Inversion-free arithmetic on elliptic curves through isomorphisms

Abstract

This paper presents inversion-free formulas for the efficient implementation of a scalar multiplication over elliptic curves. Specifically, it proposes to make use of curve isomorphisms as a way to avoid the computation of inverses in point addition formulas. Interestingly, the presented techniques are independent of the model used to represent the elliptic curve and of the coordinate system used to represent the points. In particular, they apply to affine representations. Further, whereas certain inversion-free techniques are mostly limited to specific scalar multiplication algorithms, the proposed techniques apply to all scalar multiplication algorithms. The so-obtained formulas are well suited to embedded systems and can easily be combined with existing countermeasures to provide secure implementations.

Appendices

Appendix 1: Mathematical background

Let \(\mathbb {K}\) be a field. An elliptic curve E defined over \(\mathbb {K}\) is given by the Weierstraß equation

$$\begin{aligned} E :y^2 + a_1xy + a_3y= x^3 + a_2x^2 + a_4x + a_6. \end{aligned}$$

The set of points on E together with the formal point at infinity \(\varvec{O}\) form a group under the chord-and-tangent law [34, Chapter III].

Any two elliptic curves given the Weierstraß equations

$$\begin{aligned} E :y^2 + a_1xy + a_3y= x^3 + a_2x^2 + a_4x + a_6 \end{aligned}$$

and

$$\begin{aligned} E' :y^2 + a'_1xy + a'_3y= x^3 + a'_2x^2 + a'_4x + a'_6 \end{aligned}$$

are isomorphic over \(\mathbb {K}\) if and only if there exist \(u,r,s,t \in \mathbb {K}\), \(u \ne 0\), such that the linear change of variables

$$\begin{aligned} (x, y) \leftarrow (u^2x + r, u^3y + u^2sx + t) \end{aligned}$$

transforms E into \(E'\) [25, Theorem 2.2]. Such a transformation is said admissible and is the only change of variables fixing \(\varvec{O}\) and preserving the Weierstraß form. The corresponding curve parameters are related by

$$\begin{aligned} u a'_1= & {} a_1 + 2s ,\\ u^2 a'_2= & {} a_2 - sa_1 + 3r - s^2 ,\\ u^3 a'_3= & {} a_3 + ra_1 + 2t ,\\ u^4 a'_4= & {} a_4 - sa_3 + 2ra_2 - (t+rs)a_1 + 3r^2 - 2st ,\\ u^6 a'_6= & {} a_6 + ra_4 + r^2a_2 + r^3 - ta_3 - t^2 - rta_1. \end{aligned}$$

Two settings are commonly used in cryptographic applications (e.g., see [8, 15]): elliptic curves over a large prime field \(\mathbb {K}\) and non-supersingular elliptic curves over a large binary field \(\mathbb {K}\). When the characteristic of \(\mathbb {K}\) is not 2 or 3, one can without loss of generality select \(a_1 = a_2 = a_3 = 0\). Likewise, when the characteristic of \(\mathbb {K}\) is 2 (binary field), provided that the elliptic curve is non-supersingular, one can select \(a_1 = 1\) and \(a_3 = a_4 = 0\).

Appendix 2: Short Weierstraß model

Over a field of characteristic not equal to 2 or 3, the short Weierstraß model can be used to represent the points of an elliptic curve \(E_1\).

We define \(E_1: y^2 = x^3 + ax +b\) and use the notation of Sect. 2.1.

1.1 \(\hbox {iADD}\)nd \(\hbox {iADDU}\)perations

From the addition formula [Eq. (2)], letting \(\varphi := x_1 - x_2\), we get

$$\begin{aligned} \varphi ^2 x_3= & {} (y_1 - y_2)^2 - \varphi ^2 x_1 - \varphi ^2 x_2\quad \text {and}\\ \varphi ^3y_3= & {} (\varphi ^2x_1 - \varphi ^2x_3)(y_1 - y_2) - \varphi ^3y_1. \end{aligned}$$

That is, given points \(\varvec{P_1} = (x_1,y_1)\) and \(\varvec{P_2} = (x_2,y_2)\) on \(E_1\), one can easily obtain \(\varvec{\tilde{P_3}} := \varPsi _\varphi (\varvec{P_1} + \varvec{P_2}) = (\varphi ^2x_3, \varphi ^3y_3)\) on \(E_\varphi \) without inversion. In more detail, the evaluation of \(\varvec{\tilde{P_3}} = (\widetilde{x_3}, \widetilde{y_3})\) can be done as

$$\begin{aligned} \varphi= & {} x_1 - x_2, C = \varphi ^2, W_1 = x_1 C, W_2 = x_2 C,\\ D= & {} (y_1 - y_2)^2, A_1 = (W_1 - W_2)y_1,\\ \widetilde{x_3}= & {} D - W_1 - W_2, \widetilde{y_3} = (W_1 - \widetilde{x_3})(y_1 - y_2) - A_1. \end{aligned}$$

We let \(\hbox {iADD}\) denote this operation; the cost of which amounts to \(\underline{{4\mathsf {M}+2\mathsf {S}}}\) —where \(\mathsf {M}\) and \(\mathsf {S}\) denote the cost of a field multiplication and of a squaring, respectively.

Obtaining \(\varvec{\tilde{P_1}} := \varPsi _\varphi (\varvec{P_1}) = (\varphi ^2x_1, \varphi ^3y_1)\) comes from free during the course of the evaluation of \(\varvec{\tilde{P_3}}\). Indeed, we immediately have \(\varvec{\tilde{P_1}} = (\widetilde{x_1}, \widetilde{y_1})\) with

$$\begin{aligned} \widetilde{x_1} = W_1\quad \text {and}\quad \widetilde{y_1} = A_1. \end{aligned}$$

We let \(\hbox {iADDU}\) denote the operation of getting \(\varvec{\tilde{P_3}}\) together with \(\varvec{\tilde{P_1}}\); the total cost of which is \(\underline{{4\mathsf {M}+2\mathsf {S}}}\).

1.2 \(\hbox {iADDC}\)peration

Since \(-\varvec{P_2} = (x_2, -y_2)\), it follows that \(\varvec{P_1} - \varvec{P_2} = (x_3', y_3')\) satisfies

$$\begin{aligned} \varphi ^2 x_3'= & {} (y_1 + y_2)^2 - \varphi ^2 x_1 - \varphi ^2 x_2\quad \text {and}\\ \varphi ^3y_3'= & {} (\varphi ^2x_1 - \varphi ^2x_3')(y_1 + y_2) - \varphi ^3y_1. \end{aligned}$$

Hence, once \(\varvec{\tilde{P_3}}\) has been evaluated, the evaluation of \(\varvec{\tilde{P_3'}} := \varPsi _\varphi (\varvec{P_1} - \varvec{P_2}) = (\widetilde{x_3'}, \widetilde{y_3'})\) only requires an additional cost of \(1\mathsf {M}+ 1\mathsf {S}\), since

$$\begin{aligned} \widetilde{x_3'}= & {} (y_1+y_2)^2 - W_1 - W_2\quad \text {and}\\ \widetilde{y_3'}= & {} (W_1 - \widetilde{x_3'})(y_1 + y_2) - A_1. \end{aligned}$$

We let \(\hbox {iADDC}\) denote the corresponding operation, the total cost of which is \(\underline{{5\mathsf {M}+3\mathsf {S}}}\).

1.3 \(\hbox {iDBL}\)nd \(\hbox {iDBLU}\)perations

From the doubling formula [Eq. (3)], letting now \(\varphi := 2y_1\), we get

$$\begin{aligned} \varphi ^2 x_4= & {} (3 x_1^2+a)^2 - 2 \varphi ^2 x_1\quad \text {and}\\ \varphi ^3y_4= & {} (\varphi ^2x_1 - \varphi ^2x_4)(3 x_1^2+a) - \varphi ^3y_1. \end{aligned}$$

(Note here that a is the parameter on the current curve.)

That is, given points \(\varvec{P_1}\) on \(E_1\), one can obtain \(\varvec{\tilde{P_4}} := \varPsi _\varphi (2\varvec{P_1}) = (\varphi ^2x_4, \varphi ^3y_4)\) on \(E_\varphi \). In more detail, the evaluation of \(\varvec{\tilde{P_4}} = (\widetilde{x_4}, \widetilde{y_4})\) can be done as

$$\begin{aligned} B= & {} {x_1}^2, E = {y_1}^2, L = E^2,\\ M= & {} 3B + a, S = 2((x_1+E)^2 - B - L),\\ \widetilde{x_4}= & {} M^2 -2S, \widetilde{y_4} = M(S - \widetilde{x_4}) - 8L. \end{aligned}$$

We let \(\hbox {iDBL}\) denote this operation; the cost of which amounts to \(\underline{{1\mathsf {M}+ 5\mathsf {S}}}\).

Moreover, obtaining \(\varvec{\tilde{P_1}} := \varPsi _\varphi (\varvec{P_1}) = (\varphi ^2x_1, \varphi ^3y_1)\) comes from free during the course of the evaluation of \(\varvec{\tilde{P_4}}\). We have \(\varvec{\tilde{P_1}} = (\widetilde{x_1}, \widetilde{y_1})\) with \(\widetilde{x_1} = S\) and \(\widetilde{y_1} = 8L\). The corresponding operation is denoted \(\hbox {iDBLU}\).

1.4 \(\hbox {iDAU}\)peration and the likes

Let \(\varvec{R} = 2\varvec{P_1} + \varvec{P_2}\) on \(E_1\). One can easily obtain \(\varvec{\tilde{R}} := \varPsi _{\varphi }(\varvec{R})\) together with \(\varvec{\tilde{P_1}} := \varPsi _{\varphi }(\varvec{P_1})\) as \((\varvec{T}, \varvec{V}, \varphi _1) = \hbox {iADDU}(\varvec{P_1}, \varvec{P_2})\) followed by \((\varvec{\tilde{R}}, \varvec{\tilde{P_1}}, \varphi _2) = \hbox {iADDU}(\varvec{V}, \varvec{T})\), and \(\varphi = \varphi _1 \varphi _2\). A straightforward implementation requires \(2\times (4\mathsf {M}+2\mathsf {S})+1\mathsf {M}= 9\mathsf {M}+ 4\mathsf {S}\). In a way similar to [10, 11], two (field) multiplications can be traded against two squarings using the basic identity \(2AB = (A+B)^2 - A^2 - B^2\), which leads to a cost of \(\underline{{7\mathsf {M}+6\mathsf {S}}}\). Explicitly, if \(\varvec{P_1} = (x_1, y_1)\) and \(\varvec{P_2} = (x_2, y_2)\) then \(\varvec{\tilde{P_1}} = (\widetilde{x_1}, \widetilde{y_1})\) and \(\varvec{\tilde{R}} = (\widetilde{x_R}, \widetilde{y_R})\) on \(E_\varphi \) where

$$\begin{aligned} C'= & {} (x_1 - x_2)^2, W_1' = x_1C', W_2' = x_2C',\\ D'= & {} (y_1 - y_2)^2, A_1' = 2y_1(W_1' - W_2'),\\ x_3'= & {} D' - W_1' - W_2', C = (x_3' - W_1')^2,\\ y_3'= & {} (y_1 - y_2 + W_1' - x_3')^2 - D' - C - A_1',\\ \widetilde{x_1}= & {} 4W_1'C, W_2 = 4x_3'C, \widetilde{y_1} = A_1'(\widetilde{x_1} - W_2),\\ D= & {} (A_1' - y_3')^2,\\ \widetilde{x_R}= & {} D - \widetilde{x_1} - W_2, \widetilde{y_R} = (\widetilde{x_1} - \widetilde{x_R})(A_1' - y_3') - \widetilde{y_1},\\ \varphi= & {} (x_1 - x_2 + W_1' - x_3')^2 - C' - C. \end{aligned}$$

In the same way, when one wants \(\varvec{\tilde{R}} := \varPsi _{\varphi }(\varvec{R})\) together with \(\varvec{\tilde{P_2}} := \varPsi _{\varphi }(\varvec{P_2})\), the \(\hbox {iDAU}\) operation can be evaluated with \(\underline{{8\mathsf {M}+7\mathsf {S}}}\) (instead of \(10\mathsf {M}+ 5\mathsf {S}\) from a straightforward application of \(\hbox {iADDU}\) followed by \(\hbox {iADDC}\)). In more detail, with the same notations as above, one can obtain \(\varvec{\tilde{P_2}} = (\widetilde{x_2}, \widetilde{y_2})\) and \(\varvec{\tilde{R}} = (\widetilde{x_R}, \widetilde{y_R})\) on \(E_\varphi \) together with \(\varphi \) as

$$\begin{aligned} C'= & {} (x_1 - x_2)^2, W_1' = x_1C', W_2' = x_2C',\\ D'= & {} (y_1 - y_2)^2, A_1' = 2y_1(W_1' - W_2'),\\ x_3'= & {} D' - W_1' - W_2', C = (x_3' - W_1')^2,\\ y_3'= & {} (y_1 - y_2 + W_1' - x_3')^2 - D' - C - A_1',\\ W_1= & {} 4x_3'C, W_2 = 4W_1'C, A_1 = y_3'(W_1 - W_2),\\ D= & {} (y_3' - A_1')^2,\\ \widetilde{x_R}= & {} D - W_1 - W_2, \widetilde{y_R} = (W_1 - \widetilde{x_R})(y_3' - A_1') - A_1,\\ \varphi= & {} (x_1 - x_2 + x_3' - W_1')^2 - C' - C, \overline{D} = (y_3' + A_1')^2,\\ \widetilde{x_2}= & {} \overline{D} - W_1 - W_2, \widetilde{y_2} = (y_3' + A_1')(W_1 - \widetilde{x_2}) - A_1. \end{aligned}$$

When \(\varphi \) does not need to be returned, we see that one squaring is saved. In other words, \(\hbox {iDAU}^\prime \) can be evaluated with \(\underline{{8\mathsf {M}+ 6\mathsf {S}}}\).

For completeness, we describe \(\hbox {iACAU}^\prime \) as the combination of operation \(\hbox {iADDC}'\) followed by the operation \(\hbox {iADDU}^\prime \). A straightforward implementation requires \((5\mathsf {M}+ 3\mathsf {S})+(4\mathsf {M}+2\mathsf {S}) = 9\mathsf {M}+5\mathsf {S}\). However, we can mimic the trick of [10] by adding the squared difference of the x-coordinates as an input to \(\hbox {iACAU}^\prime \). This allows one to trade \(1\mathsf {M}\) against \(1\mathsf {S}\), yielding a cost of \(\underline{{8\mathsf {M}+ 6\mathsf {S}}}\). A detailed implementation follows.

The input is \(\varvec{P_1} = (x_1,y_1)\), \(\varvec{P_2} = (x_2, y_2)\), and \(C = (x_1 - x_2)^2\), and the output is \((\varvec{\tilde{R}}, \varvec{\tilde{S}}, {\tilde{C}}) = \hbox {iACAU}^\prime (\varvec{P_1}, \varvec{P_2}, C)\) with \(\varvec{\tilde{R}} = (\widetilde{x_R}, \widetilde{y_R})\), \(\varvec{S} = (\widetilde{x_S}, \widetilde{y_S})\) and where

$$\begin{aligned} (\varvec{\tilde{R}}, \varvec{\tilde{S}}) = \hbox {iADDU}\bigl (\hbox {iADDC}(\varvec{P_1}, \varvec{P_2})\bigr ) \end{aligned}$$

and \({\tilde{C}} = (\widetilde{x_R} - \widetilde{x_S})^2\).

$$\begin{aligned} W_1\leftarrow & {} x_1C, W_2 \leftarrow x_2C, D \leftarrow (y_1 - y_2)^2,\\ A_1\leftarrow & {} y_1(W_1-W_2),\\ x'_1\leftarrow & {} D - W_1 - W_2, y'_1 \leftarrow (y_1 - y_2)(W_1 - x'_1) - A_1,\\ \overline{D}\leftarrow & {} (y_1 + y_2)^2,\\ x'_2\leftarrow & {} \overline{D} - W_1 - W_2, y'_2 \leftarrow (y_1 + y_2)(W_1 - x'_2) - A_1,\\ C'\leftarrow & {} (x'_1 - x'_2)^2,\\ x_4\leftarrow & {} x'_1C', W'_2 \leftarrow x'_2C', D' \leftarrow (y'_1 - y'_2)^2,\\ y_4\leftarrow & {} 2y'_1(x_4-W'_2),\\ x_3\leftarrow & {} D' - x_4 - W'_2, \overline{C} \leftarrow (x_3 - x_4)^2,\\ y_3\leftarrow & {} (y'_1 - y'_2 + x_4 - x_3)^2 - D' - \overline{C} - y_4,\\ \widetilde{x_R}\leftarrow & {} 4x_3, \widetilde{y_R} \leftarrow 4y_3, \widetilde{x_S} \leftarrow 4x_4, \widetilde{y_S} \leftarrow 4y_4, {\tilde{C}} \leftarrow 16\overline{C}. \end{aligned}$$

Remark 3

The formulas presented in this section make use of the square-multiply replacement technique. On some architectures, depending on the cost of a field addition, this is counterproductive. We refer the reader to [21] for some dedicated optimizations.

Appendix 3: More Scalar Multiplication Algorithms

We describe in this appendix a number of scalar multiplication algorithms.

1.1 Right-to-left scalar multiplication

We review two scalar multiplication algorithms. They both process the bits of scalar k from the right to the left. Algorithm 7 is the classical right-to-left method [19]. Algorithm 8 is a dual version of the Montgomery ladder. It was proposed in [16].

1.2 Scalar multiplication with elliptic curve isomorphisms

Below are some examples of scalar multiplication algorithms when used with the methodology of elliptic curve isomorphisms.