Twisted Hessian curves

Last updated December 24, 2024

In mathematics, twisted Hessian curves are a generalization of Hessian curves; they were introduced in elliptic curve cryptography to speed up the addition and doubling formulas and to have strongly unified arithmetic. In some operations (see the last sections), it is close in speed to Edwards curves. Twisted Hessian curves were introduced by Bernstein, Lange, and Kohel.^[1]

Definition

Let $K$ be a field. The twisted Hessian form in affine coordinates is given by:

$a\cdot x^{3}+y^{3}+1=d\cdot x\cdot y$

and in projective coordinates by

$a\cdot X^{3}+Y^{3}+Z^{3}=d\cdot X\cdot Y\cdot Z,$

where $x = X / Z$ and $y = Y / Z$ and $a, d \in K$ . These curves are birationally equivalent to Hessian curves, and Hessian curves are just the special case of twisted Hessian curves in which $a = 1$ .

Considering the equation $a \cdot x 3 + y 3 + 1 = d \cdot x \cdot y$ , note that, if $a$ has a cube root in $K$ , then there exists a unique $b$ such that $a = b 3$ ; otherwise, it is necessary to consider an extension field of $K$ , such as $K (a 1/3)$ . Then, since $b 3 x 3 = ax 3$ , defining $t = bx$ , the following equation is needed (in Hessian form) to do the transformation:

$t^{3}+y^{3}+1=d\cdot x\cdot y$ .

This means that twisted Hessian curves are birationally equivalent to elliptic curves in Weierstrass form.

Group law

It is interesting to analyze the group law of the elliptic curve, defining the addition and doubling formulas (because the simple power analysis and differential power analysis attacks are based on the running time of these operations). In general, the group law is defined in the following way: if three points lies in the same line then they sum up to zero. So, by this property, the explicit formulas for the group law depend on the curve shape.

Let $P = (x 1, y 1)$ be a point; its inverse is then $- P = (x 1 / y 1, 1/ y 1)$ in the plane. In projective coordinates, let $P = (X : Y : Z)$ be a point; then $- P = (X 1 / Y 1 : 1/ Y 1 : Z)$ is its inverse. Furthermore, the neutral element in affine plane is $θ = (0, - 1)$ , and in projective coordinates it is $θ = (0 : - 1 : 1)$ .

In some applications of elliptic curves for cryptography and integer factorization, it is necessary to compute scalar multiples of $P$ , say $[n] P$ for some integer $n$ , and they are based on the double-and-add method, so the addition and doubling formulas are needed. Using affine coordinates, the addition and doubling formulas for this elliptic curve are as follows.

Addition formulas

Let $P = (x 1, y 1)$ and $Q = (x 2, y 2)$ ; then, $R = P + Q = (x 3, y 3)$ , where

$x_{3}={\frac {x_{1}-y_{1}^{2}\cdot x_{2}\cdot y_{2}}{a\cdot x_{1}\cdot y_{1}\cdot x_{2}^{2}-y_{2}}}$

$y_{3}={\frac {y_{1}\cdot y_{2}^{2}-a\cdot x_{1}^{2}\cdot x_{2}}{a\cdot x_{1}\cdot y_{1}\cdot x_{2}^{2}-y_{2}}}$

Doubling formulas

Let $P = (x, y)$ ; then $[2] P = (x 1, y 1)$ , where

$x_{1}={\frac {x-y^{3}\cdot x}{a\cdot y\cdot x^{3}-y}}$

$y_{1}={\frac {y^{3}-a\cdot x^{3}}{a\cdot y\cdot x^{3}-y}}$

Algorithms and examples

Here some efficient algorithms of the addition and doubling law are given; they can be important in cryptographic computations, and the projective coordinates are used to this purpose.

Addition

$A=X_{1}\cdot Z_{2}$

$B=Z_{1}\cdot Z_{2}$

$C=Y_{1}X_{2}$

$D=Y_{1}\cdot Y_{2}$

$E=Z_{1}\cdot Y_{2}$

$F=a\cdot X_{1}\cdot X_{2}$

$X_{3}=A\cdot B-C\cdot D$

$Y_{3}=D\cdot E-F\cdot A$

$Z_{3}=F\cdot C-B\cdot E$

The cost of this algorithm is 12 multiplications, one multiplication by a constant, and 3 additions.

Example:

Let $P 1 = (1 : - 1 : 1)$ and $P 2 = (- 2 : 1 : 1)$ be points over a twisted Hessian curve with $(a, d) = (2, - 2)$ . Then $R = P 1 + P 2$ is given by:

$A=-1;B=-1;C=-1;D=-1;E=1;F=2;$

x_{3}=0

y_{3}=-3

z_{3}=-3

That is, $R = (0 : - 3 : - 3)$ .

Doubling

$D=X_{1}^{3}$

$E=Y_{1}^{3}$

$F=Z_{1}^{3}$

$G=a\cdot D$

$X_{3}=X_{1}\cdot (E-F)$

$Y_{3}=Z_{1}\cdot (G-E)$

$Z_{3}=Y_{1}\cdot (F-G)$

The cost of this algorithm is 3 multiplications, one multiplication by a constant, 3 additions, and 3 cubings. This is the best result obtained for this curve.

Example:

Let $P = (1 : - 1 : 1)$ be a point over the curve defined by $(a, d) = (2, - 2)$ as above; then, $R = [2] P = (x 3, y 3, z 3)$ is given by:

$D=1;E=-1;F=1;G=-4;$

x_{3}=-2

y_{3}=-3

z_{3}=-5

That is, $R = (- 2 : - 3 : 5)$ .

External links

http://hyperelliptic.org/EFD/g1p/index.html

Related Research Articles

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation in Galois fields, such as the RSA cryptosystem and ElGamal cryptosystem.

<span class="mw-page-title-main">Elliptic curve</span> Algebraic curve

In mathematics, an elliptic curve is a smooth, projective, algebraic curve of genus one, on which there is a specified point $O$ . An elliptic curve is defined over a field $K$ and describes points in $K 2$ , the Cartesian product of $K$ with itself. If the field's characteristic is different from 2 and 3, then the curve can be described as a plane algebraic curve which consists of solutions $(x, y)$ for:

<span class="mw-page-title-main">Gradient</span> Multivariate derivative (mathematics)

In vector calculus, the gradient of a scalar-valued differentiable function $of several variables is the vector field whose value at a point gives the direction and the rate of fastest increase. The gradient transforms like a vector under change of basis of the space of variables of . If the gradient of a function is non-zero at a point, the direction of the gradient is the direction in which the function increases most quickly from, and the magnitude of the gradient is the rate of increase in that direction, the greatest absolute directional derivative. Further, a point where the gradient is the zero vector is known as a stationary point. The gradient thus plays a fundamental role in optimization theory, where it is used to minimize a function by gradient descent. In coordinate-free terms, the gradient of a function may be defined by:$

In mathematics, especially in abstract algebra, a quasigroup is an algebraic structure that resembles a group in the sense that "division" is always possible. Quasigroups differ from groups mainly in that the associative and identity element properties are optional. In fact, a nonempty associative quasigroup is a group.

In probability theory, a probability density function (PDF), density function, or density of an absolutely continuous random variable, is a function whose value at any given sample in the sample space can be interpreted as providing a relative likelihood that the value of the random variable would be equal to that sample. Probability density is the probability per unit length, in other words, while the absolute likelihood for a continuous random variable to take on any particular value is 0, the value of the PDF at two different samples can be used to infer, in any particular draw of the random variable, how much more likely it is that the random variable would be close to one sample compared to the other sample.

The Lenstra elliptic-curve factorization or the elliptic-curve factorization method (ECM) is a fast, sub-exponential running time, algorithm for integer factorization, which employs elliptic curves. For general-purpose factoring, ECM is the third-fastest known factoring method. The second-fastest is the multiple polynomial quadratic sieve, and the fastest is the general number field sieve. The Lenstra elliptic-curve factorization is named after Hendrik Lenstra.

In mathematics, the Laplace operator or Laplacian is a differential operator given by the divergence of the gradient of a scalar function on Euclidean space. It is usually denoted by the symbols $, (where is the nabla operator), or . In a Cartesian coordinate system, the Laplacian is given by the sum of second partial derivatives of the function with respect to each independent variable. In other coordinate systems, such as cylindrical and spherical coordinates, the Laplacian also has a useful form. Informally, the Laplacian Δ f (p) of a function f at a point p measures by how much the average value of f over small spheres or balls centered at p deviates from f (p) .$

In mathematics, an affine algebraic plane curve is the zero set of a polynomial in two variables. A projective algebraic plane curve is the zero set in a projective plane of a homogeneous polynomial in three variables. An affine algebraic plane curve can be completed in a projective algebraic plane curve by homogenizing its defining polynomial. Conversely, a projective algebraic plane curve of homogeneous equation $h (x, y, t) = 0$ can be restricted to the affine algebraic plane curve of equation $h (x, y, 1) = 0$ . These two operations are each inverse to the other; therefore, the phrase algebraic plane curve is often used without specifying explicitly whether it is the affine or the projective case that is considered.

In geometry, an incidence relation is a heterogeneous relation that captures the idea being expressed when phrases such as "a point lies on a line" or "a line is contained in a plane" are used. The most basic incidence relation is that between a point, $P$ , and a line, $l$ , sometimes denoted $P I l$ . If P and l are incident, $P I l$ , the pair $(P, l)$ is called a flag.

In mathematics, complex multiplication (CM) is the theory of elliptic curves E that have an endomorphism ring larger than the integers. Put another way, it contains the theory of elliptic functions with extra symmetries, such as are visible when the period lattice is the Gaussian integer lattice or Eisenstein integer lattice.

In geometry, the Hessian curve is a plane curve similar to folium of Descartes. It is named after the German mathematician Otto Hesse. This curve was suggested for application in elliptic curve cryptography, because arithmetic in this curve representation is faster and needs less memory than arithmetic in standard Weierstrass form.

In model theory, interpretation of a structure M in another structure N is a technical notion that approximates the idea of representing M inside N. For example, every reduct or definitional expansion of a structure N has an interpretation in N.

<span class="mw-page-title-main">Edwards curve</span> Family of elliptic curves used in cryptography

In mathematics, the Edwards curves are a family of elliptic curves studied by Harold Edwards in 2007. The concept of elliptic curves over finite fields is widely used in elliptic curve cryptography. Applications of Edwards curves to cryptography were developed by Daniel J. Bernstein and Tanja Lange: they pointed out several advantages of the Edwards form in comparison to the more well known Weierstrass form.

In mathematics, the Jacobi curve is a representation of an elliptic curve different from the usual one defined by the Weierstrass equation. Sometimes it is used in cryptography instead of the Weierstrass form because it can provide a defence against simple and differential power analysis style (SPA) attacks; it is possible, indeed, to use the general addition formula also for doubling a point on an elliptic curve of this form: in this way the two operations become indistinguishable from some side-channel information. The Jacobi curve also offers faster arithmetic compared to the Weierstrass curve.

In mathematics, the doubling-oriented Doche–Icart–Kohel curve is a form in which an elliptic curve can be written. It is a special case of the Weierstrass form and it is also important in elliptic-curve cryptography because the doubling speeds up considerably. It was introduced by Christophe Doche, Thomas Icart, and David R. Kohel in Efficient Scalar Multiplication by Isogeny Decompositions.

In mathematics, the Montgomery curve is a form of elliptic curve introduced by Peter L. Montgomery in 1987, different from the usual Weierstrass form. It is used for certain computations, and in particular in different cryptography applications.

The tripling-oriented Doche–Icart–Kohel curve is a form of an elliptic curve that has been used lately in cryptography; it is a particular type of Weierstrass curve. At certain conditions some operations, as adding, doubling or tripling points, are faster to compute using this form. The tripling-oriented Doche–Icart–Kohel curve, often called with the abbreviation 3DIK was introduced by Christophe Doche, Thomas Icart, and David R. Kohel in.

In algebraic geometry, the twisted Edwards curves are plane models of elliptic curves, a generalisation of Edwards curves introduced by Bernstein, Birkner, Joye, Lange and Peters in 2008. The curve set is named after mathematician Harold M. Edwards. Elliptic curves are important in public key cryptography and twisted Edwards curves are at the heart of an electronic signature scheme called EdDSA that offers high performance while avoiding security problems that have surfaced in other digital signature schemes.

In mathematics, and especially differential topology and singularity theory, the Eisenbud–Levine–Khimshiashvili signature formula gives a way of computing the Poincaré–Hopf index of a real, analytic vector field at an algebraically isolated singularity. It is named after David Eisenbud, Harold I. Levine, and George Khimshiashvili. Intuitively, the index of a vector field near a zero is the number of times the vector field wraps around the sphere. Because analytic vector fields have a rich algebraic structure, the techniques of commutative algebra can be brought to bear to compute their index. The signature formula expresses the index of an analytic vector field in terms of the signature of a certain quadratic form.

In mathematical analysis and its applications, a function of several real variables or real multivariate function is a function with more than one argument, with all arguments being real variables. This concept extends the idea of a function of a real variable to several variables. The "input" variables take real values, while the "output", also called the "value of the function", may be real or complex. However, the study of the complex-valued functions may be easily reduced to the study of the real-valued functions, by considering the real and imaginary parts of the complex function; therefore, unless explicitly specified, only real-valued functions will be considered in this article.

References

↑ "Twisted Hessian curves" . Retrieved 28 February 2010.

http://hyperelliptic.org/EFD/g1p/auto-twistedhessian.html

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Twisted Hessian curves" . Retrieved 28 February 2010.

[1]