Twisted Hessian curves

Last updated April 18, 2024

In mathematics, the Twisted Hessian curve represents a generalization of Hessian curves; it was introduced in elliptic curve cryptography to speed up the addition and doubling formulas and to have strongly unified arithmetic. In some operations (see the last sections), it is close in speed to Edwards curves.

Definition

Let K be a field. According to^[1] twisted Hessian curves were introduced by Bernstein, Lange, and Kohel.

The twisted Hessian form in affine coordinates is given by:

$a\cdot x^{3}+y^{3}+1=d\cdot x\cdot y$

and in projective coordinates :

$a\cdot X^{3}+Y^{3}+Z^{3}=d\cdot X\cdot Y\cdot Z$

where $x={\frac {X}{Z}}$ and $y={\frac {Y}{Z}}$ and a, d in K

Note that these curves are birationally equivalent to Hessian curves.

The Hessian curve is just a special case of Twisted Hessian curve, with a=1.

Considering the equation a · x³ + y³ + 1 = d · x · y, note that:

if a has a cube root in K, there exists a unique b such that a = b³.Otherwise, it is necessary to consider an extension field of K (e.g., K(a^1/3)). Then, since b³ · x³ = bx³, defining t = b · x, the following equation is needed (in Hessian form) to do the transformation:

$t^{3}+y^{3}+1=d\cdot x\cdot y$ .

This means that Twisted Hessian curves are birationally equivalent to elliptic curve in Weierstrass form.

Group law

It is interesting to analyze the group law of the elliptic curve, defining the addition and doubling formulas (because the simple power analysis and differential power analysis attacks are based on the running time of these operations). In general, the group law is defined in the following way: if three points lies in the same line then they sum up to zero. So, by this property, the explicit formulas for the group law depend on the curve shape.

Let P = (x₁, y₁) be a point, then its inverse is −P = (x₁/y₁, 1/y₁) in the plane. In projective coordinates, let P = (X : Y : Z) be one point, then −P = (X₁/Y₁ : 1/Y₁ : Z) is the inverse of P.

Furthermore, the neutral element (in affine plane) is: θ = (0, −1) and in projective coordinates: θ = (0 : −1 : 1).

In some applications of elliptic curve cryptography and the elliptic curve method of integer factorization (ECM) it is necessary to compute the scalar multiplications of P, say [n]P for some integer n, and they are based on the double-and-add method; so the addition and doubling formulas are needed.

The addition and doubling formulas for this elliptic curve can be defined, using the affine coordinates to simplify the notation:

Addition formulas

Let p = (x₁, y₁) and Q = (x₂, y₂); then, R = P + Q = (x₃, y₃) is given by the following equations:

$x_{3}={\frac {x_{1}-y_{1}^{2}\cdot x_{2}\cdot y_{2}}{a\cdot x_{1}\cdot y_{1}\cdot x_{2}^{2}-y_{2}}}$

$y_{3}={\frac {y_{1}\cdot y_{2}^{2}-a\cdot x_{1}^{2}\cdot x_{2}}{a\cdot x_{1}\cdot y_{1}\cdot x_{2}^{2}-y_{2}}}$

Doubling formulas

Let P = (x, y); then [2]P = (x₁, y₁) is given by the following equations:

$x_{1}={\frac {x-y^{3}\cdot x}{a\cdot y\cdot x^{3}-y}}$

$y_{1}={\frac {y^{3}-a\cdot x^{3}}{a\cdot y\cdot x^{3}-y}}$

Algorithms and examples

Here some efficient algorithms of the addition and doubling law are given; they can be important in cryptographic computations, and the projective coordinates are used to this purpose.

Addition

$A=X_{1}\cdot Z_{2}$

$B=Z_{1}\cdot Z_{2}$

$C=Y_{1}X_{2}$

$D=Y_{1}\cdot Y_{2}$

$E=Z_{1}\cdot Y_{2}$

$F=a\cdot X_{1}\cdot X_{2}$

$X_{3}=A\cdot B-C\cdot D$

$Y_{3}=D\cdot E-F\cdot A$

$Z_{3}=F\cdot C-B\cdot E$

The cost of this algorithm is 12 multiplications, one multiplication by a (constant) and 3 additions.

Example:

let P₁ = (1 : −1 : 1) and P₂ = (−2 : 1 : 1) be points over a twisted Hessian curve with a=2 and d=-2.Then R = P₁ + P₂ is given by:

$A=-1;B=-1;C=-1;D=-1;E=1;F=2;$

x_{3}=0

y_{3}=-3

z_{3}=-3

That is, R= (0 : −3 : −3).

Doubling

$D=X_{1}^{3}$

$E=Y_{1}^{3}$

$F=Z_{1}^{3}$

$G=a\cdot D$

$X_{3}=X_{1}\cdot (E-F)$

$Y_{3}=Z_{1}\cdot (G-E)$

$Z_{3}=Y_{1}\cdot (F-G)$

The cost of this algorithm is 3 multiplications, one multiplication by constant, 3 additions and 3 cube powers. This is the best result obtained for this curve.

Example:

let P = (1 : −1 : 1) be a point over the curve defined by a=2 and d=-2 as above, then R = [2]P = (x₃ : y₃ : z₃) is given by:

$D=1;E=-1;F=1;G=-4;$

x_{3}=-2

y_{3}=-3

z_{3}=-5

That is R = (−2 : −3 : 5).

External links

http://hyperelliptic.org/EFD/g1p/index.html

Related Research Articles

<span class="mw-page-title-main">Ellipse</span> Plane curve: conic section

In mathematics, an ellipse is a plane curve surrounding two focal points, such that for all points on the curve, the sum of the two distances to the focal points is a constant. It generalizes a circle, which is the special type of ellipse in which the two focal points are the same. The elongation of an ellipse is measured by its eccentricity $, a number ranging from to .$

<span class="mw-page-title-main">Elliptic curve</span> Algebraic curve

In mathematics, an elliptic curve is a smooth, projective, algebraic curve of genus one, on which there is a specified point $O$ . An elliptic curve is defined over a field $K$ and describes points in $K 2$ , the Cartesian product of $K$ with itself. If the field's characteristic is different from 2 and 3, then the curve can be described as a plane algebraic curve which consists of solutions $(x, y)$ for:

In mathematics, a parabola is a plane curve which is mirror-symmetrical and is approximately U-shaped. It fits several superficially different mathematical descriptions, which can all be proved to define exactly the same curves.

In vector calculus, the Jacobian matrix of a vector-valued function of several variables is the matrix of all its first-order partial derivatives. When this matrix is square, that is, when the function takes the same number of variables as input as the number of vector components of its output, its determinant is referred to as the Jacobian determinant. Both the matrix and the determinant are often referred to simply as the Jacobian in literature.

<span class="mw-page-title-main">Cubic function</span> Polynomial function of degree 3

In mathematics, a cubic function is a function of the form $that is, a polynomial function of degree three. In many texts, the coefficients a, b, c, and d are supposed to be real numbers, and the function is considered as a real function that maps real numbers to real numbers or as a complex function that maps complex numbers to complex numbers. In other cases, the coefficients may be complex numbers, and the function is a complex function that has the set of the complex numbers as its codomain, even when the domain is restricted to the real numbers.$

<span class="mw-page-title-main">Barycentric coordinate system</span> Coordinate system that is defined by points instead of vectors

In geometry, a barycentric coordinate system is a coordinate system in which the location of a point is specified by reference to a simplex. The barycentric coordinates of a point can be interpreted as masses placed at the vertices of the simplex, such that the point is the center of mass of these masses. These masses can be zero or negative; they are all positive if and only if the point is inside the simplex.

In mathematics, divided differences is an algorithm, historically used for computing tables of logarithms and trigonometric functions. Charles Babbage's difference engine, an early mechanical calculator, was designed to use this algorithm in its operation.

In geometry, Plücker coordinates, introduced by Julius Plücker in the 19th century, are a way to assign six homogeneous coordinates to each line in projective 3-space, . Because they satisfy a quadratic constraint, they establish a one-to-one correspondence between the 4-dimensional space of lines in and points on a quadric in . A predecessor and special case of Grassmann coordinates, Plücker coordinates arise naturally in geometric algebra. They have proved useful for computer graphics, and also can be extended to coordinates for the screws and wrenches in the theory of kinematics used for robot control.

In economics, an ordinal utility function is a function representing the preferences of an agent on an ordinal scale. Ordinal utility theory claims that it is only meaningful to ask which option is better than the other, but it is meaningless to ask how much better it is or how good it is. All of the theory of consumer decision-making under conditions of certainty can be, and typically is, expressed in terms of ordinal utility.

In geometry, the Hessian curve is a plane curve similar to folium of Descartes. It is named after the German mathematician Otto Hesse. This curve was suggested for application in elliptic curve cryptography, because arithmetic in this curve representation is faster and needs less memory than arithmetic in standard Weierstrass form.

In Euclidean geometry, the intersection of a line and a line can be the empty set, a point, or another line. Distinguishing these cases and finding the intersection have uses, for example, in computer graphics, motion planning, and collision detection.

<span class="mw-page-title-main">Edwards curve</span>

In mathematics, the Edwards curves are a family of elliptic curves studied by Harold Edwards in 2007. The concept of elliptic curves over finite fields is widely used in elliptic curve cryptography. Applications of Edwards curves to cryptography were developed by Daniel J. Bernstein and Tanja Lange: they pointed out several advantages of the Edwards form in comparison to the more well known Weierstrass form.

In mathematics, the Jacobi curve is a representation of an elliptic curve different from the usual one defined by the Weierstrass equation. Sometimes it is used in cryptography instead of the Weierstrass form because it can provide a defence against simple and differential power analysis style (SPA) attacks; it is possible, indeed, to use the general addition formula also for doubling a point on an elliptic curve of this form: in this way the two operations become indistinguishable from some side-channel information. The Jacobi curve also offers faster arithmetic compared to the Weierstrass curve.

In mathematics, the doubling-oriented Doche–Icart–Kohel curve is a form in which an elliptic curve can be written. It is a special case of Weierstrass form and it is also important in elliptic-curve cryptography because the doubling speeds up considerably. It has been introduced by Christophe Doche, Thomas Icart, and David R. Kohel in Efficient Scalar Multiplication by Isogeny Decompositions.

In mathematics, the Montgomery curve is a form of elliptic curve introduced by Peter L. Montgomery in 1987, different from the usual Weierstrass form. It is used for certain computations, and in particular in different cryptography applications.

The tripling-oriented Doche–Icart–Kohel curve is a form of an elliptic curve that has been used lately in cryptography; it is a particular type of Weierstrass curve. At certain conditions some operations, as adding, doubling or tripling points, are faster to compute using this form. The Tripling oriented Doche–Icart–Kohel curve, often called with the abbreviation 3DIK has been introduced by Christophe Doche, Thomas Icart, and David R. Kohel in

In algebraic geometry, the twisted Edwards curves are plane models of elliptic curves, a generalisation of Edwards curves introduced by Bernstein, Birkner, Joye, Lange and Peters in 2008. The curve set is named after mathematician Harold M. Edwards. Elliptic curves are important in public key cryptography and twisted Edwards curves are at the heart of an electronic signature scheme called EdDSA that offers high performance while avoiding security problems that have surfaced in other digital signature schemes.

Elliptic curve scalar multiplication is the operation of successively adding a point along an elliptic curve to itself repeatedly. It is used in elliptic curve cryptography (ECC). The literature presents this operation as scalar multiplication, as written in Hessian form of an elliptic curve. A widespread name for this operation is also elliptic curve point multiplication, but this can convey the wrong impression of being a multiplication between two points.

<span class="mw-page-title-main">Intersection (geometry)</span> Shape formed from points common to other shapes

In geometry, an intersection is a point, line, or curve common to two or more objects. The simplest case in Euclidean geometry is the line–line intersection between two distinct lines, which either is one point or does not exist. Other types of geometric intersection include:

In coordinate geometry, the Section formula is a formula used to find the ratio in which a line segment is divided by a point internally or externally. It is used to find out the centroid, incenter and excenters of a triangle. In physics, it is used to find the center of mass of systems, equilibrium points, etc.

References

↑ "Twisted Hessian curves" . Retrieved 28 February 2010.

http://hyperelliptic.org/EFD/g1p/auto-twistedhessian.html

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Twisted Hessian curves" . Retrieved 28 February 2010.

[1]