Elliptic curves in Huff s model

Transcription

1 Elliptic curves in Huff s model Hongfeng Wu 1, Rongquan Feng 1 College of Sciences, North China University of Technology, Beijing 1001, China whfmath@gmailcom LMAM, School of Mathematical Sciences, Peking University, Beijing , China fengrq@mathpkueducn Abstract The general Huff curves which contains Huff s model as a special case is introduced in this paper It is shown that every elliptic curve with three points of order is isomorphic to a general Huff curve Some fast explicit formulae for general Huff curves in projective coordinates are presented These explicit formulae for addition and doubling are almost as fast as they are for the Huff curves in [9] Finally, the number of isomorphism classes of general Huff curves defined over a finite field is enumerated Keywords: elliptic curve, Huff curve, isomorphism classes, scalar multiplication, cryptography 1 Introduction The elliptic curve cryptosystem was independently proposed by Koblitz [10] and Miller [1] which relies on the difficulty of discrete logarithmic problem in the group of rational points on an elliptic curve One of the main operations and challenges in elliptic curve cryptosystems is the scalar multiplication Supported by NSF of China (No ) 1

2 The speed of scalar multiplication plays an important role in the efficiency of the whole system Elliptic curves can be represented in different forms To obtain faster scalar multiplications, various forms of elliptic curves have been extensively studied in the last two decades Some important elliptic curve families include Jacobi intersections, Edward curves, Jacobi quartics, Hessian curves etc Details of previous works can be found in [1, 3, 9] Recently, Joye, Tibouchi, and Vergnaud [9] revisit a model for elliptic curves over Q introduced by Huff [8] in 198 They presented fast explicit formulae for point addition and doubling on Huff curves They also addresses in [9] the problem of the efficient evaluation of pairings over Huff curves such as completeness and independence of the curve parameters In order to study the elliptic curve cryptosystem, one need first to answer how many curves there are up to isomorphism, because two isomorphic elliptic curves are the same in the point of cryptographic view So it is natural to count the isomorphism classes of some kinds of elliptic curves Some formulae about counting the number of the isomorphism classes of general elliptic curves over a finite field can be found in literatures, such as [6, 11, 13, 1] In this paper, the general Huff curves x(ay 1) = y(bx 1) which contains Huff curves ax(y 1) = by(x 1) as a special case is introduced We show that every elliptic curve with three points of order is isomorphic to a general Huff curve Some fast explicit formulae for general Huff curves in projective coordinates are presented These explicit formulae for addition and doubling are almost as fast in the general case as they are for the Huff curves Finally, the number of isomorphism classes of general Huff curves and Huff curves defined over a finite field is enumerated Throughout this paper, K will be a filed and F q a finite field with q elements The algebraic closure of K is denoted by K General Huff curves In [9], Joye, Tibouchi, and Vergnaud developed an elliptic curve model introduced by Huff [8] in 198 to study a diophantine problem The Huff s model for elliptic curves is given by the equation ax(y 1) = by(x 1) They also presented addition formula on Huff curves Using (0, 0, 1) as the neutral element, the addition formula was given by ( (x1 + x )(1 + x 1 x ) (x 1, y 1 ) + (x, y ) = (1 + x 1 x )(1 y 1 y ), (y ) 1 + y )(1 + x 1 x ) (1 x 1 x )(1 + y 1 y )

3 in affine coordinates Moreover, this addition law is unified, that is, it can be used to double a point Actually, curve families ax(y 1) = by(x 1) are included in curve families x(ay 1) = y(bx 1) We call the curve with the equation x(ay 1) = y(bx 1) the general Huff curve For the general Huff curve H a,b : x(ay 1) = y(bx 1), if a = µ and b = ν are square elements of the field K, and let x = νx and y = µy, then µx (y 1) = νy (x 1) That is, curve families ax(y 1) = by(x 1) are part of curve families x(ay 1) = y(bx 1) with a, b are square elements of the field K Note that H a,b : x(ay 1) = y(bx 1) is a smooth elliptic curve if ab(a b) 0 Let F (X, Y, Z) := axy bx Y XZ + Y Z, then the Hessian of the curve F (X, Y, Z) = 0 is H(F ) = F XX F XY F XZ F Y X F Y Y F Y Z F ZX F ZY F ZZ = 8 by (ay bx) Z (ay bx) ax Z Z Z (X Y ) where F XY is the second partial derivative of the polynomial F with respect to X and Y Since the general Huff curve is smooth, the inflection points of F are the intersection points of F and H(F ) Hence, it is clear that (0, 0, 1) is an inflection point and there is no inflection points with Z = 0 Theorem 1 Let K be a field of characteristic, and let a, b K with a b Then the curve is isomorphic to the elliptic curve H a,b : X(aY Z ) = Y (bx Z ) V W = U(U + aw )(U + bw ) via the change of variables ϕ(x, Y, Z) = (U, V, W ), where U = bx ay, V = (b a)z, and W = Y X The inverse change is ψ(u, V, W ) = (X, Y, Z), where X = U + aw, Y = U + bw, and Z = V Proof From U = bx ay, V = (b a)z, and W = Y X, we have V W = (b a) (Y X)Z and U(U +aw )(U +bw ) = (b a) XY (bx ay ) Therefore, V W = U(U + aw )(U + bw ) since X(aY Z ) = Y (bx Z ) 3,

4 On the other hand, since V W = U(U +aw )(U +bw ), X = U +aw, Y = U + bw, and Z = V, we have W = X Y ay bx and U = Therefore, a b a b Z (X Y ) = XY (ay bx), that is, X(aY Z ) = Y (bx Z ) Obviously, the maps ϕ and ψ are mutually inverse to each other For the affine edition, the general Huff curve x(ay 1) = y(bx 1) is isomorphic to y = x(x + a)(x + b) over K Tt was proposed in [7] that an elliptic curve E over an algebraic number field K contains a copy of Z/Z Z/Z if and only if E admits one of the normal forms y = x(x a)(x b), where a, b K and ab(a b) 0, and E over K contains a copy of Z/Z Z/Z if and only if E admits one of the normal forms y = x(x + (a + 1)x + (a 1) )), where a K and a 0, ±1 Noting that y = x(x + (a + 1)x + (a 1) )) = x(x + (a + 1) )(x + (a 1) ), E contains a copy of Z/Z Z/Z if and only if E admits one of the normal forms y = x(x + t )(x + (t + ) ), where t K and t 0, 1, For any a, b K with a b, let u = b a and t = a b a, then t u = a and t + = b Since y = x(x + t )(x + (t + ) ) is isomorphic to ( y u u 3 ) = x u ( x u +( t u ) )( x u +(t + u ) ), and then is isomorphic to y = x(x+a )(x+b ), E contains a copy of Z/Z Z/Z if and only if E is isomorphic over K to a Huff curve ax(y 1) = by(x 1) Therefore we give another proof of Theorem in [9] Note that the j-invariant of the curve x(ay 1) = y(bx 1) is 8 (a ab + b ) 3, and the j-invariant of the curve ax(y 1) = by(x 1) a b (a b) is j = 8 (a a b + b ) 3 a b (a b ) 1 Huff curves and twisted Jacobi intersections curves Twisted Jacobi intersections elliptic curves were introduced in [5] A twisted Jacobi intersections elliptic curve over the field K is defined by the affine equations au + v = 1, bu + w = 1 or by the projective equations au + V = Z, bu + W = Z, where a, b K with ab(a b) 0 In [5], it was shown that a twisted Jacobi intersections curve E a,b : au + v = 1, bu + w = 1 with ab(a b) 0 is a smooth curve and is isomorphic to an elliptic curve y = x(x a)(x b) over K However, every elliptic curve over K having three K-rational points of order is isomorphic to

5 a twisted Jacobi intersections curve Since the general Huff curve H a,b : x(ay 1) = y(bx 1) is isomorphic to y = x(x + a)(x + b) over K, the general Huff curve H a,b : x(ay 1) = y(bx 1) is isomorphic to a twisted Jacobi intersections curve au + v = 1, bu + w = 1 Especially, a Huff curve ax(y 1) = by(x 1) is isomorphic to a twisted Jacobi intersections curve a u + v = 1, b u + w = 1 Actually, as proposed in [9], Huff [8] considered rational distance sets S with some forms Such a point must then satisfy the equations x +a = u and x +b = v with u, v Q The system of associated homogeneous equations x +a z = u and x +b z = v defines a curve of genus 1 in P 3 This homogeneous equations is just a twisted Jacobi intersections curve a z + u = x, b z + v = x It is smooth if and only if a b and ab 0 according to Theorem 1 in [5] Huff curves and twisted Edwards curves In [] it is proved that every Edwards curve E d : x + y = 1 + dx y is birationally equivalent to a Montogomery curve M A,B : By = x 3 + Ax + x via ( x ϕ : M (1+d) 1 d, d E d with (x, y) 1 d y, x 1 ) x + 1 The map is not defined everywhere However, this maps can be extended to give an everywhere-defined isomorphism between the respective desingularized projective models The extended map takes the neutral element to the neutral element, hence, ϕ and ϕ 1 commute with the group structures Moreover, the twisted Edwards curve E a,d : ax +y = 1+dx y is isomorphic to M (a+d) (a d), (a d) to M a +b, 1 ab ab Since the Huff curve ax(y 1) = by(x 1) is isomorphic : 1 ab y = x 3 + a +b ab x + x, the Huff curve ax(y 1) = by(x 1) is isomorphic to the Edwards curve E ( a b a+b ) : x + y = 1 + ( a b a+b ) x y 3 Enumeration of isomorphism classes Let E be an elliptic curve over a field K given by a Weierstrass equation E : Y = X 3 + a X + a X + a 6 5

6 with a, a, a 6 K An admissible change of variables defined over an extension field L/K in a Weierstrass equation is one of the form X = u X + r and Y = u 3 Y with u, r L and u 0 The elliptic curves E 1 /K and E /K are said to be isomorphic over L, denote by E 1 =L E, if there is an admissible change of variables defined over L transforming E 1 to E Let E 1 /K : Y = X 3 + a X + a X + a 6 and E /K : Y = X 3 + a X + a X + a 6 be two elliptic curves defined over K It is well known from the definition that E 1 =L E if and only if there exists u, r L and u 0 satisfy the following equations u a = a + 3r, u a = a + ra + 3r, u 6 a 6 = a 6 + ra + r a + r 3 Note that E 1 and E are isomorphic over K if and only if j(e 1 ) = j(e ) If K = F q is a finite field, then the statement is not true We have only j(e 1 ) = j(e ) if E 1 and E are isomorphic over F q The reader is referred to [15] for more results on the isomorphism of elliptic curves The Legendre elliptic curve over K is defined as E λ : y = x(x 1)(x λ), where λ K It is clear that the Legendre curve E λ is nonsingular for λ 0, 1 The points O, (0, 0), (1, 0), and (λ, 0) are all the -division points, that is, the points of order The j-invariant of E λ is j(e λ ) = 8 (λ λ+1) 3 λ (λ 1) In this section, let K = F q It is clear that any general Huff elliptic curve is isomorphic to a Legendre curve over the algebraic closure F q From the enumeration result of the isomorphism classes of Legendre curves over F q ([6]), we have the following theorem Theorem 31 Suppose F q is a finite field with q elements and char(f q ), 3 Let N q denote the number of F q -isomorphism classes of general Huff curves H a,b : x(ay 1) = y(bx 1)(which is the same as the Huff curves ax(y 1) = by(x 1)) defined over F q with ab(a b) 0 Then q + 5, if q 1, 7 (mod 1), N q = 6 q + 1, if q 5, 11 (mod 1) 6 6 (1)

7 31 F q -isomorphism classes of Huff curves Since ax(y 1) = by(x 1) is F q -isomorphic to y = x(x + a )(x + b ), it is also F q -isomorphic to y = x(x 1)(x (1 t )) by (x, y) (x/a +1, y/a 3 ), where t = b/a Lemma 3 The Huff curves ax(y 1) = by(x 1) with a, b F q and ab(a b) 0 (or curves y = x(x 1)(x (1 t )) with t F q and t 0, 1) are isomorphic to Legendre curves y = x(x 1)(x λ) with at least one of λ, 1 λ is a square element over F q The following lemma can be gotten easily Lemma 33 Suppose that F q ( is ) a finite field ( with ) char(f q ) > 3 Let N(s, t) be the number of a F q with = s and = t Then a q 1 a q q 1, if q 1(mod ), N( 1, 1) = q + 1, if q 3(mod ) Firstly, assume that q 1(mod ) According to [6], we can divide the Legendre elliptic curves E b : y = x(x 1)(x b) with b 0, 1, into the following disjoint sets H 1, H, H 3 and H, where { ( ) ( ) } H 1 = y b 1 b = x(x 1)(x b) = = 1, q q { ( ) ( ) } H = y b 1 b = x(x 1)(x b) = 1, = 1, H 3 = H = { ( ) ( y b = x(x 1)(x b) = 1, q { ( ) ( y = x(x 1)(x b) = 1, q b q q 1 b q 1 b q ) } = 1, ) } = 1 From Lemma 33, we get that H 1 = q 5 and H = H 3 = H = q 1 Therefore, We know from [6] the Legendre curves from the 3 distinct sets H 1, H H 3 and H can not be F q -isomorphic to each other let N q,h be the number of F q -isomorphism classes of Legendre elliptic curves H Then we have ([6]) q 1, if q 1, 17 (mod ), 8 N q,h = q + 3, if q 5, 13 (mod ) 8 7

8 Secondly, assume that q 3(mod ) The number of Legendre curves E λ : y = x(x 1)(x b) with b and 1 b are non-square elements equals to q+1 From [6], the number of curves isomorphic to a given curve with both b and 1 b are non-square elements equals to 3 if the j-invariant j 0, and equals to otherwise But j = 0 occurs only when q 7(mod 1) Therefore, the number of F q -isomorphism classes of Huff curves equals to ( q + 1 ( q + 1 )/3 + 1 = q + 5, if q 7 (mod 1), 1 )/3 = q + 1, if q 11 (mod 1) 1 By subtracting above numbers from the number of F q -isomorphism classes of Legendre curves ([6]), we have the following enumeration result Theorem 3 Suppose F q is a finite field with q elements and char(f q ) > 3 Let N q be the number of F q -isomorphism classes of Huff curves ax(y 1) = by(x 1) defined over F q with ab(a b) 0 Then q + 5, if q 1 (mod 1), 6 q + 1, if q 5 (mod 1), 6 N q = q + 1, if q 7 (mod 1), q 3, if q 11 (mod 1) 3 F q -isomorphism classes of general Huff curves In order to enumerate the F q -isomorphism classes of general Huff curves, it is sufficient to count the F q -isomorphism classes of elliptic curves of the form B a,b : y = x(x a)(x b) For any elliptic curve y = x 3 +ax+b defined over F q, the number of elliptic curves which are F q -isomorphic to y = x 3 + ax + b equals to ([11]) q 1, if a = 0 and q 1 ( mod 3), 6 q 1, if b = 0 and q 1 ( mod ), q 1, otherwise 8

9 Let E be an elliptic curve with at least one order point then by moving this point to (0, 0) it can be changed to the form E a,b : y = x 3 + ax + bx The j-invariant of E a,b is 56(a 3b) 3 Note that j(e b (a b) a,b) = 0 if and only if a = 3b, and j(e a,b ) = 178 if and only if a(9b a ) = 0 since E a,b is isomorphic to the elliptic curve y = x (a 3b)x + (1/)a(9b a ) Every order point admits this change, hence, the number of elliptic curves which is F q isomorphic to E a,b equals to q 1, if j = 0 and q 1 (mod 3), 3(q 1), if j = 178 and q 1 (mod ), 3(q 1), otherwise if the curve has three order points The number of elliptic curves with three order points equals to (q 1)(q ) since they admit the normal forms y = x(x a)(x b) Hence, the number of elliptic curves with only one order points equals to q(q 1) (q 1)(q ) (q 1) = q(q 1) The number of elliptic curves E a,b : y = x 3 + ax + bx with j(e a,b ) = 0 equals to q 1 since j(e a,b ) = 0 if and only if a = 3b Thus, if it possess three order points then ( ) ( ) ( a b b 3 1 = = = q q q Hence, the number of elliptic curves E a,b : y = x 3 + ax + bx possess three order points with j(e a,b ) = 0 equals to (q 1) if q 1 (mod 3), and equals to 0 if q (mod 3) Similarly, j(e a,b ) = 178 if and only if a(9b a ) = 0 and then if and only if b = (a/3) Therefore, the number of elliptic curves E a,b : y = x 3 + ax + bx with j(e a,b ) = 178 equals to (q 1) + (q 1) = (q 1) Thus, if it possess three order points then a b is a square element in F q From 9b = a we have a b = b/ = (a/3) Hence, the number of elliptic curves E a,b : y = x 3 + ax + bx possess three order points with j(e a,b ) = 178 equals to 3(q 1) Thus, the number of elliptic curves E a,b : y = x 3 + ax + bx which possess three order points with j(e a,b ) 0, 178 equals to ) (q 1)(q 7), if q 1 (mod 3), (q 1)(q 5), if q (mod 3) 9

10 By the above argument, the number of F q -isomorphism classes of elliptic curves B a,b : y = x(x a)(x b) defined over F q equals to q 1 q 1 + 3(q 1) 3(q 1) + (q 1)(q 7) 3(q 1) = q if q 1 (mod 1) Other cases can be computed similarly Therefore we have the following theorem Theorem 35 Let F q be a finite field with q elements and char(f q ) > 3 Let N q denote the number of F q -isomorphism classes of x(ay 1) = y(bx 1) defined over F q with ab(a b) 0 Then q + 5, if q 1 (mod 1), 3 q + 1, if q 5 (mod 1), N q 3 = q +, if q 7 (mod 1), 3 q, if q 11 (mod 1) 3 Arithmetic on general Huff curves Let C be a nonsingular cubic curve defined over a field K, and let O be a point on C(K) For any two points P and Q, the line through P and Q meets the cubic curve C at one more point, denoted by P Q With a point O as zero element and the chord-tangent composition P Q we can define the group law P + Q by P + Q = O(P Q) on C(K) making C(K) into an abelian group with O as zero element and P = P (OO) If O is an inflection point then P = P O and OO = O 1 The addition law on general Huff curves Let the line joining P = (x 1, y 1 ) and Q = (x, y ) be y = y 1 + λ(x x 1 ) = λx + µ, where λ is the slope of the line Substituting this expression for y 10

11 into the Huff equation x(ay 1) = y(bx 1), we get x(a(λx + µ) 1) = (λx + µ)(bx 1), that is, (aλ bλ)x 3 + (aλµ bµ)x + (aµ + λ 1)x + µ = 0 Let P Q = (x 3, y 3 ), then Hence, Noting that aλµ bµ x 1 + x + x 3 = aλ bλ x 3 = x 1 + x + [a(y y 1 ) b(x x 1 )](x y 1 x 1 y ) (y y 1 )(a(y y 1 ) b(x x 1 )) we have (a(y y 1 ) b(x x 1 ))(x + x 1 )y 1 y = (a(x 1 y + x 1 y x y 1 x 1 y 1 ) bx + bx 1) y 1 y = (ax y bx y )y 1 (ax 1 y 1 bx 1y 1 )y + a(x 1 y x y 1 )y 1 y = (x y )y 1 (x 1 y 1 )y + a(x 1 y x y 1 )y 1 y = (x 1 y x y 1 )(ay 1 y 1), x 3 = x 1 + x a(x 1 + x )y 1 y ay 1 y 1 From we get = x 1 + x + x 1y x y 1 a(x 1 + x )y 1 y y 1 y ay 1 y 1 = x 1y 1 x y a(x 1 + x )y 1 y y 1 y ay 1 y 1 + (a(y y 1 ) b(x x 1 ))(x + x 1 )y 1 y (y 1 y )(ay 1 y 1) (y 1 y ) (ax 1 x (y 1 + y ) + (x 1 + x )) = (ax 1 y 1 + y 1 )x (ax y + y )x 1 + (x 1 y 1 x y ) = (bx 1y 1 + x 1 )x (bx y + x )x 1 + (x 1 y 1 x y ) = bx 1 x ((x 1 y 1 x y )) + (x 1 y 1 x y ) = (x 1 y 1 x y )(bx 1 x + 1), x 1 y 1 x y = ax 1x (y 1 + y ) + (x 1 + x ) y 1 y bx 1 x ()

12 Furthermore, from formula () we get x 3 = ax 1x (y 1 + y ) + (x 1 + x ) a(x 1 + x )y 1 y bx 1 x + 1 ay 1 y 1 = (ax 1x (y 1 + y ) + (x 1 + x ))(ay 1 y 1) a(x 1 + x )y 1 y (bx 1 x + 1) (bx 1 x + 1)(ay 1 y 1) (3) Again from (ax 1 x (y 1 + y ) + (x 1 + x ))(ay 1 y 1) a(x 1 + x )y 1 y (bx 1 x + 1) = a x 1 x (y 1 + y )y 1 y ax 1 x (y 1 + y ) (x 1 + x ) ab(x 1 + x )x 1 x y 1 y = a(ax 1 y 1x y + ax y x 1 y 1 bx 1y 1 x y bx y x 1 y 1 ) ax 1 x (y 1 + y ) (x 1 + x ) = a((x 1 y 1 )x y + (x y )x 1 y 1 ) ax 1 x (y 1 + y ) (x 1 + x ) = ax y 1 y ax 1 y 1 y (x 1 + x ) = (x 1 + x )(1 + ay 1 y ), () we have x 3 = (x 1 + x )(ay 1 y + 1) (bx 1 x + 1)(ay 1 y 1) Similarly, by symmetry we have y 3 = (y 1 + y )(bx 1 x + 1) (bx 1 x 1)(ay 1 y + 1) we claim that the third intersection point (x 3, y 3 ) of the tangent line at P has coordinates x 3 = x 1 (ay 1 + 1) (bx 1 + 1)(ay 1 1), and y 3 = Note that the slope of the tangent line at P is λ P = ay 1 bx 1 y 1 1 bx 1 ax 1 y 1 1 In order to prove the claim we need only to check ay 1 bx 1 y 1 1 bx 1 ax 1 y 1 1 = y 1 (bx 1 + 1) (bx 1 1)(ay 1 + 1) y 1 (bx 1 + 1) (bx 1 1)(ay1 + 1) y 1 x 1 (ay1 + 1) (bx 1 + 1)(ay1 1) x 1 1

13 This is true since the right side of the above equation is y 1 (bx 1 + 1) y 1 (bx 1 1)(ay1 + 1) (bx 1 + 1)(ay1 1) x 1 (ay1 + 1) x 1 (bx 1 + 1)(ay1 1) (bx 1 1)(ay1 + 1) = y 1(bx 1 + ay1 abx 1y1 + 3) (bx 1 + 1)(ay1 1) x 1 (bx 1 + ay1 abx 1y1 + 3) (bx 1 1)(ay1 + 1) = y 1(bx 1 + 1)(ay 1 1) x 1 (bx 1 1)(ay 1 + 1) = (ay 1 1)( y 1 (bx 1 + 1)) (bx 1 1)( x 1 (ay 1 + 1)) = (ay 1 1)(y 1 (bx 1 1) bx 1y 1 ) (bx 1 1)(x 1 (ay1 1) ax 1 y1) = (ay 1 1)(x 1 (ay1 1) bx 1y 1 ) (bx 1 1)(y 1 (bx 1 1) ax 1 y1) = (ay 1 1)(x 1 (ay1 bx 1 y 1 1)) (bx 1 1)(y 1 (bx 1 ax 1 y 1 1)) = x 1(ay1 1)(ay1 bx 1 y 1 1) y 1 (bx 1 1)(bx 1 ax 1 y 1 1) = ay 1 bx 1 y 1 1 bx 1 ax 1 y 1 1 = λ P Let H a,b be a general Huff curve X(aY Z ) = Y (bx Z ) We know that (0, 0, 1) is an inflection point and (1, 0, 0), (0, 1, 0) and (a, b, 0) are exactly the three infinite points from Section For any two points P = (X 1, Y 1, Z 1 ) and Q = (X, Y, Z ), the third intersection point (U 3, V 3, W 3 ) of the line joining P and Q has coordinates U 3 = (X 1 Z + X Z 1 )(bx 1 X Z 1 Z )(ay 1 Y + Z 1 Z ), V 3 = (Y 1 Z + Y Z 1 )(ay 1 Y Z 1 Z )(bx 1 X + Z 1 Z ), W 3 = (b X1X Z1Z )(a Y1 Y Z1Z ) Firstly, choose O = (1, 0, 0) as then neutral element Then for any point P = (X 1, Y 1, Z 1 ) with X 1 Y 1 Z 1 0 on the curve, the point OP = ( Z1, bx 1 Y 1, bx 1 Z 1 ) Furthermore OO = (0, 0, 1), O(a, b, 0) = (0, 1, 0), O(0, 1, 0) = (a, b, 0), O(0, 0, 1) = (1, 0, 0), and (X 1, Y 1, Z 1 ) = (X 1, Y 1, Z 1 ) Hence, let P + Q = (X 3, Y 3, Z 3 ), then X 3 = (bx 1 X Z 1 Z )(bx 1 X + Z 1 Z )(Z 1 Z ay 1 Y ), Y 3 = b(x 1 Z + X Z 1 )(bx 1 X + Z 1 Z )(Y 1 Z + Y Z 1 ), (5) Z 3 = b(x 1 Z + X Z 1 )(bx 1 X Z 1 Z )(ay 1 Y + Z 1 Z ) 13

14 The affine addition formula is ( ) (bx1 x + 1)(1 ay 1 y ) (x 1, y 1 ) + (x, y ) = b(x 1 + x )(1 + ay 1 y ), (y 1 + y )(bx 1 x + 1) (1 + ay 1 y )(bx 1 x 1) Secondly, choose O = (0, 1, 0) as the neutral element Then for any point P = (X 1, Y 1, Z 1 ) with X 1 Y 1 Z 1 0 on the curve, the point OP = (ax 1 Y 1, Z1, ay 1 Z 1 ) We also have OO = (0, 0, 1), O(a, b, 0) = (1, 0, 0), O(1, 0, 0) = (a, b, 0), O(0, 0, 1) = (0, 1, 0), and (X 1, Y 1, Z 1 ) = (X 1, Y 1, Z 1 ) Hence, letp + Q = (X 3, Y 3, Z 3 ), then X 3 = a(x 1 Z + X Z 1 )(Y 1 Z + Y Z 1 )(ay 1 Y + Z 1 Z ), Y 3 = (Z 1 Z bx 1 X )(ay 1 Y Z 1 Z )(ay 1 Y + Z 1 Z ), Z 3 = a(bx 1 X + Z 1 Z )(ay 1 Y Z 1 Z )(Y 1 Z + Y Z 1 ) The affine addition formula is ( (x1 + x )(1 + ay 1 y ) (x 1, y 1 ) + (x, y ) = (1 + bx 1 x )(ay 1 y 1), (1 bx ) 1x )(1 + ay 1 y ) a(y 1 + y )(bx 1 x + 1) Thirdly, choose O = (0, 0, 1) as the neutral element Then for any point P = (X 1, Y 1, Z 1 ) with X 1 Y 1 Z 1 0 on the curve, the point OP = (ax 1 Y 1, Z1, ay 1 Z 1 ) Now OO = (0, 0, 1) and (X 1, Y 1, Z 1 ) = (X 1, Y 1, Z 1 ) Hence, let P + Q = (X 3, Y 3, Z 3 ), then X 3 = (X 1 Z + X Z 1 )(ay 1 Y + Z 1 Z ) (Z 1 Z bx 1 X ), Y 3 = (Y 1 Z + Y Z 1 )(bx 1 X + Z 1 Z ) (Z 1 Z ay 1 Y ), (7) Z 3 = (b X1X Z1Z )(a Y1 Y Z1Z ) The affine addition formula is ( ) (x1 + x )(ay 1 y + 1) (x 1, y 1 ) + (x, y ) = (1 + bx 1 x )(1 ay 1 y ), (y 1 + y )(1 + bx 1 x ) (1 + ay 1 y )(1 bx 1 x ) The Addition Law on the Huff curve ax(y 1) = by(x 1) Let us consider the curve ax(y Z ) = by (X Z ) For any two points P = (X 1, Y 1, Z 1 ) and Q = (X, Y, Z ) on the curve, the third intersection point (U 3, V 3, W 3 ) of the line joining P and Q has coordinates ([9]) U 3 = (X 1 Z + X Z 1 )(X 1 X Z 1 Z )(Y 1 Y + Z 1 Z ), V 3 = (Y 1 Z + Y Z 1 )(Y 1 Y Z 1 Z )(X 1 X + Z 1 Z ), W 3 = (X1X Z1Z )(Y 1 Y Z1Z ) 1 (6)

15 Choose O = (1, 0, 0) as the neutral element Then for any point P = (X 1, Y 1, Z 1 ) with X 1 Y 1 Z 1 0 on the curve, the point OP = ( Z 1, X 1 Y 1, X 1 Z 1 ) Furthermore OO = (0, 0, 1), O(a, b, 0) = (0, 1, 0), O(0, 1, 0) = (a, b, 0), O(0, 0, 1) = (1, 0, 0) and (X 1, Y 1, Z 1 ) = (X 1, Y 1, Z 1 ) Hence, let P + Q = (X 3, Y 3, Z 3 ) then X 3 = (X 1 X Z 1 Z )(X 1 X + Z 1 Z )(Z 1 Z Y 1 Y ), Y 3 = (X 1 Z + X Z 1 )(X 1 X + Z 1 Z )(Y 1 Z + Y Z 1 ), Z 3 = (X 1 Z + X Z 1 )(X 1 X Z 1 Z )(Z 1 Z + Y 1 Y ) Similarly, choose O = (0, 1, 0) as the neutral element Then for any point P = (X 1, Y 1, Z 1 ) with X 1 Y 1 Z 1 0 on the curve, the point OP = (X 1 Y 1, Z 1, Y 1 Z 1 ) Now we have OO = (0, 0, 1), O(a, b, 0) = (1, 0, 0), O(1, 0, 0) = (a, b, 0), O(0, 0, 1) = (0, 1, 0), and (X 1, Y 1, Z 1 ) = (X 1, Y 1, Z 1 ) Hence, let P + Q = (X 3, Y 3, Z 3 ) then ([9]) X 3 = (X 1 Z + X Z 1 )(Y 1 Z + Y Z 1 )(Y 1 Y + Z 1 Z ), Y 3 = (X 1 X Z 1 Z )(Z 1 Z Y 1 Y )(Y 1 Y + Z 1 Z ), Z 3 = (X 1 X + Z 1 Z )(Y 1 Y Z 1 Z )(Y 1 Z + Y Z 1 ) Now we choose O = (0, 0, 1) as the neutral element Let P + Q = (X 3, Y 3, Z 3 ) then ([9]) X 3 = (X 1 Z + X Z 1 )(Y 1 Y + Z 1 Z ) (Z 1 Z X 1 X ), Y 3 = (Y 1 Z + Y Z 1 )(X 1 X + Z 1 Z ) (Z 1 Z Y 1 Y ), (10) Z 3 = (Z1Z X1X )(Z 1Z Y1 Y ) Algorithms Noting that formula (5) and (6) are symmetric to each other, we need only to consider the formula (5) in algorithms Addition on X(aY Z ) = Y (bx Z ) By formula (5), the following algorithm compute (X 3 : Y 3 : Z 3 ) = (X 1 : Y 1 : Z 1 ) + (X : Y : Z ) in 11M +3D costs, ie, 11 field multiplications and 3D constant multiplications by a, b and 1/b respectively A = X 1 X ; B = Y 1 Y ; D = Z 1 Z ; E = ba; F = ab; G = (X 1 + Z 1 )(X + Z ) A D; H = (Y 1 + Z 1 )(Y + Z ) B D; X 3 = (1/b) (E + D)(E D)(D F ); Y 3 = GH(E + D); Z 3 = G(E D)(F + D) 15 (8) (9)

16 By formula (7), the following algorithm compute (X 3 : Y 3 : Z 3 ) = (X 1 : Y 1 : Z 1 )+(X : Y : Z ) in 1M +D costs, where D are constant multiplications by a and b respectively A = X 1 X ; B = Y 1 Y ; D = Z 1 Z ; E = ba; F = ab; G = (X 1 + Z 1 )(X + Z ) A D; H = (Y 1 + Z 1 )(Y + Z ) B D; L = (D E)(D + F ); M = (D + E)(D F ); X 3 = GL(D + F ); Y 3 = HM(D + E); Z 3 = LM Doubling on X(aY Z ) = Y (bx Z ) By formula (5), the following algorithm compute (X 3 : Y 3 : Z 3 ) = (X 1 : Y 1 : Z 1 ) costs 6M + 5S + 3D, where 3D are constant multiplications by a, b and 1/b respectively A = X1; B = Y1 ; C = Z1; D = ba; E = ab; F = (X 1 + Z 1 ) A C; G = (Y 1 + Z 1 ) B C; X 3 = (D C)(D + C)(C E); Y 3 = F G(C + D); Z 3 = F (D C)(C + E) By formula (7), the following algorithm compute (X 3 : Y 3 : Z 3 ) = (X 1 : Y 1 : Z 1 ) in 7M + 5S + D costs, where D are constant multiplications by a and b respectively A = X1; B = Y1 ; C = Z1; D = ba; E = ab; F = (X 1 + Z 1 ) A C; G = (Y 1 + Z 1 ) B C; L = (E + C)(C D); M = (C + D)(C E); X 3 = LF (C + E); Y 3 = GM(C + D); Z 3 = LM The costs of addition and doubling on the Huff curve ax(y Z ) = by (X Z ) are 11M and 7M + 5S, respectively in [9] Therefore, the addition in general Huff curves X(aY Z ) = Y (bx Z ) are almost as fast as that in the curves ax(y Z ) = by (X Z ), but the general Huff curves possess more curves Tripling on X(aY Z ) = Y (bx Z ) We can get the tripling formula from addition formula when using O = 16

17 (1, 0, 0) as the neutral element Assuming that (X 3 : Y 3 : Z 3 ) = 3(X 1 : Y 1 : Z 1 ), then X 3 = X 1 (abx1y 1 ay1 Z1 bx1z 1 3Z1)(abX 1Y 1 + 3aY1 Z1 + Z1 bx1z 1) ; Y 3 = Y 1 (abx1y 1 ay1 Z1 bx1z 1 3Z1)(abX 1Y 1 + 3bX1Z 1 + Z1 ay1 Z1) ; Z 3 = Z 1 (abx1y 1 + 3aY1 Z1 + Z1 bx1z 1)(abX 1Y 1 + 3bX1Z 1 + Z1 ay1 Z1) (3abX1Y 1 + ay1 Z1 + bx1z 1 Z1) This algorithm compute (X 3 : Y 3 : Z 3 ) = 3(X 1 : Y 1 : Z 1 ) costs 10M + 6S by using temporary variables X1, Y1, Z1, Z1, X1Y 1, Y 1 Z1, X 1 Z1 Similarly, we can also get the tripling formula from addition formula when using O = (0, 0, 1) as the neutral element Assuming that (X 3 : Y 3 : Z 3 ) = 3(X 1 : Y 1 : Z 1 ), then X 3 = X 1 (Z 1 bx 1Z 1 + 3aY 1 Z 1 + abx 1Y 1 ) (3Z 1 + bx 1Z 1 + ay 1 Z 1 abx 1Y Y 3 = Y 1 (Z 1 + 3bX 1Z 1 ay 1 Z 1 + abx 1Y 1 ) (3Z 1 + bx 1Z 1 + ay 1 Z 1 abx 1Y Z 3 = Z 1 (Z 1 + 3bX 1Z 1 ay 1 Z 1 + abx 1Y 1 )(Z 1 bx 1Z 1 ay 1 Z 1 3abX 1Y (Z 1 bx 1Z 1 + 3aY 1 Z 1 + abx 1Y The following formula can be used to triple the points on general Huff curves which is independent with the curve parameter a and b X 3 = X 1 (Z 1 X 1Z 1 + 3Y 1 Z 1 + X 1Y 1 ) (3Z 1 + X 1Z 1 + Y 1 Z 1 X 1Y Y 3 = Y 1 (Z 1 + 3X 1 Z 1 Y 1 Z 1 + X 1Y 1 ) (3Z 1 + X 1Z 1 + Y 1 Z 1 X 1Y Z 3 = Z 1 (Z 1 + 3X 1 Z 1 Y 1 Z 1 + X 1Y 1 )(Z 1 X 1Z 1 Y 1 Z 1 3X 1Y (Z1 X1Z 1 + 3Y1 Z1 + X1Y 1 ) 1 ) 1 ); 1 ); This algorithm compute (X 3 : Y 3 : Z 3 ) = 3(X 1 : Y 1 : Z 1 ) in 10M + 6S + 3D costs by using temporary variables X1, Y1, Z1, Z1, X1Y 1, Y 1 Z1, X 1 Z1 References [1] D J Bernstein, and T Lange, Explicit-formulae database URL: [] D J Bernstein, P Birkner, M Joye, T Lange, and C Peters, Twisted Edwards curves, In AFRICACRYPT 008, LNCS 503, , Springer, ) 1 ); 1 ); 1 ) 17

18 [3] D J Bernstein and T Lange, Analysis and optimization of ellipticcurve single-scalar multiplication, Cryptology eprint Archive, Report 007/55 [] W Castryck, SD Galbraith and R Rezaeian Farashahi, Efficient arithmetic on elliptic curves using a mixed Edwards-Montgomery representation, eprint 008/18 [5] R Feng, M Nie and F Wu, Twisted Jacobi intersections curvestamc 010, LNCS, 6108, pp , Springer, 010 Cryptology eprint Archive, Report 009/597 [6] R Feng and H Wu, On the isomorphism classes of Legendre elliptic curves over finite fields, arxiv: , 010 [7] G Fung, H Ströher, H Williams and H Zimmer, Torsion groups of elliptic curves with integral j-invariant over pure cubic fields, Journal of Number Theory, Volume 36, Issue 1, September 1990, Pages 1-5 [8] G B Huff, Diophantine problems in geometry and elliptic ternary forms Duke Math J, 15:3-53, 198 [9] Marc Joye, Mehdi Tibouchi, and Damien Vergnaud, Huff s model for elliptic curves, In GHanrot, FMorain and E Thomé, Eds, Algorithmic Number Theory (ANTS-IX), LNCS 6197, pp 3-50, Springer, 010 [10] N Koblitz, Elliptic curve cryptosystems, Math Comp, 8(177), (1987), [11] AJ Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, 1993 [1] VS Miller, Use of elliptic curves in cryptography, Advances in Cryptology-Crypto 1985, Lecture Notes in Comp Sci, vol 18, Springer-Verlag, 1986, 17-6 [13] R Rezaeian Farashahi and I E Shparlinski On the number of distinct elliptic curves in some families, Designs, Codes and Cryptography, 83-99, Vol5, No1, 010 [1] R Schoof, Nonsigular plane cubic curves over finite field, J Combine, Theory Ser A 6(1987),

19 [15] JH Silverman, The Arithmetic of Elliptic Curves, volume 106 of Graduate Texts in Mathematics, Springer-Verlag,