Montgomery curve

Last updated February 03, 2022

In mathematics the Montgomery curve is a form of elliptic curve introduced by Peter L. Montgomery in 1987,^[1] different from the usual Weierstrass form. It is used for certain computations, and in particular in different cryptography applications.

Definition

A Montgomery curve over a field $K$ is defined by the equation

M_{A,B}:By^{2}=x^{3}+Ax^{2}+x

for certain $A, B \in K$ and with $B (A 2 - 4) \neq 0$ .

Generally this curve is considered over a finite field K (for example, over a finite field of $q$ elements, $K = F q$ ) with characteristic different from 2 and with $A \neq \pm2$ and $B \neq 0$ , but they are also considered over the rationals with the same restrictions for $A$ and $B$ .

Montgomery arithmetic

It is possible to do some "operations" between the points of an elliptic curve: "adding" two points $P,Q$ consists of finding a third one $R$ such that $R=P+Q$ ; "doubling" a point consists of computing $[2]P=P+P$ (For more information about operations see The group law) and below.

A point $P=(x,y)$ on the elliptic curve in the Montgomery form $By^{2}=x^{3}+Ax^{2}+x$ can be represented in Montgomery coordinates $P=(X:Z)$ , where $P=(X:Z)$ are projective coordinates and $x=X/Z$ for $Z\neq 0$ .

Notice that this kind of representation for a point loses information: indeed, in this case, there is no distinction between the affine points $(x,y)$ and $(x,-y)$ because they are both given by the point $(X:Z)$ . However, with this representation it is possible to obtain multiples of points, that is, given $P=(X:Z)$ , to compute $[n]P=(X_{n}:Z_{n})$ .

Now, considering the two points $P_{n}=[n]P=(X_{n}:Z_{n})$ and $P_{m}=[m]P=(X_{m}:Z_{m})$ : their sum is given by the point $P_{m+n}=P_{m}+P_{n}=(X_{m+n}:Z_{m+n})$ whose coordinates are:

X_{m+n}=Z_{m-n}((X_{m}-Z_{m})(X_{n}+Z_{n})+(X_{m}+Z_{m})(X_{n}-Z_{n}))^{2}

Z_{m+n}=X_{m-n}((X_{m}-Z_{m})(X_{n}+Z_{n})-(X_{m}+Z_{m})(X_{n}-Z_{n}))^{2}

If $m=n$ , then the operation becomes a "doubling"; the coordinates of $[2]P_{n}=P_{n}+P_{n}=P_{2n}=(X_{2n}:Z_{2n})$ are given by the following equations:

4X_{n}Z_{n}=(X_{n}+Z_{n})^{2}-(X_{n}-Z_{n})^{2}

X_{2n}=(X_{n}+Z_{n})^{2}(X_{n}-Z_{n})^{2}

Z_{2n}=(4X_{n}Z_{n})((X_{n}-Z_{n})^{2}+((A+2)/4)(4X_{n}Z_{n}))

The first operation considered above (addition) has a time-cost of 3M+2S, where M denotes the multiplication between two general elements of the field on which the elliptic curve is defined, while S denotes squaring of a general element of the field.

The second operation (doubling) has a time-cost of 2M + 2S + 1D, where D denotes the multiplication of a general element by a constant; notice that the constant is $(A+2)/4$ , so $A$ can be chosen in order to have a small D.

Algorithm and example

The following algorithm represents a doubling of a point $P_{1}=(X_{1}:Z_{1})$ on an elliptic curve in the Montgomery form.

It is assumed that $Z_{1}=1$ . The cost of this implementation is 1M + 2S + 1*A + 3add + 1*4. Here M denotes the multiplications required, S indicates the squarings, and a refers to the multiplication by A.

XX_{1}=X_{1}^{2}\,

X_{2}=(XX_{1}-1)^{2}\,

Z_{2}=4X_{1}(XX_{1}+aX_{1}+1)\,

Example

Let $P_{1}=(2,{\sqrt {3}})$ be a point on the curve $2y^{2}=x^{3}-x^{2}+x$ . In coordinates $(X_{1}:Z_{1})$ , with $x_{1}=X_{1}/Z_{1}$ , $P_{1}=(2:1)$ .

Then:

XX_{1}=X_{1}^{2}=4\,

X_{2}=(XX_{1}-1)^{2}=9\,

Z_{2}=4X_{1}(XX_{1}+AX_{1}+1)=24\,

The result is the point $P_{2}=(X_{2}:Z_{2})=(9:24)$ such that $P_{2}=2P_{1}$ .

Addition

Given two points $P_{1}=(x_{1},y_{1})$ , $P_{2}=(x_{2},y_{2})$ on the Montgomery curve $M_{A,B}$ in affine coordinates, the point $P_{3}=P_{1}+P_{2}$ represents, geometrically the third point of intersection between $M_{A,B}$ and the line passing through $P_{1}$ and $P_{2}$ . It is possible to find the coordinates $(x_{3},y_{3})$ of $P_{3}$ , in the following way:

1) consider a generic line $~y=lx+m$ in the affine plane and let it pass through $P_{1}$ and $P_{2}$ (impose the condition), in this way, one obtains $l={\frac {y_{2}-y_{1}}{x_{2}-x_{1}}}$ and $m=y_{1}-\left({\frac {y_{2}-y_{1}}{x_{2}-x_{1}}}\right)x_{1}$ ;

2) intersect the line with the curve $M_{A,B}$ , substituting the $~y$ variable in the curve equation with $~y=lx+m$ ; the following equation of third degree is obtained:

x^{3}+(A-Bl^{2})x^{2}+(1-2Blm)x-Bm^{2}=0.

As it has been observed before, this equation has three solutions that correspond to the $~x$ coordinates of $P_{1}$ , $P_{2}$ and $P_{3}$ . In particular this equation can be re-written as:

(x-x_{1})(x-x_{2})(x-x_{3})=0

3) Comparing the coefficients of the two identical equations given above, in particular the coefficients of the terms of second degree, one gets:

-x_{1}-x_{2}-x_{3}=A-Bl^{2}

.

So, $x_{3}$ can be written in terms of $x_{1}$ , $y_{1}$ , $x_{2}$ , $y_{2}$ , as:

x_{3}=B\left({\frac {y_{2}-y_{1}}{x_{2}-x_{1}}}\right)^{2}-A-x_{1}-x_{2}.

4) To find the $~y$ coordinate of the point $P_{3}$ it is sufficient to substitute the value $x_{3}$ in the line $~y=lx+m$ . Notice that this will not give the point $P_{3}$ directly. Indeed, with this method one find the coordinates of the point $~R$ such that $R+P_{1}+P_{2}=P_{\infty }$ , but if one needs the resulting point of the sum between $P_{1}$ and $P_{2}$ , then it is necessary to observe that: $R+P_{1}+P_{2}=P_{\infty }$ if and only if $-R=P_{1}+P_{2}$ . So, given the point $~R$ , it is necessary to find $~-R$ , but this can be done easily by changing the sign to the $~y$ coordinate of $~R$ . In other words, it will be necessary to change the sign of the $~y$ coordinate obtained by substituting the value $x_{3}$ in the equation of the line.

Resuming, the coordinates of the point $P_{3}=(x_{3},y_{3})$ , $P_{3}=P_{1}+P_{2}$ are:

x_{3}={\frac {B(y_{2}-y_{1})^{2}}{(x_{2}-x_{1})^{2}}}-A-x_{1}-x_{2}

y_{3}={\frac {(2x_{1}+x_{2}+A)(y_{2}-y_{1})}{x_{2}-x_{1}}}-{\frac {B(y_{2}-y_{1})^{3}}{(x_{2}-x_{1})^{3}}}-y_{1}

Doubling

Given a point $P_{1}$ on the Montgomery curve $M_{A,B}$ , the point $[2]P_{1}$ represents geometrically the third point of intersection between the curve and the line tangent to $P_{1}$ ; so, to find the coordinates of the point $P_{3}=2P_{1}$ it is sufficient to follow the same method given in the addition formula; however, in this case, the line y = lx + m has to be tangent to the curve at $P_{1}$ , so, if $M_{A,B}:f(x,y)=0$ with

f(x,y)=x^{3}+Ax^{2}+x-By^{2},

then the value of l, which represents the slope of the line, is given by:

l=-\left.{\frac {\partial f}{\partial x}}\right/{\frac {\partial f}{\partial y}}

by the implicit function theorem.

So $l={\frac {3x_{1}^{2}+2Ax_{1}+1}{2By_{1}}}$ and the coordinates of the point $P_{3}$ , $P_{3}=2P_{1}$ are:

{\begin{aligned}x_{3}&=Bl^{2}-A-x_{1}-x_{1}={\frac {B(3x_{1}^{2}+2Ax_{1}+1)^{2}}{(2By_{1})^{2}}}-A-x_{1}-x_{1}\\y_{3}&=(2x_{1}+x_{1}+A)l-Bl^{3}-y_{1}\\&={\frac {(2x_{1}+x_{1}+A)(3{x_{1}}^{2}+2Ax_{1}+1)}{2By_{1}}}-{\frac {B(3{x_{1}}^{2}+2Ax_{1}+1)^{3}}{(2By_{1})^{3}}}-y_{1}.\end{aligned}}

Equivalence with twisted Edwards curves

Let $K$ be a field with characteristic different from 2.

Let $M_{A,B}$ be an elliptic curve in the Montgomery form:

M_{A,B}:Bv^{2}=u^{3}+Au^{2}+u

with $A\in K\smallsetminus \{-2,2\}$ , $B\in K\smallsetminus \{0\}$

and let $E_{a,d}$ be an elliptic curve in the twisted Edwards form:

{\displaystyle E_{a,d}\

with $a,d\in K\smallsetminus \{0\},\quad a\neq d.$

The following theorem shows the birational equivalence between Montgomery curves and twisted Edwards curve:^[2]

Theorem (i) Every twisted Edwards curve is birationally equivalent to a Montgomery curve over $K$ . In particular, the twisted Edwards curve $E_{a,d}$ is birationally equivalent to the Montgomery curve $M_{A,B}$ where $A={\frac {2(a+d)}{a-d}}$ , and $B={\frac {4}{a-d}}$ .

The map:

\psi \,:\,E_{a,d}\rightarrow M_{A,B}

(x,y)\mapsto (u,v)=\left({\frac {1+y}{1-y}},{\frac {1+y}{(1-y)x}}\right)

is a birational equivalence from $E_{a,d}$ to $M_{A,B}$ , with inverse:

\psi ^{-1}

:

M_{A,B}\rightarrow E_{a,d}

(u,v)\mapsto (x,y)=\left({\frac {u}{v}},{\frac {u-1}{u+1}}\right),a={\frac {A+2}{B}},d={\frac {A-2}{B}}

Notice that this equivalence between the two curves is not valid everywhere: indeed the map $\psi$ is not defined at the points $v=0$ or $u+1=0$ of the $M_{A,B}$ .

Equivalence with Weierstrass curves

Any elliptic curve can be written in Weierstrass form. In particular, the elliptic curve in the Montgomery form

M_{A,B}

:

By^{2}=x^{3}+Ax^{2}+x,

can be transformed in the following way: divide each term of the equation for $M_{A,B}$ by $B^{3}$ , and substitute the variables x and y, with $u={\frac {x}{B}}$ and $v={\frac {y}{B}}$ respectively, to get the equation

v^{2}=u^{3}+{\frac {A}{B}}u^{2}+{\frac {1}{B^{2}}}u.

To obtain a short Weierstrass form from here, it is sufficient to replace u with the variable $t-{\frac {A}{3B}}$ :

v^{2}=\left(t-{\frac {A}{3B}}\right)^{3}+{\frac {A}{B}}\left(t-{\frac {A}{3B}}\right)^{2}+{\frac {1}{B^{2}}}\left(t-{\frac {A}{3B}}\right);

finally, this gives the equation:

v^{2}=t^{3}+\left({\frac {3-A^{2}}{3B^{2}}}\right)t+\left({\frac {2A^{3}-9A}{27B^{3}}}\right).

Hence the mapping is given as

\psi

:

M_{A,B}\rightarrow E_{a,b}

(x,y)\mapsto (t,v)=\left({\frac {x}{B}}+{\frac {A}{3B}},{\frac {y}{B}}\right),a={\frac {3-A^{2}}{3B^{2}}},b={\frac {2A^{3}-9A}{27B^{3}}}

In contrast, an elliptic curve over base field $\mathbb {F}$ in Weierstrass form

E_{a,b}

:

v^{2}=t^{3}+at+b

can be converted to Montgomery form if and only if $E_{a,b}$ has order divisible by four and satisfies the following conditions:^[3]

$z^{3}+az+b=0$ has at least one root $\alpha \in \mathbb {F}$ ; and
$3\alpha ^{2}+a$ is a quadratic residue in $\mathbb {F}$ .

When these conditions are satisfied, then for $s=({\sqrt {3\alpha ^{2}+a}})^{-1}$ we have the mapping

\psi ^{-1}

:

E_{a,b}\rightarrow M_{A,B}

(t,v)\mapsto (x,y)=\left(s(t-\alpha ),sv\right),A=3\alpha s,B=s

.

Notes

↑ Peter L. Montgomery (1987). "Speeding the Pollard and Elliptic Curve Methods of Factorization". Mathematics of Computation. 48 (177): 243–264. doi: 10.2307/2007888 . JSTOR 2007888.
↑ Daniel J. Bernstein, Peter Birkner, Marc Joye, Tanja Lange and Christiane Peters (2008). "Twisted Edwards Curves". Progress in Cryptology – AFRICACRYPT 2008. Lecture Notes in Computer Science. Vol. 5023. Springer-Verlag Berlin Heidelberg. pp. 389–405. doi:10.1007/978-3-540-68164-9_26. ISBN 978-3-540-68159-5.{{cite book}}: CS1 maint: multiple names: authors list (link)
↑ Katsuyuki Okeya, Hiroyuki Kurumatani, and Kouichi Sakurai (2000). Elliptic Curves with the Montgomery-Form and Their Cryptographic Applications. Public Key Cryptography (PKC2000). doi: 10.1007/978-3-540-46588-1_17 .{{cite conference}}: CS1 maint: multiple names: authors list (link)

Related Research Articles

In analytic geometry, an asymptote of a curve is a line such that the distance between the curve and the line approaches zero as one or both of the x or y coordinates tends to infinity. In projective geometry and related contexts, an asymptote of a curve is a line which is tangent to the curve at a point at infinity.

In mathematics, an ellipse is a plane curve surrounding two focal points, such that for all points on the curve, the sum of the two distances to the focal points is a constant. As such, it generalizes a circle, which is the special type of ellipse in which the two focal points are the same. The elongation of an ellipse is measured by its eccentricity $, a number ranging from to .$

In mathematics, an elliptic curve is a smooth, projective, algebraic curve of genus one, on which there is a specified point O. An elliptic curve is defined over a field K and describes points in K², the Cartesian product of K with itself. If the field's characteristic is different from 2 and 3, then the curve can be described as a plane algebraic curve which, after a linear change of variables, consists of solutions (x,y) for:

In mathematics, a parabola is a plane curve which is mirror-symmetrical and is approximately U-shaped. It fits several superficially different mathematical descriptions, which can all be proved to define exactly the same curves.

The Lenstra elliptic-curve factorization or the elliptic-curve factorization method (ECM) is a fast, sub-exponential running time, algorithm for integer factorization, which employs elliptic curves. For general-purpose factoring, ECM is the third-fastest known factoring method. The second-fastest is the multiple polynomial quadratic sieve, and the fastest is the general number field sieve. The Lenstra elliptic-curve factorization is named after Hendrik Lenstra.

Quadratic function Polynomial function of degree two

In algebra, a quadratic function, a quadratic polynomial, a polynomial of degree 2, or simply a quadratic, is a polynomial function with one or more variables in which the highest-degree term is of the second degree.

In mathematics, an affine algebraic plane curve is the zero set of a polynomial in two variables. A projective algebraic plane curve is the zero set in a projective plane of a homogeneous polynomial in three variables. An affine algebraic plane curve can be completed in a projective algebraic plane curve by homogenizing its defining polynomial. Conversely, a projective algebraic plane curve of homogeneous equation $h (x, y, t) = 0$ can be restricted to the affine algebraic plane curve of equation $h (x, y, 1) = 0$ . These two operations are each inverse to the other; therefore, the phrase algebraic plane curve is often used without specifying explicitly whether it is the affine or the projective case that is considered.

In mathematics, the Jacobi elliptic functions are a set of basic elliptic functions. They are found in the description of the motion of a pendulum, as well as in the design of electronic elliptic filters. While trigonometric functions are defined with reference to a circle, the Jacobi elliptic functions are a generalization which refer to other conic sections, the ellipse in particular. The relation to trigonometric functions is contained in the notation, for example, by the matching notation $for . The Jacobi elliptic functions are used more often in practical problems than the Weierstrass elliptic functions as they do not require notions of complex analysis to be defined and/or understood. They were introduced by Carl Gustav Jakob Jacobi (1829). Carl Friedrich Gauss had already studied special Jacobi elliptic functions in 1797, the lemniscate elliptic functions in particular, but his work was published much later.$

In mathematics, a parametric equation defines a group of quantities as functions of one or more independent variables called parameters. Parametric equations are commonly used to express the coordinates of the points that make up a geometric object such as a curve or surface, in which case the equations are collectively called a parametric representation or parameterization of the object.

In mathematics, deformation theory is the study of infinitesimal conditions associated with varying a solution P of a problem to slightly different solutions P_ε, where ε is a small number, or a vector of small quantities. The infinitesimal conditions are the result of applying the approach of differential calculus to solving a problem with constraints. The name is an analogy to non-rigid structures that deform slightly to accommodate external forces.

Three-dimensional space is a geometric setting in which three values are required to determine the position of an element. This is the informal meaning of the term dimension.

In mathematics, the lemniscate elliptic functions are elliptic functions related to the arc length of the lemniscate of Bernoulli. They were first studied by Giulio Fagnano in 1718 and later by Leonhard Euler and Carl Friedrich Gauss, among others.

In geometry, the trilinear coordinatesx:y:z of a point relative to a given triangle describe the relative directed distances from the three sidelines of the triangle. Trilinear coordinates are an example of homogeneous coordinates. The ratio x:y is the ratio of the perpendicular distances from the point to the sides opposite vertices A and B respectively; the ratio y:z is the ratio of the perpendicular distances from the point to the sidelines opposite vertices B and C respectively; and likewise for z:x and vertices C and A.

In numerical linear algebra, the alternating-direction implicit (ADI) method is an iterative method used to solve Sylvester matrix equations. It is a popular method for solving the large matrix equations that arise in systems theory and control, and can be formulated to construct solutions in a memory-efficient, factored form. It is also used to numerically solve parabolic and elliptic partial differential equations, and is a classic method used for modeling heat conduction and solving the diffusion equation in two or more dimensions. It is an example of an operator splitting method.

In mathematics the division polynomials provide a way to calculate multiples of points on elliptic curves and to study the fields generated by torsion points. They play a central role in the study of counting points on elliptic curves in Schoof's algorithm.

In mathematics, the doubling-oriented Doche–Icart–Kohel curve is a form in which an elliptic curve can be written. It is a special case of Weierstrass form and it is also important in elliptic-curve cryptography because the doubling speeds up considerably. It has been introduced by Christophe Doche, Thomas Icart, and David R. Kohel in Efficient Scalar Multiplication by Isogeny Decompositions.

The tripling-oriented Doche–Icart–Kohel curve is a form of an elliptic curve that has been used lately in cryptography; it is a particular type of Weierstrass curve. At certain conditions some operations, as adding, doubling or tripling points, are faster to compute using this form. The Tripling oriented Doche–Icart–Kohel curve, often called with the abbreviation 3DIK has been introduced by Christophe Doche, Thomas Icart, and David R. Kohel in

In algebraic geometry, the twisted Edwards curves are plane models of elliptic curves, a generalisation of Edwards curves introduced by Bernstein, Birkner, Joye, Lange and Peters in 2008. The curve set is named after mathematician Harold M. Edwards. Elliptic curves are important in public key cryptography and twisted Edwards curves are at the heart of an electronic signature scheme called EdDSA that offers high performance while avoiding security problems that have surfaced in other digital signature schemes.

In mathematics, elliptic curve primality testing techniques, or elliptic curve primality proving (ECPP), are among the quickest and most widely used methods in primality proving. It is an idea put forward by Shafi Goldwasser and Joe Kilian in 1986 and turned into an algorithm by A. O. L. Atkin the same year. The algorithm was altered and improved by several collaborators subsequently, and notably by Atkin and François Morain, in 1993. The concept of using elliptic curves in factorization had been developed by H. W. Lenstra in 1985, and the implications for its use in primality testing followed quickly.

Elliptic curve scalar multiplication is the operation of successively adding a point along an elliptic curve to itself repeatedly. It is used in elliptic curve cryptography (ECC) as a means of producing a one-way function. The literature presents this operation as scalar multiplication, as written in Hessian form of an elliptic curve. A widespread name for this operation is also elliptic curve point multiplication, but this can convey the wrong impression of being a multiplication between two points.

References

Peter L. Montgomery (1987). "Speeding the Pollard and Elliptic Curve Methods of Factorization". Mathematics of Computation. 48 (177): 243–264. doi: 10.2307/2007888 . JSTOR 2007888.
Daniel J. Bernstein, Peter Birkner, Marc Joye, Tanja Lange and Christiane Peters (2008). "Twisted Edwards Curves". Progress in Cryptology – AFRICACRYPT 2008. Lecture Notes in Computer Science. Vol. 5023. Springer-Verlag Berlin Heidelberg. pp. 389–405. doi:10.1007/978-3-540-68164-9_26. ISBN 978-3-540-68159-5.{{cite book}}: CS1 maint: multiple names: authors list (link)
Wouter Castryck; Steven Galbraith; Reza Rezaeian Farashahi (2008). "Efficient Arithmetic on Elliptic Curves using a Mixed Edwards-Montgomery Representation" (PDF).{{cite journal}}: Cite journal requires |journal= (help)

External links

Genus-1 curves over large-characteristic fields

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Peter L. Montgomery (1987). "Speeding the Pollard and Elliptic Curve Methods of Factorization". Mathematics of Computation. 48 (177): 243–264. doi: 10.2307/2007888 . JSTOR 2007888.

[2] Daniel J. Bernstein, Peter Birkner, Marc Joye, Tanja Lange and Christiane Peters (2008). "Twisted Edwards Curves". Progress in Cryptology – AFRICACRYPT 2008. Lecture Notes in Computer Science. Vol. 5023. Springer-Verlag Berlin Heidelberg. pp. 389–405. doi:10.1007/978-3-540-68164-9_26. ISBN 978-3-540-68159-5.{{cite book}}: CS1 maint: multiple names: authors list (link)

[3] Katsuyuki Okeya, Hiroyuki Kurumatani, and Kouichi Sakurai (2000). Elliptic Curves with the Montgomery-Form and Their Cryptographic Applications. Public Key Cryptography (PKC2000). doi: 10.1007/978-3-540-46588-1_17 .{{cite conference}}: CS1 maint: multiple names: authors list (link)

[1]

[2]

[3]