Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products

Transcription

1 1 Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products David Kohel Institut de Mathématiques de Luminy International Workshop on Codes and Cryptography 2011 Qingdao, 2 June 2011

2 Elliptic curve scalar multiplication The cryptographic use of elliptic curves over finite fields in place of the multiplicative group of a finite field in cryptography, in an ElGamal or Diffie Hellman protocol, is based on performance relative to security. For the same security level, one can take a significantly smaller sized field which compensates for the additional complexity of elliptic curve operations. On the other hand, the additional complexity of addition on elliptic curves leaves room for more sophisticated ideas for minimizing its cost. In the Diffie Hellman protocol, it suffices to have a scalar multiplication P np, rather than a group. Here we focus on the arithmetic of the Kummer curve and split Kummer surface K 1 = E/ 1, and K 2 = E E/ ( 1, 1). which admit scalar multiplications (induced from E). 2

3 Montogomery scalar multiplication Let A be an additive abelian group and M 2 (Z) End(A 2 ), such that ( ) a b α(x, y) = (ax + by, cx + dy) where α = c d Define endomorphisms σ by σ(x, y) = (y, x) and ϕ i by ( ) ( ϕ = ϕ 0 =, and ϕ = σ ϕ σ = 1 1 The Montgomery ladder for scalar multiplication by an integer n is expressed on A 2 by the recursion v r = (x, 0) and v i = ϕ ni (v i+1 ) for i = r 1,..., 1, 0, ), where n has binary representation n r 1... n 1 n 0. 3

4 Montogomery endomorphism The successive steps v i in the ladder are of the form ((k + 1)x, kx) and v 0 = (nx, (n 1)x), from which we output nx. We refer to ϕ (= ϕ 0 and ϕ 1 ) as the Montgomery endomorphism(s). Example. For n = 13 = , we have (x, 0) ϕ 1 (2x, x) ϕ 1 (4x, 3x) ϕ 0 (7x, 6x) ϕ 1 (13x, 12x) Moreover, since 1 is an automorphism in the center of M 2 (Z), an endomorphism of A 2 also acts on the quotient A 2 / 1. In particular, we will derive expressions for certain endomorphisms of the split Kummer surface associated to an elliptic curve E (as a means of computing ϕ), when E is in Edwards normal form. 4

5 5 Montgomery endomorphism factorizations There exists a close relation between the Montgomery endomorphism ϕ and another endomorphism ρ: ( ) ( ) ϕ = and ρ = Both have determinant 2, up to sign, but the symmetry properties of ρ make it more suitable for its efficient evaluation in the context of elliptic curve products. We observe that τ(x, y) = (x + y, y) determined by a single addition allows us to compute ϕ: ( ) ( )( )( ) ϕ 1 = = τ σ ρ =, and ϕ = σ ϕ 1 σ (where the cost of σ is trivial).

6 Application to Kummer quotients Prior work has considered Montgomery addition in relation to the Kummer curves (of a Weierstrass model): K 1 = E/{±1} = P 1, determined by the quotient π(= x) : E K 1. Such work is usually expresses as operating only on the x-coordinate. Caution: Due to an unfortunate choice of coordinate names, an Edwards curve has the traditional roles of the functions x and y reversed: x is anti-invariant and y invariant under [ 1]. Thus for an Edwards curve, eliminating the x-coordinate refers to the Kummer quotient π(= y) : E K 1. This Kummer curve approaches focus on arithmetic of K 1 and the full quotient K1 2 ; we introduce the study of the intermediate surface K 2 : E 2 K 2 = E 2 / ( 1, 1) K 2 1 = E 2 / (±1, ±1). 6

7 Kummer quotients and endomorphisms In the study of the arithmetic of Kummer quotients, the endomorphism of E 2, ( ) 1 1 ρ = 1 1 satisfying ρ 2 = 2, plays an important role. The successive quotients, and the endomorphism ρ, give a hierarchy of commuting maps E 2 ρ E 2 ρ K 2 K 2 K 2 1 K 2 1. Note that ρ induces an endomorphism of K 2, also denoted ρ, but no such map is induced on K

8 8 Differential addition of Kummer quotients Although ρ does not extend to an endomorphism of K1 2 we obtain a system of polynomial equations in K1 2 K2 1 from the graph: Γ ρ = {( (P, Q), ρ(p, Q) ) : (P, Q) E 2} E 2 E 2, where ρ(p, Q) = (P + Q, P Q). We denote by Γ ρ the image of Γ ρ in K 2 or K 2 1. One recovers π(p + Q) by specializing this system at known points π(p ), π(q), π(p Q). Such an interpolation algorithm is called a pseudo-addition or differential addition on K 1.

9 9 Edwards model for elliptic curves In 2007, Edwards introduced a new model for elliptic curves, defined by the affine model x 2 + y 2 = a 2 (1 + z 2 ), z = xy, over any field k of characteristic different from 2. The complete linear system associated to the degree 4 model determines a nonsingular model in P 3 with identity O = (1 : 0 : a : 0): a 2 (X X2 3 ) = X2 1 + X2 2, X 0X 3 = X 1 X 2, as a family of curves over k(a) = k(x(4)). Lange and Bernstein introduced a rescaling to descend to k(d) = k(a 4 ) = k(x 1 (4)), and subsequently (with Joye, Birkner, and Peters) a quadratic twist by c, to define the twisted Edwards model with O = (1 : 0 : 1 : 0): X dx2 3 = cx2 1 + X2 2, X 0X 3 = X 1 X 2.

10 10 Edwards model factorization The (twisted) Edwards model... X dx2 3 = cx2 1 + X2 2, X 0X 3 = X 1 X 2 with O = (1 : 0 : 1 : 0) admits a factorization S (π 1 π 2 ) = id through P 1 P 1, where π 1 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 1 ) = (X 2 : X 3 ), π 2 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 2 ) = (X 1 : X 3 ), and S : P 1 P 1 P 3 is the Segre embedding S((U 0 : U 1 ), (V 0 : V 1 )) = (U 0 V 0 : U 1 V 0 : U 0 V 1 : U 1 V 1 ). Remark: The inverse morphism is [ 1](X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 1 : X 2 : X 3 ), π 2 : E P 1 = K 1 is the Kummer quotient, and π 2 (O) = (1 : 1).

11 11 Edwards addition law The remarkable property of the Edwards model is that the composition of the addition morphism µ : E E E with each of the projectons π i : E P admits a basis of bilinear defining polynomials. For µ π 1, we have { } (X0 Y 0 + dx 3 Y 3, X 1 Y 2 + X 2 Y 1 ),, (cx 1 Y 1 + X 2 Y 2, X 0 Y 3 + X 3 Y 0 ) and for µ π 2, we have { (X1 Y 2 X 2 Y 1, X 0 Y 3 + X 3 Y 0 ), (X 0 Y 0 dx 3 Y 3, cx 1 Y 1 + X 2 Y 2 ) }. Addition laws given by polynomial maps of bidegree (2, 2) are recovered by composing with the Segre embedding.

12 Models for Kummer quotients The Edwards Kummer curve K 1 = P 1 is determined by the projection π 2 to (X 0 : X 2 ), however on K 1 we denote the coordinate functions (X 0 : X 1 ). The following lemma is a consequence of the addition law projection for π 2. Lemma The duplication morphism on E induces [2] : K 1 K 1, given by (X 0 : X 1 ) ((d 1)X 4 0 d(x 2 0 X 2 1) 2 : (X 2 0 X 2 1) 2 +(d 1)X 4 1). This polynomial map is unique and determines [2] everywhere. Remark. Clearly π 2 (O) = (1 : 1) maps to itself, and the pre-image of (1 : 1) are the solutions to X 4 0 (d + 1)X 2 0X dx 4 1 = (X 2 0 dx 2 1)(X 2 0 X 2 1) = 0, which are the equations cutting out E[2]. 12

13 13 Product Kummer curve model The Segre embedding maps a projective space product P r P s into a projective space P (r+1)(s+1) 1, given by ((X 0 : : X r ), (Y 0 : : Y s )) (X 0 Y 0 : X 1 Y 0 : : X r Y s ). For the Kummer curve product, this gives S : K 2 1 = P 1 P 1 P 3 ((X 0 : X 1 ), (Y 0 : Y 1 )) (X 0 Y 0 : X 1 Y 0 : X 0 Y 1 : X 1 Y 1 ) = (U 0 : U 1 : U 2 : U 3 ). whose image is U 0 U 3 = U 1 U 2. We use this representation for S(K 2 1 ) P3 and construct K 2 as a double cover: E 2 K 2 = E 2 / ( 1, 1) S(K 2 1) = K 2 1 = E 2 / (±1, ±1).

14 14 Split Kummer surface models We now describe the embeddings of K 2 as a double cover of K 2 1. Theorem The Kummer surface K 2 has a model as a hypersurface in K 2 1 P1 given by (X 2 0 X 2 1)(Y 2 0 Y 2 1 )Z 2 0 = (X 2 0 dx 2 1)(Y 2 0 dy 2 1 )Z 2 1, with base point π(o) = ((1 : 1), (1 : 1), (1 : 0)). Under the Segre embedding S : K 2 1 P3, this determines the variety in P 3 P 1 cut out by (U 2 0 U 2 1 U U 2 3 )Z 2 0 = (U 2 0 du 2 1 du d 2 U 2 3 )Z 2 1, on the hypersurface U 0 U 3 = U 1 U 2 defining S(K 2 1 ).

15 15 Edwards Kummer quotient maps Recall that E : X dx2 3 = X2 1 + X2 2, X 0X 3 = X 1 X 3 is an Edwards elliptic curve in P 3 with identity O = (1 : 0 : 1 : 0). For a pair (P, Q) = ( (X 0 : X 1 : X 2 : X 3 ), (Y 0 : Y 1 : Y 2 : Y 3 ) ), the projection E 2 K 2 K 2 1 P 1 is given by and π 1 (P, Q) = (X 0 : X 2 ), π 2 (P, Q) = (Y 0 : Y 2 ), π 3 (P, Q) = (X 0 Y 0 : X 1 Y 1 ) = (X 2 Y 0 : X 3 Y 1 ) = (X 0 Y 2 : X 1 Y 3 ) = (X 2 Y 2 : X 3 Y 3 ) = (Z 0 : Z 1 ). After composition with the Segre embedding, we find (P, Q) (X 0 Y 0 : X 2 Y 0 : X 0 Y 2 : X 2 Y 2 ) = (U 0 : U 1 : U 2 : U 3 ).

16 16 Kummer endomorphisms Recall that our objective is to compute ϕ 0 and ϕ 1, which can be defined by ϕ 1 = τ σ ρ and ϕ = σ ϕ 1 σ. For ρ (and τ) we describe explicit polynomial maps: ((U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 )) ((V 0 : V 1 : V 2 : V 3 ), (W 0 : W 1 )), for V i and W j, for which it suffices to define: π 1 ((V 0 : V 1 : V 2 : V 3 ), (W 0 : W 1 )) = (V 0 : V 1 ) = (V 2 : V 3 ), π 2 ((V 0 : V 1 : V 2 : V 3 ), (W 0 : W 1 )) = (V 0 : V 2 ) = (V 1 : V 3 ), π 3 ((V 0 : V 1 : V 2 : V 3 ), (W 0 : W 1 )) = (W 0 : W 1 ). The image point ((V 0 : V 1 : V 2 : V 3 ), (W 0 : W 1 )) requires the composition of the Segre embedding with (π 1 ρ) (π 2 ρ).

17 17 Kummer automorphism σ Theorem The automorphism σ is given on K 2 K1 2 P1 by ((X 0 : X 1 ), (Y 0 : Y 1 ), (Z 0 : Z 1 )) ((Y 0 : Y 1 ), (X 0 : X 1 ), (Z 0 : Z 1 )), and on K 2 S(K1 2) P1, by ((U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 )) ((U 0 : U 2 : U 1 : U 3 ), (Z 0 : Z 1 )). Note. This is on O(1) algorithm (change of pointers).

18 18 Kummer endomorphism ρ Theorem The projections of the endomorphism ρ : K 2 K 2 are uniquely represented by polynomials of bidegree (1, 1), (1, 1), and (2, 0), explicitly: π 1 ρ ( (U 0 : U 1 : U 2 : U 3 ),(Z 0 : Z 1 ) ) = (U 0 Z 0 du 3 Z 1 : U 0 Z 1 + U 3 Z 0 ) π 2 ρ ( (U 0 : U 1 : U 2 : U 3 ),(Z 0 : Z 1 ) ) = (U 0 Z 0 + du 3 Z 1 : U 0 Z 1 + U 3 Z 0 ) π 3 ρ ( (U 0 : U 1 : U 2 : U 3 ),(Z 0 : Z 1 ) ) Note. This is fast. = (U 2 0 du 2 3 : U U 2 2 )

19 Kummer endomorphism τ Theorem The projections π i τ : K 2 K 1, for 1 i 2, are uniquely represented by polynomials of bidegree (1, 1) and (1, 0), π 1 τ ( (U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 ) ) = (U 0 Z 0 du 3 Z 1 : U 0 Z 1 + U 3 Z 0 ), π 2 τ ( (U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 ) ) = (U 0 : U 2 ) = (U 1 : U 3 ), and π 3 τ ( (U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 ) ) is given by any linear combination of the expressions of bidegree (2, 1): ( (U 2 0 du 2 3 )Z 0 : (U 0 U 1 U 2 U 3 )Z 0 + (U 0 U 2 du 1 U 3 )Z 1 ) ( (U0 U 2 U 1 U 3 )Z 0 + (U 0 U 1 du 2 U 3 )Z 1 : (U 2 1 U 2 2 )Z 1) Note. This is not. 19

20 A Kummer pseudo-addition for ϕ The efficient computation of ϕ 1 = τ σ ρ : K 2 K 2 and ϕ 0 = σ ϕ 1 σ using the previous theorems is hindered by the expensive computation of the one bit of information lost in the map K 2 S(K1 2 ). But so far we haven t use the special properties of the sequence of points which arise in scalar multiplication. In the application we apply this map to a sequence (P, Q) = ((k + 1)T, kt ) for a fixed point T, hence we remain on the irreducible curve T = δ (T ) = {(P, Q) E 2 δ(p, Q) = T }, where δ is the difference morphism (δ(p, Q) = P Q). We can derive more efficient algorithms based on the restrictions to T. In particular note that ϕ determines a well-defined morphism ϕ T : T T. 20

21 21 Expressing ϕ T as a conjugate duplication More precisely, each ϕ i factors through the duplication map: T [2] T. In particular, setting τ T to be the translation by T map τ T (P ) = P + T, we have taking ϕ 0 = (τ T [1]) [2] (τ T [1]) 1 (P + T, P ) (P, P ) (2P, 2P ) (2P + T, 2P ), and similarly for ϕ 1 = ([1] τ T ) 1 [2] ([1] τ T ).

22 22 A Kummer differential morphism for ϕ T Theorem Let T = (T 0 : T 1 : T 2 : T 3 ) be a fixed point of E\E[2]. Then the restriction of ϕ to T S(K1 2 ) determines a morphism ϕ T : T T defined by ϕ T (U 0 : U 1 : U 2 : U 3 ) = S((S 0, S 1 ), (R 0, R 1 )), where (S 0, S 1 ) = ((U du 2 3 )T 0 2dU 0 U 3 T 2, 2U 0 U 3 T 0 (U du 2 3 )T 2), (R 0, R 1 ) = [2](U 0 : U 2 ) = ((d 1)U 4 0 d(u 2 0 U 2 2 )2, (U 2 0 U 2 2 )2 + (d 1)U 4 2 ). Note. This is relatively fast.

23 23 Lifting back from S(K 2 1) to K 2 and E 2 Let T = (T 0 : T 1 : T 2 : T 3 ) be a fixed point in E. When T is not in E[2], the quotient K 2 S(K1 2 ) is easily seen to be injective on T. Consequently there exists a lifting back to T K 2. Algebraically, it suffices to define (Z 0 : Z 1 ), which is given by: (Z 0 : Z 1 ) = (U 0 T 0 du 3 T 2 : U 0 T 2 U 3 T 0 ). As expected, this fails if and only if (T 0 : T 2 ) = (U 0 : U 3 ) and U0 2 du 3 2 this defines the 2-torsion subgroup E[2]. Similarly, the map T T K 2 is injective on all points except E[2] T = {(P + T, P ) : P E[2]}. This gives the following theorem.

24 24 Lifting T back to E 2 Theorem For all T be in E, the quotient T T K 2 is injective for all points outside of E[2] T T. The inverse ((X 0 : X 1 : X 2 : X 3 ), (Y 0 : Y 1 : Y 2 : Y 3 )) of ((U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 )) is defined by and then (Y 0 : Y 1 ) = (Y 2 : Y 3 ) = (U 2 T 0 U 1 T 2 : U 0 T 3 U 3 T 1 ) = (U 0 T 1 du 3 T 3 : U 1 T 0 + U 2 T 2 ) (Y 0 : Y 2 ) = (Y 1 : Y 3 ) = (U 0 : U 2 ) = (U 1 : U 3 ), (X 0 : X 1 ) = (X 2 : X 3 ) = (Y 0 T 0 + dy 3 T 3 : Y 1 T 2 + Y 2 T 1 ) = (Y 1 T 1 + Y 2 T 2 : Y 0 T 3 + Y 3 T 0 ) (X 0 : X 2 ) = (X 1 : X 3 ) = (U 0 : U 1 ) = (U 2 : U 3 ),

25 25 A lifted Kummer differential morphism for ϕ T Theorem Let T = (T 0 : T 1 : T 2 : T 3 ) be a fixed point of E\E[2]. Then the morphism ϕ T : T T is defined by ((U 0 : U 1 : U 2 : U 3 ), (Z 0 : Z 1 )) ((V 0 : V 1 : V 2 : V 3 ), (W 0 : W 1 )), where (V 0 : V 1 : V 2 : V 3 ) = S((S 0, S 1 ), (R 0, R 1 )) is determined by (S 0, S 1 ) = (U 0 Z 0 du 3 Z 1 : U 0 Z 1 + U 3 Z 0 ), (R 0, R 1 ) = [2](U 0 : U 2 ) = ((d 1)U 4 0 d(u 2 0 U 2 2 )2, (U 2 0 U 2 2 )2 + (d 1)U 4 2 ), and then (W 0 : W 1 ) = (V 0 T 0 dv 3 T 2 : V 0 T 2 V 3 T 0 ). Note. This is fast (compared to one addition and one doubling)?