dissertation Advisor: Dr. David Singer

Department of Mathematics

CASE WESTERN RESERVE UNIVERSITY

May, 2014

CASE WESTERN RESERVE UNIVERSITY

SCHOOL OF GRADUATE STUDIES

We hereby approve the thesis/dissertation of

STEVEN M. MAIRE

candidate for the Master of Science degree*.

Dr. David Singer

Dr. Elisabeth Werner

Dr. Johnathan Duncan

(date) March 25, 2014

*We also certify that written approval has been obtained for any proprietary material contained therein.

Dedication

To my mother, Lynda O. Maire, whose lessons to me as a child came as encrypted signals, where the only cipher is time.

Contents

Dedication

List of Tables

List of Figures

Acknowledgements

Abstract

1 Introduction
  1.1 Elliptic Curves in Cryptography

2 Weierstrass Form: Paving the Way
  2.1 Weierstrass Addition Law
    2.1.1 Geometric Interpretation
    2.1.2 Algebraic Interpretation

3 Edwards Curves: Unifying Finite Field Operations
  3.1 The Addition Law
    3.1.1 Geometric Interpretation
    3.1.2 Algebraic Interpretation

4 Binary Edwards Curves: Doubling down on Deuces
  4.1 Building the New Shape for the Edwards' Form
  4.2 The First Complete Addition Law Over a Binary Field

5 Maire Model
  5.1 Inverted Binary Edwards
  5.2 The Addition Law
  5.3 Operations Unification

6 Elliptic Curves in Cryptography: A Revolution
  6.1 Advantages of the Edwards' Forms
  6.2 Further Research

List of Tables

List of Figures

2.1 A graph depicting the geometrical 'chord and tangent method' of elliptic curve addition. The solid red line denotes the 'addition line' while the dashed line denotes reflection. (Left) distinct point addition, and (Right) point doubling.

3.1 A graph depicting the geometry of Edwards curve addition. The solid red line denotes the 'addition line' while the dashed line denotes reflection. (Left) distinct point addition, and (Right) point doubling.

Acknowledgements

I would like to thank Dr. David Singer for his knowledge and guidance throughout this entire process. Without the influence and passion that he shows inside and outside the classroom, I am sure that I would never have gained the appreciation and joy that I have today for mathematics.

I would also like to thank my committee for their time and patience, as well as the intellectual input they have provided within this process. I could not ask for a better group of mathematicians to help guide me along my way.

And last, but certainly not least, each and all of the faculty of the Department of Mathematics, Applied Mathematics, and Statistics. My career at this university has been different, to say the least. I am only able to be where I am today with their continued support as an undergraduate, while overseas, and now with my pursuit of a Master's.

INVERTED BINARY EDWARDS COORDINATES

(MAIRE MODEL OF AN ELLIPTIC CURVE)

Abstract

by

STEVEN M. MAIRE

Edwards curves are a relatively new way of expressing a family of elliptic curves, and they have cryptographic properties that are highly desirable compared with the forms used before them. The most notable is a complete and unified addition law. Because one formula handles every pair of inputs, an implementation needs no special cases for doubling or for the neutral element, which removes the differences in operation sequence that simple side-channel attacks exploit.

In the continued analysis and development of Edwards curves, it was observed for the original Edwards form that inverted coordinates give a more efficient addition/doubling algorithm. With inverted coordinates the field operation count for addition drops from 10M + 1S (given suitably chosen curve parameters) to 9M + 1S. The sacrifice is the loss of completeness, but unification remains. This paper examines the use of the inverted coordinate system on the binary Edwards form and shows the underlying advantages of this transformation.

Chapter 1

Introduction

1.1 Elliptic Curves in Cryptography

Roughly ten years after the idea of asymmetric cryptosystems appeared, elliptic curves came onto the scene of public key cryptography. In 1985, Neal Koblitz and Victor Miller independently proposed schemes built on the group structure of an elliptic curve. The Diffie-Hellman key exchange, originally published in 1976, bases its security on the difficulty of the discrete logarithm problem in the multiplicative group of a finite field. Using this as a model, Koblitz and Miller proposed the elliptic curve discrete logarithm problem, for which no sub-exponential algorithm is known. Elliptic curves therefore offer the same level of security as the original Diffie-Hellman scheme with smaller key sizes.

By working in finite fields, Koblitz and Miller took advantage of the geometric and algebraic structure of elliptic curves to obtain a harder one-way function. Although elliptic curves are, mathematically speaking, a completely valid way of securing information, the implementation can leave a system vulnerable to attack. In 1999, Paul Kocher and others published in [2] one of the first types of attack now known as side-channel attacks. This class of attacks uses information leaked by the implementation to give the attacker clues about the secret. Differential power analysis, timing analysis, acoustic cryptanalysis, and data remanence are all examples of how an attacker can learn about the secret before even beginning any brute-force computation.

A way around such attacks came from Harold Edwards, who published in 2007 a normal form for elliptic curves (over fields of characteristic not 2) whose group has a strongly unified addition law. Because the same formula computes a doubling and a distinct addition, the sequence of field operations no longer reveals which of the two was performed, which removes the leakage that these side-channel attacks exploit.

In the following chapter we begin by giving the geometric and algebraic definitions of the Weierstrass form and its addition law. With that understanding in place, Chapter 3 moves to the contribution of Edwards, and of Bernstein and Lange, and Chapter 4 to the binary Edwards curves of Bernstein, Lange, and Farashahi. In Chapter 5 we examine a different map into the homogeneous coordinate system and how it can improve upon the original binary Edwards curve.

Chapter 2

Weierstrass Form: Paving the Way

To define it most simply, an elliptic curve is "a smooth, projective algebraic curve of genus one." We begin our examination by defining an elliptic curve in the affine coordinate system (x, y) over some field K. Assume for now that char(K) ≠ 2, 3; then an elliptic curve is given by an equation of the form

$$E(K):\ y^2 = x^3 + Ax + B$$

where A, B are constants in K. Together with the point at infinity, denoted ∞, the points on this curve form a group whose identity (or neutral) element is ∞. We must ensure that the curve is non-singular, i.e. has no cusps or self-intersections. The guarantee comes from the original definition of an elliptic curve: the assumption that the curve has genus one means that the discriminant (denoted Δ) must not be zero. If the discriminant were zero, the cubic $x^3 + Ax + B$ would have a double root, and the curve would be singular, no longer of genus one, and therefore not elliptic. For this form of the curve the discriminant is, up to a constant factor,

$$\Delta = 4A^3 + 27B^2.$$


Fields of characteristic 2 and 3 can be included by using the more general Weierstrass equation, which also gives an elliptic curve:

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$

where $a_1, \dots, a_6$ are constants in K. When we begin to define the properties of an elliptic curve we will start with the short Weierstrass form and move to the general form, which includes fields of characteristic 2 and 3, as necessary. Now that we have a more explicit definition of an elliptic curve, we can construct the addition law that makes up the group operation.

2.1 Weierstrass Addition Law

Now that we have the Weierstrass form of an elliptic curve in affine coordinates, we can define the addition law on this family of curves. We will examine it from the geometric as well as the algebraic perspective. Both views will be important later when we begin to transform our elliptic curve.

2.1.1 Geometric Interpretation

In order to understand the addition law geometrically, we start by stating a the- orem from algebraic geometry.

Theorem (Bézout's Theorem). Let $f, g \in K[X, Y]$ be nonzero polynomials of degrees m and n, respectively, that share no common factor. Let C and D be the plane curves defined by $f(X, Y) = 0$ and $g(X, Y) = 0$. Then the total number of intersection points of C and D in the projective plane over the algebraic closure of K, counting multiplicities and points at infinity, is exactly mn.

The proof of Bézout's theorem can be found in any algebraic geometry textbook, so we omit it here. For the cubic elliptic curve defined above, a line of the form $y = mx + b$ must meet the curve exactly three times, counting multiplicities and the point at infinity. This gives a natural place to define the addition law on an elliptic curve, and the procedure is simple. Draw the line through two points P and Q; it meets the curve again at a third point $R'$. Then draw the line through the identity element ∞ and $R'$ (a vertical line) to hit the curve once more at R, the reflection of $R'$ in the x-axis. The sum P + Q is R. Figure 2.1 illustrates both distinct addition and doubling.

Figure 2.1: A graph depicting the geometrical 'chord and tangent method' of elliptic curve addition. The solid red line denotes the 'addition line' while the dashed line denotes reflection. (Left) distinct point addition, and (Right) point doubling.

Now, with this sense of geometry in place, we make a more formal definition of geometric addition over an elliptic curve:

Definition (Geometric Addition on the Weierstrass Form). Let K be a field whose characteristic is not 2 or 3, and let the elliptic curve be given by $y^2 = x^3 + Ax + B$. Let $P = (x_P, y_P)$, $Q = (x_Q, y_Q)$, and $R = (x_R, y_R)$ with $P, Q, R \in E(K)$. Addition is then one of the following cases:

(i) If $P = \infty$, then $P + Q = Q$.

(ii) If $Q = \infty$, then $P + Q = P$.

(iii) If $x_P = x_Q$ and $y_P = -y_Q$, then $P + Q = \infty$. This corresponds to the vertical line through the two points, which meets the curve again only at the point at infinity.

(iv) If $P = Q$ and $y_P = 0$, then $P + Q = \infty$. This corresponds to doubling a point at which the tangent line is vertical.

(v) Otherwise, if $P = Q$, draw the tangent to the curve at P; it meets the curve again at $R'$, and the vertical line through $R'$ meets the curve at $R = 2P$.

(vi) If $P \neq Q$, draw the secant line through P and Q; it meets the curve at a third point $R'$, and the vertical line through $R'$ meets the curve at $R = P + Q$.

It is easy to see that the addition law has many cases (it is not unified), and handling these cases separately will cause problems later. In what follows we will attempt to bring these six cases together to yield more efficient addition algorithms that preserve the security of the system. With this geometric interpretation of addition on elliptic curves in hand, we can define the law algebraically and start to build how it can be implemented in a cryptosystem.

2.1.2 Algebraic Interpretation

With the understanding gained from the construction of the addition law in the previous section, constructing the algebraic expressions is fairly simple. We start again from Bézout's theorem: an elliptic curve in Weierstrass form is a cubic, so it meets a straight line exactly three times, counting multiplicities, and that gives us all the information we need to derive the addition law.

Definition (Algebraic Addition on the Weierstrass Form). Let K be a field, as before, whose characteristic is not 2 or 3, and let the elliptic curve be given as above by $y^2 = x^3 + Ax + B$. Let $P = (x_P, y_P)$, $Q = (x_Q, y_Q)$, and $R = (x_R, y_R)$ with $P, Q, R \in E(K)$. Addition is then defined by one of the following:

(i) If $P = \infty$, then $P + Q = Q$.

(ii) If $Q = \infty$, then $P + Q = P$.

(iii) If $x_P = x_Q$ and $y_P = -y_Q$, then $P + Q = \infty$.

(iv) If $P = Q$ and $y_P = 0$, then $P + Q = \infty$.

(v) If $P = Q$ (and $y_P \neq 0$), then $2P = R$ is found by

$$m = \frac{3x_P^2 + A}{2y_P}, \qquad x_R = m^2 - 2x_P, \qquad y_R = m(x_P - x_R) - y_P.$$

(vi) If $P \neq Q$ (and $x_P \neq x_Q$), then $P + Q = R$ is found by

$$m = \frac{y_Q - y_P}{x_Q - x_P}, \qquad x_R = m^2 - x_P - x_Q, \qquad y_R = m(x_P - x_R) - y_P.$$

The proof is long and can be found in any cryptographic text, so we omit it. Now that we have an algebraic expression for the group law on an elliptic curve, there is a way to measure the efficiency of the algorithm. The commonplace measure is to count field multiplications and squarings, because over most fields these operations require their own sub-algorithms and dominate the running time.

In the case of the Weierstrass form, all of the cases involving ∞ can be handled with if-then statements. Addition and subtraction in a finite field take negligible time compared with field multiplication (denoted M), squaring (S), or inversion (I), so these are the three types of field operation considered when measuring running time. Field multiplication is the standard unit, and a field squaring costs anywhere from 0.8M to 1M; we will treat the two as equal. (Over binary fields in a polynomial basis, squaring is a linear operation and is considerably cheaper than a general multiplication, which is one of the attractions of the binary fields used from Chapter 4 on.) Field inversion, on the other hand, is much more costly; the ratio depends on the field and the implementation, and we take it to be roughly 100M. From the equations above, the Weierstrass form has a distinct point addition cost of 2M + 1S + 1I and a point doubling cost of 2M + 2S + 1I.
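To make the operation counts concrete, here is an added example (not the thesis's code) of the affine addition law of Section 2.1.2 over a small constructed prime field, p = 103 with A = 2 and B = 3, with counters for M, S and I. The curve, the prime and the points are constructed for the illustration and are far below cryptographic size; find_point uses Euler's criterion and a square root by exponentiation, which is why p was chosen with p ≡ 3 (mod 4).

```python
"""Affine addition on y^2 = x^3 + Ax + B over F_p with an operation counter.
Added illustration (not from the thesis); p, A, B are constructed toy values."""

P_MOD = 103                # constructed prime with p = 3 (mod 4), so sqrt is one exponentiation
A, B = 2, 3                # 4A^3 + 27B^2 = 275 = 69 (mod 103), nonzero, so the curve is non-singular
INF = None                 # the point at infinity, the group identity

COUNT = {"M": 0, "S": 0, "I": 0}   # field multiplications, squarings, inversions

def reset_count():
    for k in COUNT:
        COUNT[k] = 0

def fmul(a, b):
    COUNT["M"] += 1
    return a * b % P_MOD

def fsqr(a):
    COUNT["S"] += 1
    return a * a % P_MOD

def finv(a):
    COUNT["I"] += 1
    return pow(a, P_MOD - 2, P_MOD)     # Fermat inversion; a must be nonzero

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def negate(pt):
    return INF if pt is INF else (pt[0], -pt[1] % P_MOD)

def add(P, Q):
    """Cases (i)-(vi) of Section 2.1.2.  Field additions are not counted."""
    if P is INF:                                          # (i)
        return Q
    if Q is INF:                                          # (ii)
        return P
    xP, yP = P
    xQ, yQ = Q
    if xP == xQ and (yP + yQ) % P_MOD == 0:               # (iii) and (iv): vertical line
        return INF
    if P == Q:                                            # (v) tangent: m = (3x^2 + A) / (2y)
        m = fmul((3 * fsqr(xP) + A) % P_MOD, finv(2 * yP % P_MOD))
    else:                                                 # (vi) secant: m = (yQ - yP) / (xQ - xP)
        m = fmul((yQ - yP) % P_MOD, finv((xQ - xP) % P_MOD))
    xR = (fsqr(m) - xP - xQ) % P_MOD                      # for P == Q this is m^2 - 2xP
    yR = (fmul(m, (xP - xR) % P_MOD) - yP) % P_MOD
    return (xR, yR)

def op_count(P, Q):
    """Field operations used by one add(P, Q), as (M, S, I)."""
    reset_count()
    add(P, Q)
    return COUNT["M"], COUNT["S"], COUNT["I"]

def scalar_mult(k, P):
    """Left-to-right double-and-add; the doubling/addition asymmetry is what SPA observes."""
    R = INF
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R

def find_point(x0=0):
    """First affine point with x >= x0: Euler's criterion, then sqrt(r) = r^((p+1)/4)."""
    for x in range(x0, P_MOD):
        rhs = (x ** 3 + A * x + B) % P_MOD
        if pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:
            return (x, pow(rhs, (P_MOD + 1) // 4, P_MOD))
    raise ValueError("no point found")
```

With these parameters find_point() returns (2, 18) and find_point(3) returns (3, 97); op_count reports (2, 1, 1) for a distinct addition and (2, 2, 1) for a doubling, matching the counts above, and the single inversion in each is the cost that projective coordinates remove in Chapter 5.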


From this simple analysis of how the group operations work over the field, we can already see the disadvantages of the Weierstrass form. The field inversion in both parts of the addition law makes point addition and doubling expensive. There is also an asymmetry between the operation counts of distinct addition and doubling, and it is exactly this asymmetry that the side-channel attacks mentioned earlier exploit: an observer who can tell an addition from a doubling in a double-and-add loop learns the bits of the secret scalar. Much of the development of elliptic curve cryptography is now devoted to closing these side-channel leaks.

In the following section we present the discovery of Harold Edwards, and the ad- vantages that arise from the development of the family of Edwards curves.

Chapter 3

Edwards Curves: Unifying Finite Field Operations

In 2007, Harold Edwards published [3], in which he unified the work of Euler and Gauss on elliptic curves. The result is an elliptic curve given by a quartic polynomial that has many desirable cryptographic properties. Bernstein and Lange noted these advantages in [4], where they laid out a comparison between Edwards curves and other existing forms. We begin by stating the Edwards form of an elliptic curve as Bernstein and Lange did in their paper:

Definition (Edwards (Normal) Form of an Elliptic Curve). Let K be a field in which $2 \neq 0$. Let E be an elliptic curve over K such that the group E(K) has an element of order 4. Then

(1) there exists $d \in K \setminus \{0, 1\}$ such that the curve $x^2 + y^2 = 1 + dx^2y^2$ is birationally equivalent over K to a quadratic twist of E;

(2) if E(K) has a unique element of order 2, then there is a non-square $d \in K$ such that the curve $x^2 + y^2 = 1 + dx^2y^2$ is birationally equivalent over K to a quadratic twist of E; and

(3) if K is finite and E(K) has a unique element of order 2, then there is a non-square $d \in K$ such that the curve $x^2 + y^2 = 1 + dx^2y^2$ is birationally equivalent over K to E itself.

Edwards restricted himself to the case $d = 1$ (with a scaling parameter c), but through the work of Bernstein and Lange in [4] the parameter d has been extended to all $d \in K \setminus \{0, 1\}$. The transformation between the Weierstrass form and the Edwards form $x^2 + y^2 = c^2(1 + dx^2y^2)$ is as follows: the Weierstrass curve

$$E(K):\ v^2 = (u - c^4 d - 1)(u^2 - 4c^4 d)$$

is equivalent to the Edwards curve through the transformation $\Phi: (u, v) \mapsto (x, y)$ given by

$$x = \frac{-2c(w - c)}{u^2}, \qquad y = \frac{4c^2(w - c) + 2c(c^4 d + 1)u^2}{u^3}, \qquad \text{where } w = v(c^2 d u^2 - 1).$$

We now define the neutral group element under the transformation as $O = (0, c)$. The point $O' = (0, -c)$ is a point of order two on the curve. The points at infinity become two singular points, $(1 : 0 : 0)$ and $(0 : 1 : 0)$, of the projective closure, and each blows up into two points [4]. From this point on we denote the neutral element by O, the point of order two by $O'$, and the singular points by $\Omega_1$ and $\Omega_2$. Now that we have the neutral element as an affine point of the curve, we can define the addition law on the points of the curve uniformly, instead of case by case as for the Weierstrass form.

3.1 The Addition Law

The largest advantage of the Edwards form over other forms is its generalized addition law. A group law is strongly unified if, for all $P, Q \in E(K)$, the same formula computes both P + Q and P + P = 2P. The unified addition law of the Edwards form means that a side-channel observer cannot distinguish a doubling from a distinct addition by the sequence of field operations alone. We begin, as before, by giving some geometric sense of how the addition law works before stating the formal definition.

3.1.1 Geometric Interpretation

The geometric interpretation of the addition law on an Edwards curve actually stems from the twisted Edwards curve. A twisted Edwards curve is a more general form of the Edwards curve, so its geometric interpretation is valid for the original Edwards form as well. Just as with the Weierstrass curve, Bézout's theorem tells us that the quartic Edwards curve meets a conic in 8 points, counting multiplicities. Let γ be the conic (a hyperbola with one vertical and one horizontal asymptote, so that it passes through the two points at infinity) through the three points P, Q, and $O'$ on the curve. Then γ meets the curve five more times. Four of those intersections are at the points at infinity, since the singularities $\Omega_1$ and $\Omega_2$ are double points of the curve, and so the last one is uniquely defined as $R'$.

Now, just as before, we connect the point $R'$ with the neutral element in order to reflect it. The complication is that, in addition to the neutral element O, we have the point $O'$ of order two, which doubles to the identity. Reflection is therefore carried out over the line joining O and $O'$. For the Edwards curve this is the y-axis, as stated above, so from $R' = (x_{R'}, y_{R'})$ we obtain $R = P + Q = (-x_{R'}, y_{R'})$. Figure 3.1 illustrates the Edwards addition law.

With this understanding we can set out to now express algebraically the Edwards addition law, as well as verify that it produces points on the curve.


Figure 3.1: A graph depicting the geometry of Edwards curve addition. The solid red line denotes the ’addition line’ while the dashed line denotes reflection. (Left) distinct point addition, and (Right) point doubling.

3.1.2 Algebraic Interpretation

In the Weierstrass form there are six distinct cases for the addition law. In presenting the group addition law on the Edwards form we will show that it is (i) unified and (ii) complete when certain conditions hold. First we state the addition law as presented by Edwards in [3] and Bernstein and Lange in [4]. Given two points $(x_1, y_1), (x_2, y_2) \in E(K)$ on the curve $x^2 + y^2 = c^2(1 + dx^2y^2)$, their sum is

$$(x_1, y_1) + (x_2, y_2) = \left( \frac{x_1 y_2 + x_2 y_1}{c(1 + d x_1 x_2 y_1 y_2)},\ \frac{y_1 y_2 - x_1 x_2}{c(1 - d x_1 x_2 y_1 y_2)} \right),$$

which for $c = 1$ is the law for the curve $x^2 + y^2 = 1 + dx^2y^2$ of the definition above. From the results of Bernstein and Lange we know that this is the correct addition law for the Edwards form; verification and proofs can be found in [4], Theorems 3.1, 3.2, and 3.3.

Since the theorem imposes no constraint $x_1 \neq x_2$ or $y_1 \neq y_2$, the addition law of the Edwards form is the same for P + P as for P + Q, for any $P, Q \in E(K)$. To get from unification to completeness we need one more assumption: that the curve parameter d is not a square in K. As stated in [4], "when d is not a square, the Edwards addition law is complete: it is defined for all pairs of input points on the Edwards curve over K." The Edwards addition law can then be carried out on every pair of points on the elliptic curve, and the algorithm has been distilled into the single case stated above.
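The following added example (not the thesis's code, nor that of [4]) implements the c = 1 addition law over a small constructed prime field, p = 103, and checks the two properties just discussed: the same function doubles and adds (unification), and with the non-square d = 3 it is defined on every pair of points, while with the square d = 2 there are pairs of affine points on which a denominator vanishes. The scalar multiplication shows the practical consequence: a double-and-add-always loop built from one formula has a field-operation sequence independent of the scalar. The values of p and d are constructed for the illustration.

```python
"""Addition on the Edwards curve x^2 + y^2 = 1 + d x^2 y^2 over F_p (the c = 1 form of
Section 3.1.2).  Added illustration, not the thesis's code; p and d are constructed toy values."""

P_MOD = 103                     # constructed prime, far below cryptographic size
O = (0, 1)                      # neutral element (0, c) with c = 1

def is_square(a):
    """Euler's criterion; 0 is counted as a square."""
    a %= P_MOD
    return a == 0 or pow(a, (P_MOD - 1) // 2, P_MOD) == 1

def on_curve(d, pt):
    x, y = pt
    return (x * x + y * y - 1 - d * x * x * y * y) % P_MOD == 0

def points(d):
    """All affine F_p-points by brute force (fine for a toy field)."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve(d, (x, y))]

def negate(pt):
    """-(x, y) = (-x, y): reflection in the y-axis, the line through O and O'."""
    return (-pt[0] % P_MOD, pt[1])

def edwards_add(d, P1, P2):
    """The single formula of Section 3.1.2, used unchanged for doubling.
    Returns None if a denominator vanishes, which [4] shows cannot happen for non-square d."""
    (x1, y1), (x2, y2) = P1, P2
    t = d * x1 * x2 * y1 * y2 % P_MOD
    den_x, den_y = (1 + t) % P_MOD, (1 - t) % P_MOD
    if den_x == 0 or den_y == 0:
        return None
    x3 = (x1 * y2 + x2 * y1) * pow(den_x, P_MOD - 2, P_MOD) % P_MOD
    y3 = (y1 * y2 - x1 * x2) * pow(den_y, P_MOD - 2, P_MOD) % P_MOD
    return (x3, y3)

def exceptional_pairs(d):
    """Pairs of affine points on which the law is undefined; empty when d is a non-square."""
    pts = points(d)
    return [(A, B) for A in pts for B in pts if edwards_add(d, A, B) is None]

def scalar_mult(d, k, P):
    """Double-and-add-always: every bit costs one doubling and one addition, both computed
    by the same edwards_add, so the field-operation sequence does not depend on k.
    (The final selection still needs a constant-time conditional move in real code.)"""
    R = O
    for bit in bin(k)[2:]:
        R = edwards_add(d, R, R)
        T = edwards_add(d, R, P)
        R = T if bit == "1" else R
    return R
```

For d = 3 the affine points form the whole group, so multiplying any point by the number of points returns O; for d = 2 the list returned by exceptional_pairs is the set of inputs an implementation would have to special-case, which is exactly the situation the non-square condition rules out.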

Chapter 4

Binary Edwards Curves: Doubling down on Deuces

In the previous chapters we introduced the Edwards form and showed that it is birationally equivalent to the Weierstrass form. We then showed that the points on an Edwards curve over a field K of characteristic not 2 possess a unified addition law, and that under a further condition (that the curve parameter d is not a square in K) the addition law is complete. In this chapter we show that there is an Edwards-like form that is elliptic over a binary field, and present its associated addition law.

4.1 Building the New Shape for the Edwards' Form

Unfortunately the form $x^2 + y^2 = 1 + dx^2y^2$ presented by Edwards, and developed by Bernstein and Lange, is not elliptic over a binary field. In 2011, Wenger and Hutter published in [5] an examination of finite field operations for elliptic curve cryptography and found that binary fields outperformed large-prime-characteristic fields in both runtime and energy usage. This makes binary fields a natural choice for the field representation in elliptic curve cryptography. The motivation now becomes to build an elliptic curve over a binary field whose addition law is unified and preferably complete. It is from this vantage point that we come to the second family of elliptic curves by Bernstein and Lange, the binary Edwards curve. In their paper from 2008, Bernstein, Lange, and Farashahi present the binary form:

Definition (Binary Edwards Form) [6]. Let K be a field with char(K) = 2. Let $d_1, d_2$ be elements of K with $d_1 \neq 0$ and $d_2 \neq d_1^2 + d_1$. The binary Edwards curve with coefficients $d_1$ and $d_2$ is the affine curve

$$E_{B,d_1,d_2}:\ d_1(x + y) + d_2(x^2 + y^2) = xy + xy(x + y) + x^2y^2.$$

In order to arrive at the binary Edwards form we have to go back to Weierstrass. Since char(K) = 2, the short form $y^2 = x^3 + Ax + B$ will not suffice, so we return to the general Weierstrass form

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6,$$

and there are two cases to handle: $a_1 \neq 0$ and $a_1 = 0$.

If $a_1 \neq 0$, then the change of variables $x = a_1^2 x_1 + a_3/a_1$ and $y = a_1^3 y_1 + a_1^{-3}(a_1^2 a_4 + a_3^2)$ brings the equation to the form

$$y_1^2 + x_1 y_1 = x_1^3 + a_2' x_1^2 + a_6',$$

which is a non-singular elliptic curve if and only if $a_6' \neq 0$. If on the other hand $a_1 = 0$, then the correct substitution is $x = x_1 + a_2$ and $y = y_1$, which gives the other form of an elliptic curve over a binary field,

$$y_1^2 + a_3' y_1 = x_1^3 + a_4' x_1 + a_6'.$$

This curve is non-singular when $a_3' \neq 0$.

With these two binary forms of the Weierstrass equation we can now trace the steps of Bernstein, Lange, and Farashahi in [6] in developing the binary Edwards form. We first look at how to map between the Weierstrass form in characteristic 2 and this binary form. Of the two Weierstrass forms for binary fields we choose to look at the ordinary (non-supersingular) one,

$$C(K):\ y^2 + xy = x^3 + a_2 x^2 + a_6,$$

with $a_6 \neq 0$, as stated above. The map from the binary Edwards form to the Weierstrass form, called $\Phi_B$, is defined as $\Phi_B: (u, v) \mapsto (x, y)$ where

$$x = \frac{d_1(d_1^2 + d_1 + d_2)(u + v)}{uv + d_1(u + v)}, \qquad y = d_1(d_1^2 + d_1 + d_2)\left(\frac{u}{uv + d_1(u + v)} + d_1 + 1\right),$$

with $a_2 = d_1^2 + d_2$ and $a_6 = d_1^4(d_1^4 + d_1^2 + d_2^2)$, and where (u, v) satisfies the binary Edwards equation

$$d_1(u + v) + d_2(u^2 + v^2) = uv + uv(u + v) + u^2 v^2.$$

This map, however, has no affine preimage for the point at infinity of C(K). Bernstein, Lange, and Farashahi define it separately as corresponding to (0, 0), and this element, before and after the transformation, remains the neutral element of the group. Since this new form is a quartic, as the original Edwards form is, we must be concerned with singularities of the curve. A point is singular if the curve equation and all of its partial derivatives vanish there. The authors of [6] settle this with a simple theorem stating that each binary Edwards curve is non-singular as an affine curve. They note immediately after the proof that the projective closure of the curve does have singular points, at infinity, but that these do not affect the affine curve over K. They state explicitly that "these points are non-singular since the partial derivative $d_1 z^2 + z + 1$ does not vanish for $z = 0$. These blowups are defined over the smallest extension of K in which $d_1 z^2 + z + 1$ has roots."

4.2 The First Complete Addition Law Over a Binary Field

With the parameters of the curve defined, as well as its relation back to the Weierstrass form, we can define the addition law on this curve. In order to move directly to the cryptographic setting we add one more restriction: the curve parameter $d_2$ cannot be written in the form $z^2 + z$ with $z \in K$ (for a finite field this says exactly that $d_2$ has trace 1). The effect of this assumption is to take the addition law, which is strongly unified without it, to completeness. Just as for the Edwards form over a field of characteristic not 2, we have a condition that leaves no special cases in the group addition. Before going any deeper, we state the complete addition law:

Theorem (Completeness of the addition law). Let K be a field with char(K) = 2. Let $d_1, d_2 \in K$ with $d_1 \neq 0$ and $z^2 + z + d_2 \neq 0$ for every $z \in K$. The sum of two points $(x_1, y_1), (x_2, y_2)$ on the binary Edwards curve $E_{B,d_1,d_2}$ is $(x_1, y_1) + (x_2, y_2) = (x_3, y_3)$, where

$$x_3 = \frac{d_1(x_1 + x_2) + d_2(x_1 + y_1)(x_2 + y_2) + (x_1 + x_1^2)\big(x_2(y_1 + y_2 + 1) + y_1 y_2\big)}{d_1 + (x_1 + x_1^2)(x_2 + y_2)},$$

$$y_3 = \frac{d_1(y_1 + y_2) + d_2(y_1 + x_1)(y_2 + x_2) + (y_1 + y_1^2)\big(y_2(x_1 + x_2 + 1) + x_1 x_2\big)}{d_1 + (y_1 + y_1^2)(y_2 + x_2)},$$

and this law is defined for every pair of points on the curve.

The condition that turns a strongly unified law into a complete one is easier to understand after seeing the addition law. The law is well defined exactly when the denominators $d_1 + (x_1 + x_1^2)(x_2 + y_2)$ and $d_1 + (y_1 + y_1^2)(x_2 + y_2)$ are nonzero. That $d_1$ is nonzero by assumption is not enough on its own, since the product could still equal $d_1$; the proof in [6] shows that if either denominator vanished for points on the curve, then $d_2$ would be of the form $z^2 + z$ for some $z \in K$, contradicting the hypothesis. The proofs are non-trivial but tedious, and the reader should refer to [6] for them. With completeness better understood we can state the following theorem:

Theorem. Let n be an integer with $n \geq 3$. Each ordinary (non-supersingular) elliptic curve over $\mathbb{F}_{2^n}$ is birationally equivalent over $\mathbb{F}_{2^n}$ to a complete binary Edwards curve.

This theorem not only establishes the existence of binary Edwards curves with a complete addition law, but also that there are plenty of them to implement: exactly half of the elements of $\mathbb{F}_{2^n}$ have trace 1 and so are admissible as $d_2$, and [6] reports that approximately 50% of the curves over a given field can be used in this way. With this knowledge we now move to a transformation of the binary Edwards curve that has shown promise for other elliptic forms.

Chapter 5

Maire Model

The Edwards and binary Edwards forms have gained much popularity since H. M. Edwards' publication in 2007. Now that we have reviewed the properties of the Edwards forms and their equivalence to the standard Weierstrass form, we can begin to carry over ideas used for other elliptic forms to the Edwards form. One of the first ideas tried in the effort to make elliptic curve addition more efficient was the use of projective coordinates (x : y : z) as a way of eliminating field inversion. A projective point with $z \neq 0$ corresponds to the affine point (x/z, y/z), and the original curve and points are recovered by setting z = 1. Field inversion is by far the most expensive field operation, costing tens of multiplications (the figure of roughly 100M was used in Chapter 2). Working in projective coordinates was extremely advantageous: every addition and doubling becomes inversion-free, the single inversion needed to return to affine coordinates is deferred to the end of a scalar multiplication, and operation counts immediately went down.

The transformation to the projective plane above was defined by the substitution $X = x/z$ and $Y = y/z$. This, though, is not the only way of moving into the projective plane. In [7], Bernstein and Lange took a slightly different path to the projective plane over a standard Edwards curve. Using the inverted substitution $X = z/x$ and $Y = z/y$, they found that the curve took a different shape and that this offered the possibility of a more efficient algorithm.

5.1 Inverted Binary Edwards

What we do now is apply that same idea to the binary Edwards curve. It has been mentioned that binary fields offer faster field multiplication and lower power consumption than fields of large prime characteristic. With that in mind we move forward and define the Maire form of an elliptic curve:

Definition (Maire Form of an Elliptic Curve). Let K be a field with char(K) = 2. Let $d_1, d_2$ be elements of K such that $d_1 \neq 0$ and $d_2 \neq d_1^2 + d_1$. The Maire curve with coefficients $d_1$ and $d_2$ is the projective curve

$$E_{M,d_1,d_2}:\ d_1(x^2 y + x y^2) + d_2(x^2 + y^2) z = z(x + z)(y + z).$$

The curve, just as with the binary Edwards curve, is symmetric in x and y; therefore if (x, y, z) is a point on the curve then so is (y, x, z). Also, points on the curve form equivalence classes in which $(x, y, z) = (\lambda x, \lambda y, \lambda z)$ for any nonzero $\lambda \in K$, and for this reason we denote points on the Maire curve by $(x : y : z)$ from here on. Under the inverted substitution, a binary Edwards point (x, y) with $xy \neq 0$ corresponds to the Maire point $(1/x : 1/y : 1)$, and conversely $(x : y : z)$ with $xyz \neq 0$ corresponds to the affine point (z/x, z/y). Now that we have a definition of what the curve looks like, we must ensure that it is nonsingular so that it can have cryptographic usefulness. The following theorem and proof are now presented:

Theorem. Each Maire curve is nonsingular.

Proof. By definition the curve $E_{M,d_1,d_2}$ has $d_1 \neq 0$ and $d_2 \neq d_1^2 + d_1$. A point of a projective curve is singular if all partial derivatives of the defining polynomial vanish there. Writing the curve as $F(x, y, z) = 0$ and using that char(K) = 2, the partial derivatives $E_x, E_y, E_z$ with respect to x, y, and z are

$$E_x = d_1 y^2 + z(y + z), \qquad E_y = d_1 x^2 + z(x + z), \qquad E_z = d_2(x^2 + y^2) + xy + z^2.$$

At the three points with $z = 0$, namely $(1 : 0 : 0)$, $(0 : 1 : 0)$, and $(1 : 1 : 0)$, one of $E_x$ and $E_y$ equals $d_1 \neq 0$, so none of them is singular. In the affine chart $z = 1$ we must therefore look for a point (x, y) with

$$d_1 y^2 + y + 1 = 0, \qquad d_1 x^2 + x + 1 = 0, \qquad d_2(x^2 + y^2) + xy + 1 = 0.$$

Adding the first two equations gives $E_x + E_y = d_1(x^2 + y^2) + x + y = 0$.

If $x + y = 0$ then $x = y$, and $E_z = 0$ becomes $x^2 + 1 = (x + 1)^2 = 0$, so $x = y = 1$. But then $E_x = d_1 + 1 + 1 = d_1 = 0$, a contradiction.

So let $x + y \neq 0$. Then $d_1(x^2 + y^2) + x + y = (x + y)\big(d_1(x + y) + 1\big) = 0$ gives $d_1(x + y) = 1$, and squaring, $d_1^2(x^2 + y^2) = 1$. From $E_z = 0$ we have $d_2(x^2 + y^2) = 1 + xy$; multiplying by $d_1^2$ and using $d_1^2(x^2 + y^2) = 1$ gives $d_2 = d_1^2(1 + xy) = d_1(d_1 + d_1 xy)$. Next, multiplying $d_1(x + y) = 1$ by x gives $d_1 x^2 + d_1 xy = x$, that is $d_1 xy = x + d_1 x^2$, so $d_2 = d_1(d_1 + x + d_1 x^2)$. Since $E_y = 0$ must also hold, $d_1 x^2 + x = 1$, and therefore $d_2 = d_1(d_1 + 1) = d_1^2 + d_1$. This contradicts the assumption $d_2 \neq d_1^2 + d_1$, so the family of Maire curves is nonsingular. □

Birational Equivalence. Elliptic curves are normally displayed in Weierstrass form. An elliptic curve over a binary field can be given in homogeneous coordinates by

$$v^2 w + uvw = u^3 + a_2 u^2 w + a_6 w^3,$$

where $a_6 \neq 0$. The map from the Maire form to this homogeneous Weierstrass form is

$$u = d_1(d_1^2 + d_1 + d_2)(x + y),$$

$$v = d_1(d_1^2 + d_1 + d_2)\bigl(y + (d_1 + 1)(z + d_1(x + y))\bigr),$$

$$w = z + d_1(x + y).$$

The map is undefined only where $w = 0$, which is what one expects of a birational map. It states that the Maire form is equivalent to the homogeneous Weierstrass curve

$$v^2 w + uvw = u^3 + (d_1^2 + d_2)\, u^2 w + d_1^4(d_1^4 + d_1^2 + d_2^2)\, w^3.$$

5.2 The Addition Law

Now that we have applied the inverted transformation to the binary Edwards curve and obtained the new model, we can study its geometry and its addition law. After the transformation the Maire form is still a cubic curve, so we can go back to the original Weierstrass interpretation of intersecting the cubic with a straight line. The difference from before is that we are now in homogeneous coordinates, so the line must be taken in the same homogeneous system. With that in mind we state the Maire addition law:

Theorem: Maire Addition Law. Let $E_M$ be a Maire curve as defined above and let $P = (x_1 : y_1 : z_1)$ and $Q = (x_2 : y_2 : z_2)$ be points on $E_M$. Then the sum of these two points is the point $N = (x_3 : y_3 : z_3)$ defined by

$$\alpha = d_1 R(R + S)\, z_1 z_2,$$

$$\beta = d_1 S(R x_1 + S y_1)\, z_2 + \bigl[d_2(R + S)^2 + RS\bigr] z_1 z_2 + d_1 R(R + S)(x_1 z_2 + x_2 z_1),$$

$$x_3 = S z_1 \beta,\qquad y_3 = R(\beta z_1 + x_1 \alpha) + S y_1 \alpha,\qquad z_3 = S z_1 \alpha,$$

where $R$ and $S$ are defined as follows: if $P = Q$ then $R = d_1 y_1^2 + y_1 z_1 + z_1^2$ and $S = d_1 x_1^2 + x_1 z_1 + z_1^2$; if $P \neq Q$ then $R = y_1 z_2 + y_2 z_1$ and $S = x_1 z_2 + x_2 z_1$.

The addition law has some features that differ from what is usually seen. We first prove the addition law and then describe the properties of the parameters $R$ and $S$ that make it work.

Proof. Let $E_M$ be a curve as described above, with $d_1 \neq 0$ and $d_2 \neq d_1^2 + d_1$, and let $P = (x_1 : y_1 : z_1)$, $Q = (x_2 : y_2 : z_2)$ and $N = (x_3 : y_3 : z_3)$ be three points on $E_M$. First we pass to the affine chart $z = 1$ by substituting $x = Xz$ and $y = Yz$, which gives the curve

$$d_1(X^2 Y + X Y^2) + d_2(X^2 + Y^2) = (X + 1)(Y + 1).$$

The line $Y = m(X + X_1) + Y_1$ through $(X_1, Y_1)$ meets this cubic in exactly three points (counted with multiplicity, and provided the leading coefficient $A$ below is nonzero), with abscissae $X_1, X_2$ and $X_3$. Substituting the equation of the line into the curve yields

$$d_1\Bigl(X^2\bigl(m(X + X_1) + Y_1\bigr) + X\bigl(m(X + X_1) + Y_1\bigr)^2\Bigr) + d_2\Bigl(X^2 + \bigl(m(X + X_1) + Y_1\bigr)^2\Bigr) = (X + 1)\bigl(m(X + X_1) + Y_1 + 1\bigr).$$

Regrouping terms gives a cubic polynomial in $X$ of the form $AX^3 + BX^2 + CX + D = 0$. The roots of a cubic sum to $-B/A$, which in characteristic 2 is $B/A$; therefore $X_1 + X_2 + X_3 = B/A$, where (using $(a + b)^2 = a^2 + b^2$ to drop the cross terms)

$$A = d_1 m(m + 1),\qquad B = d_1(mX_1 + Y_1) + d_2(m + 1)^2 + m.$$

Solving for $AX_3$ gives $AX_3 = B + A(X_1 + X_2)$.

The corresponding $Y_3$ is found by going back to the line equation, $Y_3 = m(X_3 + X_1) + Y_1$; multiplying by $A$ gives $AY_3 = Am(X_3 + X_1) + AY_1$. With expressions for both $X_3$ and $Y_3$ we now write the slope $m$ as a ratio $R/S$. If $P \neq Q$ the line is the secant through them, whose slope is $(Y_1 + Y_2)/(X_1 + X_2)$, so $R = Y_1 + Y_2$ and $S = X_1 + X_2$. If $P = Q$ we define $m$ implicitly by computing $dY/dX$ from the curve equation:

$$m = \frac{dY}{dX} = \frac{d_1 Y^2 + Y + 1}{d_1 X^2 + X + 1},$$

so $R = d_1 Y^2 + Y + 1$ and $S = d_1 X^2 + X + 1$, which are exactly the partial derivatives $E_x$ and $E_y$ of the previous section evaluated at $z = 1$. To avoid complication, we use $R$ and $S$ in all expressions with this understanding of how they are defined.

We now substitute $m = R/S$ into the expressions for $X_3$ and $Y_3$ and multiply through by $S^2$ to eliminate the division. This gives

$$d_1 R(R + S)\, X_3 = d_1 S(R X_1 + S Y_1) + d_2(R + S)^2 + RS + d_1 R(R + S)(X_1 + X_2),$$

$$d_1 R S(R + S)\, Y_3 = d_1 R(R + S)\bigl[R(X_3 + X_1) + S Y_1\bigr].$$

To get back to the projective curve we substitute $X_i = x_i/z_i$ and $Y_i = y_i/z_i$ for $i = 1, 2$ and again multiply through to clear denominators. The same is done for $R$ and $S$, which become the homogeneous expressions $d_1 y^2 + yz + z^2$ and $d_1 x^2 + xz + z^2$ in the doubling case and $y_1 z_2 + y_2 z_1$ and $x_1 z_2 + x_2 z_1$ in the distinct case (both are the affine $R$, $S$ scaled by the same factor, so the ratios are unchanged). The first equation then reads $X_3 = \beta/\alpha$ with $\alpha$ and $\beta$ as in the theorem, and the second gives $Y_3 = \bigl(R(\beta z_1 + x_1 \alpha) + S y_1 \alpha\bigr)/(S z_1 \alpha)$. Because points are defined only up to a nonzero scalar, we take the common denominator $S z_1 \alpha$ as $z_3$; the numerators $x_3 = S z_1 \beta$ and $y_3 = R(\beta z_1 + x_1 \alpha) + S y_1 \alpha$ are then as stated in the theorem. $\square$

5.3 Operations Unification

This section gives conditions under which the addition law above is unified in its operation counts. While the addition expression is the same for distinct point addition and for doubling, with no special cases necessary, the two definitions of $R$ and $S$ yield slightly different operation counts for the overall addition law. To avoid falling victim to side-channel attacks, we must negotiate this obstacle. We show again the expressions for $R$ and $S$:

$$R = \begin{cases} d_1 y^2 + yz + z^2 & P = Q \\ y_1 z_2 + y_2 z_1 & P \neq Q \end{cases}\qquad S = \begin{cases} d_1 x^2 + xz + z^2 & P = Q \\ x_1 z_2 + x_2 z_1 & P \neq Q \end{cases}$$

For point doubling we see an operation count of $1M + 2S$ for each of $R$ and $S$ (plus a multiplication by the constant $d_1$), whereas distinct addition costs just $2M$ for each. If, though, we choose the curve parameter $d_1$ to be a perfect square in $K$ (in a finite binary field every element is a square), we can take advantage of the fact that squaring is a linear operation in a binary field, so that $d_1 y^2 + z^2 = (\delta y)^2 + z^2 = (\delta y + z)^2$, and $R$ and $S$ become

$$R = \begin{cases} (\delta y + z)^2 + yz & P = Q \\ y_1 z_2 + y_2 z_1 & P \neq Q \end{cases}\qquad S = \begin{cases} (\delta x + z)^2 + xz & P = Q \\ x_1 z_2 + x_2 z_1 & P \neq Q \end{cases}$$

where $\delta$ is the square root of the parameter $d_1$. The doubling terms now cost $1M + 1S$ each (plus the constant multiplication by $\delta$). With this organisation, and since field squaring and multiplication are very close in power consumption and running time, the operations can be concealed over the course of consecutive elliptic curve point operations. Note that the choice between the two definitions of $R$ and $S$ still depends on whether $P = Q$, so an implementation has to make that selection without a data-dependent branch if the addition is to leak nothing.
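The addition law of Section 5.2 and the $\delta$ rewrite of this section, worked through in code. This is an added example and not code from the thesis: it fixes an assumed field, GF(2^8) with the reduction polynomial $x^8 + x^4 + x^3 + x + 1$, and assumed example parameters $d_1 = \mathtt{0x02}$, $d_2 = \mathtt{0x03}$ (which satisfy $d_2 \neq d_1^2 + d_1 = \mathtt{0x06}$); it implements the Maire curve, the theorem's formulas for $(x_3 : y_3 : z_3)$ with both definitions of $R$ and $S$, and then checks what the proof actually promises: the result lies on the curve and on the line through $P$ and $Q$ (on the tangent at $P$ when $P = Q$), the $\delta$ form of the doubling terms agrees with the original, and no affine point has all three partial derivatives zero. Inputs the law does not cover (a vertical line, $S = 0$, or $\alpha = 0$, for instance doubling $(1 : 1 : 1)$, whose tangent has slope 1) are reported as `None` rather than silently producing a wrong point. The names `gf_mul`, `MaireCurve`, `check_addition_law` and the rest are this example's own.

```python
# GF(2^8) with reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B), an assumed field for this example.
POLY, M = 0x11B, 8

def gf_mul(a, b):
    """Shift-and-add multiplication in GF(2^M), reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> M:
            a ^= POLY
        b >>= 1
    return r

def gf_sqr(a):
    return gf_mul(a, a)

class MaireCurve:
    """E_{M,d1,d2}: d1(x^2 y + x y^2) + d2(x^2 + y^2) z = z(x + z)(y + z) over GF(2^M)."""
    def __init__(self, d1=0x02, d2=0x03):   # defaults: assumed example parameters (d1^2 + d1 = 0x06)
        if d1 == 0 or d2 == gf_sqr(d1) ^ d1:
            raise ValueError("need d1 != 0 and d2 != d1^2 + d1")
        self.d1, self.d2, self.delta = d1, d2, d1
        for _ in range(M - 1):               # squaring is a bijection of GF(2^M), so
            self.delta = gf_sqr(self.delta)  # sqrt(d1) = d1^(2^(M-1)); delta^2 = d1 (Section 5.3)

    def on_curve(self, P):
        """Evaluate the defining form (every sign is + in char 2); zero exactly on the curve."""
        x, y, z = P
        return (gf_mul(self.d1, gf_mul(gf_mul(x, y), x ^ y))      # d1(x^2 y + x y^2)
                ^ gf_mul(gf_mul(self.d2, gf_sqr(x ^ y)), z)       # d2(x^2 + y^2) z
                ^ gf_mul(z, gf_mul(x ^ z, y ^ z))) == 0           # z(x + z)(y + z)

    def partials(self, P):
        """(F_x, F_y, F_z) at P: the three forms used in the nonsingularity proof."""
        x, y, z = P
        return (gf_mul(self.d1, gf_sqr(y)) ^ gf_mul(y, z) ^ gf_sqr(z),
                gf_mul(self.d1, gf_sqr(x)) ^ gf_mul(x, z) ^ gf_sqr(z),
                gf_mul(self.d2, gf_sqr(x ^ y)) ^ gf_mul(x, y) ^ gf_sqr(z))

    def slope_terms(self, P, Q):
        """R, S with slope m = R/S: chord through P and Q, or tangent (F_x, F_y) when P == Q."""
        (x1, y1, z1), (x2, y2, z2) = P, Q
        if gf_mul(x1, z2) == gf_mul(x2, z1) and gf_mul(y1, z2) == gf_mul(y2, z1):
            return self.partials(P)[:2]
        return gf_mul(y1, z2) ^ gf_mul(y2, z1), gf_mul(x1, z2) ^ gf_mul(x2, z1)

    def unified_doubling_terms(self, P):
        """Section 5.3 rewrite: d1 y^2 + y z + z^2 = (delta y + z)^2 + y z, one M and one S each."""
        x, y, z = P
        return (gf_sqr(gf_mul(self.delta, y) ^ z) ^ gf_mul(y, z),
                gf_sqr(gf_mul(self.delta, x) ^ z) ^ gf_mul(x, z))

    def add(self, P, Q):
        """Third intersection with line PQ (tangent at P when P == Q); None if S == 0 or alpha == 0."""
        (x1, y1, z1), (x2, y2, z2) = P, Q
        d1, d2 = self.d1, self.d2
        R, S = self.slope_terms(P, Q)
        RpS, z1z2 = R ^ S, gf_mul(z1, z2)
        alpha = gf_mul(gf_mul(d1, R), gf_mul(RpS, z1z2))
        if S == 0 or alpha == 0:                  # vertical line / degenerate cubic: law not defined
            return None
        beta = (gf_mul(gf_mul(d1, S), gf_mul(gf_mul(R, x1) ^ gf_mul(S, y1), z2))
                ^ gf_mul(gf_mul(d2, gf_sqr(RpS)) ^ gf_mul(R, S), z1z2)
                ^ gf_mul(gf_mul(d1, R), gf_mul(RpS, gf_mul(x1, z2) ^ gf_mul(x2, z1))))
        x3 = gf_mul(gf_mul(S, z1), beta)
        y3 = gf_mul(R, gf_mul(beta, z1) ^ gf_mul(x1, alpha)) ^ gf_mul(gf_mul(S, y1), alpha)
        z3 = gf_mul(gf_mul(S, z1), alpha)
        return (x3, y3, z3)

    def affine_points(self):   # every (x : y : 1) on the curve, by exhaustive search (2^16 trials)
        return [(x, y, 1) for x in range(1 << M) for y in range(1 << M) if self.on_curve((x, y, 1))]

def collinear(P, Q, N):
    """det[P; Q; N] == 0 in the projective plane (cofactor expansion, char 2 signs)."""
    (x1, y1, z1), (x2, y2, z2), (x3, y3, z3) = P, Q, N
    return (gf_mul(x1, gf_mul(y2, z3) ^ gf_mul(y3, z2)) ^ gf_mul(y1, gf_mul(x2, z3) ^ gf_mul(x3, z2))
            ^ gf_mul(z1, gf_mul(x2, y3) ^ gf_mul(x3, y2))) == 0

def on_tangent(curve, P, N):
    """N lies on the tangent line F_x(P) X + F_y(P) Y + F_z(P) Z = 0 at P."""
    Fx, Fy, Fz = curve.partials(P)
    return gf_mul(Fx, N[0]) ^ gf_mul(Fy, N[1]) ^ gf_mul(Fz, N[2]) == 0

def check_addition_law(curve, pts):
    """Apply the law to every pair and every doubling in pts; return (sums, doublings, all_ok)."""
    sums, dbls, ok = 0, 0, True
    for i, P in enumerate(pts):
        for Q in pts[i + 1:]:
            N = curve.add(P, Q)
            if N is not None:
                sums += 1
                ok = ok and curve.on_curve(N) and collinear(P, Q, N)
        N = curve.add(P, P)
        if N is not None:
            dbls += 1
            ok = ok and curve.on_curve(N) and on_tangent(curve, P, N)
            ok = ok and curve.slope_terms(P, P) == curve.unified_doubling_terms(P)
    return sums, dbls, ok
```

A typical run is `C = MaireCurve()`, `pts = C.affine_points()` (a few hundred points, since a nonsingular cubic over GF(2^8) has roughly 257 points by the Hasse bound) and `check_addition_law(C, pts[:40])`, which returns `(sums, doublings, True)` with both counts positive. The checks cover exactly what the chord-and-tangent derivation guarantees, closure and incidence with the line, and nothing more: the exceptional inputs reported as `None` are the cases the closing section of the thesis has in mind when it says a complete and strongly unified law is still open.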

Chapter 6

Elliptic Curves in Cryptography: A Revolution

Since 1985 elliptic curves have become more and more prominent within the cryptographic community, thanks to mathematicians such as Neal Koblitz, Victor Miller and Harold Edwards. As time has gone on, notable groups and agencies have put more trust in elliptic curves as the future of public key cryptography. The National Security Agency in 2005 published its Suite B algorithms, which use ECC to protect material up to the classified level. Bitcoin uses ECC in the form of the Elliptic Curve Digital Signature Algorithm (ECDSA) to secure all of its transactions. Sony uses the same ECDSA to sign the software that runs on the PlayStation 3 game console. It should be noted that the successful attack on the PlayStation 3 signing scheme was due to a cut corner in the implementation, a static instead of random per-signature nonce, which lets the private key be recovered from two signatures. It is from this perspective that we look at the advantages and disadvantages of each curve form.

6.1 Advantages of the Edwards’ Forms

In earlier sections we established the conditions under which the Edwards curve is most advantageous to us; we can now look at its implementation and compare it to other forms used in cryptography. The complete addition law that we were seeking is useful as a way to minimise the vulnerability to side-channel attacks. The easiest way to defend against side-channel attacks is to use algorithms that, when possible, do not take shortcuts for point doubling or distinct addition. This is done by 'hiding' the field multiplications, that is, by designing algorithms whose timing, power usage, etc. are independent of their input. While one way of guarding against cryptographic attacks is algorithmic, the speed of a given algorithm is always a concern. Faster algorithms will always be preferred, and showing that the Edwards curve does not sacrifice speed for security is a definite plus for its implementation. In the table below we compare the Edwards curve to other forms that have been used for cryptographic implementation. Each of these prior forms, unlike the Edwards form, lacks a unified addition law; that is why their addition and doubling costs differ, while the Edwards costs are the same for both. In the table, M denotes a field multiplication, S a field squaring, and I a field inversion.

Coordinate System    Addition       Doubling
Weierstrass          2M + S + I     2M + 2S + I
Projective           12M + 2S       8M + 5S
Jacobian             12M + 4S       4M + 6S
Edwards              10M + I        10M + I

The disadvantage of using the Edwards form is the waste of memory that occurs when operating within the prescribed field. We defined the field over which the Edwards form is birationally equivalent to an elliptic curve to be non-binary: $\operatorname{char}(K) \neq 2$, or equivalently $2 \neq 0$ in the field, as stated in some of the theorems above. The NIST (National Institute of Standards and Technology) standard for ECC recommends one elliptic curve for each of the five prime characteristic fields, but one random elliptic curve and one Koblitz curve for each of the five binary fields. In what follows we will see that the work of Bernstein and Lange has carried the advantages of the Edwards form over to the more advantageous binary fields.

We have just seen that there are more curve options meeting the NIST guidelines over binary fields. Besides the choice of curve parameters and field, the algorithms for binary fields are much faster overall. In [5], Wenger and Hutter compared binary field operations to prime field operations. They found that a binary field based processor ran 69.6% faster than its prime field counterpart and saved 15.9% in power. We can immediately see the advantages of using a binary field over one of prime characteristic. Through the work of Bernstein, Lange and Farashahi [6] we have a set of Edwards curves that take advantage of faster computation and efficient power use, as well as a complete addition law to guard against side-channel attacks.

6.2 Further Research

Although elliptic curves have come far in their cryptographic implementation, there is still much to be done. A more solid understanding of the geometry of the binary Edwards form will surely take us a good deal forward. The geometric interpretation used in the study of twisted Edwards curves works well for understanding the conic that is used to create the addition law. This carries over easily to the original Edwards form, but the binary Edwards form presents a different problem entirely.

Mapping into the projective plane does a good job of lowering the field operation costs, by eliminating field inversion and by taking advantage of the equivalence classes between points. To continue working in the projective plane would be wise in order to make addition algorithms still more efficient. In the Maire form, a more implicit definition of the slope parameter $m$ would allow for a complete and strongly unified addition law in the binary field.

Bibliography

[1] Neal Koblitz. Elliptic Curve Cryptosystems. Mathematics of Computation, 1987.

[2] Paul Kocher, Joshua Jaffe & Benjamin Jun. Differential Power Analysis. Advances in Cryptology (CRYPTO '99), 1999.

[3] Harold Edwards. A Normal Form for Elliptic Curves. Bulletin of the American Mathematical Society, 2007.

[4] Daniel Bernstein & Tanja Lange. Faster Addition and Doubling on Elliptic Curves. Lecture Notes in Computer Science, 2007.

[5] Erich Wenger & Michael Hutter. Exploring the Design Space of Prime Field vs. Binary Field ECC-Hardware Implementations. Information Security Technology for Applications, 2012.

[6] Daniel Bernstein, Tanja Lange & R. R. Farashahi. Binary Edwards Curves. International Association for Cryptologic Research, 2008.

[7] Daniel Bernstein & Tanja Lange. Inverted Edwards Coordinates. Lecture Notes in Computer Science, 2007.

[8] A. J. Menezes, T. Okamoto & S. A. Vanstone. Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field. IEEE Transactions on Information Theory, 1993.

[9] Samta Gajbhiye, Monisha Sharma & Samir Dashputre. A Survey Report on Elliptic Curve Cryptography. International Journal of Electrical and Computer Engineering, 2011.

[10] Christophe Arène, Tanja Lange, Michael Naehrig & Christophe Ritzenthaler. Faster Computation of the Tate Pairing. Journal of Number Theory, 2011.

[11] R. R. Farashahi. On the Number of Distinct Legendre, Jacobi, Hessian and Edwards Curves. Workshop on Coding and Cryptography, 2011.