INVERTED BINARY EDWARDS COORDINATES (MAIRE MODEL OF AN ELLIPTIC CURVE)

Transcription

1 INVERTED BINARY EDWARDS COORDINATES (MAIRE MODEL OF AN ELLIPTIC CURVE) by STEVEN M. MAIRE Submitted in partial fulfillment of the requirements for the degree of Master of Science Dissertation Advisor: Dr. David Singer Department of Mathematics CASE WESTERN RESERVE UNIVERSITY May, 2014

2 CASE WESTERN RESERVE UNIVERSITY SCHOOL OF GRADUATE STUDIES We hereby approve the thesis/dissertation of STEVEN M. MAIRE candidate for the Master of Science degree*. Dr. David Singer Dr. Elisabeth Werner Dr. Johnathan Duncan (date) March 25, 2014 *We also certify that written approval has been obtained for any proprietary material contained therein.

3 Dedication To my mother, Lynda O. Maire, whose lessons to me as a child came as encrypted signals, where the only cipher, is time. i

4 Contents Dedication i List of Tables iv List of Figures v Acknowledgements vi Abstract vii 1 Introduction Elliptic Curves in Cryptography Weierstrass Form: Paving the Way Weierstrass Addition Law Geometric Interpretation Algebraic Interpretation Edwards Curves: Unifying Finite Field Operations The Addition Law Geometric Interpretation Algebraic Interpretation Binary Edwards Curves: Doubling down on Deuces Building the New Shape for the Edwards Form The First Complete Addition Law Over a Binary Field ii

5 CONTENTS CONTENTS 5 Maire Model Inverted Binary Edwards The Addition Law Operations Unification Elliptic Curves in Cryptography: A Revolution Advantages of the Edwards Forms Further Research iii

6 List of Tables iv

7 List of Figures 2.1 A graph depicting the geometrical chord and tangent method of elliptic curve addtion. The solid red line denotes the addition line while the dashed line denotes reflection. (Left) distinct point addition, and (Right) point doubling A graph depicting the geometry of Edwards curve addition. The solid red line denotes the addition line while the dashed line denotes reflection. (Left) distinct point addition, and (Right) point doubling v

8 Acknowledgements I would like to thank Dr. David Singer for his knowledge and guidance througout this entire process. Without the influence and passion that he shows inside and outside the classroom, I am sure that I would never have gained the appreciation and joy that I have today for mathematics. I would also like to thank my committee for their time, and patience as well as intellectual input they have had within this process. I could not ask for a better group of mathematicians who could help guide me along my way. And last, but certainly not least, each and all of the faculty of the Department of Mathematics, Applied Mathematics, and Statistics. My career at this university has been different to say the least. I am only able to be where I am today with their continued support as an undergraduate, while oversees, and now with my pursuit as a Master s. vi

9 INVERTED BINARY EDWARDS COORDINATES (MAIRE MODEL OF AN ELLIPTIC CURVE) Abstract by STEVEN M. MAIRE Edwards curves are a fairly new way of expressing a family of elliptic curves that contain extremely desirable cryptographic properties over other forms that have been used. The most notable is the notion of a complete and unified addition law. This property makes Edwards curves extremely strong against side-channel attacks. In the analysis and continual development of Edwards curves, it has been seen in the original Edwards form that the use of inverted coordinates creates a more efficient addition/doubling algorithm. Using inverted coordinates, the field operations drop from 10M + 1S (given correctly chosen curve parameters), to 9M + 1S. The sarcrifice is the loss of completeness, but unification remains. This paper examines the use of the inverted coordinates system over the binary Edwards form, and shows the underlying advantages of this transformation. vii

10 Chapter 1 Introduction 1.1 Elliptic Curves in Cryptography Ten years after the beginning of the idea of asymmetric cryptosystems, elliptic curves came onto the scene of public key cryptography. In 1985, Neal Koblitz and Victor Miller independently came up with a scheme that implemented the algebra that exists over an elliptic curve. The Diffie-Hellman key exchange, which was originally published in 1976, based its security on the non-existence of subexponential algorithms to solve the discrete log problem. Using this as a model, Koblitz and Miller proposed the elliptic curve discrete log problem. The use of elliptic curves allowed for the same level of security as the original Diffie-Hellman algorithm, except with smaller key sizes. In utilizing the power of finite fields in computation, Koblitz and Miller were able to take advantage of the geometric, and algebraic, structure of elliptic curves in order to create a more difficult trap-door function. Although mathematically speaking, elliptic curves are a completely valid way to securing information, the implementation leaves it vulnerable to attack. In 1999, Paul Kocher along with others in [2] published one of the first type of attacks known as side-channel attacks. This class of attacks used information within the implementation to give 1

11 1.1. ELLIPTIC CURVES IN CRYPTOGRAPHY CHAPTER 1. INTRODUCTION them clues to the solution. Differential power analysis, timing analysis, acoustic cryptanalysis, and data reminiscence are all examples of how the attacker can gain information about the solution before even beginning to compute a solution through any brute force algorithm. To side-step the side-channel attacks, Harold Edwards, published his paper in 2007 that presented a form of elliptic curves (over a large prime characteristic fields) that contained an addition law on the group that was strongly unified, successfully negating the ability to gain information about secured data from the side-channel information. In the following chapter, we first begin by defining the geometric and algebraic definition of the Weierstrass form. After establishing that understanding, in chapter 3, we move directly into the contribution of Edwards as well as Bernstein and Lange through the introduction of the binary Edwards curves. In chapter 4, we examine a different map into the homogeneous coordinate system and how it can improve upon the original binary Edwards curve. 2

12 Chapter 2 Weierstrass Form: Paving the Way To define most simply, an elliptic curve is a smooth, projective algebraic curve of genus one. We begin our examination by defining this idea of an elliptic curve in the affine coordinate system (x, y) over some field K. Let us, for now, say that char(k) 2, 3, then an elliptic curve is an equation of the form: E(K) : y 2 = x 3 + Ax + B where A, B are constants in the algebraic closure the field K (although these constants are most likely within the actual field). Together with the point at infinity, denoted, the points on this curve form a group where the identity (or neutral) element is. We must ensure that the elliptic curve stated above is non singular, i.e. contains no cusps, or self-intersections. The way that we can guarantee that is by going back to the original definition of an elliptic curve. There is an assumption that an elliptic curve has genus one, ensures that the discriminant (denoted ) must not be zero. If the disciminant was zero, then we have a double root. This double root causes issues topologically because is would imply that the curve is no longer genus one, and therefore not elliptic. For this form of the elliptic curve, the discriminant is defined as: = 4A B 2 3

13 2.1. WEIERSTRASS CHAPTER ADDITION 2. WEIERSTRASS LAW FORM: PAVING THE WAY We can include characteristic 2 and 3 fields to yield more generalized form of the Weierstrass equation, which would give us an elliptic curve: y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 where a 1,..., a 6 are constants within the algebraic closure of the field K. When we begin to define the properties of an elliptic curve, we will start with the Weierstrass form, and move more generally to include fields of characteristic 2, and 3 as necessary. Now that we have a more explicit definition of what an elliptic curve will be, we can construct the addition law that makes up the group operation. 2.1 Weierstrass Addition Law Now that we have the parameters that make up the Weierstrass form of what an elliptic curve is within the affine coordinate system we can define the addition law that is found over this family of curves. We will examine these, both from the geometric as well as the algebraic perspectives. Both examinations will be important later on when we begin to transform our elliptic curve Geometric Interpretation In order to understand the addition law geometrically, we start by stating a theorem from algebraic geometry. Theorem: Bézout s Theorem. Let f, g R be nonzero polynomials of degrees m, n, respectively, that share no common factors. Let C, and D be two plane curves, described by equations f(x, Y ) = 0 and g(x, Y ) = 0 Then the total number of intersection points of C and D, including multiplicities and ideal intersections, is exactly mn. The proof of Bézout s theorem can be found in any algebraic geometry textbook, so here we omit it. When we are considering the cubic elliptic curve as defined above, we can see that a line of the form y = mx+b must intersect the curve three 4

14 2.1. WEIERSTRASS CHAPTER ADDITION 2. WEIERSTRASS LAW FORM: PAVING THE WAY Figure 2.1: A graph depicting the geometrical chord and tangent method of elliptic curve addtion. The solid red line denotes the addition line while the dashed line denotes reflection. (Left) distinct point addition, and (Right) point doubling. times. This gives us a natural place for which to define the addition law over an elliptic curve. The general standpoint of addition now can be defined by a simple process. Draw a line between two points P and Q to intersect the curve again at R. Then draw a line from the identity element ( ), through R to hit the curve once more at R. The sum of point P and Q is then R. The figures on the next page shed some light on how this type of addition works. Now, with this sense of geometry in place, we make a more formal definition of geometric addition over an elliptic curve: Definition: Geometric Addition on the Weierstrass Form. Let K be a field whose characteristic is not 2 or 3. The elliptic curve is then given in the form of the equation y 2 = x 3 + Ax + B. Let P = (x P, y P ), Q = (x Q, y Q ), and R = (x R, y R ) where P, Q, R E(K). Addition then one of the following cases: (i) If P =, then P + Q = Q. (ii) If Q =, then P + Q = P. (iii) If x P = x Q, and y P = y Q, then P + Q =. Corresponding to the vertical line between two points on the curve, going to the point at infinity. 5

15 2.1. WEIERSTRASS CHAPTER ADDITION 2. WEIERSTRASS LAW FORM: PAVING THE WAY (iv) If P = Q and y P = 0, then P + Q =. Corresponding to doubling a point whose vertical line from comes tangent to the curve. (v) Otherwise, if P = Q, then draw a line tangent to the curve at P, and connecting that point R to yields 2P = R. (vi) If P Q, then drawing the secant line between P and Q will hit the elliptic curve at an additional point R. It is easy to see the addition law is has many cases (nonunified), and handling these different cases will bring issues later. In future cases we will attempt to bring these 6 different cases together to yield more efficient addition algorithms that hold the security of the system. With this new found geometric interpretation of how addition works on elliptic curves, we can define the laws algebraically and start to build how they can be implemented in a cryptosystem Algebraic Interpretation With the understanding that we have from the construction of the additon law in previous sections, constructing the algebraic expressions to do so is fairly simple. We start again with the result of Bézout s theorem. With the knowledge that an elliptic curve, which is a cubic in Weierstrass form, intersects a straight line exactly three times, including multiplicities, gives us all the information we need to derive the addition law. Definition: Algebraic Addition on the Weierstrass Form. Let K be a field as before whose characteristic is not 2, or 3. An elliptic curve is then given as it is above, y 2 = x 3 + Ax + B. Let P = (x P, y P ), Q = (x Q, y Q ), and R = (x R, y R ) where P, Q, R E(K). Addition then is defined to be one of the following: (i) If P =, then P + Q = Q. (ii) If Q =, then P + Q = P. (iii) If x P = x Q, and y P = y Q, then P + Q =. 6

16 2.1. WEIERSTRASS CHAPTER ADDITION 2. WEIERSTRASS LAW FORM: PAVING THE WAY (iv) If P = Q and y P = 0, then P + Q =. (v) If P = Q, then 2P = R is found by: m = 3x2 P +A 2y P x R = m 2 2x P y R = m(x P x R ) y P (vi) If P Q, then P + Q = R is found by: m = y Q y R x Q x R x r = m 2 x P x Q y R = m(x P x R ) y P The proof of this is long and can be found in any cryptographic text. For this reason alone, we omit it. So now that we have an algebraic expression for the group addition law on an elliptic curve, there is a way of measuring the efficiency of the algorithm. The way that is commonplace to measure this effectiveness is counting the field multiplication and squarings. This is because the algorithms for multiplication and squaring over some fields require their own sub-method algorithms. In the case of the Weierstrass form, we can handle all of the cases that have to do with with if-then statements. Addition and subtraction within finite fields are operations that take negligible time compared to field multiplication (denoted M), squaring (S), or inversion (I). Then, these are the three different types of field operations which we would consider with respect to operational time. Field multiplication (denoted M in our analysis) is the standard, and field squaring is anywhere from 0.8M to M. We will assume these two as equal. Field inversion, on the other hand, is much more costly on the system and is approximately 100M in comparison. The Weierstrass form, then, from the above equations has a distinct point addition operations count of 2M + 1S + 1I and a point doubling operations count 2M + 2S + 1I. 7

17 2.1. WEIERSTRASS CHAPTER ADDITION 2. WEIERSTRASS LAW FORM: PAVING THE WAY From this simple analysis of how the group operations would work on the field, we can already start to see the disadvantages of the Weierstrass form. The existence of field inversion in both components of the addition law causes huge inefficiencies in the point addition and doubling. Also there exists an asymmetry between the distinct addition and doubling field operations counts. Due to this asymmetry, there have risen a class of attacks that are called side-channel attacks that were mentioned earlier. The development of elliptic curve cryptography is now dedicated to the idea of getting around these side-channel leakages. In the following section we present the discovery of Harold Edwards, and the advantages that arise from the development of the family of Edwards curves. 8

18 Chapter 3 Edwards Curves: Unifying Finite Field Operations In 2007, Harold Edwards published [3] for which he unified the work of Euler and Gauss with respect fo elliptic curves. The result of which is an elliptic curve denoted by a quartic polynomial which contains many desirable cryptographic properties. Bernstein and Lange noted these cryptographic advantages in [4], where they laid out a comparison between Edwards curves and other existing forms. We begin by stating the Edwards form of an elliptic curve as Bernstein and Lange did in their paper: Definition: Edwards (Normal) Form of an Elliptic Curve. Let K be a field in which 2 0. Let E be and elliptic curve over K such that the group E(K) has an element of order 4. Then (1) There exists d K {0, 1} such that the curve x 2 +y 2 = 1+dx 2 y 2 is birationally equivalent over K to a quadratic twist of E. (2)If E(K) has a unique element of order 2 then there is a non-square d K such that the curve x 2 + y 2 = 1 + dx 2 y 2 is birationally equivalent over K to a quadratic twist of E; and (3) If K is finite and E(K) has a unique element of order 2 then there is a non- 9

19 CHAPTER 3. EDWARDS CURVES: UNIFYING FINITE FIELD 3.1. THE ADDITION LAW OPERATIONS square d K such that the curve x 2 + y 2 = 1 + dx 2 y 2 is birationally equivalent over K to E Edwards restricts his case to when d = 1, but through the work of Bernstein and Lange in [4], the parameter d has been expanded to all cases when d K\{0, 1}. The transformation from the standard Weierstrass form to the Edwards form, is that given an elliptic curve over K with the Weierstrass form: E(K) : y 2 = (x c 4 d 1)(x 2 4c 4 d) is equivalent to the curve above through the transformation, Φ, such that: Φ : (u, v) (x, y) where, x = 2c(w c), y = 4c2 (w c)+2c(c 4 d+1)u 2 u 2 u 3 where w = v(c 2 du 2 1) Now we define the neutral group element under the transformation, as (0, c). The point (0, c) is a point of order two on the curve. The points at infinity then become two singular points (1, 0, 0) and (0, 1, 0) of the curve, and blow up into two points each [4]. From this point on we will denote the neutral element as O, the point of order two as O, and the singular elements Ω 1 and Ω 2. Now that we have the definition of the neutral group element as affine points on the curve we can begin to define the addition law over the points that lie on the curve more generally, instead of in cases as was for Weierstrass. 3.1 The Addition Law The largest advantage of the Edwards form over other forms is the idea of a generalized addition law. A strongly unified group law states that for P, Q E(K) for some field K, that group law for finding P + Q and P + P = 2P are identical. The Edwards forms unified addition law makes the idea of deciphering between 10

20 CHAPTER 3. EDWARDS CURVES: UNIFYING FINITE FIELD 3.1. THE ADDITION LAW OPERATIONS distinct addition and point doubling nearly impossible to side-channel attacks. We begin as we did before by giving some geometric sense to how the addition law works before stating the formal definition Geometric Interpretation The geometric interpretation of the addition law on an Edwards curve actually stems from the twisted Edwards curve. A twisted Edwards curve is a more generalized form of the Edwards curve, so its geometric interpretation is valid for the original Edwards form. Just as with the Weierstrass curve, we note that from Bézout s theorem that now that we have an elliptic quartic curve that intersects the parabola 8 times. Let γ be the parabola with vertical and horizontal asymtotes, that passes through three points on the elliptic curve: P, Q, and O. Then γ meets the curve five more times. Of those five times, four are at ideal points, and therefore the last is uniquely defined as R. As stated above, the singularities Ω 1 and Ω 2 are both double points of the elliptic curve. Now, just as before, we connected the point R with the neutral element in order to reflect it. The problem that occurs now is that instead of having one neutral elements, we have also have a point of order two that doubles to the group identity. Reflection will come them from connecting O and O and reflecting the point R over that line. In the case of the Edwards curve, this will involve a reflection over the y-axis as we stated above making R = (x R, y R ) from R = ( x R, y R ). Below we present graphs to help visualize the Edwards for addition law. With this understanding we can set out to now express algebraically the Edwards addition law, as well as verify that it produces points on the curve. 11

21 CHAPTER 3. EDWARDS CURVES: UNIFYING FINITE FIELD 3.1. THE ADDITION LAW OPERATIONS Figure 3.1: A graph depicting the geometry of Edwards curve addition. The solid red line denotes the addition line while the dashed line denotes reflection. (Left) distinct point addition, and (Right) point doubling Algebraic Interpretation In the Weierstrass form, there are six distinct cases for the addition law. In presenting the group addition law on the Edwards form, we will show that it is at least (i) unified, and (ii) complete when certain conditions hold. Before that, we first state the map of the addition law as presented by Edwards in [3]. Given two points (x 1, y 1 ), (x 2, y 2 ) E(K) their sum (x 1, y 1 ) + (x 2, y 2 ) is defined as: (x 1, y 1 ) + (x 2, y 2 ) ( x 1 y 2 +x 2 y 1, y 1 y 2 x 1 x 2 ) c(1+dx 1 y 1 x 2 y 2 ) c(1 dx 1 y 1 x 2 y 2 ) From this definition we see from the result of Bernstein and Lange that, in fact, this is the correct addition law corresponding to the Edwards form. Verification and proofs of this definition can be found in [4] through theorems 3.1, 3,2, and 3.3. Since there is no constraint in the theorem that x 1 x 2 or y 1 y 2, it tells us that the addition law of the Edwards form is the same for P + P and P + Q for any P, Q E(K). To get from unification to the idea of completeness, we must make one more assumption. The added assumption here is that the curve parameter d is not a perfect square within the field K. As stated in [4], when d is not a square, the Edwards addition law is complete: it is defined for all pairs of input points on the Edwards curve over K. The Edwards addition law can then be 12

22 CHAPTER 3. EDWARDS CURVES: UNIFYING FINITE FIELD 3.1. THE ADDITION LAW OPERATIONS carried out on all pairs of points on the elliptic curve and the algorithm has been distilled into the one case stated above. 13

23 Chapter 4 Binary Edwards Curves: Doubling down on Deuces In the previous sections of this paper we introduced the Edwards form, and showed that it was, indeed, birationally equivalent to the Weierstrass form. We then showed that the points on an Edwards curve over a field, K, that has prime characteristic, possessed a unified addition law. Given certain conditions (mainly that the curve parameter d was not a square in K), we could generalize that addition law into the idea of being complete. In this section we show that there exists an Edwards form that is elliptic over a binary field, and present its associated addition law. 4.1 Building the New Shape for the Edwards Form Unfortunately the form x 2 + y 2 = 1 + dx 2 y 2 that was presented by Edwards, and implemented by Bernstein and Lange is not elliptic over a binary field. In 2011, Wegner and Hutter, published in [5], an examination of finite field operations for elliptic curve cryptography and found that binary fields out performed largeprime characteristic fields in both runtime and energy usage. This makes binary 14

24 CHAPTER 4. BINARY EDWARDS CURVES: DOUBLING DOWN ON 4.1. BUILDING THE NEW SHAPE FOR THE EDWARDS FORM DEUCES fields a more natural choice for field representation in elliptic curve cryptography. The motivation here now becomes to build an elliptic curve whose addition law is unified and preferably complete. It is from this vantage point that we come to the second family of elliptic curves by Bernstein and Lange, the binary Edwards curve. In their paper from 2008, Bernstein, Lange, and Farashahi present the binary form: Definition. (Binary Edwards Form) [6] Let K be a field with char(k) = 2. Let d 1, d 2 be elements of K with d 1 0 and d 2 d d 1. The binary Edwards curve with coefficients d 1 and d 2 is the affine curve: E B,d1,d 2 : d 1 (x + y) + d 2 (x 2 + y 2 ) = xy + xy(x + y) + x 2 y 2 Now in order to create the binary Edwards form we have to go back to Weierstrass. Since char(k) = 2 the original elliptic curve form y 2 = x 3 + Ax + B will not be sufficient. Therefore we move back to the generalized Weierstrass form: y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 we have two cases which we need to handle. They are when a 1 0 and a 1 = 0. If a 1 0 then making the change of variables x = a 2 1x 1 + (a 3 /a 1 ) and y = a 3 1y 1 +a 3 1 (a 2 1a 4 +a 2 3) will change the equation to the form y 2 1 +x 1 y 1 = x 3 1+a 2x 2 1+a 6, which is a non-singular elliptic curve if and only if a 6 0. If on the other hand a 1 = 0 then the correct substitution becomes x = x 1 + a 2 and y = y 1 to obtain another form of an elliptic curve over a binary field of y a 3y 1 = x a 4x 1 + a 6. This curve is non-singular, on the other hand, when a 3 0. With these two binary elliptic curve forms we now have the ability to trace the steps of Bernstain and Lange as they did in [6] in developing the binary Edwards form. We first look how to map from the Weierstrass form of characteristic 2 into this binary form. Of the two Weierstrass forms for binary fields we choose to look at: 15

25 CHAPTER 4. BINARY EDWARDS CURVES: DOUBLING DOWN ON 4.2. THE FIRST COMPLETE ADDITION LAW OVER A BINARY FIELD DEUCES C(K) : y 2 + xy = x 3 + a 2 x 2 + a 6 with a 6 0, as stated above. Now, the map that takes the Weierstrass form to the binary Edwards form called Φ, is defined as Φ B : (x, y) (u, v) where: which is equivalent to: x = d 1(d 2 1 +d 1+d 2 )(u+v) (xy+d 1 (x+y) y = d 1 (d 2 u 1 + d 1 + d 2 )( + d xy+d 1 (x+y) 1 + 1) C(K) : d 1 (u + v) + d 2 (u 2 + v 2 ) = uv + uv(u + v) + u 2 v 2 This map though does not have a transformation for the point at infinity. Bernstein and Lange define it separately as going to (0, 0). This element, before and after the transformation, remains the neutral element of the group. With this new form being a quartic, as the original Edwards form is, we must be concerned with singularities of the curve. A point is defined as singular if both partial derivatives of the curve are zero at that point. The authors of [6] put this aside with a simple theorem that states that each binary Edwards curve is non-singular. They state immediately after the proof that there are singularities within the projective closure of the curve defined above, but that those singularities do not exist within the binary field K. They state explicitly that, These points are non-singular since the partial derivative d 1 z 2 + z + 1 does not vanish for z = 0. These blowups are defined over the smallest extension of K in which d 1 z as roots. 4.2 The First Complete Addition Law Over a Binary Field With the parameters of the curve defined as well as its relation back to the Weierstrass form, we can define the addition law on this curve. In order to move directly into the cryptographic sense, we add one more restriction. We will say that the 16

26 CHAPTER 4. BINARY EDWARDS CURVES: DOUBLING DOWN ON 4.2. THE FIRST COMPLETE ADDITION LAW OVER A BINARY FIELD DEUCES curve parameter d 2 can not be put into the form z 2 + z. The effect of this new assumption is that we take the the addition law that was originally strongly unified to completeness. Just as in the Edwards form over a prime characteristic field, we have a set of conditions that allow no special cases when doing the group addition. Before we go any deeper, we state the addition rule for complete addition: Theorem: Completeness of the addition law. Let K be a field in with char(k) = 2. Let d 1, d 2 K where d 1 0 and for any element z K, z 2 +z+d 2 = 0. The addition law for two points (x 1, y 1 ), (x 2, y 2 ) on a binary Edwards curve is defined as: (x 1, y 1 ) + (x 2, y 2 ) = (x 3, y 3 ), where x 3 = d 1(x 1 +x 2 )+d 2 (x 1 +y 1 )(x 2 +y 2 )+(x 1 +x 2 1 )(x 2(y 1 +y 2 +1)+y 1 y 2 ) d 1 +(x 1 +x 2 1 )(x 2+y 2 ) y 3 = d 1(y 1 +y 2 )+d 2 (y 1 +x 1 )(y 2 +x 2 )+(y 1 +y 2 1 )(y 2(x 1 +x 2 +1)+x 1 x 2 ) d 1 +(y 1 +y 2 1 )(y 2+x 2 ) The condition that created completeness from strongly unified is more understandable after seeing the addition law. This addition law will always be well defined as long as d 1 +(x 1 +x 2 1)(x 2 +y 2 ) and d 1 +(y 1 +y 2 1)(x 2 +y 2 ) are always nonzero. Since d 1 is nonzero by assumption, we must only ensure that (x 2 + y 2 ), (x 1 + x 2 1), and (y 1 + y 2 1) are nonzero. The proofs of these statements are non-trivial but tedious. For that reason, the reader should refer to [6] if they wish to see the proofs. With this idea of completeness more understood we can state the following theorem: Theorem. Let n be and integer such that n 3. Each non-supersingular curve over F 2 n is birationally equivalent over F 2 n to a complete binary Edwards curve. This theorem not only verifies the existence of binary Edwards curves with a complete addition law, but also that there are plenty that can be implemented. The number of curves that can utilized with this principle are found to be approximately 50% of the curves over a given field [6]. With this knowledge we now move into a transformation of the binary Edwards curve that has shown progress in elliptic forms. 17

27 Chapter 5 Maire Model The Edwards and binary Edwards form has gained much popularity since H. M. Edwards publication in Now that we have reviewed the properties of the Edwards forms and their equivalence to the standard Weierstrass form, we can begin to move into combining similar ideas that are utilized in other elliptic forms, to the Edwards form. One of the ways that was immediately sought in trying to make elliptic curve addition more efficient was the implementation of the projective coordinate system (x, y, z) for a way of eliminating field inversion. The map from the standard coordinate system to the projective is: (X, Y ) (x/z, y/z). The original curves and points can easily be found again by setting z = 1. Field inversion is by far the most difficult field operation, costing approximately forty times more algorithmically than multiplication, squaring, or addition. Converting to the projective plane was extremely advantageous and immediately algorithm times and field operations counts went down. The transformation to the projective plane above was defined by the substitution X = x/z and Y = y/z. This, though, is not the only possible way of moving into the projective plane. In [7], Bernstein and Lange took a little different path to the projective plane over a standard Edward curve. Using the inverted substitution X = z/x and Y = z/y, of that above, he found that the group had different 18

28 5.1. INVERTED BINARY EDWARDS CHAPTER 5. MAIRE MODEL structure and had the possibility of creating a more efficient algorithm. 5.1 Inverted Binary Edwards What has been done now is to work toward using that same idea into the binary Edwards curve. It has been mentioned that binary fields offer faster field multiplication and lower power than those fields of large prime characteristic. With that being said we move forward and define the Maire form of an elliptic curve: Definition: Maire Form of an Elliptic Curve. Let K be a field in which char(k) = 2. Let d 1, d 2 be elements within K such that d 1 0 and d 2 d d 1. The Maire curve with coefficients d 1 and d 2 is the projective curve E M,d1,d 2 : d 1 (x 2 y + xy 2 ) + d 2 (x 2 + y 2 )z = z(x + z)(y + z) The curve, just as with the binary Edwards curve, is symmetric in x and y, therefore if (x, y, z) is a point on the curve so is (y, x, z). Also points on the curve are part of an equivalence class in which (x, y, z) = (λx.λy, λz) for any nonzero λ K. It is for this reason that for future points on the Maire curve that we will denote them (x : y : z). Now that we have a definition of what the curve looks like we must ensure that it is nonsingular, so that it can have cryptographic usefulness. The following theorem and proof is now presented: Theorem. Each Maire curve is nonsingular. Proof. By definition, we have that the curve E M,d1,d 2 has d 1 0 and d 2 d d 1. An elliptic curve then is defined to be singular if for some (x, y, z) that all partial derivatives at that point are equal to zero. Therefore, we must look for a possible (x, y, z) such that d 1 y 2 +y+1 = 0, d 1 x 2 +x+1 = 0, and d 2 (x 2 +y 2 )+xy+1 = 0. 19

29 5.1. INVERTED BINARY EDWARDS CHAPTER 5. MAIRE MODEL Let E x, E y, E z denote the partial derivatives with respect to x, y, and z, respectively. We look at the sum of the first two partial derivatives, which represent E x + E y = 0 and see that is d 1 (x 2 + y 2 ) + x + y = 0. If x + y = 0 then x = y. If we then look at E z when x = y we see that xy = 1. This implies that x = y = 1. That is not singular because then when E z = 0, then looking at either E x or E y wee see that d 1 = 0, which is a contradiction. The remaining argument is that let x + y 0. Then we can factor out (x + y) of d 1 (x 2 + y 2 ) + x + y = 0 and get d 1 (x + y) = 1. Again we examine E z and see that since d 2 (x 2 +y 2 ) = 1+xy multiplying by d 2 1 gets us d 2 1d 2 (x 2 +y 2 ) = d 2 1(1+xy). This becomes d 2 = d 1 (d 1 + d 1 xy) after noticing d 2 1(x 2 + y 2 ) = 1. Now we multiply x by d 1 (x + y) = 1 to get d 1 x(x + y) = x. This becomes d 1 x 2 + d 1 xy = x so the partial derivative must satisfy d 2 = d 1 (d 1 + d 2 x + x). Since E y = 0 must also be satisfied then d 2 = d 1 (d 1 + 1). This is a contradiction of the assumption d 2 d d 1, therefore the family of Maire curves is nonsingular. Birational Equivalence. Normally, elliptic curves are displayed in Weierstrass form. An elliptic curve that lies over a binary field can be given in homogeneous coordinates by: v 2 w + uvw = u 3 + a 2 u 2 + a 6 where a 6 0. The map from the Maire form to the homogeneous Weierstrass form is then given by the map: u = d 1 (d d 1 + d 2 )(x + y) v = d 1 (d d 1 + d 2 )y + (d 1 + 1)(z + d 1 (x + y)) w = z + d 1 (x + y) The above map then states that the homogeneous Weierstrass form, v 2 w + uvw = u 3 + (d d 2 )u 2 + d 4 1(d d d 2 2), is equivalent to the Maire form. 20

30 5.2. THE ADDITION LAW CHAPTER 5. MAIRE MODEL 5.2 The Addition Law Now that we have implemented the inverted transformation on the binary Edwards curve and come up with our new model, we can start to understand its geometry and addition law. After the transformation the Maire form is a cubic curve, therefore we can go back to the original Weierstrass interpretation of intersecting the cubic curve with a straight line. The difference now that was not done before is that now we are in homogeneous coordinates. Therefore we must intersect the curve with a line within that same homogeneous system. With that idea in mind, we can state the Maire form addition law: Theorem: Maire Addition Law. Let E M be an elliptic curve as defined above and let P = (x 1 : y 1 : z 1 ) and Q = (x 2 : y 2 : z 2 ) be points on E M. Then the sum of these two points is the point N = (x 3 : y 3 : z 3 ) defined by: α = d 1 R(R + S)z 1 z 2 β = d 1 S(Rx 1 + Sy 1 )z 2 + [d 2 (R + S) 2 + RS]z 1 z 2 + d 1 R(R + S)(x 1 z 2 + x 2 z 1 ) y 3 = R(βz 1 + x 1 α) + Sy 1 α x 3 = Sz 1 β z 3 = Sz 1 α where R and S are defined such that if P = Q then R = d 1 y 2 + yz + z 2 and S = d 1 x 2 + xz + z 2. If P Q then R = y 1 z 2 + y 2 z 1 and S = x 1 z 2 + x 2 z 1. The addition law here has some different features that are usually seen. We will start by proving the addition law, then describing the mysterious properties of the parameters that are explained below. Proof. Let E M be a curve as described above, with d 1 0 and d 2 d d 1. Also, let P = (x 1 : y 1 : z 1 ), Q = (x 2 : y 2 : z 2 ), and N = (x 3 : y 3 : z 3 ) be three points on E M. First we make the substitution x = Xz and y = Y z to give us the curve d 1 (X 2 Y + XY 2 ) + d 2 (X 2 + Y 2 )1 = 1(X + 1)(Y + 1). Then the line 21

31 5.2. THE ADDITION LAW CHAPTER 5. MAIRE MODEL Y = m(x+x 1 )+Y 1 intersects the curve d 1 (x 2 y+xy 2 )+d 2 (x 2 +y 2 )1 = 1(x+1)(y+1) exactly three times, at X 1,X 2, and X 3. Therefore plugging the equation of the line into the form of the curve yields: d 1 (X 2 m(x + X 1 ) + Y 1 + Xm(X + X 1 ) + Y 2 1 ) + d 2 (X 2 + m(x + X 1 ) + Y 2 1 )1 = 1(X + 1)(m(X + X 1 ) + Y 1 + 1) With the regrouping of terms we get a cubic polynomial of X in the form Ax 3 + BX 2 + CX + D = 0. We know that the roots of a monic, cubic polynomial sum to the coefficient of the quadratic term. Therefore X 1 + X 2 + X 3 = B/A where A = d 1 m(m + 1) and B = d 1 (mx 1 + Y 1 ) + d 2 (m 2 + 1) + m. We solve for AX 3 to give us AX 3 = B + A(X 1 + X 2 ). The corresponding Y 3 is then found by going back to the original line equation Y 3 = m(x 3 + X 1 ) + Y 1. We multiply this by the factor A to get us AY 3 = Am(X 3 + X 1 ) + AY 1. With both an expression for X 3 and Y 3 now we can define the slope m as a simple ratio R/S. If the points P and Q on the curve are not equal then we use a simple secant line to connect them, whose slope is just (Y 1 + Y 2 )/(X 1 + X 2 ). It is easily seen that R = Y 1 + Y 2 and S = X 1 + X 2. If on the other hand P = Q on the curve the we must implicitly define m by computing dy/dx as: m = dy dx = d 1Y 2 +Y +1 d 1 X 2 +X+1 where R = d 1 Y 2 + Y + 1 and then S = d 1 X 2 + X + 1. To avoid complication, we will use R and S in all expressions with this understanding of how they are defined. We now have expressions for X 3 and Y 3 with respect to the slope m, and the point X 1, and Y 1. We substitute R and S into their expressions and multiply to eliminate division. This gives us the expressions: 22

32 5.3. OPERATIONS UNIFICATION CHAPTER 5. MAIRE MODEL d 1 RS(R + S)X 3 = d 1 S 2 (RX 1 + SY 1 ) + d 2 S(R + S) 2 + RS + d 1 RS(R + S)(X 1 + X 2 ) d 1 RS(R + S)Y 3 = d 1 RS(R + S)[R(X 3 + X 1 ) + SY 1 ] To get us back to the original curve we substitute X i = x i /z i and Y i = y i /z i for i = 1, 2 and again multiply through to get expressions that avoids division. This is also done for the terms R and S which makes them the homogeneous expressions d 1 y 2 + yz + z 2 and d 1 x 2 + xz + z 2, respectively. For X 3 and Y 3 we note that they would be equal to x 3 and y 3 if z 3 = 1. Then because of the equivalence of points through scalar multiplication we simply define z 3 as the coefficient on the left hand side of the above expressions, making it d 1 RS(R + S)z 1 z 2 (after the most recent substitution), and the expressions for x 3 and y 3 are as they are stated in the above theorem. 5.3 Operations Unification This section is dedicated to give conditions for which the the above stated addition law is unified in operations counts. While the addition expression is the same for distinct point addition and doubling, with no special cases necessary, the definition of R and S yields slightly different operations counts for the overall addition law. In an effort to disguise ourselves from falling victim to side-channel attacks, we must attempt to negotiate this obstacle. We show again the expression for R and S: d 1 y 2 + yz + z 2 R = y 1 z 2 + y 2 z 1 d 1 x 2 + xz + z 2 S = y 1 x 2 + x 2 z 1 : P = Q : P Q : P = Q : P Q For point doubling we see an operations count of 1M + 2S for both R and S. Then with distinct addition has operations counts of just 2M. If, though we choose 23

33 5.3. OPERATIONS UNIFICATION CHAPTER 5. MAIRE MODEL the curve parameter d 1 to be a perfect square in K, then we take advantage that squaring is a linear operation in a binary field, which means that R and S become: (δy + z) 2 + yz R = y 1 z 2 + y 2 z 1 (δx + z) 2 + xz S = y 1 x 2 + x 2 z 1 : P = Q : P Q : P = Q : P Q where δ is the square root of the parameter d 1. With this organization and the fact that field squaring and multiplications are very close in power consumption and algorithm run time, we are able to conceal the operations over the course of consecutive elliptic curve point operations. 24

34 Chapter 6 Elliptic Curves in Cryptography: A Revolution Since 1985 elliptic curves have become more and more prominent within the cryptographic community thanks to mathematicians like Neal Koblitz, Victor Miller, and Harold Edwards. As time steps forward notable groups and agencies have started to put more trust into elliptic curves as the future of public key cryptography. The National Security Agency in 2005 published their Suite B algorithms which utilized ECC to secure material up to the level of classified. Bitcoin uses ECC in the form of the Elliptic Curve Digital Signatures Algorithm to secure all of its financial transactions. Sony uses the same EC-DSA to secure its software on the Playstation 3 game console. It should be noted that the only successful attacks on Playstation 3 have been due to cutting the corners in the implementation by using static, instead of random, algorithm parameters. It is from this perspective that we look at the advantages and disadvantages of each curve form. 6.1 Advantages of the Edwards Forms In earlier sections we established conditions when the Edwards curve can be most advantageous to us, we can look at the implementation, and compare it to other forms used in cryptography. The complete addition law that we were seeking is 25

35 6.1. CHAPTER ADVANTAGES 6. ELLIPTIC OF THE CURVES EDWARDS IN CRYPTOGRAPHY: FORMS A REVOLUTION useful as a way to minimize the vulnerability of side-channel attacks. The easiest way to defend against side-channel attacks is to use algorithms that, when possible, don t take short cuts with the point doubling or distinct addition. This is done by hiding the field multiplications by designing algorithms whose timing, power usage, etc. are independent of their input. While one way of guarding against cryptographic attacks can be done algorithmically, speed of a given algorithm is always a concern. Faster algorithms will always be preferred and showing the Edwards curve doesn t sacrifice speed for security is a definite plus to its implementation. In the table below we compare the Edwards curve to other forms that have been used for cryptographic implementation. Each of these prior forms, unlike the Edwards form, do not have a unified addition law. That is why you will notice larger differences in their algorithmic run times as compared to the consistent Edwards. When looking at the table below M denotes field multiplication, S denotes field squaring, and I is field inversion. Coordinate System Addition Doubling Weierstrass 2M + S + I 2M + 2S + I Projective 12M + 2S 8M + 5S Jacobian 12M + 4S 4M + 6S Edwards 10M + I 10M + I The disadvantage of using the Edwards form, is the waste of memory that occurs when operating within the field prescribed. We defined the field for when the Edwards form was birationally equivalent to be non-binary. This implies that char(k) 2 or similarly that 2 0 within the field, as stated in some of the theorems above. The NIST (National Institute for Standards and Technology) standard for ECC states that there is only one elliptic curve recommended for the five prime characteristic fields, where there is one elliptic curve, and one Koblitz curve recommended for each of the five binary fields. In the next section, we will see that Bernstein and Lange s work has transitioned the advantages of the Ed- 26

36 6.2. CHAPTER FURTHER 6. ELLIPTIC RESEARCH CURVES IN CRYPTOGRAPHY: A REVOLUTION wards form to the advantageous binary field. In the previous section we saw that there are more choice options that fit the NIST guidelines over binary fields. Besides curve parameter and field choice, the algorithms for binary fields are much faster overall. In [4], Wedner and Hutter compared binary field operations to prime field operations. They found that binary field based processor ran 69.6% faster than its prime counterpart and saved 15.9% in power. We can immediately see now the advantages of using a binary field over one with prime characteristic. Through the work of Bernstein and Lange we have found a set of Edwards curves, which take advantage of both faster computing, efficient power use, as well as complete addition law to guard against side-channel attacks. 6.2 Further Research Although elliptic curves have come far in their cryptographic implementation, there is still much to be done. Having a more solid understanding of the geometry of the binary Edwards form will surely take us a good deal forward. The geometric interpretation used in the study of twisted Edwards curves works fine for the understanding of the conic that is used to create the addition law. This easily can be taken back to the original Edwards form, but the binary Edwards form does present a different problem completely. Mapping ourselves into the projective plane does a good job of lowering the field operation costs by the elimination of field inversion as well as taking advantage of the equivalence classes between points. To continue to work in the projective plane would be wise in order to continue to make addition algorithms more efficient. In the Maire form, a more implicit definition for the slope parameter m would allow 27

37 6.2. CHAPTER FURTHER 6. ELLIPTIC RESEARCH CURVES IN CRYPTOGRAPHY: A REVOLUTION for a complete and strongly unified addition law in the binary field. 28

38 Bibliography [1] Neal Koblitz. Elliptic Curve Cryptosystems. Mathematics of Computation, [2] Paul Kocher. Differential Power Analysis. 19th International Advances in Cryptology Conference, [3] Harold Edwards. A Normal Form of Elliptic Curves. Bulletin of the American Mathematics Society, [4] Daniel Bernstein & Tanja Lange. Faster Addition and Doubling on Elliptic Curves. Lecture Notes on Computer Science, [5] Erich Wegner & Michael Hutter. Exploring the Design Space of Prime Field vs. Binary Field ECC-Harware Implementations. Information Security Technology for Applications, [6] Daniel Bernstein, Tanja Lange, & R.R. Farashahi. Binary Edwards Curves. International Association of Cryptologic Research, [7] Daniel Bernstein & Tanja Lange. Inverted Edwards Coordinates. Lecture Notes in Computer Science, [8] AJ Menezes, T. Okamoto, & SA Vanstone. Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field. IEEE Trans. Information Theory,

39 BIBLIOGRAPHY BIBLIOGRAPHY [9] Samta Gajbhiye, Monisha Sharma, & Samir Dashputre. A Survey Report on Elliptic Curve Cryptography. International Journal of Electrical and Computer Engineering, [10] Christophe Arene, Tanja Lange, Michael Naehrig, Christophe Ritzenthaler. Faster Computation of the Tate Pairing. Journal of Number Theory, [11] R.R. Farashahi. On the Number of Distinct Legendre, Jacobi, Hessian and Edwards Curves. Workshop on coding and Cryptography,